testing/permissions
SHA256
3
0
Fork 0
forked from pool/permissions
Code Pull Requests Activity

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/permissions?expand=0&rev=1

Browse Source
This commit is contained in:
OBS User unknown 2006-12-18 23:17:28 +00:00 committed by Git OBS Bridge
commit 9cdb8acadc
15 changed files with 3629 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

81
SuSEconfig.permissions Normal file
View File

@ -0,0 +1,81 @@
#! /bin/sh
# Copyright (c) 2000-2002 SuSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Burchard Steinbild, 1996-97
# Bernhard Kaindl <bk@suse.de>, 1999
# Rüdiger Oertel <ro@suse.de>, 2000-01
#
# This module checks and sets file permissions
# check if we are started as root
# only one of UID and USER must be set correctly
if test "$UID" != 0 -a "$USER" != root; then
echo "You must be root to start $0."
exit 1
fi
r=$ROOT
test -f $r/lib/YaST/SuSEconfig.functions || {
echo "ERROR - can not find $r/lib/YaST/SuSEconfig.functions!!"
echo "This should not happen. Exit..."
exit 1
}
. $r/lib/YaST/SuSEconfig.functions
for i in $r/etc/sysconfig/security $r/etc/sysconfig/suseconfig ; do
if test ! -f $i ; then
echo "No $i found."
exit 1
fi
. $i
done
if test -n "$ENABLE_SUSECONFIG" -a "$ENABLE_SUSECONFIG" = "no" ; then
echo "SuSEconfig is disabled in $r/etc/sysconfig/suseconfig."
echo "Exit..."
exit 0
fi
test -z "$r" -a ! -e $r/usr/lib/YaST/.DemoMode || exit 0
if test -n "$CHECK_PERMISSIONS" -a \
-x /usr/bin/chkstat ; then
PERMISSIONS_FILES=""
PACKAGE_PERMFILES=(/etc/permissions.d/*)
PACKAGE_PERMFILES=(${PACKAGE_PERMFILES[*]##*/})
PACKAGE_PERMFILES=(${PACKAGE_PERMFILES[*]%%\.*})
PACKS=${PACKAGE_PERMFILES[*]}
if test -n "$PACKS" ; then
test -x /usr/bin/sort && {
PACKS=`for j in $PACKS ; do echo $j ; done | /usr/bin/sort -u`
}
for i in $PACKS ; do
test -e /etc/permissions.d/$i && \
PERMISSIONS_FILES="$PERMISSIONS_FILES /etc/permissions.d/$i"
for PERMEXT in $PERMISSION_SECURITY ; do
test -e /etc/permissions.d/$i.$PERMEXT && \
PERMISSIONS_FILES="$PERMISSIONS_FILES /etc/permissions.d/$i.$PERMEXT"
done
done
fi
test -e /etc/permissions && \
PERMISSIONS_FILES="$PERMISSIONS_FILES /etc/permissions"
for PERMEXT in $PERMISSION_SECURITY ; do
test -e /etc/permissions.$PERMEXT && \
PERMISSIONS_FILES="$PERMISSIONS_FILES /etc/permissions.$PERMEXT"
done
if test "$CHECK_PERMISSIONS" = "set" ; then
/usr/bin/chkstat -set $PERMISSIONS_FILES
elif test "$CHECK_PERMISSIONS" = "warn" ; then
/usr/bin/chkstat $PERMISSIONS_FILES
fi
fi

198
checkpermissionfiles.pl Normal file
View File

@ -0,0 +1,198 @@
#!/usr/bin/perl -w
# perform some consistency checks on permission files
use Getopt::Long;
use strict;
use Data::Dumper;
use File::Basename;
my @deflevels = ('easy', 'secure', 'paranoid');
my @defpermfiles = ('permissions', 'permissions.easy', 'permissions.secure', 'permissions.paranoid');
# filename
# - level (DEFAULT, easy, secure, paranoid)
# - owner
# - mode
my %perms;
my($nodups, $checkmissing, $defonly, $showsuid, $showsgid, $showww, $showgw,
$show, @levels, $showsame, $dump, @permfiles, $help, $checkdirs);
Getopt::Long::Configure("no_ignore_case");
GetOptions (
"nodups" => \$nodups,
"missing" => \$checkmissing,
"defonly" => \$defonly,
"show" => \$show,
"suid" => \$showsuid,
"sgid" => \$showsgid,
"ww" => \$showww,
"gw" => \$showgw,
"same" => \$showsame,
"level=s" => \@levels,
"dump" => \$dump,
"checkdirs=s" => \$checkdirs,
"help" => \$help,
);
if($help)
{
print <<EOF;
perform some consistency checks on permission files
USAGE: $0 [OPTIONS] [FILES]
OPTIONS:
--nodups skip check for duplicate entries
--same check for identical entries in all files
--missing check whether entries are in all three files (default)
--defonly run actions only on default file
--show show entries
--suid only suid files
--sgid only sgid files
--ww only world writeable files
--gw only group writeable files
--dump dump files as perl hash
--level restrict checks to this coma separated list of levels
--checkdirs DIR check for group writeable directories below DIR
EOF
exit 0;
}
@levels = @deflevels unless $#levels != -1;
@levels = split(/,/,join(',',@levels));
if($#ARGV != -1)
{
while (my $permfile = shift @ARGV)
{
push @permfiles, $permfile;
}
}
else
{
@permfiles = @defpermfiles;
}
for my $permfile (@permfiles)
{
my $level = 'DEFAULT';
$level =$1 if(basename($permfile) =~ /.*\.(.*)/);
open(FH, '<', $permfile) or next;
while(<FH>)
{
chomp;
s/#.*//;
next if(/^$/);
my ($file, $owner, $mode) = split(/\s+/);
if(!$nodups && exists($perms{$file}{$level}))
{
print STDERR "$permfile:$. File listed twice: $file already in $level\n";
}
else
{
$perms{$file}{$level}{'owner'} = $owner;
$perms{$file}{$level}{'mode'} = $mode;
}
if($checkdirs)
{
if(! -e $checkdirs.$file)
{
#print STDERR "$permfile:$.: can't check $file\n";
}
elsif(-d $checkdirs.$file && oct($mode)&020 && !(oct($mode)&01000))
{
print STDERR "$permfile:$.: $file group writeable but not sticky\n"
}
}
}
close(FH);
}
my ($file, $owner, $mode, $level);
format FORMATTED =
@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<< @>>>> (@*)
$file, $owner, $mode, $level
.
open FORMATTED, ">&STDOUT";
$checkmissing = 1 unless ($show || $showsuid || $showsgid || $showww || $showgw || $dump || $showsame);
foreach $file (sort keys %perms)
{
next if($defonly && !exists($perms{$file}{'DEFAULT'}));
{
my @l = ('DEFAULT');
push @l, @levels unless $defonly;
my ($om, $modechanged, $numseen);
$numseen = 0;
for $level (@l)
{
next unless exists $perms{$file}{$level};
++$numseen;
$mode = $perms{$file}{$level}{'mode'};
$om = oct($mode) unless $om;
$modechanged = 1 if($om != oct($mode));
$owner = $perms{$file}{$level}{'owner'};
next if(
($showsuid && !(oct($mode) & 04000)) ||
($showsgid && !(oct($mode) & 02000)) ||
($showww && !(oct($mode) & 0002)) ||
($showgw && !(oct($mode) & 0020))
);
write FORMATTED if ($show);
}
if($numseen > 3)
{
print STDERR "Suspicious: $file in >3 levels\n";
}
if($showsame && $numseen > 1 && !$modechanged)
{
print STDERR "Useless: $file\n";
}
}
if($checkmissing)
{
my $msg = '';
if(!exists($perms{$file}{'DEFAULT'}))
{
for $level (@levels)
{
if(!exists($perms{$file}{$level}))
{
$msg .= " not in $level\n";
}
}
}
if(length $msg)
{
print STDERR "$file:\n$msg\n";
}
}
}
close FORMATTED;
print Dumper(\%perms) if($dump);
# vim: sw=4

74
chkstat.8 Normal file
View File

@ -0,0 +1,74 @@
.\"
.\" S.u.S.E. man page for chkstat
.\" Copyright (c) 2000-2003 SuSE Linux AG, Nuernberg, Germany.
.\" please send bugfixes or comments via http://www.suse.de/feedback
.\"
.\" Author: Ruediger Oertel
.\"
.TH CHKSTAT 8 "Jul 9, 1998" "Version 0.1" "Tool to check and set file permissions"
.\"
.UC 8
.SH NAME
.\"
chkstat \- Tool to check and set file permissions
.SH SYNOPSIS
.\"
.B chkstat
.RB \|[\| \-\-set|\-set ]
.RB \|[\| \-\-noheader ]
.RB \|[\|\|[\| \-\-examine\ file\ ] ... ]
.RB \|[\|\|[\| \-\-files\ filelist\ ] ... ]
.B permission-file ...
.\"
.SH DESCRIPTION
The perl script
.I /usr/bin/chkstat
is a tool to check and set file permissions.
.PP
Multiple permissions files can be given on the commandline.
If the permission files contain multiple entries for a single
file, the last entry found will be used.
.PP
.\"
.SS General Options
.TP
.IR \-\-set ,\ \-set
This option enables setting the file permissions,
the default is to check and warn only.
.TP
.IR \-\-noheader
Omit printing the output header lines.
.TP
.IR \-\-examine\ file
Check permissions for this file and not all files listed in the permissions files.
.TP
.IR \-\-files\ filelist
Check permissions for the files listed in
.IR filelist
and not for all files listed in the permissions files.
.PP
.SH EXAMPLE
.PP
The command
.PP
.RS
.B chkstat -set /etc/permissions
.RE
.PP
will parse the file /etc/permissions and set the access mode and the
user- and group memberships each file listed. The format
for the input file is
.PP
.B FILEPATH
.B OWNER:GROUP
.B MODE
.PP
and wildcards are not supported for the filepath. Lines starting
with '#' and empty lines are treated as comments.
.SH COPYRIGHT
1996-2003 SuSE Linux AG, Nuernberg, Germany.
.SH AUTHOR
Reinhold Sojer (http:/www.suse.de/feedback)
.PP
Useful changes and additions by Tobias Burnus <burnus@gmx.de>

