Hello community,

here is the log from the commit of package permissions for openSUSE:Factory 
checked in at 2020-07-15 11:12:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/permissions (Old)
 and      /work/SRC/openSUSE:Factory/.permissions.new.3060 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "permissions"

Wed Jul 15 11:12:57 2020 rev:138 rq:819968 version:unknown

Changes:
--------
--- /work/SRC/openSUSE:Factory/permissions/permissions.changes  2020-06-24 
15:47:30.992079239 +0200
+++ /work/SRC/openSUSE:Factory/.permissions.new.3060/permissions.changes        
2020-07-15 11:13:53.324935511 +0200
@@ -1,0 +2,41 @@
+Fri Jul 10 09:50:04 UTC 2020 - matthias.gerst...@suse.com
+
+- Update to version 20200710:
+  * Revert "etc/permissions: remove entries for bind-chrootenv". This
+    currently conflicts with the way the CheckSUIDPermissions rpmlint-check is
+    implemented.
+
+-------------------------------------------------------------------
+Tue Jul  7 15:56:02 UTC 2020 - Callum Farmer <callumjfarme...@gmail.com>
+
+- Removed dbus-libexec.patch: contained in upstream
+
+-------------------------------------------------------------------
+Tue Jul 07 13:25:40 UTC 2020 - matthias.gerst...@suse.com
+
+- Update to version 20200624:
+  * rework permissions.local text (boo#1173221)
+  * dbus-1: adjust to new libexec dir location (bsc#1171164)
+  * permission profiles: reinstate kdesud for kde5
+  * etc/permissions: remove entries for bind-chrootenv
+  * etc/permissions: remove traceroute entry
+  * VirtualBox: remove outdated entry which is only a symlink any more
+  * /bin/su: remove path refering to symlink
+  * etc/permissions: remove legacy RPM directory entries
+  * /etc/permissions: remove outdated sudo directories
+  * singularity: remove outdated setuid-binary entries
+  * chromium: remove now unneeded chrome_sandbox entry (bsc#1163588)
+  * dbus-1: remove deprecated alternative paths
+  * PolicyKit: remove outdated entries last used in SLE-11
+  * pcp: remove no longer needed / conflicting entries
+  * gnats: remove entries for package removed from Factory
+  * kdelibs4: remove entries for package removed from Factory
+  * v4l-base: remove entries for package removed from Factory
+  * mailman: remove entries for package deleted from Factory
+  * gnome-pty-helper: remove dead entry no longer part of the vte package
+  * gnokii: remove entries for package no longer in Factory
+  * xawtv (v4l-conf): correct group ownership in easy profile
+  * systemd-journal: remove unnecessary profile entries
+  * thttp: make makeweb entry usable in the secure profile (bsc#1171580)
+
+-------------------------------------------------------------------
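Review bot: Two bullets in the 20200624 entry carry spelling slips that will land in the package changelog: "/bin/su: remove path refering to symlink" should read "referring", and "thttp: make makeweb entry usable in the secure profile" says "thttp" where the permissions.secure comment for the same entry says thttpd. The 20200710 entry also reverts "etc/permissions: remove entries for bind-chrootenv", which is still listed as done under 20200624; a short cross-reference on that bullet would stop readers from assuming the removal shipped.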

Old:
----
  dbus-libexec.patch
  permissions-20200526.tar.xz

New:
----
  permissions-20200710.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ permissions.spec ++++++
--- /var/tmp/diff_new_pack.V7av5q/_old  2020-07-15 11:13:56.784938935 +0200
+++ /var/tmp/diff_new_pack.V7av5q/_new  2020-07-15 11:13:56.784938935 +0200
@@ -16,7 +16,7 @@
 #
 
 
-%define VERSION_DATE 20200526
+%define VERSION_DATE 20200710
 
 Name:           permissions
 Version:        %{VERSION_DATE}.%{suse_version}
@@ -28,7 +28,6 @@
 URL:            http://github.com/openSUSE/permissions
 Source:         permissions-%{VERSION_DATE}.tar.xz
 Source1:        fix_version.sh
-Patch0:         dbus-libexec.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libcap-devel
 BuildRequires:  libcap-progs
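Review bot: The URL tag in this hunk's context still reads http://github.com/openSUSE/permissions, while _servicedata fetches from https://github.com/openSUSE/permissions.git. Since the spec is being touched anyway, switch the URL tag to https so the two agree.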
@@ -41,7 +40,7 @@
 Provides:       aaa_base:%{_datadir}/permissions
 
 %prep
-%autosetup -p1 -n permissions-%{VERSION_DATE}
+%autosetup -n permissions-%{VERSION_DATE}
 
 %build
 make %{?_smp_mflags} CFLAGS="-W -Wall %{optflags}" FSCAPS_DEFAULT_ENABLED=0

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.V7av5q/_old  2020-07-15 11:13:56.816938967 +0200
+++ /var/tmp/diff_new_pack.V7av5q/_new  2020-07-15 11:13:56.816938967 +0200
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
             <param 
name="url">https://github.com/openSUSE/permissions.git</param>
-          <param 
name="changesrevision">19a5eb449122601ea1f4053b575028d1895fedbb</param></service></servicedata>
\ No newline at end of file
+          <param 
name="changesrevision">8c1d3398d1f446ac3f27b293ab9d69ad73aaea6d</param></service></servicedata>
\ No newline at end of file

++++++ permissions-20200526.tar.xz -> permissions-20200710.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/permissions-20200526/etc/permissions 
new/permissions-20200710/etc/permissions
--- old/permissions-20200526/etc/permissions    2020-05-26 14:54:31.000000000 
+0200
+++ new/permissions-20200710/etc/permissions    2020-07-10 11:44:15.000000000 
+0200
@@ -69,8 +69,6 @@
 /var/cache/                                             root:root          755
 /var/run/nscd/socket                                   root:root          666
 /run/nscd/socket                                       root:root          666
-/var/run/sudo/                                          root:root          700
-/run/sudo/                                             root:root          700
 
 #
 # login tracking
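Review bot: With /var/run/sudo/ and /run/sudo/ dropped, nothing in this file pins those directories to root:root 700 any more, and the hunk does not say what guarantees that mode now. The changelog only calls them "outdated sudo directories"; a bug reference there, or a one-line comment here, would make it clear that the 700 requirement is covered elsewhere.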
@@ -136,9 +134,6 @@
 
 #
 # legacy
-#
-# new traceroute program by Olaf Kirch does not need setuid root any more.
-/usr/sbin/traceroute                                    root:root          755
 
 # games:games 775 safe as long as we don't change files below it (#103186)
 # still people do it (#429882) so root:root 755 is the consequence.
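Review bot: Removing the bare "#" line together with the traceroute comment and entry leaves the "# legacy" banner without its closing "#" line, unlike the "# named chroot (#438045)" banner later in the file, which keeps the "#" / title / "#" form. Keep the bare "#" and delete only the two traceroute lines.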
@@ -160,57 +155,15 @@
 #
 # named chroot (#438045)
 #
+# These currently conflict with a systemd-tmpfiles configuration file.
+# The entries in parallel serve the purpose of a whitelisting for
+# world-writable files, therefore they need to stay in place until we have a
+# better whitelisting concept.
 /var/lib/named/dev/null                                 root:root         0666
 /var/lib/named/dev/random                               root:root         0666
 
 # opiesu is not allowed setuid root as code quality is bad (bnc#882035)
 /usr/bin/opiesu                                                root:root       
  0755
 
-# we no longer make rpm build dirs 1777
-/usr/src/packages/SOURCES/                              root:root         0755
-/usr/src/packages/BUILD/                                root:root         0755
-/usr/src/packages/BUILDROOT/                            root:root         0755
-/usr/src/packages/RPMS/                                 root:root         0755
-/usr/src/packages/RPMS/alphaev56/                       root:root         0755
-/usr/src/packages/RPMS/alphaev67/                       root:root         0755
-/usr/src/packages/RPMS/alphaev6/                        root:root         0755
-/usr/src/packages/RPMS/alpha/                           root:root         0755
-/usr/src/packages/RPMS/amd64/                           root:root         0755
-/usr/src/packages/RPMS/arm4l/                           root:root         0755
-/usr/src/packages/RPMS/armv4l/                          root:root         0755
-/usr/src/packages/RPMS/armv5tejl/                       root:root         0755
-/usr/src/packages/RPMS/armv5tejvl/                      root:root         0755
-/usr/src/packages/RPMS/armv5tel/                        root:root         0755
-/usr/src/packages/RPMS/armv5tevl/                       root:root         0755
-/usr/src/packages/RPMS/armv6l/                          root:root         0755
-/usr/src/packages/RPMS/armv6vl/                         root:root         0755
-/usr/src/packages/RPMS/armv7l/                          root:root         0755
-/usr/src/packages/RPMS/athlon/                          root:root         0755
-/usr/src/packages/RPMS/geode/                           root:root         0755
-/usr/src/packages/RPMS/hppa2.0/                         root:root         0755
-/usr/src/packages/RPMS/hppa/                            root:root         0755
-/usr/src/packages/RPMS/i386/                            root:root         0755
-/usr/src/packages/RPMS/i486/                            root:root         0755
-/usr/src/packages/RPMS/i586/                            root:root         0755
-/usr/src/packages/RPMS/i686/                            root:root         0755
-/usr/src/packages/RPMS/ia32e/                           root:root         0755
-/usr/src/packages/RPMS/ia64/                            root:root         0755
-/usr/src/packages/RPMS/mips/                            root:root         0755
-/usr/src/packages/RPMS/noarch/                          root:root         0755
-/usr/src/packages/RPMS/pentium3/                        root:root         0755
-/usr/src/packages/RPMS/pentium4/                        root:root         0755
-/usr/src/packages/RPMS/powerpc64/                       root:root         0755
-/usr/src/packages/RPMS/powerpc/                         root:root         0755
-/usr/src/packages/RPMS/ppc64/                           root:root         0755
-/usr/src/packages/RPMS/ppc/                             root:root         0755
-/usr/src/packages/RPMS/s390/                            root:root         0755
-/usr/src/packages/RPMS/s390x/                           root:root         0755
-/usr/src/packages/RPMS/sparc64/                         root:root         0755
-/usr/src/packages/RPMS/sparc/                           root:root         0755
-/usr/src/packages/RPMS/sparcv9/                         root:root         0755
-/usr/src/packages/RPMS/x86_64/                          root:root         0755
-/usr/src/packages/SPECS/                                root:root         0755
-/usr/src/packages/SRPMS/                                root:root         0755
-
 # ceph log directory (bsc#1150366)
 /var/log/ceph/                                          ceph:ceph         3770
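Review bot: The comment added above the /var/lib/named/dev entries says they must stay "until we have a better whitelisting concept" but carries no bug reference, so there is nothing to track the follow-up against. These are 0666 entries kept only as a whitelist for world-writable files; add the bug number behind the revert and name the conflicting systemd-tmpfiles configuration file, so the next reader can check whether the conflict still exists.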
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/permissions-20200526/etc/permissions.local 
new/permissions-20200710/etc/permissions.local
--- old/permissions-20200526/etc/permissions.local      2020-05-26 
14:54:31.000000000 +0200
+++ new/permissions-20200710/etc/permissions.local      2020-07-10 
11:44:15.000000000 +0200
@@ -7,42 +7,21 @@
 #
 # This file is used by chkstat (and indirectly by various RPM package scripts)
 # to check or set the modes and ownerships of files and directories in
-# the installation.
+# the installation. It has priority over the distribution defaults in
+# /usr/share/permissions.
 #
-# If you want chkstat to be run automatically after zypper operations, then
-# you can install the permissions-zypp-plugin. This is helpful when you are
-# entering permissions in this file that get overwritten by package updates.
-# The plugin keeps the custom permissions in place.
-#
-# In particular, this file will not be touched during an upgrade of the
-# installation. It is designed to be a placeholder for local
-# additions by the administrator of the system to reflect filemodes
-# of locally installed packages or to override file permissions as
-# shipped with the distribution.
+# Please see the man page permissions(5) for general usage hints of this and
+# related files. Note that operations like package updates, log rotation or
+# systemd-tmpfiles can reset these file permissions. By default, changes to 
this
+# file are therefore only really useful to override the distribution default
+# permissions of files shipping with setXid permissions or capabilities.
+#
+# If you want entries for files installed through RPM to also be applied after
+# zypper operations, then you can install the permissions-zypp-plugin.  This is
+# helpful when you are entering permissions in this file that get overwritten
+# by package updates.
 #
-# Format:
-# <file> <owner>:<group> <permission>
 #
-# Please see the file /etc/permissions for general usage hints of the
-# /etc/permissions* files.
-# Please remember that logfiles might be modified by the logfile
-# rotation facilities (e.g. logrotate) so settings entered here might
-# be overridden. Also devices files (/dev/*) are not static but
-# managed via udev so this file can't be used to modify device
-# permissions either.
-#
-
-#
-# suexec is only secure if the document root doesn't contain files
-# writeable by wwwrun. Make sure you have a safe server setup
-# before setting the setuid bit! See also
-# https://bugzilla.novell.com/show_bug.cgi?id=263789
-# http://httpd.apache.org/docs/trunk/suexec.html
-#
-#/usr/sbin/suexec2            root:root       4755
-#/usr/sbin/suexec             root:root       4755
-
-# setuid bit on Xorg is only needed if no display manager, ie startx
-# is used. Beware of CVE-2010-2240.
+# Format:
+# <file> <owner>:<group> <mode>
 #
-#/usr/bin/Xorg                 root:root       4711
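Review bot: The deleted commented-out examples for /usr/sbin/suexec2, /usr/sbin/suexec and /usr/bin/Xorg carried the only security caveats in this file: suexec being safe only when the document root holds no files writable by wwwrun, and the CVE-2010-2240 warning for a setuid Xorg. The new header points to permissions(5) instead; please confirm those caveats remain somewhere an administrator re-enabling the setuid bit will see them. The rewrite also leaves two consecutive bare "#" lines ahead of "# Format:", one of which can go.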
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/permissions-20200526/profiles/permissions.easy 
new/permissions-20200710/profiles/permissions.easy
--- old/permissions-20200526/profiles/permissions.easy  2020-05-26 
14:54:31.000000000 +0200
+++ new/permissions-20200710/profiles/permissions.easy  2020-07-10 
11:44:15.000000000 +0200
@@ -41,7 +41,6 @@
 #
 # suid system programs that need the suid bit to work:
 #
-/bin/su                                                 root:root         4755
 /usr/bin/at                                             root:trusted      4755
 /usr/bin/crontab                                        root:trusted      4755
 /usr/bin/gpasswd                                        root:shadow       4755
@@ -74,14 +73,11 @@
 /usr/sbin/basic_pam_auth                                root:shadow       2750
 
 
-# still to be converted to utempter
-/usr/lib/gnome-pty-helper                               root:utmp         2755
-
 #
 # mixed section:
 #
-# video
-/usr/bin/v4l-conf                                       root:video        4755
+# xawtv (kind of reviewed via bsc#1171655)
+/usr/bin/v4l-conf                                       root:root         4755
 
 # turn off write and wall by disabling sgid tty:
 /usr/bin/wall                                           root:tty          2755
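Review bot: /usr/bin/v4l-conf becomes root:root 4755 in this profile, while the same update leaves it at root:video in permissions.paranoid (0755) and permissions.secure (4750) and only swaps the comment there. If the group differs per profile on purpose, say so in the comment; "kind of reviewed via bsc#1171655" does not tell the reader what the review concluded about this setuid-root binary.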
@@ -91,24 +87,6 @@
 # pcmcia:
 # Needs setuid to eject cards (#100120)
 /sbin/pccardctl                                         root:trusted      4755
-# gnokii nokia cellphone software
-# #66209
-/usr/sbin/mgnokiidev                                    root:uucp         4755
-# mailman mailing list software
-# #66315
-/usr/lib/mailman/cgi-bin/admin                          root:mailman      2755
-/usr/lib/mailman/cgi-bin/admindb                        root:mailman      2755
-/usr/lib/mailman/cgi-bin/edithtml                       root:mailman      2755
-/usr/lib/mailman/cgi-bin/listinfo                       root:mailman      2755
-/usr/lib/mailman/cgi-bin/options                        root:mailman      2755
-/usr/lib/mailman/cgi-bin/private                        root:mailman      2755
-/usr/lib/mailman/cgi-bin/roster                         root:mailman      2755
-/usr/lib/mailman/cgi-bin/subscribe                      root:mailman      2755
-/usr/lib/mailman/cgi-bin/confirm                        root:mailman      2755
-/usr/lib/mailman/cgi-bin/create                         root:mailman      2755
-/usr/lib/mailman/cgi-bin/editarch                       root:mailman      2755
-/usr/lib/mailman/cgi-bin/rmlist                         root:mailman      2755
-/usr/lib/mailman/mail/mailman                           root:mailman      2755
 
 # libgnomesu (#75823, #175616)
 /usr/lib/libgnomesu/gnomesu-pam-backend                 root:root         4755
@@ -132,10 +110,6 @@
 # dialup networking programs
 #
 /usr/sbin/pppoe-wrapper                                 root:dialout      4750
-# i4l package (#100750):
-/sbin/isdnctrl                                          root:dialout      4750
-# #66111
-/usr/bin/vboxbeep                                       root:trusted      4755
 
 
 #
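Review bot: The i4l entries /sbin/isdnctrl and /usr/bin/vboxbeep are removed here, and again in the paranoid and secure profiles, but the permissions.changes entry for 20200624 has no bullet for them; the nearest one, "VirtualBox: remove outdated entry which is only a symlink any more", concerns a different package. Add a changelog line so the removal of these setuid entries is traceable.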
@@ -159,24 +133,10 @@
 # framebuffer terminal emulator (japanese)
 /usr/bin/jfbterm                                        root:tty          6755
 
-#
-# kde
-# (all of them are disabled in permissions.secure except for 
-# the helper programs)
-#
-# needs setuid root when using shadow via NIS:
-# #66218
-/usr/lib/kde4/libexec/kcheckpass                        root:shadow       4755
-/usr/lib64/kde4/libexec/kcheckpass                      root:shadow       4755
-/usr/lib/kde4/libexec/kdesud                            root:nogroup      2755
-/usr/lib64/kde4/libexec/kdesud                          root:nogroup      2755
+# kdesud (bsc#872276)
 /usr/lib/libexec/kf5/kdesud                             root:nogroup      2755
 /usr/lib64/libexec/kf5/kdesud                           root:nogroup      2755
 
-# bnc#523833
-/usr/lib/kde4/libexec/start_kdeinit                     root:root         4755
-/usr/lib64/kde4/libexec/start_kdeinit                   root:root         4755
-
 #
 # amanda
 #
@@ -199,14 +159,6 @@
 
 
 #
-# gnats
-#
-/usr/lib/gnats/gen-index                                gnats:root        4555
-/usr/lib/gnats/pr-edit                                  gnats:root        4555
-/usr/lib/gnats/queue-pr                                 gnats:root        4555
-
-
-#
 # news (inn)
 #
 # the inn start script changes it's uid to news:news. Later innbind
@@ -242,40 +194,19 @@
 /usr/lib/uucp/uuxqt                                     uucp:uucp         6555
 /usr/libexec/uucp/uuxqt                                 uucp:uucp         6555
 
-# pcp (bnc#782967)
-/var/lib/pcp/tmp/                                      root:root         1777
-/var/lib/pcp/tmp/pmdabash/                             root:root         1777
-/var/lib/pcp/tmp/mmv/                                  root:root         1777
-/var/lib/pcp/tmp/pmlogger/                             root:root         1777
-/var/lib/pcp/tmp/pmie/                                 root:root         1777
-
-# PolicyKit (#295341)
-/usr/lib/PolicyKit/polkit-set-default-helper            polkituser:root   4755
-/usr/lib/PolicyKit/polkit-read-auth-helper              root:polkituser   2755
-/usr/lib/PolicyKit/polkit-revoke-helper                 root:polkituser   2755
-/usr/lib/PolicyKit/polkit-explicit-grant-helper         root:polkituser   2755
-/usr/lib/PolicyKit/polkit-grant-helper                  root:polkituser   2755
-/usr/lib/PolicyKit/polkit-grant-helper-pam              root:polkituser   4750
-
 # polkit new (bnc#523377)
 /usr/lib/polkit-1/polkit-agent-helper-1                 root:root         4755
 /usr/libexec/polkit-1/polkit-agent-helper-1             root:root         4755
 /usr/bin/pkexec                                         root:root         4755
 
-# dbus-1 (#333361)
-/lib/dbus-1/dbus-daemon-launch-helper                   root:messagebus   4750
-/lib64/dbus-1/dbus-daemon-launch-helper                 root:messagebus   4750
-# dbus-1 in /usr #1056764)
+# dbus-1 (#333361, #1056764, bsc#1171164)
 /usr/lib/dbus-1/dbus-daemon-launch-helper               root:messagebus   4750
-/usr/lib64/dbus-1/dbus-daemon-launch-helper             root:messagebus   4750
+/usr/libexec/dbus-1/dbus-daemon-launch-helper           root:messagebus   4750
 
 # policycoreutils (#440596)
 /usr/bin/newrole                                        root:root         4755
 
-# VirtualBox (#429725)
-/usr/lib/virtualbox/VirtualBox                          root:vboxusers    4750
-/usr/libexec/virtualbox/VirtualBox                      root:vboxusers    4750
-# bsc#1120650
+# VirtualBox (#429725, bsc#1120650)
 /usr/lib/virtualbox/VirtualBoxVM                        root:vboxusers    4750
 /usr/libexec/virtualbox/VirtualBoxVM                    root:vboxusers    4750
 /usr/lib/virtualbox/VBoxHeadless                        root:vboxusers    4750
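Review bot: The /var/lib/pcp/tmp/ directories dropped in this hunk were listed with mode 1777, and the comment added to etc/permissions in this same update says such entries also serve as the whitelist for world-writable files. The changelog bullet "pcp: remove no longer needed / conflicting entries" does not say which of the two applies; please confirm that pcp no longer ships these directories world-writable, otherwise this removal can hit the same whitelisting problem that forced the bind-chrootenv revert.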
@@ -302,9 +233,6 @@
 /usr/sbin/hawk_chkpwd                                   root:haclient     4750
 /usr/sbin/hawk_invoke                                   root:haclient     4750
 
-# chromium (bnc#718016)
-/usr/lib/chrome_sandbox                                 root:root         4755
-
 # ecryptfs-utils (bnc#740110)
 /sbin/mount.ecryptfs_private                           root:root         4755
 
@@ -312,15 +240,6 @@
 /usr/bin/dumpcap                                       root:wireshark    0750
  +capabilities cap_net_raw,cap_net_admin=ep
 
-# singularity (bsc#1028304)
-# these have been dropped in version 2.4 (see bsc#1111411, comment 4)
-#/usr/lib/singularity/bin/expand-suid                  root:singularity  4750
-#/usr/lib/singularity/bin/create-suid                  root:singularity  4750
-#/usr/lib/singularity/bin/export-suid                  root:singularity  4750
-#/usr/lib/singularity/bin/import-suid                  root:singularity  4750
-/usr/lib/singularity/bin/action-suid                   root:singularity  4750
-/usr/lib/singularity/bin/mount-suid                    root:singularity  4750
-/usr/lib/singularity/bin/start-suid                    root:singularity  4750
 # singularity version 3 (bsc#1128598)
 /usr/lib/singularity/bin/starter-suid                   root:singularity  4750
 /usr/libexec/singularity/bin/starter-suid               root:singularity  4750
@@ -342,9 +261,6 @@
 /usr/lib/qemu-bridge-helper                            root:kvm        04750
 /usr/libexec/qemu-bridge-helper                        root:kvm        04750
 
-# systemd-journal (bnc#888151)
-/var/log/journal/                                       root:systemd-journal   
2755
-
 #iouyap (bnc#904060)
 /usr/lib/iouyap                                                root:iouyap     
0750
   +capabilities cap_net_raw,cap_net_admin=ep
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/permissions-20200526/profiles/permissions.paranoid 
new/permissions-20200710/profiles/permissions.paranoid
--- old/permissions-20200526/profiles/permissions.paranoid      2020-05-26 
14:54:31.000000000 +0200
+++ new/permissions-20200710/profiles/permissions.paranoid      2020-07-10 
11:44:15.000000000 +0200
@@ -58,7 +58,6 @@
 #
 # suid system programs that need the suid bit to work:
 #
-/bin/su                                                 root:root         0755
 # disable at and cron for non-root users
 /usr/bin/at                                             root:trusted      0755
 /usr/bin/crontab                                        root:trusted      0755
@@ -91,13 +90,10 @@
 /usr/sbin/basic_pam_auth                                root:shadow       0750
 
 
-# still to be converted to utempter
-/usr/lib/gnome-pty-helper                               root:utmp         0755
-
 #
 # mixed section: most of it is disabled in this permissions.paranoid:
 #
-# video
+# xawtv (kind of reviewed via bsc#1171655)
 /usr/bin/v4l-conf                                       root:video        0755
 
 # turned off write and wall by disabling sgid tty:
@@ -108,24 +104,6 @@
 # pcmcia:
 # Needs setuid to eject cards (#100120)
 /sbin/pccardctl                                         root:trusted      0755
-# gnokii nokia cellphone software
-# #66209
-/usr/sbin/mgnokiidev                                    root:uucp          755
-# mailman mailing list software
-# #66315
-/usr/lib/mailman/cgi-bin/admin                          root:mailman      0755
-/usr/lib/mailman/cgi-bin/admindb                        root:mailman      0755
-/usr/lib/mailman/cgi-bin/edithtml                       root:mailman      0755
-/usr/lib/mailman/cgi-bin/listinfo                       root:mailman      0755
-/usr/lib/mailman/cgi-bin/options                        root:mailman      0755
-/usr/lib/mailman/cgi-bin/private                        root:mailman      0755
-/usr/lib/mailman/cgi-bin/roster                         root:mailman      0755
-/usr/lib/mailman/cgi-bin/subscribe                      root:mailman      0755
-/usr/lib/mailman/cgi-bin/confirm                        root:mailman      0755
-/usr/lib/mailman/cgi-bin/create                         root:mailman      0755
-/usr/lib/mailman/cgi-bin/editarch                       root:mailman      0755
-/usr/lib/mailman/cgi-bin/rmlist                         root:mailman      0755
-/usr/lib/mailman/mail/mailman                           root:mailman      0755
 
 # libgnomesu (#75823, #175616)
 /usr/lib/libgnomesu/gnomesu-pam-backend                 root:root         0755
@@ -146,10 +124,6 @@
 # dialup networking programs
 #
 /usr/sbin/pppoe-wrapper                                 root:dialout      0750
-# i4l package (#100750):
-/sbin/isdnctrl                                          root:dialout      0750
-# #66111
-/usr/bin/vboxbeep                                       root:trusted      0755
 
 
 #
@@ -172,22 +146,10 @@
 # framebuffer terminal emulator (japanese).
 /usr/bin/jfbterm                                        root:tty          0755
 
-#
-# kde
-#
-# needs setuid root when using shadow via NIS:
-# #66218
-/usr/lib/kde4/libexec/kcheckpass                        root:shadow       0755
-/usr/lib64/kde4/libexec/kcheckpass                      root:shadow       0755
-/usr/lib/kde4/libexec/kdesud                            root:nogroup      0755
-/usr/lib64/kde4/libexec/kdesud                          root:nogroup      0755
+# kdesud (bsc#872276)
 /usr/lib/libexec/kf5/kdesud                             root:nogroup      0755
 /usr/lib64/libexec/kf5/kdesud                           root:nogroup      0755
 
-# bnc#523833
-/usr/lib/kde4/libexec/start_kdeinit                     root:root         0755
-/usr/lib64/kde4/libexec/start_kdeinit                   root:root         0755
-
 #
 # amanda
 #
@@ -210,14 +172,6 @@
 
 
 #
-# gnats
-#
-/usr/lib/gnats/gen-index                                gnats:root        0555
-/usr/lib/gnats/pr-edit                                  gnats:root        0555
-/usr/lib/gnats/queue-pr                                 gnats:root        0555
-
-
-#
 # news (inn)
 #
 # the inn start script changes it's uid to news:news. Later innbind
@@ -253,40 +207,19 @@
 /usr/lib/uucp/uuxqt                                     uucp:uucp         0555
 /usr/libexec/uucp/uuxqt                                 uucp:uucp         0555
 
-# pcp (bnc#782967)
-/var/lib/pcp/tmp/                                      root:root         0755
-/var/lib/pcp/tmp/pmdabash/                             root:root         0755
-/var/lib/pcp/tmp/mmv/                                  root:root         0755
-/var/lib/pcp/tmp/pmlogger/                             root:root         0755
-/var/lib/pcp/tmp/pmie/                                 root:root         0755
-
-# PolicyKit (#295341)
-/usr/lib/PolicyKit/polkit-set-default-helper            root:polkituser   0755
-/usr/lib/PolicyKit/polkit-read-auth-helper              root:polkituser   0755
-/usr/lib/PolicyKit/polkit-revoke-helper                 root:polkituser   0755
-/usr/lib/PolicyKit/polkit-explicit-grant-helper         root:polkituser   0755
-/usr/lib/PolicyKit/polkit-grant-helper                  root:polkituser   0755
-/usr/lib/PolicyKit/polkit-grant-helper-pam              root:polkituser   0755
-
 # polkit new (bnc#523377)
 /usr/lib/polkit-1/polkit-agent-helper-1                 root:root         0755
 /usr/libexec/polkit-1/polkit-agent-helper-1             root:root         0755
 /usr/bin/pkexec                                         root:root         0755
 
-# dbus-1 (#333361)
-/lib/dbus-1/dbus-daemon-launch-helper                   root:messagebus   0750
-/lib64/dbus-1/dbus-daemon-launch-helper                 root:messagebus   0750
-# dbus-1 in /usr #1056764)
+# dbus-1 (#333361, #1056764, bsc#1171164)
 /usr/lib/dbus-1/dbus-daemon-launch-helper               root:messagebus   0750
-/usr/lib64/dbus-1/dbus-daemon-launch-helper             root:messagebus   0750
+/usr/libexec/dbus-1/dbus-daemon-launch-helper           root:messagebus   0750
 
 # policycoreutils (#440596)
 /usr/bin/newrole                                        root:root         0755
 
-# VirtualBox (#429725)
-/usr/lib/virtualbox/VirtualBox                          root:vboxusers    0755
-/usr/libexec/virtualbox/VirtualBox                      root:vboxusers    0755
-# bsc#1120650
+# VirtualBox (#429725, bsc#1120650)
 /usr/lib/virtualbox/VirtualBoxVM                        root:vboxusers    0750
 /usr/libexec/virtualbox/VirtualBoxVM                    root:vboxusers    0750
 /usr/lib/virtualbox/VBoxHeadless                        root:vboxusers    0755
@@ -314,24 +247,12 @@
 /usr/sbin/hawk_chkpwd                                   root:haclient     0755
 /usr/sbin/hawk_invoke                                   root:haclient     0755
 
-# chromium (bnc#718016)
-/usr/lib/chrome_sandbox                                 root:root         0755
-
 # ecryptfs-utils (bnc#740110)
 /sbin/mount.ecryptfs_private                            root:root         0755
 
 # wireshark (bsc#957624)
 /usr/bin/dumpcap                                       root:root         0755
 
-# singularity (bsc#1028304)
-# these have been dropped in version 2.4 (see bsc#1111411, comment 4)
-#/usr/lib/singularity/bin/expand-suid                  root:singularity  0750
-#/usr/lib/singularity/bin/create-suid                  root:singularity  0750
-#/usr/lib/singularity/bin/export-suid                  root:singularity  0750
-#/usr/lib/singularity/bin/import-suid                  root:singularity  0750
-/usr/lib/singularity/bin/action-suid                   root:singularity  0750
-/usr/lib/singularity/bin/mount-suid                    root:singularity  0750
-/usr/lib/singularity/bin/start-suid                    root:singularity  0750
 # singularity version 3 (bsc#1128598)
 /usr/lib/singularity/bin/starter-suid                   root:singularity  0750
 /usr/libexec/singularity/bin/starter-suid               root:singularity  0750
@@ -351,9 +272,6 @@
 /usr/lib/qemu-bridge-helper                            root:root       755
 /usr/libexec/qemu-bridge-helper                        root:root       755
 
-# systemd-journal (bnc#888151)
-/var/log/journal/                                       root:systemd-journal   
2755
-
 #iouyap (bnc#904060)
 /usr/lib/iouyap                                                root:iouyap     
0750
 /usr/libexec/iouyap                                    root:iouyap     0750
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/permissions-20200526/profiles/permissions.secure 
new/permissions-20200710/profiles/permissions.secure
--- old/permissions-20200526/profiles/permissions.secure        2020-05-26 
14:54:31.000000000 +0200
+++ new/permissions-20200710/profiles/permissions.secure        2020-07-10 
11:44:15.000000000 +0200
@@ -81,7 +81,6 @@
 #
 # suid system programs that need the suid bit to work:
 #
-/bin/su                                                 root:root         4755
 # disable at and cron for users that do not belong to the group "trusted"
 /usr/bin/at                                             root:trusted      4750
 /usr/bin/crontab                                        root:trusted      4750
@@ -115,41 +114,20 @@
 /usr/sbin/basic_pam_auth                                root:shadow       2750
 
 
-# still to be converted to utempter
-/usr/lib/gnome-pty-helper                               root:utmp         2755
-
 #
 # mixed section: most of it is disabled in this permissions.secure:
 #
-# video
+# xawtv (kind of reviewed via bsc#1171655)
 /usr/bin/v4l-conf                                       root:video        4750
 
 # turned off write and wall by disabling sgid tty:
 /usr/bin/wall                                           root:tty          0755
 /usr/bin/write                                          root:tty          0755
-# thttpd: sgid + executeable only for group www. Useless...
-/usr/bin/makeweb                                        root:www          2750
+# thttpd (bsc#1171580)
+/usr/bin/makeweb                                        root:www          2751
 # pcmcia:
 # Needs setuid to eject cards (#100120)
 /sbin/pccardctl                                         root:trusted      4750
-# gnokii nokia cellphone software
-# #66209
-/usr/sbin/mgnokiidev                                    root:uucp          755
-# mailman mailing list software
-# #66315
-/usr/lib/mailman/cgi-bin/admin                          root:mailman      2755
-/usr/lib/mailman/cgi-bin/admindb                        root:mailman      2755
-/usr/lib/mailman/cgi-bin/edithtml                       root:mailman      2755
-/usr/lib/mailman/cgi-bin/listinfo                       root:mailman      2755
-/usr/lib/mailman/cgi-bin/options                        root:mailman      2755
-/usr/lib/mailman/cgi-bin/private                        root:mailman      2755
-/usr/lib/mailman/cgi-bin/roster                         root:mailman      2755
-/usr/lib/mailman/cgi-bin/subscribe                      root:mailman      2755
-/usr/lib/mailman/cgi-bin/confirm                        root:mailman      2755
-/usr/lib/mailman/cgi-bin/create                         root:mailman      2755
-/usr/lib/mailman/cgi-bin/editarch                       root:mailman      2755
-/usr/lib/mailman/cgi-bin/rmlist                         root:mailman      2755
-/usr/lib/mailman/mail/mailman                           root:mailman      2755
 
 # libgnomesu (#75823, #175616)
 /usr/lib/libgnomesu/gnomesu-pam-backend                 root:root         4755
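Review bot: /usr/bin/makeweb goes from 2750 to 2751 in the secure profile, which lets every local user execute a setgid-www binary, while the old comment called the group-only variant useless and the new one only cites bsc#1171580. This is the one line in the hunk that widens access instead of removing an entry, so the comment should say why world-execute is needed here. The replacement comment on /usr/bin/v4l-conf, "kind of reviewed via bsc#1171655", is also too vague for a 4750 setuid-root entry; please state what the review covered.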
@@ -172,10 +150,6 @@
 # dialup networking programs
 #
 /usr/sbin/pppoe-wrapper                                 root:dialout      4750
-# i4l package (#100750):
-/sbin/isdnctrl                                          root:dialout      4750
-# #66111
-/usr/bin/vboxbeep                                       root:trusted      0755
 
 
 #
@@ -199,24 +173,10 @@
 # framebuffer terminal emulator (japanese)
 /usr/bin/jfbterm                                        root:tty          0755
 
-#
-# kde
-# (all of them are disabled in permissions.secure except for 
-# the helper programs)
-#
-# needs setuid root when using shadow via NIS:
-# #66218
-/usr/lib/kde4/libexec/kcheckpass                        root:shadow       4755
-/usr/lib64/kde4/libexec/kcheckpass                      root:shadow       4755
-/usr/lib/kde4/libexec/kdesud                            root:nogroup      2755
-/usr/lib64/kde4/libexec/kdesud                          root:nogroup      2755
+# kdesud (bsc#872276)
 /usr/lib/libexec/kf5/kdesud                             root:nogroup      2755
 /usr/lib64/libexec/kf5/kdesud                           root:nogroup      2755
 
-# bnc#523833
-/usr/lib/kde4/libexec/start_kdeinit                     root:root         4755
-/usr/lib64/kde4/libexec/start_kdeinit                   root:root         4755
-
 #
 # amanda
 #
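Review bot: With the kde section header deleted, the two remaining kf5 kdesud lines keep setgid nogroup (2755) in the secure profile with only the bare reference "kdesud (bsc#872276)" as explanation; the removed header was the text that said helper programs stay enabled in this profile. A short comment on why kdesud needs the sgid bit would keep the entry understandable without opening the bug.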
@@ -239,14 +199,6 @@
 
 
 #
-# gnats
-#
-/usr/lib/gnats/gen-index                                gnats:root        4555
-/usr/lib/gnats/pr-edit                                  gnats:root        4555
-/usr/lib/gnats/queue-pr                                 gnats:root        4555
-
-
-#
 # news (inn)
 #
 # the inn start script changes it's uid to news:news. Later innbind
@@ -283,40 +235,19 @@
 /usr/libexec/uucp/uuxqt                                 uucp:uucp         6555
 
 
-# pcp (bnc#782967)
-/var/lib/pcp/tmp/                                      root:root         0755
-/var/lib/pcp/tmp/pmdabash/                             root:root         0755
-/var/lib/pcp/tmp/mmv/                                  root:root         0755
-/var/lib/pcp/tmp/pmlogger/                             root:root         0755
-/var/lib/pcp/tmp/pmie/                                 root:root         0755
-
-# PolicyKit (#295341)
-/usr/lib/PolicyKit/polkit-set-default-helper            polkituser:root   4755
-/usr/lib/PolicyKit/polkit-read-auth-helper              root:polkituser   2755
-/usr/lib/PolicyKit/polkit-revoke-helper                 root:polkituser   2755
-/usr/lib/PolicyKit/polkit-explicit-grant-helper         root:polkituser   2755
-/usr/lib/PolicyKit/polkit-grant-helper                  root:polkituser   2755
-/usr/lib/PolicyKit/polkit-grant-helper-pam              root:polkituser   4750
-
 # polkit new (bnc#523377)
 /usr/lib/polkit-1/polkit-agent-helper-1                 root:root         4755
 /usr/libexec/polkit-1/polkit-agent-helper-1             root:root         4755
 /usr/bin/pkexec                                         root:root         4755
 
-# dbus-1 (#333361)
-/lib/dbus-1/dbus-daemon-launch-helper                   root:messagebus   4750
-/lib64/dbus-1/dbus-daemon-launch-helper                 root:messagebus   4750
-# dbus-1 in /usr #1056764)
+# dbus-1 (#333361 #1056764, bsc#1171164)
 /usr/lib/dbus-1/dbus-daemon-launch-helper               root:messagebus   4750
-/usr/lib64/dbus-1/dbus-daemon-launch-helper             root:messagebus   4750
+/usr/libexec/dbus-1/dbus-daemon-launch-helper           root:messagebus   4750
 
 # policycoreutils (#440596)
 /usr/bin/newrole                                        root:root         0755
 
-# VirtualBox (#429725)
-/usr/lib/virtualbox/VirtualBox                          root:vboxusers    0755
-/usr/libexec/virtualbox/VirtualBox                      root:vboxusers    0755
-# bsc#1120650
+# VirtualBox (#429725, bsc#1120650)
 /usr/lib/virtualbox/VirtualBoxVM                        root:vboxusers    0750
 /usr/libexec/virtualbox/VirtualBoxVM                    root:vboxusers    0750
 /usr/lib/virtualbox/VBoxHeadless                        root:vboxusers    0755
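Review bot: The dbus-1 block drops the /lib/dbus-1, /lib64/dbus-1 and /usr/lib64/dbus-1 paths and adds only /usr/libexec/dbus-1, so a dbus-daemon-launch-helper still installed under one of the removed paths would no longer get root:messagebus 4750 from this profile. Please confirm that no supported package ships the helper in those locations any more. Minor: the merged comment "# dbus-1 (#333361 #1056764, bsc#1171164)" is missing a comma after the first reference, unlike the merged VirtualBox comment further down.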
@@ -344,9 +275,6 @@
 /usr/sbin/hawk_chkpwd                                   root:haclient     4750
 /usr/sbin/hawk_invoke                                   root:haclient     4750
 
-# chromium (bnc#718016)
-/usr/lib/chrome_sandbox                                 root:root         4755
-
 # ecryptfs-utils (bnc#740110)
 /sbin/mount.ecryptfs_private                            root:root         0755
 
@@ -354,15 +282,6 @@
 /usr/bin/dumpcap                                       root:wireshark    0750
  +capabilities cap_net_raw,cap_net_admin=ep
 
-# singularity (bsc#1028304)
-# these have been dropped in version 2.4 (see bsc#1111411, comment 4)
-#/usr/lib/singularity/bin/expand-suid                  root:singularity  4750
-#/usr/lib/singularity/bin/create-suid                  root:singularity  4750
-#/usr/lib/singularity/bin/export-suid                  root:singularity  4750
-#/usr/lib/singularity/bin/import-suid                  root:singularity  4750
-/usr/lib/singularity/bin/action-suid                   root:singularity  4750
-/usr/lib/singularity/bin/mount-suid                    root:singularity  4750
-/usr/lib/singularity/bin/start-suid                    root:singularity  4750
 # singularity version 3 (bsc#1128598)
 /usr/lib/singularity/bin/starter-suid                   root:singularity  4750
 /usr/libexec/singularity/bin/starter-suid               root:singularity  4750
@@ -382,9 +301,6 @@
 /usr/lib/qemu-bridge-helper                            root:kvm        04750
 /usr/libexec/qemu-bridge-helper                        root:kvm        04750
 
-# systemd-journal (bnc#888151)
-/var/log/journal/                                       root:systemd-journal   
2755
-
 #iouyap (bnc#904060)
 /usr/lib/iouyap                                                root:iouyap     
0750
 /usr/libexec/iouyap                                    root:iouyap     0750
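Review bot: The /var/log/journal/ entry (root:systemd-journal 2755) is removed here, and in the same way in the preceding profile's hunk, together with its bnc#888151 comment, and the diff gives no pointer to what now sets the group and setgid bit on that directory. Please name in the commit message whatever takes over, so it is clear the directory does not end up with different ownership or mode on systems that relied on these profiles.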

