#
# spec file for package permissions (Version 2007.8.9)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

# norootforbuild

Name:           permissions
License:        GPL v2 or later
Group:          Productivity/Security
Autoreqprov:    on
Version:        2007.8.9
Release:        1
Provides:       aaa_base:/etc/permissions
Requires:       /sbin/SuSEconfig
PreReq:         %fillup_prereq
Summary:        SUSE Linux Default Permissions
#Source:        permissions.tar.bz2
Source1:        SuSEconfig.permissions
Source2:        chkstat.c
Source3:        chkstat.8
Source4:        sysconfig.security
Source5:        permissions
Source6:        permissions.easy
Source7:        permissions.paranoid
Source8:        permissions.secure
Source9:        permissions.local
Source99:       checkpermissionfiles.pl
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
This package contains specifications for permissions of specific files,
directories, and devices depending on the local security settings. The
local security setting (easy, secure, or paranoid) can be configured in
/etc/sysconfig/security.

Authors:
--------
    Werner Fink
    Roman Drahtmüller

%prep

%build
gcc -Wall $RPM_OPT_FLAGS %{SOURCE2} -o chkstat

%install
mkdir -p $RPM_BUILD_ROOT/etc
mkdir -p $RPM_BUILD_ROOT%{_bindir}
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8
mkdir -p $RPM_BUILD_ROOT/sbin/conf.d
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 755 chkstat $RPM_BUILD_ROOT%{_bindir}
install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/sbin/conf.d
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_mandir}/man8
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc
install -m 644 %{SOURCE9} $RPM_BUILD_ROOT/etc

%post
%{fillup_only -n security}

%files
%defattr(-,root,root,-)
/etc/permissions
/etc/permissions.easy
/etc/permissions.secure
/etc/permissions.paranoid
%config(noreplace) /etc/permissions.local
%{_bindir}/chkstat
%{_mandir}/man8/chkstat.8*
/sbin/conf.d/SuSEconfig.permissions
/var/adm/fillup-templates/sysconfig.security

