Hello community, here is the log from the commit of package permissions for openSUSE:Factory checked in at 2019-02-19 13:54:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/permissions (Old) and /work/SRC/openSUSE:Factory/.permissions.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "permissions" Tue Feb 19 13:54:51 2019 rev:121 rq:674669 version:20190212 Changes: -------- --- /work/SRC/openSUSE:Factory/permissions/permissions.changes 2018-11-26 10:12:59.726246482 +0100 +++ /work/SRC/openSUSE:Factory/.permissions.new.28833/permissions.changes 2019-02-19 13:54:52.508726137 +0100 @@ -1,0 +2,46 @@ +Tue Feb 12 14:29:45 UTC 2019 - [email protected] + +- Update to version 20190212: + * removed old entry for wodim + * removed old entry for netatalk + * removed old entry for suidperl + * removed old entriy for utempter + * removed old entriy for hostname + * removed old directory entries + * removed old entry for qemu-bridge-helper + * removed old entries for pccardctl + * removed old entries for isdnctrl + * removed old entries for unix(2)_chkpwd + * removed old entries for mount.nfs + * removed old entries for (u)mount + * removed old entry for fileshareset + * removed old entries for KDE + * removed old entry for heartbeat + * removed old entry for gnome-control-center + * removed old entry for pcp + * removed old entry for lpdfilter + * removed old entry for scotty + * removed old entry for ia32el + * removed old entry for squid + * removed old qpopper whitelist + * removed pt_chown entries. Not needed anymore and a bad idea anyway + * removed old majordomo entry + * removed stale entries for old ncpfs tools + * removed old entry for rmtab + * Fixed typo in icinga2 whitelist entry + * New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale + entries for VirtualBox + * Removed whitelist for /usr/bin/su.core. According to comment a temporary + hack introduced 2012 to help moving su from coretuils to util-linux. I + couldn't find it anywhere, so we don't need it anymore + * Remove entry for /usr/bin/yaps. We don't ship it anymore and the group that + is used doesn't exists anymore starting with Leap 15, so it will not work + there anyway. Users using this (old) package can do this individually + * removed entry for /etc/ftpaccess. We currently don't have it anywhere (and + judging from my search this has been the case for quite a while) + * Ensure consistency of entries, otherwise switching between settings becomes + problematic + * Fix spelling of SUSE + * permissions.local: fix typo + +------------------------------------------------------------------- Old: ---- permissions-20181116.tar.xz New: ---- permissions-20190212.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ permissions.spec ++++++ --- /var/tmp/diff_new_pack.fZetjk/_old 2019-02-19 13:54:53.052725748 +0100 +++ /var/tmp/diff_new_pack.fZetjk/_new 2019-02-19 13:54:53.056725745 +0100 @@ -1,7 +1,7 @@ # # spec file for package permissions # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: permissions -Version: 20181116 +Version: 20190212 Release: 0 Summary: SUSE Linux Default Permissions # Maintained in github by the security team. ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.fZetjk/_old 2019-02-19 13:54:53.104725711 +0100 +++ /var/tmp/diff_new_pack.fZetjk/_new 2019-02-19 13:54:53.104725711 +0100 @@ -1,4 +1,4 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openSUSE/permissions.git</param> - <param name="changesrevision">c1107931c09ab5e32fffa7696ab6b09fff553a96</param></service></servicedata> \ No newline at end of file + <param name="changesrevision">b3af647ecf37350b62e774e798e2ce4b7f0bff60</param></service></servicedata> \ No newline at end of file ++++++ permissions-20181116.tar.xz -> permissions-20190212.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20181116/permissions new/permissions-20190212/permissions --- old/permissions-20181116/permissions 2018-11-16 16:33:52.000000000 +0100 +++ new/permissions-20190212/permissions 2019-02-12 15:17:25.000000000 +0100 @@ -8,7 +8,7 @@ # This file is used by chkstat (and indirectly by various RPM scripts) # to check or set the modes and ownerships of files and directories in the installation. # -# There is a set of files with similar meaning in a SuSE installation: +# There is a set of files with similar meaning in a SUSE installation: # /etc/permissions (This file) # /etc/permissions.easy # /etc/permissions.secure @@ -62,14 +62,12 @@ /var/spool/ root:root 755 /var/spool/mqueue/ root:root 700 /var/spool/news/ news:news 775 -/var/spool/uucp/ uucp:uucp 755 /var/spool/voice/ root:root 755 /var/spool/mail/ root:root 1777 /var/adm/ root:root 755 /var/adm/backup/ root:root 700 /var/cache/ root:root 755 /var/cache/man/ man:root 755 -/var/yp/ root:root 755 /var/run/nscd/socket root:root 666 /run/nscd/socket root:root 666 /var/run/sudo/ root:root 700 @@ -103,7 +101,6 @@ /etc/passwd root:root 644 /etc/shadow root:shadow 640 /etc/init.d/ root:root 755 -/etc/HOSTNAME root:root 644 /etc/hosts root:root 644 # Changing the hosts_access(5) files causes trouble with services # that do not run as root! @@ -124,7 +121,6 @@ /etc/sysconfig/network/providers/ root:root 700 # utempter -/usr/sbin/utempter root:utmp 2755 /usr/lib/utempter/utempter root:utmp 2755 # ensure correct permissions on ssh files to avoid sshd refusing @@ -141,16 +137,9 @@ # # legacy # -# don't set the setuid bit on suidperl! Set it on sperl instead if -# you really need it as suidperl is a hardlink to perl nowadays. -/usr/bin/suidperl root:root 755 - # new traceroute program by Olaf Kirch does not need setuid root any more. /usr/sbin/traceroute root:root 755 -# netatalk printer daemon: sgid not needed any more with cups. -/usr/sbin/papd root:lp 0755 - # games:games 775 safe as long as we don't change files below it (#103186) # still people do it (#429882) so root:root 755 is the consequence. /var/games/ root:root 0755 @@ -176,9 +165,6 @@ # opiesu is not allowed setuid root as code quality is bad (bnc#882035) /usr/bin/opiesu root:root 0755 -# wodim is not allowed setuid root as cd burning does not strictly require -# it (bnc#882035) -/usr/bin/wodim root:root 0755 # we no longer make rpm build dirs 1777 /usr/src/packages/SOURCES/ root:root 0755 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20181116/permissions.easy new/permissions-20190212/permissions.easy --- old/permissions-20181116/permissions.easy 2018-11-16 16:33:52.000000000 +0100 +++ new/permissions-20190212/permissions.easy 2019-02-12 15:17:25.000000000 +0100 @@ -27,12 +27,15 @@ /etc/crontab root:root 600 /etc/exports root:root 644 /etc/fstab root:root 644 -# we don't package it -/etc/ftpaccess root:root 644 /etc/ftpusers root:root 644 -/etc/rmtab root:root 644 /var/lib/nfs/rmtab root:root 644 /etc/syslog.conf root:root 644 +/etc/ssh/sshd_config root:root 640 +/etc/cron.d root:root 755 +/etc/cron.daily root:root 755 +/etc/cron.hourly root:root 755 +/etc/cron.monthly root:root 755 +/etc/cron.weekly root:root 755 # # suid system programs that need the suid bit to work: @@ -52,29 +55,15 @@ # opie password system # #66303 /usr/bin/opiepasswd root:root 4755 -# "user" entries in /etc/fstab make mount work for non-root users: -/usr/bin/ncpmount root:trusted 4750 -/usr/bin/ncpumount root:trusted 4750 # #331020 /sbin/mount.nfs root:root 4755 -/bin/mount root:root 4755 -/bin/umount root:root 4755 # # #133657 /usr/bin/fusermount root:trusted 4755 -# #66203 -/usr/lib/majordomo/wrapper root:daemon 4755 -# glibc backwards compatibility -/usr/lib/pt_chown root:root 4755 -/usr/lib64/pt_chown root:root 4755 # needs setuid root when using shadow via NIS: # #216816 /sbin/unix_chkpwd root:shadow 4755 /sbin/unix2_chkpwd root:shadow 4755 -# qpopper -/usr/sbin/popauth pop:trusted 4755 -# from the squid package -/usr/sbin/pam_auth root:shadow 4755 # squid changes from bnc#891268 /var/cache/squid/ squid:root 0750 @@ -92,36 +81,18 @@ # # video /usr/bin/v4l-conf root:video 4755 -# Itanium ia32 emulator -/usr/lib/ia32el/suid_ia32x_loader root:root 4755 -# scotty: -# #66211 -/usr/bin/ntping root:trusted 4750 # turn off write and wall by disabling sgid tty: /usr/bin/wall root:tty 2755 /usr/bin/write root:tty 2755 # thttpd: /usr/bin/makeweb root:www 2755 -# yaps, pager software, accesses /dev/ttyS? -/usr/bin/yaps root:uucp 2755 -# ncpfs tool -/usr/bin/nwsfind root:trusted 4750 -/usr/bin/ncplogin root:trusted 4750 -/usr/bin/ncpmap root:trusted 4750 -# lpdfilter: -# checks itself that only lp and root can call it -/usr/lib/lpdfilter/bin/runlpr root:root 4755 # pcmcia: # Needs setuid to eject cards (#100120) /sbin/pccardctl root:trusted 4755 # gnokii nokia cellphone software # #66209 /usr/sbin/mgnokiidev root:uucp 4755 -# pcp, performance co-pilot -# setuid root is used to write /var/log/pcp/NOTICES -# #66205 -/usr/lib/pcp/pmpost root:root 4755 # mailman mailing list software # #66315 /usr/lib/mailman/cgi-bin/admin root:mailman 2755 @@ -141,9 +112,6 @@ # libgnomesu (#75823, #175616) /usr/lib/libgnomesu/gnomesu-pam-backend root:root 4755 -# control-center2 (#104993) -/usr/sbin/change-passwd root:root 4755 - # # networking (need root for the privileged socket) # @@ -158,11 +126,6 @@ /usr/bin/rlogin root:root 4755 /usr/bin/rsh root:root 4755 -# heartbeat #66310 -# cl_status needs to be allowed to connect to the heartbeat API. If the setgid -# bit is removed, one can manually add users to the haclient group instead. -/usr/bin/cl_status root:haclient 2555 - # exim /usr/sbin/exim root:root 4755 @@ -186,7 +149,7 @@ # # terminal emulators -# This and future SuSE products have support for the utempter, a small helper +# This and future SUSE products have support for the utempter, a small helper # program that does the utmp/wtmp update work with the necessary rights. # The use of utempter obsoletes the need for sgid bits on terminal emulator # binaries. We mention screen here, but all other terminal emulators have @@ -201,32 +164,18 @@ # (all of them are disabled in permissions.secure except for # the helper programs) # -# arts wrapper, normally suid root: -/opt/kde3/bin/artswrapper root:root 4755 # needs