589
chkstat.c Normal file
View File

@ -0,0 +1,589 @@
/* Copyright (c) 2004 SuSE Linux AG
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program (see the file COPYING); if not, write to the
* Free Software Foundation, Inc.,
* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*
****************************************************************
*/
#include <stdio.h>
#include <pwd.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#define __USE_GNU
#include <fcntl.h>
struct perm {
struct perm *next;
char *file;
char *owner;
char *group;
mode_t mode;
};
struct perm *permlist;
char **checklist;
int nchecklist;
uid_t euid;
char *root;
int rootl;
void
add_permlist(char *file, char *owner, char *group, mode_t mode)
{
struct perm *ec, **epp;
owner = strdup(owner);
group = strdup(group);
if (rootl)
{
char *nfile;
nfile = malloc(strlen(file) + rootl + (*file != '/' ? 2 : 1));
if (nfile)
{
strcpy(nfile, root);
if (*file != '/')
strcat(nfile, "/");
strcat(nfile, file);
}
file = nfile;
}
else
file = strdup(file);
if (!owner || !group || !file)
{
perror("permlist entry alloc");
exit(1);
}
for (epp = &permlist; (ec = *epp) != 0; )
if (!strcmp(ec->file, file))
{
*epp = ec->next;
free(ec->file);
free(ec->owner);
free(ec->group);
free(ec);
}
else
epp = &ec->next;
ec = malloc(sizeof(struct perm));
if (ec == 0)
{
perror("permlist entry alloc");
exit(1);
}
ec->file = file;
ec->owner = owner;
ec->group = group;
ec->mode = mode;
ec->next = 0;
*epp = ec;
}
int
in_checklist(char *e)
{
int i;
for (i = 0; i < nchecklist; i++)
if (!strcmp(e, checklist[i]))
return 1;
return 0;
}
void
add_checklist(char *e)
{
if (in_checklist(e))
return;
e = strdup(e);
if (e == 0)
{
perror("checklist entry alloc");
exit(1);
}
if ((nchecklist & 63) == 0)
{
if (checklist == 0)
checklist = malloc(sizeof(char *) * (nchecklist + 64));
else
checklist = realloc(checklist, sizeof(char *) * (nchecklist + 64));
if (checklist == 0)
{
perror("checklist alloc");
exit(1);
}
}
checklist[nchecklist++] = e;
}
int
readline(FILE *fp, char *buf, int len)
{
int l;
if (!fgets(buf, len, fp))
return 0;
l = strlen(buf);
if (l && buf[l - 1] == '\n')
{
l--;
buf[l] = 0;
}
if (l + 1 < len)
return 1;
fprintf(stderr, "warning: buffer overrun in line starting with '%s'\n", buf);
while ((l = getc(fp)) != EOF && l != '\n')
;
buf[0] = 0;
return 1;
}
void
usage(int x)
{
fprintf(stderr, "Usage: chkstat [--set] [--noheader] [[--examine file] ...] [ [--files filelist] ...] permission-file ...\n");
exit(x);
}
int
safepath(char *path, uid_t uid, gid_t gid)
{
struct stat stb;
char pathbuf[1024];
char linkbuf[1024];
char *p, *p2;
int l, l2, lcnt;
lcnt = 0;
l2 = strlen(path);
if (l2 >= sizeof(pathbuf))
return 0;
strcpy(pathbuf, path);
if (pathbuf[0] != '/')
return 0;
p = pathbuf + rootl;
for (;;)
{
p = strchr(p, '/');
if (!p)
return 1;
*p = 0;
if (lstat(*pathbuf ? pathbuf : "/", &stb))
return 0;
if (S_ISLNK(stb.st_mode))
{
if (++lcnt >= 256)
return 0;
l = readlink(pathbuf, linkbuf, sizeof(linkbuf));
if (l <= 0 || l >= sizeof(linkbuf))
return 0;
while(l && linkbuf[l - 1] == '/')
l--;
if (l + 1 >= sizeof(linkbuf))
return 0;
linkbuf[l++] = '/';
linkbuf[l] = 0;
*p++ = '/';
if (linkbuf[0] == '/')
{
if (rootl)
{
p[-1] = 0;
fprintf(stderr, "can't handle symlink %s at the moment\n", pathbuf);
return 0;
}
l2 -= (p - pathbuf);
memmove(pathbuf + rootl, p, l2 + 1);
l2 += rootl;
p = pathbuf + rootl;
}
else
{
if (p - 1 == pathbuf)
return 0; /* huh, "/" is a symlink */
for (p2 = p - 2; p2 >= pathbuf; p2--)
if (*p2 == '/')
break;
if (p2 < pathbuf + rootl) /* cannot happen */
return 0;
p2++; /* am now after '/' */
memmove(p2, p, pathbuf + l2 - p + 1);
l2 -= (p - p2);
p = p2;
}
if (l + l2 >= sizeof(pathbuf))
return 0;
memmove(p + l, p, pathbuf + l2 - p + 1);
memmove(p, linkbuf, l);
l2 += l;
if (pathbuf[0] != '/') /* cannot happen */
return 0;
if (p == pathbuf)
p++;
continue;
}
if (!S_ISDIR(stb.st_mode))
return 0;
/* write is always forbidden for other */
if ((stb.st_mode & 02) != 0)
return 0;
/* owner must be ok as she may change the mode */
/* for euid != 0 it is also ok if the owner is euid */
if (stb.st_uid && stb.st_uid != uid && stb.st_uid != euid)
return 0;
/* group gid may do fancy things */
/* for euid != 0 we don't check this */
if ((stb.st_mode & 020) != 0 && !euid)
if (!gid || stb.st_gid != gid)
return 0;
*p++ = '/';
}
}
int
main(int argc, char **argv)
{
char *opt, *p;
int set = 0;
int told = 0;
int use_checklist = 0;
FILE *fp;
char line[512];
char *part[4];
int i, pcnt, lcnt;
int inpart;
mode_t mode;
struct perm *e;
struct stat stb, stb2;
struct passwd *pwd = 0;
struct group *grp = 0;
uid_t uid;
gid_t gid;
int fd, r;
int errors = 0;
while (argc > 1)
{
opt = argv[1];
if (*opt == '-' && opt[1] == '-')
opt++;
if (!strcmp(opt, "-s") || !strcmp(opt, "-set"))
{
set = 1;
argc--;
argv++;
continue;
}
if (!strcmp(opt, "-n") || !strcmp(opt, "-noheader"))
{
told = 1;
argc--;
argv++;
continue;
}
if (!strcmp(opt, "-e") || !strcmp(opt, "-examine"))
{
argc--;
argv++;
if (argc == 1)
{
fprintf(stderr, "examine: argument required\n");
exit(1);
}
add_checklist(argv[1]);
use_checklist = 1;
argc--;
argv++;
continue;
}
if (!strcmp(opt, "-f") || !strcmp(opt, "-files"))
{
argc--;
argv++;
if (argc == 1)
{
fprintf(stderr, "files: argument required\n");
exit(1);
}
if ((fp = fopen(argv[1], "r")) == 0)
{
fprintf(stderr, "files: %s: %s\n", argv[1], strerror(errno));
exit(1);
}
while (readline(fp, line, sizeof(line)))
{
if (!*line)
continue;
add_checklist(line);
}
fclose(fp);
use_checklist = 1;
argc--;
argv++;
continue;
}
if (!strcmp(opt, "-r") || !strcmp(opt, "-root"))
{
argc--;
argv++;
if (argc == 1)
{
fprintf(stderr, "root: argument required\n");
exit(1);
}
root = argv[1];
rootl = strlen(root);
if (*root != '/')
{
fprintf(stderr, "root: must begin with '/'\n");
exit(1);
}
argc--;
argv++;
continue;
}
if (*opt == '-')
usage(!strcmp(opt, "-h") || !strcmp(opt, "-help") ? 0 : 1);
break;
}
if (argc <= 1)
usage(1);
for (i = 1; i < argc; i++)
{
if ((fp = fopen(argv[i], "r")) == 0)
{
perror(argv[i]);
exit(1);
}
lcnt = 0;
while (readline(fp, line, sizeof(line)))
{
lcnt++;
if (*line == 0 || *line == '#' || *line == '$')
continue;
inpart = 0;
pcnt = 0;
for (p = line; *p; p++)
{
if (*p == ' ' || *p == '\t')
{
*p = 0;
if (inpart)
{
pcnt++;
inpart = 0;
}
continue;
}
if (!inpart)
{
inpart = 1;
if (pcnt == 3)
break;
part[pcnt] = p;
}
}
if (inpart)
pcnt++;
if (pcnt != 3)
{
fprintf(stderr, "bad permissions line %s:%d\n", argv[i], lcnt);
continue;
}
part[3] = part[2];
part[2] = strchr(part[1], ':');
if (!part[2])
part[2] = strchr(part[1], '.');
if (!part[2])
{
fprintf(stderr, "bad permissions line %s:%d\n", argv[i], lcnt);
continue;
}
*part[2]++ = 0;
mode = strtoul(part[3], part + 3, 8);
if (mode > 07777 || part[3][0])
{
fprintf(stderr, "bad permissions line %s:%d\n", argv[i], lcnt);
continue;
}
add_permlist(part[0], part[1], part[2], mode);
}
fclose(fp);
}
euid = geteuid();
for (e = permlist; e; e = e->next)
{
if (use_checklist && !in_checklist(e->file))
continue;
if (lstat(e->file, &stb))
continue;
if (S_ISLNK(stb.st_mode))
continue;
if ((!pwd || strcmp(pwd->pw_name, e->owner)) && (pwd = getpwnam(e->owner)) == 0)
{
fprintf(stderr, "%s: unknown user %s\n", e->file, e->owner);
continue;
}
if ((!grp || strcmp(grp->gr_name, e->group)) && (grp = getgrnam(e->group)) == 0)
{
fprintf(stderr, "%s: unknown group %s\n", e->file, e->group);
continue;
}
uid = pwd->pw_uid;
gid = grp->gr_gid;
if ((stb.st_mode & 07777) == e->mode && stb.st_uid == uid && stb.st_gid == gid)
continue;
if (!told)
{
told = 1;
printf("Checking permissions and ownerships - using the permissions files\n");
for (i = 1; i < argc; i++)
printf("\t%s\n", argv[i]);
}
if (!set)
printf("%s should be %s:%s %04o.", e->file, e->owner, e->group, e->mode);
else
printf("setting %s to %s:%s %04o.", e->file, e->owner, e->group, e->mode);
printf(" (wrong");
if (stb.st_uid != uid || stb.st_gid != gid)
{
pwd = getpwuid(stb.st_uid);
grp = getgrgid(stb.st_gid);
if (pwd)
printf(" owner/group %s", pwd->pw_name);
else
printf(" owner/group %d", stb.st_uid);
if (grp)
printf(":%s", grp->gr_name);
else
printf(":%d", stb.st_gid);
pwd = 0;
grp = 0;
}
if ((stb.st_mode & 07777) != e->mode)
printf(" permissions %04o", (int)(stb.st_mode & 07777));
putchar(')');
putchar('\n');
if (!set)
continue;
fd = -1;
if (S_ISDIR(stb.st_mode))
{
fd = open(e->file, O_RDONLY|O_DIRECTORY|O_NONBLOCK|O_NOFOLLOW);
if (fd == -1)
{
perror(e->file);
errors++;
continue;
}
}
else if (S_ISREG(stb.st_mode))
{
fd = open(e->file, O_RDONLY|O_NONBLOCK|O_NOFOLLOW);
if (fd == -1)
{
perror(e->file);
errors++;
continue;
}
if (fstat(fd, &stb2))
continue;
if (stb.st_mode != stb2.st_mode || stb.st_nlink != stb2.st_nlink || stb.st_dev != stb2.st_dev || stb.st_ino != stb2.st_ino)
{
fprintf(stderr, "%s: too fluctuating\n", e->file);
errors++;
continue;
}
if (stb.st_nlink > 1 && !safepath(e->file, 0, 0))
{
fprintf(stderr, "%s: on an insecure path\n", e->file);
errors++;
continue;
}
else if (e->mode & 06000)
{
/* extra checks for s-bits */
if (!safepath(e->file, (e->mode & 02000) == 0 ? uid : 0, (e->mode & 04000) == 0 ? gid : 0))
{
fprintf(stderr, "%s: will not give away s-bits on an insecure path\n", e->file);
errors++;
continue;
}
}
}
else if (strncmp(e->file, "/dev/", 4) != 0)
{
fprintf(stderr, "%s: don't know what to do with that type of file\n", e->file);
errors++;
continue;
}
if (euid == 0 && (stb.st_uid != uid || stb.st_gid != gid))
{
if (fd >= 0)
r = fchown(fd, uid, gid);
else
r = chown(e->file, uid, gid);
if (r)
{
fprintf(stderr, "%s: chown: %s\n", e->file, strerror(errno));
errors++;
}
if (fd >= 0)
r = fstat(fd, &stb);
else
r = lstat(e->file, &stb);
if (r)
{
fprintf(stderr, "%s: too fluctuating\n", e->file);
errors++;
continue;
}
}
if ((stb.st_mode & 07777) != e->mode)
{
if (fd >= 0)
r = fchmod(fd, e->mode);
else
r = chmod(e->file, e->mode);
if (r)
{
fprintf(stderr, "%s: chmod: %s\n", e->file, strerror(errno));
errors++;
}
}
if (fd >= 0)
close(fd);
}
if (errors)
{
fprintf(stderr, "ERROR: not all operations were successful.\n");
exit(1);
}
exit(0);
}

1
get_version_number.sh Normal file
View File

@ -0,0 +1 @@
get_date_version_string `find_newest_file *.*`

183
permissions Normal file
View File

@ -0,0 +1,183 @@
# /etc/permissions
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2001
#
# This file is used by SuSEconfig and chkstat to check or set the modes
# and ownerships of files and directories in the installation.
#
# There is a set of files with similar meaning in a SuSE installation:
# /etc/permissions (This file)
# /etc/permissions.easy
# /etc/permissions.secure
# /etc/permissions.paranoid
# /etc/permissions.local
# Please see the respective files for their meaning.
#
#
# Format:
# <file> <owner>:<group> <permission>
#
# How it works:
# Change the entries as you like, then call
# `chkstat -set /etc/permissions´ or /etc/permissions.{easy,secure,paranoid}
# respectively, or call `SuSEconfig´ as yast do after they think
# that files have been modified in the system.
#
# SuSEconfig will use the files /etc/permissions and the ones ending
# in what the variable PERMISSION_SECURITY from
# /etc/sysconfig/security contains. By default, these are the files
# /etc/permissions, /etc/permissions.easy and /etc/permissions.local
# for local changes by the admin. In addition, the directory
# /etc/permissions.d/ can contain permission files that belong to
# the packages they modify file modes for. These permission files
# are to switch between conflicting file modes of the same file
# paths in different packages (popular example: sendmail and
# postfix, path /usr/sbin/sendmail).
#
# SuSEconfig's usage of the chkstat program can be turned off completely
# by setting CHECK_PERMISSIONS to "warn" in /etc/sysconfig/security.
#
# /etc/permissions is kept to the bare minimum. File modes that differ
# from the settings in this file should be considered broken.
#
# Please see the headers of the files
# /etc/permissions.easy
# /etc/permissions.secure
# /etc/permissions.paranoid
# as well as
# /etc/permissions.local
# for more information about their particular meaning and their setup.
#
# root directories:
#
/ root:root 755
/root root:root 700
/tmp root:root 1777
/tmp/.X11-unix/ root:root 1777
/tmp/.ICE-unix/ root:root 1777
/dev root:root 755
/bin root:root 755
/sbin root:root 755
/lib root:root 755
/etc root:root 755
/home root:root 755
/boot root:root 755
/opt root:root 755
/usr root:root 755
#
# /var:
#
/var/tmp root:root 1777
/var/tmp/vi.recover/ root:root 1777
/var/log root:root 755
/var/spool root:root 755
/var/spool/atjobs at:at 700
/var/spool/atjobs/.SEQ at:at 600
/var/spool/atjobs/.lockfile at:at 600
/var/spool/atspool at:at 700
/var/spool/cron root:root 700
/var/spool/mqueue root:root 700
/var/spool/news news:news 775
/var/spool/uucp uucp:uucp 755
/var/spool/voice root:root 755
/var/spool/mail root:root 1777
/var/adm root:root 755
/var/adm/backup root:root 700
/var/cache root:root 755
/var/cache/fonts root:root 1777
/var/cache/man man:root 755
/var/yp root:root 755
/var/run/nscd/socket root:root 666
/var/run/sudo root:root 700
#
# log files that do not grow remarkably
#
/var/log/faillog root:root 600
# This file is not writeable by gid tty so that the information
# therein can be trusted.
/var/log/lastlog root:tty 644
#
# some device files
#
/dev/zero root:root 666
/dev/null root:root 666
/dev/full root:root 622
/dev/ip root:root 660
/dev/initrd root:disk 660
/dev/kmem root:kmem 640
#
# /etc
#
/etc/lilo.conf root:root 600
/etc/passwd root:root 644
/etc/shadow root:shadow 640
/etc/init.d root:root 755
/etc/HOSTNAME root:root 644
/etc/hosts root:root 644
# Changing the hosts_access(5) files causes trouble with services
# that do not run as root!
/etc/hosts.allow root:root 644
/etc/hosts.deny root:root 644
/etc/hosts.equiv root:root 644
/etc/hosts.lpd root:root 644
/etc/ld.so.conf root:root 644
/etc/ld.so.cache root:root 644
/etc/opiekeys root:root 600
/etc/smpppd.conf root:root 600
/etc/smpppd-c.conf root:dialout 640
/var/run/smpppd root:dialout 750
/etc/ppp root:dialout 750
/etc/ppp/chap-secrets root:root 600
/etc/ppp/pap-secrets root:root 600
# sysconfig files:
/etc/sysconfig/network/providers root:root 700
# utempter
/usr/sbin/utempter root:tty 2755
# changing the global ssh client configuration makes it unreadable
# and therefore useless. Keep in mind that users can bring their own client!
/etc/ssh/ssh_host_key root:root 600
/etc/ssh/ssh_host_key.pub root:root 644
/etc/ssh/ssh_config root:root 644
/etc/ssh/sshd_config root:root 640
#
# legacy
#
# don't set the setuid bit on suidperl! Set it on sperl instead if
# you really need it as suidperl is a hardlink to perl nowadays.
/usr/bin/suidperl root:root 755
# cdrecord does not need to be setuid root as it uses resmgr for
# accessing the devices. Access to that one can be configured in
# /etc/resmgr.conf
/usr/bin/cdrecord root:root 755
# new traceroute program by Olaf Kirch does not need setuid root any more.
/usr/sbin/traceroute root:root 755
# netatalk printer daemon: sgid not needed any more with cups.
/usr/sbin/papd root:lp 0755
# safe as long as we don't change files below it (#103186)
/var/games/ games:games 0775
# No longer common. Set setuid bit yourself if you need it
# (#66191)
#/usr/bin/ziptool root:trusted 4750

