Hello community, here is the log from the commit of package permissions for openSUSE:Factory checked in at 2016-01-16 11:55:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/permissions (Old) and /work/SRC/openSUSE:Factory/.permissions.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "permissions" Changes: -------- --- /work/SRC/openSUSE:Factory/permissions/permissions.changes 2015-10-06 13:23:19.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.permissions.new/permissions.changes 2016-01-16 11:55:51.000000000 +0100 @@ -1,0 +2,16 @@ +Fri Jan 15 14:19:44 UTC 2016 - [email protected] + +- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060) + +------------------------------------------------------------------- +Tue Jan 12 14:30:01 UTC 2016 - [email protected] + +- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363 + +------------------------------------------------------------------- +Thu Oct 29 09:40:30 UTC 2015 - [email protected] + +- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 +- added missing / to the squid specific directories (bsc#950557) + +------------------------------------------------------------------- Old: ---- permissions-2015.09.28.1626.tar.bz2 New: ---- permissions-2016.01.15.1451.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ permissions.spec ++++++ --- /var/tmp/diff_new_pack.tokRE3/_old 2016-01-16 11:55:52.000000000 +0100 +++ /var/tmp/diff_new_pack.tokRE3/_new 2016-01-16 11:55:52.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package permissions # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -20,7 +20,7 @@ BuildRequires: libcap-devel Name: permissions -Version: 2015.09.28.1626 +Version: 2016.01.15.1451 Release: 0 Provides: aaa_base:/etc/permissions PreReq: %fillup_prereq ++++++ permissions-2015.09.28.1626.tar.bz2 -> permissions-2016.01.15.1451.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-2015.09.28.1626/permissions.easy new/permissions-2016.01.15.1451/permissions.easy --- old/permissions-2015.09.28.1626/permissions.easy 2015-09-28 16:26:23.000000000 +0200 +++ new/permissions-2016.01.15.1451/permissions.easy 2016-01-15 14:51:59.000000000 +0100 @@ -77,9 +77,9 @@ /usr/sbin/pam_auth root:shadow 4755 # squid changes from bnc#891268 -/var/cache/squid squid:root 0750 -/var/log/squid squid:root 0750 -/usr/sbin/pinger root:squid 0750 +/var/cache/squid/ squid:root 0750 +/var/log/squid/ squid:root 0750 +/usr/sbin/pinger squid:root 0750 +capabilities cap_net_raw=ep /usr/sbin/basic_pam_auth root:shadow 2750 @@ -375,3 +375,13 @@ # radosgw (bsc#943471) /usr/bin/radosgw root:www 0750 +capabilities cap_net_bind_service=ep +# +# suexec is only secure if the document root doesn't contain files +# writeable by wwwrun. Make sure you have a safe server setup +# before setting the setuid bit! See also +# https://bugzilla.novell.com/show_bug.cgi?id=263789 +# http://httpd.apache.org/docs/trunk/suexec.html +# You need to override this in permissions.local. +# +/usr/sbin/suexec2 root:root 0755 +/usr/sbin/suexec root:root 0755 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-2015.09.28.1626/permissions.local new/permissions-2016.01.15.1451/permissions.local --- old/permissions-2015.09.28.1626/permissions.local 2015-09-28 16:26:23.000000000 +0200 +++ new/permissions-2016.01.15.1451/permissions.local 2016-01-15 14:51:59.000000000 +0100 
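Review bot: In the squid hunk of permissions.easy, `/usr/sbin/pinger` is now owned by the squid service account with mode 0750 and still carries `+capabilities cap_net_raw=ep`, so the account the helper runs for can also write to the file. The kernel drops file capabilities when the file is modified, but a later chkstat run as root would presumably set them again on whatever content is there; this should be confirmed. The changelog gives the reason for the owner change (there is no squid group, bsc#961363), and I would record it next to the entry, e.g. `# owner is squid only because no squid group exists (bsc#961363); prefer root:squid once the group is created`. The same entry appears in the permissions.secure hunk, and without the capability line in permissions.paranoid.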
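Review bot: The two entries `/usr/sbin/suexec2` and `/usr/sbin/suexec` added at the end of permissions.easy do not say which path is the real binary and which is the symlink, although the changelog states that suexec2 was renamed to suexec with a symlink (bsc#962060). An administrator who enables the setuid bit in permissions.local has to know which line applies to the actual file. I would add a comment above the pair such as `# apache2 renamed suexec2 to suexec and keeps a symlink (bsc#962060); both names are listed`. The same block is added to permissions.paranoid and permissions.secure.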
@@ -35,6 +35,7 @@ # http://httpd.apache.org/docs/trunk/suexec.html # #/usr/sbin/suexec2 root:root 4755 +#/usr/sbin/suexec root:root 4755 # setuid bit on Xorg is only needed if no display manager, ie startx # is used. Beware of CVE-2010-2240. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-2015.09.28.1626/permissions.paranoid new/permissions-2016.01.15.1451/permissions.paranoid --- old/permissions-2015.09.28.1626/permissions.paranoid 2015-09-28 16:26:23.000000000 +0200 +++ new/permissions-2016.01.15.1451/permissions.paranoid 2016-01-15 14:51:59.000000000 +0100 @@ -91,10 +91,10 @@ # from the squid package /usr/sbin/pam_auth root:shadow 0755 -# squid changes from bnc#891268 -/var/cache/squid squid:root 0750 -/var/log/squid squid:root 0750 -/usr/sbin/pinger root:squid 0750 +# /quid changes from bnc#891268 +/var/cache/squid/ squid:root 0750 +/var/log/squid/ squid:root 0750 +/usr/sbin/pinger squid:root 0750 /usr/sbin/basic_pam_auth root:shadow 0750 @@ -381,3 +381,13 @@ # radosgw (bsc#943471) /usr/bin/radosgw root:root 0755 +# +# suexec is only secure if the document root doesn't contain files +# writeable by wwwrun. Make sure you have a safe server setup +# before setting the setuid bit! See also +# https://bugzilla.novell.com/show_bug.cgi?id=263789 +# http://httpd.apache.org/docs/trunk/suexec.html +# You need to override this in permissions.local. +# +/usr/sbin/suexec2 root:root 0755 +/usr/sbin/suexec root:root 0755 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-2015.09.28.1626/permissions.secure new/permissions-2016.01.15.1451/permissions.secure --- old/permissions-2015.09.28.1626/permissions.secure 2015-09-28 16:26:23.000000000 +0200 +++ new/permissions-2016.01.15.1451/permissions.secure 2016-01-15 14:51:59.000000000 +0100 
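Review bot: The comment above the squid entries in permissions.paranoid changed from `# squid changes from bnc#891268` to `# /quid changes from bnc#891268`, which looks like a side effect of the edit that added trailing slashes to the directory paths. The permissions.easy and permissions.secure hunks keep the original wording as a context line. The line should read `# squid changes from bnc#891268`.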
@@ -115,9 +115,9 @@ /usr/sbin/pam_auth root:shadow 4755 # squid changes from bnc#891268 -/var/cache/squid squid:root 0750 -/var/log/squid squid:root 0750 -/usr/sbin/pinger root:squid 0750 +/var/cache/squid/ squid:root 0750 +/var/log/squid/ squid:root 0750 +/usr/sbin/pinger squid:root 0750 +capabilities cap_net_raw=ep /usr/sbin/basic_pam_auth root:shadow 2750 @@ -410,3 +410,14 @@ # radosgw (bsc#943471) /usr/bin/radosgw root:www 0750 +capabilities cap_net_bind_service=ep + +# +# suexec is only secure if the document root doesn't contain files +# writeable by wwwrun. Make sure you have a safe server setup +# before setting the setuid bit! See also +# https://bugzilla.novell.com/show_bug.cgi?id=263789 +# http://httpd.apache.org/docs/trunk/suexec.html +# You need to override this in permissions.local. +# +/usr/sbin/suexec2 root:root 0755 +/usr/sbin/suexec root:root 0755