setuid root when using shadow via NIS: # #66218 -/opt/kde3/bin/kcheckpass root:shadow 4755 /usr/lib/kde4/libexec/kcheckpass root:shadow 4755 /usr/lib64/kde4/libexec/kcheckpass root:shadow 4755 -# This has a meaning... hmm... -/opt/kde3/bin/kdesud root:nogroup 2755 /usr/lib/kde4/libexec/kdesud root:nogroup 2755 /usr/lib64/kde4/libexec/kdesud root:nogroup 2755 /usr/lib/libexec/kf5/kdesud root:nogroup 2755 /usr/lib64/libexec/kf5/kdesud root:nogroup 2755 -# used for getting proxy settings from dhcp -/opt/kde3/bin/kpac_dhcp_helper root:root 4755 -# used to distract the oom killer -# #203535 -/opt/kde3/bin/start_kdeinit root:root 4755 # bnc#523833 /usr/lib/kde4/libexec/start_kdeinit root:root 4755 /usr/lib64/kde4/libexec/start_kdeinit root:root 4755 -# edits /etc/smb.conf -# #66312 -/usr/bin/fileshareset root:root 4755 - # # amanda @@ -309,8 +258,8 @@ # VirtualBox (#429725) /usr/lib/virtualbox/VirtualBox root:vboxusers 4750 -/usr/lib/virtualbox/VirtualBox3 root:vboxusers 4750 -/usr/lib/virtualbox/VBoxBFE root:vboxusers 4750 +# bsc#1120650 +/usr/lib/virtualbox/VirtualBoxVM root:vboxusers 4750 /usr/lib/virtualbox/VBoxHeadless root:vboxusers 4750 /usr/lib/virtualbox/VBoxSDL root:vboxusers 4750 # (bnc#533550) @@ -350,24 +299,9 @@ /usr/lib/singularity/bin/mount-suid root:singularity 4750 /usr/lib/singularity/bin/start-suid root:singularity 4750 -# -# XXX: / -> /usr merge and sbin -> bin merge -# XXX: duplicated entries need to be cleaned up before 12.2 /usr/bin/su root:root 4755 -# temporary hack to make the move from coreutils to util-linux work -/usr/bin/su.core root:root 4755 -/usr/sbin/mount.nfs root:root 4755 -/usr/bin/mount.nfs root:root 4755 /usr/bin/mount root:root 4755 /usr/bin/umount root:root 4755 -/usr/sbin/unix_chkpwd root:shadow 4755 -/usr/bin/unix_chkpwd root:shadow 4755 -/usr/sbin/unix2_chkpwd root:shadow 4755 -/usr/bin/unix2_chkpwd root:shadow 4755 -/usr/sbin/isdnctrl root:dialout 4750 -/usr/bin/isdnctrl root:dialout 4750 -/usr/sbin/pccardctl root:trusted 4755 -/usr/bin/pccardctl root:trusted 4755 # cdrecord of cdrtools from Joerg Schilling (bnc#550021) # Please note that additional capabilities are provided only for reliable @@ -380,8 +314,6 @@ # qemu-bridge-helper (bnc#765948, bsc#988279) /usr/lib/qemu-bridge-helper root:kvm 04750 -/usr/lib64/qemu-bridge-helper root:kvm 04750 - # systemd-journal (bnc#888151) /var/log/journal/ root:systemd-journal 2755 @@ -421,8 +353,8 @@ /usr/lib/gvfs/gvfsd-nfs root:root 0755 +capabilities cap_net_bind_service=ep -# incinga2 (bsc#1069410) -/run/incinga2/cmd icinga:icingagmd 2750 +# icinga2 (bsc#1069410) +/run/icinga2/cmd icinga:icingagmd 2750 # fping (bsc#1047921) /usr/sbin/fping root:root 0755 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20181116/permissions.local new/permissions-20190212/permissions.local --- old/permissions-20181116/permissions.local 2018-11-16 16:33:52.000000000 +0100 +++ new/permissions-20190212/permissions.local 2019-02-12 15:17:25.000000000 +0100 @@ -9,8 +9,8 @@ # to check or set the modes and ownerships of files and directories in # the installation. # -# If you want chkstat to be run automically after zypper operations, then you -# can install the permissions-zypp-plugin. This is helpful when you are +# If you want chkstat to be run automatically after zypper operations, then +# you can install the permissions-zypp-plugin. This is