728
permissions.changes Normal file
View File

@ -0,0 +1,728 @@
-------------------------------------------------------------------
Mon Nov 13 11:40:32 CET 2006 - lnussel@suse.de
- remove khc_indexbuilder (#188192)
-------------------------------------------------------------------
Mon Oct 16 16:08:06 CEST 2006 - lnussel@suse.de
- add zypp patch checking helper (#211286)
-------------------------------------------------------------------
Wed Aug 23 09:59:37 CEST 2006 - lnussel@suse.de
- /usr/X11R6 -> /usr
- remove obsolete entries for xmris,pcmcia-cardinfo,geki2,vmware,nicimud
-------------------------------------------------------------------
Thu Aug 17 14:27:17 CEST 2006 - cthiel@suse.de
- change paths for v4l-conf from /usr/X11R6/bin to /usr/bin
-------------------------------------------------------------------
Thu Jul 20 16:32:35 CEST 2006 - sndirsch@suse.de
- Xorg moved from /usr/X11R6/bin to /usr/bin; fixes build of
xorg-x11-server package
-------------------------------------------------------------------
Tue Jun 27 08:21:00 CEST 2006 - lnussel@suse.de
- remove setuid bit on gpg (#137562)
-------------------------------------------------------------------
Fri May 19 15:48:04 CEST 2006 - lnussel@suse.de
- add get_printing_ticket in order to enable smb printing with
kerberos authentication (#177114)
-------------------------------------------------------------------
Wed May 17 11:42:30 CEST 2006 - lnussel@suse.de
- add setuid bit to gnomesu-pam-backend in level secure (#175616)
-------------------------------------------------------------------
Thu Feb 23 18:27:24 CET 2006 - schwab@suse.de
- /usr/lib/ia32el/suid_libia32x.so renamed to suid_ia32x_loader.
-------------------------------------------------------------------
Wed Jan 25 21:30:49 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Mon Jan 16 13:57:03 CET 2006 - meissner@suse.de
- removed pmount, pumount.
- moved pmpost to /usr/lib/pcp/pmpost.
-------------------------------------------------------------------
Thu Dec 15 16:06:44 CET 2005 - lnussel@suse.de
- /opt/kde3/bin/fileshareset -> /usr/bin/fileshareset
-------------------------------------------------------------------
Fri Dec 9 19:57:11 CET 2005 - meissner@suse.de
- temporary only setuid bit for pmount and pumount. #135792
-------------------------------------------------------------------
Wed Nov 23 09:22:05 CET 2005 - lnussel@suse.de
- add /usr/bin/fusermount (#133657)
-------------------------------------------------------------------
Mon Nov 21 09:32:56 CET 2005 - lnussel@suse.de
- remove Xwrapper, it's a symlink nowadays (#134611)
-------------------------------------------------------------------
Wed Nov 2 22:31:11 CET 2005 - dmueller@suse.de
- don't build as root
-------------------------------------------------------------------
Thu Oct 13 13:22:49 CEST 2005 - meissner@suse.de
- nici moved to /var/opt/novell/...
-------------------------------------------------------------------
Tue Oct 11 17:34:40 CEST 2005 - meissner@suse.de
- Temporary added setuid binary from "nici" (Novell I? Crypto Interface),
bug #127545.
-------------------------------------------------------------------
Fri Sep 30 13:28:00 CEST 2005 - lnussel@suse.de
- add slashes to several directories (#103186)
- change /var/games to games:games 775 again (#103186)
-------------------------------------------------------------------
Tue Aug 30 09:23:08 CEST 2005 - lnussel@suse.de
- remove kpopup helper (#100132)
-------------------------------------------------------------------
Thu Aug 25 15:17:57 CEST 2005 - lnussel@suse.de
- add /opt/gnome/sbin/change-passwd (#104993)
-------------------------------------------------------------------
Thu Aug 11 11:01:36 CEST 2005 - lnussel@suse.de
- remove xmcd (#104040)
- add suexec2 from apache2 (#66304)
- add exim (#66306)
-------------------------------------------------------------------
Thu Aug 11 08:55:45 CEST 2005 - lnussel@suse.de
- remove /opt/gnome/bin/iagno (#103844)
-------------------------------------------------------------------
Wed Aug 10 17:34:36 CEST 2005 - lnussel@suse.de
- remove xbl (#103762)
- clean up bsd games list (#103785)
- remove score files as they are the same in all levels anyways
-------------------------------------------------------------------
Wed Aug 10 10:53:31 CEST 2005 - lnussel@suse.de
- change /var/games{,/xsok} to root:root (#103186)
-------------------------------------------------------------------
Fri Aug 5 08:38:22 CEST 2005 - lnussel@suse.de
- /usr/sbin/isdnctrl -> /sbin/isdnctrl (#100750)
-------------------------------------------------------------------
Tue Aug 2 16:00:09 CEST 2005 - lnussel@suse.de
- remove kde games again. Turned out they don't work as intended.
-------------------------------------------------------------------
Tue Aug 2 11:59:41 CEST 2005 - lnussel@suse.de
- cardctl -> pccardctl (#100120)
-------------------------------------------------------------------
Fri Jul 22 10:34:32 CEST 2005 - lnussel@suse.de
- add setgid games to some kde games
-------------------------------------------------------------------
Wed Jun 8 14:36:57 CEST 2005 - lnussel@suse.de
- use correct gnomesu-pam-backend path
-------------------------------------------------------------------
Tue Jun 7 10:01:22 CEST 2005 - lnussel@suse.de
- add gnomesu-pam-backend (#75823)
- add lppasswd (#66305)
- make ntping 4750 root:trusted also in easy (#66211)
- add cl_status from heartbeat (#66310)
- remove unused /opt/gnome/sbin/change-passwd
-------------------------------------------------------------------
Tue May 17 00:29:21 CEST 2005 - ro@suse.de
- added /opt/gnome/sbin/change-passwd
-------------------------------------------------------------------
Mon Apr 25 16:45:30 CEST 2005 - lnussel@suse.de
- add OpenPBS permissions (#66320)
-------------------------------------------------------------------
Tue Mar 1 16:14:48 CET 2005 - lnussel@suse.de
- fix inn permissions (#67032)
- remove setuid bit from ziptool (#66191)
-------------------------------------------------------------------
Wed Feb 23 11:53:33 CET 2005 - lnussel@suse.de
- remove no longer existing files
- remove setuid plpnfsd (#66207)
- remove setuid bit from dga program
- change vmware permissions
- add /opt/kde3/bin/receivepopup (#66313)
- add /opt/kde3/bin/fileshareset (#66312)
- add /usr/bin/scmxx (#66309)
- add some missing mailman files (#66315)
- include perl script to perform some basic consistency checks
-------------------------------------------------------------------
Mon Jan 31 16:32:14 CET 2005 - meissner@suse.de
- backported security fix from SLES 9 branch. #43035
-------------------------------------------------------------------
Sat Jan 15 20:40:04 CET 2005 - schwab@suse.de
- Comment fixes.
-------------------------------------------------------------------
Mon Nov 22 21:02:36 CET 2004 - sndirsch@suse.de
- permissions.secure: set Xorg to 0711 (4711 before)
-------------------------------------------------------------------
Wed Nov 10 15:07:02 CET 2004 - ro@suse.de
- /var/cache/fonts to 1777 (as in tetex perms before)
-------------------------------------------------------------------
Mon Nov 8 14:37:25 CET 2004 - kukuk@suse.de
- Add nscd socket to permissions file
-------------------------------------------------------------------
Tue Sep 14 18:50:46 CEST 2004 - ro@suse.de
- do not use rpm in SuSEconfig.permissions (#45252)
-------------------------------------------------------------------
Tue Sep 14 17:21:40 CEST 2004 - ro@suse.de
- dropped check for perl in SuSEconfig.permissions (#45252)
-------------------------------------------------------------------
Wed May 26 12:34:57 MEST 2004 - draht@suse.de
- /usr/lib/ia32el/suid_libia32x.so set to (6755,0755,0755) (#40234)
source code audit in progress (#40234) (thomas)
-------------------------------------------------------------------
Fri May 14 15:26:23 CEST 2004 - ro@suse.de
- /usr/lib/ia32el/suid_libia32x.so added to easy,secure,paranoid
(0755,0755,0755) (#40234)
-------------------------------------------------------------------
Thu Apr 15 14:16:03 CEST 2004 - sndirsch@suse.de
- XFree86 --> Xorg in permissions files
-------------------------------------------------------------------
Tue Apr 6 12:45:32 CEST 2004 - mls@suse.de
- added --root option for buildroot operation
-------------------------------------------------------------------
Mon Apr 5 15:27:52 CEST 2004 - mls@suse.de
- chkstat: fixed relative symlink chasing
- /usr/src/packages/RPMS back to 1777 in easy, as chkstat can
now handle it
-------------------------------------------------------------------
Sun Apr 4 21:30:02 CEST 2004 - mls@suse.de
- chkstat: added missing link count check and safepath() function
- chkstat: refuse to give away s-bits on insecure paths
- chkstat: bugfix: stat file again after chown, as modes may have
changed
-------------------------------------------------------------------
Fri Apr 2 17:44:08 CEST 2004 - mls@suse.de
- chkstat: re-implemented it in C to make it more secure
-------------------------------------------------------------------
Thu Apr 1 10:17:00 CEST 2004 - kukuk@suse.de
- Remove /var/lock/subsys [#37759]
- Add sticky bit to /var/lock [#37759]
-------------------------------------------------------------------
Wed Mar 24 01:13:41 MET 2004 - draht@suse.de
- make /usr/bin/gpg setuid root in easy+secure, 0755 in paranoid.
#33570.
-------------------------------------------------------------------
Tue Mar 23 19:06:18 MET 2004 - draht@suse.de
- #36741: /usr/src/packages/RPMS 1777->0755 in easy.
-------------------------------------------------------------------
Mon Mar 22 15:28:59 CET 2004 - kukuk@suse.de
- Fix syntax error in permission.easy
- /usr/bin/ssh should be always 0755
-------------------------------------------------------------------
Fri Feb 13 12:09:14 MET 2004 - draht@suse.de
- /var/run/uscreens (root:root 1777) added
-------------------------------------------------------------------
Thu Feb 12 14:18:55 CET 2004 - kukuk@suse.de
- Don't modify group of crontab and at useless
-------------------------------------------------------------------
Fri Jan 9 23:17:42 CET 2004 - kukuk@suse.de
- Add RPM directory for hppa2.0
-------------------------------------------------------------------
Fri Nov 21 01:02:32 CET 2003 - ro@suse.de
- fpexec decrease go rights to 11
-------------------------------------------------------------------
Wed Nov 5 00:12:41 CET 2003 - ro@suse.de
- inn scripts: u-w (not needed)
-------------------------------------------------------------------
Mon Nov 3 13:08:38 CET 2003 - schwab@suse.de
- chkstat: fix option parsing.
-------------------------------------------------------------------
Wed Oct 29 09:18:20 CET 2003 - kukuk@suse.de
- Sync permissions for shadow package
-------------------------------------------------------------------
Tue Oct 28 16:24:10 CET 2003 - ro@suse.de
- require /sbin/SuSEconfig
-------------------------------------------------------------------
Tue Oct 28 16:06:42 CET 2003 - ro@suse.de
- chkstat: added some new extensions:
allow specifying singular files or a filelist to be checked
output previous/current mode of a failed file
adapted manpage
-------------------------------------------------------------------
Tue Oct 21 19:40:33 MEST 2003 - draht@suse.de
- permissions.secure: /etc/ftpusers 0640 root.root -> 0644
-------------------------------------------------------------------
Mon Oct 20 18:07:29 CEST 2003 - ro@suse.de
- permissions.*: use ":" and not "." to separate user/group
- chkstat: output also which of (permissions/owner) is wrong
- chkstat: don't try to chown if not root
-------------------------------------------------------------------
Tue Oct 14 16:06:06 MEST 2003 - draht@suse.de
