# /etc/permissions
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller, 2001
#
# This file is used by SuSEconfig and chkstat to check or set the modes
# and ownerships of files and directories in the installation.
#
# There is a set of files with similar meaning in a SuSE installation:
# /etc/permissions          (This file)
# /etc/permissions.easy
# /etc/permissions.secure
# /etc/permissions.paranoid
# /etc/permissions.local
# Please see the respective files for their meaning.
#
#
# Format (one entry per line, fields separated by whitespace):
# PATH OWNER:GROUP MODE
# MODE is the usual chmod(1) octal mode; a leading digit carries the
# special bits as in chmod: 1xxx = sticky, 2xxx = setgid, 4xxx = setuid
# (the entries below use e.g. 1777 and 2755 this way).
#
# How it works:
# Change the entries as you like, then call
# `chkstat -set /etc/permissions' or /etc/permissions.{easy,secure,paranoid}
# respectively, or call `SuSEconfig' as YaST does after it thinks
# that files have been modified in the system.
#
# SuSEconfig will use the files /etc/permissions and the ones ending
# in what the variable PERMISSION_SECURITY from
# /etc/sysconfig/security contains. By default, these are the files
# /etc/permissions, /etc/permissions.easy and /etc/permissions.local
# for local changes by the admin. In addition, the directory
# /etc/permissions.d/ can contain permission files that belong to
# the packages they modify file modes for. These permission files
# are there to switch between conflicting file modes of the same file
# paths in different packages (popular example: sendmail and
# postfix, path /usr/sbin/sendmail).
#
# SuSEconfig's usage of the chkstat program can be turned off completely
# by setting CHECK_PERMISSIONS to "warn" in /etc/sysconfig/security.
#
# /etc/permissions is kept to the bare minimum. File modes that differ
# from the settings in this file should be considered broken.
#
# Please see the headers of the files
# /etc/permissions.easy
# /etc/permissions.secure
# /etc/permissions.paranoid
# as well as
# /etc/permissions.local
# for more information about their particular meaning and their setup.
#
# root directories:
#
# Top-level directories are world-searchable (755) so that any user can
# traverse them; only root's home is private.
/                       root:root       755
/root                   root:root       700
# World-writable directories carry the sticky bit (1xxx): anyone may create
# files, but only the file owner (or root) may remove or rename them.
/tmp                    root:root       1777
/tmp/.X11-unix/         root:root       1777
/tmp/.ICE-unix/         root:root       1777
/dev                    root:root       755
/bin                    root:root       755
/sbin                   root:root       755
/lib                    root:root       755
/etc                    root:root       755
/home                   root:root       755
/boot                   root:root       755
/opt                    root:root       755
/usr                    root:root       755
#
# /var:
#
/var/tmp                root:root       1777
/var/tmp/vi.recover/    root:root       1777
/var/log                root:root       755
/var/spool              root:root       755
# Job spools are private to their daemon user: nobody else can read or
# tamper with queued jobs.
/var/spool/atjobs       at:at           700
/var/spool/atjobs/.SEQ  at:at           600
/var/spool/atjobs/.lockfile at:at       600
/var/spool/atspool      at:at           700
/var/spool/cron         root:root       700
/var/spool/mqueue       root:root       700
/var/spool/news         news:news       775
/var/spool/uucp         uucp:uucp       755
/var/spool/voice        root:root       755
# World-writable with sticky bit, like /tmp: any user can create a file
# here but cannot remove another user's mailbox. NOTE(review): only needed
# if mailboxes are created by the receiving user rather than by the
# delivery agent -- confirm against the installed MTA/MDA.
/var/spool/mail         root:root       1777
/var/adm                root:root       755
/var/adm/backup         root:root       700
/var/cache              root:root       755
# Sticky world-writable, same rules as /tmp.
/var/cache/fonts        root:root       1777
/var/cache/man          man:root        755
/var/yp                 root:root       755
# World-writable (666) on purpose: every local process must be able to
# connect to the nscd socket. NOTE(review): this relies on nscd itself
# answering only lookups the caller could do anyway -- verify.
/var/run/nscd/socket    root:root       666