%changelog
* Wed Aug 08 2007 - lnussel@suse.de
- remove nscd socket permission handling as chkstat refuses to touch
  that file anyways (#298334).
* Tue Jun 12 2007 - schwab@suse.de
- permissions.local: Fix comment to use uid:gid instead of uid.gid.
* Fri Jun 01 2007 - lnussel@suse.de
- package /etc/permissions.local
* Wed May 30 2007 - lnussel@suse.de
- add /usr/bin/kcheckpass and /usr/bin/kdesud (#276502)
* Wed Apr 18 2007 - dmueller@suse.de
- create debuginfo package (#265667)
* Thu Feb 22 2007 - lnussel@suse.de
- prefer package specific permissions files over central ones (#246252)
* Thu Feb 22 2007 - lnussel@suse.de
- add /opt/kde3/bin/start_kdeinit (#203535)
- remove entries for dropped packages OpenPBS and xtetris
* Wed Jan 17 2007 - lnussel@suse.de
- make pam authentication helpers unix_chkpwd, unix2_chkpwd and
  pam_auth setuid root instead of setgid shadow (#216816)
* Wed Jan 10 2007 - sbrabec@suse.cz
- Prefix of /opt/gnome binaries changed to /usr.
- Removed gnome-stones.
* Mon Nov 13 2006 - lnussel@suse.de
- remove khc_indexbuilder (#188192)
* Mon Oct 16 2006 - lnussel@suse.de
- add zypp patch checking helper (#211286)
* Wed Aug 23 2006 - lnussel@suse.de
- /usr/X11R6 -> /usr
- remove obsolete entries for xmris,pcmcia-cardinfo,geki2,vmware,nicimud
* Thu Aug 17 2006 - cthiel@suse.de
- change paths for v4l-conf from /usr/X11R6/bin to /usr/bin
* Thu Jul 20 2006 - sndirsch@suse.de
- Xorg moved from /usr/X11R6/bin to /usr/bin; fixes build of
  xorg-x11-server package
* Tue Jun 27 2006 - lnussel@suse.de
- remove setuid bit on gpg (#137562)
* Fri May 19 2006 - lnussel@suse.de
- add get_printing_ticket in order to enable smb printing with
  kerberos authentication (#177114)
* Wed May 17 2006 - lnussel@suse.de
- add setuid bit to gnomesu-pam-backend in level secure (#175616)
* Thu Feb 23 2006 - schwab@suse.de
- /usr/lib/ia32el/suid_libia32x.so renamed to suid_ia32x_loader.
* Wed Jan 25 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
* Mon Jan 16 2006 - meissner@suse.de
- removed pmount, pumount.
- moved pmpost to /usr/lib/pcp/pmpost.
* Thu Dec 15 2005 - lnussel@suse.de
- /opt/kde3/bin/fileshareset -> /usr/bin/fileshareset
* Fri Dec 09 2005 - meissner@suse.de
- temporary only setuid bit for pmount and pumount. #135792
* Wed Nov 23 2005 - lnussel@suse.de
- add /usr/bin/fusermount (#133657)
* Mon Nov 21 2005 - lnussel@suse.de
- remove Xwrapper, it's a symlink nowadays (#134611)
* Wed Nov 02 2005 - dmueller@suse.de
- don't build as root
* Thu Oct 13 2005 - meissner@suse.de
- nici moved to /var/opt/novell/...
* Tue Oct 11 2005 - meissner@suse.de
- Temporary added setuid binary from "nici"
  (Novell I? Crypto Interface), bug #127545.
* Fri Sep 30 2005 - lnussel@suse.de
- add slashes to several directories (#103186)
- change /var/games to games:games 775 again (#103186)
* Tue Aug 30 2005 - lnussel@suse.de
- remove kpopup helper (#100132)
* Thu Aug 25 2005 - lnussel@suse.de
- add /opt/gnome/sbin/change-passwd (#104993)
* Thu Aug 11 2005 - lnussel@suse.de
- remove xmcd (#104040)
- add suexec2 from apache2 (#66304)
- add exim (#66306)
* Thu Aug 11 2005 - lnussel@suse.de
- remove /opt/gnome/bin/iagno (#103844)
* Wed Aug 10 2005 - lnussel@suse.de
- remove xbl (#103762)
- clean up bsd games list (#103785)
- remove score files as they are the same in all levels anyways
* Wed Aug 10 2005 - lnussel@suse.de
- change /var/games{,/xsok} to root:root (#103186)
* Fri Aug 05 2005 - lnussel@suse.de
- /usr/sbin/isdnctrl -> /sbin/isdnctrl (#100750)
* Tue Aug 02 2005 - lnussel@suse.de
- remove kde games again. Turned out they don't work as intended.
* Tue Aug 02 2005 - lnussel@suse.de
- cardctl -> pccardctl (#100120)
* Fri Jul 22 2005 - lnussel@suse.de
