rpm/permissions
SHA256
1
0
Fork 0
forked from pool/permissions
Code Pull Requests Activity

Accepting request 18547 from Base:System

Browse Source 
Copy from Base:System/permissions based on submit request 18547 from user lnussel

OBS-URL: https://build.opensuse.org/request/show/18547
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/permissions?expand=0&rev=34
This commit is contained in:
OBS User autobuild 2009-08-26 15:26:35 +00:00 committed by Git OBS Bridge
parent 879f6a2ca4
commit 4e507c69e1
14 changed files with 36 additions and 2548 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
SuSEconfig.permissions
View File

@ -1,86 +0,0 @@
#! /bin/bash
# This module checks and sets file permissions
# Copyright (C) 1996-2007 SUSE Linux Products GmbH, Nuernberg, Germany.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Author: Burchard Steinbild, 1996-97
# Bernhard Kaindl <bk@suse.de>, 1999
# Rüdiger Oertel <ro@suse.de>, 2000-01
# Ludwig Nussel <lnussel@suse.de> 2007
#
. /lib/YaST/SuSEconfig.functions || exit 1
for i in /etc/sysconfig/security /etc/sysconfig/suseconfig ; do
. $i || exit 1
done
if test -n "$ENABLE_SUSECONFIG" -a "$ENABLE_SUSECONFIG" = "no" ; then
echo "SuSEconfig is disabled in /etc/sysconfig/suseconfig"
exit 0
fi
mode=""
case "$CHECK_PERMISSIONS" in
set) mode="-set" ;;
warn) ;;
no|"") exit 0 ;;
*) echo "invalid value '$CHECK_PERMISSIONS' for \$CHECK_PERMISSIONS" >&2 ;;
esac
# collect files that contain permission specifications
#
# 1. central fixed permissions file
files="/etc/permissions"
# 2. central easy, secure paranoid as those are defined by SUSE
for level in $PERMISSION_SECURITY; do
case "$level" in
easy|secure|paranoid)
if [ -e /etc/permissions.$level ]; then
files="$files /etc/permissions.$level"
fi
;;
esac
done
# 3. package specific permissions
pkgfiles=(/etc/permissions.d/*)
pkgfiles=(${pkgfiles[*]##*/})
pkgfiles=(${pkgfiles[*]%%.*})
pkgfiles=(`for i in ${pkgfiles[@]}; do echo $i; done | /usr/bin/sort -u`)
for file in ${pkgfiles[@]}; do
file=/etc/permissions.d/$file
[ -e $file ] && files="$files $file"
for level in $PERMISSION_SECURITY; do
[ -e $file.$level ] && files="$files $file.$level"
done
done
# 4. central permissions files with user defined level incl 'local'
for level in $PERMISSION_SECURITY; do
case "$level" in
easy|secure|paranoid) continue ;;
esac
if [ -e /etc/permissions.$level ]; then
files="$files /etc/permissions.$level"
fi
done
/usr/bin/chkstat $mode $files

198
checkpermissionfiles.pl
View File

@ -1,198 +0,0 @@
#!/usr/bin/perl -w
# perform some consistency checks on permission files
use Getopt::Long;
use strict;
use Data::Dumper;
use File::Basename;
my @deflevels = ('easy', 'secure', 'paranoid');
my @defpermfiles = ('permissions', 'permissions.easy', 'permissions.secure', 'permissions.paranoid');
# filename
# - level (DEFAULT, easy, secure, paranoid)
# - owner
# - mode
my %perms;
my($nodups, $checkmissing, $defonly, $showsuid, $showsgid, $showww, $showgw,
$show, @levels, $showsame, $dump, @permfiles, $help, $checkdirs);
Getopt::Long::Configure("no_ignore_case");
GetOptions (
"nodups" => \$nodups,
"missing" => \$checkmissing,
"defonly" => \$defonly,
"show" => \$show,
"suid" => \$showsuid,
"sgid" => \$showsgid,
"ww" => \$showww,
"gw" => \$showgw,
"same" => \$showsame,
"level=s" => \@levels,
"dump" => \$dump,
"checkdirs=s" => \$checkdirs,
"help" => \$help,
);
if($help)
{
print <<EOF;
perform some consistency checks on permission files
USAGE: $0 [OPTIONS] [FILES]
OPTIONS:
--nodups skip check for duplicate entries
--same check for identical entries in all files
--missing check whether entries are in all three files (default)
--defonly run actions only on default file
--show show entries
--suid only suid files
--sgid only sgid files
--ww only world writeable files
--gw only group writeable files
--dump dump files as perl hash
--level restrict checks to this coma separated list of levels
--checkdirs DIR check for group writeable directories below DIR
EOF
exit 0;
}
@levels = @deflevels unless $#levels != -1;
@levels = split(/,/,join(',',@levels));
if($#ARGV != -1)
{
while (my $permfile = shift @ARGV)
{
push @permfiles, $permfile;
}
}
else
{
@permfiles = @defpermfiles;
}
for my $permfile (@permfiles)
{
my $level = 'DEFAULT';
$level =$1 if(basename($permfile) =~ /.*\.(.*)/);
open(FH, '<', $permfile) or next;
while(<FH>)
{
chomp;
s/#.*//;
next if(/^$/);
my ($file, $owner, $mode) = split(/\s+/);
if(!$nodups && exists($perms{$file}{$level}))
{
print STDERR "$permfile:$. File listed twice: $file already in $level\n";
}
else
{
$perms{$file}{$level}{'owner'} = $owner;
$perms{$file}{$level}{'mode'} = $mode;
}
if($checkdirs)
{
if(! -e $checkdirs.$file)
{
#print STDERR "$permfile:$.: can't check $file\n";
}
elsif(-d $checkdirs.$file && oct($mode)&020 && !(oct($mode)&01000))
{
print STDERR "$permfile:$.: $file group writeable but not sticky\n"
}
}
}
close(FH);
}
my ($file, $owner, $mode, $level);
format FORMATTED =
@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<< @>>>> (@*)
$file, $owner, $mode, $level
.
open FORMATTED, ">&STDOUT";
$checkmissing = 1 unless ($show || $showsuid || $showsgid || $showww || $showgw || $dump || $showsame);
foreach $file (sort keys %perms)
{
next if($defonly && !exists($perms{$file}{'DEFAULT'}));
{
my @l = ('DEFAULT');
push @l, @levels unless $defonly;
my ($om, $modechanged, $numseen);
$numseen = 0;
for $level (@l)
{
next unless exists $perms{$file}{$level};
++$numseen;
$mode = $perms{$file}{$level}{'mode'};
$om = oct($mode) unless $om;
$modechanged = 1 if($om != oct($mode));
$owner = $perms{$file}{$level}{'owner'};
next if(
($showsuid && !(oct($mode) & 04000)) ||
($showsgid && !(oct($mode) & 02000)) ||
($showww && !(oct($mode) & 0002)) ||
($showgw && !(oct($mode) & 0020))
);
write FORMATTED if ($show);
}
if($numseen > 3)
{
print STDERR "Suspicious: $file in >3 levels\n";
}
if($showsame && $numseen > 1 && !$modechanged)
{
print STDERR "Useless: $file\n";
}
}
if($checkmissing)
{
my $msg = '';
if(!exists($perms{$file}{'DEFAULT'}))
{
for $level (@levels)
{
if(!exists($perms{$file}{$level}))
{
$msg .= " not in $level\n";
}
}
}
if(length $msg)
{
print STDERR "$file:\n$msg\n";
}
}
}
close FORMATTED;
print Dumper(\%perms) if($dump);
# vim: sw=4

78
chkstat.8
View File

@ -1,78 +0,0 @@
.\"
.\" SUSE man page for chkstat
.\"
.\" Author: Ruediger Oertel
.\"
.TH CHKSTAT 8 "2008-04-17" "SUSE Linux" "Tool to check and set file permissions"
.\"
.UC 8
.SH NAME
.\"
chkstat \- Tool to check and set file permissions
.SH SYNOPSIS
.\"
.B chkstat
.RB \|[\| \-\-set|\-set ]
.RB \|[\| \-\-noheader ]
.RB \|[\|\|[\| \-\-examine\ file\ ] ... ]
.RB \|[\|\|[\| \-\-files\ filelist\ ] ... ]
.RB \|[\|\|[\| \-\-root\ directory\ ] ... ]
.B permission-file ...
.\"
.SH DESCRIPTION
The program
.I /usr/bin/chkstat
is a tool to check and set file permissions.
.PP
Multiple permissions files can be given on the commandline.
If the permission files contain multiple entries for a single
file, the last entry found will be used.
.PP
.\"
.SS General Options
.TP
.IR \-\-set ,\ \-set
This option enables setting the file permissions,
the default is to check and warn only.
.TP
.IR \-\-noheader
Omit printing the output header lines.
.TP
.IR \-\-examine\ file
Check permissions for this file and not all files listed in the permissions files.
.TP
.IR \-\-files\ filelist
Check permissions for the files listed in
.IR filelist
and not for all files listed in the permissions files.
.TP
.IR \-\-root\ directory
Prefix the files given in the permissions files by this directory.
.PP
.SH EXAMPLE
.PP
The command
.PP
.RS
.B chkstat -set /etc/permissions
.RE
.PP
will parse the file /etc/permissions and set the access mode and the
user- and group memberships each file listed. The format
for the input file is
.PP
.B FILEPATH
.B OWNER:GROUP
.B MODE
.PP
and wildcards are not supported for the filepath. Lines starting
with '#' and empty lines are treated as comments.
.SH COPYRIGHT
1996-2003 SuSE Linux AG, Nuernberg, Germany.
2008 SUSE LINUX Products GmbH
.SH AUTHORS
Reinhold Sojer, Ruediger Oertel, Michael Schroeder
.PP
Useful changes and additions by Tobias Burnus