helpful when you are # entering permissions in this file that get overwritten by package updates. # The plugin keeps the custom permissions in place. # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20181116/permissions.paranoid new/permissions-20190212/permissions.paranoid --- old/permissions-20181116/permissions.paranoid 2018-11-16 16:33:52.000000000 +0100 +++ new/permissions-20190212/permissions.paranoid 2019-02-12 15:17:25.000000000 +0100 @@ -42,9 +42,7 @@ /etc/crontab root:root 600 /etc/exports root:root 600 /etc/fstab root:root 600 -/etc/ftpaccess root:root 600 /etc/ftpusers root:root 600 -/etc/rmtab root:root 600 /var/lib/nfs/rmtab root:root 600 /etc/syslog.conf root:root 600 /etc/ssh/sshd_config root:root 600 @@ -73,29 +71,15 @@ # opie password system # #66303 /usr/bin/opiepasswd root:root 0755 -# "user" entries in /etc/fstab make mount work for non-root users: -/usr/bin/ncpmount root:trusted 0755 -/usr/bin/ncpumount root:trusted 0755 # #331020 /sbin/mount.nfs root:root 0755 -/bin/mount root:root 0755 -/bin/umount root:root 0755 # # #133657 /usr/bin/fusermount root:trusted 0755 -# #66203 -/usr/lib/majordomo/wrapper root:daemon 0755 -# glibc backwards compatibility -/usr/lib/pt_chown root:root 0755 -/usr/lib64/pt_chown root:root 0755 # needs setuid root when using shadow via NIS: # #216816 /sbin/unix_chkpwd root:shadow 0755 /sbin/unix2_chkpwd root:shadow 0755 -# qpopper -/usr/sbin/popauth pop:trusted 0755 -# from the squid package -/usr/sbin/pam_auth root:shadow 0755 # /quid changes from bnc#891268 /var/cache/squid/ squid:root 0750 @@ -108,41 +92,22 @@ /usr/lib/gnome-pty-helper root:utmp 0755 # -# mixed section: most of it is disabled in this permissions.secure: +# mixed section: most of it is disabled in this permissions.paranoid: # # video /usr/bin/v4l-conf root:video 0755 -# Itanium ia32 emulator -/usr/lib/ia32el/suid_ia32x_loader root:root 0755 -######################################################################### -# scotty: -# #66211 -/usr/bin/ntping root:trusted 0755 # turned off write and wall by disabling sgid tty: /usr/bin/wall root:tty 0755 /usr/bin/write root:tty 0755 # thttpd /usr/bin/makeweb root:www 0750 -# yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp. -/usr/bin/yaps root:uucp 0755 -# ncpfs tool: trusted only -/usr/bin/nwsfind root:trusted 0750 -/usr/bin/ncplogin root:trusted 0750 -/usr/bin/ncpmap root:trusted 0750 -# lpdfilter: -# checks itself that only lp and root can call it -/usr/lib/lpdfilter/bin/runlpr root:root 0755 # pcmcia: # Needs setuid to eject cards (#100120) /sbin/pccardctl root:trusted 0755 # gnokii nokia cellphone software # #66209 /usr/sbin/mgnokiidev root:uucp 755 -# pcp, performance co-pilot -# setuid root is used to write /var/log/pcp/NOTICES -# #66205 -/usr/lib/pcp/pmpost root:trusted 0755 # mailman mailing list software # #66315 /usr/lib/mailman/cgi-bin/admin root:mailman 0755 @@ -162,9 +127,6 @@ # libgnomesu (#75823, #175616) /usr/lib/libgnomesu/gnomesu-pam-backend root:root 0755 -# control-center2 (#104993) -/usr/sbin/change-passwd root:root 0755 - # # networking (need root for the privileged socket) # @@ -176,11 +138,6 @@ /usr/bin/rlogin root:root 0755 /usr/bin/rsh root:root 0755 -# heartbeat #66310 -# cl_status needs to be allowed to connect to the heartbeat API. If the setgid -# bit is removed, one can manually add users to the haclient group