- reformatting of all 4 permissions files. xkobo, rocksndiamonds,
xlogical, lbreakout2 and ltris path adoptions.
for future reference: :-)
for i in permissions permissions.easy permissions.secure
permissions.paranoid; do cat $i | \
awk '/^(#|$)/ { print $0; next; }
{ if(NF > 3) {printf("error: %s\n",$0);exit};
printf("%-55s %-17s %4s\n",$1,$2,$3)}' \
> $i.. && mv $i.. $i; done
-------------------------------------------------------------------
Thu Sep 18 16:05:54 CEST 2003 - kukuk@suse.de
- Fix group of straps, popauth and ntping
- Remove some GNOME games which do not need special rights anymore
-------------------------------------------------------------------
Tue Sep 16 22:34:41 CEST 2003 - kukuk@suse.de
- permissions.easy: change group of bing, vboxbeep, plpnfsd to
trusted, majordomo/wrapper to daemon
-------------------------------------------------------------------
Tue Sep 16 11:39:04 CEST 2003 - kukuk@suse.de
- permissions.easy: change group of gpasswd and ziptool to trusted
-------------------------------------------------------------------
Tue Sep 2 17:11:52 CEST 2003 - kkeil@suse.de
- fix user fax for hylafax specific files
-------------------------------------------------------------------
Tue Sep 2 08:47:35 CEST 2003 - kukuk@suse.de
- fix path to cons.saver, remove setuid bit in paranoid (#25907)
- remove screen
- remove smail (dropped years ago)
-------------------------------------------------------------------
Mon Sep 1 18:26:32 CEST 2003 - kkeil@suse.de
- fix group for isdnctrl uucp --> dialout (#28997)
-------------------------------------------------------------------
Mon Sep 1 15:06:09 MEST 2003 - draht@suse.de
- feedback@suse.de -> http://www.suse.de/feedback in all files of
the package. #29635.
-------------------------------------------------------------------
Sat Aug 23 15:54:13 CEST 2003 - sndirsch@suse.de
- added martian entries of package pachi
-------------------------------------------------------------------
Tue Aug 19 11:48:29 CEST 2003 - mmj@suse.de
- Add sysconfig metadata [#28937]
-------------------------------------------------------------------
Tue Jul 29 19:12:03 MEST 2003 - draht@suse.de
- fax changes from Tomas Crhak: faxq-helper and spool directories.
-------------------------------------------------------------------
Tue Jul 29 14:08:49 CEST 2003 - ro@suse.de
- gnome games moved back to /opt/gnome
-------------------------------------------------------------------
Mon Jul 28 16:56:27 CEST 2003 - kukuk@suse.de
- Remove /var/run from permissions file list [Bug #28289]
-------------------------------------------------------------------
Mon Jul 28 08:47:31 CEST 2003 - kukuk@suse.de
- /var/lib/gdm: Removed to solve [Bug #28257] for future products.
-------------------------------------------------------------------
Fri Jul 25 15:28:10 MEST 2003 - draht@suse.de
- /usr/lib/vte/gnome-pty-helper -> /opt/gnome/lib/vte/gnome-pty-helper
The same with /opt/gnome/lib64/.
-------------------------------------------------------------------
Fri Jun 13 09:11:40 CEST 2003 - kukuk@suse.de
- /usr/lib/mgetty+sendfax/faxq-helper added 4711 in easy and secure
-------------------------------------------------------------------
Fri May 2 11:42:47 CEST 2003 - sndirsch@suse.de
- added /usr/games/pachi and /var/games/pachi.scores
-------------------------------------------------------------------
Mon Mar 10 15:46:45 CET 2003 - sndirsch@suse.de
- added /usr/games/falconseye.bin
- removed /usr/games/falconseye
-------------------------------------------------------------------
Mon Mar 10 10:45:30 CET 2003 - kukuk@suse.de
- added /usr/lib64/vte/gnome-pty-helper until ported to utempter
-------------------------------------------------------------------
Sun Mar 9 01:15:10 CET 2003 - sndirsch@suse.de
- added /usr/games/falconseye
- removed old falconseye entries
-------------------------------------------------------------------
Thu Mar 6 23:58:24 CET 2003 - ro@suse.de
- added /usr/lib/vte/gnome-pty-helper until ported to utempter
-------------------------------------------------------------------
Thu Feb 20 11:22:35 CET 2003 - mmj@suse.de
- Add sysconfig metadata [#22686]
-------------------------------------------------------------------
Tue Feb 18 16:38:12 CET 2003 - kssingvo@suse.de
- removed squid entries. They will be added and corrected to squids own
permission file /etc/permissions.d/squid (bugzilla#23752):
/var/squid
/var/squid/cache
/var/squid/logs
-------------------------------------------------------------------
Tue Feb 18 02:55:30 MET 2003 - draht@suse.de
- /usr/games/trackballs added 2755 games.games in easy.
-------------------------------------------------------------------
Sun Feb 16 17:19:29 CET 2003 - adrian@suse.de
- allow khc_indexbuilder to write into /var/cache/susehelp in easy mode
- remove old entries (kreatecd and kscd)
-------------------------------------------------------------------
Mon Feb 10 01:37:01 MET 2003 - draht@suse.de
- additions/changes (from #17012, Tobias Burnus):
* read all files from the commandline at once and override
entries given multiple times by the last entry
* enable option --set in addition to -set
* manpage adoptions
* call chkstat only once from SuSEconfig.permissions
-------------------------------------------------------------------
Thu Feb 6 01:52:49 CET 2003 - ro@suse.de
- /var/mtrack -> /var/lib/mtrack
-------------------------------------------------------------------
Tue Nov 19 15:16:41 CET 2002 - ro@suse.de
- zapping_setup_fb moved to /opt/gnome/sbin
-------------------------------------------------------------------
Thu Nov 14 13:44:56 CET 2002 - bg@suse.de
- added hppa to rpm subsystem in permissions files to be able to
finish autobuild
-------------------------------------------------------------------
Thu Oct 24 13:50:20 CEST 2002 - ro@suse.de
- two more nethack flavors with sgid games in easy
-------------------------------------------------------------------
Tue Sep 10 17:40:44 MEST 2002 - draht@suse.de
- cda entries below /usr/X11R6/lib/X11/xmcd removed.
index.html under /var/lib/xmcd/discog directories added
world-writeable. This is not satisfactory. New user xmcd will be
added in next release.
-------------------------------------------------------------------
Thu Sep 5 18:43:44 MEST 2002 - draht@suse.de
- /usr/X11R6/lib/X11/xmcd/bin-Linux-ia64/{cda,xmcd} added.
-------------------------------------------------------------------
Mon Aug 26 17:22:29 MEST 2002 - draht@suse.de
- removed all occurrences of kv4lsetup upon request by adrian+uli.
- -s for xlock, xlock-mesa + xscreensaver (#18125), (#18132)
- /usr/src/packages/RPMS/alphaev67 added.
- added /sbin/unix2_chkpwd root.shadow 2755
- -s /usr/sbin/papd (#18103)
-------------------------------------------------------------------
Wed Aug 21 16:29:43 MEST 2002 - draht@suse.de
- removed suid bits from heimdal's su and otp (#18104)
-------------------------------------------------------------------
Wed Aug 21 16:13:29 MEST 2002 - draht@suse.de
- remove setuid bit from traceroute due to new implementation by
Olaf Kirch which doesn't need euid root. (#18101)
-------------------------------------------------------------------
Wed Aug 21 14:16:47 MEST 2002 - draht@suse.de
- removed lprng entries because of conflicts cups <-> lprng
-------------------------------------------------------------------
Wed Aug 21 14:14:05 MEST 2002 - draht@suse.de
- vboxbeep -> 0755 in secure.
-------------------------------------------------------------------
Mon Aug 19 15:27:09 CEST 2002 - ro@suse.de
- added prereq (#17956)
-------------------------------------------------------------------
Mon Aug 19 13:45:43 CEST 2002 - uli@suse.de
- added nethack for lib64 archs
-------------------------------------------------------------------
Mon Aug 19 12:32:56 CEST 2002 - uli@suse.de
- added xmcd for archs != i386
-------------------------------------------------------------------
Tue Aug 13 13:48:05 MEST 2002 - draht@suse.de
- gnome-games2 entries changed/adopted to /opt/gnome2 path.
-------------------------------------------------------------------
Tue Aug 13 13:30:30 CEST 2002 - draht@suse.de
- changed kcheckpass from 2755 root.shadow to 4755. (#17664)
-------------------------------------------------------------------
Wed Jul 31 07:55:06 CEST 2002 - olh@suse.de
- ncpmount, ncpumount, nwsfind, ncplogin, ncpmap root.trusted 4750
-------------------------------------------------------------------
Sat Jul 27 13:19:26 CEST 2002 - kukuk@suse.de
- Rename group wwwadmin to www
- Rename group game to games
-------------------------------------------------------------------
Tue Jul 23 12:54:24 MEST 2002 - draht@suse.de
- added sapdb files, not setuid root in secure,paranoid.
-------------------------------------------------------------------
Mon Jul 22 18:26:43 MEST 2002 - draht@suse.de
- added frontpage files
-------------------------------------------------------------------
Tue Jul 16 15:18:14 MEST 2002 - draht@suse.de
- changed entries for mailman: group mdom -> mailman
-------------------------------------------------------------------
Tue Jul 16 03:51:29 MEST 2002 - draht@suse.de
- mailman sgid mdom files added to easy, secure and paranoid.
-------------------------------------------------------------------
Wed Jul 10 14:33:50 MEST 2002 - draht@suse.de
- .paranoid comment fixed about at and cron (#12159)
-------------------------------------------------------------------
Mon Jul 8 17:24:21 MEST 2002 - draht@suse.de
- ppp dialup networking fixes and cleanup.
-------------------------------------------------------------------
Mon Jul 8 15:56:23 MEST 2002 - draht@suse.de
- modifications: -s for pppd, world-writeable directories for
kdemultimedia3-sound, gift, mips and armv4l RPMS directory.
-------------------------------------------------------------------
Fri Jul 5 21:13:08 CEST 2002 - kukuk@suse.de
- Add /usr/src/packages/RPMS/sparcv9 to easy,secure,paranoid.
-------------------------------------------------------------------
Thu Jul 4 16:26:47 MEST 2002 - draht@suse.de
- /usr/lib64/pt_chown added to easy,secure,paranoid.
-------------------------------------------------------------------
Mon Jul 1 19:56:10 MEST 2002 - draht@suse.de
- entries for packages added or changed:
squid
geki2
d1x
falconseye
fdutils
gewels
gnome-games
heimdal
lbreakout
lpdfilter
lprng
man
mgetty (/var/spool/fax/outgoing/* need discussion)
mtrack (locfile+satfile -> 0644)
nethack
nvi-m17n (/var/preserve/vi.recover -> 1777)
opie (/bin -> /usr/bin)
pcp
plptools
qpopper
rp-pppoe (/usr/sbin/pppoe-wrapper)
smpppd (/usr/sbin/cinternet-wwwrun wwwrun.dialout 2750)
squid (/usr/sbin/pam_auth)
su-wrapper
xemacs (lock directory changed again? now /var/state/xemacs and /var/lib/xemacs)
xgalaga
xmcd
xscrabble
-------------------------------------------------------------------
Mon Jul 1 01:01:10 CEST 2002 - ro@suse.de
- don't install all sources (spec file etc.)
-------------------------------------------------------------------
Fri Jun 28 14:40:07 MEST 2002 - draht@suse.de
- minor spec file change
-------------------------------------------------------------------
Fri Jun 28 12:56:43 MEST 2002 - draht@suse.de
- entries for packages added:
ftpdir
gnokii
kamplus
geki2
aaa_dir (/tmp/.ICE-unix)
-------------------------------------------------------------------
Fri Jun 28 12:56:18 MEST 2002 - draht@suse.de
- unpack tar archive in source for convenience.
-------------------------------------------------------------------
Thu Jun 27 23:05:51 CEST 2002 - olh@suse.de
- update permissions of /usr/src/packages/RPMS/<arch>
-------------------------------------------------------------------
Fri Jun 21 02:10:26 CEST 2002 - ro@suse.de
- created package as split off from aaa_base

