SHA256
1
0
forked from pool/permissions
permissions/permissions.changes
Matthias Gerstner a12c51b734 - Update to version 20230217:
* shadow: newgidmap,newuidmap: use capabilities (bsc#1208309)
  * profiles: whitelist kismet capabilities (bsc#1200954) (#171)

OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=316
2023-02-17 11:13:40 +00:00

2059 lines
74 KiB
Plaintext

-------------------------------------------------------------------
Fri Feb 17 11:12:44 UTC 2023 - matthias.gerstner@suse.com
- Update to version 20230217:
* shadow: newgidmap,newuidmap: use capabilities (bsc#1208309)
* profiles: whitelist kismet capabilities (bsc#1200954) (#171)
-------------------------------------------------------------------
Tue Dec 20 10:04:33 UTC 2022 - matthias.gerstner@suse.com
- Update to version 20221220:
* profiles: remove outdated kdesud, apptainer entries
-------------------------------------------------------------------
Wed Sep 21 14:30:41 UTC 2022 - Dirk Müller <dmueller@suse.com>
- skip tests on qemu user builds
-------------------------------------------------------------------
Tue Sep 13 08:38:26 UTC 2022 - matthias.gerstner@suse.com
- Update to version 20220912:
* chkstat: also consider group controlled paths (bsc#1203018,
CVE-2022-31252)
-------------------------------------------------------------------
Mon Aug 8 06:40:01 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
- Fix dependency from permissions-zypp-plugin to permissions.
-------------------------------------------------------------------
Sat Jul 30 07:14:02 UTC 2022 - Stephan Kulow <coolo@suse.com>
- Avoid different Versions for subpackages to fix build-compare
seeing the src rpm as equal. It replaces VERSION-RELEASE but
that will fail if subpackages use a different Version
-------------------------------------------------------------------
Wed Jul 13 13:52:09 UTC 2022 - matthias.gerstner@suse.com
- Update to version 20220713:
* postfix: add postlog setgid for maildrop binary (bsc#1201385)
* libexec migration: KDE utilities now properly place their helpers
* pccardctl: installation path has finally changed to /usr/sbin
-------------------------------------------------------------------
Fri Mar 11 11:14:05 UTC 2022 - matthias.gerstner@suse.com
- Update to version 20220309:
* apptainer whitelisting (bsc#1196145)
-------------------------------------------------------------------
Fri Feb 25 09:34:23 UTC 2022 - matthias.gerstner@suse.com
- Update to version 20220202:
* mount.nfs: switch from migration mode to fixed path in /usr/sbin
* changed gendered pronouns
* mgetty: faxq-helper now finally reside in /usr/libexec
-------------------------------------------------------------------
Wed Sep 01 07:33:41 UTC 2021 - matthias.gerstner@suse.com
- Update to version 20210901:
* libksysguard5: Updated path for ksgrd_network_helper
* kdesu: Updated path for kdesud
* sbin_dirs cleanup: these binaries have already been moved to /usr/sbin
* mariadb: revert auth_pam_tool to /usr/lib{,64} again
* cleanup: revert virtualbox back to plain /usr/lib
* cleanup: remove deprecated /etc/ssh/sshd_config
* hawk_invoke is not part of newer hawk2 packages anymore
* cleanup: texlive-filesystem: public now resides in libexec
* cleanup: authbind: helper now resides in libexec
* cleanup: polkit: the agent now also resides in libexec
* libexec cleanup: 'inn' news binaries now reside in libexec
-------------------------------------------------------------------
Tue May 18 11:16:07 UTC 2021 - matthias.gerstner@suse.com
- Update to version 20210518:
* whitelist please (bsc#1183669)
-------------------------------------------------------------------
Tue May 18 08:02:20 UTC 2021 - matthias.gerstner@suse.com
- Update to version 20210518:
* Fix enlightenment paths for 32-bit architectures
-------------------------------------------------------------------
Mon Jan 25 12:14:46 UTC 2021 - matthias.gerstner@suse.com
- Update to version 20210125:
* usbauth: drop compatibility variable for libexec
* usbauth: Updated path for usbauth-npriv
* profiles: finish usage of variable for polkit-agent-helper-1
-------------------------------------------------------------------
Fri Dec 4 12:58:20 UTC 2020 - Ludwig Nussel <lnussel@suse.de>
- move man page to where the documented files are
-------------------------------------------------------------------
Wed Nov 11 09:30:37 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20201111:
* squid: remove basic_pam_auth which doesn't need special perms (bsc#1171569)
* mgetty: remove long dead (or never existing) locks directory (bsc#1171882)
* adjust squid pinger path (bsc#1171569)
* profiles: remove now superfluous squid pinger paths (bsc#1171569)
* ksgrd_network_helper: remove obviously wrong path
* etc/permissions: remove unnecessary, duplicate, outdated entries
* chkstat: implement support for variables in profile paths in new
variables.conf
* man pages: add documentation about variables, update copyrights
* profiles: use new variables feature to remove redundant entries
* profiles: prepare /usr/sbin versions of profile entries (bsc#1029961)
* Makefile: support CXXFLAGS and LDFLAGS override / extension via make/env variables (bsc#1178475)
* Makefile: compile with LFO support to fix 32-bit emulation on 64-bit hosts (bsc#1178476)
* README: added information about know limitations of this approach
- adjusted spec file:
- package new variables.conf
- apply %{optflags} correctly via CXXFLAGS variable
- drop FSCAPS_DEFAULT_ENABLED which isn't recognized anymore by the
refactored chkstat sources. This is now the default.
-------------------------------------------------------------------
Thu Oct 08 09:19:32 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20201008:
* cleanup now useless /usr/lib entries after move to /usr/libexec (bsc#1171164)
* drop (f)ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)
-------------------------------------------------------------------
Wed Sep 30 09:26:44 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20200930:
* whitelist Xorg setuid-root wrapper (bsc#1175867)
-------------------------------------------------------------------
Wed Sep 09 10:00:18 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20200909:
* screen: remove /run/uscreens covered by systemd-tmpfiles (bsc#1171879)
-------------------------------------------------------------------
Fri Sep 04 10:57:51 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20200904:
* Add /usr/libexec for cockpit-session as new path
* physlock: whitelist with tight restrictions (bsc#1175720)
-------------------------------------------------------------------
Wed Aug 26 12:33:11 UTC 2020 - malte.kraus@suse.com
- Update to version 20200826:
* mtr-packet: stop requiring dialout group
* etc/permissions: fix mtr permission
* list_permissions: improve output format
* list_permissions: support globbing in --path argument
* list_permissions: implement simplifications suggested in PR#92
* list_permissions: new tool for better path configuration overview
-------------------------------------------------------------------
Tue Aug 11 12:06:30 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20200811:
* regtest: support new getcap output format in libcap-2.42
* regtest: print individual test case errors to stderr
-------------------------------------------------------------------
Mon Jul 27 12:18:04 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20200727:
* etc/permissions: remove static /var/spool/* dirs
* etc/permissions: remove outdated entries
* etc/permissions: remove unnecessary static dirs and devices
* screen: remove now unused /var/run/uscreens
-------------------------------------------------------------------
Fri Jul 10 09:50:04 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20200710:
* Revert "etc/permissions: remove entries for bind-chrootenv". This
currently conflicts with the way the CheckSUIDPermissions rpmlint-check is
implemented.
-------------------------------------------------------------------
Tue Jul 7 15:56:02 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
- Removed dbus-libexec.patch: contained in upstream
-------------------------------------------------------------------
Tue Jul 07 13:25:40 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20200624:
* rework permissions.local text (boo#1173221)
* dbus-1: adjust to new libexec dir location (bsc#1171164)
* permission profiles: reinstate kdesud for kde5
* etc/permissions: remove entries for bind-chrootenv
* etc/permissions: remove traceroute entry
* VirtualBox: remove outdated entry which is only a symlink any more
* /bin/su: remove path refering to symlink
* etc/permissions: remove legacy RPM directory entries
* /etc/permissions: remove outdated sudo directories
* singularity: remove outdated setuid-binary entries
* chromium: remove now unneeded chrome_sandbox entry (bsc#1163588)
* dbus-1: remove deprecated alternative paths
* PolicyKit: remove outdated entries last used in SLE-11
* pcp: remove no longer needed / conflicting entries
* gnats: remove entries for package removed from Factory
* kdelibs4: remove entries for package removed from Factory
* v4l-base: remove entries for package removed from Factory
* mailman: remove entries for package deleted from Factory
* gnome-pty-helper: remove dead entry no longer part of the vte package
* gnokii: remove entries for package no longer in Factory
* xawtv (v4l-conf): correct group ownership in easy profile
* systemd-journal: remove unnecessary profile entries
* thttp: make makeweb entry usable in the secure profile (bsc#1171580)
-------------------------------------------------------------------
Tue Jun 16 13:23:23 UTC 2020 - malte.kraus@suse.com
- dbus-1: adjust to new libexec dir location (bsc#1171164). This is
temporarily done through the patch in dbus-libexec.patch because
we are not completely certain the stability of current git.