- add setgid games to some kde games
* Wed Jun 08 2005 - lnussel@suse.de
- use correct gnomesu-pam-backend path
* Tue Jun 07 2005 - lnussel@suse.de
- add gnomesu-pam-backend (#75823)
- add lppasswd (#66305)
- make ntping 4750 root:trusted also in easy (#66211)
- add cl_status from heartbeat (#66310)
- remove unused /opt/gnome/sbin/change-passwd
* Tue May 17 2005 - ro@suse.de
- added /opt/gnome/sbin/change-passwd
* Mon Apr 25 2005 - lnussel@suse.de
- add OpenPBS permissions (#66320)
* Tue Mar 01 2005 - lnussel@suse.de
- fix inn permissions (#67032)
- remove setuid bit from ziptool (#66191)
* Wed Feb 23 2005 - lnussel@suse.de
- remove no longer existing files
- remove setuid plpnfsd (#66207)
- remove setuid bit from dga program
- change vmware permissions
- add /opt/kde3/bin/receivepopup (#66313)
- add /opt/kde3/bin/fileshareset (#66312)
- add /usr/bin/scmxx (#66309)
- add some missing mailman files (#66315)
- include perl script to perform some basic consistency checks
* Mon Jan 31 2005 - meissner@suse.de
- backported security fix from SLES 9 branch. #43035
* Sat Jan 15 2005 - schwab@suse.de
- Comment fixes.
* Mon Nov 22 2004 - sndirsch@suse.de
- permissions.secure: set Xorg to 0711 (4711 before)
* Wed Nov 10 2004 - ro@suse.de
- /var/cache/fonts to 1777 (as in tetex perms before)
* Mon Nov 08 2004 - kukuk@suse.de
- Add nscd socket to permissions file
* Tue Sep 14 2004 - ro@suse.de
- do not use rpm in SuSEconfig.permissions (#45252)
* Tue Sep 14 2004 - ro@suse.de
- dropped check for perl in SuSEconfig.permissions (#45252)
* Wed May 26 2004 - draht@suse.de
- /usr/lib/ia32el/suid_libia32x.so set to (6755,0755,0755) (#40234)
  source code audit in progress (#40234) (thomas)
* Fri May 14 2004 - ro@suse.de
- /usr/lib/ia32el/suid_libia32x.so added to easy,secure,paranoid
  (0755,0755,0755) (#40234)
* Thu Apr 15 2004 - sndirsch@suse.de
- XFree86 --> Xorg in permissions files
* Tue Apr 06 2004 - mls@suse.de
- added --root option for buildroot operation
* Mon Apr 05 2004 - mls@suse.de
- chkstat: fixed relative symlink chasing
- /usr/src/packages/RPMS back to 1777 in easy, as chkstat can now
  handle it
* Sun Apr 04 2004 - mls@suse.de
- chkstat: added missing link count check and safepath() function
- chkstat: refuse to give away s-bits on insecure paths
- chkstat: bugfix: stat file again after chown, as modes may
  have changed
* Fri Apr 02 2004 - mls@suse.de
- chkstat: re-implemented it in C to make it more secure
* Thu Apr 01 2004 - kukuk@suse.de
- Remove /var/lock/subsys [#37759]
- Add sticky bit to /var/lock [#37759]
* Wed Mar 24 2004 - draht@suse.de
- make /usr/bin/gpg setuid root in easy+secure, 0755 in paranoid.
  [#33570].
* Tue Mar 23 2004 - draht@suse.de
- #36741: /usr/src/packages/RPMS 1777->0755 in easy.
* Mon Mar 22 2004 - kukuk@suse.de
- Fix syntax error in permission.easy
- /usr/bin/ssh should be always 0755
* Fri Feb 13 2004 - draht@suse.de
- /var/run/uscreens (root:root 1777) added
* Thu Feb 12 2004 - kukuk@suse.de
- Don't modify group of crontab and at useless
* Fri Jan 09 2004 - kukuk@suse.de
- Add RPM directory for hppa2.0
* Fri Nov 21 2003 - ro@suse.de
- fpexec decrease go rights to 11
* Wed Nov 05 2003 - ro@suse.de
- inn scripts: u-w (not needed)
* Mon Nov 03 2003 - schwab@suse.de
- chkstat: fix option parsing.
* Wed Oct 29 2003 - kukuk@suse.de
- Sync permissions for shadow package
* Tue Oct 28 2003 - ro@suse.de
- require /sbin/SuSEconfig
* Tue Oct 28 2003 - ro@suse.de
- chkstat: added some new extensions:
  allow specifying singular files or a filelist to be checked
  output previous/current mode of a failed file
  adapted manpage
* Tue Oct 21 2003 - draht@suse.de
- permissions.secure: /etc/ftpusers 0640 root.root -> 0644