instead. -/usr/bin/cl_status root:haclient 0555 - # exim /usr/sbin/exim root:root 0755 @@ -204,7 +161,7 @@ # # terminal emulators -# This and future SuSE products have support for the utempter, a small helper +# This and future SUSE products have support for the utempter, a small helper # program that does the utmp/wtmp update work with the necessary rights. # The use of utempter obsoletes the need for sgid bits on terminal emulator # binaries. We mention screen here, but all other terminal emulators have @@ -216,32 +173,18 @@ # # kde # -# arts wrapper, normally suid root: -/opt/kde3/bin/artswrapper root:root 0755 # needs setuid root when using shadow via NIS: # #66218 -/opt/kde3/bin/kcheckpass root:shadow 0755 /usr/lib/kde4/libexec/kcheckpass root:shadow 0755 /usr/lib64/kde4/libexec/kcheckpass root:shadow 0755 -# This has a meaning... hmm... -/opt/kde3/bin/kdesud root:nogroup 0755 /usr/lib/kde4/libexec/kdesud root:nogroup 0755 /usr/lib64/kde4/libexec/kdesud root:nogroup 0755 /usr/lib/libexec/kf5/kdesud root:nogroup 0755 /usr/lib64/libexec/kf5/kdesud root:nogroup 0755 -# used for getting proxy settings from dhcp -/opt/kde3/bin/kpac_dhcp_helper root:root 0755 -# used to distract the oom killer -# #203535 -/opt/kde3/bin/start_kdeinit root:root 0755 # bnc#523833 /usr/lib/kde4/libexec/start_kdeinit root:root 0755 /usr/lib64/kde4/libexec/start_kdeinit root:root 0755 -# edits /etc/smb.conf -# #66312 -/usr/bin/fileshareset root:root 0755 - # # amanda @@ -325,8 +268,8 @@ # VirtualBox (#429725) /usr/lib/virtualbox/VirtualBox root:vboxusers 0755 -/usr/lib/virtualbox/VirtualBox3 root:vboxusers 0755 -/usr/lib/virtualbox/VBoxBFE root:vboxusers 0755 +# bsc#1120650 +/usr/lib/virtualbox/VirtualBoxVM root:vboxusers 0750 /usr/lib/virtualbox/VBoxHeadless root:vboxusers 0755 /usr/lib/virtualbox/VBoxSDL root:vboxusers 0755 # (bnc#533550) @@ -366,24 +309,9 @@ /usr/lib/singularity/bin/mount-suid root:singularity 0750 /usr/lib/singularity/bin/start-suid root:singularity 0750 -# -# XXX: / -> /usr merge and sbin -> bin merge -# XXX: duplicated entries need to be cleaned up before 12.2 /usr/bin/su root:root 0755 -# temporary hack to make the move from coreutils to util-linux work -/usr/bin/su.core root:root 0755 -/usr/sbin/mount.nfs root:root 0755 -/usr/bin/mount.nfs root:root 0755 /usr/bin/mount root:root 0755 /usr/bin/umount root:root 0755 -/usr/sbin/unix_chkpwd root:shadow 0755 -/usr/bin/unix_chkpwd root:shadow 0755 -/usr/sbin/unix2_chkpwd root:shadow 0755 -/usr/bin/unix2_chkpwd root:shadow 0755 -/usr/sbin/isdnctrl root:dialout 0755 -/usr/bin/isdnctrl root:dialout 0755 -/usr/sbin/pccardctl root:trusted 0755 -/usr/bin/pccardctl root:trusted 0755 # cdrecord of cdrtools from Joerg Schilling (bnc#550021) # in paranoid mode, no provisions are made for reliable cd burning, as admins @@ -394,8 +322,6 @@ # qemu-bridge-helper has no special privileges currently (bnc#765948) /usr/lib/qemu-bridge-helper root:root 755 -/usr/lib64/qemu-bridge-helper root:root 755 - # systemd-journal (bnc#888151) /var/log/journal/ root:systemd-journal 2755 @@ -432,8 +358,11 @@ # gvfs (bsc#1065864) /usr/lib/gvfs/gvfsd-nfs root:root 0755 -# incinga2 (bsc#1069410) -/run/incinga2/cmd icinga:icingagmd 0750 +# icinga2 (bsc#1069410) +/run/icinga2/cmd icinga:icingagmd 0750 + +# fping (bsc#1047921) +/usr/sbin/fping root:root 0755 # usbauth (bsc#1066877) /usr/bin/usbauth-npriv