SHA256
1
0
forked from pool/permissions
permissions/permissions

205 lines
9.5 KiB
Plaintext
Raw Normal View History

# /etc/permissions
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2001
#
# This file is used by SuSEconfig and chkstat to check or set the modes
# and ownerships of files and directories in the installation.
#
# There is a set of files with similar meaning in a SuSE installation:
# /etc/permissions (This file)
# /etc/permissions.easy
# /etc/permissions.secure
# /etc/permissions.paranoid
# /etc/permissions.local
# Please see the respective files for their meaning.
#
#
# Format:
# <file> <owner>:<group> <permission>
#
# How it works:
# Change the entries as you like, then call
# `chkstat -set /etc/permissions<6E> or /etc/permissions.{easy,secure,paranoid}
# respectively, or call `SuSEconfig<69> as yast do after they think
# that files have been modified in the system.
#
# SuSEconfig will use the files /etc/permissions and the ones ending
# in what the variable PERMISSION_SECURITY from
# /etc/sysconfig/security contains. By default, these are the files
# /etc/permissions, /etc/permissions.easy and /etc/permissions.local
# for local changes by the admin. In addition, the directory
# /etc/permissions.d/ can contain permission files that belong to
# the packages they modify file modes for. These permission files
# are to switch between conflicting file modes of the same file
# paths in different packages (popular example: sendmail and
# postfix, path /usr/sbin/sendmail).
#
# SuSEconfig's usage of the chkstat program can be turned off completely
# by setting CHECK_PERMISSIONS to "warn" in /etc/sysconfig/security.
#
# /etc/permissions is kept to the bare minimum. File modes that differ
# from the settings in this file should be considered broken.
#
# Please see the headers of the files
# /etc/permissions.easy
# /etc/permissions.secure
# /etc/permissions.paranoid
# as well as
# /etc/permissions.local
# for more information about their particular meaning and their setup.
#
# root directories:
#
/ root:root 755
/root root:root 700
/tmp root:root 1777
/tmp/.X11-unix/ root:root 1777
/tmp/.ICE-unix/ root:root 1777
/dev root:root 755
/bin root:root 755
/sbin root:root 755
/lib root:root 755
/etc root:root 755
/home root:root 755
/boot root:root 755
/opt root:root 755
/usr root:root 755
#
# /var:
#
/var/tmp root:root 1777
/var/tmp/vi.recover/ root:root 1777
/var/log root:root 755
/var/spool root:root 755
/var/spool/atjobs at:at 700
/var/spool/atjobs/.SEQ at:at 600
/var/spool/atjobs/.lockfile at:at 600
/var/spool/atspool at:at 700
/var/spool/cron root:root 700
/var/spool/mqueue root:root 700
/var/spool/news news:news 775
/var/spool/uucp uucp:uucp 755
/var/spool/voice root:root 755
/var/spool/mail root:root 1777
/var/adm root:root 755
/var/adm/backup root:root 700
/var/cache root:root 755
/var/cache/fonts root:root 1777
/var/cache/man man:root 755
/var/yp root:root 755
/var/run/nscd/socket root:root 666
/var/run/sudo root:root 700
#
# log files that do not grow remarkably
#
/var/log/faillog root:root 600
# This file is not writeable by gid tty so that the information
# therein can be trusted.
/var/log/lastlog root:tty 644
#
# some device files
#
/dev/zero root:root 666
/dev/null root:root 666
/dev/full root:root 666
/dev/ip root:root 660
/dev/initrd root:disk 660
/dev/kmem root:kmem 640
#
# /etc
#
/etc/lilo.conf root:root 600
/etc/passwd root:root 644
/etc/shadow root:shadow 640
/etc/init.d root:root 755
/etc/HOSTNAME root:root 644
/etc/hosts root:root 644
# Changing the hosts_access(5) files causes trouble with services
# that do not run as root!
/etc/hosts.allow root:root 644
/etc/hosts.deny root:root 644
/etc/hosts.equiv root:root 644
/etc/hosts.lpd root:root 644
/etc/ld.so.conf root:root 644
/etc/ld.so.cache root:root 644
/etc/opiekeys root:root 600
/etc/ppp root:dialout 750
/etc/ppp/chap-secrets root:root 600
/etc/ppp/pap-secrets root:root 600
# sysconfig files:
/etc/sysconfig/network/providers root:root 700
# utempter
/usr/sbin/utempter root:tty 2755
# ensure correct permissions on ssh files to avoid sshd refusing
# logins (bnc#398250)
/etc/ssh/ssh_host_key root:root 600
/etc/ssh/ssh_host_key.pub root:root 644
/etc/ssh/ssh_host_dsa_key root:root 600
/etc/ssh/ssh_host_dsa_key.pub root:root 644
/etc/ssh/ssh_host_rsa_key root:root 600
/etc/ssh/ssh_host_rsa_key.pub root:root 644
/etc/ssh/ssh_config root:root 644
/etc/ssh/sshd_config root:root 640
#
# legacy
#
# don't set the setuid bit on suidperl! Set it on sperl instead if
# you really need it as suidperl is a hardlink to perl nowadays.
/usr/bin/suidperl root:root 755
# cdrecord does not need to be setuid root as it uses resmgr for
# accessing the devices. Access to that one can be configured in
# /etc/resmgr.conf
/usr/bin/cdrecord root:root 755
# new traceroute program by Olaf Kirch does not need setuid root any more.
/usr/sbin/traceroute root:root 755
# netatalk printer daemon: sgid not needed any more with cups.
/usr/sbin/papd root:lp 0755
# games:games 775 safe as long as we don't change files below it (#103186)
# still people do it (#429882) so root:root 755 is the consequence.
/var/games/ root:root 0755
# No longer common. Set setuid bit yourself if you need it
# (#66191)
#/usr/bin/ziptool root:trusted 4750
#
# udev static devices (#438039)
#
/lib/udev/devices/net/tun root:root 0666
/lib/udev/devices/null root:root 0666
/lib/udev/devices/ptmx root:tty 0666
/lib/udev/devices/tty root:tty 0666
/lib/udev/devices/zero root:root 0666
#
# directory for system crash dumps (#438041)
#
/var/crash root:root 1777
#
# named chroot (#438045)
#
/var/lib/named/dev/null root:root 0666
/var/lib/named/dev/random root:root 0666