411
permissions.easy Normal file
View File

@ -0,0 +1,411 @@
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2001
#
#
# See /etc/permissions for general hints on how to use this file.
#
# /etc/permissions.easy is set up for the use in a standalone and single-user
# installation to make things "work" out-of-the box.
# Some of the settings might be considered somewhat lax from the security
# standpoint. These aspects are handled differently in the permissions.secure
# file.
#
#
# Directories
#
# lock file for emacs
/var/lib/xemacs/lock root:root 1777
# for screen's session sockets:
/var/run/uscreens root:root 1777
#
# /etc
#
/etc/crontab root:root 644
/etc/exports root:root 644
/etc/fstab root:root 644
# we don't package it
/etc/ftpaccess root:root 644
/etc/ftpusers root:root 644
/etc/inetd.conf root:root 644
/etc/inittab root:root 644
/etc/mtab root:root 644
/etc/rmtab root:root 644
/var/lib/nfs/rmtab root:root 644
/etc/syslog.conf root:root 644
#
# suid system programs that need the suid bit to work:
#
/bin/su root:root 4755
/usr/bin/at root:trusted 4755
/usr/bin/crontab root:trusted 4755
/usr/bin/gpasswd root:shadow 4755
/usr/bin/newgrp root:root 4755
/usr/bin/passwd root:shadow 4755
/usr/bin/chfn root:shadow 4755
/usr/bin/chage root:shadow 4755
/usr/bin/chsh root:shadow 4755
/usr/bin/expiry root:shadow 4755
# the default configuration of the sudo package in SuSE distribution is to
# intimidate users.
/usr/bin/sudo root:root 4755
/usr/sbin/su-wrapper root:root 4755
# opie password system
# #66303
/usr/bin/opiepasswd root:root 4755
/usr/bin/opiesu root:root 4755
# "user" entries in /etc/fstab make mount work for non-root users:
/usr/bin/ncpmount root:trusted 4750
/usr/bin/ncpumount root:trusted 4750
# mount/umount have had their problems already:
/bin/mount root:root 4755
/bin/umount root:root 4755
/bin/eject root:audio 4755
#
# #133657
/usr/bin/fusermount root:trusted 4755
# #66203
/usr/lib/majordomo/wrapper root:daemon 4755
# glibc backwards compatibility
/usr/lib/pt_chown root:root 4755
/usr/lib64/pt_chown root:root 4755
/sbin/unix_chkpwd root:shadow 2755
/sbin/unix2_chkpwd root:shadow 2755
# qpopper
/usr/sbin/popauth pop:trusted 4755
# from the squid package
/usr/sbin/pam_auth root:shadow 2755
# still to be converted to utempter
/opt/gnome/lib/vte/gnome-pty-helper root:tty 2755
#
# mixed section:
#
#########################################################################
# rpm subsystem:
/usr/src/packages/SOURCES/ root:root 1777
/usr/src/packages/BUILD/ root:root 1777
/usr/src/packages/RPMS/ root:root 1777
/usr/src/packages/RPMS/alpha/ root:root 1777
/usr/src/packages/RPMS/alphaev56/ root:root 1777
/usr/src/packages/RPMS/alphaev67/ root:root 1777
/usr/src/packages/RPMS/alphaev6/ root:root 1777
/usr/src/packages/RPMS/arm4l/ root:root 1777
/usr/src/packages/RPMS/athlon/ root:root 1777
/usr/src/packages/RPMS/i386/ root:root 1777
/usr/src/packages/RPMS/i486/ root:root 1777
/usr/src/packages/RPMS/i586/ root:root 1777
/usr/src/packages/RPMS/i686/ root:root 1777
/usr/src/packages/RPMS/ia64/ root:root 1777
/usr/src/packages/RPMS/mips/ root:root 1777
/usr/src/packages/RPMS/ppc/ root:root 1777
/usr/src/packages/RPMS/ppc64/ root:root 1777
/usr/src/packages/RPMS/powerpc/ root:root 1777
/usr/src/packages/RPMS/powerpc64/ root:root 1777
/usr/src/packages/RPMS/s390/ root:root 1777
/usr/src/packages/RPMS/s390x/ root:root 1777
/usr/src/packages/RPMS/sparc/ root:root 1777
/usr/src/packages/RPMS/sparcv9/ root:root 1777
/usr/src/packages/RPMS/sparc64/ root:root 1777
/usr/src/packages/RPMS/x86_64/ root:root 1777
/usr/src/packages/RPMS/armv4l/ root:root 1777
/usr/src/packages/RPMS/hppa/ root:root 1777
/usr/src/packages/RPMS/hppa2.0/ root:root 1777
/usr/src/packages/RPMS/noarch/ root:root 1777
/usr/src/packages/SPECS/ root:root 1777
/usr/src/packages/SRPMS/ root:root 1777
#########################################################################
# video
/usr/bin/v4l-conf root:video 4755
/opt/gnome/sbin/zapping_setup_fb root:video 4755
# Itanium ia32 emulator
/usr/lib/ia32el/suid_ia32x_loader root:root 4755
# scotty:
# #66211
/usr/bin/ntping root:trusted 4750
# screen savers:
/usr/bin/vlock root:shadow 2755
/usr/bin/Xorg root:root 4711
/usr/bin/man root:root 4755
/usr/bin/mandb root:root 4755
# turn off write and wall by disabling sgid tty:
/usr/bin/wall root:tty 2755
/usr/bin/write root:tty 2755
# thttpd:
/usr/bin/makeweb root:www 2755
# yaps, pager software, accesses /dev/ttyS?
/usr/bin/yaps root:uucp 2755
# scmxx, tool for mobile phone, accesses /dev/ttyS?
# #66309
/usr/bin/scmxx root:uucp 2755
# ncpfs tool
/usr/bin/nwsfind root:trusted 4750
/usr/bin/ncplogin root:trusted 4750
/usr/bin/ncpmap root:trusted 4750
# lpdfilter:
# checks itself that only lp and root can call it
/usr/lib/lpdfilter/bin/runlpr root:root 4755
# pcmcia:
# Needs setuid to eject cards (#100120)
/sbin/pccardctl root:trusted 4755
# gnokii nokia cellphone software
# #66209
/usr/sbin/mgnokiidev root:uucp 4755
# pcp, performance co-pilot
# setuid root is used to write /var/log/pcp/NOTICES
# #66205
/usr/lib/pcp/pmpost root:root 4755
# mailman mailing list software
# #66315
/usr/lib/mailman/cgi-bin/admin root:mailman 2755
/usr/lib/mailman/cgi-bin/admindb root:mailman 2755
/usr/lib/mailman/cgi-bin/edithtml root:mailman 2755
/usr/lib/mailman/cgi-bin/listinfo root:mailman 2755
/usr/lib/mailman/cgi-bin/options root:mailman 2755
/usr/lib/mailman/cgi-bin/private root:mailman 2755
/usr/lib/mailman/cgi-bin/roster root:mailman 2755
/usr/lib/mailman/cgi-bin/subscribe root:mailman 2755
/usr/lib/mailman/cgi-bin/confirm root:mailman 2755
/usr/lib/mailman/cgi-bin/create root:mailman 2755
/usr/lib/mailman/cgi-bin/editarch root:mailman 2755
/usr/lib/mailman/cgi-bin/rmlist root:mailman 2755
/usr/lib/mailman/mail/mailman root:mailman 2755
# libgnomesu (#75823, #175616)
/opt/gnome/lib/libgnomesu/gnomesu-pam-backend root:root 4755
# control-center2 (#104993)
/opt/gnome/sbin/change-passwd root:root 4755
#
# cups (#66305)
#
/usr/bin/lppasswd lp:sys 4755
#
# smb printing with kerberos authentication (#177114)
#
/usr/bin/get_printing_ticket root:lp 4750
#
# networking (need root for the privileged socket)
#
/bin/ping root:root 4755
/bin/ping6 root:root 4755
/usr/bin/bing root:trusted 4755
/usr/sbin/traceroute6 root:root 4755
# mtr is linked against ncurses. For dialout only.
/usr/sbin/mtr root:dialout 4750
/usr/bin/rcp root:root 4755
/usr/bin/rlogin root:root 4755
/usr/bin/rsh root:root 4755
# OpenPBS #66320
/var/spool/pbs/spool root:root 1777
/var/spool/pbs/undelivered root:root 1777
/opt/pbs/sbin/pbs_iff root:root 4755
/opt/pbs/sbin/pbs_rcp root:root 4755
# heartbeat #66310
# cl_status needs to be allowed to connect to the heartbeat API. If the setgid
# bit is removed, one can manually add users to the haclient group instead.
/usr/bin/cl_status root:haclient 2555
# apache2
/usr/sbin/suexec2 root:root 4755
# exim
/usr/sbin/exim root:root 4755
#
# dialup networking programs
#
/usr/sbin/pppoe-wrapper root:dialout 4750
# i4l package (#100750):
/sbin/isdnctrl root:dialout 4750
# #66111
/usr/bin/vboxbeep root:trusted 4755
#
# linux text console utilities
#
# setuid needed on the text console to set the terminal content on ctrl-o
# #66112
/usr/lib/mc/cons.saver root:root 4755
#
# terminal emulators
# This and future SuSE products have support for the utempter, a small helper
# program that does the utmp/wtmp update work with the necessary rights.
# The use of utempter obsoletes the need for sgid bits on terminal emulator
# binaries. We mention screen here, but all other terminal emulators have
# moved to /etc/permissions, with modes set to 0755.
# needs setuid to access /dev/console
# framebuffer terminal emulator (japanese)
/usr/bin/jfbterm root:tty 6755
#
# kde
# (all of them are disabled in permissions.secure except for
# the helper programs)
#
# arts wrapper, normally suid root:
/opt/kde3/bin/artswrapper root:root 4755
# needs setuid root when using shadow via NIS:
# #66218
/opt/kde3/bin/kcheckpass root:shadow 4755
# This has a meaning... hmm...
/opt/kde3/bin/kdesud root:nogroup 2755
# used for getting proxy settings from dhcp
/opt/kde3/bin/kpac_dhcp_helper root:root 4755
# edits /etc/smb.conf
# #66312
/usr/bin/fileshareset root:root 4755
#
# amanda
#
/usr/sbin/amcheck root:disk 4750
/usr/lib/amanda/calcsize root:disk 4750
/usr/lib/amanda/rundump root:disk 4750
/usr/lib/amanda/planner root:disk 4750
/usr/lib/amanda/runtar root:disk 4750
/usr/lib/amanda/dumper root:disk 4750
/usr/lib/amanda/killpgrp root:disk 4750
#
# gnats
#
/usr/lib/gnats/gen-index gnats:root 4555
/usr/lib/gnats/pr-edit gnats:root 4555
/usr/lib/gnats/queue-pr gnats:root 4555
#
# news (inn)
#
# the inn start script changes it's uid to news:news. Later innstart and
# innfeed are called by this user. Those programs do not need to be called by
# anyone else, therefore the strange permissions 4554 are required for
# operation. (#67032)
#
/usr/lib/news/bin/rnews news:uucp 4550
/usr/lib/news/bin/startinnfeed root:news 4554
/usr/lib/news/bin/inndstart root:news 4554
/usr/lib/news/bin/inews news:news 2555
#
# fax
#
# faxq helper:
/usr/lib/mgetty+sendfax/faxq-helper fax:root 4711
/var/spool/fax/outgoing fax:root 1755
/var/spool/fax/outgoing/locks fax:root 0777
# TODO: package should set this permissions
/var/spool/fax/archive fax:uucp 700
/var/spool/fax/bin fax:uucp 755
/var/spool/fax/client fax:uucp 755
/var/spool/fax/config fax:uucp 755
/var/spool/fax/dev fax:uucp 755
/var/spool/fax/docq fax:uucp 700
/var/spool/fax/doneq fax:uucp 700
/var/spool/fax/etc fax:uucp 755
/var/spool/fax/info fax:uucp 755
/var/spool/fax/log fax:uucp 755
/var/spool/fax/pollq fax:uucp 700
/var/spool/fax/recvq fax:uucp 755
/var/spool/fax/sendq fax:uucp 700
/var/spool/fax/status fax:uucp 755
/var/spool/fax/tmp fax:uucp 700
#
# uucp
#
/var/spool/uucppublic root:root 1777
/usr/bin/uucp uucp:uucp 6555
/usr/bin/uuname uucp:uucp 6555
/usr/bin/uustat uucp:uucp 6555
/usr/bin/uux uucp:uucp 6555
/usr/lib/uucp/uucico uucp:uucp 6555
/usr/lib/uucp/uuxqt uucp:uucp 6555
#
# games of all kinds, toys
#
# bsd-games
/usr/games/atc games:games 2755
/usr/games/battlestar games:games 2755
/usr/games/canfield games:games 2755
/usr/games/cribbage games:games 2755
/usr/games/phantasia games:games 2755
/usr/games/robots games:games 2755
/usr/games/sail games:games 2755
/usr/games/snake games:games 2755
/usr/games/tetris-bsd games:games 2755
# Maelstrom
/usr/games/Maelstrom games:games 2755
# pachi
/usr/games/pachi games:games 2755
/usr/games/martian games:games 2755
# nethack
/usr/lib/nethack/nethack.tty games:games 2755
# chromium,
/usr/games/chromium games:games 2755
# xscrabble
/usr/games/xscrab games:games 2755
# trackballs
/usr/games/trackballs games:games 2755
# ltris
/usr/games/ltris games:games 2755
# xlogical
/usr/games/xlogical games:games 2755
# lbreakout
/usr/games/lbreakout2 games:games 2755
# xgalaga
/usr/bin/xgalaga games:games 2755
# xtetris
/usr/bin/xtetris games:games 2755
# rocksndiamonds
/usr/games/rocksndiamonds games:games 2755
# gnome-games
/opt/gnome/bin/gtali games:games 2755
/opt/gnome/bin/gnotski games:games 2755
/opt/gnome/bin/gnome-stones games:games 2755
/opt/gnome/bin/glines games:games 2755
/opt/gnome/bin/gnibbles games:games 2755
/opt/gnome/bin/gnotravex games:games 2755
/opt/gnome/bin/mahjongg games:games 2755
/opt/gnome/bin/gnometris games:games 2755
/opt/gnome/bin/gnobots2 games:games 2755
/opt/gnome/bin/gnomine games:games 2755
/opt/gnome/bin/same-gnome games:games 2755
# zypp (#211286)
/usr/sbin/zypp-checkpatches-wrapper root:root 4755