- run chkstat test suite during RPM build
-------------------------------------------------------------------
Tue May 26 13:03:52 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20200526:
* profiles: add entries for enlightenment (bsc#1171686)
-------------------------------------------------------------------
Wed May 20 09:02:14 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20200520:
* permissions fixed profile: utempter: reinstate libexec compatibility entry
-------------------------------------------------------------------
Tue May 19 09:14:38 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20200519:
* chkstat: fix sign conversion warnings on 32-bit architectures
* chkstat: allow simultaneous use of `--set` and `--system`
* regtest: adjust TestUnkownOwnership test to new warning output behaviour
-------------------------------------------------------------------
Mon May 18 12:06:10 UTC 2020 - malte.kraus@suse.com
- Update to version 20200518:
* whitelist texlive public binary (bsc#1171686)
-------------------------------------------------------------------
Fri May 15 09:49:48 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20200514:
* fixed permissions: adjust to new libexec dir location (bsc#1171164)
(affects utempter path)
-------------------------------------------------------------------
Wed May 13 12:09:17 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20200513:
* major rewrite of the chkstat tool
* setuid bit for cockpit (bsc#1169614)
-------------------------------------------------------------------
Thu May 07 09:50:15 UTC 2020 - malte.kraus@suse.com
- Update to version 20200506:
* add whitelist for files in /usr/lib to be also allowed in
/usr/libexec (bsc#1171164)
-------------------------------------------------------------------
Tue Mar 24 12:52:07 UTC 2020 - jsegitz@suse.de
- Update to version 20200324:
* whitelist s390-tools setgid bit on log directory (bsc#1167163)
* whitelist WMP (bsc#1161335)
* regtest: improve readability of path variables by using literals
* regtest: adjust test suite to new path locations in /usr/share/permissions
* regtest: only catch explicit FileNotFoundError
* regtest: provide valid home directory in /root
* regtest: mount permissions src repository in /usr/src/permissions
* regtest: move initialialization of TestBase paths into the prepare() function
* chkstat: suppport new --config-root command line option
* fix spelling of icingacmd group
-------------------------------------------------------------------
Fri Feb 28 12:00:44 UTC 2020 - malte.kraus@suse.com
- Update to version 20200228:
* chkstat: fix readline() on platforms with unsigned char
-------------------------------------------------------------------
Thu Feb 27 12:29:29 UTC 2020 - malte.kraus@suse.com
- Update to version 20200227:
* remove capability whitelisting for radosgw
* whitelist ceph log directory (bsc#1150366)
* adjust testsuite to post CVE-2020-8013 link handling
* testsuite: add option to not mount /proc
* do not follow symlinks that are the final path element: CVE-2020-8013
* add a test for symlinked directories
* fix relative symlink handling
* include cpp compat headers, not C headers
* Move permissions and permissions.* except .local to /usr/share/permissions
* regtest: fix the static PATH list which was missing /usr/bin
* regtest: also unshare the PID namespace to support /proc mounting
* regtest: bindMount(): explicitly reject read-only recursive mounts
* Makefile: force remove upon clean target to prevent bogus errors
* regtest: by default automatically (re)build chkstat before testing
* regtest: add test for symlink targets
* regtest: make capability setting tests optional
* regtest: fix capability assertion helper logic
* regtests: add another test case that catches set*id or caps in world-writable sub-trees
* regtest: add another test that catches when privilege bits are set for special files
* regtest: add test case for user owned symlinks
* regtest: employ subuid and subgid feature in user namespace
* regtest: add another test case that covers unknown user/group config
* regtest: add another test that checks rejection of insecure mixed-owner paths
* regtest: add test that checks for rejection of world-writable paths
* regtest: add test for detection of unexpected parent directory ownership
* regtest: add further helper functions, allow access to main instance
* regtest: introduce some basic coloring support to improve readability
* regtest: sort imports, another piece of rationale
* regtest: add capability test case
* regtest: improve error flagging of test cases and introduce warnings
* regtest: support caps
* regtest: add a couple of command line parameter test cases
* regtest: add another test that checks whether the default profile works
* regtests: add tests for correct application of local profiles
* regtest: add further test cases that test correct profile application
* regtest: simplify test implementation and readability
* regtest: add helpers for permissions.d per package profiles
* regtest: support read-only bind mounts, also bind-mount permissions repo
* tests: introduce a regression test suite for chkstat
* Makefile: allow to build test version programmatically
* README.md: add basic readme file that explains the repository's purpose
* chkstat: change and harmonize coding style
* chkstat: switch to C++ compilation unit
- add suse_version to end of permissions package version
-------------------------------------------------------------------
Thu Feb 13 12:10:41 UTC 2020 - malte.kraus@suse.com
- Update to version 20200213:
* remove obsolete/broken entries for rcp/rsh/rlogin
* chkstat: handle symlinks in final path elements correctly
* Revert "Revert "mariadb: settings for new auth_pam_tool (bsc#1160285)""
* Revert "mariadb: settings for new auth_pam_tool (bsc#1160285)"
-------------------------------------------------------------------
Tue Feb 04 12:20:43 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20200204:
* mariadb: settings for new auth_pam_tool (bsc#1160285)
* chkstat:
- add read-only fallback when /proc is not mounted (bsc#1160764)
- capability handling fixes (bsc#1161779)
- better error message when refusing to fix dir perms (#32)
-------------------------------------------------------------------
Mon Jan 27 11:58:17 UTC 2020 - malte.kraus@suse.com
- Update to version 20200127:
* fix paths of ksysguard whitelisting
* fix zero-termination of error message for overly long paths
-------------------------------------------------------------------
Thu Dec 05 14:31:49 UTC 2019 - malte.kraus@suse.com
- Update to version 20191205:
* fix privilege escalation through untrusted symlinks (bsc#1150734,
CVE-2019-3690)
-------------------------------------------------------------------
Wed Nov 27 12:47:23 UTC 2019 - matthias.gerstner@suse.com
- Update to version 20191122:
* faxq-helper: correct "secure" permission for trusted group (bsc#1157498)
-------------------------------------------------------------------
Mon Nov 18 09:52:14 UTC 2019 - malte.kraus@suse.com
- Update to version 20191118:
* whitelist ksysguard network helper (bsc#1151190)
-------------------------------------------------------------------
Tue Nov 12 12:45:12 UTC 2019 - malte.kraus@suse.com
- Update to version 20191112:
* fix syntax of paranoid profile
* fix squid permissions (bsc#1093414, CVE-2019-3688)
-------------------------------------------------------------------
Thu Oct 3 12:38:09 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
- Add || exit 0 on the scriptlet as it can actually fail in
rootless containers with podman. This makes sure the zypper
does not abort the container creation.
* the actual error looks like:
/dev/zero: chown: Operation not permitted
-------------------------------------------------------------------
Fri Sep 13 11:19:42 UTC 2019 - jsegitz@suse.de
- Update to version 20190913:
* setgid bit for nagios directory (bsc#1028975, bsc#1150345)
- This also restructures the sources for the permission package
-------------------------------------------------------------------
Fri Aug 30 14:20:09 UTC 2019 - malte.kraus@suse.com
- Update to version 20190830:
* dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)
-------------------------------------------------------------------
Thu Aug 29 15:38:28 UTC 2019 - malte.kraus@suse.com
- Update to version 20190829:
* add one more missing slash for icinga2
* fix more missing slashes for directories
-------------------------------------------------------------------
Tue Aug 20 08:56:35 UTC 2019 - malte.kraus@suse.com
- Update to version 20190820:
* cron directory permissions: add slashes
-------------------------------------------------------------------
Thu Jul 11 14:21:23 UTC 2019 - malte.kraus@suse.com
- Update to version 20190711:
* iputils: Add capability permissions for clockdiff (bsc#1140994)
-------------------------------------------------------------------
Wed Jul 10 12:29:08 UTC 2019 - opensuse-packaging@opensuse.org
- Update to version 20190710:
* iputils/ping: Drop effective capability
* iputils/ping6: Remove definitions
-------------------------------------------------------------------
Thu Jun 13 08:57:42 UTC 2019 - meissner@suse.com
- Update to version 20190521:
* singluarity: Add starter-suid for version 3.2.0
* adjust settings for amanda to current binary layout
-------------------------------------------------------------------
Wed Jun 5 12:02:18 UTC 2019 - <jsegitz@suse.com>
- Move BuildRequires: back to main package
-------------------------------------------------------------------
Wed Jun 5 10:38:58 UTC 2019 - <jsegitz@suse.com>
- Moved requires to subpackages (bsc#1137257)
-------------------------------------------------------------------
Thu May 2 09:46:05 UTC 2019 - jsegitz@suse.com
- Fixed versions. Removed set_version from _service file, doesn't
work with the new packaging. Call fix_version.sh to set current
date as version instead
- Fixed requires for -config and -zypp-plugin
-------------------------------------------------------------------
Tue Apr 30 08:57:37 UTC 2019 - opensuse-packaging@opensuse.org
- Update to version 20190429:
* removed entry for /var/cache/man. Conflicts with packaging and man:man is
the better setting anyway (bsc#1133678)
* fixed error in description of permissions.paranoid. Make it clear that this
is not a usable profile, but intended as a base for own developments
-------------------------------------------------------------------
Sat Apr 13 17:12:12 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Fix RPM group, fix hard requirement on documentation.