root:usbauth 0750 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20181116/permissions.secure new/permissions-20190212/permissions.secure --- old/permissions-20181116/permissions.secure 2018-11-16 16:33:52.000000000 +0100 +++ new/permissions-20190212/permissions.secure 2019-02-12 15:17:25.000000000 +0100 @@ -65,12 +65,17 @@ /etc/crontab root:root 600 /etc/exports root:root 644 /etc/fstab root:root 644 -/etc/ftpaccess root:root 644 /etc/ftpusers root:root 644 -/etc/rmtab root:root 644 /var/lib/nfs/rmtab root:root 644 /etc/syslog.conf root:root 600 /etc/ssh/sshd_config root:root 600 +# we might want to tighten that up in the future in this profile (remove the +# ability for others to read/enter) +/etc/cron.d root:root 755 +/etc/cron.daily root:root 755 +/etc/cron.hourly root:root 755 +/etc/cron.monthly root:root 755 +/etc/cron.weekly root:root 755 # # suid system programs that need the suid bit to work: @@ -91,29 +96,15 @@ # opie password system # #66303 /usr/bin/opiepasswd root:root 4755 -# "user" entries in /etc/fstab make mount work for non-root users: -/usr/bin/ncpmount root:trusted 4750 -/usr/bin/ncpumount root:trusted 4750 # #331020 /sbin/mount.nfs root:root 0755 -/bin/mount root:root 4755 -/bin/umount root:root 4755 # # #133657 /usr/bin/fusermount root:trusted 4750 -# #66203 -/usr/lib/majordomo/wrapper root:daemon 4750 -# glibc backwards compatibility -/usr/lib/pt_chown root:root 4755 -/usr/lib64/pt_chown root:root 4755 # needs setuid root when using shadow via NIS: # #216816 /sbin/unix_chkpwd root:shadow 4755 /sbin/unix2_chkpwd root:shadow 4755 -# qpopper -/usr/sbin/popauth pop:trusted 4750 -# from the squid package -/usr/sbin/pam_auth root:shadow 4755 # squid changes from bnc#891268 /var/cache/squid/ squid:root 0750 @@ -131,36 +122,18 @@ # # video /usr/bin/v4l-conf root:video 4750 -# Itanium ia32 emulator -/usr/lib/ia32el/suid_ia32x_loader root:root 0755 -# scotty: -# #66211 -/usr/bin/ntping root:trusted 4750 # turned off write and wall by disabling sgid tty: /usr/bin/wall root:tty 0755 /usr/bin/write root:tty 0755 # thttpd: sgid + executeable only for group www. Useless... /usr/bin/makeweb root:www 2750 -# yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp. -/usr/bin/yaps root:uucp 0755 -# ncpfs tool: trusted only -/usr/bin/nwsfind root:trusted 4750 -/usr/bin/ncplogin root:trusted 4750 -/usr/bin/ncpmap root:trusted 4750 -# lpdfilter: -# checks itself that only lp and root can call it -/usr/lib/lpdfilter/bin/runlpr root:root 4755 # pcmcia: # Needs setuid to eject cards (#100120) /sbin/pccardctl root:trusted 4750 # gnokii nokia cellphone software # #66209 /usr/sbin/mgnokiidev root:uucp 755 -# pcp, performance co-pilot -# setuid root is used to write /var/log/pcp/NOTICES -# #66205 -/usr/lib/pcp/pmpost root:trusted 4750 # mailman mailing list software # #66315 /usr/lib/mailman/cgi-bin/admin root:mailman 2755 @@ -180,9 +153,6 @@ # libgnomesu (#75823, #175616) /usr/lib/libgnomesu/gnomesu-pam-backend root:root 4755 -# control-center2 (#104993) -/usr/sbin/change-passwd root:root 4755 - # # networking (need root for the privileged socket) # @@ -196,11 +166,6 @@ /usr/bin/rlogin root:root 4755 /usr/bin/rsh root:root 4755 -# heartbeat #66310 -# cl_status needs to be allowed to connect to the heartbeat API. If the setgid -# bit is removed, one can manually add users to the haclient group