Hello community, here is the log from the commit of package permissions for openSUSE:Factory checked in at 2020-07-15 11:12:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/permissions (Old) and /work/SRC/openSUSE:Factory/.permissions.new.3060 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "permissions" Wed Jul 15 11:12:57 2020 rev:138 rq:819968 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/permissions/permissions.changes 2020-06-24 15:47:30.992079239 +0200 +++ /work/SRC/openSUSE:Factory/.permissions.new.3060/permissions.changes 2020-07-15 11:13:53.324935511 +0200 
@@ -1,0 +2,41 @@ +Fri Jul 10 09:50:04 UTC 2020 - [email protected] + +- Update to version 20200710: + * Revert "etc/permissions: remove entries for bind-chrootenv". This + currently conflicts with the way the CheckSUIDPermissions rpmlint-check is + implemented. + +------------------------------------------------------------------- +Tue Jul 7 15:56:02 UTC 2020 - Callum Farmer <[email protected]> + +- Removed dbus-libexec.patch: contained in upstream + +------------------------------------------------------------------- +Tue Jul 07 13:25:40 UTC 2020 - [email protected] + +- Update to version 20200624: + * rework permissions.local text (boo#1173221) + * dbus-1: adjust to new libexec dir location (bsc#1171164) + * permission profiles: reinstate kdesud for kde5 + * etc/permissions: remove entries for bind-chrootenv + * etc/permissions: remove traceroute entry + * VirtualBox: remove outdated entry which is only a symlink any more + * /bin/su: remove path refering to symlink + * etc/permissions: remove legacy RPM directory entries + * /etc/permissions: remove outdated sudo directories + * singularity: remove outdated setuid-binary entries + * chromium: remove now unneeded chrome_sandbox entry (bsc#1163588) + * dbus-1: remove deprecated alternative paths + * PolicyKit: remove outdated entries last used in SLE-11 + * pcp: remove no longer needed / conflicting entries + * gnats: remove entries for package removed from Factory + * kdelibs4: remove entries for package removed from Factory + * v4l-base: remove entries for package removed from Factory + * mailman: remove entries for package deleted from Factory + * gnome-pty-helper: remove dead entry no longer part of the vte package + * gnokii: remove entries for package no longer in Factory + * xawtv (v4l-conf): correct group ownership in easy profile + * systemd-journal: remove unnecessary profile entries + * thttp: make makeweb entry usable in the secure profile (bsc#1171580) + 
+-------------------------------------------------------------------
Old:
----
dbus-libexec.patch
permissions-20200526.tar.xz
New:
----
permissions-20200710.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ permissions.spec ++++++
--- /var/tmp/diff_new_pack.V7av5q/_old 2020-07-15 11:13:56.784938935 +0200
+++ /var/tmp/diff_new_pack.V7av5q/_new 2020-07-15 11:13:56.784938935 +0200
@@ -16,7 +16,7 @@
 #
-%define VERSION_DATE 20200526
+%define VERSION_DATE 20200710
 Name: permissions
 Version: %{VERSION_DATE}.%{suse_version}
@@ -28,7 +28,6 @@
 URL: http://github.com/openSUSE/permissions
 Source: permissions-%{VERSION_DATE}.tar.xz
 Source1: fix_version.sh
-Patch0: dbus-libexec.patch
 BuildRequires: gcc-c++
 BuildRequires: libcap-devel
 BuildRequires: libcap-progs
@@ -41,7 +40,7 @@
 Provides: aaa_base:%{_datadir}/permissions
 %prep
-%autosetup -p1 -n permissions-%{VERSION_DATE}
+%autosetup -n permissions-%{VERSION_DATE}
 %build
 make %{?_smp_mflags} CFLAGS="-W -Wall %{optflags}" FSCAPS_DEFAULT_ENABLED=0
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.V7av5q/_old 2020-07-15 11:13:56.816938967 +0200
+++ /var/tmp/diff_new_pack.V7av5q/_new 2020-07-15 11:13:56.816938967 +0200
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://github.com/openSUSE/permissions.git</param>
- <param name="changesrevision">19a5eb449122601ea1f4053b575028d1895fedbb</param></service></servicedata>
\ No newline at end of file
+ <param name="changesrevision">8c1d3398d1f446ac3f27b293ab9d69ad73aaea6d</param></service></servicedata>
\ No newline at end of file
++++++ permissions-20200526.tar.xz -> permissions-20200710.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20200526/etc/permissions new/permissions-20200710/etc/permissions
--- old/permissions-20200526/etc/permissions 2020-05-26 14:54:31.000000000 +0200
+++ new/permissions-20200710/etc/permissions 2020-07-10 11:44:15.000000000 +0200
@@ -69,8 +69,6 @@
 /var/cache/ root:root 755
 /var/run/nscd/socket root:root 666
 /run/nscd/socket root:root 666
-/var/run/sudo/ root:root 700
-/run/sudo/ root:root 700
 #
 # login tracking
@@ -136,9 +134,6 @@
 #
 # legacy
-#
-# new traceroute program by Olaf Kirch does not need setuid root any more.
-/usr/sbin/traceroute root:root 755
 # games:games 775 safe as long as we don't change files below it (#103186)
 # still people do it (#429882) so root:root 755 is the consequence.
@@ -160,57 +155,15 @@
 #
 # named chroot (#438045)
 #
+# These currently conflict with a systemd-tmpfiles configuration file.
+# The entries in parallel serve the purpose of a whitelisting for
+# world-writable files, therefore they need to stay in place until we have a
+# better whitelisting concept.
 /var/lib/named/dev/null root:root 0666
 /var/lib/named/dev/random root:root 0666
 # opiesu is not allowed setuid root as code quality is bad (bnc#882035)
 /usr/bin/opiesu root:root 0755
-# we no longer make rpm build dirs 1777
-/usr/src/packages/SOURCES/ root:root 0755
-/usr/src/packages/BUILD/ root:root 0755
-/usr/src/packages/BUILDROOT/ root:root 0755
-/usr/src/packages/RPMS/ root:root 0755
-/usr/src/packages/RPMS/alphaev56/ root:root 0755
-/usr/src/packages/RPMS/alphaev67/ root:root 0755
-/usr/src/packages/RPMS/alphaev6/ root:root 0755
-/usr/src/packages/RPMS/alpha/ root:root 0755
-/usr/src/packages/RPMS/amd64/ root:root 0755
-/usr/src/packages/RPMS/arm4l/ root:root 0755
-/usr/src/packages/RPMS/armv4l/ root:root 0755
-/usr/src/packages/RPMS/armv5tejl/ root:root 0755
-/usr/src/packages/RPMS/armv5tejvl/ root:root 0755
-/usr/src/packages/RPMS/armv5tel/ root:root 0755
-/usr/src/packages/RPMS/armv5tevl/ root:root 0755
-/usr/src/packages/RPMS/armv6l/ root:root 0755
-/usr/src/packages/RPMS/armv6vl/ root:root 0755
-/usr/src/packages/RPMS/armv7l/ root:root 0755
-/usr/src/packages/RPMS/athlon/ root:root 0755
-/usr/src/packages/RPMS/geode/ root:root 0755
-/usr/src/packages/RPMS/hppa2.0/ root:root 0755
-/usr/src/packages/RPMS/hppa/ root:root 0755
-/usr/src/packages/RPMS/i386/ root:root 0755
-/usr/src/packages/RPMS/i486/ root:root 0755
-/usr/src/packages/RPMS/i586/ root:root 0755
-/usr/src/packages/RPMS/i686/ root:root 0755
-/usr/src/packages/RPMS/ia32e/ root:root 0755
-/usr/src/packages/RPMS/ia64/ root:root 0755
-/usr/src/packages/RPMS/mips/ root:root 0755
-/usr/src/packages/RPMS/noarch/ root:root 0755
-/usr/src/packages/RPMS/pentium3/ root:root 0755
-/usr/src/packages/RPMS/pentium4/ root:root 0755
-/usr/src/packages/RPMS/powerpc64/ root:root 0755
-/usr/src/packages/RPMS/powerpc/ root:root 0755
-/usr/src/packages/RPMS/ppc64/ root:root 0755
-/usr/src/packages/RPMS/ppc/ root:root 0755
-/usr/src/packages/RPMS/s390/ root:root 0755
-/usr/src/packages/RPMS/s390x/ root:root 0755
-/usr/src/packages/RPMS/sparc64/ root:root 0755
-/usr/src/packages/RPMS/sparc/ root:root 0755
-/usr/src/packages/RPMS/sparcv9/ root:root 0755
-/usr/src/packages/RPMS/x86_64/ root:root 0755
-/usr/src/packages/SPECS/ root:root 0755
-/usr/src/packages/SRPMS/ root:root 0755
-
 # ceph log directory (bsc#1150366)
 /var/log/ceph/ ceph:ceph 3770
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20200526/etc/permissions.local new/permissions-20200710/etc/permissions.local
--- old/permissions-20200526/etc/permissions.local 2020-05-26 14:54:31.000000000 +0200
+++ new/permissions-20200710/etc/permissions.local 2020-07-10 11:44:15.000000000 +0200
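Review bot: The comment added above /var/lib/named/dev/null explains that the entries conflict with "a systemd-tmpfiles configuration file" and act as a whitelist for world-writable files, but it names neither the tmpfiles.d file nor who consumes the whitelist, so a later maintainer cannot tell what has to change before the two entries can finally go. The changelog in this request gives the concrete blocker, the CheckSUIDPermissions rpmlint check, and that belongs next to the entries rather than only in the package history; I would extend the comment with `# (the rpmlint CheckSUIDPermissions check currently relies on these entries; see the 20200710 changelog)` and add the name of the conflicting tmpfiles.d file, which I cannot identify from this diff. The rest of the hunk, the removal of the /usr/src/packages entries, raises nothing.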
@@ -7,42 +7,21 @@
 #
 # This file is used by chkstat (and indirectly by various RPM package scripts)
 # to check or set the modes and ownerships of files and directories in
-# the installation.
+# the installation. It has priority over the distribution defaults in
+# /usr/share/permissions.
 #
-# If you want chkstat to be run automatically after zypper operations, then
-# you can install the permissions-zypp-plugin. This is helpful when you are
-# entering permissions in this file that get overwritten by package updates.
-# The plugin keeps the custom permissions in place.
-#
-# In particular, this file will not be touched during an upgrade of the
-# installation. It is designed to be a placeholder for local
-# additions by the administrator of the system to reflect filemodes
-# of locally installed packages or to override file permissions as
-# shipped with the distribution.
+# Please see the man page permissions(5) for general usage hints of this and
+# related files. Note that operations like package updates, log rotation or
+# systemd-tmpfiles can reset these file permissions. By default, changes to this
+# file are therefore only really useful to override the distribution default
+# permissions of files shipping with setXid permissions or capabilities.
+#
+# If you want entries for files installed through RPM to also be applied after
+# zypper operations, then you can install the permissions-zypp-plugin. This is
+# helpful when you are entering permissions in this file that get overwritten
+# by package updates.
 #
-# Format:
-# <file> <owner>:<group> <permission>
 #
-# Please see the file /etc/permissions for general usage hints of the
-# /etc/permissions* files.
-# Please remember that logfiles might be modified by the logfile
-# rotation facilities (e.g. logrotate) so settings entered here might
-# be overridden. Also devices files (/dev/*) are not static but
-# managed via udev so this file can't be used to modify device
-# permissions either.
-#
-
-
 #
-# suexec is only secure if the document root doesn't contain files
-# writeable by wwwrun. Make sure you have a safe server setup
-# before setting the setuid bit! See also
-# https://bugzilla.novell.com/show_bug.cgi?id=263789
-# http://httpd.apache.org/docs/trunk/suexec.html
-#
-#/usr/sbin/suexec2 root:root 4755
-#/usr/sbin/suexec root:root 4755
-
-# setuid bit on Xorg is only needed if no display manager, ie startx
-# is used. Beware of CVE-2010-2240.
+# Format:
+# <file> <owner>:<group> <mode>
 #
-#/usr/bin/Xorg root:root 4711
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20200526/profiles/permissions.easy new/permissions-20200710/profiles/permissions.easy
--- old/permissions-20200526/profiles/permissions.easy 2020-05-26 14:54:31.000000000 +0200
+++ new/permissions-20200710/profiles/permissions.easy 2020-07-10 11:44:15.000000000 +0200
@@ -41,7 +41,6 @@
 #
 # suid system programs that need the suid bit to work:
 #
-/bin/su root:root 4755
 /usr/bin/at root:trusted 4755
 /usr/bin/crontab root:trusted 4755
 /usr/bin/gpasswd root:shadow 4755
@@ -74,14 +73,11 @@
 /usr/sbin/basic_pam_auth root:shadow 2750
-# still to be converted to utempter
-/usr/lib/gnome-pty-helper root:utmp 2755
-
 #
 # mixed section:
 #
-# video
-/usr/bin/v4l-conf root:video 4755
+# xawtv (kind of reviewed via bsc#1171655)
+/usr/bin/v4l-conf root:root 4755
 # turn off write and wall by disabling sgid tty:
 /usr/bin/wall root:tty 2755
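Review bot: The rewritten header drops the old caveat that device nodes under /dev are managed by udev and cannot be configured from this file, while the new sentence lists only package updates, log rotation and systemd-tmpfiles as things that reset permissions, so an administrator who adds a /dev entry here no longer gets any hint that it will not stick. Unless permissions(5) now covers this, I would keep udev in the new list: `# related files. Note that operations like package updates, log rotation, udev (for` followed by `# device nodes) or systemd-tmpfiles can reset these file permissions. By default, changes to this`. The suexec and Xorg examples go away together with their warnings, which is consistent with the changelog's rework of this text.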
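Review bot: After this hunk the three profiles disagree on the owner of /usr/bin/v4l-conf: permissions.easy now says root:root 4755, while the permissions.paranoid and permissions.secure hunks later in this diff keep root:video (0755 and 4750). The changelog calls this a correction of the group ownership in the easy profile, so it may well be intended, but in the secure profile root:video 4750 is exactly what limits who may run the setuid binary, and switching profiles will now change the group of the installed file as well as its mode. If root:root is the outcome of bsc#1171655 the other two profiles should carry it too; otherwise a short comment on why easy differs, e.g. `# xawtv (kind of reviewed via bsc#1171655); group deliberately differs from secure/paranoid`, would save the next reader the same question.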
@@ -91,24 +87,6 @@
 # pcmcia:
 # Needs setuid to eject cards (#100120)
 /sbin/pccardctl root:trusted 4755
-# gnokii nokia cellphone software
-# #66209
-/usr/sbin/mgnokiidev root:uucp 4755
-# mailman mailing list software
-# #66315
-/usr/lib/mailman/cgi-bin/admin root:mailman 2755
-/usr/lib/mailman/cgi-bin/admindb root:mailman 2755
-/usr/lib/mailman/cgi-bin/edithtml root:mailman 2755
-/usr/lib/mailman/cgi-bin/listinfo root:mailman 2755
-/usr/lib/mailman/cgi-bin/options root:mailman 2755
-/usr/lib/mailman/cgi-bin/private root:mailman 2755
-/usr/lib/mailman/cgi-bin/roster root:mailman 2755
-/usr/lib/mailman/cgi-bin/subscribe root:mailman 2755
-/usr/lib/mailman/cgi-bin/confirm root:mailman 2755
-/usr/lib/mailman/cgi-bin/create root:mailman 2755
-/usr/lib/mailman/cgi-bin/editarch root:mailman 2755
-/usr/lib/mailman/cgi-bin/rmlist root:mailman 2755
-/usr/lib/mailman/mail/mailman root:mailman 2755
 # libgnomesu (#75823, #175616)
 /usr/lib/libgnomesu/gnomesu-pam-backend root:root 4755
@@ -132,10 +110,6 @@
 # dialup networking programs
 #
 /usr/sbin/pppoe-wrapper root:dialout 4750
-# i4l package (#100750):
-/sbin/isdnctrl root:dialout 4750
-# #66111
-/usr/bin/vboxbeep root:trusted 4755
 #
@@ -159,24 +133,10 @@
 # framebuffer terminal emulator (japanese)
 /usr/bin/jfbterm root:tty 6755
-#
-# kde
-# (all of them are disabled in permissions.secure except for
-# the helper programs)
-#
-# needs setuid root when using shadow via NIS:
-# #66218
-/usr/lib/kde4/libexec/kcheckpass root:shadow 4755
-/usr/lib64/kde4/libexec/kcheckpass root:shadow 4755
-/usr/lib/kde4/libexec/kdesud root:nogroup 2755
-/usr/lib64/kde4/libexec/kdesud root:nogroup 2755
+# kdesud (bsc#872276)
 /usr/lib/libexec/kf5/kdesud root:nogroup 2755
 /usr/lib64/libexec/kf5/kdesud root:nogroup 2755
-# bnc#523833
-/usr/lib/kde4/libexec/start_kdeinit root:root 4755
-/usr/lib64/kde4/libexec/start_kdeinit root:root 4755
-
 #
 # amanda
 #
@@ -199,14 +159,6 @@
 #
-# gnats
-#
-/usr/lib/gnats/gen-index gnats:root 4555
-/usr/lib/gnats/pr-edit gnats:root 4555
-/usr/lib/gnats/queue-pr gnats:root 4555
-
-
-#
 # news (inn)
 #
 # the inn start script changes it's uid to news:news. Later innbind
@@ -242,40 +194,19 @@
 /usr/lib/uucp/uuxqt uucp:uucp 6555
 /usr/libexec/uucp/uuxqt uucp:uucp 6555
-# pcp (bnc#782967)
-/var/lib/pcp/tmp/ root:root 1777
-/var/lib/pcp/tmp/pmdabash/ root:root 1777
-/var/lib/pcp/tmp/mmv/ root:root 1777
-/var/lib/pcp/tmp/pmlogger/ root:root 1777
-/var/lib/pcp/tmp/pmie/ root:root 1777
-
-# PolicyKit (#295341)
-/usr/lib/PolicyKit/polkit-set-default-helper polkituser:root 4755
-/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 2755
-/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 2755
-/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 2755
-/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 2755
-/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 4750
-
 # polkit new (bnc#523377)
 /usr/lib/polkit-1/polkit-agent-helper-1 root:root 4755
 /usr/libexec/polkit-1/polkit-agent-helper-1 root:root 4755
 /usr/bin/pkexec root:root 4755
-# dbus-1 (#333361)
-/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
-/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
-# dbus-1 in /usr #1056764)
+# dbus-1 (#333361, #1056764, bsc#1171164)
 /usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
-/usr/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
+/usr/libexec/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
 # policycoreutils (#440596)
 /usr/bin/newrole root:root 4755
-# VirtualBox (#429725)
-/usr/lib/virtualbox/VirtualBox root:vboxusers 4750
-/usr/libexec/virtualbox/VirtualBox root:vboxusers 4750
-# bsc#1120650
+# VirtualBox (#429725, bsc#1120650)
 /usr/lib/virtualbox/VirtualBoxVM root:vboxusers 4750
 /usr/libexec/virtualbox/VirtualBoxVM root:vboxusers 4750
 /usr/lib/virtualbox/VBoxHeadless root:vboxusers 4750
@@ -302,9 +233,6 @@
 /usr/sbin/hawk_chkpwd root:haclient 4750
 /usr/sbin/hawk_invoke root:haclient 4750
-# chromium (bnc#718016)
-/usr/lib/chrome_sandbox root:root 4755
-
 # ecryptfs-utils (bnc#740110)
 /sbin/mount.ecryptfs_private root:root 4755
@@ -312,15 +240,6 @@
 /usr/bin/dumpcap root:wireshark 0750
 +capabilities cap_net_raw,cap_net_admin=ep
-# singularity (bsc#1028304)
-# these have been dropped in version 2.4 (see bsc#1111411, comment 4)
-#/usr/lib/singularity/bin/expand-suid root:singularity 4750
-#/usr/lib/singularity/bin/create-suid root:singularity 4750
-#/usr/lib/singularity/bin/export-suid root:singularity 4750
-#/usr/lib/singularity/bin/import-suid root:singularity 4750
-/usr/lib/singularity/bin/action-suid root:singularity 4750
-/usr/lib/singularity/bin/mount-suid root:singularity 4750
-/usr/lib/singularity/bin/start-suid root:singularity 4750
 # singularity version 3 (bsc#1128598)
 /usr/lib/singularity/bin/starter-suid root:singularity 4750
 /usr/libexec/singularity/bin/starter-suid root:singularity 4750
@@ -342,9 +261,6 @@
 /usr/lib/qemu-bridge-helper root:kvm 04750
 /usr/libexec/qemu-bridge-helper root:kvm 04750
-# systemd-journal (bnc#888151)
-/var/log/journal/ root:systemd-journal 2755
-
 #iouyap (bnc#904060)
 /usr/lib/iouyap root:iouyap 0750
 +capabilities cap_net_raw,cap_net_admin=ep
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20200526/profiles/permissions.paranoid new/permissions-20200710/profiles/permissions.paranoid
--- old/permissions-20200526/profiles/permissions.paranoid 2020-05-26 14:54:31.000000000 +0200
+++ new/permissions-20200710/profiles/permissions.paranoid 2020-07-10 11:44:15.000000000 +0200
@@ -58,7 +58,6 @@
 #
 # suid system programs that need the suid bit to work:
 #
-/bin/su root:root 0755
 # disable at and cron for non-root users
 /usr/bin/at root:trusted 0755
 /usr/bin/crontab root:trusted 0755
@@ -91,13 +90,10 @@
 /usr/sbin/basic_pam_auth root:shadow 0750
-# still to be converted to utempter
-/usr/lib/gnome-pty-helper root:utmp 0755
-
 #
 # mixed section: most of it is disabled in this permissions.paranoid:
 #
-# video
+# xawtv (kind of reviewed via bsc#1171655)
 /usr/bin/v4l-conf root:video 0755
 # turned off write and wall by disabling sgid tty:
@@ -108,24 +104,6 @@
 # pcmcia:
 # Needs setuid to eject cards (#100120)
 /sbin/pccardctl root:trusted 0755
-# gnokii nokia cellphone software
-# #66209
-/usr/sbin/mgnokiidev root:uucp 755
-# mailman mailing list software
-# #66315
-/usr/lib/mailman/cgi-bin/admin root:mailman 0755
-/usr/lib/mailman/cgi-bin/admindb root:mailman 0755
-/usr/lib/mailman/cgi-bin/edithtml root:mailman 0755
-/usr/lib/mailman/cgi-bin/listinfo root:mailman 0755
-/usr/lib/mailman/cgi-bin/options root:mailman 0755
-/usr/lib/mailman/cgi-bin/private root:mailman 0755
-/usr/lib/mailman/cgi-bin/roster root:mailman 0755
-/usr/lib/mailman/cgi-bin/subscribe root:mailman 0755
-/usr/lib/mailman/cgi-bin/confirm root:mailman 0755
-/usr/lib/mailman/cgi-bin/create root:mailman 0755
-/usr/lib/mailman/cgi-bin/editarch root:mailman 0755
-/usr/lib/mailman/cgi-bin/rmlist root:mailman 0755
-/usr/lib/mailman/mail/mailman root:mailman 0755
 # libgnomesu (#75823, #175616)
 /usr/lib/libgnomesu/gnomesu-pam-backend root:root 0755
@@ -146,10 +124,6 @@
 # dialup networking programs
 #
 /usr/sbin/pppoe-wrapper root:dialout 0750
-# i4l package (#100750):
-/sbin/isdnctrl root:dialout 0750
-# #66111
-/usr/bin/vboxbeep root:trusted 0755
 #
@@ -172,22 +146,10 @@
 # framebuffer terminal emulator (japanese).
 /usr/bin/jfbterm root:tty 0755
-#
-# kde
-#
-# needs setuid root when using shadow via NIS:
-# #66218
-/usr/lib/kde4/libexec/kcheckpass root:shadow 0755
-/usr/lib64/kde4/libexec/kcheckpass root:shadow 0755
-/usr/lib/kde4/libexec/kdesud root:nogroup 0755
-/usr/lib64/kde4/libexec/kdesud root:nogroup 0755
+# kdesud (bsc#872276)
 /usr/lib/libexec/kf5/kdesud root:nogroup 0755
 /usr/lib64/libexec/kf5/kdesud root:nogroup 0755
-# bnc#523833
-/usr/lib/kde4/libexec/start_kdeinit root:root 0755
-/usr/lib64/kde4/libexec/start_kdeinit root:root 0755
-
 #
 # amanda
 #
@@ -210,14 +172,6 @@
 #
-# gnats
-#
-/usr/lib/gnats/gen-index gnats:root 0555
-/usr/lib/gnats/pr-edit gnats:root 0555
-/usr/lib/gnats/queue-pr gnats:root 0555
-
-
-#
 # news (inn)
 #
 # the inn start script changes it's uid to news:news. Later innbind
@@ -253,40 +207,19 @@
 /usr/lib/uucp/uuxqt uucp:uucp 0555
 /usr/libexec/uucp/uuxqt uucp:uucp 0555
-# pcp (bnc#782967)
-/var/lib/pcp/tmp/ root:root 0755
-/var/lib/pcp/tmp/pmdabash/ root:root 0755
-/var/lib/pcp/tmp/mmv/ root:root 0755
-/var/lib/pcp/tmp/pmlogger/ root:root 0755
-/var/lib/pcp/tmp/pmie/ root:root 0755
-
-# PolicyKit (#295341)
-/usr/lib/PolicyKit/polkit-set-default-helper root:polkituser 0755
-/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 0755
-/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 0755
-/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 0755
-/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 0755
-/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 0755
-
 # polkit new (bnc#523377)
 /usr/lib/polkit-1/polkit-agent-helper-1 root:root 0755
 /usr/libexec/polkit-1/polkit-agent-helper-1 root:root 0755
 /usr/bin/pkexec root:root 0755
-# dbus-1 (#333361)
-/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 0750
-/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 0750
-# dbus-1 in /usr #1056764)
+# dbus-1 (#333361, #1056764, bsc#1171164)
 /usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 0750
-/usr/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 0750
+/usr/libexec/dbus-1/dbus-daemon-launch-helper root:messagebus 0750
 # policycoreutils (#440596)
 /usr/bin/newrole root:root 0755
-# VirtualBox (#429725)
-/usr/lib/virtualbox/VirtualBox root:vboxusers 0755
-/usr/libexec/virtualbox/VirtualBox root:vboxusers 0755
-# bsc#1120650
+# VirtualBox (#429725, bsc#1120650)
 /usr/lib/virtualbox/VirtualBoxVM root:vboxusers 0750
 /usr/libexec/virtualbox/VirtualBoxVM root:vboxusers 0750
 /usr/lib/virtualbox/VBoxHeadless root:vboxusers 0755
@@ -314,24 +247,12 @@
 /usr/sbin/hawk_chkpwd root:haclient 0755
 /usr/sbin/hawk_invoke root:haclient 0755
-# chromium (bnc#718016)
-/usr/lib/chrome_sandbox root:root 0755
-
 # ecryptfs-utils (bnc#740110)
 /sbin/mount.ecryptfs_private root:root 0755
 # wireshark (bsc#957624)
 /usr/bin/dumpcap root:root 0755
-# singularity (bsc#1028304)
-# these have been dropped in version 2.4 (see bsc#1111411, comment 4)
-#/usr/lib/singularity/bin/expand-suid root:singularity 0750
-#/usr/lib/singularity/bin/create-suid root:singularity 0750
-#/usr/lib/singularity/bin/export-suid root:singularity 0750
-#/usr/lib/singularity/bin/import-suid root:singularity 0750
-/usr/lib/singularity/bin/action-suid root:singularity 0750
-/usr/lib/singularity/bin/mount-suid root:singularity 0750
-/usr/lib/singularity/bin/start-suid root:singularity 0750
 # singularity version 3 (bsc#1128598)
 /usr/lib/singularity/bin/starter-suid root:singularity 0750
 /usr/libexec/singularity/bin/starter-suid root:singularity 0750
@@ -351,9 +272,6 @@
 /usr/lib/qemu-bridge-helper root:root 755
 /usr/libexec/qemu-bridge-helper root:root 755
-# systemd-journal (bnc#888151)
-/var/log/journal/ root:systemd-journal 2755
-
 #iouyap (bnc#904060)
 /usr/lib/iouyap root:iouyap 0750
 /usr/libexec/iouyap root:iouyap 0750
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20200526/profiles/permissions.secure new/permissions-20200710/profiles/permissions.secure
--- old/permissions-20200526/profiles/permissions.secure 2020-05-26 14:54:31.000000000 +0200
+++ new/permissions-20200710/profiles/permissions.secure 2020-07-10 11:44:15.000000000 +0200
@@ -81,7 +81,6 @@
 #
 # suid system programs that need the suid bit to work:
 #
-/bin/su root:root 4755
 # disable at and cron for users that do not belong to the group "trusted"
 /usr/bin/at root:trusted 4750
 /usr/bin/crontab root:trusted 4750
@@ -115,41 +114,20 @@
 /usr/sbin/basic_pam_auth root:shadow 2750
-# still to be converted to utempter
-/usr/lib/gnome-pty-helper root:utmp 2755
-
 #
 # mixed section: most of it is disabled in this permissions.secure:
 #
-# video
+# xawtv (kind of reviewed via bsc#1171655)
 /usr/bin/v4l-conf root:video 4750
 # turned off write and wall by disabling sgid tty:
 /usr/bin/wall root:tty 0755
 /usr/bin/write root:tty 0755
-# thttpd: sgid + executeable only for group www. Useless...
-/usr/bin/makeweb root:www 2750
+# thttpd (bsc#1171580)
+/usr/bin/makeweb root:www 2751
 # pcmcia:
 # Needs setuid to eject cards (#100120)
 /sbin/pccardctl root:trusted 4750
-# gnokii nokia cellphone software
-# #66209
-/usr/sbin/mgnokiidev root:uucp 755
-# mailman mailing list software
-# #66315
-/usr/lib/mailman/cgi-bin/admin root:mailman 2755
-/usr/lib/mailman/cgi-bin/admindb root:mailman 2755
-/usr/lib/mailman/cgi-bin/edithtml root:mailman 2755
-/usr/lib/mailman/cgi-bin/listinfo root:mailman 2755
-/usr/lib/mailman/cgi-bin/options root:mailman 2755
-/usr/lib/mailman/cgi-bin/private root:mailman 2755
-/usr/lib/mailman/cgi-bin/roster root:mailman 2755
-/usr/lib/mailman/cgi-bin/subscribe root:mailman 2755
-/usr/lib/mailman/cgi-bin/confirm root:mailman 2755
-/usr/lib/mailman/cgi-bin/create root:mailman 2755
-/usr/lib/mailman/cgi-bin/editarch root:mailman 2755
-/usr/lib/mailman/cgi-bin/rmlist root:mailman 2755
-/usr/lib/mailman/mail/mailman root:mailman 2755
 # libgnomesu (#75823, #175616)
 /usr/lib/libgnomesu/gnomesu-pam-backend root:root 4755
@@ -172,10 +150,6 @@
 # dialup networking programs
 #
 /usr/sbin/pppoe-wrapper root:dialout 4750
-# i4l package (#100750):
-/sbin/isdnctrl root:dialout 4750
-# #66111
-/usr/bin/vboxbeep root:trusted 0755
 #
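Review bot: The replacement comment `# thttpd (bsc#1171580)` above /usr/bin/makeweb drops every explanation the old comment carried, and 2751 (setgid www, group r-x, others execute-only) is unusual enough that a reader cannot decode the intent from the bug number alone. I would state what the mode is meant to achieve in the file itself, e.g. `# thttpd (bsc#1171580): sgid www, execute-only for users outside group www`, and hedge anything beyond that with the bug reference. The hunk's other change, the v4l-conf comment, is covered by the note on the permissions.easy hunk.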
@@ -199,24 +173,10 @@
 # framebuffer terminal emulator (japanese)
 /usr/bin/jfbterm root:tty 0755
-#
-# kde
-# (all of them are disabled in permissions.secure except for
-# the helper programs)
-#
-# needs setuid root when using shadow via NIS:
-# #66218
-/usr/lib/kde4/libexec/kcheckpass root:shadow 4755
-/usr/lib64/kde4/libexec/kcheckpass root:shadow 4755
-/usr/lib/kde4/libexec/kdesud root:nogroup 2755
-/usr/lib64/kde4/libexec/kdesud root:nogroup 2755
+# kdesud (bsc#872276)
 /usr/lib/libexec/kf5/kdesud root:nogroup 2755
 /usr/lib64/libexec/kf5/kdesud root:nogroup 2755
-# bnc#523833
-/usr/lib/kde4/libexec/start_kdeinit root:root 4755
-/usr/lib64/kde4/libexec/start_kdeinit root:root 4755
-
 #
 # amanda
 #
@@ -239,14 +199,6 @@
 #
-# gnats
-#
-/usr/lib/gnats/gen-index gnats:root 4555
-/usr/lib/gnats/pr-edit gnats:root 4555
-/usr/lib/gnats/queue-pr gnats:root 4555
-
-
-#
 # news (inn)
 #
 # the inn start script changes it's uid to news:news. Later innbind
@@ -283,40 +235,19 @@
 /usr/libexec/uucp/uuxqt uucp:uucp 6555
-# pcp (bnc#782967)
-/var/lib/pcp/tmp/ root:root 0755
-/var/lib/pcp/tmp/pmdabash/ root:root 0755
-/var/lib/pcp/tmp/mmv/ root:root 0755
-/var/lib/pcp/tmp/pmlogger/ root:root 0755
-/var/lib/pcp/tmp/pmie/ root:root 0755
-
-# PolicyKit (#295341)
-/usr/lib/PolicyKit/polkit-set-default-helper polkituser:root 4755
-/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 2755
-/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 2755
-/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 2755
-/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 2755
-/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 4750
-
 # polkit new (bnc#523377)
 /usr/lib/polkit-1/polkit-agent-helper-1 root:root 4755
 /usr/libexec/polkit-1/polkit-agent-helper-1 root:root 4755
 /usr/bin/pkexec root:root 4755
-# dbus-1 (#333361)
-/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
-/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
-# dbus-1 in /usr #1056764)
+# dbus-1 (#333361 #1056764, bsc#1171164)
 /usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
-/usr/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
+/usr/libexec/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
 # policycoreutils (#440596)
 /usr/bin/newrole root:root 0755
-# VirtualBox (#429725)
-/usr/lib/virtualbox/VirtualBox root:vboxusers 0755
-/usr/libexec/virtualbox/VirtualBox root:vboxusers 0755
-# bsc#1120650
+# VirtualBox (#429725, bsc#1120650)
 /usr/lib/virtualbox/VirtualBoxVM root:vboxusers 0750
 /usr/libexec/virtualbox/VirtualBoxVM root:vboxusers 0750
 /usr/lib/virtualbox/VBoxHeadless root:vboxusers 0755
@@ -344,9 +275,6 @@
 /usr/sbin/hawk_chkpwd root:haclient 4750
 /usr/sbin/hawk_invoke root:haclient 4750
-# chromium (bnc#718016)
-/usr/lib/chrome_sandbox root:root 4755
-
 # ecryptfs-utils (bnc#740110)
 /sbin/mount.ecryptfs_private root:root 0755
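Review bot: The new comment `# dbus-1 (#333361 #1056764, bsc#1171164)` lacks the comma after #333361 that the same line has in the permissions.easy and permissions.paranoid hunks earlier in this diff. `# dbus-1 (#333361, #1056764, bsc#1171164)` keeps the three profiles identical so that a grep for the comment matches all of them. Nothing else in this hunk differs from the other two profiles beyond the profile-specific modes.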
@@ -354,15 +282,6 @@ /usr/bin/dumpcap root:wireshark 0750 +capabilities cap_net_raw,cap_net_admin=ep -# singularity (bsc#1028304) -# these have been dropped in version 2.4 (see bsc#1111411, comment 4) -#/usr/lib/singularity/bin/expand-suid root:singularity 4750 -#/usr/lib/singularity/bin/create-suid root:singularity 4750 -#/usr/lib/singularity/bin/export-suid root:singularity 4750 -#/usr/lib/singularity/bin/import-suid root:singularity 4750 -/usr/lib/singularity/bin/action-suid root:singularity 4750 -/usr/lib/singularity/bin/mount-suid root:singularity 4750 -/usr/lib/singularity/bin/start-suid root:singularity 4750 # singularity version 3 (bsc#1128598) /usr/lib/singularity/bin/starter-suid root:singularity 4750 /usr/libexec/singularity/bin/starter-suid root:singularity 4750 @@ -382,9 +301,6 @@ /usr/lib/qemu-bridge-helper root:kvm 04750 /usr/libexec/qemu-bridge-helper root:kvm 04750 -# systemd-journal (bnc#888151) -/var/log/journal/ root:systemd-journal 2755 - #iouyap (bnc#904060) /usr/lib/iouyap root:iouyap 0750 /usr/libexec/iouyap root:iouyap 0750
