commit 4bba0fe829ef7ffa141925e99184ff94be89cfb4 Author: zyppe <210hcl@gmail.com> Date: Tue Mar 5 16:59:22 2024 +0800 Initialize for permissions diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..cf424c3 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +permissions-20201225.tar.xz diff --git a/.permissions.metadata b/.permissions.metadata new file mode 100644 index 0000000..078b85b --- /dev/null +++ b/.permissions.metadata @@ -0,0 +1 @@ +a70de65e31e135a2e86b3dee40d26f51bb278fc67bc8cb852d1fa77ce71a2fd0 permissions-20201225.tar.xz diff --git a/permissions.changes b/permissions.changes new file mode 100644 index 0000000..d974123 --- /dev/null +++ b/permissions.changes @@ -0,0 +1,874 @@ +* Wed Oct 19 2022 matthias.gerstner@suse.com +- Update to version 20201225: + * permissions for enlightenment helper on 32bit arches (bsc#1194047) +* Tue Oct 11 2022 matthias.gerstner@suse.com +- Update to version 20201225: + * fix regression introduced by backport of security fix (bsc#1203911) +* Tue Sep 13 2022 matthias.gerstner@suse.com +- Update to version 20201225: + * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252) +* Fri Jul 15 2022 matthias.gerstner@suse.com +- Update to version 20201225: + * postfix: add postlog setgid for maildrop binary (bsc#1201385) +* Mon Jul 11 2022 matthias.gerstner@suse.com +- Update to version 20201225: + * apptainer: fix starter-suid location (bsc#1198720) +* Wed Jul 6 2022 matthias.gerstner@suse.com +- Update to version 20201225: + * static permissions: remove deprecated bind / named chroot entries (bsc#1200747) +* Tue Apr 26 2022 matthias.gerstner@suse.com +- Update to version 20201225: + * backport of apptainer whitelisting (bsc#1196145, bsc#1198720) +* Fri Apr 1 2022 matthias.gerstner@suse.com +- Update to version 20201225: + * squid: adjust pinger path, drop basic_pam_auth (bsc#1197649) +* Fri Mar 11 2022 matthias.gerstner@suse.com +- Update to version 20201225: + * whitelist ksysguard network helper (bsc#1151190) +* Fri Jan 14 2022 jsegitz@suse.com +- Update to version 20181225: + * setuid bit for cockpit session binary (bsc#1169614) +* Wed Dec 22 2021 matthias.gerstner@suse.com +- Update to version 20181225: + * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504) +* Fri Apr 30 2021 matthias.gerstner@suse.com +- Update to version 20181225: + * etc/permissions: remove unnecessary entries (bsc#1182899) +* Thu Jan 21 2021 matthias.gerstner@suse.com +- Update to version 20181224: + * pcp: remove no longer needed / conflicting entries + (bsc#1171883, CVE-2020-8025) +* Tue Jun 2 2020 matthias.gerstner@suse.com +- Update to version 20181224: + * profiles: add entries for enlightenment (bsc#1171686) +* Thu May 28 2020 malte.kraus@suse.com +- whitelist texlive public binary (bsc#1171686) +* Mon May 11 2020 jsegitz@suse.com +- Remove setuid bit for newgidmap and newuidmap in paranoid profile + (bsc#1171173) +* Thu Apr 2 2020 jsegitz@suse.com +- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364) +* Tue Mar 24 2020 jsegitz@suse.com +- whitelist s390-tools setgid bit on log directory (bsc#1167163) +* Mon Mar 2 2020 malte.kraus@suse.com +- run testsuite during package build +- Update to version 20181224: + * testsuite: adapt expected behavior to legacy branches + * adjust testsuite to post CVE-2020-8013 link handling + * testsuite: add option to not mount /proc + * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 + * add a test for symlinked directories + * fix relative symlink handling + * regtest: fix the static PATH list which was missing /usr/bin + * regtest: also unshare the PID namespace to support /proc mounting + * Makefile: force remove upon clean target to prevent bogus errors + * regtest: by default automatically (re)build chkstat before testing + * regtest: add test for symlink targets + * regtest: make capability setting tests optional + * regtest: fix capability assertion helper logic + * regtests: add another test case that catches set*id or caps in world-writable sub-trees + * regtest: add another test that catches when privilege bits are set for special files + * regtest: add test case for user owned symlinks + * regtest: employ subuid and subgid feature in user namespace + * regtest: add another test case that covers unknown user/group config + * regtest: add another test that checks rejection of insecure mixed-owner paths + * regtest: add test that checks for rejection of world-writable paths + * regtest: add test for detection of unexpected parent directory ownership + * regtest: add further helper functions, allow access to main instance + * regtest: introduce some basic coloring support to improve readability + * regtest: sort imports, another piece of rationale + * regtest: add capability test case + * regtest: improve error flagging of test cases and introduce warnings + * regtest: support caps + * regtest: add a couple of command line parameter test cases + * regtest: add another test that checks whether the default profile works + * regtests: add tests for correct application of local profiles + * regtest: add further test cases that test correct profile