
# /etc/permissions
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2001
#
# This file is used by SuSEconfig and chkstat to check or set the modes
# and ownerships of files and directories in the installation.
#
# There is a set of files with similar meaning in a SuSE installation:
# /etc/permissions (This file)
# /etc/permissions.easy
# /etc/permissions.secure
# /etc/permissions.paranoid
# /etc/permissions.local
# Please see the respective files for their meaning.
#
#
# Format:
# <file> <owner>:<group> <permission>
#
# How it works:
# Change the entries as you like, then call
# `chkstat -set /etc/permissions' or /etc/permissions.{easy,secure,paranoid}
# respectively, or call `SuSEconfig', as YaST does after it thinks
# that files have been modified in the system.
#
# SuSEconfig will use /etc/permissions plus the /etc/permissions.*
# files whose suffixes are listed in the variable PERMISSION_SECURITY
# in /etc/sysconfig/security. By default, these are the files
# /etc/permissions, /etc/permissions.easy and /etc/permissions.local
# for local changes by the admin. In addition, the directory
# /etc/permissions.d/ can contain permission files that belong to
# the packages they modify file modes for. These permission files
# are to switch between conflicting file modes of the same file
# paths in different packages (popular example: sendmail and
# postfix, path /usr/sbin/sendmail).
#
# SuSEconfig's usage of the chkstat program can be turned off completely
# by setting CHECK_PERMISSIONS to "warn" in /etc/sysconfig/security.
#
# /etc/permissions is kept to the bare minimum. File modes that differ
# from the settings in this file should be considered broken.
#
# Please see the headers of the files
# /etc/permissions.easy
# /etc/permissions.secure
# /etc/permissions.paranoid
# as well as
# /etc/permissions.local
# for more information about their particular meaning and their setup.
#
# root directories:
#
# Every top-level directory is owned by root:root and writable by root
# only (755). The exceptions are /root, which is private to root (700),
# and /tmp with its X11/ICE socket directories, which are world-writable
# with the sticky bit (1777): any user may create entries, but only the
# entry's owner, the directory owner or root may remove or rename them.
#
/ root:root 755
/root root:root 700
/tmp root:root 1777
/tmp/.X11-unix/ root:root 1777
/tmp/.ICE-unix/ root:root 1777
/dev root:root 755
/bin root:root 755
/sbin root:root 755
/lib root:root 755
/etc root:root 755
/home root:root 755
/boot root:root 755
/opt root:root 755
/usr root:root 755
#
# /var:
#
# World-writable directories in this section (/var/tmp, vi.recover,
# /var/spool/mail, /var/cache/fonts) all carry the sticky bit (1777), so
# users cannot remove or rename each other's entries.
#
/var/tmp root:root 1777
/var/tmp/vi.recover/ root:root 1777
/var/log root:root 755
/var/spool root:root 755
# Job spools are private to the account that owns them (700/600).
/var/spool/atjobs at:at 700
/var/spool/atjobs/.SEQ at:at 600
/var/spool/atjobs/.lockfile at:at 600
/var/spool/atspool at:at 700
/var/spool/cron root:root 700
/var/spool/mqueue root:root 700
/var/spool/news news:news 775
/var/spool/uucp uucp:uucp 755
/var/spool/voice root:root 755
# NOTE(review): world-writable mail spool; confirm the local delivery
# agent needs 1777 rather than a group-writable spool.
/var/spool/mail root:root 1777
/var/adm root:root 755
/var/adm/backup root:root 700
/var/cache root:root 755
/var/cache/fonts root:root 1777
/var/cache/man man:root 755
/var/yp root:root 755
# Mode 666 lets any local account read and write the socket; presumably
# required so unprivileged processes can query nscd -- TODO confirm.
/var/run/nscd/socket root:root 666
/var/run/sudo root:root 700
#
# log files that do not grow remarkably
#
# faillog is readable and writable by root only.
/var/log/faillog root:root 600
# This file is not writeable by gid tty so that the information
# therein can be trusted.
# (644: root may write; group tty and everyone else may only read.)
/var/log/lastlog root:tty 644
#
# some device files
#
# zero, null and full are readable and writable by everyone (666).
/dev/zero root:root 666
/dev/null root:root 666
/dev/full root:root 666
/dev/ip root:root 660
/dev/initrd root:disk 660
# /dev/kmem exposes kernel memory: root may read and write it, group
# kmem may read it, everyone else has no access. Membership of group
# kmem is therefore security-sensitive and should be kept minimal.
/dev/kmem root:kmem 640
