5d5b938d79
- Update to version 20201008:
...
* cleanup now useless /usr/lib entries after move to /usr/libexec (bsc#1171164)
* drop (f)ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=287
2020-10-08 09:20:05 +00:00
802df35b01
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=285
2020-09-30 09:56:48 +00:00
8f56b3bee2
- Update to version 20200930:
...
* whitelist Xorg setuid-root wrapper (bsc#1175867)
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=284
2020-09-30 09:28:18 +00:00
6b2d70fbf8
- Update to version 20200909:
...
* screen: remove /run/uscreens covered by systemd-tmpfiles (bsc#1171879)
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=282
2020-09-09 10:01:23 +00:00
9d0d5227c9
- Update to version 20200904:
...
* Add /usr/libexec for cockpit-session as new path
* physlock: whitelist with tight restrictions (bsc#1175720)
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=280
2020-09-04 10:58:24 +00:00
Malte Kraus
ddf46a06b6
- Update to version 20200826:
...
* mtr-packet: stop requiring dialout group
* etc/permissions: fix mtr permission
* list_permissions: improve output format
* list_permissions: support globbing in --path argument
* list_permissions: implement simplifications suggested in PR#92
* list_permissions: new tool for better path configuration overview
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=278
2020-08-26 15:38:36 +00:00
1226549810
- Update to version 20200811:
...
* regtest: support new getcap output format in libcap-2.42
* regtest: print individual test case errors to stderr
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=276
2020-08-11 12:07:22 +00:00
8d415c2c98
- Update to version 20200727:
...
* etc/permissions: remove static /var/spool/* dirs
* etc/permissions: remove outdated entries
* etc/permissions: remove unnecessary static dirs and devices
* screen: remove now unused /var/run/uscreens
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=274
2020-07-27 12:19:56 +00:00
1490c88424
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=272
2020-07-10 09:53:12 +00:00
79548e974d
- Update to version 20200710:
...
* Revert "etc/permissions: remove entries for bind-chrootenv". This
currently conflicts with the way the CheckSUIDPermissions rpmlint-check is
implemented.
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=271
2020-07-10 09:51:12 +00:00
128acfff3a
Accepting request 819264 from home:gmbr3:Active
...
- Removed dbus-libexec.patch: contained in upstream
OBS-URL: https://build.opensuse.org/request/show/819264
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=270
2020-07-08 07:50:44 +00:00
71f7833b2a
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=269
2020-07-07 14:32:39 +00:00
af3b1d9d0a
- Update to version 20200624:
...
* rework permissions.local text (boo#1173221)
* dbus-1: adjust to new libexec dir location (bsc#1171164)
* permission profiles: reinstate kdesud for kde5
* etc/permissions: remove entries for bind-chrootenv
* etc/permissions: remove traceroute entry
* VirtualBox: remove outdated entry which is only a symlink any more
* /bin/su: remove path referring to symlink
* etc/permissions: remove legacy RPM directory entries
* /etc/permissions: remove outdated sudo directories
* singularity: remove outdated setuid-binary entries
* chromium: remove now unneeded chrome_sandbox entry (bsc#1163588)
* dbus-1: remove deprecated alternative paths
* PolicyKit: remove outdated entries last used in SLE-11
* pcp: remove no longer needed / conflicting entries
* gnats: remove entries for package removed from Factory
* kdelibs4: remove entries for package removed from Factory
* v4l-base: remove entries for package removed from Factory
* mailman: remove entries for package deleted from Factory
* gnome-pty-helper: remove dead entry no longer part of the vte package
* gnokii: remove entries for package no longer in Factory
* xawtv (v4l-conf): correct group ownership in easy profile
* systemd-journal: remove unnecessary profile entries
* thttp: make makeweb entry usable in the secure profile (bsc#1171580)
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=268
2020-07-07 14:19:17 +00:00
Malte Kraus
c23ecff997
Accepting request 815294 from home:mkraus:branches:Base:System
...
- dbus-1: adjust to new libexec dir location (bsc#1171164). This is
temporarily done through the patch in dbus-libexec.patch because
we are not completely certain of the stability of current git.
- run chkstat test suite during RPM build
OBS-URL: https://build.opensuse.org/request/show/815294
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=266
2020-06-16 16:20:27 +00:00
2c673b8f18
- Update to version 20200526:
...
* profiles: add entries for enlightenment (bsc#1171686)
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=263
2020-05-26 13:04:28 +00:00
3cb7f26448
Accepting request 807566 from home:mgerstner:branches:Base:System
...
- Update to version 20200520:
* permissions fixed profile: utempter: reinstate libexec compatibility entry
OBS-URL: https://build.opensuse.org/request/show/807566
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=262
2020-05-20 10:22:24 +00:00
Malte Kraus
b3c2250df9
Accepting request 807173 from home:mgerstner:branches:Base:System
...