application + * regtest: simplify test implementation and readability + * regtest: add helpers for permissions.d per package profiles + * regtest: support read-only bind mounts, also bind-mount permissions repo + * tests: introduce a regression test suite for chkstat +* Fri Feb 28 2020 malte.kraus@suse.com +- Update to version 20181224: + * whitelist WMP (bsc#1161335) + * Makefile: allow to build test version programmatically + * chkstat: handle symlinks in final path elements correctly + * add .gitignore for chkstat binary + * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) + * fix syntax of paranoid profile +* Thu Feb 6 2020 matthias.gerstner@suse.com +- Update to version 20181224: + * mariadb: settings for new auth_pam_tool (bsc#1160285) + * chkstat: capability handling fixes (bsc#1161779) + * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) + * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687) +* Wed Feb 5 2020 matthias.gerstner@suse.com + Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore + remove all of the following patches which are now included in the tarball: +- 0001-whitelisting-update-virtualbox.patch +- 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch +- 0004-var-cache-man.patch +- 0005-singularity-starter-suid.patch +- 0006-bsc1110797_amanda.patch +- 0007-chkstat-fix-privesc-CVE-2019-3690.patch +- 0008-squid-pinger-owner-fix-CVE-2019-3688.patch +- 0009-chkstat-handle-missing-proc.patch +- 0010-chkstat-capabilities-implicit-changes.patch + Because of inconsistencies between the upstream branch and the package state + the following previously missing changes are introduced by this update: +- Update to version 20181117: + * removed old entry for rmtab + * Fixed typo in icinga2 whitelist entry +* Fri Jan 31 2020 malte.kraus@suse.com +- fix regression where chkstat breaks without /proc available + (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) +- fix capability handling when doing multiple permission changes + at once (bsc#1161779, + 0010-chkstat-capabilities-implicit-changes.patch) +* Tue Nov 19 2019 malte.kraus@suse.com +- fix invalid free() when permfiles points to argv (bsc#1157198, + changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch) +* Mon Oct 28 2019 malte.kraus@suse.com +- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, + CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch) +* Mon Oct 28 2019 malte.kraus@suse.com +- fix privilege escalation through untrusted symlinks (bsc#1150734, + CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch) +* Thu Sep 26 2019 jsegitz@suse.com +- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch + (bsc#1110797) +* Thu Jun 13 2019 malte.kraus@suse.com +- Added ./0005-singularity-starter-suid.patch (bsc#1128598) + New whitelisting for /usr/lib/singularity/bin/starter-suid +* Tue Apr 30 2019 jsegitz@suse.com +- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. + Conflicts with packaging and man:man is the better setting anyway + (bsc#1133678) +* Tue Feb 12 2019 jsegitz@suse.com +- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) + New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed + stale entries for VirtualBox +- Added 0002-consistency-between-profiles.patch + Ensure consistency of entries, otherwise switching between settings + becomes problematic +- Added 0003-var-run-postgresql.patch (bsc#1123886) + Whitelist for postgresql. Currently the checker doesn't complain + because the directories aren't packaged, but that might change + and/or our checkers might improve +* Wed Nov 28 2018 opensuse-packaging@opensuse.org +- Update to version 20181116: + * zypper-plugin: new plugin to fix bsc#1114383 + * singularity: remove dropped -suid binaries (bsc#1028304) + * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds + * setuid whitelisting: add fusermount3 (bsc#1111230) + * setuid whitelisting: add authbind binary (bsc#1111251) + * setuid whitelisting: add firejail binary (bsc#1059013) + * setuid whitelisting: add lxc-user-nic (bsc#988348) + * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) + * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) + * Fix wrong file path in help string + * Capabilities for usage of Wireshark for non-root +- remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: + is now contained in tarball. +* Mon Aug 20 2018 matthias.gerstner@suse.com +- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add + whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved + usability. +* Thu Jan 25 2018 meissner@suse.com +- Update to version 20180125: + * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) + * make btmp root:utmp (bsc#1050467) +* Mon Jan 15 2018 krahmer@suse.com +- Update to version 20180115: + * - polkit-default-privs: usbauth (bsc#1066877) +* Mon Dec 4 2017 kukuk@suse.com +- fillup is required for post, not pre installation +* Thu Nov 30 2017 mpluskal@suse.com +- Cleanup spec file with spec-cleaner +- Drop conditions/definitions related to old distros +* Wed Nov 29 2017 astieger@suse.com +- Update to version 20171129: + * permissions: adding gvfs (bsc#1065864) + * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 + * Allow fping cap_net_raw (bsc#1047921) +* Thu Nov 23 2017 rbrown@suse.com +- Replace references to /var/adm/fillup-templates with new + %%_fillupdir macro (boo#1069468) +* Tue Nov 21 2017 krahmer@suse.com +- Update to version 20171121: + * - permissions: adding kwayland (bsc#1062182) +* Mon Nov 6 2017 eeich@suse.com +- Update to version 20171106: + * Allow setuid root for singularity (group only) bsc#1028304 +* Wed Oct 25 2017 jsegitz@suse.com +- Update to version 20171025: + * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid) +* Thu Sep 28 2017 astieger@suse.com +- Update to version 20170928: + * Fix invalid syntax bsc#1048645 bsc#1060738 +* Wed Sep 27 2017 pgajdos@suse.com +- Update to version 20170927: + * fix typos in manpages +* Fri Sep 22 2017 astieger@suse.com +- Update to version 20170922: + * Allow setuid root for singularity (group only) bsc#1028304 +* Wed Sep 13 2017 astieger@suse.com +- Update to version 20170913: + * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645) +* Wed Sep 6 2017 opensuse-packaging@opensuse.org +- Update to version 20170906: + * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 + * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425) +* Wed Jun 7 2017 dimstar@opensuse.org +- BuildIgnore group(trusted): we don't really care for this group + in the buildroot and do not want to get system-users into the + bootstrap cycle as we can avoid it. +* Sat Jun 3 2017 meissner@suse.com +- Require: group(trusted), as we are handing it out to some unsuspecting + binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc) +* Fri Jun 2 2017 meissner@suse.com +- Update to version 20170602: + * make /etc/ppp owned by root:root. The group dialout usage is no longer used +* Sun Aug 7 2016 meissner@suse.com +- Update to version 20160807: + * suexec2 is a symlink, no need for permissions handling +* Tue Aug 2 2016 meissner@suse.com +- Update to version 20160802: + * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) + * root:shadow 0755 for newuidmap/newgidmap +* Tue Aug 2 2016 krahmer@suse.com +- adding qemu-bridge-helper mode 04750 (bsc#988279) +* Mon May 23 2016 dimstar@opensuse.org +- Introduce _service to easier update the package. For simplicity, + change the version from yyyy.mm.dd to yyyymmdd (which is eactly + %%cd in the _service defintion). Upgrading is no problem. +* Mon May 23 2016 meissner@suse.com +- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352) +* Wed Mar 30 2016 meissner@suse.com +- permissions: adding gstreamer ptp file caps (bsc#960173) +* Fri Jan 15 2016 meissner@suse.com +- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060) +* Tue Jan 12 2016 meissner@suse.com +- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363 +* Thu Oct 29 2015 meissner@suse.com +- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 +- added missing / to the squid specific directories (bsc#950557) +* Mon Sep 28 2015 meissner@suse.com +- adjusted radosgw to root:www mode 0750 (bsc#943471) +* Mon Sep 28 2015 meissner@suse.com +- radosgw can get capability cap_bind_net_service (bsc#943471) +* Mon Jun 8 2015 meissner@suse.com +- remove /usr/bin/get_printing_ticket; (bnc#906336) +* Wed Dec 3 2014 krahmer@suse.com +- Added iouyap capabilities (bnc#904060) +* Wed Nov 5 2014 meissner@suse.com +- %%{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) +- permissions: incorporating squid changes from bnc#891268 +- hint that chkstat --system --set needs to be run after editing bnc#895647 +* Tue Aug 26 2014 meissner@suse.com +- Do not applies permissions from backup files (~ / .rpmsave / .rpmnew) (bnc#893370) +- do not mention SuSEconfig anymore, long dead (bnc#843083) +* Fri Aug 1 2014 meissner@suse.com +- append a / to /var/log/journal so the framework makes sure it is a directory bnc#888151 +* Wed Jul 23 2014 meissner@suse.com +- make innbind mode 4550 (bnc#876287) +- permissions: Adding systemd-journal directory (bnc#888151) +* Mon Jul 21 2014 krahmer@suse.com +- permissions: Adding new kdesud path for KDE5 (bnc#872276) +* Tue Jul 1 2014 meissner@suse.com +- vlock_main lost its permission checking, so remove from here. +* Mon Jun 16 2014 meissner@suse.com +- opiesu,wodim,vlock-main have no setuid root. (bnc#882035) +* Thu Jun 5 2014 meissner@suse.com +- tighten /etc/crontab to be always mode 600, even in easy (bnc#867799) +* Tue Apr 15 2014 meissner@suse.com +- duplicate /var/run entries to /run (bnc#873708) +* Mon Mar 24 2014 krahmer@suse.com +- permissions: incorporating capability for mtr, removing +s from ping + (bnc#865351) +* Mon Oct 28 2013 meissner@suse.com +- GIT repo moved to GITHUB. +- removed the setuid bit from "eject" (bnc#824406) +* Thu Aug 22 2013 meissner@suse.com +- do not use magic constants for strlen (bnc#834790 +* Wed Aug 21 2013 meissner@suse.com +- Chrome sandbox also allowed to be setuid root in secure mode now (bnc#718016) +* Fri Aug 16 2013 meissner@suse.com +- use PERMISSION_FSCAPS +* Fri Aug 16 2013 meissner@suse.com +- it is PERMISSIONS_FSCAPS (bnc#834790) +- qemu-bridge-helper has no special