forked from pool/permissions
184 lines
8.7 KiB
Plaintext
184 lines
8.7 KiB
Plaintext
# /etc/permissions
|
||
#
|
||
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
|
||
#
|
||
# Author: Roman Drahtmueller <draht@suse.de>, 2001
|
||
#
|
||
# This file is used by SuSEconfig and chkstat to check or set the modes
|
||
# and ownerships of files and directories in the installation.
|
||
#
|
||
# There is a set of files with similar meaning in a SuSE installation:
|
||
# /etc/permissions (This file)
|
||
# /etc/permissions.easy
|
||
# /etc/permissions.secure
|
||
# /etc/permissions.paranoid
|
||
# /etc/permissions.local
|
||
# Please see the respective files for their meaning.
|
||
#
|
||
#
|
||
# Format:
|
||
# <file> <owner>:<group> <permission>
|
||
#
|
||
# How it works:
|
||
# Change the entries as you like, then call
|
||
# `chkstat -set /etc/permissions´ or /etc/permissions.{easy,secure,paranoid}
|
||
# respectively, or call `SuSEconfig´ as yast do after they think
|
||
# that files have been modified in the system.
|
||
#
|
||
# SuSEconfig will use the files /etc/permissions and the ones ending
|
||
# in what the variable PERMISSION_SECURITY from
|
||
# /etc/sysconfig/security contains. By default, these are the files
|
||
# /etc/permissions, /etc/permissions.easy and /etc/permissions.local
|
||
# for local changes by the admin. In addition, the directory
|
||
# /etc/permissions.d/ can contain permission files that belong to
|
||
# the packages they modify file modes for. These permission files
|
||
# are to switch between conflicting file modes of the same file
|
||
# paths in different packages (popular example: sendmail and
|
||
# postfix, path /usr/sbin/sendmail).
|
||
#
|
||
# SuSEconfig's usage of the chkstat program can be turned off completely
|
||
# by setting CHECK_PERMISSIONS to "warn" in /etc/sysconfig/security.
|
||
#
|
||
# /etc/permissions is kept to the bare minimum. File modes that differ
|
||
# from the settings in this file should be considered broken.
|
||
#
|
||
# Please see the headers of the files
|
||
# /etc/permissions.easy
|
||
# /etc/permissions.secure
|
||
# /etc/permissions.paranoid
|
||
# as well as
|
||
# /etc/permissions.local
|
||
# for more information about their particular meaning and their setup.
|
||
|
||
#
|
||
# root directories:
|
||
#
|
||
|
||
/ root:root 755
|
||
/root root:root 700
|
||
/tmp root:root 1777
|
||
/tmp/.X11-unix/ root:root 1777
|
||
/tmp/.ICE-unix/ root:root 1777
|
||
/dev root:root 755
|
||
/bin root:root 755
|
||
/sbin root:root 755
|
||
/lib root:root 755
|
||
/etc root:root 755
|
||
/home root:root 755
|
||
/boot root:root 755
|
||
/opt root:root 755
|
||
/usr root:root 755
|
||
|
||
#
|
||
# /var:
|
||
#
|
||
|
||
/var/tmp root:root 1777
|
||
/var/tmp/vi.recover/ root:root 1777
|
||
/var/log root:root 755
|
||
/var/spool root:root 755
|
||
/var/spool/atjobs at:at 700
|
||
/var/spool/atjobs/.SEQ at:at 600
|
||
/var/spool/atjobs/.lockfile at:at 600
|
||
/var/spool/atspool at:at 700
|
||
/var/spool/cron root:root 700
|
||
/var/spool/mqueue root:root 700
|
||
/var/spool/news news:news 775
|
||
/var/spool/uucp uucp:uucp 755
|
||
/var/spool/voice root:root 755
|
||
/var/spool/mail root:root 1777
|
||
/var/adm root:root 755
|
||
/var/adm/backup root:root 700
|
||
/var/cache root:root 755
|
||
/var/cache/fonts root:root 1777
|
||
/var/cache/man man:root 755
|
||
/var/yp root:root 755
|
||
/var/run/nscd/socket root:root 666
|
||
/var/run/sudo root:root 700
|
||
|
||
#
|
||
# log files that do not grow remarkably
|
||
#
|
||
/var/log/faillog root:root 600
|
||
# This file is not writeable by gid tty so that the information
|
||
# therein can be trusted.
|
||
/var/log/lastlog root:tty 644
|
||
|
||
|
||
#
|
||
# some device files
|
||
#
|
||
|
||
/dev/zero root:root 666
|
||
/dev/null root:root 666
|
||
/dev/full root:root 622
|
||
/dev/ip root:root 660
|
||
/dev/initrd root:disk 660
|
||
/dev/kmem root:kmem 640
|
||
|
||
#
|
||
# /etc
|
||
#
|
||
/etc/lilo.conf root:root 600
|
||
/etc/passwd root:root 644
|
||
/etc/shadow root:shadow 640
|
||
/etc/init.d root:root 755
|
||
/etc/HOSTNAME root:root 644
|
||
/etc/hosts root:root 644
|
||
# Changing the hosts_access(5) files causes trouble with services
|
||
# that do not run as root!
|
||
/etc/hosts.allow root:root 644
|
||
/etc/hosts.deny root:root 644
|
||
/etc/hosts.equiv root:root 644
|
||
/etc/hosts.lpd root:root 644
|
||
/etc/ld.so.conf root:root 644
|
||
/etc/ld.so.cache root:root 644
|
||
|
||
/etc/opiekeys root:root 600
|
||
|
||
/etc/smpppd.conf root:root 600
|
||
/etc/smpppd-c.conf root:dialout 640
|
||
/var/run/smpppd root:dialout 750
|
||
|
||
/etc/ppp root:dialout 750
|
||
/etc/ppp/chap-secrets root:root 600
|
||
/etc/ppp/pap-secrets root:root 600
|
||
|
||
# sysconfig files:
|
||
/etc/sysconfig/network/providers root:root 700
|
||
|
||
# utempter
|
||
/usr/sbin/utempter root:tty 2755
|
||
|
||
# changing the global ssh client configuration makes it unreadable
|
||
# and therefore useless. Keep in mind that users can bring their own client!
|
||
/etc/ssh/ssh_host_key root:root 600
|
||
/etc/ssh/ssh_host_key.pub root:root 644
|
||
/etc/ssh/ssh_config root:root 644
|
||
/etc/ssh/sshd_config root:root 640
|
||
|
||
#
|
||
# legacy
|
||
#
|
||
# don't set the setuid bit on suidperl! Set it on sperl instead if
|
||
# you really need it as suidperl is a hardlink to perl nowadays.
|
||
/usr/bin/suidperl root:root 755
|
||
|
||
# cdrecord does not need to be setuid root as it uses resmgr for
|
||
# accessing the devices. Access to that one can be configured in
|
||
# /etc/resmgr.conf
|
||
/usr/bin/cdrecord root:root 755
|
||
|
||
# new traceroute program by Olaf Kirch does not need setuid root any more.
|
||
/usr/sbin/traceroute root:root 755
|
||
|
||
# netatalk printer daemon: sgid not needed any more with cups.
|
||
/usr/sbin/papd root:lp 0755
|
||
|
||
# safe as long as we don't change files below it (#103186)
|
||
/var/games/ games:games 0775
|
||
|
||
# No longer common. Set setuid bit yourself if you need it
|
||
# (#66191)
|
||
#/usr/bin/ziptool root:trusted 4750
|