591
chkstat.c
View File

@ -1,591 +0,0 @@
/* Copyright (c) 2004 SuSE Linux AG
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program (see the file COPYING); if not, write to the
* Free Software Foundation, Inc.,
* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*
****************************************************************
*/
#include <stdio.h>
#include <pwd.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#define __USE_GNU
#include <fcntl.h>
struct perm {
struct perm *next;
char *file;
char *owner;
char *group;
mode_t mode;
};
struct perm *permlist;
char **checklist;
int nchecklist;
uid_t euid;
char *root;
int rootl;
void
add_permlist(char *file, char *owner, char *group, mode_t mode)
{
struct perm *ec, **epp;
owner = strdup(owner);
group = strdup(group);
if (rootl)
{
char *nfile;
nfile = malloc(strlen(file) + rootl + (*file != '/' ? 2 : 1));
if (nfile)
{
strcpy(nfile, root);
if (*file != '/')
strcat(nfile, "/");
strcat(nfile, file);
}
file = nfile;
}
else
file = strdup(file);
if (!owner || !group || !file)
{
perror("permlist entry alloc");
exit(1);
}
for (epp = &permlist; (ec = *epp) != 0; )
if (!strcmp(ec->file, file))
{
*epp = ec->next;
free(ec->file);
free(ec->owner);
free(ec->group);
free(ec);
}
else
epp = &ec->next;
ec = malloc(sizeof(struct perm));
if (ec == 0)
{
perror("permlist entry alloc");
exit(1);
}
ec->file = file;
ec->owner = owner;
ec->group = group;
ec->mode = mode;
ec->next = 0;
*epp = ec;
}
int
in_checklist(char *e)
{
int i;
for (i = 0; i < nchecklist; i++)
if (!strcmp(e, checklist[i]))
return 1;
return 0;
}
void
add_checklist(char *e)
{
if (in_checklist(e))
return;
e = strdup(e);
if (e == 0)
{
perror("checklist entry alloc");
exit(1);
}
if ((nchecklist & 63) == 0)
{
if (checklist == 0)
checklist = malloc(sizeof(char *) * (nchecklist + 64));
else
checklist = realloc(checklist, sizeof(char *) * (nchecklist + 64));
if (checklist == 0)
{
perror("checklist alloc");
exit(1);
}
}
checklist[nchecklist++] = e;
}
int
readline(FILE *fp, char *buf, int len)
{
int l;
if (!fgets(buf, len, fp))
return 0;
l = strlen(buf);
if (l && buf[l - 1] == '\n')
{
l--;
buf[l] = 0;
}
if (l + 1 < len)
return 1;
fprintf(stderr, "warning: buffer overrun in line starting with '%s'\n", buf);
while ((l = getc(fp)) != EOF && l != '\n')
;
buf[0] = 0;
return 1;
}
void
usage(int x)
{
fprintf(stderr, "Usage: chkstat [--set] [--noheader] [[--examine file] ...] [ [--files filelist] ...] permission-file ...\n");
exit(x);
}
int
safepath(char *path, uid_t uid, gid_t gid)
{
struct stat stb;
char pathbuf[1024];
char linkbuf[1024];
char *p, *p2;
int l, l2, lcnt;
lcnt = 0;
l2 = strlen(path);
if (l2 >= sizeof(pathbuf))
return 0;
strcpy(pathbuf, path);
if (pathbuf[0] != '/')
return 0;
p = pathbuf + rootl;
for (;;)
{
p = strchr(p, '/');
if (!p)
return 1;
*p = 0;
if (lstat(*pathbuf ? pathbuf : "/", &stb))
return 0;
if (S_ISLNK(stb.st_mode))
{
if (++lcnt >= 256)
return 0;
l = readlink(pathbuf, linkbuf, sizeof(linkbuf));
if (l <= 0 || l >= sizeof(linkbuf))
return 0;
while(l && linkbuf[l - 1] == '/')
l--;
if (l + 1 >= sizeof(linkbuf))
return 0;
linkbuf[l++] = '/';
linkbuf[l] = 0;
*p++ = '/';
if (linkbuf[0] == '/')
{
if (rootl)
{
p[-1] = 0;
fprintf(stderr, "can't handle symlink %s at the moment\n", pathbuf);
return 0;
}
l2 -= (p - pathbuf);
memmove(pathbuf + rootl, p, l2 + 1);
l2 += rootl;
p = pathbuf + rootl;
}
else
{
if (p - 1 == pathbuf)
return 0; /* huh, "/" is a symlink */
for (p2 = p - 2; p2 >= pathbuf; p2--)
if (*p2 == '/')
break;
if (p2 < pathbuf + rootl) /* cannot happen */
return 0;
p2++; /* am now after '/' */
memmove(p2, p, pathbuf + l2 - p + 1);
l2 -= (p - p2);
p = p2;
}
if (l + l2 >= sizeof(pathbuf))
return 0;
memmove(p + l, p, pathbuf + l2 - p + 1);
memmove(p, linkbuf, l);
l2 += l;
if (pathbuf[0] != '/') /* cannot happen */
return 0;
if (p == pathbuf)
p++;
continue;
}
if (!S_ISDIR(stb.st_mode))
return 0;
/* write is always forbidden for other */
if ((stb.st_mode & 02) != 0)
return 0;
/* owner must be ok as she may change the mode */
/* for euid != 0 it is also ok if the owner is euid */
if (stb.st_uid && stb.st_uid != uid && stb.st_uid != euid)
return 0;
/* group gid may do fancy things */
/* for euid != 0 we don't check this */
if ((stb.st_mode & 020) != 0 && !euid)
if (!gid || stb.st_gid != gid)
return 0;
*p++ = '/';
}
}
int
main(int argc, char **argv)
{
char *opt, *p;
int set = 0;
int told = 0;
int use_checklist = 0;
FILE *fp;
char line[512];
char *part[4];
int i, pcnt, lcnt;
int inpart;
mode_t mode;
struct perm *e;
struct stat stb, stb2;
struct passwd *pwd = 0;
struct group *grp = 0;
uid_t uid;
gid_t gid;
int fd, r;
int errors = 0;
while (argc > 1)
{
opt = argv[1];
if (!strcmp(opt, "--"))
break;
if (*opt == '-' && opt[1] == '-')
opt++;
if (!strcmp(opt, "-s") || !strcmp(opt, "-set"))
{
set = 1;
argc--;
argv++;
continue;
}
if (!strcmp(opt, "-n") || !strcmp(opt, "-noheader"))
{
told = 1;
argc--;
argv++;
continue;
}
if (!strcmp(opt, "-e") || !strcmp(opt, "-examine"))
{
argc--;
argv++;
if (argc == 1)
{
fprintf(stderr, "examine: argument required\n");
exit(1);
}
add_checklist(argv[1]);
use_checklist = 1;
argc--;
argv++;
continue;
}
if (!strcmp(opt, "-f") || !strcmp(opt, "-files"))
{
argc--;
argv++;
if (argc == 1)
{
fprintf(stderr, "files: argument required\n");
exit(1);
}
if ((fp = fopen(argv[1], "r")) == 0)
{
fprintf(stderr, "files: %s: %s\n", argv[1], strerror(errno));
exit(1);
}
while (readline(fp, line, sizeof(line)))
{
if (!*line)
continue;
add_checklist(line);
}
fclose(fp);
use_checklist = 1;
argc--;
argv++;
continue;
}
if (!strcmp(opt, "-r") || !strcmp(opt, "-root"))
{
argc--;
argv++;
if (argc == 1)
{
fprintf(stderr, "root: argument required\n");
exit(1);
}
root = argv[1];
rootl = strlen(root);
if (*root != '/')
{
fprintf(stderr, "root: must begin with '/'\n");
exit(1);
}
argc--;
argv++;
continue;
}
if (*opt == '-')
usage(!strcmp(opt, "-h") || !strcmp(opt, "-help") ? 0 : 1);
break;
}
if (argc <= 1)
usage(1);
for (i = 1; i < argc; i++)
{
if ((fp = fopen(argv[i], "r")) == 0)
{
perror(argv[i]);
exit(1);
}
lcnt = 0;
while (readline(fp, line, sizeof(line)))
{
lcnt++;
if (*line == 0 || *line == '#' || *line == '$')
continue;
inpart = 0;
pcnt = 0;
for (p = line; *p; p++)
{
if (*p == ' ' || *p == '\t')
{
*p = 0;
if (inpart)
{
pcnt++;
inpart = 0;
}
continue;
}
if (!inpart)
{
inpart = 1;
if (pcnt == 3)
break;
part[pcnt] = p;
}
}
if (inpart)
pcnt++;
if (pcnt != 3)
{
fprintf(stderr, "bad permissions line %s:%d\n", argv[i], lcnt);
continue;
}
part[3] = part[2];
part[2] = strchr(part[1], ':');
if (!part[2])
part[2] = strchr(part[1], '.');
if (!part[2])
{
fprintf(stderr, "bad permissions line %s:%d\n", argv[i], lcnt);
continue;
}
*part[2]++ = 0;
mode = strtoul(part[3], part + 3, 8);
if (mode > 07777 || part[3][0])
{
fprintf(stderr, "bad permissions line %s:%d\n", argv[i], lcnt);
continue;
}
add_permlist(part[0], part[1], part[2], mode);
}
fclose(fp);
}
euid = geteuid();
for (e = permlist; e; e = e->next)
{
if (use_checklist && !in_checklist(e->file))
continue;
if (lstat(e->file, &stb))
continue;
if (S_ISLNK(stb.st_mode))
continue;
if ((!pwd || strcmp(pwd->pw_name, e->owner)) && (pwd = getpwnam(e->owner)) == 0)
{
fprintf(stderr, "%s: unknown user %s\n", e->file, e->owner);
continue;
}
if ((!grp || strcmp(grp->gr_name, e->group)) && (grp = getgrnam(e->group)) == 0)
{
fprintf(stderr, "%s: unknown group %s\n", e->file, e->group);
continue;
}
uid = pwd->pw_uid;
gid = grp->gr_gid;
if ((stb.st_mode & 07777) == e->mode && stb.st_uid == uid && stb.st_gid == gid)
continue;
if (!told)
{
told = 1;
printf("Checking permissions and ownerships - using the permissions files\n");
for (i = 1; i < argc; i++)
printf("\t%s\n", argv[i]);
}
if (!set)
printf("%s should be %s:%s %04o.", e->file, e->owner, e->group, e->mode);
else
printf("setting %s to %s:%s %04o.", e->file, e->owner, e->group, e->mode);
printf(" (wrong");
if (stb.st_uid != uid || stb.st_gid != gid)
{
pwd = getpwuid(stb.st_uid);
grp = getgrgid(stb.st_gid);
if (pwd)
printf(" owner/group %s", pwd->pw_name);
else
printf(" owner/group %d", stb.st_uid);
if (grp)
printf(":%s", grp->gr_name);
else
printf(":%d", stb.st_gid);
pwd = 0;
grp = 0;
}
if ((stb.st_mode & 07777) != e->mode)
printf(" permissions %04o", (int)(stb.st_mode & 07777));
putchar(')');
putchar('\n');
if (!set)
continue;
fd = -1;
if (S_ISDIR(stb.st_mode))
{
fd = open(e->file, O_RDONLY|O_DIRECTORY|O_NONBLOCK|O_NOFOLLOW);
if (fd == -1)
{
perror(e->file);
errors++;
continue;
}
}
else if (S_ISREG(stb.st_mode))
{
fd = open(e->file, O_RDONLY|O_NONBLOCK|O_NOFOLLOW);
if (fd == -1)
{
perror(e->file);
errors++;
continue;
}
if (fstat(fd, &stb2))
continue;
if (stb.st_mode != stb2.st_mode || stb.st_nlink != stb2.st_nlink || stb.st_dev != stb2.st_dev || stb.st_ino != stb2.st_ino)
{
fprintf(stderr, "%s: too fluctuating\n", e->file);
errors++;
continue;
}
if (stb.st_nlink > 1 && !safepath(e->file, 0, 0))
{
fprintf(stderr, "%s: on an insecure path\n", e->file);
errors++;
continue;
}
else if (e->mode & 06000)
{
/* extra checks for s-bits */
if (!safepath(e->file, (e->mode & 02000) == 0 ? uid : 0, (e->mode & 04000) == 0 ? gid : 0))
{
fprintf(stderr, "%s: will not give away s-bits on an insecure path\n", e->file);
errors++;
continue;
}
}
}
else if (strncmp(e->file, "/dev/", 4) != 0)
{
fprintf(stderr, "%s: don't know what to do with that type of file\n", e->file);
errors++;
continue;
}
if (euid == 0 && (stb.st_uid != uid || stb.st_gid != gid))
{
if (fd >= 0)
r = fchown(fd, uid, gid);
else
r = chown(e->file, uid, gid);
if (r)
{
fprintf(stderr, "%s: chown: %s\n", e->file, strerror(errno));
errors++;
}
if (fd >= 0)
r = fstat(fd, &stb);
else
r = lstat(e->file, &stb);
if (r)
{
fprintf(stderr, "%s: too fluctuating\n", e->file);
errors++;
continue;
}
}
if ((stb.st_mode & 07777) != e->mode)
{
if (fd >= 0)
r = fchmod(fd, e->mode);
else
r = chmod(e->file, e->mode);
if (r)
{
fprintf(stderr, "%s: chmod: %s\n", e->file, strerror(errno));
errors++;
}
}
if (fd >= 0)
close(fd);
}
if (errors)
{
fprintf(stderr, "ERROR: not all operations were successful.\n");
exit(1);
}
exit(0);
}