privileges currently (bnc#765948) +* Wed Jun 12 2013 meissner@suse.com +- utempter helper binary moved in new version to /usr/lib/utempter/utempter (bnc#823302) +* Mon Jun 10 2013 meissner@suse.com +- cdrtools: allow some filesystem capabilities for more stable CD/DVD + burning in "easy" mode. (bnc#550021) (cap_sys_nice, cap_sys_rawio, + cap_sys_resource, cap_ipc_lock) +* Wed May 8 2013 meissner@suse.com +- leave out readcd,cdda2wav,cdrecord until it is ready for the distro (bnc#550021) +* Sat May 4 2013 meissner@suse.com +- cdrecord currently has no special permissions approved (bnc#550021) +- append a / +* Tue Jan 29 2013 meissner@suse.com +- Allow pcp to have stickybit worldwriteable directories +* Tue Nov 27 2012 meissner@suse.com +- add /usr/bin/dumpcap to watchlist +- make fscaps=1 the default on "" +- added PERMISSION_FSCAPS to the sysconfig/security fillup template. +- /bin/ping(6) was moved to /usr/bin/ping(6) /bin/eject was moved to /usr/bin/eject +* Wed Nov 21 2012 lnussel@suse.de +- apply permissions settings in %%post. During initial installation + some packages might be installed before the permissions package + due to dependency loops so we need to make sure their settings + are applied too. Also, on update of the permissions package + changed permission settings may need to be applied. +* Mon Oct 15 2012 lnussel@suse.de +- temporarily add su.core. workaround for the migration of su from + coreutils to util-linux needs to be reverted as soon as util-linux + is also in +* Tue Sep 25 2012 meissner@suse.com +- no longer install SuSEconfig.permissions, SuSEconfig is gone. +* Fri Jul 6 2012 meissner@suse.com +- enable ecryptfs-utils setuid root mount wrapper (bnc#740110) in .easy +* Mon Jun 4 2012 lnussel@suse.de +- remove /var/run/vi.recover (bnc#765288) +* Fri Jun 1 2012 lnussel@suse.de +- remove /var/cache/fonts (bnc#764885) +- remove /var/lib/xemacs/lock/ (bnc#764887) +* Thu May 31 2012 lnussel@suse.de +- Revert "Use credentials from within the root file system" + breaks use of --root option in brp-05-permissions +* Tue May 15 2012 lnussel@suse.de +- print warning when requested to check not listed files +- Use credentials from within the root file system +* Wed Feb 8 2012 lnussel@suse.de +- add duplicate entries for / and /usr (bnc#745622) +* Tue Feb 7 2012 lnussel@suse.de +- add scripts for automatic package sumission +- drop zypp-refresh-wrapper (bnc#738677) +* Mon Nov 7 2011 lnussel@suse.de +- disable run time fscaps detection (bnc#728312) +* Fri Sep 23 2011 lnussel@suse.de +- set permission by default in SuSEconfig mode as permissions are + only set when called explicitly anyways (bnc#720010). +* Wed Sep 21 2011 lnussel@suse.de +- fix typo in path +* Tue Sep 20 2011 lnussel@suse.de +- remove world writable /var/crash again (bnc#438041) +- remove world writable permissions from /usr/src/packages (bnc#719217) +* Tue Sep 20 2011 lnussel@suse.de +- add chromium browser sandbox helper (bnc#718016) +- don't offer PERMISSION_SECURITY in config anymore +- remove setgid games bits (bnc#429882) +* Tue Jun 28 2011 lnussel@suse.de +- remove setuid bit from opiesu (bnc#698772) +* Fri Jun 17 2011 lnussel@suse.de +- disable fscaps by default as factory kernel still doesn't have the + required patch for auto detection +* Thu May 26 2011 lnussel@suse.de +- read /sys/kernel/fscaps for fscaps settings +* Thu May 12 2011 lnussel@suse.de +- change path to gnome-pty-helper (bnc#690202) +* Mon Mar 7 2011 lnussel@suse.de +- setuid bit on VBoxNetDHCP (bnc#669055) +* Mon Feb 14 2011 lnussel@suse.de +- fix hawk permissions (bnc#665045) +* Wed Feb 9 2011 lnussel@suse.de +- add hawk (bnc#665045) +* Thu Dec 2 2010 lnussel@suse.de +- remove Xorg setuid bit (bnc#632737) +* Thu Nov 18 2010 lnussel@suse.de +- update permissions of lastlog, faillog, wtmp, utmp and btmp +* Wed Nov 17 2010 lnussel@suse.de +- remove permissions handling for /etc/inittab, /etc/inetd.conf and /etc/mtab +- revert previous commit, done in coreutils instead +* Tue Nov 16 2010 lnussel@suse.de +- change fillup deps to requires to avoid coreutils loop +* Tue Nov 16 2010 lnussel@suse.de +- change utempter from group tty to group utmp (bnc#652877) +* Tue Nov 9 2010 lnussel@suse.de +- add permissions man page +- update docu +- add --level option +- set perms for setuid files always if owner changes +- strip root dir when printing file names +* Tue Nov 9 2010 lnussel@suse.de +- add option to explicitly warn only +* Fri Nov 5 2010 lnussel@suse.de +- reimplement the core features in chkstat itself instead of + SuSEconfig.permissions +* Thu Nov 4 2010 lnussel@suse.de +- don't make changes if not called explicitly +* Wed Nov 3 2010 lnussel@suse.de +- add support for file system capabilities +* Mon Oct 18 2010 lnussel@suse.de +- remove vlock (bnc#629236#c13) +* Tue Oct 5 2010 lnussel@suse.de +- update path to gnome-pty-helper (bnc#634199) +* Wed Sep 22 2010 lnussel@suse.de +- vlock -> vlock-main (bnc#629236) +* Mon Jun 28 2010 jengelh@medozas.de +- use %%_smp_mflags +* Fri Apr 23 2010 lnussel@suse.de +- add lockdev (bnc#588325) +* Wed Apr 7 2010 lnussel@suse.de +- update for