Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package permissions for openSUSE:Factory checked in at 2026-05-14 21:42:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/permissions (Old)
 and      /work/SRC/openSUSE:Factory/.permissions.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "permissions" Thu May 14 21:42:26 2026 rev:173 rq:1352762 version:1699_20260512 Changes: -------- --- /work/SRC/openSUSE:Factory/permissions/permissions.changes 2026-02-25 21:06:35.156341028 +0100 +++ /work/SRC/openSUSE:Factory/.permissions.new.1966/permissions.changes 2026-05-14 21:43:11.179164267 +0200 @@ -1,0 +2,8 @@ +Tue May 12 13:21:44 UTC 2026 - Matthias Gerstner <[email protected]> + +- Update to version 1699_20260512: + * iputils: Fix capability permissions for clockdiff + * profiles: drop nfs-utils rmtab entry + * README: document RPM installation time race condition + +------------------------------------------------------------------- Old: ---- permissions-1699_20260217.tar.xz New: ---- permissions-1699_20260512.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ permissions.spec ++++++ --- /var/tmp/diff_new_pack.EyZTrW/_old 2026-05-14 21:43:12.335211689 +0200 +++ /var/tmp/diff_new_pack.EyZTrW/_new 2026-05-14 21:43:12.339211853 +0200 @@ -1,6 +1,7 @@ # # spec file for package permissions # +# Copyright (c) 2026 SUSE LLC # Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties @@ -18,7 +19,7 @@ Name: permissions # NOTE: the version prefix is synced with %%suse_version currently -Version: 1699_20260217 +Version: 1699_20260512 Release: 0 Summary: SUSE Linux Default Permissions # Maintained in github by the security team. ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.EyZTrW/_old 2026-05-14 21:43:12.387213822 +0200 +++ /var/tmp/diff_new_pack.EyZTrW/_new 2026-05-14 21:43:12.391213986 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openSUSE/permissions.git</param> - <param name="changesrevision">c5a7bb047f9f1f86a420d1c06abf5473a299b64d</param></service></servicedata> + <param name="changesrevision">bf7fffbed89d1be8e2401d00cd485b536cfde617</param></service></servicedata> (No newline at EOF) ++++++ permissions-1699_20260217.tar.xz -> permissions-1699_20260512.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-1699_20260217/README.md new/permissions-1699_20260512/README.md --- old/permissions-1699_20260217/README.md 2026-02-17 11:40:54.000000000 +0100 +++ new/permissions-1699_20260512/README.md 2026-05-12 15:20:23.000000000 +0200 @@ -1,6 +1,6 @@ # SUSE permissions Package -This repository contains the source for the SUSE Base:System/permissions +This repository contains the source for the SUSE `Base:System/permissions` package. This package provides the `permctl` (formerly `chkstat`) utility and a set of different file permission profiles. These profiles can be changed by administrators of SUSE Linux distributions. The profiles consist of a list of @@ -15,7 +15,7 @@ Therefore the permission profiles govern an important aspect of system security on SUSE distributions. The different profiles allow an administrator -to select a base security level and also allow to customize settings. See the +to select a base security level and to customize settings. Refer to the accompanying man pages for more detailed information. The permissions package is a base package on SUSE Linux distributions and 
@@ -52,3 +52,23 @@ permissions might already have put the system at risk. Also the root cause for bad file permission settings can obscured this way, maybe hiding a deeper rooting problem that should be fixed. + +# Race Conditions upon RPM Installation + +When an RPM is installed or updated then the permissions of files managed by +`permctl` are initially controlled by the metadata stored in the RPM. Only a +short while after, when the RPM's `%post` scriptlet runs, will `permctl` be +invoked to apply the settings based on runtime configuration. This can mean +that certain privileges are given out to programs for a short time before +`permctl` adjusts them to the desired configuration settings again. + +It is difficult to fix this race condition without hooking directly into RPM, +which we decided against until now, to avoid a lot of added complexity. + +We don't expect programs carrying e.g. a setuid-root bit for a short time to +easily allow a local root exploit or similar attack vectors. Software with +problematic security is not allowed into SUSE distributions in the first +place. The permissions package intends to establish a security baseline +for daily operation e.g. to avoid users running programs offering unnecessary +extra attack surface. Thus we consider this RPM installation time race +condition an acceptable risk. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-1699_20260217/profiles/permissions.easy new/permissions-1699_20260512/profiles/permissions.easy --- old/permissions-1699_20260217/profiles/permissions.easy 2026-02-17 11:40:54.000000000 +0100 +++ new/permissions-1699_20260512/profiles/permissions.easy 2026-05-12 15:20:23.000000000 +0200 @@ -20,9 +20,6 @@ :package: netcfg /etc/exports root:root 644 -:package: nfs-kernel-server # from nfs-utils -/var/lib/nfs/rmtab root:root 644 - :package: syslogd /etc/syslog.conf root:root 644 
@@ -87,7 +84,7 @@ :package: iputils # needs privileged socket access /usr/bin/clockdiff root:root 0755 - +capabilities cap_net_raw=p + +capabilities cap_net_raw,cap_sys_nice=ep :package: mtr /usr/sbin/mtr-packet root:root 0755 +capabilities cap_net_raw=ep diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-1699_20260217/profiles/permissions.paranoid new/permissions-1699_20260512/profiles/permissions.paranoid --- old/permissions-1699_20260217/profiles/permissions.paranoid 2026-02-17 11:40:54.000000000 +0100 +++ new/permissions-1699_20260512/profiles/permissions.paranoid 2026-05-12 15:20:23.000000000 +0200 @@ -28,9 +28,6 @@ :package: netcfg /etc/exports root:root 600 -:package: nfs-kernel-server # from nfs-utils -/var/lib/nfs/rmtab root:root 600 - :package: syslogd /etc/syslog.conf root:root 600 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-1699_20260217/profiles/permissions.secure new/permissions-1699_20260512/profiles/permissions.secure --- old/permissions-1699_20260217/profiles/permissions.secure 2026-02-17 11:40:54.000000000 +0100 +++ new/permissions-1699_20260512/profiles/permissions.secure 2026-05-12 15:20:23.000000000 +0200 @@ -18,9 +18,6 @@ :package: netcfg /etc/exports root:root 644 -:package: nfs-kernel-server # from nfs-utils -/var/lib/nfs/rmtab root:root 644 - :package: syslogd /etc/syslog.conf root:root 600 @@ -86,7 +83,7 @@ :package: iputils # needs privileged socket access /usr/bin/clockdiff root:root 0755 - +capabilities cap_net_raw=p + +capabilities cap_net_raw,cap_sys_nice=ep :package: mtr /usr/sbin/mtr-packet root:root 0755
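Review bot: In the permissions.spec header hunk (@@ -1,6 +1,7 @@), the added line "# Copyright (c) 2026 SUSE LLC" sits directly above the existing "# Copyright (c) 2026 SUSE LLC and contributors", so the header now carries two near-identical copyright lines for the same year. If this comes from automated spec formatting, keep only one of them; if both are intended, a short comment saying why would stop the next editor from removing one.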
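Review bot: The new README section "Race Conditions upon RPM Installation" (hunk @@ -52,3 +52,23 @@) rests its "short time" wording on the `%post` scriptlet actually running, but does not cover the case where it does not, for example when scriptlets are skipped with `rpm --noscripts` or the scriptlet fails; the permissions from the RPM metadata then stay in place until `permctl` is next invoked. Suggest adding a sentence on that case and pointing to how an administrator reapplies the profile by hand. Wording: drop "then" in "When an RPM is installed or updated then", and the unchanged context line above the new section still reads "can obscured", which should be "can be obscured".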
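Review bot: The hunks removing `/var/lib/nfs/rmtab` from permissions.easy, permissions.paranoid and permissions.secure give no reason for the removal, and the changes entry only says "profiles: drop nfs-utils rmtab entry". The paranoid profile set this file to 600 while easy and secure used 644, so after this change nothing in the profiles enforces the tighter mode on paranoid systems. Suggest stating in the changes entry why the entry is obsolete, so that a reader can tell the 600 setting was dropped on purpose and not lost along with the other two.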
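Review bot: In the iputils hunks of permissions.easy and permissions.secure, the comment "# needs privileged socket access" above `/usr/bin/clockdiff` only explains `cap_net_raw`, while the new line "+capabilities cap_net_raw,cap_sys_nice=ep" also grants `cap_sys_nice` and changes the flags from `=p` (permitted only) to `=ep` (permitted and effective), and neither change is explained. Suggest extending the comment to say why clockdiff needs `cap_sys_nice` and why the effective flag is now required, since `=ep` makes both capabilities active from exec onward instead of leaving it to the program to raise them. The permissions.paranoid diff shown contains no clockdiff hunk; worth confirming that this is intentional.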