* Mon Oct 20 2003 - ro@suse.de
- permissions.*: use ":" and not "." to separate user/group
- chkstat: output also which of (permissions/owner) is wrong
- chkstat: don't try to chown if not root
* Tue Oct 14 2003 - draht@suse.de
- reformatting of all 4 permissions files.
  xkobo, rocksndiamonds, xlogical, lbreakout2 and ltris path adoptions.
  for future reference: :-)
  for i in permissions permissions.easy permissions.secure permissions.paranoid; do
  cat $i | \
  awk '/^(#|$)/ { print $0; next; } { if(NF > 3) {printf("error: %%s\n",$0);exit}; printf("%%-55s %%-17s %%4s\n",$1,$2,$3)}' \
  > $i.. && mv $i.. $i;
  done
* Thu Sep 18 2003 - kukuk@suse.de
- Fix group of straps, popauth and ntping
- Remove some GNOME games which do not need special rights anymore
* Tue Sep 16 2003 - kukuk@suse.de
- permissions.easy: change group of bing, vboxbeep, plpnfsd to
  trusted, majordomo/wrapper to daemon
* Tue Sep 16 2003 - kukuk@suse.de
- permissions.easy: change group of gpasswd and ziptool to trusted
* Tue Sep 02 2003 - kkeil@suse.de
- fix user fax for hylafax specific files
* Tue Sep 02 2003 - kukuk@suse.de
- fix path to cons.saver, remove setuid bit in paranoid (#25907)
- remove screen
- remove smail (dropped years ago)
* Mon Sep 01 2003 - kkeil@suse.de
- fix group for isdnctrl uucp --> dialout (#28997)
* Mon Sep 01 2003 - draht@suse.de
- feedback@suse.de -> http://www.suse.de/feedback in all files of the
  package. #29635.
* Sat Aug 23 2003 - sndirsch@suse.de
- added martian entries of package pachi
* Tue Aug 19 2003 - mmj@suse.de
- Add sysconfig metadata [#28937]
* Tue Jul 29 2003 - draht@suse.de
- fax changes from Tomas Crhak: faxq-helper and spool directories.
* Tue Jul 29 2003 - ro@suse.de
- gnome games moved back to /opt/gnome
* Mon Jul 28 2003 - kukuk@suse.de
- Remove /var/run from permissions file list [Bug #28289]
* Mon Jul 28 2003 - kukuk@suse.de
- /var/lib/gdm: Removed to solve [Bug #28257] for future products.
* Fri Jul 25 2003 - draht@suse.de
- /usr/lib/vte/gnome-pty-helper -> /opt/gnome/lib/vte/gnome-pty-helper
  The same with /opt/gnome/lib64/.
* Fri Jun 13 2003 - kukuk@suse.de
- /usr/lib/mgetty+sendfax/faxq-helper added 4711 in easy and secure
* Fri May 02 2003 - sndirsch@suse.de
- added /usr/games/pachi and /var/games/pachi.scores
* Mon Mar 10 2003 - sndirsch@suse.de
- added /usr/games/falconseye.bin
- removed /usr/games/falconseye
* Mon Mar 10 2003 - kukuk@suse.de
- added /usr/lib64/vte/gnome-pty-helper until ported to utempter
* Sun Mar 09 2003 - sndirsch@suse.de
- added /usr/games/falconseye
- removed old falconseye entries
* Thu Mar 06 2003 - ro@suse.de
- added /usr/lib/vte/gnome-pty-helper until ported to utempter
* Thu Feb 20 2003 - mmj@suse.de
- Add sysconfig metadata [#22686]
* Tue Feb 18 2003 - kssingvo@suse.de
- removed squid entries. They will be added and corrected to squids own
  permission file /etc/permissions.d/squid (bugzilla#23752):
  /var/squid
  /var/squid/cache
  /var/squid/logs
* Tue Feb 18 2003 - draht@suse.de
- /usr/games/trackballs added 2755 games.games in easy.
* Sun Feb 16 2003 - adrian@suse.de
- allow khc_indexbuilder to write into /var/cache/susehelp in easy mode
- remove old entries (kreatecd and kscd)
* Mon Feb 10 2003 - draht@suse.de
- additions/changes (from #17012, Tobias Burnus):
  * read all files from the commandline at once and override
    entries given multiple times by the last entry
  * enable option --set in addition to -set
  * manpage adoptions
  * call chkstat only once from SuSEconfig.permissions
* Thu Feb 06 2003 - ro@suse.de
- /var/mtrack -> /var/lib/mtrack
* Tue Nov 19 2002 - ro@suse.de
- zapping_setup_fb moved to /opt/gnome/sbin
* Thu Nov 14 2002 - bg@suse.de