innd update (bnc#594393) +- remove lppasswd (bnc#574336) +* Tue Dec 8 2009 jengelh@medozas.de +- enable parallel building +* Wed Oct 7 2009 lnussel@suse.de +- add /usr/lib/virtualbox/VBoxNetAdpCtl (bnc#533550) +* Thu Aug 27 2009 lnussel@suse.de +- add /usr/src/packages/BUILDROOT/ for rpm 4.7 +* Wed Aug 26 2009 lnussel@suse.de +- add more arm directories to /usr/src/packages/RPMS/ +* Mon Aug 24 2009 lnussel@suse.de +- remove permissions handling for traceroute6 and cdrecord which are + symlinks nowadays +* Thu Aug 20 2009 lnussel@suse.de +- fix weird sendfax permissions (bnc#525954) +* Wed Aug 19 2009 lnussel@suse.de +- permissions now maintained at gitorious so use tarball instead of + individual files +* Wed Aug 12 2009 meissner@suse.de +- added polkit setuid root helpers after review (bnc#523377) +* Fri Aug 7 2009 meissner@suse.de +- also added KDE4 start_kdeinit (same source as kde3 start_kdeinit), + bnc#523833 +* Thu Aug 6 2009 meissner@suse.de +- open-vm-tools gets setuid root:root in mode easy (bnc#474285) +* Tue Jul 28 2009 lnussel@suse.de +- hylafax directory permissions are handled by the package + - change group of amanda binaries (bnc#523006) +* Mon Mar 2 2009 lnussel@suse.de +- add some missing slashes to directories and remove entries for at + and cron (bnc#480855) +* Tue Nov 25 2008 lnussel@suse.de +- add VirtualBox (bnc#429725) +* Fri Nov 7 2008 lnussel@suse.de +- add newrole from policycoreutils (bnc#440596) +* Thu Oct 23 2008 lnussel@suse.de +- add udev device files (bnc#438039) +- add system crash dump directory (bnc#438041) +- add bind chroot devices (bnc#438045) +* Mon Oct 20 2008 lnussel@suse.de +- dbus-daemon-launch-helper neeeds to be setuid in level secure + (bnc#435776) +* Thu Sep 25 2008 lnussel@suse.de +- change /var/games to 755 to prevent ill-considered maneuvers there + (bnc#429882) +* Thu Sep 11 2008 lnussel@suse.de +- remove static smpppd config file permissions +- fix permissions of polkit-set-default-helper +- grant permissions to PolicyKit helpers also in level secure +* Tue Jul 15 2008 lnussel@suse.de +- ensure correct permissions on ssh files to avoid sshd refusing + logins (bnc#398250) +* Thu Jul 3 2008 lnussel@suse.de +- adapt permissions of lppasswd for current cups setup (bnc#406058) +* Mon Jun 2 2008 lnussel@suse.de +- add mount.nfs due to an ever increasing number of users + hit by the regression (bnc#331020, bnc#304318) +* Wed May 7 2008 lnussel@suse.de +- zypp-checkpatches-wrapper -> zypp-refresh-wrapper (bnc#385207) +* Mon Apr 21 2008 lnussel@suse.de +- /dev/full should be 0666 (bnc#379545) +* Thu Apr 17 2008 lnussel@suse.de +- update chkstat manpage and support '--' argument for chkstat + (bnc#57438) +* Wed Mar 12 2008 lnussel@suse.de +- new PolicyKit permissions (bnc#295341) +- remove obsolete entries for scmxx and zapping +* Mon Jan 7 2008 lnussel@suse.de +- remove setuid bits on man (#351988) +* Mon Dec 3 2007 lnussel@suse.de +- add dbus-daemon-launch-helper (#333361) +* Fri Nov 2 2007 dmueller@suse.de +- kcheckpass/kdesud moved to %%_libdir/kde4/libexec +* Wed Oct 17 2007 lnussel@suse.de +- remove bing (#306626) +* Fri Oct 12 2007 lnussel@suse.de +- remove suexec2 (#263789) +* Fri Aug 10 2007 aj@suse.de +- Readd nscd socket permissions, otherwise glibc build will fail. +* Fri Aug 10 2007 lnussel@suse.de +- add PolicyKit helpers (#295341) +* Wed Aug 8 2007 lnussel@suse.de +- remove nscd socket permission handling as chkstat refuses to touch + that file anyways (#298334). +* Tue Jun 12 2007 schwab@suse.de +- permissions.local: Fix comment to use uid:gid instead of uid.gid. +* Fri Jun 1 2007 lnussel@suse.de +- package /etc/permissions.local +* Wed May 30 2007 lnussel@suse.de +- add /usr/bin/kcheckpass and /usr/bin/kdesud (#276502) +* Wed Apr 18 2007 dmueller@suse.de +- create debuginfo package (#265667) +* Thu Feb 22 2007 lnussel@suse.de +- prefer package specific permissions files over central ones + (#246252) +* Thu Feb 22 2007 lnussel@suse.de +- add /opt/kde3/bin/start_kdeinit (#203535) +- remove entries for dropped packages OpenPBS and xtetris +* Wed Jan 17 2007 lnussel@suse.de +- make pam authentication helpers unix_chkpwd, unix2_chkpwd and + pam_auth setuid root instead of setgid shadow (#216816) +* Wed Jan 10 2007 sbrabec@suse.cz +- Prefix of /opt/gnome binaries changed to /usr. +- Removed gnome-stones. +* Mon Nov 13 2006 lnussel@suse.de +- remove khc_indexbuilder (#188192) +* Mon Oct 16 2006 lnussel@suse.de +- add zypp patch checking helper (#211286) +* Wed Aug 23 2006 lnussel@suse.de +- /usr/X11R6 -> /usr +- remove obsolete entries for xmris,pcmcia-cardinfo,geki2,vmware,nicimud +* Thu Aug 17 2006 cthiel@suse.de +- change paths for v4l-conf from /usr/X11R6/bin to /usr/bin +* Thu Jul 20 2006 sndirsch@suse.de +- Xorg moved from /usr/X11R6/bin to /usr/bin; fixes build of + xorg-x11-server package +* Tue Jun 27 2006 lnussel@suse.de +- remove setuid bit on gpg (#137562) +* Fri May 19 2006 lnussel@suse.de +- add get_printing_ticket in order to enable smb printing with + kerberos authentication (#177114) +* Wed May 17 2006 lnussel@suse.de +- add setuid bit to gnomesu-pam-backend