instead. -/usr/bin/cl_status root:haclient 2555 - # exim /usr/sbin/exim root:root 4755 @@ -224,7 +189,7 @@ # # terminal emulators -# This and future SuSE products have support for the utempter, a small helper +# This and future SUSE products have support for the utempter, a small helper # program that does the utmp/wtmp update work with the necessary rights. # The use of utempter obsoletes the need for sgid bits on terminal emulator # binaries. We mention screen here, but all other terminal emulators have @@ -239,31 +204,18 @@ # (all of them are disabled in permissions.secure except for # the helper programs) # -# arts wrapper, normally suid root: -/opt/kde3/bin/artswrapper root:root 0755 # needs setuid root when using shadow via NIS: # #66218 -/opt/kde3/bin/kcheckpass root:shadow 4755 /usr/lib/kde4/libexec/kcheckpass root:shadow 4755 /usr/lib64/kde4/libexec/kcheckpass root:shadow 4755 -# This has a meaning... hmm... -/opt/kde3/bin/kdesud root:nogroup 2755 /usr/lib/kde4/libexec/kdesud root:nogroup 2755 /usr/lib64/kde4/libexec/kdesud root:nogroup 2755 /usr/lib/libexec/kf5/kdesud root:nogroup 2755 /usr/lib64/libexec/kf5/kdesud root:nogroup 2755 -# used for getting proxy settings from dhcp -/opt/kde3/bin/kpac_dhcp_helper root:root 0755 -# used to distract the oom killer -# #203535 -/opt/kde3/bin/start_kdeinit root:root 4755 # bnc#523833 /usr/lib/kde4/libexec/start_kdeinit root:root 4755 /usr/lib64/kde4/libexec/start_kdeinit root:root 4755 -# edits /etc/smb.conf -# #66312 -/usr/bin/fileshareset root:root 0755 # # amanda @@ -348,8 +300,8 @@ # VirtualBox (#429725) /usr/lib/virtualbox/VirtualBox root:vboxusers 0755 -/usr/lib/virtualbox/VirtualBox3 root:vboxusers 0755 -/usr/lib/virtualbox/VBoxBFE root:vboxusers 0755 +# bsc#1120650 +/usr/lib/virtualbox/VirtualBoxVM root:vboxusers 0750 /usr/lib/virtualbox/VBoxHeadless root:vboxusers 0755 /usr/lib/virtualbox/VBoxSDL root:vboxusers 0755 # (bnc#533550) @@ -390,24 +342,9 @@ /usr/lib/singularity/bin/mount-suid root:singularity 4750 /usr/lib/singularity/bin/start-suid root:singularity 4750 -# -# XXX: / -> /usr merge and sbin -> bin merge -# XXX: duplicated entries need to be cleaned up before 12.2 /usr/bin/su root:root 4755 -# temporary hack to make the move from coreutils to util-linux work -/usr/bin/su.core root:root 4755 -/usr/sbin/mount.nfs root:root 0755 -/usr/bin/mount.nfs root:root 0755 /usr/bin/mount root:root 4755 /usr/bin/umount root:root 4755 -/usr/sbin/unix_chkpwd root:shadow 4755 -/usr/bin/unix_chkpwd root:shadow 4755 -/usr/sbin/unix2_chkpwd root:shadow 4755 -/usr/bin/unix2_chkpwd root:shadow 4755 -/usr/sbin/isdnctrl root:dialout 4750 -/usr/bin/isdnctrl root:dialout 4750 -/usr/sbin/pccardctl root:trusted 4750 -/usr/bin/pccardctl root:trusted 4750 # cdrecord of cdrtools from Joerg Schilling (bnc#550021) # in secure mode, no provisions are made for reliable cd burning, as admins @@ -418,7 +355,6 @@ # qemu-bridge-helper (bnc#765948, bsc#988279) /usr/lib/qemu-bridge-helper root:kvm 04750 -/usr/lib64/qemu-bridge-helper root:kvm 04750 # systemd-journal (bnc#888151) /var/log/journal/ root:systemd-journal 2755 @@ -457,8 +393,8 @@ # gvfs (bsc#1065864) /usr/lib/gvfs/gvfsd-nfs root:root 0755 -# incinga2 (bsc#1069410) -/run/incinga2/cmd icinga:icingagmd 2750 +# icinga2 (bsc#1069410) +/run/icinga2/cmd icinga:icingagmd 2750 # fping (bsc#1047921) /usr/sbin/fping root:root 0755
