- Update to version 20210901:
* libksysguard5: Updated path for ksgrd_network_helper
* kdesu: Updated path for kdesud
* sbin_dirs cleanup: these binaries have already been moved to /usr/sbin
* mariadb: revert auth_pam_tool to /usr/lib{,64} again
* cleanup: revert virtualbox back to plain /usr/lib
* cleanup: remove deprecated /etc/ssh/sshd_config
* hawk_invoke is not part of newer hawk2 packages anymore
* cleanup: texlive-filesystem: public now resides in libexec
* cleanup: authbind: helper now resides in libexec
* cleanup: polkit: the agent now also resides in libexec
* libexec cleanup: 'inn' news binaries now reside in libexec
OBS-URL: https://build.opensuse.org/request/show/915438
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/permissions?expand=0&rev=149
* libksysguard5: Updated path for ksgrd_network_helper
* kdesu: Updated path for kdesud
* sbin_dirs cleanup: these binaries have already been moved to /usr/sbin
* mariadb: revert auth_pam_tool to /usr/lib{,64} again
* cleanup: revert virtualbox back to plain /usr/lib
* cleanup: remove deprecated /etc/ssh/sshd_config
* hawk_invoke is not part of newer hawk2 packages anymore
* cleanup: texlive-filesystem: public now resides in libexec
* cleanup: authbind: helper now resides in libexec
* cleanup: polkit: the agent now also resides in libexec
* libexec cleanup: 'inn' news binaries now reside in libexec
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=298
- Update to version 20201111:
* squid: remove basic_pam_auth which doesn't need special perms (bsc#1171569)
* mgetty: remove long dead (or never existing) locks directory (bsc#1171882)
* adjust squid pinger path (bsc#1171569)
* profiles: remove now superfluous squid pinger paths (bsc#1171569)
* ksgrd_network_helper: remove obviously wrong path
* etc/permissions: remove unnecessary, duplicate, outdated entries
* chkstat: implement support for variables in profile paths in new
variables.conf
* man pages: add documentation about variables, update copyrights
* profiles: use new variables feature to remove redundant entries
* profiles: prepare /usr/sbin versions of profile entries (bsc#1029961)
* Makefile: support CXXFLAGS and LDFLAGS override / extension via make/env variables (bsc#1178475)
* Makefile: compile with LFO support to fix 32-bit emulation on 64-bit hosts (bsc#1178476)
* README: added information about know limitations of this approach
- adjusted spec file:
- package new variables.conf
- apply %{optflags} correctly via CXXFLAGS variable
- drop FSCAPS_DEFAULT_ENABLED which isn't recognized anymore by the
refactored chkstat sources. This is now the default.
OBS-URL: https://build.opensuse.org/request/show/847754
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=289
- Update to version 20200710:
* Revert "etc/permissions: remove entries for bind-chrootenv". This
currently conflicts with the way the CheckSUIDPermissions rpmlint-check is
implemented.
- Removed dbus-libexec.patch: contained in upstream
- Update to version 20200624:
* rework permissions.local text (boo#1173221)
* dbus-1: adjust to new libexec dir location (bsc#1171164)
* permission profiles: reinstate kdesud for kde5
* etc/permissions: remove entries for bind-chrootenv
* etc/permissions: remove traceroute entry
* VirtualBox: remove outdated entry which is only a symlink any more
* /bin/su: remove path refering to symlink
* etc/permissions: remove legacy RPM directory entries
* /etc/permissions: remove outdated sudo directories
* singularity: remove outdated setuid-binary entries
* chromium: remove now unneeded chrome_sandbox entry (bsc#1163588)
* dbus-1: remove deprecated alternative paths
* PolicyKit: remove outdated entries last used in SLE-11
* pcp: remove no longer needed / conflicting entries
* gnats: remove entries for package removed from Factory
* kdelibs4: remove entries for package removed from Factory
* v4l-base: remove entries for package removed from Factory
* mailman: remove entries for package deleted from Factory
* gnome-pty-helper: remove dead entry no longer part of the vte package
* gnokii: remove entries for package no longer in Factory
* xawtv (v4l-conf): correct group ownership in easy profile
* systemd-journal: remove unnecessary profile entries
OBS-URL: https://build.opensuse.org/request/show/819968
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/permissions?expand=0&rev=138
* rework permissions.local text (boo#1173221)
* dbus-1: adjust to new libexec dir location (bsc#1171164)
* permission profiles: reinstate kdesud for kde5
* etc/permissions: remove entries for bind-chrootenv
* etc/permissions: remove traceroute entry
* VirtualBox: remove outdated entry which is only a symlink any more
* /bin/su: remove path refering to symlink
* etc/permissions: remove legacy RPM directory entries
* /etc/permissions: remove outdated sudo directories
* singularity: remove outdated setuid-binary entries
* chromium: remove now unneeded chrome_sandbox entry (bsc#1163588)
* dbus-1: remove deprecated alternative paths
* PolicyKit: remove outdated entries last used in SLE-11