1
get_version_number.sh
View File

@ -1 +0,0 @@
get_date_version_string `find_newest_file *.*`

199
permissions
View File

@ -1,199 +0,0 @@
# /etc/permissions
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2001
#
# This file is used by SuSEconfig and chkstat to check or set the modes
# and ownerships of files and directories in the installation.
#
# There is a set of files with similar meaning in a SuSE installation:
# /etc/permissions (This file)
# /etc/permissions.easy
# /etc/permissions.secure
# /etc/permissions.paranoid
# /etc/permissions.local
# Please see the respective files for their meaning.
#
#
# Format:
# <file> <owner>:<group> <permission>
#
# How it works:
# Change the entries as you like, then call
# 'chkstat -set /etc/permissions' or /etc/permissions.{easy,secure,paranoid}
# respectively, or call 'SuSEconfig' as yast do after they think
# that files have been modified in the system.
#
# SuSEconfig will use the files /etc/permissions and the ones ending
# in what the variable PERMISSION_SECURITY from
# /etc/sysconfig/security contains. By default, these are the files
# /etc/permissions, /etc/permissions.easy and /etc/permissions.local
# for local changes by the admin. In addition, the directory
# /etc/permissions.d/ can contain permission files that belong to
# the packages they modify file modes for. These permission files
# are to switch between conflicting file modes of the same file
# paths in different packages (popular example: sendmail and
# postfix, path /usr/sbin/sendmail).
#
# SuSEconfig's usage of the chkstat program can be turned off completely
# by setting CHECK_PERMISSIONS to "warn" in /etc/sysconfig/security.
#
# /etc/permissions is kept to the bare minimum. File modes that differ
# from the settings in this file should be considered broken.
#
# Please see the headers of the files
# /etc/permissions.easy
# /etc/permissions.secure
# /etc/permissions.paranoid
# as well as
# /etc/permissions.local
# for more information about their particular meaning and their setup.
#
# root directories:
#
/ root:root 755
/root/ root:root 700
/tmp/ root:root 1777
/tmp/.X11-unix/ root:root 1777
/tmp/.ICE-unix/ root:root 1777
/dev/ root:root 755
/bin/ root:root 755
/sbin/ root:root 755
/lib/ root:root 755
/etc/ root:root 755
/home/ root:root 755
/boot/ root:root 755
/opt/ root:root 755
/usr/ root:root 755
#
# /var:
#
/var/tmp/ root:root 1777
/var/tmp/vi.recover/ root:root 1777
/var/log/ root:root 755
/var/spool/ root:root 755
/var/spool/mqueue/ root:root 700
/var/spool/news/ news:news 775
/var/spool/uucp/ uucp:uucp 755
/var/spool/voice/ root:root 755
/var/spool/mail/ root:root 1777
/var/adm/ root:root 755
/var/adm/backup/ root:root 700
/var/cache/ root:root 755
/var/cache/fonts/ root:root 1777
/var/cache/man/ man:root 755
/var/yp/ root:root 755
/var/run/nscd/socket root:root 666
/var/run/sudo/ root:root 700
#
# log files that do not grow remarkably
#
/var/log/faillog root:root 600
# This file is not writeable by gid tty so that the information
# therein can be trusted.
/var/log/lastlog root:tty 644
#
# some device files
#
/dev/zero root:root 666
/dev/null root:root 666
/dev/full root:root 666
/dev/ip root:root 660
/dev/initrd root:disk 660
/dev/kmem root:kmem 640
#
# /etc
#
/etc/lilo.conf root:root 600
/etc/passwd root:root 644
/etc/shadow root:shadow 640
/etc/init.d/ root:root 755
/etc/HOSTNAME root:root 644
/etc/hosts root:root 644
# Changing the hosts_access(5) files causes trouble with services
# that do not run as root!
/etc/hosts.allow root:root 644
/etc/hosts.deny root:root 644
/etc/hosts.equiv root:root 644
/etc/hosts.lpd root:root 644
/etc/ld.so.conf root:root 644
/etc/ld.so.cache root:root 644
/etc/opiekeys root:root 600
/etc/ppp/ root:dialout 750
/etc/ppp/chap-secrets root:root 600
/etc/ppp/pap-secrets root:root 600
# sysconfig files:
/etc/sysconfig/network/providers/ root:root 700
# utempter
/usr/sbin/utempter root:tty 2755
# ensure correct permissions on ssh files to avoid sshd refusing
# logins (bnc#398250)
/etc/ssh/ssh_host_key root:root 600
/etc/ssh/ssh_host_key.pub root:root 644
/etc/ssh/ssh_host_dsa_key root:root 600
/etc/ssh/ssh_host_dsa_key.pub root:root 644
/etc/ssh/ssh_host_rsa_key root:root 600
/etc/ssh/ssh_host_rsa_key.pub root:root 644
/etc/ssh/ssh_config root:root 644
/etc/ssh/sshd_config root:root 640
#
# legacy
#
# don't set the setuid bit on suidperl! Set it on sperl instead if
# you really need it as suidperl is a hardlink to perl nowadays.
/usr/bin/suidperl root:root 755
# cdrecord does not need to be setuid root as it uses resmgr for
# accessing the devices. Access to that one can be configured in
# /etc/resmgr.conf
/usr/bin/cdrecord root:root 755
# new traceroute program by Olaf Kirch does not need setuid root any more.
/usr/sbin/traceroute root:root 755
# netatalk printer daemon: sgid not needed any more with cups.
/usr/sbin/papd root:lp 0755
# games:games 775 safe as long as we don't change files below it (#103186)
# still people do it (#429882) so root:root 755 is the consequence.
/var/games/ root:root 0755
# No longer common. Set setuid bit yourself if you need it
# (#66191)
#/usr/bin/ziptool root:trusted 4750
#
# udev static devices (#438039)
#
/lib/udev/devices/net/tun root:root 0666
/lib/udev/devices/null root:root 0666
/lib/udev/devices/ptmx root:tty 0666
/lib/udev/devices/tty root:tty 0666
/lib/udev/devices/zero root:root 0666
#
# directory for system crash dumps (#438041)
#
/var/crash/ root:root 1777
#
# named chroot (#438045)
#
/var/lib/named/dev/null root:root 0666
/var/lib/named/dev/random root:root 0666

3
permissions-2009.08.24.1152.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:93f8bb126cf82a643030902d002344e9bfc3a5dea03b909ae1192aae7ac1fa21
size 17497

17
permissions.changes
View File

@ -1,3 +1,20 @@
-------------------------------------------------------------------
Mon Aug 24 09:53:25 UTC 2009 - lnussel@suse.de
- remove permissions handling for traceroute6 and cdrecord which are
symlinks nowadays
-------------------------------------------------------------------
Thu Aug 20 08:30:02 UTC 2009 - lnussel@suse.de
- fix weird sendfax permissions (bnc#525954)
-------------------------------------------------------------------
Wed Aug 19 11:17:53 UTC 2009 - lnussel@suse.de
- permissions now maintained at gitorious so use tarball instead of
individual files
-------------------------------------------------------------------
Wed Aug 12 09:57:12 CEST 2009 - meissner@suse.de