Update description typography.
-------------------------------------------------------------------
Thu Apr 11 11:18:36 UTC 2019 - jsegitz@suse.com
- Created new subpackages -config, -doc and standalone package chkstat
where we can start a better versioning scheme and require it from the
original package
-------------------------------------------------------------------
Tue Feb 12 14:29:45 UTC 2019 - jsegitz@suse.com
- Update to version 20190212:
* removed old entry for wodim
* removed old entry for netatalk
* removed old entry for suidperl
* removed old entriy for utempter
* removed old entriy for hostname
* removed old directory entries
* removed old entry for qemu-bridge-helper
* removed old entries for pccardctl
* removed old entries for isdnctrl
* removed old entries for unix(2)_chkpwd
* removed old entries for mount.nfs
* removed old entries for (u)mount
* removed old entry for fileshareset
* removed old entries for KDE
* removed old entry for heartbeat
* removed old entry for gnome-control-center
* removed old entry for pcp
* removed old entry for lpdfilter
* removed old entry for scotty
* removed old entry for ia32el
* removed old entry for squid
* removed old qpopper whitelist
* removed pt_chown entries. Not needed anymore and a bad idea anyway
* removed old majordomo entry
* removed stale entries for old ncpfs tools
* removed old entry for rmtab
* Fixed typo in icinga2 whitelist entry
* New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale
entries for VirtualBox
* Removed whitelist for /usr/bin/su.core. According to comment a temporary
hack introduced 2012 to help moving su from coretuils to util-linux. I
couldn't find it anywhere, so we don't need it anymore
* Remove entry for /usr/bin/yaps. We don't ship it anymore and the group that
is used doesn't exists anymore starting with Leap 15, so it will not work
there anyway. Users using this (old) package can do this individually
* removed entry for /etc/ftpaccess. We currently don't have it anywhere (and
judging from my search this has been the case for quite a while)
* Ensure consistency of entries, otherwise switching between settings becomes
problematic
* Fix spelling of SUSE
* permissions.local: fix typo
-------------------------------------------------------------------
Fri Nov 16 15:15:04 UTC 2018 - opensuse-packaging@opensuse.org
- Update to version 20181116:
* zypper-plugin: new plugin to fix bsc#1114383
-------------------------------------------------------------------
Mon Nov 12 12:14:18 UTC 2018 - opensuse-packaging@opensuse.org
- Update to version 20181112:
* singularity: remove -suid binaries that have been dropped since version
2.4 (bsc#1028304)
-------------------------------------------------------------------
Tue Oct 30 12:13:21 UTC 2018 - opensuse-packaging@opensuse.org
- Update to version 20181030:
* capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds
-------------------------------------------------------------------
Mon Oct 29 16:59:05 UTC 2018 - opensuse-packaging@opensuse.org
- Update to version 20181029:
* setuid whitelisting: add fusermount3 (bsc#1111230)
-------------------------------------------------------------------
Thu Oct 25 16:13:46 UTC 2018 - opensuse-packaging@opensuse.org
- Update to version 20181025:
* setuid whitelisting: add authbind binary (bsc#1111251)
-------------------------------------------------------------------
Mon Aug 27 09:12:35 UTC 2018 - opensuse-packaging@opensuse.org
- Update to version 20180827:
* setuid whitelisting: add firejail binary (bsc#1059013)
-------------------------------------------------------------------
Fri Aug 10 09:22:35 UTC 2018 - opensuse-packaging@opensuse.org
- Update to version 20180810:
* setuid whitelisting: add lxc-user-nic (bsc#988348)
-------------------------------------------------------------------
Thu Aug 02 16:13:33 UTC 2018 - opensuse-packaging@opensuse.org
- Update to version 20180802:
* whitelisting: added smc-tools LD_PRELOAD library (bsc#1102956)
-------------------------------------------------------------------
Tue Jul 24 08:49:20 UTC 2018 - opensuse-packaging@opensuse.org
- Update to version 20180724:
* Fix wrong file path in help string
* whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420)
-------------------------------------------------------------------
Tue May 08 06:11:27 UTC 2018 - astieger@suse.com
- Update to version 20180508:
* Capabilities for usage of Wireshark for non-root (bsc#957624)
-------------------------------------------------------------------
Thu Jan 25 12:52:52 UTC 2018 - meissner@suse.com
- Update to version 20180125:
* the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247)
* make btmp root:utmp (bsc#1050467)
-------------------------------------------------------------------
Mon Jan 15 09:56:48 UTC 2018 - krahmer@suse.com
- Update to version 20180115:
* - polkit-default-privs: usbauth (bsc#1066877)
-------------------------------------------------------------------
Mon Dec 4 18:45:53 UTC 2017 - kukuk@suse.com
- fillup is required for post, not pre installation
-------------------------------------------------------------------
Thu Nov 30 08:24:44 UTC 2017 - mpluskal@suse.com
- Cleanup spec file with spec-cleaner
- Drop conditions/definitions related to old distros
-------------------------------------------------------------------
Wed Nov 29 17:02:20 UTC 2017 - astieger@suse.com
- Update to version 20171129:
* permissions: adding gvfs (bsc#1065864)
* Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410
* Allow fping cap_net_raw (bsc#1047921)
-------------------------------------------------------------------
Thu Nov 23 13:41:09 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
Tue Nov 21 14:03:29 UTC 2017 - krahmer@suse.com
- Update to version 20171121:
* - permissions: adding kwayland (bsc#1062182)
-------------------------------------------------------------------
Mon Nov 06 15:55:58 UTC 2017 - eeich@suse.com
- Update to version 20171106:
* Allow setuid root for singularity (group only) bsc#1028304
-------------------------------------------------------------------
Wed Oct 25 15:51:45 UTC 2017 - jsegitz@suse.com
- Update to version 20171025:
* Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)
-------------------------------------------------------------------
Thu Sep 28 10:48:31 UTC 2017 - astieger@suse.com
- Update to version 20170928:
* Fix invalid syntax bsc#1048645 bsc#1060738
-------------------------------------------------------------------
Wed Sep 27 14:50:11 UTC 2017 - pgajdos@suse.com
- Update to version 20170927:
* fix typos in manpages
-------------------------------------------------------------------
Fri Sep 22 14:00:15 UTC 2017 - astieger@suse.com
- Update to version 20170922:
* Allow setuid root for singularity (group only) bsc#1028304
-------------------------------------------------------------------
Wed Sep 13 16:53:20 UTC 2017 - astieger@suse.com
- Update to version 20170913:
* Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)
-------------------------------------------------------------------
Wed Sep 06 09:44:00 UTC 2017 - opensuse-packaging@opensuse.org
- Update to version 20170906:
* permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764
* permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)
-------------------------------------------------------------------
Wed Jun 7 10:58:37 UTC 2017 - dimstar@opensuse.org
- BuildIgnore group(trusted): we don't really care for this group
in the buildroot and do not want to get system-users into the
bootstrap cycle as we can avoid it.
-------------------------------------------------------------------
Sat Jun 3 07:21:24 UTC 2017 - meissner@suse.com
- Require: group(trusted), as we are handing it out to some unsuspecting
binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)
-------------------------------------------------------------------
Fri Jun 2 10:55:09 UTC 2017 - meissner@suse.com
- Update to version 20170602:
* make /etc/ppp owned by root:root. The group dialout usage is no longer used
-------------------------------------------------------------------
Sun Aug 07 12:00:00 UTC 2016 - meissner@suse.com
- Update to version 20160807:
* suexec2 is a symlink, no need for permissions handling
-------------------------------------------------------------------
Tue Aug 02 08:47:53 UTC 2016 - meissner@suse.com
- Update to version 20160802:
* list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282)
* root:shadow 0755 for newuidmap/newgidmap
-------------------------------------------------------------------
Tue Aug 2 08:29:32 UTC 2016 - krahmer@suse.com
- adding qemu-bridge-helper mode 04750 (bsc#988279)
-------------------------------------------------------------------
Mon May 23 09:15:22 UTC 2016 - dimstar@opensuse.org
- Introduce _service to easier update the package. For simplicity,
change the version from yyyy.mm.dd to yyyymmdd (which is eactly
%cd in the _service defintion). Upgrading is no problem.