* pcp: remove no longer needed / conflicting entries
* gnats: remove entries for package removed from Factory
* kdelibs4: remove entries for package removed from Factory
* v4l-base: remove entries for package removed from Factory
* mailman: remove entries for package deleted from Factory
* gnome-pty-helper: remove dead entry no longer part of the vte package
* gnokii: remove entries for package no longer in Factory
* xawtv (v4l-conf): correct group ownership in easy profile
* systemd-journal: remove unnecessary profile entries
* thttp: make makeweb entry usable in the secure profile (bsc#1171580)
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=268
- Update to version 20200324:
* whitelist s390-tools setgid bit on log directory (bsc#1167163)
* whitelist WMP (bsc#1161335)
* regtest: improve readability of path variables by using literals
* regtest: adjust test suite to new path locations in /usr/share/permissions
* regtest: only catch explicit FileNotFoundError
* regtest: provide valid home directory in /root
* regtest: mount permissions src repository in /usr/src/permissions
* regtest: move initialialization of TestBase paths into the prepare() function
* chkstat: suppport new --config-root command line option
* fix spelling of icingacmd group
OBS-URL: https://build.opensuse.org/request/show/787822
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=254
- Update to version 20200228:
* chkstat: fix readline() on platforms with unsigned char
- Update to version 20200227:
* remove capability whitelisting for radosgw
* whitelist ceph log directory (bsc#1150366)
* adjust testsuite to post CVE-2020-8013 link handling
* testsuite: add option to not mount /proc
* do not follow symlinks that are the final path element: CVE-2020-8013
* add a test for symlinked directories
* fix relative symlink handling
* include cpp compat headers, not C headers
* Move permissions and permissions.* except .local to /usr/share/permissions
* regtest: fix the static PATH list which was missing /usr/bin
* regtest: also unshare the PID namespace to support /proc mounting
* regtest: bindMount(): explicitly reject read-only recursive mounts
* Makefile: force remove upon clean target to prevent bogus errors
* regtest: by default automatically (re)build chkstat before testing
* regtest: add test for symlink targets
* regtest: make capability setting tests optional
* regtest: fix capability assertion helper logic
* regtests: add another test case that catches set*id or caps in world-writable sub-trees
* regtest: add another test that catches when privilege bits are set for special files
* regtest: add test case for user owned symlinks
* regtest: employ subuid and subgid feature in user namespace
* regtest: add another test case that covers unknown user/group config
* regtest: add another test that checks rejection of insecure mixed-owner paths
* regtest: add test that checks for rejection of world-writable paths
* regtest: add test for detection of unexpected parent directory ownership
* regtest: add further helper functions, allow access to main instance (forwarded request 780264 from mkraus)
OBS-URL: https://build.opensuse.org/request/show/780979
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/permissions?expand=0&rev=132
- Update to version 20200228:
* chkstat: fix readline() on platforms with unsigned char
- Update to version 20200227:
* remove capability whitelisting for radosgw
* whitelist ceph log directory (bsc#1150366)
* adjust testsuite to post CVE-2020-8013 link handling
* testsuite: add option to not mount /proc
* do not follow symlinks that are the final path element: CVE-2020-8013
* add a test for symlinked directories
* fix relative symlink handling
* include cpp compat headers, not C headers
* Move permissions and permissions.* except .local to /usr/share/permissions
* regtest: fix the static PATH list which was missing /usr/bin
* regtest: also unshare the PID namespace to support /proc mounting
* regtest: bindMount(): explicitly reject read-only recursive mounts
* Makefile: force remove upon clean target to prevent bogus errors
* regtest: by default automatically (re)build chkstat before testing
* regtest: add test for symlink targets
* regtest: make capability setting tests optional
* regtest: fix capability assertion helper logic
* regtests: add another test case that catches set*id or caps in world-writable sub-trees
* regtest: add another test that catches when privilege bits are set for special files
* regtest: add test case for user owned symlinks
* regtest: employ subuid and subgid feature in user namespace
* regtest: add another test case that covers unknown user/group config
* regtest: add another test that checks rejection of insecure mixed-owner paths
* regtest: add test that checks for rejection of world-writable paths
* regtest: add test for detection of unexpected parent directory ownership
* regtest: add further helper functions, allow access to main instance
OBS-URL: https://build.opensuse.org/request/show/780264
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=252