417
permissions.easy
View File

@ -1,417 +0,0 @@
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2001
#
#
# See /etc/permissions for general hints on how to use this file.
#
# /etc/permissions.easy is set up for the use in a standalone and single-user
# installation to make things "work" out-of-the box.
# Some of the settings might be considered somewhat lax from the security
# standpoint. These aspects are handled differently in the permissions.secure
# file.
#
#
# Directories
#
# lock file for emacs
/var/lib/xemacs/lock/ root:root 1777
# for screen's session sockets:
/var/run/uscreens/ root:root 1777
#
# /etc
#
/etc/crontab root:root 644
/etc/exports root:root 644
/etc/fstab root:root 644
# we don't package it
/etc/ftpaccess root:root 644
/etc/ftpusers root:root 644
/etc/inetd.conf root:root 644
/etc/inittab root:root 644
/etc/mtab root:root 644
/etc/rmtab root:root 644
/var/lib/nfs/rmtab root:root 644
/etc/syslog.conf root:root 644
#
# suid system programs that need the suid bit to work:
#
/bin/su root:root 4755
/usr/bin/at root:trusted 4755
/usr/bin/crontab root:trusted 4755
/usr/bin/gpasswd root:shadow 4755
/usr/bin/newgrp root:root 4755
/usr/bin/passwd root:shadow 4755
/usr/bin/chfn root:shadow 4755
/usr/bin/chage root:shadow 4755
/usr/bin/chsh root:shadow 4755
/usr/bin/expiry root:shadow 4755
# the default configuration of the sudo package in SuSE distribution is to
# intimidate users.
/usr/bin/sudo root:root 4755
/usr/sbin/su-wrapper root:root 4755
# opie password system
# #66303
/usr/bin/opiepasswd root:root 4755
/usr/bin/opiesu root:root 4755
# "user" entries in /etc/fstab make mount work for non-root users:
/usr/bin/ncpmount root:trusted 4750
/usr/bin/ncpumount root:trusted 4750
# #331020
/sbin/mount.nfs root:root 4755
# mount/umount have had their problems already:
/bin/mount root:root 4755
/bin/umount root:root 4755
/bin/eject root:audio 4755
#
# #133657
/usr/bin/fusermount root:trusted 4755
# #66203
/usr/lib/majordomo/wrapper root:daemon 4755
# glibc backwards compatibility
/usr/lib/pt_chown root:root 4755
/usr/lib64/pt_chown root:root 4755
# needs setuid root when using shadow via NIS:
# #216816
/sbin/unix_chkpwd root:shadow 4755
/sbin/unix2_chkpwd root:shadow 4755
# qpopper
/usr/sbin/popauth pop:trusted 4755
# from the squid package
/usr/sbin/pam_auth root:shadow 4755
# still to be converted to utempter
/usr/lib/vte/gnome-pty-helper root:tty 2755
#
# mixed section:
#
#########################################################################
# rpm subsystem:
/usr/src/packages/SOURCES/ root:root 1777
/usr/src/packages/BUILD/ root:root 1777
/usr/src/packages/RPMS/ root:root 1777
/usr/src/packages/RPMS/alpha/ root:root 1777
/usr/src/packages/RPMS/alphaev56/ root:root 1777
/usr/src/packages/RPMS/alphaev67/ root:root 1777
/usr/src/packages/RPMS/alphaev6/ root:root 1777
/usr/src/packages/RPMS/arm4l/ root:root 1777
/usr/src/packages/RPMS/athlon/ root:root 1777
/usr/src/packages/RPMS/i386/ root:root 1777
/usr/src/packages/RPMS/i486/ root:root 1777
/usr/src/packages/RPMS/i586/ root:root 1777
/usr/src/packages/RPMS/i686/ root:root 1777
/usr/src/packages/RPMS/ia64/ root:root 1777
/usr/src/packages/RPMS/mips/ root:root 1777
/usr/src/packages/RPMS/ppc/ root:root 1777
/usr/src/packages/RPMS/ppc64/ root:root 1777
/usr/src/packages/RPMS/powerpc/ root:root 1777
/usr/src/packages/RPMS/powerpc64/ root:root 1777
/usr/src/packages/RPMS/s390/ root:root 1777
/usr/src/packages/RPMS/s390x/ root:root 1777
/usr/src/packages/RPMS/sparc/ root:root 1777
/usr/src/packages/RPMS/sparcv9/ root:root 1777
/usr/src/packages/RPMS/sparc64/ root:root 1777
/usr/src/packages/RPMS/x86_64/ root:root 1777
/usr/src/packages/RPMS/armv4l/ root:root 1777
/usr/src/packages/RPMS/hppa/ root:root 1777
/usr/src/packages/RPMS/hppa2.0/ root:root 1777
/usr/src/packages/RPMS/noarch/ root:root 1777
/usr/src/packages/SPECS/ root:root 1777
/usr/src/packages/SRPMS/ root:root 1777
#########################################################################
# video
/usr/bin/v4l-conf root:video 4755
# Itanium ia32 emulator
/usr/lib/ia32el/suid_ia32x_loader root:root 4755
# scotty:
# #66211
/usr/bin/ntping root:trusted 4750
# screen savers:
/usr/bin/vlock root:shadow 2755
/usr/bin/Xorg root:root 4711
# turn off write and wall by disabling sgid tty:
/usr/bin/wall root:tty 2755
/usr/bin/write root:tty 2755
# thttpd:
/usr/bin/makeweb root:www 2755
# yaps, pager software, accesses /dev/ttyS?
/usr/bin/yaps root:uucp 2755
# ncpfs tool
/usr/bin/nwsfind root:trusted 4750
/usr/bin/ncplogin root:trusted 4750
/usr/bin/ncpmap root:trusted 4750
# lpdfilter:
# checks itself that only lp and root can call it
/usr/lib/lpdfilter/bin/runlpr root:root 4755
# pcmcia:
# Needs setuid to eject cards (#100120)
/sbin/pccardctl root:trusted 4755
# gnokii nokia cellphone software
# #66209
/usr/sbin/mgnokiidev root:uucp 4755
# pcp, performance co-pilot
# setuid root is used to write /var/log/pcp/NOTICES
# #66205
/usr/lib/pcp/pmpost root:root 4755
# mailman mailing list software
# #66315
/usr/lib/mailman/cgi-bin/admin root:mailman 2755
/usr/lib/mailman/cgi-bin/admindb root:mailman 2755
/usr/lib/mailman/cgi-bin/edithtml root:mailman 2755
/usr/lib/mailman/cgi-bin/listinfo root:mailman 2755
/usr/lib/mailman/cgi-bin/options root:mailman 2755
/usr/lib/mailman/cgi-bin/private root:mailman 2755
/usr/lib/mailman/cgi-bin/roster root:mailman 2755
/usr/lib/mailman/cgi-bin/subscribe root:mailman 2755
/usr/lib/mailman/cgi-bin/confirm root:mailman 2755
/usr/lib/mailman/cgi-bin/create root:mailman 2755
/usr/lib/mailman/cgi-bin/editarch root:mailman 2755
/usr/lib/mailman/cgi-bin/rmlist root:mailman 2755
/usr/lib/mailman/mail/mailman root:mailman 2755
# libgnomesu (#75823, #175616)
/usr/lib/libgnomesu/gnomesu-pam-backend root:root 4755
# control-center2 (#104993)
/usr/sbin/change-passwd root:root 4755
#
# cups (#66305,#406058)
#
/usr/bin/lppasswd lp:lp 2755
#
# smb printing with kerberos authentication (#177114)
#
/usr/bin/get_printing_ticket root:lp 4750
#
# networking (need root for the privileged socket)
#
/bin/ping root:root 4755
/bin/ping6 root:root 4755
/usr/sbin/traceroute6 root:root 4755
# mtr is linked against ncurses. For dialout only.
/usr/sbin/mtr root:dialout 4750
/usr/bin/rcp root:root 4755
/usr/bin/rlogin root:root 4755
/usr/bin/rsh root:root 4755
# heartbeat #66310
# cl_status needs to be allowed to connect to the heartbeat API. If the setgid
# bit is removed, one can manually add users to the haclient group instead.
/usr/bin/cl_status root:haclient 2555
# exim
/usr/sbin/exim root:root 4755
#
# dialup networking programs
#
/usr/sbin/pppoe-wrapper root:dialout 4750
# i4l package (#100750):
/sbin/isdnctrl root:dialout 4750
# #66111
/usr/bin/vboxbeep root:trusted 4755
#
# linux text console utilities
#
# setuid needed on the text console to set the terminal content on ctrl-o
# #66112
/usr/lib/mc/cons.saver root:root 4755
#
# terminal emulators
# This and future SuSE products have support for the utempter, a small helper
# program that does the utmp/wtmp update work with the necessary rights.
# The use of utempter obsoletes the need for sgid bits on terminal emulator
# binaries. We mention screen here, but all other terminal emulators have
# moved to /etc/permissions, with modes set to 0755.
# needs setuid to access /dev/console
# framebuffer terminal emulator (japanese)
/usr/bin/jfbterm root:tty 6755
#
# kde
# (all of them are disabled in permissions.secure except for
# the helper programs)
#
# arts wrapper, normally suid root:
/opt/kde3/bin/artswrapper root:root 4755
# needs setuid root when using shadow via NIS:
# #66218
/opt/kde3/bin/kcheckpass root:shadow 4755
/usr/lib/kde4/libexec/kcheckpass root:shadow 4755
/usr/lib64/kde4/libexec/kcheckpass root:shadow 4755
# This has a meaning... hmm...
/opt/kde3/bin/kdesud root:nogroup 2755
/usr/lib/kde4/libexec/kdesud root:nogroup 2755
/usr/lib64/kde4/libexec/kdesud root:nogroup 2755
# used for getting proxy settings from dhcp
/opt/kde3/bin/kpac_dhcp_helper root:root 4755
# used to distract the oom killer
# #203535
/opt/kde3/bin/start_kdeinit root:root 4755
# bnc#523833
/usr/lib/kde4/libexec/start_kdeinit root:root 4755
/usr/lib64/kde4/libexec/start_kdeinit root:root 4755
# edits /etc/smb.conf
# #66312
/usr/bin/fileshareset root:root 4755
#
# amanda
#
/usr/sbin/amcheck root:amanda 4750
/usr/lib/amanda/calcsize root:amanda 4750
/usr/lib/amanda/rundump root:amanda 4750
/usr/lib/amanda/planner root:amanda 4750
/usr/lib/amanda/runtar root:amanda 4750
/usr/lib/amanda/dumper root:amanda 4750
/usr/lib/amanda/killpgrp root:amanda 4750
#
# gnats
#
/usr/lib/gnats/gen-index gnats:root 4555
/usr/lib/gnats/pr-edit gnats:root 4555
/usr/lib/gnats/queue-pr gnats:root 4555
#
# news (inn)
#
# the inn start script changes it's uid to news:news. Later innstart and
# innfeed are called by this user. Those programs do not need to be called by
# anyone else, therefore the strange permissions 4554 are required for
# operation. (#67032)
#
/usr/lib/news/bin/rnews news:uucp 4550
/usr/lib/news/bin/startinnfeed root:news 4554
/usr/lib/news/bin/inndstart root:news 4554
/usr/lib/news/bin/inews news:news 2555
#
# sendfax
#
/usr/lib/mgetty+sendfax/faxq-helper fax:root 4711
/var/spool/fax/outgoing/ fax:root 1755
/var/spool/fax/outgoing/locks fax:root 0777
#
# uucp
#
/var/spool/uucppublic/ root:root 1777
/usr/bin/uucp uucp:uucp 6555
/usr/bin/uuname uucp:uucp 6555
/usr/bin/uustat uucp:uucp 6555
/usr/bin/uux uucp:uucp 6555
/usr/lib/uucp/uucico uucp:uucp 6555
/usr/lib/uucp/uuxqt uucp:uucp 6555
#
# games of all kinds, toys
#
# bsd-games
/usr/games/atc games:games 2755
/usr/games/battlestar games:games 2755
/usr/games/canfield games:games 2755
/usr/games/cribbage games:games 2755
/usr/games/phantasia games:games 2755
/usr/games/robots games:games 2755
/usr/games/sail games:games 2755
/usr/games/snake games:games 2755
/usr/games/tetris-bsd games:games 2755
# Maelstrom
/usr/games/Maelstrom games:games 2755
# pachi
/usr/games/pachi games:games 2755
/usr/games/martian games:games 2755
# nethack
/usr/lib/nethack/nethack.tty games:games 2755
# chromium,
/usr/games/chromium games:games 2755
# xscrabble
/usr/games/xscrab games:games 2755
# trackballs
/usr/games/trackballs games:games 2755
# ltris
/usr/games/ltris games:games 2755
# xlogical
/usr/games/xlogical games:games 2755
# lbreakout
/usr/games/lbreakout2 games:games 2755
# xgalaga
/usr/bin/xgalaga games:games 2755
# rocksndiamonds
/usr/games/rocksndiamonds games:games 2755
# gnome-games
/usr/bin/glines games:games 2755
/usr/bin/gnibbles games:games 2755
/usr/bin/gnobots2 games:games 2755
/usr/bin/gnometris games:games 2755
/usr/bin/gnomine games:games 2755
/usr/bin/gnotravex games:games 2755
/usr/bin/gnotski games:games 2755
/usr/bin/gtali games:games 2755
/usr/bin/mahjongg games:games 2755
/usr/bin/same-gnome games:games 2755
# zypp (#385207)
/usr/sbin/zypp-refresh-wrapper root:root 4755
# PolicyKit (#295341)
/usr/lib/PolicyKit/polkit-set-default-helper polkituser:root 4755
/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 4750
# polkit new (bnc#523377)
/usr/lib/polkit-1/polkit-agent-helper-1 root:root 4755
/usr/bin/pkexec root:root 4755
# dbus-1 (#333361)
/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
# policycoreutils (#440596)
/usr/bin/newrole root:root 4755
# VirtualBox (#429725)
/usr/lib/virtualbox/VirtualBox root:vboxusers 4750
/usr/lib/virtualbox/VirtualBox3 root:vboxusers 4750
/usr/lib/virtualbox/VBoxBFE root:vboxusers 4750
/usr/lib/virtualbox/VBoxHeadless root:vboxusers 4750
/usr/lib/virtualbox/VBoxSDL root:vboxusers 4750
# open-vm-tools (bnc#474285)
/usr/bin/vmware-user-suid-wrapper root:root 4755