-------------------------------------------------------------------
Mon May 23 09:00:11 UTC 2016 - meissner@suse.com
- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)
-------------------------------------------------------------------
Wed Mar 30 11:14:41 UTC 2016 - meissner@suse.com
- permissions: adding gstreamer ptp file caps (bsc#960173)
-------------------------------------------------------------------
Fri Jan 15 14:19:44 UTC 2016 - meissner@suse.com
- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)
-------------------------------------------------------------------
Tue Jan 12 14:30:01 UTC 2016 - meissner@suse.com
- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363
-------------------------------------------------------------------
Thu Oct 29 09:40:30 UTC 2015 - meissner@suse.com
- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789
- added missing / to the squid specific directories (bsc#950557)
-------------------------------------------------------------------
Mon Sep 28 14:27:19 UTC 2015 - meissner@suse.com
- adjusted radosgw to root:www mode 0750 (bsc#943471)
-------------------------------------------------------------------
Mon Sep 28 13:35:10 UTC 2015 - meissner@suse.com
- radosgw can get capability cap_bind_net_service (bsc#943471)
-------------------------------------------------------------------
Mon Jun 8 16:22:39 UTC 2015 - meissner@suse.com
- remove /usr/bin/get_printing_ticket; (bnc#906336)
-------------------------------------------------------------------
Wed Dec 3 16:36:54 UTC 2014 - krahmer@suse.com
- Added iouyap capabilities (bnc#904060)
-------------------------------------------------------------------
Wed Nov 5 16:07:01 UTC 2014 - meissner@suse.com
- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093)
- permissions: incorporating squid changes from bnc#891268
- hint that chkstat --system --set needs to be run after editing bnc#895647
-------------------------------------------------------------------
Tue Aug 26 13:00:07 UTC 2014 - meissner@suse.com
- Do not applies permissions from backup files (~ / .rpmsave / .rpmnew) (bnc#893370)
- do not mention SuSEconfig anymore, long dead (bnc#843083)
-------------------------------------------------------------------
Fri Aug 1 11:25:40 UTC 2014 - meissner@suse.com
- append a / to /var/log/journal so the framework makes sure it is a directory bnc#888151
-------------------------------------------------------------------
Wed Jul 23 11:38:42 UTC 2014 - meissner@suse.com
- make innbind mode 4550 (bnc#876287)
- permissions: Adding systemd-journal directory (bnc#888151)
-------------------------------------------------------------------
Mon Jul 21 13:31:48 UTC 2014 - krahmer@suse.com
- permissions: Adding new kdesud path for KDE5 (bnc#872276)
-------------------------------------------------------------------
Tue Jul 1 11:19:57 UTC 2014 - meissner@suse.com
- vlock_main lost its permission checking, so remove from here.
-------------------------------------------------------------------
Mon Jun 16 11:46:15 UTC 2014 - meissner@suse.com
- opiesu,wodim,vlock-main have no setuid root. (bnc#882035)
-------------------------------------------------------------------
Thu Jun 5 08:10:33 UTC 2014 - meissner@suse.com
- tighten /etc/crontab to be always mode 600, even in easy (bnc#867799)
-------------------------------------------------------------------
Tue Apr 15 14:24:36 UTC 2014 - meissner@suse.com
- duplicate /var/run entries to /run (bnc#873708)
-------------------------------------------------------------------
Mon Mar 24 10:31:20 UTC 2014 - krahmer@suse.com
- permissions: incorporating capability for mtr, removing +s from ping
(bnc#865351)
-------------------------------------------------------------------
Mon Oct 28 10:46:48 UTC 2013 - meissner@suse.com
- GIT repo moved to GITHUB.
- removed the setuid bit from "eject" (bnc#824406)
-------------------------------------------------------------------
Thu Aug 22 11:40:20 UTC 2013 - meissner@suse.com
- do not use magic constants for strlen (bnc#834790
-------------------------------------------------------------------
Wed Aug 21 12:53:39 UTC 2013 - meissner@suse.com
- Chrome sandbox also allowed to be setuid root in secure mode now (bnc#718016)
-------------------------------------------------------------------
Fri Aug 16 13:25:56 UTC 2013 - meissner@suse.com
- use PERMISSION_FSCAPS
-------------------------------------------------------------------
Fri Aug 16 13:08:10 UTC 2013 - meissner@suse.com
- it is PERMISSIONS_FSCAPS (bnc#834790)
- qemu-bridge-helper has no special privileges currently (bnc#765948)
-------------------------------------------------------------------
Wed Jun 12 11:10:18 UTC 2013 - meissner@suse.com
- utempter helper binary moved in new version to /usr/lib/utempter/utempter (bnc#823302)
-------------------------------------------------------------------
Mon Jun 10 09:46:15 UTC 2013 - meissner@suse.com
- cdrtools: allow some filesystem capabilities for more stable CD/DVD
burning in "easy" mode. (bnc#550021) (cap_sys_nice, cap_sys_rawio,
cap_sys_resource, cap_ipc_lock)
-------------------------------------------------------------------
Wed May 8 14:27:12 UTC 2013 - meissner@suse.com
- leave out readcd,cdda2wav,cdrecord until it is ready for the distro (bnc#550021)
-------------------------------------------------------------------
Sat May 4 08:32:17 UTC 2013 - meissner@suse.com
- cdrecord currently has no special permissions approved (bnc#550021)
- append a /
-------------------------------------------------------------------
Tue Jan 29 14:00:08 UTC 2013 - meissner@suse.com
- Allow pcp to have stickybit worldwriteable directories
-------------------------------------------------------------------
Tue Nov 27 15:41:16 UTC 2012 - meissner@suse.com
- add /usr/bin/dumpcap to watchlist
- make fscaps=1 the default on ""
- added PERMISSION_FSCAPS to the sysconfig/security fillup template.
- /bin/ping(6) was moved to /usr/bin/ping(6) /bin/eject was moved to /usr/bin/eject
-------------------------------------------------------------------
Wed Nov 21 13:56:34 UTC 2012 - lnussel@suse.de
- apply permissions settings in %post. During initial installation
some packages might be installed before the permissions package
due to dependency loops so we need to make sure their settings
are applied too. Also, on update of the permissions package
changed permission settings may need to be applied.
-------------------------------------------------------------------
Mon Oct 15 11:49:04 UTC 2012 - lnussel@suse.de
- temporarily add su.core. workaround for the migration of su from
coreutils to util-linux needs to be reverted as soon as util-linux
is also in
-------------------------------------------------------------------
Tue Sep 25 14:55:21 UTC 2012 - meissner@suse.com
- no longer install SuSEconfig.permissions, SuSEconfig is gone.
-------------------------------------------------------------------
Fri Jul 6 09:01:18 UTC 2012 - meissner@suse.com
- enable ecryptfs-utils setuid root mount wrapper (bnc#740110) in .easy
-------------------------------------------------------------------
Mon Jun 4 11:37:27 UTC 2012 - lnussel@suse.de
- remove /var/run/vi.recover (bnc#765288)
-------------------------------------------------------------------
Fri Jun 1 07:23:46 UTC 2012 - lnussel@suse.de
- remove /var/cache/fonts (bnc#764885)
- remove /var/lib/xemacs/lock/ (bnc#764887)
-------------------------------------------------------------------
Thu May 31 11:07:25 UTC 2012 - lnussel@suse.de
- Revert "Use credentials from within the root file system"
breaks use of --root option in brp-05-permissions
-------------------------------------------------------------------
Tue May 15 14:46:22 UTC 2012 - lnussel@suse.de
- print warning when requested to check not listed files
- Use credentials from within the root file system
-------------------------------------------------------------------
Wed Feb 8 08:15:50 UTC 2012 - lnussel@suse.de
- add duplicate entries for / and /usr (bnc#745622)
-------------------------------------------------------------------
Tue Feb 7 12:09:17 UTC 2012 - lnussel@suse.de
- add scripts for automatic package sumission
- drop zypp-refresh-wrapper (bnc#738677)
-------------------------------------------------------------------
Mon Nov 7 09:39:43 UTC 2011 - lnussel@suse.de
- disable run time fscaps detection (bnc#728312)
-------------------------------------------------------------------
Fri Sep 23 08:37:21 UTC 2011 - lnussel@suse.de
- set permission by default in SuSEconfig mode as permissions are
only set when called explicitly anyways (bnc#720010).