in level secure (#175616) +* Thu Feb 23 2006 schwab@suse.de +- /usr/lib/ia32el/suid_libia32x.so renamed to suid_ia32x_loader. +* Wed Jan 25 2006 mls@suse.de +- converted neededforbuild to BuildRequires +* Mon Jan 16 2006 meissner@suse.de +- removed pmount, pumount. +- moved pmpost to /usr/lib/pcp/pmpost. +* Thu Dec 15 2005 lnussel@suse.de +- /opt/kde3/bin/fileshareset -> /usr/bin/fileshareset +* Fri Dec 9 2005 meissner@suse.de +- temporary only setuid bit for pmount and pumount. #135792 +* Wed Nov 23 2005 lnussel@suse.de +- add /usr/bin/fusermount (#133657) +* Mon Nov 21 2005 lnussel@suse.de +- remove Xwrapper, it's a symlink nowadays (#134611) +* Wed Nov 2 2005 dmueller@suse.de +- don't build as root +* Thu Oct 13 2005 meissner@suse.de +- nici moved to /var/opt/novell/... +* Tue Oct 11 2005 meissner@suse.de +- Temporary added setuid binary from "nici" (Novell I? Crypto Interface), + bug #127545. +* Fri Sep 30 2005 lnussel@suse.de +- add slashes to several directories (#103186) +- change /var/games to games:games 775 again (#103186) +* Tue Aug 30 2005 lnussel@suse.de +- remove kpopup helper (#100132) +* Thu Aug 25 2005 lnussel@suse.de +- add /opt/gnome/sbin/change-passwd (#104993) +* Thu Aug 11 2005 lnussel@suse.de +- remove xmcd (#104040) +- add suexec2 from apache2 (#66304) +- add exim (#66306) +* Thu Aug 11 2005 lnussel@suse.de +- remove /opt/gnome/bin/iagno (#103844) +* Wed Aug 10 2005 lnussel@suse.de +- remove xbl (#103762) +- clean up bsd games list (#103785) +- remove score files as they are the same in all levels anyways +* Wed Aug 10 2005 lnussel@suse.de +- change /var/games{,/xsok} to root:root (#103186) +* Fri Aug 5 2005 lnussel@suse.de +- /usr/sbin/isdnctrl -> /sbin/isdnctrl (#100750) +* Tue Aug 2 2005 lnussel@suse.de +- remove kde games again. Turned out they don't work as intended. +* Tue Aug 2 2005 lnussel@suse.de +- cardctl -> pccardctl (#100120) +* Fri Jul 22 2005 lnussel@suse.de +- add setgid games to some kde games +* Wed Jun 8 2005 lnussel@suse.de +- use correct gnomesu-pam-backend path +* Tue Jun 7 2005 lnussel@suse.de +- add gnomesu-pam-backend (#75823) +- add lppasswd (#66305) +- make ntping 4750 root:trusted also in easy (#66211) +- add cl_status from heartbeat (#66310) +- remove unused /opt/gnome/sbin/change-passwd +* Mon May 16 2005 ro@suse.de +- added /opt/gnome/sbin/change-passwd +* Mon Apr 25 2005 lnussel@suse.de +- add OpenPBS permissions (#66320) +* Tue Mar 1 2005 lnussel@suse.de +- fix inn permissions (#67032) +- remove setuid bit from ziptool (#66191) +* Wed Feb 23 2005 lnussel@suse.de +- remove no longer existing files +- remove setuid plpnfsd (#66207) +- remove setuid bit from dga program +- change vmware permissions +- add /opt/kde3/bin/receivepopup (#66313) +- add /opt/kde3/bin/fileshareset (#66312) +- add /usr/bin/scmxx (#66309) +- add some missing mailman files (#66315) +- include perl script to perform some basic consistency checks +* Mon Jan 31 2005 meissner@suse.de +- backported security fix from SLES 9 branch. #43035 +* Sat Jan 15 2005 schwab@suse.de +- Comment fixes. +* Mon Nov 22 2004 sndirsch@suse.de +- permissions.secure: set Xorg to 0711 (4711 before) +* Wed Nov 10 2004 ro@suse.de +- /var/cache/fonts to 1777 (as in tetex perms before) +* Mon Nov 8 2004 kukuk@suse.de +- Add nscd socket to permissions file +* Tue Sep 14 2004 ro@suse.de +- do not use rpm in SuSEconfig.permissions (#45252) +* Tue Sep 14 2004 ro@suse.de +- dropped check for perl in SuSEconfig.permissions (#45252) +* Wed May 26 2004 draht@suse.de +- /usr/lib/ia32el/suid_libia32x.so set to (6755,0755,0755) (#40234) + source code audit in progress (#40234) (thomas) +* Fri May 14 2004 ro@suse.de +- /usr/lib/ia32el/suid_libia32x.so added to easy,secure,paranoid + (0755,0755,0755) (#40234) +* Thu Apr 15 2004 sndirsch@suse.de +- XFree86 --> Xorg in permissions files +* Tue Apr 6 2004 mls@suse.de +- added --root option for buildroot operation +* Mon Apr 5 2004 mls@suse.de +- chkstat: fixed relative symlink chasing +- /usr/src/packages/RPMS back to 1777 in easy, as chkstat can + now handle it +* Sun Apr 4 2004 mls@suse.de +- chkstat: added missing link count check and safepath() function +- chkstat: refuse to give away s-bits on insecure paths +- chkstat: bugfix: stat file again after chown, as modes may have + changed +* Fri Apr 2 2004 mls@suse.de +- chkstat: re-implemented it in C to make it more secure +* Thu Apr 1 2004 kukuk@suse.de +- Remove /var/lock/subsys [#37759] +- Add sticky bit to /var/lock [#37759] +* Wed Mar 24 2004 draht@suse.de +- make /usr/bin/gpg setuid root in easy+secure, 0755 in paranoid. + [#33570]. +* Tue Mar 23 2004 draht@suse.de +- #36741: /usr/src/packages/RPMS 1777->0755 in easy. +* Mon Mar 22 2004 kukuk@suse.de +- Fix syntax error in permission.easy +- /usr/bin/ssh should be always 0755 +* Fri Feb 13 2004 draht@suse.de +- /var/run/uscreens (root:root 1777) added +* Thu Feb 12 2004 kukuk@suse.de +- Don't modify group of crontab and at useless +* Fri Jan 9 2004 kukuk@suse.de +- Add RPM directory for hppa2.0 +* Fri Nov 21 2003 ro@suse.de +- fpexec decrease go rights to 11 +* Tue Nov 4 2003 ro@suse.de +- inn scripts: u-w (not needed) +* Mon Nov 3 2003 schwab@suse.de +- chkstat: fix option parsing. +* Wed Oct 29 2003 kukuk@suse.de +- Sync permissions for shadow package +* Tue Oct 28 2003 ro@suse.de +- require /sbin/SuSEconfig +* Tue Oct 28 2003 ro@suse.de +- chkstat: added some new extensions: + allow specifying singular files or a filelist to be checked + output previous/current mode of a failed file + adapted manpage +* Tue Oct 21 2003 draht@suse.de +- permissions.secure: /etc/ftpusers 0640 root.root -> 0644 +* Mon Oct 20 2003 ro@suse.de +- permissions.