32
permissions.local
View File

@ -1,32 +0,0 @@
#
# /etc/permissions.local
#
# This file is used by SuSEconfig and chkstat to check or set the modes
# and ownerships of files and directories in the installation.
#
# In particular, this file will not be touched during an upgrade of the
# SuSE Linux installation. It is designed to be a placeholder for local
# additions by the administrator of the system to reflect filemodes
# of locally installed packages or to override file permissions as
# shipped with the distribution.
#
# Format:
# <file> <owner>:<group> <permission>
#
# Please see the file /etc/permissions for general usage hints of the
# /etc/permissions* files.
# Keep in mind that this file (/etc/permissions.local) is being used by
# default by SuSEconfig, the shell script that is used by yast and yast2
# after package installation and configuration changes to make the changes
# effective for the respective packages (eg generating the "real"
# configuration files).
# Always check if there are no conflicts between your "local" changes here
# and the settings in the other permissions files by calling
# "SuSEconfig" as root!
# Please remember that logfiles might be modified by the logfile
# rotation facilities (e.g. logrotate) so settings entered here might
# be overridden.
# This file needs to end with a newline.
#
# example:
#/usr/bin/sperl5.8.8 root:root 4755

431
permissions.paranoid
View File

@ -1,431 +0,0 @@
# /etc/permissions.paranoid
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2001
#
#
# See /etc/permissions for general hints on how to use this file.
#
# /etc/permissions.paranoid is NOT designed to be used in a single-user as
# well as a multi-user installation, be it networked or not.
# Derived from /etc/permissions.secure, it has _all_ sgid and suid bits
# cleared - therefore, the system might be useable for non-privileged users
# except for simple tasks like changing passwords and such. In addition,
# some of the configuration files are not readable for world any more.
#
# Feel free to use this file as a basis of a system configuration that meets
# your understanding of "secure", for the case that you're a bit paranoid.
# Since there is no such thing as "it works" with this configuration, please
# use these settings with care. Some experience on behalf of the administrator
# is needed to have a system running flawlessly when users are present.
# In particular, all terminal emulators will not be able to write to utmp
# and wtmp any more, which renders who(1) and finger(1) useless.
#
# Please always keep in mind that your system listens on network sockets
# in the default configuration. Change this by disabling the services that
# you do not need or by restricting access to them using packet filters
# or tcp wrappers (see hosts_access(5)) to gain a higher level of security
# in your system.
#
# Directories
#
# no lock files for emacs:
/var/lib/xemacs/lock/ root:trusted 1775
# for screen's session sockets:
/var/run/uscreens/ root:trusted 1775
#
# /etc
#
/etc/crontab root:root 600
/etc/exports root:root 600
/etc/fstab root:root 600
/etc/ftpaccess root:root 600
/etc/ftpusers root:root 600
/etc/inetd.conf root:root 600
/etc/inittab root:root 600
/etc/mtab root:root 600
/etc/rmtab root:root 600
/var/lib/nfs/rmtab root:root 600
/etc/syslog.conf root:root 600
#
# suid system programs that need the suid bit to work:
#
/bin/su root:root 0755
# disable at and cron for non-root users
/usr/bin/at root:trusted 0755
/usr/bin/crontab root:trusted 0755
/usr/bin/gpasswd root:shadow 0755
/usr/bin/newgrp root:root 0755
/usr/bin/passwd root:shadow 0755
/usr/bin/chfn root:shadow 0755
/usr/bin/chage root:shadow 0755
/usr/bin/chsh root:shadow 0755
/usr/bin/expiry root:shadow 0755
# the default configuration of the sudo package in SuSE distribution is to
# intimidate users.
/usr/bin/sudo root:root 0755
/usr/sbin/su-wrapper root:root 0755
# opie password system
# #66303
/usr/bin/opiepasswd root:root 0755
/usr/bin/opiesu root:root 0755
# "user" entries in /etc/fstab make mount work for non-root users:
/usr/bin/ncpmount root:trusted 0755
/usr/bin/ncpumount root:trusted 0755
# #331020
/sbin/mount.nfs root:root 0755
# mount/umount have had their problems already:
/bin/mount root:root 0755
/bin/umount root:root 0755
/bin/eject root:audio 0755
#
# #133657
/usr/bin/fusermount root:trusted 0755
# #66203
/usr/lib/majordomo/wrapper root:daemon 0755
# glibc backwards compatibility
/usr/lib/pt_chown root:root 0755
/usr/lib64/pt_chown root:root 0755
# needs setuid root when using shadow via NIS:
# #216816
/sbin/unix_chkpwd root:shadow 0755
/sbin/unix2_chkpwd root:shadow 0755
# qpopper
/usr/sbin/popauth pop:trusted 0755
# from the squid package
/usr/sbin/pam_auth root:shadow 0755
# still to be converted to utempter
/usr/lib/vte/gnome-pty-helper root:tty 0755
#
# mixed section: most of it is disabled in this permissions.secure:
#
#########################################################################
# rpm subsystem:
/usr/src/packages/SOURCES/ root:root 700
/usr/src/packages/BUILD/ root:root 700
/usr/src/packages/RPMS/ root:root 700
/usr/src/packages/RPMS/alpha/ root:root 700
/usr/src/packages/RPMS/alphaev56/ root:root 700
/usr/src/packages/RPMS/alphaev67/ root:root 700
/usr/src/packages/RPMS/alphaev6/ root:root 700
/usr/src/packages/RPMS/arm4l/ root:root 700
/usr/src/packages/RPMS/athlon/ root:root 700
/usr/src/packages/RPMS/i386/ root:root 700
/usr/src/packages/RPMS/i486/ root:root 700
/usr/src/packages/RPMS/i586/ root:root 700
/usr/src/packages/RPMS/i686/ root:root 700
/usr/src/packages/RPMS/ia64/ root:root 700
/usr/src/packages/RPMS/mips/ root:root 700
/usr/src/packages/RPMS/ppc/ root:root 700
/usr/src/packages/RPMS/ppc64/ root:root 700
/usr/src/packages/RPMS/powerpc/ root:root 700
/usr/src/packages/RPMS/powerpc64/ root:root 700
/usr/src/packages/RPMS/s390/ root:root 700
/usr/src/packages/RPMS/s390x/ root:root 700
/usr/src/packages/RPMS/sparc/ root:root 700
/usr/src/packages/RPMS/sparcv9/ root:root 700
/usr/src/packages/RPMS/sparc64/ root:root 700
/usr/src/packages/RPMS/x86_64/ root:root 700
/usr/src/packages/RPMS/armv4l/ root:root 700
/usr/src/packages/RPMS/hppa/ root:root 700
/usr/src/packages/RPMS/hppa2.0/ root:root 700
/usr/src/packages/RPMS/noarch/ root:root 700
/usr/src/packages/SPECS/ root:root 700
/usr/src/packages/SRPMS/ root:root 700
#########################################################################
# video
/usr/bin/v4l-conf root:video 0755
# Itanium ia32 emulator
/usr/lib/ia32el/suid_ia32x_loader root:root 0755
#########################################################################
# scotty:
# #66211
/usr/bin/ntping root:trusted 0755
# This is not extensively tested.
/usr/bin/vlock root:shadow 0755
/usr/bin/Xorg root:root 0711
# turned off write and wall by disabling sgid tty:
/usr/bin/wall root:tty 0755
/usr/bin/write root:tty 0755
# thttpd
/usr/bin/makeweb root:www 0750
# yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp.
/usr/bin/yaps root:uucp 0755
# ncpfs tool: trusted only
/usr/bin/nwsfind root:trusted 0750
/usr/bin/ncplogin root:trusted 0750
/usr/bin/ncpmap root:trusted 0750
# lpdfilter:
# checks itself that only lp and root can call it
/usr/lib/lpdfilter/bin/runlpr root:root 0755