- Update to version 20200519:
* chkstat: fix sign conversion warnings on 32-bit architectures
* chkstat: allow simultaneous use of `--set` and `--system`
* regtest: adjust TestUnkownOwnership test to new warning output behaviour
OBS-URL: https://build.opensuse.org/request/show/807173
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=261
2020-05-19 09:32:14 +00:00
Malte Kraus
5ae3717c19
- Update to version 20200518:
...
* whitelist texlive public binary (bsc#1171686)
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=260
2020-05-18 12:07:18 +00:00
Malte Kraus
4445ad42e7
Accepting request 805788 from home:mgerstner:branches:Base:System
...
- Update to version 20200514:
* fixed permissions: adjust to new libexec dir location (bsc#1171164)
(affects utempter path)
- Update to version 20200513:
* major rewrite of the chkstat tool
* setuid bit for cockpit (bsc#1169614)
OBS-URL: https://build.opensuse.org/request/show/805788
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=259
2020-05-18 11:33:57 +00:00
Malte Kraus
50981bbfa3
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=257
2020-05-07 10:01:14 +00:00
Malte Kraus
5e5838f434
- Update to version 20200506:
...
* add whitelist for files in /usr/lib to be also allowed in
/usr/libexec (bsc#1171164)
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=256
2020-05-07 10:00:31 +00:00
Johannes Segitz
7dcf78b266
Accepting request 787822 from home:jsegitz:branches:Base:System
...
- Update to version 20200324:
* whitelist s390-tools setgid bit on log directory (bsc#1167163)
* whitelist WMP (bsc#1161335)
* regtest: improve readability of path variables by using literals
* regtest: adjust test suite to new path locations in /usr/share/permissions
* regtest: only catch explicit FileNotFoundError
* regtest: provide valid home directory in /root
* regtest: mount permissions src repository in /usr/src/permissions
* regtest: move initialization of TestBase paths into the prepare() function
* chkstat: support new --config-root command line option
* fix spelling of icingacmd group
OBS-URL: https://build.opensuse.org/request/show/787822
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=254
2020-03-24 14:13:59 +00:00
c1a2fada58
Accepting request 780264 from home:mkraus:branches:Base:System
...
- Update to version 20200228:
* chkstat: fix readline() on platforms with unsigned char
- Update to version 20200227:
* remove capability whitelisting for radosgw
* whitelist ceph log directory (bsc#1150366)
* adjust testsuite to post CVE-2020-8013 link handling
* testsuite: add option to not mount /proc
* do not follow symlinks that are the final path element: CVE-2020-8013
* add a test for symlinked directories
* fix relative symlink handling
* include cpp compat headers, not C headers
* Move permissions and permissions.* except .local to /usr/share/permissions
* regtest: fix the static PATH list which was missing /usr/bin
* regtest: also unshare the PID namespace to support /proc mounting
* regtest: bindMount(): explicitly reject read-only recursive mounts
* Makefile: force remove upon clean target to prevent bogus errors
* regtest: by default automatically (re)build chkstat before testing
* regtest: add test for symlink targets
* regtest: make capability setting tests optional
* regtest: fix capability assertion helper logic
* regtests: add another test case that catches set*id or caps in world-writable sub-trees
* regtest: add another test that catches when privilege bits are set for special files
* regtest: add test case for user owned symlinks
* regtest: employ subuid and subgid feature in user namespace
* regtest: add another test case that covers unknown user/group config
* regtest: add another test that checks rejection of insecure mixed-owner paths
* regtest: add test that checks for rejection of world-writable paths
* regtest: add test for detection of unexpected parent directory ownership
* regtest: add further helper functions, allow access to main instance
OBS-URL: https://build.opensuse.org/request/show/780264
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=252
2020-03-02 13:50:40 +00:00
Malte Kraus
a115569e05
- Update to version 20200213:
...
* remove obsolete/broken entries for rcp/rsh/rlogin
* chkstat: handle symlinks in final path elements correctly
* Revert "Revert "mariadb: settings for new auth_pam_tool (bsc#1160285)""
* Revert "mariadb: settings for new auth_pam_tool (bsc#1160285)"
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=250
2020-02-13 12:20:20 +00:00
d9ba7c2f04
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=248
2020-02-04 12:30:29 +00:00
a4023dfa6b
- Update to version 20200204:
...
* mariadb: settings for new auth_pam_tool (bsc#1160285)
* chkstat:
- add read-only fallback when /proc is not mounted (bsc#1160764)
- capability handling fixes (bsc#1161779)
- better error message when refusing to fix dir perms (#32)
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=247
2020-02-04 12:22:39 +00:00
Malte Kraus
70de14a4ec
- Update to version 20200127:
...
* fix paths of ksysguard whitelisting
* fix zero-termination of error message for overly long paths
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=246
2020-01-27 12:02:43 +00:00
Malte Kraus
cba6c7245b
fix version
...
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=244
2019-12-05 14:37:17 +00:00
Malte Kraus
ac5efb502f
- Update to version 20191205:
...