#
# /etc
#
# Files holding secrets are restricted to root (600) or to root plus a
# dedicated group (640); files that unprivileged programs must read
# stay world-readable (644) but are writable by root only.
#
# lilo.conf is root-only, presumably because it can contain a boot
# password -- TODO confirm.
/etc/lilo.conf root:root 600
/etc/passwd root:root 644
# Password hashes: readable by root and group shadow only.
/etc/shadow root:shadow 640
/etc/init.d root:root 755
/etc/HOSTNAME root:root 644
/etc/hosts root:root 644
# Changing the hosts_access(5) files causes trouble with services
# that do not run as root!
/etc/hosts.allow root:root 644
/etc/hosts.deny root:root 644
# hosts.equiv and hosts.lpd define host-based trust (r-services, lpd);
# they must never be writable by anyone but root.
/etc/hosts.equiv root:root 644
/etc/hosts.lpd root:root 644
/etc/ld.so.conf root:root 644
/etc/ld.so.cache root:root 644
# OPIE one-time-password key database: root only.
/etc/opiekeys root:root 600
# The ppp directory is accessible to group dialout, but the files with
# CHAP/PAP credentials below are readable by root only.
/etc/ppp root:dialout 750
/etc/ppp/chap-secrets root:root 600
/etc/ppp/pap-secrets root:root 600
# sysconfig files:
# NOTE(review): mode 700 suggests a directory private to root,
# presumably holding dial-up provider data -- TODO confirm.
/etc/sysconfig/network/providers root:root 700
# utempter
# Set-group-ID tty (2755): runs with group tty, not with root privileges.
/usr/sbin/utempter root:tty 2755
# ensure correct permissions on ssh files to avoid sshd refusing
# logins (bnc#398250)
# Private host keys are root-only (600); public keys and the client
# configuration are world-readable (644); sshd_config is 640.
# NOTE(review): ssh_host_key is the SSH protocol 1 key name and DSA
# host keys are deprecated in current OpenSSH. ECDSA/Ed25519 host keys
# are not listed here; check whether another permissions file covers
# them.
/etc/ssh/ssh_host_key root:root 600
/etc/ssh/ssh_host_key.pub root:root 644
/etc/ssh/ssh_host_dsa_key root:root 600
/etc/ssh/ssh_host_dsa_key.pub root:root 644
/etc/ssh/ssh_host_rsa_key root:root 600
/etc/ssh/ssh_host_rsa_key.pub root:root 644
/etc/ssh/ssh_config root:root 644
/etc/ssh/sshd_config root:root 640
#
# legacy
#
# The entries in this section pin plain 755 modes (no setuid/setgid
# bit) on programs and directories, for the reasons given per entry.
# Modes here are written both with and without a leading zero (755,
# 0755); presumably both are read as octal -- TODO confirm against
# chkstat.
#
# don't set the setuid bit on suidperl! Set it on sperl instead if
# you really need it as suidperl is a hardlink to perl nowadays.
/usr/bin/suidperl root:root 755
# cdrecord does not need to be setuid root as it uses resmgr for
# accessing the devices. Access to that one can be configured in
# /etc/resmgr.conf
/usr/bin/cdrecord root:root 755
# new traceroute program by Olaf Kirch does not need setuid root any more.
/usr/sbin/traceroute root:root 755
# netatalk printer daemon: sgid not needed any more with cups.
/usr/sbin/papd root:lp 0755
# games:games 775 safe as long as we don't change files below it (#103186)
# still people do it (#429882) so root:root 755 is the consequence.
/var/games/ root:root 0755
# No longer common. Set setuid bit yourself if you need it
# (#66191)
# The entry below is intentionally commented out and therefore not
# enforced; enabling it would grant setuid root to group trusted (4750).
#/usr/bin/ziptool root:trusted 4750
#
# udev static devices (#438039)
#
# Static device nodes kept under /lib/udev/devices; all of them are
# readable and writable by everyone (0666).
# NOTE(review): the tun node is world-accessible as well; whether an
# unprivileged user can actually configure an interface through it is
# decided by the kernel, not by this mode -- confirm this is intended.
#
/lib/udev/devices/net/tun root:root 0666
/lib/udev/devices/null root:root 0666
/lib/udev/devices/ptmx root:tty 0666
/lib/udev/devices/tty root:tty 0666
/lib/udev/devices/zero root:root 0666
#
# directory for system crash dumps (#438041)
#
# World-writable with the sticky bit (1777): any user may create
# entries, but may not remove or rename those of others.
# NOTE(review): crash dumps can contain sensitive memory contents. This
# entry controls only the directory; the mode of each dump file is set
# by whatever writes it -- verify that dumps are not world-readable.
#
/var/crash root:root 1777
#
# named chroot (#438045)
#
# Device nodes inside the named chroot under /var/lib/named; both are
# readable and writable by everyone (0666), the same mode this file
# assigns to /dev/null.
#
/var/lib/named/dev/null root:root 0666
/var/lib/named/dev/random root:root 0666