*: use ":" and not "." to separate user/group +- chkstat: output also which of (permissions/owner) is wrong +- chkstat: don't try to chown if not root +* Tue Oct 14 2003 draht@suse.de +- reformatting of all 4 permissions files. xkobo, rocksndiamonds, + xlogical, lbreakout2 and ltris path adoptions. + for future reference: :-) + for i in permissions permissions.easy permissions.secure + permissions.paranoid; do cat $i | \ + awk '/^(#|$)/ { print $0; next; } + { if(NF > 3) {printf("error: %%s\n",$0);exit}; + printf("%%-55s %%-17s %%4s\n",$1,$2,$3)}' \ + > $i.. && mv $i.. $i; done +* Thu Sep 18 2003 kukuk@suse.de +- Fix group of straps, popauth and ntping +- Remove some GNOME games which do not need special rights anymore +* Tue Sep 16 2003 kukuk@suse.de +- permissions.easy: change group of bing, vboxbeep, plpnfsd to + trusted, majordomo/wrapper to daemon +* Tue Sep 16 2003 kukuk@suse.de +- permissions.easy: change group of gpasswd and ziptool to trusted +* Tue Sep 2 2003 kkeil@suse.de +- fix user fax for hylafax specific files +* Tue Sep 2 2003 kukuk@suse.de +- fix path to cons.saver, remove setuid bit in paranoid (#25907) +- remove screen +- remove smail (dropped years ago) +* Mon Sep 1 2003 kkeil@suse.de +- fix group for isdnctrl uucp --> dialout (#28997) +* Mon Sep 1 2003 draht@suse.de +- feedback@suse.de -> http://www.suse.de/feedback in all files of + the package. #29635. +* Sat Aug 23 2003 sndirsch@suse.de +- added martian entries of package pachi +* Tue Aug 19 2003 mmj@suse.de +- Add sysconfig metadata [#28937] +* Tue Jul 29 2003 draht@suse.de +- fax changes from Tomas Crhak: faxq-helper and spool directories. +* Tue Jul 29 2003 ro@suse.de +- gnome games moved back to /opt/gnome +* Mon Jul 28 2003 kukuk@suse.de +- Remove /var/run from permissions file list [Bug #28289] +* Mon Jul 28 2003 kukuk@suse.de +- /var/lib/gdm: Removed to solve [Bug #28257] for future products. +* Fri Jul 25 2003 draht@suse.de +- /usr/lib/vte/gnome-pty-helper -> /opt/gnome/lib/vte/gnome-pty-helper + The same with /opt/gnome/lib64/. +* Fri Jun 13 2003 kukuk@suse.de +- /usr/lib/mgetty+sendfax/faxq-helper added 4711 in easy and secure +* Fri May 2 2003 sndirsch@suse.de +- added /usr/games/pachi and /var/games/pachi.scores +* Mon Mar 10 2003 sndirsch@suse.de +- added /usr/games/falconseye.bin +- removed /usr/games/falconseye +* Mon Mar 10 2003 kukuk@suse.de +- added /usr/lib64/vte/gnome-pty-helper until ported to utempter +* Sun Mar 9 2003 sndirsch@suse.de +- added /usr/games/falconseye +- removed old falconseye entries +* Thu Mar 6 2003 ro@suse.de +- added /usr/lib/vte/gnome-pty-helper until ported to utempter +* Thu Feb 20 2003 mmj@suse.de +- Add sysconfig metadata [#22686] +* Tue Feb 18 2003 kssingvo@suse.de +- removed squid entries. They will be added and corrected to squids own + permission file /etc/permissions.d/squid (bugzilla#23752): + /var/squid + /var/squid/cache + /var/squid/logs +* Tue Feb 18 2003 draht@suse.de +- /usr/games/trackballs added 2755 games.games in easy. +* Sun Feb 16 2003 adrian@suse.de +- allow khc_indexbuilder to write into /var/cache/susehelp in easy mode +- remove old entries (kreatecd and kscd) +* Mon Feb 10 2003 draht@suse.de +- additions/changes (from #17012, Tobias Burnus): + * read all files from the commandline at once and override + entries given multiple times by the last entry + * enable option --set in addition to -set + * manpage adoptions + * call chkstat only once from SuSEconfig.permissions +* Thu Feb 6 2003 ro@suse.de +- /var/mtrack -> /var/lib/mtrack +* Tue Nov 19 2002 ro@suse.de +- zapping_setup_fb moved to /opt/gnome/sbin +* Thu Nov 14 2002 bg@suse.de +- added hppa to rpm subsystem in permissions files to be able to + finish autobuild +* Thu Oct 24 2002 ro@suse.de +- two more nethack flavors with sgid games in easy +* Tue Sep 10 2002 draht@suse.de +- cda entries below /usr/X11R6/lib/X11/xmcd removed. + index.html under /var/lib/xmcd/discog directories added + world-writeable. This is not satisfactory. New user xmcd will be + added in next release. +* Thu Sep 5 2002 draht@suse.de +- /usr/X11R6/lib/X11/xmcd/bin-Linux-ia64/{cda,xmcd} added. +* Mon Aug 26 2002 draht@suse.de +- removed all occurrences of kv4lsetup upon request by adrian+uli. +- -s for xlock, xlock-mesa + xscreensaver (#18125), (#18132) +- /usr/src/packages/RPMS/alphaev67 added. +- added /sbin/unix2_chkpwd root.shadow 2755 +- -s /usr/sbin/papd (#18103) +* Wed Aug 21 2002 draht@suse.de +- removed suid bits from heimdal's su and otp (#18104) +* Wed Aug 21 2002 draht@suse.de +- remove