- added hppa to rpm subsystem in permissions files to be able to
  finish autobuild
* Thu Oct 24 2002 - ro@suse.de
- two more nethack flavors with sgid games in easy
* Tue Sep 10 2002 - draht@suse.de
- cda entries below /usr/X11R6/lib/X11/xmcd removed.
  index.html under /var/lib/xmcd/discog directories added
  world-writeable. This is not satisfactory. New user xmcd will
  be added in next release.
* Thu Sep 05 2002 - draht@suse.de
- /usr/X11R6/lib/X11/xmcd/bin-Linux-ia64/{cda,xmcd} added.
* Mon Aug 26 2002 - draht@suse.de
- removed all occurrences of kv4lsetup upon request by adrian+uli.
- -s for xlock, xlock-mesa + xscreensaver (#18125), (#18132)
- /usr/src/packages/RPMS/alphaev67 added.
- added /sbin/unix2_chkpwd root.shadow 2755
- -s /usr/sbin/papd (#18103)
* Wed Aug 21 2002 - draht@suse.de
- removed suid bits from heimdal's su and otp (#18104)
* Wed Aug 21 2002 - draht@suse.de
- remove setuid bit from traceroute due to new implementation
  by Olaf Kirch which doesn't need euid root. (#18101)
* Wed Aug 21 2002 - draht@suse.de
- removed lprng entries because of conflicts cups <-> lprng
* Wed Aug 21 2002 - draht@suse.de
- vboxbeep -> 0755 in secure.
* Mon Aug 19 2002 - ro@suse.de
- added prereq (#17956)
* Mon Aug 19 2002 - uli@suse.de
- added nethack for lib64 archs
* Mon Aug 19 2002 - uli@suse.de
- added xmcd for archs != i386
* Tue Aug 13 2002 - draht@suse.de
- gnome-games2 entries changed/adopted to /opt/gnome2 path.
* Tue Aug 13 2002 - draht@suse.de
- changed kcheckpass from 2755 root.shadow to 4755. (#17664)
* Wed Jul 31 2002 - olh@suse.de
- ncpmount, ncpumount, nwsfind, ncplogin, ncpmap root.trusted 4750
* Sat Jul 27 2002 - kukuk@suse.de
- Rename group wwwadmin to www
- Rename group game to games
* Tue Jul 23 2002 - draht@suse.de
- added sapdb files, not setuid root in secure,paranoid.
* Mon Jul 22 2002 - draht@suse.de
- added frontpage files
* Tue Jul 16 2002 - draht@suse.de
- changed entries for mailman: group mdom -> mailman
* Tue Jul 16 2002 - draht@suse.de
- mailman sgid mdom files added to easy, secure and paranoid.
* Wed Jul 10 2002 - draht@suse.de
- .paranoid comment fixed about at and cron (#12159)
* Mon Jul 08 2002 - draht@suse.de
- ppp dialup networking fixes and cleanup.
* Mon Jul 08 2002 - draht@suse.de
- modifications: -s for pppd, world-writeable directories for
  kdemultimedia3-sound, gift, mips and armv4l RPMS directory.
* Fri Jul 05 2002 - kukuk@suse.de
- Add /usr/src/packages/RPMS/sparcv9 to easy,secure,paranoid.
* Thu Jul 04 2002 - draht@suse.de
- /usr/lib64/pt_chown added to easy,secure,paranoid.
* Mon Jul 01 2002 - draht@suse.de
- entries for packages added or changed:
  squid
  geki2
  d1x
  falconseye
  fdutils
  gewels
  gnome-games
  heimdal
  lbreakout
  lpdfilter
  lprng
  man
  mgetty (/var/spool/fax/outgoing/* need discussion)
  mtrack (locfile+satfile -> 0644)
  nethack
  nvi-m17n (/var/preserve/vi.recover -> 1777)
  opie (/bin -> /usr/bin)
  pcp
  plptools
  qpopper
  rp-pppoe (/usr/sbin/pppoe-wrapper)
  smpppd (/usr/sbin/cinternet-wwwrun wwwrun.dialout 2750)
  squid (/usr/sbin/pam_auth)
  su-wrapper
  xemacs (lock directory changed again? now /var/state/xemacs and
  /var/lib/xemacs)
  xgalaga
  xmcd
  xscrabble
* Mon Jul 01 2002 - ro@suse.de
- don't install all sources (spec file etc.)
* Fri Jun 28 2002 - draht@suse.de
- minor spec file change
* Fri Jun 28 2002 - draht@suse.de
- entries for packages added:
  ftpdir gnokii kamplus geki2 aaa_dir (/tmp/.ICE-unix)
* Fri Jun 28 2002 - draht@suse.de
- unpack tar archive in source for convenience.
* Thu Jun 27 2002 - olh@suse.de
- update permissions of /usr/src/packages/RPMS/
* Fri Jun 21 2002 - ro@suse.de
- created package as split off from aaa_base