diff --git a/SuSEconfig.permissions b/SuSEconfig.permissions
index 30e1774..fa604d1 100644
--- a/SuSEconfig.permissions
+++ b/SuSEconfig.permissions
@@ -1,81 +1,86 @@ -#! /bin/sh -# Copyright (c) 2000-2002 SuSE Linux AG, Nuernberg, Germany. -# All rights reserved. +#! /bin/bash +# This module checks and sets file permissions +# Copyright (C) 1996-2007 SUSE Linux Products GmbH, Nuernberg, Germany. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # Author: Burchard Steinbild, 1996-97 # Bernhard Kaindl , 1999 -# Rüdiger Oertel , 2000-01 +# Rüdiger Oertel , 2000-01 +# Ludwig Nussel 2007 # -# This module checks and sets file permissions -# check if we are started as root -# only one of UID and USER must be set correctly -if test "$UID" != 0 -a "$USER" != root; then - echo "You must be root to start $0." - exit 1 -fi +. /lib/YaST/SuSEconfig.functions || exit 1 -r=$ROOT - -test -f $r/lib/YaST/SuSEconfig.functions || { - echo "ERROR - can not find $r/lib/YaST/SuSEconfig.functions!!" - echo "This should not happen. Exit..." - exit 1 -} -. $r/lib/YaST/SuSEconfig.functions - -for i in $r/etc/sysconfig/security $r/etc/sysconfig/suseconfig ; do - if test ! -f $i ; then - echo "No $i found." - exit 1 - fi - - . $i +for i in /etc/sysconfig/security /etc/sysconfig/suseconfig ; do + . $i || exit 1 done if test -n "$ENABLE_SUSECONFIG" -a "$ENABLE_SUSECONFIG" = "no" ; then - echo "SuSEconfig is disabled in $r/etc/sysconfig/suseconfig." - echo "Exit..." 
+ echo "SuSEconfig is disabled in /etc/sysconfig/suseconfig" exit 0 fi -test -z "$r" -a ! -e $r/usr/lib/YaST/.DemoMode || exit 0 +mode="" +case "$CHECK_PERMISSIONS" in + set) mode="-set" ;; + warn) ;; + no|"") exit 0 ;; + *) echo "invalid value '$CHECK_PERMISSIONS' for \$CHECK_PERMISSIONS" >&2 ;; +esac -if test -n "$CHECK_PERMISSIONS" -a \ - -x /usr/bin/chkstat ; then - PERMISSIONS_FILES="" - PACKAGE_PERMFILES=(/etc/permissions.d/*) - PACKAGE_PERMFILES=(${PACKAGE_PERMFILES[*]##*/}) - PACKAGE_PERMFILES=(${PACKAGE_PERMFILES[*]%%\.*}) - PACKS=${PACKAGE_PERMFILES[*]} - if test -n "$PACKS" ; then - test -x /usr/bin/sort && { - PACKS=`for j in $PACKS ; do echo $j ; done | /usr/bin/sort -u` - } - for i in $PACKS ; do - test -e /etc/permissions.d/$i && \ - PERMISSIONS_FILES="$PERMISSIONS_FILES /etc/permissions.d/$i" - for PERMEXT in $PERMISSION_SECURITY ; do - test -e /etc/permissions.d/$i.$PERMEXT && \ - PERMISSIONS_FILES="$PERMISSIONS_FILES /etc/permissions.d/$i.$PERMEXT" - done - done - fi - test -e /etc/permissions && \ - PERMISSIONS_FILES="$PERMISSIONS_FILES /etc/permissions" - for PERMEXT in $PERMISSION_SECURITY ; do - test -e /etc/permissions.$PERMEXT && \ - PERMISSIONS_FILES="$PERMISSIONS_FILES /etc/permissions.$PERMEXT" +# collect files that contain permission specifications +# +# 1. central fixed permissions file +files="/etc/permissions" + +# 2. central easy, secure paranoid as those are defined by SUSE +for level in $PERMISSION_SECURITY; do + case "$level" in + easy|secure|paranoid) + if [ -e /etc/permissions.$level ]; then + files="$files /etc/permissions.$level" + fi + ;; + esac +done + +# 3. 
package specific permissions +pkgfiles=(/etc/permissions.d/*) +pkgfiles=(${pkgfiles[*]##*/}) +pkgfiles=(${pkgfiles[*]%%.*}) +pkgfiles=(`for i in ${pkgfiles[@]}; do echo $i; done | /usr/bin/sort -u`) + +for file in ${pkgfiles[@]}; do + file=/etc/permissions.d/$file + [ -e $file ] && files="$files $file" + for level in $PERMISSION_SECURITY; do + [ -e $file.$level ] && files="$files $file.$level" done +done - if test "$CHECK_PERMISSIONS" = "set" ; then - /usr/bin/chkstat -set $PERMISSIONS_FILES - elif test "$CHECK_PERMISSIONS" = "warn" ; then - /usr/bin/chkstat $PERMISSIONS_FILES +# 4. central permissions files with user defined level incl 'local' +for level in $PERMISSION_SECURITY; do + case "$level" in + easy|secure|paranoid) continue ;; + esac + if [ -e /etc/permissions.$level ]; then + files="$files /etc/permissions.$level" fi +done -fi - - +/usr/bin/chkstat $mode $files diff --git a/permissions.changes b/permissions.changes index 07ac5b3..2365844 100644 --- a/permissions.changes +++ b/permissions.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Thu Feb 22 17:50:27 CET 2007 - lnussel@suse.de + +- prefer package specific permissions files over central ones + (#246252) + +------------------------------------------------------------------- +Thu Feb 22 16:51:06 CET 2007 - lnussel@suse.de + +- add /opt/kde3/bin/start_kdeinit (#203535) +- remove entries for dropped packages OpenPBS and xtetris + ------------------------------------------------------------------- Wed Jan 17 13:53:28 CET 2007 - lnussel@suse.de diff --git a/permissions.easy b/permissions.easy index ea62257..fa38b82 100644 --- a/permissions.easy +++ b/permissions.easy 
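Review bot: The `*)` arm of `case "$CHECK_PERMISSIONS"` only prints a diagnostic and falls through, so a mistyped value such as `CHECK_PERMISSIONS=sett` still reaches `/usr/bin/chkstat $mode $files` with `mode` empty and runs in warn mode, silently downgrading an administrator's request to enforce permissions into a report. I would make that arm fail closed, `*) echo "invalid value '$CHECK_PERMISSIONS' for \$CHECK_PERMISSIONS" >&2; exit 1 ;;`, so the misconfiguration is noticed instead of degraded. The four-step collection order (central fixed file, SUSE levels, package files, then user-defined levels such as local) only gives the "package specific over central" precedence the changelog describes if chkstat applies later files over earlier ones; a comment above `files="/etc/permissions"` stating that assumption, e.g. `# order matters: chkstat lets later files override earlier ones, so user-defined levels win over everything`, would keep a later edit from reshuffling the steps. Also worth checking: `pkgfiles=(${pkgfiles[*]##*/})` expands unquoted, so when /etc/permissions.d has no files the unmatched glob appears to leave a literal `*` that is then re-globbed against the current directory; `shopt -s nullglob` before the first `pkgfiles=` assignment avoids that.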
@@ -208,12 +208,6 @@ /usr/bin/rlogin root:root 4755 /usr/bin/rsh root:root 4755 -# OpenPBS #66320 -/var/spool/pbs/spool root:root 1777 -/var/spool/pbs/undelivered root:root 1777 -/opt/pbs/sbin/pbs_iff root:root 4755 -/opt/pbs/sbin/pbs_rcp root:root 4755 - # heartbeat #66310 # cl_status needs to be allowed to connect to the heartbeat API. If the setgid # bit is removed, one can manually add users to the haclient group instead. @@ -269,6 +263,9 @@ /opt/kde3/bin/kdesud root:nogroup 2755 # used for getting proxy settings from dhcp /opt/kde3/bin/kpac_dhcp_helper root:root 4755 +# used to distract the oom killer +# #203535 +/opt/kde3/bin/start_kdeinit root:root 4755 # edits /etc/smb.conf # #66312 /usr/bin/fileshareset root:root 4755 @@ -390,9 +387,6 @@ # xgalaga /usr/bin/xgalaga games:games 2755 -# xtetris -/usr/bin/xtetris games:games 2755 - # rocksndiamonds /usr/games/rocksndiamonds games:games 2755 diff --git a/permissions.paranoid b/permissions.paranoid index bffb43b..139d2f3 100644 --- a/permissions.paranoid +++ b/permissions.paranoid @@ -224,12 +224,6 @@ /usr/bin/rlogin root:root 0755 /usr/bin/rsh root:root 0755 -# OpenPBS #66320 -/var/spool/pbs/spool root:root 0755 -/var/spool/pbs/undelivered root:root 0755 -/opt/pbs/sbin/pbs_iff root:root 0755 -/opt/pbs/sbin/pbs_rcp root:root 0755 - # heartbeat #66310 # cl_status needs to be allowed to connect to the heartbeat API. If the setgid # bit is removed, one can manually add users to the haclient group instead. @@ -282,6 +276,9 @@ /opt/kde3/bin/kdesud root:nogroup 0755 # used for getting proxy settings from dhcp /opt/kde3/bin/kpac_dhcp_helper root:root 0755 +# used to distract the oom killer +# #203535 +/opt/kde3/bin/start_kdeinit root:root 0755 # edits /etc/smb.conf # #66312 /usr/bin/fileshareset root:root 0755 @@ -407,9 +404,6 @@ # xgalaga /usr/bin/xgalaga games:games 0755 -# xtetris -/usr/bin/xtetris games:games 0755 - # rocksndiamonds /usr/games/rocksndiamonds games:games 0755 
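Review bot: The new `/opt/kde3/bin/start_kdeinit root:root 4755` entry makes a KDE helper setuid root on every system using the easy profile, and the accompanying comment `# used to distract the oom killer` does not say which privileged operation the binary needs, which is exactly what a later reviewer of this list must know to decide whether the bit can be dropped. Following the style of the neighbouring entries (`# edits /etc/smb.conf` for fileshareset), I would name the privileged action and keep the bug reference, e.g. `# setuid root so it can adjust the oom killer settings of kdeinit (#203535)` — presumably that is what it does, but the wording should be confirmed against the program before committing. The other two hunks in permissions.easy are pure deletions and raise nothing.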
diff --git a/permissions.secure b/permissions.secure index 339ac6c..856f15b 100644 --- a/permissions.secure +++ b/permissions.secure @@ -246,12 +246,6 @@ /usr/bin/rlogin root:root 4755 /usr/bin/rsh root:root 4755 -# OpenPBS #66320 -/var/spool/pbs/spool root:root 1777 -/var/spool/pbs/undelivered root:root 1777 -/opt/pbs/sbin/pbs_iff root:root 4755 -/opt/pbs/sbin/pbs_rcp root:root 4755 - # heartbeat #66310 # cl_status needs to be allowed to connect to the heartbeat API. If the setgid # bit is removed, one can manually add users to the haclient group instead. @@ -307,6 +301,9 @@ /opt/kde3/bin/kdesud root:nogroup 2755 # used for getting proxy settings from dhcp /opt/kde3/bin/kpac_dhcp_helper root:root 0755 +# used to distract the oom killer +# #203535 +/opt/kde3/bin/start_kdeinit root:root 4755 # edits /etc/smb.conf # #66312 /usr/bin/fileshareset root:root 0755 @@ -432,9 +429,6 @@ # xgalaga /usr/bin/xgalaga games:games 0755 -# xtetris -/usr/bin/xtetris games:games 0755 - # rocksndiamonds /usr/games/rocksndiamonds games:games 0755 diff --git a/permissions.spec b/permissions.spec index 95101ba..dc4a811 100644 --- a/permissions.spec +++ b/permissions.spec @@ -1,5 +1,5 @@ # -# spec file for package permissions (Version 2007.1.18) +# spec file for package permissions (Version 2007.2.25) # # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -14,7 +14,7 @@ Name: permissions License: GNU General Public License (GPL) Group: Productivity/Security Autoreqprov: on -Version: 2007.1.18 +Version: 2007.2.25 Release: 1 Provides: aaa_base:/etc/permissions Requires: /sbin/SuSEconfig 
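Review bot: In permissions.secure the new `/opt/kde3/bin/start_kdeinit root:root 4755` keeps the setuid bit, while the adjacent entries in the same hunk, `/opt/kde3/bin/kpac_dhcp_helper root:root 0755` and `/usr/bin/fileshareset root:root 0755`, are the setuid-stripped versions of their 4755 counterparts in permissions.easy, and permissions.paranoid already sets start_kdeinit to 0755. If the helper really must stay root on the secure profile, a comment explaining why the secure level cannot drop it, e.g. `# setuid kept on the secure level because … (#203535)`, would make the decision auditable; otherwise 0755 here would match how the neighbouring KDE helpers are handled.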
@@ -75,7 +75,13 @@ install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc /sbin/conf.d/SuSEconfig.permissions /var/adm/fillup-templates/sysconfig.security -%changelog -n permissions +%changelog +* Thu Feb 22 2007 - lnussel@suse.de +- prefer package specific permissions files over central ones + (#246252) +* Thu Feb 22 2007 - lnussel@suse.de +- add /opt/kde3/bin/start_kdeinit (#203535) +- remove entries for dropped packages OpenPBS and xtetris * Wed Jan 17 2007 - lnussel@suse.de - make pam authentication helpers unix_chkpwd, unix2_chkpwd and pam_auth setuid root instead of setgid shadow (#216816)