# pcmcia:
# Needs setuid to eject cards (#100120)
/sbin/pccardctl root:trusted 0755
# gnokii nokia cellphone software
# #66209
/usr/sbin/mgnokiidev root:uucp 755
# pcp, performance co-pilot
# setuid root is used to write /var/log/pcp/NOTICES
# #66205
/usr/lib/pcp/pmpost root:trusted 0755
# mailman mailing list software
# #66315
/usr/lib/mailman/cgi-bin/admin root:mailman 0755
/usr/lib/mailman/cgi-bin/admindb root:mailman 0755
/usr/lib/mailman/cgi-bin/edithtml root:mailman 0755
/usr/lib/mailman/cgi-bin/listinfo root:mailman 0755
/usr/lib/mailman/cgi-bin/options root:mailman 0755
/usr/lib/mailman/cgi-bin/private root:mailman 0755
/usr/lib/mailman/cgi-bin/roster root:mailman 0755
/usr/lib/mailman/cgi-bin/subscribe root:mailman 0755
/usr/lib/mailman/cgi-bin/confirm root:mailman 0755
/usr/lib/mailman/cgi-bin/create root:mailman 0755
/usr/lib/mailman/cgi-bin/editarch root:mailman 0755
/usr/lib/mailman/cgi-bin/rmlist root:mailman 0755
/usr/lib/mailman/mail/mailman root:mailman 0755
# libgnomesu (#75823, #175616)
/usr/lib/libgnomesu/gnomesu-pam-backend root:root 0755
# control-center2 (#104993)
/usr/sbin/change-passwd root:root 0755
#
# cups (#66305,#406058)
#
/usr/bin/lppasswd lp:lp 0755
#
# smb printing with kerberos authentication (#177114)
#
/usr/bin/get_printing_ticket root:lp 0755
#
# networking (need root for the privileged socket)
#
/bin/ping root:root 0755
/bin/ping6 root:root 0755
/usr/sbin/traceroute6 root:root 0755
# mtr is linked against ncurses.
/usr/sbin/mtr root:dialout 0755
/usr/bin/rcp root:root 0755
/usr/bin/rlogin root:root 0755
/usr/bin/rsh root:root 0755
# heartbeat #66310
# cl_status needs to be allowed to connect to the heartbeat API. If the setgid
# bit is removed, one can manually add users to the haclient group instead.
/usr/bin/cl_status root:haclient 0555
# exim
/usr/sbin/exim root:root 0755
#
# dialup networking programs
#
/usr/sbin/pppoe-wrapper root:dialout 0750
# i4l package (#100750):
/sbin/isdnctrl root:dialout 0750
# #66111
/usr/bin/vboxbeep root:trusted 0755
#
# linux text console utilities
#
# setuid needed on the text console to set the terminal content on ctrl-o
# #66112
/usr/lib/mc/cons.saver root:root 0755
#
# terminal emulators
# This and future SuSE products have support for the utempter, a small helper
# program that does the utmp/wtmp update work with the necessary rights.
# The use of utempter obsoletes the need for sgid bits on terminal emulator
# binaries. We mention screen here, but all other terminal emulators have
# moved to /etc/permissions, with modes set to 0755.
# framebuffer terminal emulator (japanese).
/usr/bin/jfbterm root:tty 0755
#
# kde
#
# arts wrapper, normally suid root:
/opt/kde3/bin/artswrapper root:root 0755
# needs setuid root when using shadow via NIS:
# #66218
/opt/kde3/bin/kcheckpass root:shadow 0755
/usr/lib/kde4/libexec/kcheckpass root:shadow 0755
/usr/lib64/kde4/libexec/kcheckpass root:shadow 0755
# This has a meaning... hmm...
/opt/kde3/bin/kdesud root:nogroup 0755
/usr/lib/kde4/libexec/kdesud root:nogroup 0755
/usr/lib64/kde4/libexec/kdesud root:nogroup 0755
# used for getting proxy settings from dhcp
/opt/kde3/bin/kpac_dhcp_helper root:root 0755
# used to distract the oom killer
# #203535
/opt/kde3/bin/start_kdeinit root:root 0755
# bnc#523833
/usr/lib/kde4/libexec/start_kdeinit root:root 0755
/usr/lib64/kde4/libexec/start_kdeinit root:root 0755
# edits /etc/smb.conf
# #66312
/usr/bin/fileshareset root:root 0755
#
# amanda
#
/usr/sbin/amcheck root:amanda 0750
/usr/lib/amanda/calcsize root:amanda 0750
/usr/lib/amanda/rundump root:amanda 0750
/usr/lib/amanda/planner root:amanda 0750
/usr/lib/amanda/runtar root:amanda 0750
/usr/lib/amanda/dumper root:amanda 0750
/usr/lib/amanda/killpgrp root:amanda 0750
#
# gnats
#
/usr/lib/gnats/gen-index gnats:root 0555
/usr/lib/gnats/pr-edit gnats:root 0555
/usr/lib/gnats/queue-pr gnats:root 0555
#
# news (inn)
#
# the inn start script changes it's uid to news:news. Later innstart and
# innfeed are called by this user. Those programs do not need to be called by
# anyone else, therefore the strange permissions 4554 are required for
# operation. (#67032)
#
/usr/lib/news/bin/rnews news:uucp 0555
/usr/lib/news/bin/startinnfeed root:news 0555
/usr/lib/news/bin/inndstart root:news 0555
/usr/lib/news/bin/inews news:news 0555
#
# sendfax
#
# restrictive, only for "trusted" group users:
/usr/lib/mgetty+sendfax/faxq-helper fax:root 0711
/var/spool/fax/outgoing/ fax:trusted 1770
/var/spool/fax/outgoing/locks fax:trusted 1770
#
# uucp
#
/var/spool/uucppublic/ root:uucp 1770
/usr/bin/uucp uucp:uucp 0555
/usr/bin/uuname uucp:uucp 0555
/usr/bin/uustat uucp:uucp 0555
/usr/bin/uux uucp:uucp 0555
/usr/lib/uucp/uucico uucp:uucp 0555
/usr/lib/uucp/uuxqt uucp:uucp 0555
#
# games of all kinds, toys
#
# bsd-games
/usr/games/atc games:games 0755
/usr/games/battlestar games:games 0755
/usr/games/canfield games:games 0755
/usr/games/cribbage games:games 0755
/usr/games/phantasia games:games 0755
/usr/games/robots games:games 0755
/usr/games/sail games:games 0755
/usr/games/snake games:games 0755
/usr/games/tetris-bsd games:games 0755
# Maelstrom
/usr/games/Maelstrom games:games 0755
# pachi
/usr/games/pachi games:games 0755
/usr/games/martian games:games 0755
# nethack
/usr/lib/nethack/nethack.tty games:games 0755
# chromium,
/usr/games/chromium games:games 0755
# xscrabble
/usr/games/xscrab games:games 0755
# trackballs
/usr/games/trackballs games:games 0755
# ltris
/usr/games/ltris games:games 0755
# xlogical
/usr/games/xlogical games:games 0755
# lbreakout
/usr/games/lbreakout2 games:games 0755
# xgalaga
/usr/bin/xgalaga games:games 0755
# rocksndiamonds
/usr/games/rocksndiamonds games:games 0755
# gnome-games
/usr/bin/glines games:games 0755
/usr/bin/gnibbles games:games 0755
/usr/bin/gnobots2 games:games 0755
/usr/bin/gnometris games:games 0755
/usr/bin/gnomine games:games 0755
/usr/bin/gnotravex games:games 0755
/usr/bin/gnotski games:games 0755
/usr/bin/gtali games:games 0755
/usr/bin/mahjongg games:games 0755
/usr/bin/same-gnome games:games 0755
# zypp (#385207)
/usr/sbin/zypp-refresh-wrapper root:root 0755
# PolicyKit (#295341)
/usr/lib/PolicyKit/polkit-set-default-helper root:polkituser 0755
/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 0755
/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 0755
/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 0755
/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 0755
/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 0755
# polkit new (bnc#523377)
/usr/lib/polkit-1/polkit-agent-helper-1 root:root 0755
/usr/bin/pkexec root:root 0755
# dbus-1 (#333361)
/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 0750
/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 0750
# policycoreutils (#440596)
/usr/bin/newrole root:root 0755
# VirtualBox (#429725)
/usr/lib/virtualbox/VirtualBox root:vboxusers 0755
/usr/lib/virtualbox/VirtualBox3 root:vboxusers 0755
/usr/lib/virtualbox/VBoxBFE root:vboxusers 0755
/usr/lib/virtualbox/VBoxHeadless root:vboxusers 0755
/usr/lib/virtualbox/VBoxSDL root:vboxusers 0755
# open-vm-tools (bnc#474285)
/usr/bin/vmware-user-suid-wrapper root:root 0755