-------------------------------------------------------------------
Wed Sep 21 08:00:28 UTC 2011 - lnussel@suse.de
- fix typo in path
-------------------------------------------------------------------
Tue Sep 20 14:47:30 UTC 2011 - lnussel@suse.de
- remove world writable /var/crash again (bnc#438041)
- remove world writable permissions from /usr/src/packages (bnc#719217)
-------------------------------------------------------------------
Tue Sep 20 13:38:48 UTC 2011 - lnussel@suse.de
- add chromium browser sandbox helper (bnc#718016)
- don't offer PERMISSION_SECURITY in config anymore
- remove setgid games bits (bnc#429882)
-------------------------------------------------------------------
Tue Jun 28 12:53:22 UTC 2011 - lnussel@suse.de
- remove setuid bit from opiesu (bnc#698772)
-------------------------------------------------------------------
Fri Jun 17 09:46:29 UTC 2011 - lnussel@suse.de
- disable fscaps by default as factory kernel still doesn't have the
required patch for auto detection
-------------------------------------------------------------------
Thu May 26 15:23:49 UTC 2011 - lnussel@suse.de
- read /sys/kernel/fscaps for fscaps settings
-------------------------------------------------------------------
Thu May 12 11:48:36 UTC 2011 - lnussel@suse.de
- change path to gnome-pty-helper (bnc#690202)
-------------------------------------------------------------------
Mon Mar 7 15:08:33 UTC 2011 - lnussel@suse.de
- setuid bit on VBoxNetDHCP (bnc#669055)
-------------------------------------------------------------------
Mon Feb 14 08:09:21 UTC 2011 - lnussel@suse.de
- fix hawk permissions (bnc#665045)
-------------------------------------------------------------------
Wed Feb 9 13:25:29 UTC 2011 - lnussel@suse.de
- add hawk (bnc#665045)
-------------------------------------------------------------------
Thu Dec 2 10:20:11 UTC 2010 - lnussel@suse.de
- remove Xorg setuid bit (bnc#632737)
-------------------------------------------------------------------
Thu Nov 18 10:52:39 UTC 2010 - lnussel@suse.de
- update permissions of lastlog, faillog, wtmp, utmp and btmp
-------------------------------------------------------------------
Wed Nov 17 11:02:37 UTC 2010 - lnussel@suse.de
- remove permissions handling for /etc/inittab, /etc/inetd.conf and /etc/mtab
- revert previous commit, done in coreutils instead
-------------------------------------------------------------------
Tue Nov 16 16:10:09 UTC 2010 - lnussel@suse.de
- change fillup deps to requires to avoid coreutils loop
-------------------------------------------------------------------
Tue Nov 16 15:10:53 UTC 2010 - lnussel@suse.de
- change utempter from group tty to group utmp (bnc#652877)
-------------------------------------------------------------------
Tue Nov 9 12:51:10 UTC 2010 - lnussel@suse.de
- add permissions man page
- update docu
- add --level option
- set perms for setuid files always if owner changes
- strip root dir when printing file names
-------------------------------------------------------------------
Tue Nov 9 09:25:17 UTC 2010 - lnussel@suse.de
- add option to explicitly warn only
-------------------------------------------------------------------
Fri Nov 5 14:00:30 UTC 2010 - lnussel@suse.de
- reimplement the core features in chkstat itself instead of
SuSEconfig.permissions
-------------------------------------------------------------------
Thu Nov 4 16:17:25 UTC 2010 - lnussel@suse.de
- don't make changes if not called explicitly
-------------------------------------------------------------------
Wed Nov 3 14:16:54 UTC 2010 - lnussel@suse.de
- add support for file system capabilities
-------------------------------------------------------------------
Mon Oct 18 13:37:40 UTC 2010 - lnussel@suse.de
- remove vlock (bnc#629236#c13)
-------------------------------------------------------------------
Tue Oct 5 13:33:08 UTC 2010 - lnussel@suse.de
- update path to gnome-pty-helper (bnc#634199)
-------------------------------------------------------------------
Wed Sep 22 15:29:43 UTC 2010 - lnussel@suse.de
- vlock -> vlock-main (bnc#629236)
-------------------------------------------------------------------
Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
- use %_smp_mflags
-------------------------------------------------------------------
Fri Apr 23 09:41:10 UTC 2010 - lnussel@suse.de
- add lockdev (bnc#588325)
-------------------------------------------------------------------
Wed Apr 7 14:45:28 UTC 2010 - lnussel@suse.de
- update for innd update (bnc#594393)
- remove lppasswd (bnc#574336)
-------------------------------------------------------------------
Tue Dec 8 10:16:07 CET 2009 - jengelh@medozas.de
- enable parallel building
-------------------------------------------------------------------
Wed Oct 7 14:54:21 UTC 2009 - lnussel@suse.de
- add /usr/lib/virtualbox/VBoxNetAdpCtl (bnc#533550)
-------------------------------------------------------------------
Thu Aug 27 10:00:19 UTC 2009 - lnussel@suse.de
- add /usr/src/packages/BUILDROOT/ for rpm 4.7
-------------------------------------------------------------------
Wed Aug 26 13:09:55 UTC 2009 - lnussel@suse.de
- add more arm directories to /usr/src/packages/RPMS/
-------------------------------------------------------------------
Mon Aug 24 09:53:25 UTC 2009 - lnussel@suse.de
- remove permissions handling for traceroute6 and cdrecord which are
symlinks nowadays
-------------------------------------------------------------------
Thu Aug 20 08:30:02 UTC 2009 - lnussel@suse.de
- fix weird sendfax permissions (bnc#525954)
-------------------------------------------------------------------
Wed Aug 19 11:17:53 UTC 2009 - lnussel@suse.de
- permissions now maintained at gitorious so use tarball instead of
individual files
-------------------------------------------------------------------
Wed Aug 12 09:57:12 CEST 2009 - meissner@suse.de
- added polkit setuid root helpers after review (bnc#523377)
-------------------------------------------------------------------
Fri Aug 7 10:42:53 CEST 2009 - meissner@suse.de
- also added KDE4 start_kdeinit (same source as kde3 start_kdeinit),
bnc#523833
-------------------------------------------------------------------
Thu Aug 6 16:38:20 CEST 2009 - meissner@suse.de
- open-vm-tools gets setuid root:root in mode easy (bnc#474285)
-------------------------------------------------------------------
Tue Jul 28 13:00:44 UTC 2009 - lnussel@suse.de
- hylafax directory permissions are handled by the package
- change group of amanda binaries (bnc#523006)
-------------------------------------------------------------------
Mon Mar 2 11:26:53 CET 2009 - lnussel@suse.de
- add some missing slashes to directories and remove entries for at
and cron (bnc#480855)
-------------------------------------------------------------------
Tue Nov 25 14:10:13 CET 2008 - lnussel@suse.de
- add VirtualBox (bnc#429725)
-------------------------------------------------------------------
Fri Nov 7 14:39:10 CET 2008 - lnussel@suse.de
- add newrole from policycoreutils (bnc#440596)
-------------------------------------------------------------------
Thu Oct 23 09:23:59 CEST 2008 - lnussel@suse.de
- add udev device files (bnc#438039)
- add system crash dump directory (bnc#438041)
- add bind chroot devices (bnc#438045)
-------------------------------------------------------------------
Mon Oct 20 17:05:30 CEST 2008 - lnussel@suse.de
- dbus-daemon-launch-helper neeeds to be setuid in level secure
(bnc#435776)
-------------------------------------------------------------------
Thu Sep 25 15:38:39 CEST 2008 - lnussel@suse.de
- change /var/games to 755 to prevent ill-considered maneuvers there
(bnc#429882)
-------------------------------------------------------------------
Thu Sep 11 17:03:04 CEST 2008 - lnussel@suse.de
- remove static smpppd config file permissions
- fix permissions of polkit-set-default-helper
- grant permissions to PolicyKit helpers also in level secure
-------------------------------------------------------------------
Tue Jul 15 11:40:22 CEST 2008 - lnussel@suse.de
- ensure correct permissions on ssh files to avoid sshd refusing
logins (bnc#398250)
-------------------------------------------------------------------
Thu Jul 3 11:33:29 CEST 2008 - lnussel@suse.de
- adapt permissions of lppasswd for current cups setup (bnc#406058)
-------------------------------------------------------------------
Mon Jun 2 11:46:30 CEST 2008 - lnussel@suse.de
- add mount.nfs due to an ever increasing number of users
hit by the regression (bnc#331020, bnc#304318)
-------------------------------------------------------------------
Wed May 7 15:18:04 CEST 2008 - lnussel@suse.de
- zypp-checkpatches-wrapper -> zypp-refresh-wrapper (bnc#385207)
-------------------------------------------------------------------
Mon Apr 21 16:03:22 CEST 2008 - lnussel@suse.de
- /dev/full should be 0666 (bnc#379545)
-------------------------------------------------------------------
Thu Apr 17 09:45:03 CEST 2008 - lnussel@suse.de
- update chkstat manpage and support '--' argument for chkstat
(bnc#57438)
-------------------------------------------------------------------
Wed Mar 12 13:09:51 CET 2008 - lnussel@suse.de
- new PolicyKit permissions (bnc#295341)
- remove obsolete entries for scmxx and zapping
-------------------------------------------------------------------
Mon Jan 7 12:24:47 CET 2008 - lnussel@suse.de
- remove setuid bits on man (#351988)
-------------------------------------------------------------------
Mon Dec 3 15:46:50 CET 2007 - lnussel@suse.de
- add dbus-daemon-launch-helper (#333361)
-------------------------------------------------------------------
Fri Nov 2 23:11:57 CET 2007 - dmueller@suse.de
- kcheckpass/kdesud moved to %_libdir/kde4/libexec
-------------------------------------------------------------------
Wed Oct 17 16:09:03 CEST 2007 - lnussel@suse.de
- remove bing (#306626)
-------------------------------------------------------------------
Fri Oct 12 13:30:57 CEST 2007 - lnussel@suse.de
- remove suexec2 (#263789)
-------------------------------------------------------------------
Fri Aug 10 21:02:03 CEST 2007 - aj@suse.de
- Readd nscd socket permissions, otherwise glibc build will fail.