setuid bit from traceroute due to new implementation by + Olaf Kirch which doesn't need euid root. (#18101) +* Wed Aug 21 2002 draht@suse.de +- removed lprng entries because of conflicts cups <-> lprng +* Wed Aug 21 2002 draht@suse.de +- vboxbeep -> 0755 in secure. +* Mon Aug 19 2002 ro@suse.de +- added prereq (#17956) +* Mon Aug 19 2002 uli@suse.de +- added nethack for lib64 archs +* Mon Aug 19 2002 uli@suse.de +- added xmcd for archs != i386 +* Tue Aug 13 2002 draht@suse.de +- gnome-games2 entries changed/adopted to /opt/gnome2 path. +* Tue Aug 13 2002 draht@suse.de +- changed kcheckpass from 2755 root.shadow to 4755. (#17664) +* Wed Jul 31 2002 olh@suse.de +- ncpmount, ncpumount, nwsfind, ncplogin, ncpmap root.trusted 4750 +* Sat Jul 27 2002 kukuk@suse.de +- Rename group wwwadmin to www +- Rename group game to games +* Tue Jul 23 2002 draht@suse.de +- added sapdb files, not setuid root in secure,paranoid. +* Mon Jul 22 2002 draht@suse.de +- added frontpage files +* Tue Jul 16 2002 draht@suse.de +- changed entries for mailman: group mdom -> mailman +* Tue Jul 16 2002 draht@suse.de +- mailman sgid mdom files added to easy, secure and paranoid. +* Wed Jul 10 2002 draht@suse.de +- .paranoid comment fixed about at and cron (#12159) +* Mon Jul 8 2002 draht@suse.de +- ppp dialup networking fixes and cleanup. +* Mon Jul 8 2002 draht@suse.de +- modifications: -s for pppd, world-writeable directories for + kdemultimedia3-sound, gift, mips and armv4l RPMS directory. +* Fri Jul 5 2002 kukuk@suse.de +- Add /usr/src/packages/RPMS/sparcv9 to easy,secure,paranoid. +* Thu Jul 4 2002 draht@suse.de +- /usr/lib64/pt_chown added to easy,secure,paranoid. +* Mon Jul 1 2002 draht@suse.de +- entries for packages added or changed: + squid + geki2 + d1x + falconseye + fdutils + gewels + gnome-games + heimdal + lbreakout + lpdfilter + lprng + man + mgetty (/var/spool/fax/outgoing/* need discussion) + mtrack (locfile+satfile -> 0644) + nethack + nvi-m17n (/var/preserve/vi.recover -> 1777) + opie (/bin -> /usr/bin) + pcp + plptools + qpopper + rp-pppoe (/usr/sbin/pppoe-wrapper) + smpppd (/usr/sbin/cinternet-wwwrun wwwrun.dialout 2750) + squid (/usr/sbin/pam_auth) + su-wrapper + xemacs (lock directory changed again? now /var/state/xemacs and /var/lib/xemacs) + xgalaga + xmcd + xscrabble +* Sun Jun 30 2002 ro@suse.de +- don't install all sources (spec file etc.) +* Fri Jun 28 2002 draht@suse.de +- minor spec file change +* Fri Jun 28 2002 draht@suse.de +- entries for packages added: + ftpdir + gnokii + kamplus + geki2 + aaa_dir (/tmp/.ICE-unix) +* Fri Jun 28 2002 draht@suse.de +- unpack tar archive in source for convenience. +* Thu Jun 27 2002 olh@suse.de +- update permissions of /usr/src/packages/RPMS/ +* Fri Jun 21 2002 ro@suse.de +- created package as split off from aaa_base diff --git a/permissions.spec b/permissions.spec new file mode 100644 index 0000000..7c89e27 --- /dev/null +++ b/permissions.spec @@ -0,0 +1,77 @@ +# +# spec file for package permissions +# +# Copyright (c) 2022-2023 ZhuningOS +# + + +Name: permissions +Version: 20201225 +Release: 150400.5.16.1 +Summary: SUSE Linux Default Permissions +# Maintained in github by the security team. +License: GPL-2.0+ +Group: Productivity/Security +Url: http://github.com/openSUSE/permissions +Source: permissions-%{version}.tar.xz +BuildRequires: libcap-devel +BuildRequires: python3 +#!BuildIgnore: group(trusted) +Requires(post): %fillup_prereq +Requires(pre): group(trusted) +Provides: aaa_base:%{_sysconfdir}/permissions + +%description +Permission settings of files and directories depending on the local +security settings. The local security setting (easy, secure, or paranoid) +can be configured in /etc/sysconfig/security. + +%prep +%setup -q + +%build +make %{?_smp_mflags} CFLAGS="-W -Wall %{optflags}" FSCAPS_DEFAULT_ENABLED=0 + +%install +%make_install fillupdir=%{_fillupdir} + +%check +# we can't test with sanitizers in SLE15, compiler is too old for some of them +tests/regtest.py --skip-make + +%post +%{fillup_only -n security} +# apply all potentially changed permissions +%{_bindir}/chkstat --system + +%files +%config %{_sysconfdir}/permissions +%config %{_sysconfdir}/permissions.easy +%config %{_sysconfdir}/permissions.secure +%config %{_sysconfdir}/permissions.paranoid +%config(noreplace) %{_sysconfdir}/permissions.local +%{_bindir}/chkstat +%{_mandir}/man5/permissions.5%{ext_man} +%{_mandir}/man8/chkstat.8%{ext_man} +%{_fillupdir}/sysconfig.security + +%package -n permissions-zypp-plugin +BuildArch: noarch +Requires: permissions = %version +Requires: python3-zypp-plugin +Requires: libzypp(plugin:commit) = 1 +Summary: A zypper commit plugin for calling chkstat +Group: Productivity/Security + +%description -n permissions-zypp-plugin +This package contains a plugin for zypper that calls `chkstat --system` after +new packages have been installed. This is helpful for maintaining custom +entries in /etc/permissions.local. + +%files -n permissions-zypp-plugin +%dir /usr/lib/zypp +%dir /usr/lib/zypp/plugins +%dir /usr/lib/zypp/plugins/commit +/usr/lib/zypp/plugins/commit/permissions.py + +%changelog