456
permissions.secure
View File

@ -1,456 +0,0 @@
# /etc/permissions.secure
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2001
#
#
# See /etc/permissions for general hints on how to use this file.
#
# /etc/permissions.secure is designed for the use in a multi-user and
# networked installation. Most privileged file modes are disabled here.
# Many programs that still have their suid- or sgid-modes have had their
# security problems in the past already.
# The primary target of this configuration is to make the basic things
# such as changing passwords, the basic networking programs as well as
# some of the all-day work programs properly function for the unprivileged
# user. The dial-out packages are executable for users belonging to the
# "dialout" group - therefore, these users are to be treated "privileged".
# Packages such as (remote-) batch queueing systems, games, programs for
# the linux text console, everything linked against OOP libraries and
# most other exotic utilities are turned into unprivileged binary files
# in order for them not to cause any security problems if one or more of
# the programs turn out to have buffer overruns or otherwise locally
# exploitable programming errors.
# This file is not designed to make your system as closed and as restrictive
# as at all possible. In many cases, restricted access to a configuration
# file is of no use since the data used can be obtained from the /proc file
# system or interface configuration as well. Also, system programs such as
# /sbin/ifconfig or /sbin/route are not changed because nosey users can
# bring their own. "Security by obscurity" will add any significant
# security-related advantage to the system. Keep in mind that curiosity
# is a major motivation for your users to try to see behind the curtain.
#
# If you need the functionality of a program that usually runs as a
# privileged user, then use it as root, or, if you are not root, ask your
# system administrator for advice. In many cases, adding a user to the
# "trusted" group gives her access to the resources that are not accessible
# any more if the admin chose to select "secure" as the permissions default.
#
# Please make use of the diff program to see the differences between the
# permissions.easy and permissions.secure files if things don't work as
# they should and you suspect a permission or privilege problem.
# The word "easy" is a reference for the /etc/permissions.easy file.
#
# As usual, these settings are "suggested". If you feel so inclined,
# please feel free to change the modes in this files, but keep a log
# of your changes for future reference.
# Please always keep in mind that your system listens on network sockets
# in the default configuration. Change this by disabling the services that
# you do not need or by restricting access to them using packet filters
# or tcp wrappers (see hosts_access(5)) to gain a higher level of security
# in your system.
#
# Directories
#
# no lock files for emacs:
/var/lib/xemacs/lock/ root:trusted 1775
# for screen's session sockets:
/var/run/uscreens/ root:root 1777
#
# /etc
#
/etc/crontab root:root 600
/etc/exports root:root 644
/etc/fstab root:root 644
/etc/ftpaccess root:root 644
/etc/ftpusers root:root 644
/etc/inetd.conf root:root 644
/etc/inittab root:root 644
/etc/mtab root:root 644
/etc/rmtab root:root 644
/var/lib/nfs/rmtab root:root 644
/etc/syslog.conf root:root 600
#
# suid system programs that need the suid bit to work:
#
/bin/su root:root 4755
# disable at and cron for users that do not belnong to the group "trusted"
/usr/bin/at root:trusted 4750
/usr/bin/crontab root:trusted 4750
/usr/bin/gpasswd root:shadow 4755
/usr/bin/newgrp root:root 4755
/usr/bin/passwd root:shadow 4755
/usr/bin/chfn root:shadow 4755
/usr/bin/chage root:shadow 4755
/usr/bin/chsh root:shadow 4755
/usr/bin/expiry root:shadow 4755
# the default configuration of the sudo package in SuSE distribution is to
# intimidate users.
/usr/bin/sudo root:root 4755
/usr/sbin/su-wrapper root:root 0755
# opie password system
# #66303
/usr/bin/opiepasswd root:root 4755
/usr/bin/opiesu root:root 4755
# "user" entries in /etc/fstab make mount work for non-root users:
/usr/bin/ncpmount root:trusted 4750
/usr/bin/ncpumount root:trusted 4750
# #331020
/sbin/mount.nfs root:root 0755
# mount/umount have had their problems already:
/bin/mount root:root 4755
/bin/umount root:root 4755
/bin/eject root:audio 4750
#
# #133657
/usr/bin/fusermount root:trusted 4750
# #66203
/usr/lib/majordomo/wrapper root:daemon 4750
# glibc backwards compatibility
/usr/lib/pt_chown root:root 4755
/usr/lib64/pt_chown root:root 4755
# needs setuid root when using shadow via NIS:
# #216816
/sbin/unix_chkpwd root:shadow 4755
/sbin/unix2_chkpwd root:shadow 4755
# qpopper
/usr/sbin/popauth pop:trusted 4750
# from the squid package
/usr/sbin/pam_auth root:shadow 4755
# still to be converted to utempter
/usr/lib/vte/gnome-pty-helper root:tty 2755
#
# mixed section: most of it is disabled in this permissions.secure:
#
#########################################################################
# rpm subsystem:
/usr/src/packages/SOURCES/ root:root 755
/usr/src/packages/BUILD/ root:root 755
/usr/src/packages/RPMS/ root:root 755
/usr/src/packages/RPMS/alpha/ root:root 755
/usr/src/packages/RPMS/alphaev56/ root:root 755
/usr/src/packages/RPMS/alphaev67/ root:root 755
/usr/src/packages/RPMS/alphaev6/ root:root 755
/usr/src/packages/RPMS/arm4l/ root:root 755
/usr/src/packages/RPMS/athlon/ root:root 755
/usr/src/packages/RPMS/i386/ root:root 755
/usr/src/packages/RPMS/i486/ root:root 755
/usr/src/packages/RPMS/i586/ root:root 755
/usr/src/packages/RPMS/i686/ root:root 755
/usr/src/packages/RPMS/ia64/ root:root 755
/usr/src/packages/RPMS/mips/ root:root 755
/usr/src/packages/RPMS/ppc/ root:root 755
/usr/src/packages/RPMS/ppc64/ root:root 755
/usr/src/packages/RPMS/powerpc/ root:root 755
/usr/src/packages/RPMS/powerpc64/ root:root 755
/usr/src/packages/RPMS/s390/ root:root 755
/usr/src/packages/RPMS/s390x/ root:root 755
/usr/src/packages/RPMS/sparc/ root:root 755
/usr/src/packages/RPMS/sparcv9/ root:root 755
/usr/src/packages/RPMS/sparc64/ root:root 755
/usr/src/packages/RPMS/x86_64/ root:root 755
/usr/src/packages/RPMS/armv4l/ root:root 755
/usr/src/packages/RPMS/hppa/ root:root 755
/usr/src/packages/RPMS/hppa2.0/ root:root 755
/usr/src/packages/RPMS/noarch/ root:root 755
/usr/src/packages/SPECS/ root:root 755
/usr/src/packages/SRPMS/ root:root 755
#########################################################################
# video
/usr/bin/v4l-conf root:video 4750
# Itanium ia32 emulator
/usr/lib/ia32el/suid_ia32x_loader root:root 0755
# scotty:
# #66211
/usr/bin/ntping root:trusted 4750
# This is not extensively tested.
/usr/bin/vlock root:shadow 0755
/usr/bin/Xorg root:root 0711
# turned off write and wall by disabling sgid tty:
/usr/bin/wall root:tty 0755
/usr/bin/write root:tty 0755
# thttpd: sgid + executeable only for group www. Useless...
/usr/bin/makeweb root:www 2750
# yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp.
/usr/bin/yaps root:uucp 0755
# ncpfs tool: trusted only
/usr/bin/nwsfind root:trusted 4750
/usr/bin/ncplogin root:trusted 4750
/usr/bin/ncpmap root:trusted 4750
# lpdfilter:
# checks itself that only lp and root can call it
/usr/lib/lpdfilter/bin/runlpr root:root 4755
# pcmcia:
# Needs setuid to eject cards (#100120)
/sbin/pccardctl root:trusted 4750
# gnokii nokia cellphone software
# #66209
/usr/sbin/mgnokiidev root:uucp 755
# pcp, performance co-pilot
# setuid root is used to write /var/log/pcp/NOTICES
# #66205
/usr/lib/pcp/pmpost root:trusted 4750
# mailman mailing list software
# #66315
/usr/lib/mailman/cgi-bin/admin root:mailman 2755
/usr/lib/mailman/cgi-bin/admindb root:mailman 2755
/usr/lib/mailman/cgi-bin/edithtml root:mailman 2755
/usr/lib/mailman/cgi-bin/listinfo root:mailman 2755
/usr/lib/mailman/cgi-bin/options root:mailman 2755
/usr/lib/mailman/cgi-bin/private root:mailman 2755
/usr/lib/mailman/cgi-bin/roster root:mailman 2755
/usr/lib/mailman/cgi-bin/subscribe root:mailman 2755
/usr/lib/mailman/cgi-bin/confirm root:mailman 2755
/usr/lib/mailman/cgi-bin/create root:mailman 2755
/usr/lib/mailman/cgi-bin/editarch root:mailman 2755
/usr/lib/mailman/cgi-bin/rmlist root:mailman 2755
/usr/lib/mailman/mail/mailman root:mailman 2755
# libgnomesu (#75823, #175616)
/usr/lib/libgnomesu/gnomesu-pam-backend root:root 4755
# control-center2 (#104993)
/usr/sbin/change-passwd root:root 4755
#
# cups (#66305,#406058)
#
/usr/bin/lppasswd lp:lp 2755
#
# smb printing with kerberos authentication (#177114)
#
/usr/bin/get_printing_ticket root:lp 4750
#
# networking (need root for the privileged socket)
#
/bin/ping root:root 4755
/bin/ping6 root:root 4755
/usr/sbin/traceroute6 root:root 4755
# mtr is linked against ncurses. no suid bit, for root only:
/usr/sbin/mtr root:dialout 0755
/usr/bin/rcp root:root 4755
/usr/bin/rlogin root:root 4755
/usr/bin/rsh root:root 4755
# heartbeat #66310
# cl_status needs to be allowed to connect to the heartbeat API. If the setgid
# bit is removed, one can manually add users to the haclient group instead.
/usr/bin/cl_status root:haclient 2555
# exim
/usr/sbin/exim root:root 4755
#
# dialup networking programs
#
/usr/sbin/pppoe-wrapper root:dialout 4750
# i4l package (#100750):
/sbin/isdnctrl root:dialout 4750
# #66111
/usr/bin/vboxbeep root:trusted 0755
#
# linux text console utilities
#
# setuid needed on the text console to set the terminal content on ctrl-o
# #66112
/usr/lib/mc/cons.saver root:root 0755
#
# terminal emulators
# This and future SuSE products have support for the utempter, a small helper
# program that does the utmp/wtmp update work with the necessary rights.
# The use of utempter obsoletes the need for sgid bits on terminal emulator
# binaries. We mention screen here, but all other terminal emulators have
# moved to /etc/permissions, with modes set to 0755.
# needs setuid to access /dev/console
# framebuffer terminal emulator (japanese)
/usr/bin/jfbterm root:tty 0755
#
# kde
# (all of them are disabled in permissions.secure except for
# the helper programs)
#
# arts wrapper, normally suid root:
/opt/kde3/bin/artswrapper root:root 0755
# needs setuid root when using shadow via NIS:
# #66218
/opt/kde3/bin/kcheckpass root:shadow 4755
/usr/lib/kde4/libexec/kcheckpass root:shadow 4755
/usr/lib64/kde4/libexec/kcheckpass root:shadow 4755
# This has a meaning... hmm...
/opt/kde3/bin/kdesud root:nogroup 2755
/usr/lib/kde4/libexec/kdesud root:nogroup 2755
/usr/lib64/kde4/libexec/kdesud root:nogroup 2755
# used for getting proxy settings from dhcp
/opt/kde3/bin/kpac_dhcp_helper root:root 0755
# used to distract the oom killer
# #203535
/opt/kde3/bin/start_kdeinit root:root 4755
# bnc#523833
/usr/lib/kde4/libexec/start_kdeinit root:root 4755
/usr/lib64/kde4/libexec/start_kdeinit root:root 4755
# edits /etc/smb.conf
# #66312
/usr/bin/fileshareset root:root 0755
#
# amanda
#
/usr/sbin/amcheck root:amanda 0750
/usr/lib/amanda/calcsize root:amanda 0750
/usr/lib/amanda/rundump root:amanda 0750
/usr/lib/amanda/planner root:amanda 0750
/usr/lib/amanda/runtar root:amanda 0750
/usr/lib/amanda/dumper root:amanda 0750
/usr/lib/amanda/killpgrp root:amanda 0750
#
# gnats
#
/usr/lib/gnats/gen-index gnats:root 4555
/usr/lib/gnats/pr-edit gnats:root 4555
/usr/lib/gnats/queue-pr gnats:root 4555
#
# news (inn)
#
# the inn start script changes it's uid to news:news. Later innstart and
# innfeed are called by this user. Those programs do not need to be called by
# anyone else, therefore the strange permissions 4554 are required for
# operation. (#67032)
#
/usr/lib/news/bin/rnews news:uucp 4550
/usr/lib/news/bin/startinnfeed root:news 4554
/usr/lib/news/bin/inndstart root:news 4554
/usr/lib/news/bin/inews news:news 2555
#
# sendfax
#
# restrictive, only for "trusted" group users:
/usr/lib/mgetty+sendfax/faxq-helper fax:root 4711
/var/spool/fax/outgoing/ fax:root 0755
/var/spool/fax/outgoing/locks fax:root 0755
#
# uucp
#
/var/spool/uucppublic/ root:uucp 1770
/usr/bin/uucp uucp:uucp 6555
/usr/bin/uuname uucp:uucp 6555
/usr/bin/uustat uucp:uucp 6555
/usr/bin/uux uucp:uucp 6555
/usr/lib/uucp/uucico uucp:uucp 6555
/usr/lib/uucp/uuxqt uucp:uucp 6555
#
# games of all kinds, toys
# all suid and sgid bits cleared.
#
# bsd-games
/usr/games/atc games:games 0755
/usr/games/battlestar games:games 0755
/usr/games/canfield games:games 0755
/usr/games/cribbage games:games 0755
/usr/games/phantasia games:games 0755
/usr/games/robots games:games 0755
/usr/games/sail games:games 0755
/usr/games/snake games:games 0755
/usr/games/tetris-bsd games:games 0755
# Maelstrom
/usr/games/Maelstrom games:games 0755
# pachi
/usr/games/pachi games:games 0755
/usr/games/martian games:games 0755
# nethack
/usr/lib/nethack/nethack.tty games:games 0755
# chromium,
/usr/games/chromium games:games 0755
# xscrabble
/usr/games/xscrab games:games 0755
# trackballs
/usr/games/trackballs games:games 0755
# ltris
/usr/games/ltris games:games 0755
# xlogical
/usr/games/xlogical games:games 0755
# lbreakout
/usr/games/lbreakout2 games:games 0755
# xgalaga
/usr/bin/xgalaga games:games 0755
# rocksndiamonds
/usr/games/rocksndiamonds games:games 0755
# gnome-games
/usr/bin/glines games:games 0755
/usr/bin/gnibbles games:games 0755
/usr/bin/gnobots2 games:games 0755
/usr/bin/gnometris games:games 0755
/usr/bin/gnomine games:games 0755
/usr/bin/gnotravex games:games 0755
/usr/bin/gnotski games:games 0755
/usr/bin/gtali games:games 0755
/usr/bin/mahjongg games:games 0755
/usr/bin/same-gnome games:games 0755
# zypp (#385207)
/usr/sbin/zypp-refresh-wrapper root:root 0755
# PolicyKit (#295341)
/usr/lib/PolicyKit/polkit-set-default-helper polkituser:root 4755
/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 4750
# polkit new (bnc#523377)
/usr/lib/polkit-1/polkit-agent-helper-1 root:root 4755
/usr/bin/pkexec root:root 4755
# dbus-1 (#333361)
/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
# policycoreutils (#440596)
/usr/bin/newrole root:root 0755
# VirtualBox (#429725)
/usr/lib/virtualbox/VirtualBox root:vboxusers 0755
/usr/lib/virtualbox/VirtualBox3 root:vboxusers 0755
/usr/lib/virtualbox/VBoxBFE root:vboxusers 0755
/usr/lib/virtualbox/VBoxHeadless root:vboxusers 0755
/usr/lib/virtualbox/VBoxSDL root:vboxusers 0755
# open-vm-tools (bnc#474285)
/usr/bin/vmware-user-suid-wrapper root:root 0755