/var/run/sudo           root:root       700
#
# log files that do not grow remarkably
#
# Failed-login records: root-only, so that nobody can read or reset
# other users' failure counts.
/var/log/faillog        root:root       600
# Group tty may read but not write (644), so that the last-login
# information cannot be forged by tty-group processes and can be trusted.
/var/log/lastlog        root:tty        644
#
# some device files
#
/dev/zero               root:root       666
/dev/null               root:root       666
# 622: group and others may write but not read.
/dev/full               root:root       622
/dev/ip                 root:root       660
/dev/initrd             root:disk       660
# Raw kernel memory: group kmem read-only, no access for others.
/dev/kmem               root:kmem       640
#
# /etc
#
# lilo.conf may contain a boot-loader password, hence root-only.
/etc/lilo.conf          root:root       600
/etc/passwd             root:root       644
# Password hashes are never world-readable; group shadow gets read access
# only (640), presumably for setgid-shadow helpers -- confirm.
/etc/shadow             root:shadow     640
/etc/init.d             root:root       755
/etc/HOSTNAME           root:root       644
/etc/hosts              root:root       644
# Do not tighten the hosts_access(5) files (hosts.allow, hosts.deny):
# services that do not run as root must be able to read them, otherwise
# their access control silently breaks. They therefore stay at 644.
/etc/hosts.allow        root:root       644
/etc/hosts.deny         root:root       644
/etc/hosts.equiv        root:root       644
/etc/hosts.lpd          root:root       644
# Loader configuration and cache: world-readable, but only root may write
# (a writable ld.so.conf/ld.so.cache would let anyone inject libraries
# into every dynamically linked program).
/etc/ld.so.conf         root:root       644
/etc/ld.so.cache        root:root       644
# OPIE one-time-password key database: root-only.
/etc/opiekeys           root:root       600
/etc/smpppd.conf        root:root       600
# Dial-out related files are readable by group dialout only.
/etc/smpppd-c.conf      root:dialout    640
/var/run/smpppd         root:dialout    750
/etc/ppp                root:dialout    750
# PPP authentication secrets: root-only, not even group dialout may read.
/etc/ppp/chap-secrets   root:root       600
/etc/ppp/pap-secrets    root:root       600
# sysconfig files:
# Provider data (may include dial-in credentials): root-only directory.
/etc/sysconfig/network/providers root:root 700
# utempter
# setgid tty (2755). This is the only entry in this file that sets a
# setuid/setgid bit; presumably it exists so that unprivileged programs
# can update the utmp records via this helper -- confirm.
/usr/sbin/utempter      root:tty        2755
# Restricting the global ssh client configuration (ssh_config) only makes
# it unreadable for users and therefore useless; it does not restrict
# anything, since users can bring their own client and their own config.
# The private host key, however, must stay root-only.
/etc/ssh/ssh_host_key   root:root       600
/etc/ssh/ssh_host_key.pub root:root     644
/etc/ssh/ssh_config     root:root       644
/etc/ssh/sshd_config    root:root       640
#
# legacy
#
# don't set the setuid bit on suidperl! suidperl is a hardlink to perl
# nowadays, so both names share one inode and one set of mode bits:
# making suidperl setuid root would make /usr/bin/perl itself setuid root.
# Set the bit on sperl instead if you really need it.
/usr/bin/suidperl       root:root       755
# cdrecord does not need to be setuid root as it uses resmgr for
# accessing the devices. Access to that one can be configured in
# /etc/resmgr.conf
/usr/bin/cdrecord       root:root       755
# new traceroute program by Olaf Kirch does not need setuid root any more.
/usr/sbin/traceroute    root:root       755
# netatalk printer daemon: sgid not needed any more with cups.
# (0755 and 755 denote the same octal mode; the leading zero is cosmetic.)
/usr/sbin/papd          root:lp         0755
# Group-writable directory: every games:games process can create files
# below it. Safe as long as nothing below it is executed or otherwise
# trusted, i.e. as long as we don't change files below it (#103186)
/var/games/             games:games     0775
# No longer common. Set setuid bit yourself if you need it
# (#66191). Kept here, commented out, only as a reference for the mode
# that was used (setuid root, group trusted, no access for others).
#/usr/bin/ziptool       root:trusted    4750