-------------------------------------------------------------------
Fri Aug 10 09:23:16 CEST 2007 - lnussel@suse.de
- add PolicyKit helpers (#295341)
-------------------------------------------------------------------
Wed Aug 8 11:11:43 CEST 2007 - lnussel@suse.de
- remove nscd socket permission handling as chkstat refuses to touch
that file anyways (#298334).
-------------------------------------------------------------------
Tue Jun 12 15:22:22 CEST 2007 - schwab@suse.de
- permissions.local: Fix comment to use uid:gid instead of uid.gid.
-------------------------------------------------------------------
Fri Jun 1 15:44:55 CEST 2007 - lnussel@suse.de
- package /etc/permissions.local
-------------------------------------------------------------------
Wed May 30 10:47:52 CEST 2007 - lnussel@suse.de
- add /usr/bin/kcheckpass and /usr/bin/kdesud (#276502)
-------------------------------------------------------------------
Wed Apr 18 18:23:19 CEST 2007 - dmueller@suse.de
- create debuginfo package (#265667)
-------------------------------------------------------------------
Thu Feb 22 17:50:27 CET 2007 - lnussel@suse.de
- prefer package specific permissions files over central ones
(#246252)
-------------------------------------------------------------------
Thu Feb 22 16:51:06 CET 2007 - lnussel@suse.de
- add /opt/kde3/bin/start_kdeinit (#203535)
- remove entries for dropped packages OpenPBS and xtetris
-------------------------------------------------------------------
Wed Jan 17 13:53:28 CET 2007 - lnussel@suse.de
- make pam authentication helpers unix_chkpwd, unix2_chkpwd and
pam_auth setuid root instead of setgid shadow (#216816)
-------------------------------------------------------------------
Wed Jan 10 15:12:53 CET 2007 - sbrabec@suse.cz
- Prefix of /opt/gnome binaries changed to /usr.
- Removed gnome-stones.
-------------------------------------------------------------------
Mon Nov 13 11:40:32 CET 2006 - lnussel@suse.de
- remove khc_indexbuilder (#188192)
-------------------------------------------------------------------
Mon Oct 16 16:08:06 CEST 2006 - lnussel@suse.de
- add zypp patch checking helper (#211286)
-------------------------------------------------------------------
Wed Aug 23 09:59:37 CEST 2006 - lnussel@suse.de
- /usr/X11R6 -> /usr
- remove obsolete entries for xmris,pcmcia-cardinfo,geki2,vmware,nicimud
-------------------------------------------------------------------
Thu Aug 17 14:27:17 CEST 2006 - cthiel@suse.de
- change paths for v4l-conf from /usr/X11R6/bin to /usr/bin
-------------------------------------------------------------------
Thu Jul 20 16:32:35 CEST 2006 - sndirsch@suse.de
- Xorg moved from /usr/X11R6/bin to /usr/bin; fixes build of
xorg-x11-server package
-------------------------------------------------------------------
Tue Jun 27 08:21:00 CEST 2006 - lnussel@suse.de
- remove setuid bit on gpg (#137562)
-------------------------------------------------------------------
Fri May 19 15:48:04 CEST 2006 - lnussel@suse.de
- add get_printing_ticket in order to enable smb printing with
kerberos authentication (#177114)
-------------------------------------------------------------------
Wed May 17 11:42:30 CEST 2006 - lnussel@suse.de
- add setuid bit to gnomesu-pam-backend in level secure (#175616)
-------------------------------------------------------------------
Thu Feb 23 18:27:24 CET 2006 - schwab@suse.de
- /usr/lib/ia32el/suid_libia32x.so renamed to suid_ia32x_loader.
-------------------------------------------------------------------
Wed Jan 25 21:30:49 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Mon Jan 16 13:57:03 CET 2006 - meissner@suse.de
- removed pmount, pumount.
- moved pmpost to /usr/lib/pcp/pmpost.
-------------------------------------------------------------------
Thu Dec 15 16:06:44 CET 2005 - lnussel@suse.de
- /opt/kde3/bin/fileshareset -> /usr/bin/fileshareset
-------------------------------------------------------------------
Fri Dec 9 19:57:11 CET 2005 - meissner@suse.de
- temporary only setuid bit for pmount and pumount. #135792
-------------------------------------------------------------------
Wed Nov 23 09:22:05 CET 2005 - lnussel@suse.de
- add /usr/bin/fusermount (#133657)
-------------------------------------------------------------------
Mon Nov 21 09:32:56 CET 2005 - lnussel@suse.de
- remove Xwrapper, it's a symlink nowadays (#134611)
-------------------------------------------------------------------
Wed Nov 2 22:31:11 CET 2005 - dmueller@suse.de
- don't build as root
-------------------------------------------------------------------
Thu Oct 13 13:22:49 CEST 2005 - meissner@suse.de
- nici moved to /var/opt/novell/...
-------------------------------------------------------------------
Tue Oct 11 17:34:40 CEST 2005 - meissner@suse.de
- Temporary added setuid binary from "nici" (Novell I? Crypto Interface),
bug #127545.
-------------------------------------------------------------------
Fri Sep 30 13:28:00 CEST 2005 - lnussel@suse.de
- add slashes to several directories (#103186)
- change /var/games to games:games 775 again (#103186)
-------------------------------------------------------------------
Tue Aug 30 09:23:08 CEST 2005 - lnussel@suse.de
- remove kpopup helper (#100132)
-------------------------------------------------------------------
Thu Aug 25 15:17:57 CEST 2005 - lnussel@suse.de
- add /opt/gnome/sbin/change-passwd (#104993)
-------------------------------------------------------------------
Thu Aug 11 11:01:36 CEST 2005 - lnussel@suse.de
- remove xmcd (#104040)
- add suexec2 from apache2 (#66304)
- add exim (#66306)
-------------------------------------------------------------------
Thu Aug 11 08:55:45 CEST 2005 - lnussel@suse.de
- remove /opt/gnome/bin/iagno (#103844)
-------------------------------------------------------------------
Wed Aug 10 17:34:36 CEST 2005 - lnussel@suse.de
- remove xbl (#103762)
- clean up bsd games list (#103785)
- remove score files as they are the same in all levels anyways
-------------------------------------------------------------------
Wed Aug 10 10:53:31 CEST 2005 - lnussel@suse.de
- change /var/games{,/xsok} to root:root (#103186)
-------------------------------------------------------------------
Fri Aug 5 08:38:22 CEST 2005 - lnussel@suse.de
- /usr/sbin/isdnctrl -> /sbin/isdnctrl (#100750)
-------------------------------------------------------------------
Tue Aug 2 16:00:09 CEST 2005 - lnussel@suse.de
- remove kde games again. Turned out they don't work as intended.
-------------------------------------------------------------------
Tue Aug 2 11:59:41 CEST 2005 - lnussel@suse.de
- cardctl -> pccardctl (#100120)
-------------------------------------------------------------------
Fri Jul 22 10:34:32 CEST 2005 - lnussel@suse.de
- add setgid games to some kde games
-------------------------------------------------------------------
Wed Jun 8 14:36:57 CEST 2005 - lnussel@suse.de
- use correct gnomesu-pam-backend path
-------------------------------------------------------------------
Tue Jun 7 10:01:22 CEST 2005 - lnussel@suse.de
- add gnomesu-pam-backend (#75823)
- add lppasswd (#66305)
- make ntping 4750 root:trusted also in easy (#66211)
- add cl_status from heartbeat (#66310)
- remove unused /opt/gnome/sbin/change-passwd
-------------------------------------------------------------------
Tue May 17 00:29:21 CEST 2005 - ro@suse.de
- added /opt/gnome/sbin/change-passwd
-------------------------------------------------------------------
Mon Apr 25 16:45:30 CEST 2005 - lnussel@suse.de
- add OpenPBS permissions (#66320)
-------------------------------------------------------------------
Tue Mar 1 16:14:48 CET 2005 - lnussel@suse.de
- fix inn permissions (#67032)
- remove setuid bit from ziptool (#66191)
-------------------------------------------------------------------
Wed Feb 23 11:53:33 CET 2005 - lnussel@suse.de
- remove no longer existing files
- remove setuid plpnfsd (#66207)
- remove setuid bit from dga program
- change vmware permissions
- add /opt/kde3/bin/receivepopup (#66313)
- add /opt/kde3/bin/fileshareset (#66312)
- add /usr/bin/scmxx (#66309)
- add some missing mailman files (#66315)
- include perl script to perform some basic consistency checks
-------------------------------------------------------------------
Mon Jan 31 16:32:14 CET 2005 - meissner@suse.de
- backported security fix from SLES 9 branch. #43035
-------------------------------------------------------------------
Sat Jan 15 20:40:04 CET 2005 - schwab@suse.de
- Comment fixes.