50
permissions.spec
View File

@ -1,5 +1,5 @@
#
# spec file for package permissions (Version 2009.8.13)
# spec file for package permissions (Version 2009.08.24.1152)
#
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@ -16,30 +16,22 @@
#
# norootforbuild
# icecream 0
Name: permissions
License: GPL v2 or later
Group: Productivity/Security
AutoReqProv: on
Version: 2009.8.13
Version: 2009.08.24.1152
Release: 1
Provides: aaa_base:/etc/permissions
Requires: /sbin/SuSEconfig
PreReq: %fillup_prereq
Summary: SUSE Linux Default Permissions
#Source: permissions.tar.bz2
Source1: SuSEconfig.permissions
Source2: chkstat.c
Source3: chkstat.8
Source4: sysconfig.security
Source5: permissions
Source6: permissions.easy
Source7: permissions.paranoid
Source8: permissions.secure
Source9: permissions.local
Source99: checkpermissionfiles.pl
Source: permissions-%{version}.tar.bz2
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Url: http://gitorious.org/opensuse/permissions
%description
This package contains specifications for permissions of specific files,
@ -51,39 +43,29 @@ local security setting (easy, secure, or paranoid) can be configured in
Authors:
--------
Werner Fink <werner@suse.de>
Roman Drahtmüller <draht@suse.de>
Werner Fink
Roman Drahtmüller
Michael Schröder
Ludwig Nussel
%prep
%setup -q
%build
gcc -Wall $RPM_OPT_FLAGS %{SOURCE2} -o chkstat
make CFLAGS="-W -Wall $RPM_OPT_FLAGS"
%install
mkdir -p $RPM_BUILD_ROOT/etc
mkdir -p $RPM_BUILD_ROOT%{_bindir}
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8
mkdir -p $RPM_BUILD_ROOT/sbin/conf.d
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 755 chkstat $RPM_BUILD_ROOT%{_bindir}
install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/sbin/conf.d
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_mandir}/man8
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE9} $RPM_BUILD_ROOT/etc
make DESTDIR="$RPM_BUILD_ROOT" install
%post
%{fillup_only -n security}
%files
%defattr(-,root,root,-)
/etc/permissions
/etc/permissions.easy
/etc/permissions.secure
/etc/permissions.paranoid
%config /etc/permissions
%config /etc/permissions.easy
%config /etc/permissions.secure
%config /etc/permissions.paranoid
%config(noreplace) /etc/permissions.local
%{_bindir}/chkstat
%{_mandir}/man8/chkstat.8*

25
sysconfig.security
View File

@ -1,25 +0,0 @@
## Path: System/Security/Permissions
## Description: Configuration of permissions on the system
## Type: list(set,warn,no)
## Default: set
## Config: permissions
#
# SuSEconfig can call chkstat to check permissions and ownerships for
# files and directories (using /etc/permissions).
# Setting to "set" will correct it, "warn" produces warnings, if
# something strange is found. Disable this feature with "no".
#
CHECK_PERMISSIONS="set"
## Type: string
## Default: "easy local"
#
# SuSE Linux contains two different configurations for
# chkstat. The differences can be found in /etc/permissions.secure
# and /etc/permissions.easy. If you create your own configuration
# (e.g. permissions.foo), you can enter the extension here as well.
#
# (easy/secure local foo whateveryouwant).
#
PERMISSION_SECURITY="easy local"