* fix privilege escalation through untrusted symlinks (bsc#1150734,
CVE-2019-3690)
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=243
2019-12-05 14:34:56 +00:00
671dc94a75
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=242
2019-11-27 12:48:34 +00:00
5feb66e055
- Update to version 20191122:
...
* faxq-helper: correct "secure" permission for trusted group (bsc#1157498)
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=241
2019-11-27 12:48:04 +00:00
Malte Kraus
20fbab7702
- Update to version 20191118:
...
* whitelist ksysguard network helper (bsc#1151190)
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=239
2019-11-18 09:54:19 +00:00
Malte Kraus
bdb9837e95
- Update to version 20191112:
...
* fix syntax of paranoid profile
* fix squid permissions (bsc#1093414, CVE-2019-3688)
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=238
2019-11-12 12:51:22 +00:00
4e0657a187
Accepting request 734796 from home:scarabeus_iv:branches:Base:System
...
- Add || exit 0 on the scriptlet as it can actually fail in
rootless containers with podman. This makes sure the zypper
does not abort the container creation.
* the actual error looks like:
/dev/zero: chown: Operation not permitted
OBS-URL: https://build.opensuse.org/request/show/734796
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=236
2019-10-03 13:03:49 +00:00
Johannes Segitz
13d46ae0a1
Accepting request 730731 from home:jsegitz:branches:Base:System
...
- Update to version 20190913:
* setgid bit for nagios directory (bsc#1028975, bsc#1150345)
- This also restructures the sources for the permission package
OBS-URL: https://build.opensuse.org/request/show/730731
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=234
2019-09-13 13:17:47 +00:00
Malte Kraus
c9ec3a7362
- Update to version 20190830:
...
* dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)
- Update to version 20190829:
* add one more missing slash for icinga2
* fix more missing slashes for directories
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=232
2019-08-30 14:26:48 +00:00
Malte Kraus
7bd46e85c9
- Update to version 20190820:
...
* cron directory permissions: add slashes
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=231
2019-08-20 09:47:17 +00:00
Johannes Segitz
90513df40a
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=229
2019-07-12 09:23:21 +00:00
Johannes Segitz
617c5f2df9
Accepting request 714669 from home:mkraus:branches:Base:System
...
- Update to version 20190711:
* iputils: Add capability permissions for clockdiff (bsc#1140994)
OBS-URL: https://build.opensuse.org/request/show/714669
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=228
2019-07-12 09:02:35 +00:00
a83a90964a
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=227
2019-07-10 12:30:49 +00:00
6cbfeb58bb
- Update to version 20190710:
...
* iputils/ping: Drop effective capability
* iputils/ping6: Remove definitions
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=226
2019-07-10 12:30:03 +00:00
f1694e5736
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=224
2019-06-13 10:04:14 +00:00
5b398c37ea
- Update to version 20190521:
...
* singularity: Add starter-suid for version 3.2.0
* adjust settings for amanda to current binary layout
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=223
2019-06-13 08:58:09 +00:00
6d800560d0
Accepting request 707829 from home:jsegitz:branches:Base:System
...
- Move BuildRequires: back to main package
OBS-URL: https://build.opensuse.org/request/show/707829
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=222
2019-06-05 12:35:17 +00:00
c817154009
Accepting request 707806 from home:jsegitz:branches:Base:System
...
- Moved requires to subpackages (bsc#1137257)
OBS-URL: https://build.opensuse.org/request/show/707806
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=221
2019-06-05 11:28:29 +00:00
7ef24ac09f
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=219
2019-05-02 13:38:50 +00:00
9bbb7deff7
Accepting request 700150 from home:jsegitz:branches:Base:System
...
- Fixed versions. Removed set_version from _service file, doesn't
work with the new packaging. Call fix_version.sh to set current
date as version instead
- Fixed requires for -config and -zypp-plugin
OBS-URL: https://build.opensuse.org/request/show/700150
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=218
2019-05-02 13:24:27 +00:00
741577cc7c
Accepting request 699578 from home:jsegitz:branches:Base:System
...
- Update to version 20190429:
* removed entry for /var/cache/man. Conflicts with packaging and man:man is
the better setting anyway (bsc#1133678)
* fixed error in description of permissions.paranoid. Make it clear that this
is not a usable profile, but intended as a base for own developments
OBS-URL: https://build.opensuse.org/request/show/699578
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=217
2019-05-01 06:26:24 +00:00
edfc5837d1
Accepting request 693920 from home:jengelh:branches:Base:System
...
- Fix RPM group, fix hard requirement on documentation.
Update description typography.
OBS-URL: https://build.opensuse.org/request/show/693920
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=216
2019-04-15 18:37:33 +00:00
e7563d435d
Accepting request 693721 from home:jsegitz:branches:Base:System
...
- Created new subpackages -config, -doc and standalone package chkstat
where we can start a better versioning scheme and require it from the
original package
OBS-URL: https://build.opensuse.org/request/show/693721
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=215
2019-04-12 13:08:09 +00:00