-------------------------------------------------------------------
Mon Nov 22 21:02:36 CET 2004 - sndirsch@suse.de
- permissions.secure: set Xorg to 0711 (4711 before)
-------------------------------------------------------------------
Wed Nov 10 15:07:02 CET 2004 - ro@suse.de
- /var/cache/fonts to 1777 (as in tetex perms before)
-------------------------------------------------------------------
Mon Nov 8 14:37:25 CET 2004 - kukuk@suse.de
- Add nscd socket to permissions file
-------------------------------------------------------------------
Tue Sep 14 18:50:46 CEST 2004 - ro@suse.de
- do not use rpm in SuSEconfig.permissions (#45252)
-------------------------------------------------------------------
Tue Sep 14 17:21:40 CEST 2004 - ro@suse.de
- dropped check for perl in SuSEconfig.permissions (#45252)
-------------------------------------------------------------------
Wed May 26 12:34:57 MEST 2004 - draht@suse.de
- /usr/lib/ia32el/suid_libia32x.so set to (6755,0755,0755) (#40234)
source code audit in progress (#40234) (thomas)
-------------------------------------------------------------------
Fri May 14 15:26:23 CEST 2004 - ro@suse.de
- /usr/lib/ia32el/suid_libia32x.so added to easy,secure,paranoid
(0755,0755,0755) (#40234)
-------------------------------------------------------------------
Thu Apr 15 14:16:03 CEST 2004 - sndirsch@suse.de
- XFree86 --> Xorg in permissions files
-------------------------------------------------------------------
Tue Apr 6 12:45:32 CEST 2004 - mls@suse.de
- added --root option for buildroot operation
-------------------------------------------------------------------
Mon Apr 5 15:27:52 CEST 2004 - mls@suse.de
- chkstat: fixed relative symlink chasing
- /usr/src/packages/RPMS back to 1777 in easy, as chkstat can
now handle it
-------------------------------------------------------------------
Sun Apr 4 21:30:02 CEST 2004 - mls@suse.de
- chkstat: added missing link count check and safepath() function
- chkstat: refuse to give away s-bits on insecure paths
- chkstat: bugfix: stat file again after chown, as modes may have
changed
-------------------------------------------------------------------
Fri Apr 2 17:44:08 CEST 2004 - mls@suse.de
- chkstat: re-implemented it in C to make it more secure
-------------------------------------------------------------------
Thu Apr 1 10:17:00 CEST 2004 - kukuk@suse.de
- Remove /var/lock/subsys [#37759]
- Add sticky bit to /var/lock [#37759]
-------------------------------------------------------------------
Wed Mar 24 01:13:41 MET 2004 - draht@suse.de
- make /usr/bin/gpg setuid root in easy+secure, 0755 in paranoid.
#33570.
-------------------------------------------------------------------
Tue Mar 23 19:06:18 MET 2004 - draht@suse.de
- #36741: /usr/src/packages/RPMS 1777->0755 in easy.
-------------------------------------------------------------------
Mon Mar 22 15:28:59 CET 2004 - kukuk@suse.de
- Fix syntax error in permission.easy
- /usr/bin/ssh should be always 0755
-------------------------------------------------------------------
Fri Feb 13 12:09:14 MET 2004 - draht@suse.de
- /var/run/uscreens (root:root 1777) added
-------------------------------------------------------------------
Thu Feb 12 14:18:55 CET 2004 - kukuk@suse.de
- Don't modify group of crontab and at useless
-------------------------------------------------------------------
Fri Jan 9 23:17:42 CET 2004 - kukuk@suse.de
- Add RPM directory for hppa2.0
-------------------------------------------------------------------
Fri Nov 21 01:02:32 CET 2003 - ro@suse.de
- fpexec decrease go rights to 11
-------------------------------------------------------------------
Wed Nov 5 00:12:41 CET 2003 - ro@suse.de
- inn scripts: u-w (not needed)
-------------------------------------------------------------------
Mon Nov 3 13:08:38 CET 2003 - schwab@suse.de
- chkstat: fix option parsing.
-------------------------------------------------------------------
Wed Oct 29 09:18:20 CET 2003 - kukuk@suse.de
- Sync permissions for shadow package
-------------------------------------------------------------------
Tue Oct 28 16:24:10 CET 2003 - ro@suse.de
- require /sbin/SuSEconfig
-------------------------------------------------------------------
Tue Oct 28 16:06:42 CET 2003 - ro@suse.de
- chkstat: added some new extensions:
allow specifying singular files or a filelist to be checked
output previous/current mode of a failed file
adapted manpage
-------------------------------------------------------------------
Tue Oct 21 19:40:33 MEST 2003 - draht@suse.de
- permissions.secure: /etc/ftpusers 0640 root.root -> 0644
-------------------------------------------------------------------
Mon Oct 20 18:07:29 CEST 2003 - ro@suse.de
- permissions.*: use ":" and not "." to separate user/group
- chkstat: output also which of (permissions/owner) is wrong
- chkstat: don't try to chown if not root
-------------------------------------------------------------------
Tue Oct 14 16:06:06 MEST 2003 - draht@suse.de
- reformatting of all 4 permissions files. xkobo, rocksndiamonds,
xlogical, lbreakout2 and ltris path adoptions.
for future reference: :-)
for i in permissions permissions.easy permissions.secure
permissions.paranoid; do cat $i | \
awk '/^(#|$)/ { print $0; next; }
{ if(NF > 3) {printf("error: %s\n",$0);exit};
printf("%-55s %-17s %4s\n",$1,$2,$3)}' \
> $i.. && mv $i.. $i; done
-------------------------------------------------------------------
Thu Sep 18 16:05:54 CEST 2003 - kukuk@suse.de
- Fix group of straps, popauth and ntping
- Remove some GNOME games which do not need special rights anymore
-------------------------------------------------------------------
Tue Sep 16 22:34:41 CEST 2003 - kukuk@suse.de
- permissions.easy: change group of bing, vboxbeep, plpnfsd to
trusted, majordomo/wrapper to daemon
-------------------------------------------------------------------
Tue Sep 16 11:39:04 CEST 2003 - kukuk@suse.de
- permissions.easy: change group of gpasswd and ziptool to trusted
-------------------------------------------------------------------
Tue Sep 2 17:11:52 CEST 2003 - kkeil@suse.de
- fix user fax for hylafax specific files
-------------------------------------------------------------------
Tue Sep 2 08:47:35 CEST 2003 - kukuk@suse.de
- fix path to cons.saver, remove setuid bit in paranoid (#25907)
- remove screen
- remove smail (dropped years ago)
-------------------------------------------------------------------
Mon Sep 1 18:26:32 CEST 2003 - kkeil@suse.de
- fix group for isdnctrl uucp --> dialout (#28997)
-------------------------------------------------------------------
Mon Sep 1 15:06:09 MEST 2003 - draht@suse.de
- feedback@suse.de -> http://www.suse.de/feedback in all files of
the package. #29635.
-------------------------------------------------------------------
Sat Aug 23 15:54:13 CEST 2003 - sndirsch@suse.de
- added martian entries of package pachi
-------------------------------------------------------------------
Tue Aug 19 11:48:29 CEST 2003 - mmj@suse.de
- Add sysconfig metadata [#28937]
-------------------------------------------------------------------
Tue Jul 29 19:12:03 MEST 2003 - draht@suse.de
- fax changes from Tomas Crhak: faxq-helper and spool directories.
-------------------------------------------------------------------
Tue Jul 29 14:08:49 CEST 2003 - ro@suse.de
- gnome games moved back to /opt/gnome
-------------------------------------------------------------------
Mon Jul 28 16:56:27 CEST 2003 - kukuk@suse.de
- Remove /var/run from permissions file list [Bug #28289]
-------------------------------------------------------------------
Mon Jul 28 08:47:31 CEST 2003 - kukuk@suse.de
- /var/lib/gdm: Removed to solve [Bug #28257] for future products.
-------------------------------------------------------------------
Fri Jul 25 15:28:10 MEST 2003 - draht@suse.de
- /usr/lib/vte/gnome-pty-helper -> /opt/gnome/lib/vte/gnome-pty-helper
The same with /opt/gnome/lib64/.