428
permissions.paranoid Normal file
View File

@ -0,0 +1,428 @@
# /etc/permissions.paranoid
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2001
#
#
# See /etc/permissions for general hints on how to use this file.
#
# /etc/permissions.paranoid is NOT designed to be used in a single-user as
# well as a multi-user installation, be it networked or not.
# Derived from /etc/permissions.secure, it has _all_ sgid and suid bits
# cleared - therefore, the system might be useable for non-privileged users
# except for simple tasks like changing passwords and such. In addition,
# some of the configuration files are not readable for world any more.
#
# Feel free to use this file as a basis of a system configuration that meets
# your understanding of "secure", for the case that you're a bit paranoid.
# Since there is no such thing as "it works" with this configuration, please
# use these settings with care. Some experience on behalf of the administrator
# is needed to have a system running flawlessly when users are present.
# In particular, all terminal emulators will not be able to write to utmp
# and wtmp any more, which renders who(1) and finger(1) useless.
#
# Please always keep in mind that your system listens on network sockets
# in the default configuration. Change this by disabling the services that
# you do not need or by restricting access to them using packet filters
# or tcp wrappers (see hosts_access(5)) to gain a higher level of security
# in your system.
#
# Directories
#
# no lock files for emacs:
/var/lib/xemacs/lock root:trusted 1775
# for screen's session sockets:
/var/run/uscreens root:trusted 1775
#
# /etc
#
/etc/crontab root:root 600
/etc/exports root:root 600
/etc/fstab root:root 600
/etc/ftpaccess root:root 600
/etc/ftpusers root:root 600
/etc/inetd.conf root:root 600
/etc/inittab root:root 600
/etc/mtab root:root 600
/etc/rmtab root:root 600
/var/lib/nfs/rmtab root:root 600
/etc/syslog.conf root:root 600
#
# suid system programs that need the suid bit to work:
#
/bin/su root:root 0755
# disable at and cron for non-root users
/usr/bin/at root:trusted 0755
/usr/bin/crontab root:trusted 0755
/usr/bin/gpasswd root:shadow 0755
/usr/bin/newgrp root:root 0755
/usr/bin/passwd root:shadow 0755
/usr/bin/chfn root:shadow 0755
/usr/bin/chage root:shadow 0755
/usr/bin/chsh root:shadow 0755
/usr/bin/expiry root:shadow 0755
# the default configuration of the sudo package in SuSE distribution is to
# intimidate users.
/usr/bin/sudo root:root 0755
/usr/sbin/su-wrapper root:root 0755
# opie password system
# #66303
/usr/bin/opiepasswd root:root 0755
/usr/bin/opiesu root:root 0755
# "user" entries in /etc/fstab make mount work for non-root users:
/usr/bin/ncpmount root:trusted 0755
/usr/bin/ncpumount root:trusted 0755
# mount/umount have had their problems already:
/bin/mount root:root 0755
/bin/umount root:root 0755
/bin/eject root:audio 0755
#
# #133657
/usr/bin/fusermount root:trusted 0755
# #66203
/usr/lib/majordomo/wrapper root:daemon 0755
# glibc backwards compatibility
/usr/lib/pt_chown root:root 0755
/usr/lib64/pt_chown root:root 0755
/sbin/unix_chkpwd root:shadow 0755
/sbin/unix2_chkpwd root:shadow 0755
# qpopper
/usr/sbin/popauth pop:trusted 0755
# from the squid package
/usr/sbin/pam_auth root:shadow 0755
# still to be converted to utempter
/opt/gnome/lib/vte/gnome-pty-helper root:tty 0755
#
# mixed section: most of it is disabled in this permissions.secure:
#
#########################################################################
# rpm subsystem:
/usr/src/packages/SOURCES/ root:root 700
/usr/src/packages/BUILD/ root:root 700
/usr/src/packages/RPMS/ root:root 700
/usr/src/packages/RPMS/alpha/ root:root 700
/usr/src/packages/RPMS/alphaev56/ root:root 700
/usr/src/packages/RPMS/alphaev67/ root:root 700
/usr/src/packages/RPMS/alphaev6/ root:root 700
/usr/src/packages/RPMS/arm4l/ root:root 700
/usr/src/packages/RPMS/athlon/ root:root 700
/usr/src/packages/RPMS/i386/ root:root 700
/usr/src/packages/RPMS/i486/ root:root 700
/usr/src/packages/RPMS/i586/ root:root 700
/usr/src/packages/RPMS/i686/ root:root 700
/usr/src/packages/RPMS/ia64/ root:root 700
/usr/src/packages/RPMS/mips/ root:root 700
/usr/src/packages/RPMS/ppc/ root:root 700
/usr/src/packages/RPMS/ppc64/ root:root 700
/usr/src/packages/RPMS/powerpc/ root:root 700
/usr/src/packages/RPMS/powerpc64/ root:root 700
/usr/src/packages/RPMS/s390/ root:root 700
/usr/src/packages/RPMS/s390x/ root:root 700
/usr/src/packages/RPMS/sparc/ root:root 700
/usr/src/packages/RPMS/sparcv9/ root:root 700
/usr/src/packages/RPMS/sparc64/ root:root 700
/usr/src/packages/RPMS/x86_64/ root:root 700
/usr/src/packages/RPMS/armv4l/ root:root 700
/usr/src/packages/RPMS/hppa/ root:root 700
/usr/src/packages/RPMS/hppa2.0/ root:root 700
/usr/src/packages/RPMS/noarch/ root:root 700
/usr/src/packages/SPECS/ root:root 700
/usr/src/packages/SRPMS/ root:root 700
#########################################################################
# video
/usr/bin/v4l-conf root:video 0755
/opt/gnome/sbin/zapping_setup_fb root:video 0755
# Itanium ia32 emulator
/usr/lib/ia32el/suid_ia32x_loader root:root 0755
#########################################################################
# scotty:
# #66211
/usr/bin/ntping root:trusted 0755
# This is not extensively tested.
/usr/bin/vlock root:shadow 0755
/usr/bin/Xorg root:root 0711
/usr/bin/man root:root 0755
/usr/bin/mandb root:root 0755
# turned off write and wall by disabling sgid tty:
/usr/bin/wall root:tty 0755
/usr/bin/write root:tty 0755
# thttpd
/usr/bin/makeweb root:www 0750
# yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp.
/usr/bin/yaps root:uucp 0755
# scmxx, tool for mobile phone, accesses /dev/ttyS?
# #66309
/usr/bin/scmxx root:uucp 0755
# ncpfs tool: trusted only
/usr/bin/nwsfind root:trusted 0750
/usr/bin/ncplogin root:trusted 0750
/usr/bin/ncpmap root:trusted 0750
# lpdfilter:
# checks itself that only lp and root can call it
/usr/lib/lpdfilter/bin/runlpr root:root 0755
# pcmcia:
# Needs setuid to eject cards (#100120)
/sbin/pccardctl root:trusted 0755
# gnokii nokia cellphone software
# #66209
/usr/sbin/mgnokiidev root:uucp 755
# pcp, performance co-pilot
# setuid root is used to write /var/log/pcp/NOTICES
# #66205
/usr/lib/pcp/pmpost root:trusted 0755
# mailman mailing list software
# #66315
/usr/lib/mailman/cgi-bin/admin root:mailman 0755
/usr/lib/mailman/cgi-bin/admindb root:mailman 0755
/usr/lib/mailman/cgi-bin/edithtml root:mailman 0755
/usr/lib/mailman/cgi-bin/listinfo root:mailman 0755
/usr/lib/mailman/cgi-bin/options root:mailman 0755
/usr/lib/mailman/cgi-bin/private root:mailman 0755
/usr/lib/mailman/cgi-bin/roster root:mailman 0755
/usr/lib/mailman/cgi-bin/subscribe root:mailman 0755
/usr/lib/mailman/cgi-bin/confirm root:mailman 0755
/usr/lib/mailman/cgi-bin/create root:mailman 0755
/usr/lib/mailman/cgi-bin/editarch root:mailman 0755
/usr/lib/mailman/cgi-bin/rmlist root:mailman 0755
/usr/lib/mailman/mail/mailman root:mailman 0755
# libgnomesu (#75823, #175616)
/opt/gnome/lib/libgnomesu/gnomesu-pam-backend root:root 0755
# control-center2 (#104993)
/opt/gnome/sbin/change-passwd root:root 0755
#
# cups (#66305)
#
/usr/bin/lppasswd lp:sys 0755
#
# smb printing with kerberos authentication (#177114)
#
/usr/bin/get_printing_ticket root:lp 0755
#
# networking (need root for the privileged socket)
#
/bin/ping root:root 0755
/bin/ping6 root:root 0755
/usr/bin/bing root:trusted 0755
/usr/sbin/traceroute6 root:root 0755
# mtr is linked against ncurses.
/usr/sbin/mtr root:dialout 0755
/usr/bin/rcp root:root 0755
/usr/bin/rlogin root:root 0755
/usr/bin/rsh root:root 0755
# OpenPBS #66320
/var/spool/pbs/spool root:root 0755
/var/spool/pbs/undelivered root:root 0755
/opt/pbs/sbin/pbs_iff root:root 0755
/opt/pbs/sbin/pbs_rcp root:root 0755
# heartbeat #66310
# cl_status needs to be allowed to connect to the heartbeat API. If the setgid
# bit is removed, one can manually add users to the haclient group instead.
/usr/bin/cl_status root:haclient 0555
# apache2
/usr/sbin/suexec2 root:root 0755
# exim
/usr/sbin/exim root:root 0755
#
# dialup networking programs
#
/usr/sbin/pppoe-wrapper root:dialout 0750
# i4l package (#100750):
/sbin/isdnctrl root:dialout 0750
# #66111
/usr/bin/vboxbeep root:trusted 0755
#
# linux text console utilities
#
# setuid needed on the text console to set the terminal content on ctrl-o
# #66112
/usr/lib/mc/cons.saver root:root 0755
#
# terminal emulators
# This and future SuSE products have support for the utempter, a small helper
# program that does the utmp/wtmp update work with the necessary rights.
# The use of utempter obsoletes the need for sgid bits on terminal emulator
# binaries. We mention screen here, but all other terminal emulators have
# moved to /etc/permissions, with modes set to 0755.
# framebuffer terminal emulator (japanese).
/usr/bin/jfbterm root:tty 0755
#
# kde
#
# arts wrapper, normally suid root:
/opt/kde3/bin/artswrapper root:root 0755
# needs setuid root when using shadow via NIS:
# #66218
/opt/kde3/bin/kcheckpass root:shadow 0755
# This has a meaning... hmm...
/opt/kde3/bin/kdesud root:nogroup 0755
# used for getting proxy settings from dhcp
/opt/kde3/bin/kpac_dhcp_helper root:root 0755
# edits /etc/smb.conf
# #66312
/usr/bin/fileshareset root:root 0755
#
# amanda
#
# Well, if you are gid disk already, you don't need these amanda binaries
# to get root.
# Anyway, we don't keep the suid bits.
/usr/sbin/amcheck root:disk 0750
/usr/lib/amanda/calcsize root:disk 0750
/usr/lib/amanda/rundump root:disk 0750
/usr/lib/amanda/planner root:disk 0750
/usr/lib/amanda/runtar root:disk 0750
/usr/lib/amanda/dumper root:disk 0750
/usr/lib/amanda/killpgrp root:disk 0750
#
# gnats
#
/usr/lib/gnats/gen-index gnats:root 0555
/usr/lib/gnats/pr-edit gnats:root 0555
/usr/lib/gnats/queue-pr gnats:root 0555
#
# news (inn)
#
# the inn start script changes it's uid to news:news. Later innstart and
# innfeed are called by this user. Those programs do not need to be called by
# anyone else, therefore the strange permissions 4554 are required for
# operation. (#67032)
#
/usr/lib/news/bin/rnews news:uucp 0555
/usr/lib/news/bin/startinnfeed root:news 0555
/usr/lib/news/bin/inndstart root:news 0555
/usr/lib/news/bin/inews news:news 0555
#
# fax
#
# restrictive, only for "trusted" group users:
# faxq helper:
/usr/lib/mgetty+sendfax/faxq-helper fax:root 0711
/var/spool/fax/outgoing fax:trusted 1770
/var/spool/fax/outgoing/locks fax:trusted 1770
# TODO: package should set this permissions
/var/spool/fax/archive fax:uucp 700
/var/spool/fax/bin fax:uucp 755
/var/spool/fax/client fax:uucp 755
/var/spool/fax/config fax:uucp 755
/var/spool/fax/dev fax:uucp 755
/var/spool/fax/docq fax:uucp 700
/var/spool/fax/doneq fax:uucp 700
/var/spool/fax/etc fax:uucp 755
/var/spool/fax/info fax:uucp 755
/var/spool/fax/log fax:uucp 755
/var/spool/fax/pollq fax:uucp 700
/var/spool/fax/recvq fax:uucp 755
/var/spool/fax/sendq fax:uucp 700
/var/spool/fax/status fax:uucp 755
/var/spool/fax/tmp fax:uucp 700
#
# uucp
#
/var/spool/uucppublic root:uucp 1770
/usr/bin/uucp uucp:uucp 0555
/usr/bin/uuname uucp:uucp 0555
/usr/bin/uustat uucp:uucp 0555
/usr/bin/uux uucp:uucp 0555
/usr/lib/uucp/uucico uucp:uucp 0555
/usr/lib/uucp/uuxqt uucp:uucp 0555
#
# games of all kinds, toys
#
# bsd-games
/usr/games/atc games:games 0755
/usr/games/battlestar games:games 0755
/usr/games/canfield games:games 0755
/usr/games/cribbage games:games 0755
/usr/games/phantasia games:games 0755
/usr/games/robots games:games 0755
/usr/games/sail games:games 0755
/usr/games/snake games:games 0755
/usr/games/tetris-bsd games:games 0755
# Maelstrom
/usr/games/Maelstrom games:games 0755
# pachi
/usr/games/pachi games:games 0755
/usr/games/martian games:games 0755
# nethack
/usr/lib/nethack/nethack.tty games:games 0755
# chromium,
/usr/games/chromium games:games 0755
# xscrabble
/usr/games/xscrab games:games 0755
# trackballs
/usr/games/trackballs games:games 0755
# ltris
/usr/games/ltris games:games 0755
# xlogical
/usr/games/xlogical games:games 0755
# lbreakout
/usr/games/lbreakout2 games:games 0755
# xgalaga
/usr/bin/xgalaga games:games 0755
# xtetris
/usr/bin/xtetris games:games 0755
# rocksndiamonds
/usr/games/rocksndiamonds games:games 0755
# gnome-games
/opt/gnome/bin/gtali games:games 0755
/opt/gnome/bin/gnotski games:games 0755
/opt/gnome/bin/gnome-stones games:games 0755
/opt/gnome/bin/glines games:games 0755
/opt/gnome/bin/gnibbles games:games 0755
/opt/gnome/bin/gnotravex games:games 0755
/opt/gnome/bin/mahjongg games:games 0755
/opt/gnome/bin/gnometris games:games 0755
/opt/gnome/bin/gnobots2 games:games 0755
/opt/gnome/bin/gnomine games:games 0755
/opt/gnome/bin/same-gnome games:games 0755
# zypp (#211286)
/usr/sbin/zypp-checkpatches-wrapper root:root 0755

453
permissions.secure Normal file
View File

@ -0,0 +1,453 @@
# /etc/permissions.secure
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2001
#
#
# See /etc/permissions for general hints on how to use this file.
#
# /etc/permissions.secure is designed for the use in a multi-user and
# networked installation. Most privileged file modes are disabled here.
# Many programs that still have their suid- or sgid-modes have had their
# security problems in the past already.
# The primary target of this configuration is to make the basic things
# such as changing passwords, the basic networking programs as well as
# some of the all-day work programs properly function for the unprivileged
# user. The dial-out packages are executable for users belonging to the
# "dialout" group - therefore, these users are to be treated "privileged".
# Packages such as (remote-) batch queueing systems, games, programs for
# the linux text console, everything linked against OOP libraries and
# most other exotic utilities are turned into unprivileged binary files
# in order for them not to cause any security problems if one or more of
# the programs turn out to have buffer overruns or otherwise locally
# exploitable programming errors.
# This file is not designed to make your system as closed and as restrictive
# as at all possible. In many cases, restricted access to a configuration
# file is of no use since the data used can be obtained from the /proc file
# system or interface configuration as well. Also, system programs such as
# /sbin/ifconfig or /sbin/route are not changed because nosey users can
# bring their own. "Security by obscurity" will add any significant
# security-related advantage to the system. Keep in mind that curiosity
# is a major motivation for your users to try to see behind the curtain.
#
# If you need the functionality of a program that usually runs as a
# privileged user, then use it as root, or, if you are not root, ask your
# system administrator for advice. In many cases, adding a user to the
# "trusted" group gives her access to the resources that are not accessible
# any more if the admin chose to select "secure" as the permissions default.
#
# Please make use of the diff program to see the differences between the
# permissions.easy and permissions.secure files if things don't work as
# they should and you suspect a permission or privilege problem.
# The word "easy" is a reference for the /etc/permissions.easy file.
#
# As usual, these settings are "suggested". If you feel so inclined,
# please feel free to change the modes in this files, but keep a log
# of your changes for future reference.
# Please always keep in mind that your system listens on network sockets
# in the default configuration. Change this by disabling the services that
# you do not need or by restricting access to them using packet filters
# or tcp wrappers (see hosts_access(5)) to gain a higher level of security
# in your system.
#
# Directories
#
# no lock files for emacs:
/var/lib/xemacs/lock root:trusted 1775
# for screen's session sockets:
/var/run/uscreens root:root 1777
#
# /etc
#
/etc/crontab root:root 600
/etc/exports root:root 644
/etc/fstab root:root 644
/etc/ftpaccess root:root 644
/etc/ftpusers root:root 644
/etc/inetd.conf root:root 644
/etc/inittab root:root 644
/etc/mtab root:root 644
/etc/rmtab root:root 644
/var/lib/nfs/rmtab root:root 644
/etc/syslog.conf root:root 600
#
# suid system programs that need the suid bit to work:
#
/bin/su root:root 4755
# disable at and cron for users that do not belnong to the group "trusted"
/usr/bin/at root:trusted 4750
/usr/bin/crontab root:trusted 4750
/usr/bin/gpasswd root:shadow 4755
/usr/bin/newgrp root:root 4755
/usr/bin/passwd root:shadow 4755
/usr/bin/chfn root:shadow 4755
/usr/bin/chage root:shadow 4755
/usr/bin/chsh root:shadow 4755
/usr/bin/expiry root:shadow 4755
# the default configuration of the sudo package in SuSE distribution is to
# intimidate users.
/usr/bin/sudo root:root 4755
/usr/sbin/su-wrapper root:root 0755
# opie password system
# #66303
/usr/bin/opiepasswd root:root 4755
/usr/bin/opiesu root:root 4755
# "user" entries in /etc/fstab make mount work for non-root users:
/usr/bin/ncpmount root:trusted 4750
/usr/bin/ncpumount root:trusted 4750
# mount/umount have had their problems already:
/bin/mount root:root 4755
/bin/umount root:root 4755
/bin/eject root:audio 4750
#
# #133657
/usr/bin/fusermount root:trusted 4750
# #66203
/usr/lib/majordomo/wrapper root:daemon 4750
# glibc backwards compatibility
/usr/lib/pt_chown root:root 4755
/usr/lib64/pt_chown root:root 4755
/sbin/unix_chkpwd root:shadow 2755
/sbin/unix2_chkpwd root:shadow 2755
# qpopper
/usr/sbin/popauth pop:trusted 4750
# from the squid package
/usr/sbin/pam_auth root:shadow 2755
# still to be converted to utempter
/opt/gnome/lib/vte/gnome-pty-helper root:tty 2755
#
# mixed section: most of it is disabled in this permissions.secure:
#
#########################################################################
# rpm subsystem:
/usr/src/packages/SOURCES/ root:root 755
/usr/src/packages/BUILD/ root:root 755
/usr/src/packages/RPMS/ root:root 755
/usr/src/packages/RPMS/alpha/ root:root 755
/usr/src/packages/RPMS/alphaev56/ root:root 755
/usr/src/packages/RPMS/alphaev67/ root:root 755
/usr/src/packages/RPMS/alphaev6/ root:root 755
/usr/src/packages/RPMS/arm4l/ root:root 755
/usr/src/packages/RPMS/athlon/ root:root 755
/usr/src/packages/RPMS/i386/ root:root 755
/usr/src/packages/RPMS/i486/ root:root 755
/usr/src/packages/RPMS/i586/ root:root 755
/usr/src/packages/RPMS/i686/ root:root 755
/usr/src/packages/RPMS/ia64/ root:root 755
/usr/src/packages/RPMS/mips/ root:root 755
/usr/src/packages/RPMS/ppc/ root:root 755
/usr/src/packages/RPMS/ppc64/ root:root 755
/usr/src/packages/RPMS/powerpc/ root:root 755
/usr/src/packages/RPMS/powerpc64/ root:root 755
/usr/src/packages/RPMS/s390/ root:root 755
/usr/src/packages/RPMS/s390x/ root:root 755
/usr/src/packages/RPMS/sparc/ root:root 755
/usr/src/packages/RPMS/sparcv9/ root:root 755
/usr/src/packages/RPMS/sparc64/ root:root 755
/usr/src/packages/RPMS/x86_64/ root:root 755
/usr/src/packages/RPMS/armv4l/ root:root 755
/usr/src/packages/RPMS/hppa/ root:root 755
/usr/src/packages/RPMS/hppa2.0/ root:root 755
/usr/src/packages/RPMS/noarch/ root:root 755
/usr/src/packages/SPECS/ root:root 755
/usr/src/packages/SRPMS/ root:root 755
#########################################################################
# video
/usr/bin/v4l-conf root:video 4750
/opt/gnome/sbin/zapping_setup_fb root:video 4750
# Itanium ia32 emulator
/usr/lib/ia32el/suid_ia32x_loader root:root 0755
# scotty:
# #66211
/usr/bin/ntping root:trusted 4750
# This is not extensively tested.
/usr/bin/vlock root:shadow 0755
/usr/bin/Xorg root:root 0711
/usr/bin/man root:root 4755
/usr/bin/mandb root:root 4755
# turned off write and wall by disabling sgid tty:
/usr/bin/wall root:tty 0755
/usr/bin/write root:tty 0755
# thttpd: sgid + executeable only for group www. Useless...
/usr/bin/makeweb root:www 2750
# yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp.
/usr/bin/yaps root:uucp 0755
# scmxx, tool for mobile phone, accesses /dev/ttyS?
# #66309
/usr/bin/scmxx root:uucp 0755
# ncpfs tool: trusted only
/usr/bin/nwsfind root:trusted 4750
/usr/bin/ncplogin root:trusted 4750
/usr/bin/ncpmap root:trusted 4750
# lpdfilter:
# checks itself that only lp and root can call it
/usr/lib/lpdfilter/bin/runlpr root:root 4755
# pcmcia:
# Needs setuid to eject cards (#100120)
/sbin/pccardctl root:trusted 4750
# gnokii nokia cellphone software
# #66209
/usr/sbin/mgnokiidev root:uucp 755
# pcp, performance co-pilot
# setuid root is used to write /var/log/pcp/NOTICES
# #66205
/usr/lib/pcp/pmpost root:trusted 4750
# mailman mailing list software
# #66315
/usr/lib/mailman/cgi-bin/admin root:mailman 2755
/usr/lib/mailman/cgi-bin/admindb root:mailman 2755
/usr/lib/mailman/cgi-bin/edithtml root:mailman 2755
/usr/lib/mailman/cgi-bin/listinfo root:mailman 2755
/usr/lib/mailman/cgi-bin/options root:mailman 2755
/usr/lib/mailman/cgi-bin/private root:mailman 2755
/usr/lib/mailman/cgi-bin/roster root:mailman 2755
/usr/lib/mailman/cgi-bin/subscribe root:mailman 2755
/usr/lib/mailman/cgi-bin/confirm root:mailman 2755
/usr/lib/mailman/cgi-bin/create root:mailman 2755
/usr/lib/mailman/cgi-bin/editarch root:mailman 2755
/usr/lib/mailman/cgi-bin/rmlist root:mailman 2755
/usr/lib/mailman/mail/mailman root:mailman 2755
# libgnomesu (#75823, #175616)
/opt/gnome/lib/libgnomesu/gnomesu-pam-backend root:root 4755
# control-center2 (#104993)
/opt/gnome/sbin/change-passwd root:root 4755
#
# cups (#66305)
#
/usr/bin/lppasswd lp:sys 4755
#
# smb printing with kerberos authentication (#177114)
#
/usr/bin/get_printing_ticket root:lp 4750
#
# networking (need root for the privileged socket)
#
/bin/ping root:root 4755
/bin/ping6 root:root 4755
/usr/bin/bing root:trusted 4750
/usr/sbin/traceroute6 root:root 4755
# mtr is linked against ncurses. no suid bit, for root only:
/usr/sbin/mtr root:dialout 0755
/usr/bin/rcp root:root 4755
/usr/bin/rlogin root:root 4755
/usr/bin/rsh root:root 4755
# OpenPBS #66320
/var/spool/pbs/spool root:root 1777
/var/spool/pbs/undelivered root:root 1777
/opt/pbs/sbin/pbs_iff root:root 4755
/opt/pbs/sbin/pbs_rcp root:root 4755
# heartbeat #66310
# cl_status needs to be allowed to connect to the heartbeat API. If the setgid
# bit is removed, one can manually add users to the haclient group instead.
/usr/bin/cl_status root:haclient 2555
# apache2
/usr/sbin/suexec2 root:root 0755
# exim
/usr/sbin/exim root:root 4755
#
# dialup networking programs
#
/usr/sbin/pppoe-wrapper root:dialout 4750
# i4l package (#100750):
/sbin/isdnctrl root:dialout 4750
# #66111
/usr/bin/vboxbeep root:trusted 0755
#
# linux text console utilities
#
# setuid needed on the text console to set the terminal content on ctrl-o
# #66112
/usr/lib/mc/cons.saver root:root 0755
#
# terminal emulators
# This and future SuSE products have support for the utempter, a small helper
# program that does the utmp/wtmp update work with the necessary rights.
# The use of utempter obsoletes the need for sgid bits on terminal emulator
# binaries. We mention screen here, but all other terminal emulators have
# moved to /etc/permissions, with modes set to 0755.
# needs setuid to access /dev/console
# framebuffer terminal emulator (japanese)
/usr/bin/jfbterm root:tty 0755
#
# kde
# (all of them are disabled in permissions.secure except for
# the helper programs)
#
# arts wrapper, normally suid root:
/opt/kde3/bin/artswrapper root:root 0755
# needs setuid root when using shadow via NIS:
# #66218
/opt/kde3/bin/kcheckpass root:shadow 4755
# This has a meaning... hmm...
/opt/kde3/bin/kdesud root:nogroup 2755
# used for getting proxy settings from dhcp
/opt/kde3/bin/kpac_dhcp_helper root:root 0755
# edits /etc/smb.conf
# #66312
/usr/bin/fileshareset root:root 0755
#
# amanda
#
# Well, if you are gid disk already, you don't need these amanda binaries
# to get root.
# Anyway, we don't keep the suid bits.
/usr/sbin/amcheck root:disk 0750
/usr/lib/amanda/calcsize root:disk 0750
/usr/lib/amanda/rundump root:disk 0750
/usr/lib/amanda/planner root:disk 0750
/usr/lib/amanda/runtar root:disk 0750
/usr/lib/amanda/dumper root:disk 0750
/usr/lib/amanda/killpgrp root:disk 0750
#
# gnats
#
/usr/lib/gnats/gen-index gnats:root 4555
/usr/lib/gnats/pr-edit gnats:root 4555
/usr/lib/gnats/queue-pr gnats:root 4555
#
# news (inn)
#
# the inn start script changes it's uid to news:news. Later innstart and
# innfeed are called by this user. Those programs do not need to be called by
# anyone else, therefore the strange permissions 4554 are required for
# operation. (#67032)
#
/usr/lib/news/bin/rnews news:uucp 4550
/usr/lib/news/bin/startinnfeed root:news 4554
/usr/lib/news/bin/inndstart root:news 4554
/usr/lib/news/bin/inews news:news 2555
#
# fax
#
# restrictive, only for "trusted" group users:
# faxq helper:
/usr/lib/mgetty+sendfax/faxq-helper fax:root 4711
/var/spool/fax/outgoing fax:root 0755
/var/spool/fax/outgoing/locks fax:root 0755
# TODO: package should set this permissions
/var/spool/fax/archive fax:uucp 700
/var/spool/fax/bin fax:uucp 755
/var/spool/fax/client fax:uucp 755
/var/spool/fax/config fax:uucp 755
/var/spool/fax/dev fax:uucp 755
/var/spool/fax/docq fax:uucp 700
/var/spool/fax/doneq fax:uucp 700
/var/spool/fax/etc fax:uucp 755
/var/spool/fax/info fax:uucp 755
/var/spool/fax/log fax:uucp 755
/var/spool/fax/pollq fax:uucp 700
/var/spool/fax/recvq fax:uucp 755
/var/spool/fax/sendq fax:uucp 700
/var/spool/fax/status fax:uucp 755
/var/spool/fax/tmp fax:uucp 700
#
# uucp
#
/var/spool/uucppublic root:uucp 1770
/usr/bin/uucp uucp:uucp 6555
/usr/bin/uuname uucp:uucp 6555
/usr/bin/uustat uucp:uucp 6555
/usr/bin/uux uucp:uucp 6555
/usr/lib/uucp/uucico uucp:uucp 6555
/usr/lib/uucp/uuxqt uucp:uucp 6555
#
# games of all kinds, toys
# all suid and sgid bits cleared.
#
# bsd-games
/usr/games/atc games:games 0755
/usr/games/battlestar games:games 0755
/usr/games/canfield games:games 0755
/usr/games/cribbage games:games 0755
/usr/games/phantasia games:games 0755
/usr/games/robots games:games 0755
/usr/games/sail games:games 0755
/usr/games/snake games:games 0755
/usr/games/tetris-bsd games:games 0755
# Maelstrom
/usr/games/Maelstrom games:games 0755
# pachi
/usr/games/pachi games:games 0755
/usr/games/martian games:games 0755
# nethack
/usr/lib/nethack/nethack.tty games:games 0755
# chromium,
/usr/games/chromium games:games 0755
# xscrabble
/usr/games/xscrab games:games 0755
# trackballs
/usr/games/trackballs games:games 0755
# ltris
/usr/games/ltris games:games 0755
# xlogical
/usr/games/xlogical games:games 0755
# lbreakout
/usr/games/lbreakout2 games:games 0755
# xgalaga
/usr/bin/xgalaga games:games 0755
# xtetris
/usr/bin/xtetris games:games 0755
# rocksndiamonds
/usr/games/rocksndiamonds games:games 0755
# gnome-games
/opt/gnome/bin/gtali games:games 0755
/opt/gnome/bin/gnotski games:games 0755
/opt/gnome/bin/gnome-stones games:games 0755
/opt/gnome/bin/glines games:games 0755
/opt/gnome/bin/gnibbles games:games 0755
/opt/gnome/bin/gnotravex games:games 0755
/opt/gnome/bin/mahjongg games:games 0755
/opt/gnome/bin/gnometris games:games 0755
/opt/gnome/bin/gnobots2 games:games 0755
/opt/gnome/bin/gnomine games:games 0755
/opt/gnome/bin/same-gnome games:games 0755
# zypp (#211286)
/usr/sbin/zypp-checkpatches-wrapper root:root 0755