-------------------------------------------------------------------
Fri Jun 13 09:11:40 CEST 2003 - kukuk@suse.de
- /usr/lib/mgetty+sendfax/faxq-helper added 4711 in easy and secure
-------------------------------------------------------------------
Fri May 2 11:42:47 CEST 2003 - sndirsch@suse.de
- added /usr/games/pachi and /var/games/pachi.scores
-------------------------------------------------------------------
Mon Mar 10 15:46:45 CET 2003 - sndirsch@suse.de
- added /usr/games/falconseye.bin
- removed /usr/games/falconseye
-------------------------------------------------------------------
Mon Mar 10 10:45:30 CET 2003 - kukuk@suse.de
- added /usr/lib64/vte/gnome-pty-helper until ported to utempter
-------------------------------------------------------------------
Sun Mar 9 01:15:10 CET 2003 - sndirsch@suse.de
- added /usr/games/falconseye
- removed old falconseye entries
-------------------------------------------------------------------
Thu Mar 6 23:58:24 CET 2003 - ro@suse.de
- added /usr/lib/vte/gnome-pty-helper until ported to utempter
-------------------------------------------------------------------
Thu Feb 20 11:22:35 CET 2003 - mmj@suse.de
- Add sysconfig metadata [#22686]
-------------------------------------------------------------------
Tue Feb 18 16:38:12 CET 2003 - kssingvo@suse.de
- removed squid entries. They will be added and corrected to squids own
permission file /etc/permissions.d/squid (bugzilla#23752):
/var/squid
/var/squid/cache
/var/squid/logs
-------------------------------------------------------------------
Tue Feb 18 02:55:30 MET 2003 - draht@suse.de
- /usr/games/trackballs added 2755 games.games in easy.
-------------------------------------------------------------------
Sun Feb 16 17:19:29 CET 2003 - adrian@suse.de
- allow khc_indexbuilder to write into /var/cache/susehelp in easy mode
- remove old entries (kreatecd and kscd)
-------------------------------------------------------------------
Mon Feb 10 01:37:01 MET 2003 - draht@suse.de
- additions/changes (from #17012, Tobias Burnus):
* read all files from the commandline at once and override
entries given multiple times by the last entry
* enable option --set in addition to -set
* manpage adoptions
* call chkstat only once from SuSEconfig.permissions
-------------------------------------------------------------------
Thu Feb 6 01:52:49 CET 2003 - ro@suse.de
- /var/mtrack -> /var/lib/mtrack
-------------------------------------------------------------------
Tue Nov 19 15:16:41 CET 2002 - ro@suse.de
- zapping_setup_fb moved to /opt/gnome/sbin
-------------------------------------------------------------------
Thu Nov 14 13:44:56 CET 2002 - bg@suse.de
- added hppa to rpm subsystem in permissions files to be able to
finish autobuild
-------------------------------------------------------------------
Thu Oct 24 13:50:20 CEST 2002 - ro@suse.de
- two more nethack flavors with sgid games in easy
-------------------------------------------------------------------
Tue Sep 10 17:40:44 MEST 2002 - draht@suse.de
- cda entries below /usr/X11R6/lib/X11/xmcd removed.
index.html under /var/lib/xmcd/discog directories added
world-writeable. This is not satisfactory. New user xmcd will be
added in next release.
-------------------------------------------------------------------
Thu Sep 5 18:43:44 MEST 2002 - draht@suse.de
- /usr/X11R6/lib/X11/xmcd/bin-Linux-ia64/{cda,xmcd} added.
-------------------------------------------------------------------
Mon Aug 26 17:22:29 MEST 2002 - draht@suse.de
- removed all occurrences of kv4lsetup upon request by adrian+uli.
- -s for xlock, xlock-mesa + xscreensaver (#18125), (#18132)
- /usr/src/packages/RPMS/alphaev67 added.
- added /sbin/unix2_chkpwd root.shadow 2755
- -s /usr/sbin/papd (#18103)
-------------------------------------------------------------------
Wed Aug 21 16:29:43 MEST 2002 - draht@suse.de
- removed suid bits from heimdal's su and otp (#18104)
-------------------------------------------------------------------
Wed Aug 21 16:13:29 MEST 2002 - draht@suse.de
- remove setuid bit from traceroute due to new implementation by
Olaf Kirch which doesn't need euid root. (#18101)
-------------------------------------------------------------------
Wed Aug 21 14:16:47 MEST 2002 - draht@suse.de
- removed lprng entries because of conflicts cups <-> lprng
-------------------------------------------------------------------
Wed Aug 21 14:14:05 MEST 2002 - draht@suse.de
- vboxbeep -> 0755 in secure.
-------------------------------------------------------------------
Mon Aug 19 15:27:09 CEST 2002 - ro@suse.de
- added prereq (#17956)
-------------------------------------------------------------------
Mon Aug 19 13:45:43 CEST 2002 - uli@suse.de
- added nethack for lib64 archs
-------------------------------------------------------------------
Mon Aug 19 12:32:56 CEST 2002 - uli@suse.de
- added xmcd for archs != i386
-------------------------------------------------------------------
Tue Aug 13 13:48:05 MEST 2002 - draht@suse.de
- gnome-games2 entries changed/adopted to /opt/gnome2 path.
-------------------------------------------------------------------
Tue Aug 13 13:30:30 CEST 2002 - draht@suse.de
- changed kcheckpass from 2755 root.shadow to 4755. (#17664)
-------------------------------------------------------------------
Wed Jul 31 07:55:06 CEST 2002 - olh@suse.de
- ncpmount, ncpumount, nwsfind, ncplogin, ncpmap root.trusted 4750
-------------------------------------------------------------------
Sat Jul 27 13:19:26 CEST 2002 - kukuk@suse.de
- Rename group wwwadmin to www
- Rename group game to games
-------------------------------------------------------------------
Tue Jul 23 12:54:24 MEST 2002 - draht@suse.de
- added sapdb files, not setuid root in secure,paranoid.
-------------------------------------------------------------------
Mon Jul 22 18:26:43 MEST 2002 - draht@suse.de
- added frontpage files
-------------------------------------------------------------------
Tue Jul 16 15:18:14 MEST 2002 - draht@suse.de
- changed entries for mailman: group mdom -> mailman
-------------------------------------------------------------------
Tue Jul 16 03:51:29 MEST 2002 - draht@suse.de
- mailman sgid mdom files added to easy, secure and paranoid.
-------------------------------------------------------------------
Wed Jul 10 14:33:50 MEST 2002 - draht@suse.de
- .paranoid comment fixed about at and cron (#12159)
-------------------------------------------------------------------
Mon Jul 8 17:24:21 MEST 2002 - draht@suse.de
- ppp dialup networking fixes and cleanup.
-------------------------------------------------------------------
Mon Jul 8 15:56:23 MEST 2002 - draht@suse.de
- modifications: -s for pppd, world-writeable directories for
kdemultimedia3-sound, gift, mips and armv4l RPMS directory.
-------------------------------------------------------------------
Fri Jul 5 21:13:08 CEST 2002 - kukuk@suse.de
- Add /usr/src/packages/RPMS/sparcv9 to easy,secure,paranoid.
-------------------------------------------------------------------
Thu Jul 4 16:26:47 MEST 2002 - draht@suse.de
- /usr/lib64/pt_chown added to easy,secure,paranoid.
-------------------------------------------------------------------
Mon Jul 1 19:56:10 MEST 2002 - draht@suse.de
- entries for packages added or changed:
squid
geki2
d1x
falconseye
fdutils
gewels
gnome-games
heimdal
lbreakout
lpdfilter
lprng
man
mgetty (/var/spool/fax/outgoing/* need discussion)
mtrack (locfile+satfile -> 0644)
nethack
nvi-m17n (/var/preserve/vi.recover -> 1777)
opie (/bin -> /usr/bin)
pcp
plptools
qpopper
rp-pppoe (/usr/sbin/pppoe-wrapper)
smpppd (/usr/sbin/cinternet-wwwrun wwwrun.dialout 2750)
squid (/usr/sbin/pam_auth)
su-wrapper
xemacs (lock directory changed again? now /var/state/xemacs and /var/lib/xemacs)
xgalaga
xmcd
xscrabble
-------------------------------------------------------------------
Mon Jul 1 01:01:10 CEST 2002 - ro@suse.de
- don't install all sources (spec file etc.)
-------------------------------------------------------------------
Fri Jun 28 14:40:07 MEST 2002 - draht@suse.de
- minor spec file change
-------------------------------------------------------------------
Fri Jun 28 12:56:43 MEST 2002 - draht@suse.de
- entries for packages added:
ftpdir
gnokii
kamplus
geki2
aaa_dir (/tmp/.ICE-unix)
-------------------------------------------------------------------
Fri Jun 28 12:56:18 MEST 2002 - draht@suse.de
- unpack tar archive in source for convenience.
-------------------------------------------------------------------
Thu Jun 27 23:05:51 CEST 2002 - olh@suse.de
- update permissions of /usr/src/packages/RPMS/<arch>
-------------------------------------------------------------------
Fri Jun 21 02:10:26 CEST 2002 - ro@suse.de
- created package as split off from aaa_base