434
permissions.spec Normal file
View File

@ -0,0 +1,434 @@
#
# spec file for package permissions (Version 2006.11.13)
#
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
Name: permissions
License: GNU General Public License (GPL) - all versions
Group: Productivity/Security
Autoreqprov: on
Version: 2006.11.13
Release: 1
Provides: aaa_base:/etc/permissions
Requires: /sbin/SuSEconfig
PreReq: %fillup_prereq
Summary: SUSE Linux Default Permissions
#Source: permissions.tar.bz2
Source1: SuSEconfig.permissions
Source2: chkstat.c
Source3: chkstat.8
Source4: sysconfig.security
Source5: permissions
Source6: permissions.easy
Source7: permissions.paranoid
Source8: permissions.secure
Source9: checkpermissionfiles.pl
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
This package contains specifications for permissions of specific files,
directories, and devices depending on the local security settings. The
local security setting (easy, secure, or paranoid) can be configured in
/etc/sysconfig/security.
Authors:
--------
Werner Fink <werner@suse.de>
Roman Drahtmüller <draht@suse.de>
%build
mkdir -p $RPM_BUILD_ROOT/usr/bin
gcc -Wall $RPM_OPT_FLAGS %{SOURCE2} -o $RPM_BUILD_ROOT/usr/bin/chkstat
%install
mkdir -p $RPM_BUILD_ROOT/etc
mkdir -p $RPM_BUILD_ROOT/usr/bin
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8
mkdir -p $RPM_BUILD_ROOT/sbin/conf.d
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/sbin/conf.d
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_mandir}/man8
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc
%post
%{fillup_only -n security}
%files
%defattr(-,root,root,-)
/etc/permissions*
/usr/bin/chkstat
%{_mandir}/man8/chkstat.8*
/sbin/conf.d/SuSEconfig.permissions
/var/adm/fillup-templates/sysconfig.security
%changelog -n permissions
* Mon Nov 13 2006 - lnussel@suse.de
- remove khc_indexbuilder (#188192)
* Mon Oct 16 2006 - lnussel@suse.de
- add zypp patch checking helper (#211286)
* Wed Aug 23 2006 - lnussel@suse.de
- /usr/X11R6 -> /usr
- remove obsolete entries for xmris,pcmcia-cardinfo,geki2,vmware,nicimud
* Thu Aug 17 2006 - cthiel@suse.de
- change paths for v4l-conf from /usr/X11R6/bin to /usr/bin
* Thu Jul 20 2006 - sndirsch@suse.de
- Xorg moved from /usr/X11R6/bin to /usr/bin; fixes build of
xorg-x11-server package
* Tue Jun 27 2006 - lnussel@suse.de
- remove setuid bit on gpg (#137562)
* Fri May 19 2006 - lnussel@suse.de
- add get_printing_ticket in order to enable smb printing with
kerberos authentication (#177114)
* Wed May 17 2006 - lnussel@suse.de
- add setuid bit to gnomesu-pam-backend in level secure (#175616)
* Thu Feb 23 2006 - schwab@suse.de
- /usr/lib/ia32el/suid_libia32x.so renamed to suid_ia32x_loader.
* Wed Jan 25 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
* Mon Jan 16 2006 - meissner@suse.de
- removed pmount, pumount.
- moved pmpost to /usr/lib/pcp/pmpost.
* Thu Dec 15 2005 - lnussel@suse.de
- /opt/kde3/bin/fileshareset -> /usr/bin/fileshareset
* Fri Dec 09 2005 - meissner@suse.de
- temporary only setuid bit for pmount and pumount. #135792
* Wed Nov 23 2005 - lnussel@suse.de
- add /usr/bin/fusermount (#133657)
* Mon Nov 21 2005 - lnussel@suse.de
- remove Xwrapper, it's a symlink nowadays (#134611)
* Wed Nov 02 2005 - dmueller@suse.de
- don't build as root
* Thu Oct 13 2005 - meissner@suse.de
- nici moved to /var/opt/novell/...
* Tue Oct 11 2005 - meissner@suse.de
- Temporary added setuid binary from "nici" (Novell I? Crypto Interface),
bug #127545.
* Fri Sep 30 2005 - lnussel@suse.de
- add slashes to several directories (#103186)
- change /var/games to games:games 775 again (#103186)
* Tue Aug 30 2005 - lnussel@suse.de
- remove kpopup helper (#100132)
* Thu Aug 25 2005 - lnussel@suse.de
- add /opt/gnome/sbin/change-passwd (#104993)
* Thu Aug 11 2005 - lnussel@suse.de
- remove xmcd (#104040)
- add suexec2 from apache2 (#66304)
- add exim (#66306)
* Thu Aug 11 2005 - lnussel@suse.de
- remove /opt/gnome/bin/iagno (#103844)
* Wed Aug 10 2005 - lnussel@suse.de
- remove xbl (#103762)
- clean up bsd games list (#103785)
- remove score files as they are the same in all levels anyways
* Wed Aug 10 2005 - lnussel@suse.de
- change /var/games{,/xsok} to root:root (#103186)
* Fri Aug 05 2005 - lnussel@suse.de
- /usr/sbin/isdnctrl -> /sbin/isdnctrl (#100750)
* Tue Aug 02 2005 - lnussel@suse.de
- remove kde games again. Turned out they don't work as intended.
* Tue Aug 02 2005 - lnussel@suse.de
- cardctl -> pccardctl (#100120)
* Fri Jul 22 2005 - lnussel@suse.de
- add setgid games to some kde games
* Wed Jun 08 2005 - lnussel@suse.de
- use correct gnomesu-pam-backend path
* Tue Jun 07 2005 - lnussel@suse.de
- add gnomesu-pam-backend (#75823)
- add lppasswd (#66305)
- make ntping 4750 root:trusted also in easy (#66211)
- add cl_status from heartbeat (#66310)
- remove unused /opt/gnome/sbin/change-passwd
* Tue May 17 2005 - ro@suse.de
- added /opt/gnome/sbin/change-passwd
* Mon Apr 25 2005 - lnussel@suse.de
- add OpenPBS permissions (#66320)
* Tue Mar 01 2005 - lnussel@suse.de
- fix inn permissions (#67032)
- remove setuid bit from ziptool (#66191)
* Wed Feb 23 2005 - lnussel@suse.de
- remove no longer existing files
- remove setuid plpnfsd (#66207)
- remove setuid bit from dga program
- change vmware permissions
- add /opt/kde3/bin/receivepopup (#66313)
- add /opt/kde3/bin/fileshareset (#66312)
- add /usr/bin/scmxx (#66309)
- add some missing mailman files (#66315)
- include perl script to perform some basic consistency checks
* Mon Jan 31 2005 - meissner@suse.de
- backported security fix from SLES 9 branch. #43035
* Sat Jan 15 2005 - schwab@suse.de
- Comment fixes.
* Mon Nov 22 2004 - sndirsch@suse.de
- permissions.secure: set Xorg to 0711 (4711 before)
* Wed Nov 10 2004 - ro@suse.de
- /var/cache/fonts to 1777 (as in tetex perms before)
* Mon Nov 08 2004 - kukuk@suse.de
- Add nscd socket to permissions file
* Tue Sep 14 2004 - ro@suse.de
- do not use rpm in SuSEconfig.permissions (#45252)
* Tue Sep 14 2004 - ro@suse.de
- dropped check for perl in SuSEconfig.permissions (#45252)
* Wed May 26 2004 - draht@suse.de
- /usr/lib/ia32el/suid_libia32x.so set to (6755,0755,0755) (#40234)
source code audit in progress (#40234) (thomas)
* Fri May 14 2004 - ro@suse.de
- /usr/lib/ia32el/suid_libia32x.so added to easy,secure,paranoid
(0755,0755,0755) (#40234)
* Thu Apr 15 2004 - sndirsch@suse.de
- XFree86 --> Xorg in permissions files
* Tue Apr 06 2004 - mls@suse.de
- added --root option for buildroot operation
* Mon Apr 05 2004 - mls@suse.de
- chkstat: fixed relative symlink chasing
- /usr/src/packages/RPMS back to 1777 in easy, as chkstat can
now handle it
* Sun Apr 04 2004 - mls@suse.de
- chkstat: added missing link count check and safepath() function
- chkstat: refuse to give away s-bits on insecure paths
- chkstat: bugfix: stat file again after chown, as modes may have
changed
* Fri Apr 02 2004 - mls@suse.de
- chkstat: re-implemented it in C to make it more secure
* Thu Apr 01 2004 - kukuk@suse.de
- Remove /var/lock/subsys [#37759]
- Add sticky bit to /var/lock [#37759]
* Wed Mar 24 2004 - draht@suse.de
- make /usr/bin/gpg setuid root in easy+secure, 0755 in paranoid.
[#33570].
* Tue Mar 23 2004 - draht@suse.de
- #36741: /usr/src/packages/RPMS 1777->0755 in easy.
* Mon Mar 22 2004 - kukuk@suse.de
- Fix syntax error in permission.easy
- /usr/bin/ssh should be always 0755
* Fri Feb 13 2004 - draht@suse.de
- /var/run/uscreens (root:root 1777) added
* Thu Feb 12 2004 - kukuk@suse.de
- Don't modify group of crontab and at useless
* Fri Jan 09 2004 - kukuk@suse.de
- Add RPM directory for hppa2.0
* Fri Nov 21 2003 - ro@suse.de
- fpexec decrease go rights to 11
* Wed Nov 05 2003 - ro@suse.de
- inn scripts: u-w (not needed)
* Mon Nov 03 2003 - schwab@suse.de
- chkstat: fix option parsing.
* Wed Oct 29 2003 - kukuk@suse.de
- Sync permissions for shadow package
* Tue Oct 28 2003 - ro@suse.de
- require /sbin/SuSEconfig
* Tue Oct 28 2003 - ro@suse.de
- chkstat: added some new extensions:
allow specifying singular files or a filelist to be checked
output previous/current mode of a failed file
adapted manpage
* Tue Oct 21 2003 - draht@suse.de
- permissions.secure: /etc/ftpusers 0640 root.root -> 0644
* Mon Oct 20 2003 - ro@suse.de
- permissions.*: use ":" and not "." to separate user/group
- chkstat: output also which of (permissions/owner) is wrong
- chkstat: don't try to chown if not root
* Tue Oct 14 2003 - draht@suse.de
- reformatting of all 4 permissions files. xkobo, rocksndiamonds,
xlogical, lbreakout2 and ltris path adoptions.
for future reference: :-)
for i in permissions permissions.easy permissions.secure
permissions.paranoid; do cat $i | \
awk '/^(#|$)/ { print $0; next; }
{ if(NF > 3) {printf("error: %%s\n",$0);exit};
printf("%%-55s %%-17s %%4s\n",$1,$2,$3)}' \
> $i.. && mv $i.. $i; done
* Thu Sep 18 2003 - kukuk@suse.de
- Fix group of straps, popauth and ntping
- Remove some GNOME games which do not need special rights anymore
* Tue Sep 16 2003 - kukuk@suse.de
- permissions.easy: change group of bing, vboxbeep, plpnfsd to
trusted, majordomo/wrapper to daemon
* Tue Sep 16 2003 - kukuk@suse.de
- permissions.easy: change group of gpasswd and ziptool to trusted
* Tue Sep 02 2003 - kkeil@suse.de
- fix user fax for hylafax specific files
* Tue Sep 02 2003 - kukuk@suse.de
- fix path to cons.saver, remove setuid bit in paranoid (#25907)
- remove screen
- remove smail (dropped years ago)
* Mon Sep 01 2003 - kkeil@suse.de
- fix group for isdnctrl uucp --> dialout (#28997)
* Mon Sep 01 2003 - draht@suse.de
- feedback@suse.de -> http://www.suse.de/feedback in all files of
the package. #29635.
* Sat Aug 23 2003 - sndirsch@suse.de
- added martian entries of package pachi
* Tue Aug 19 2003 - mmj@suse.de
- Add sysconfig metadata [#28937]
* Tue Jul 29 2003 - draht@suse.de
- fax changes from Tomas Crhak: faxq-helper and spool directories.
* Tue Jul 29 2003 - ro@suse.de
- gnome games moved back to /opt/gnome
* Mon Jul 28 2003 - kukuk@suse.de
- Remove /var/run from permissions file list [Bug #28289]
* Mon Jul 28 2003 - kukuk@suse.de
- /var/lib/gdm: Removed to solve [Bug #28257] for future products.
* Fri Jul 25 2003 - draht@suse.de
- /usr/lib/vte/gnome-pty-helper -> /opt/gnome/lib/vte/gnome-pty-helper
The same with /opt/gnome/lib64/.
* Fri Jun 13 2003 - kukuk@suse.de
- /usr/lib/mgetty+sendfax/faxq-helper added 4711 in easy and secure
* Fri May 02 2003 - sndirsch@suse.de
- added /usr/games/pachi and /var/games/pachi.scores
* Mon Mar 10 2003 - sndirsch@suse.de
- added /usr/games/falconseye.bin
- removed /usr/games/falconseye
* Mon Mar 10 2003 - kukuk@suse.de
- added /usr/lib64/vte/gnome-pty-helper until ported to utempter
* Sun Mar 09 2003 - sndirsch@suse.de
- added /usr/games/falconseye
- removed old falconseye entries
* Thu Mar 06 2003 - ro@suse.de
- added /usr/lib/vte/gnome-pty-helper until ported to utempter
* Thu Feb 20 2003 - mmj@suse.de
- Add sysconfig metadata [#22686]
* Tue Feb 18 2003 - kssingvo@suse.de
- removed squid entries. They will be added and corrected to squids own
permission file /etc/permissions.d/squid (bugzilla#23752):
/var/squid
/var/squid/cache
/var/squid/logs
* Tue Feb 18 2003 - draht@suse.de
- /usr/games/trackballs added 2755 games.games in easy.
* Sun Feb 16 2003 - adrian@suse.de
- allow khc_indexbuilder to write into /var/cache/susehelp in easy mode
- remove old entries (kreatecd and kscd)
* Mon Feb 10 2003 - draht@suse.de
- additions/changes (from #17012, Tobias Burnus):
* read all files from the commandline at once and override
entries given multiple times by the last entry
* enable option --set in addition to -set
* manpage adoptions
* call chkstat only once from SuSEconfig.permissions
* Thu Feb 06 2003 - ro@suse.de
- /var/mtrack -> /var/lib/mtrack
* Tue Nov 19 2002 - ro@suse.de
- zapping_setup_fb moved to /opt/gnome/sbin
* Thu Nov 14 2002 - bg@suse.de
- added hppa to rpm subsystem in permissions files to be able to
finish autobuild
* Thu Oct 24 2002 - ro@suse.de
- two more nethack flavors with sgid games in easy
* Tue Sep 10 2002 - draht@suse.de
- cda entries below /usr/X11R6/lib/X11/xmcd removed.
index.html under /var/lib/xmcd/discog directories added
world-writeable. This is not satisfactory. New user xmcd will be
added in next release.
* Thu Sep 05 2002 - draht@suse.de
- /usr/X11R6/lib/X11/xmcd/bin-Linux-ia64/{cda,xmcd} added.
* Mon Aug 26 2002 - draht@suse.de
- removed all occurrences of kv4lsetup upon request by adrian+uli.
- -s for xlock, xlock-mesa + xscreensaver (#18125), (#18132)
- /usr/src/packages/RPMS/alphaev67 added.
- added /sbin/unix2_chkpwd root.shadow 2755
- -s /usr/sbin/papd (#18103)
* Wed Aug 21 2002 - draht@suse.de
- removed suid bits from heimdal's su and otp (#18104)
* Wed Aug 21 2002 - draht@suse.de
- remove setuid bit from traceroute due to new implementation by
Olaf Kirch which doesn't need euid root. (#18101)
* Wed Aug 21 2002 - draht@suse.de
- removed lprng entries because of conflicts cups <-> lprng
* Wed Aug 21 2002 - draht@suse.de
- vboxbeep -> 0755 in secure.
* Mon Aug 19 2002 - ro@suse.de
- added prereq (#17956)
* Mon Aug 19 2002 - uli@suse.de
- added nethack for lib64 archs
* Mon Aug 19 2002 - uli@suse.de
- added xmcd for archs != i386
* Tue Aug 13 2002 - draht@suse.de
- gnome-games2 entries changed/adopted to /opt/gnome2 path.
* Tue Aug 13 2002 - draht@suse.de
- changed kcheckpass from 2755 root.shadow to 4755. (#17664)
* Wed Jul 31 2002 - olh@suse.de
- ncpmount, ncpumount, nwsfind, ncplogin, ncpmap root.trusted 4750
* Sat Jul 27 2002 - kukuk@suse.de
- Rename group wwwadmin to www
- Rename group game to games
* Tue Jul 23 2002 - draht@suse.de
- added sapdb files, not setuid root in secure,paranoid.
* Mon Jul 22 2002 - draht@suse.de
- added frontpage files
* Tue Jul 16 2002 - draht@suse.de
- changed entries for mailman: group mdom -> mailman
* Tue Jul 16 2002 - draht@suse.de
- mailman sgid mdom files added to easy, secure and paranoid.
* Wed Jul 10 2002 - draht@suse.de
- .paranoid comment fixed about at and cron (#12159)
* Mon Jul 08 2002 - draht@suse.de
- ppp dialup networking fixes and cleanup.
* Mon Jul 08 2002 - draht@suse.de
- modifications: -s for pppd, world-writeable directories for
kdemultimedia3-sound, gift, mips and armv4l RPMS directory.
* Fri Jul 05 2002 - kukuk@suse.de
- Add /usr/src/packages/RPMS/sparcv9 to easy,secure,paranoid.
* Thu Jul 04 2002 - draht@suse.de
- /usr/lib64/pt_chown added to easy,secure,paranoid.
* Mon Jul 01 2002 - draht@suse.de
- entries for packages added or changed:
squid
geki2
d1x
falconseye
fdutils
gewels
gnome-games
heimdal
lbreakout
lpdfilter
lprng
man
mgetty (/var/spool/fax/outgoing/* need discussion)
mtrack (locfile+satfile -> 0644)
nethack
nvi-m17n (/var/preserve/vi.recover -> 1777)
opie (/bin -> /usr/bin)
pcp
plptools
qpopper
rp-pppoe (/usr/sbin/pppoe-wrapper)
smpppd (/usr/sbin/cinternet-wwwrun wwwrun.dialout 2750)
squid (/usr/sbin/pam_auth)
su-wrapper
xemacs (lock directory changed again? now /var/state/xemacs and /var/lib/xemacs)
xgalaga
xmcd
xscrabble
* Mon Jul 01 2002 - ro@suse.de
- don't install all sources (spec file etc.)
* Fri Jun 28 2002 - draht@suse.de
- minor spec file change
* Fri Jun 28 2002 - draht@suse.de
- entries for packages added:
ftpdir
gnokii
kamplus
geki2
aaa_dir (/tmp/.ICE-unix)
* Fri Jun 28 2002 - draht@suse.de
- unpack tar archive in source for convenience.
* Thu Jun 27 2002 - olh@suse.de
- update permissions of /usr/src/packages/RPMS/<arch>
* Fri Jun 21 2002 - ro@suse.de
- created package as split off from aaa_base

0
ready Normal file
View File

25
sysconfig.security Normal file
View File

@ -0,0 +1,25 @@
## Path: System/Security/Permissions
## Description: Configuration of permissions on the system
## Type: list(set,warn,no)
## Default: set
## Config: permissions
#
# SuSEconfig can call chkstat to check permissions and ownerships for
# files and directories (using /etc/permissions).
# Setting to "set" will correct it, "warn" produces warnings, if
# something strange is found. Disable this feature with "no".
#
CHECK_PERMISSIONS="set"
## Type: string
## Default: "easy local"
#
# SuSE Linux contains two different configurations for
# chkstat. The differences can be found in /etc/permissions.secure
# and /etc/permissions.easy. If you create your own configuration
# (e.g. permissions.foo), you can enter the extension here as well.
#
# (easy/secure local foo whateveryouwant).
#
PERMISSION_SECURITY="easy local"