| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: permissions | Distribution: SUSE Linux Enterprise 15 |
| Version: 20201225 | Vendor: SUSE LLC <https://www.suse.com/> |
| Release: 150400.5.16.1 | Build date: Thu Oct 20 11:40:03 2022 |
| Group: Productivity/Security | Build host: ibs-arm-5 |
| Size: 153983 | Source RPM: permissions-20201225-150400.5.16.1.src.rpm |
| Packager: https://www.suse.com/ | |
| Url: http://github.com/openSUSE/permissions | |
| Summary: SUSE Linux Default Permissions | |
Permission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.
GPL-2.0+
* Wed Oct 19 2022 matthias.gerstner@suse.com
- Update to version 20201225:
* permissions for enlightenment helper on 32bit arches (bsc#1194047)
* Tue Oct 11 2022 matthias.gerstner@suse.com
- Update to version 20201225:
* fix regression introduced by backport of security fix (bsc#1203911)
* Tue Sep 13 2022 matthias.gerstner@suse.com
- Update to version 20201225:
* chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)
* Fri Jul 15 2022 matthias.gerstner@suse.com
- Update to version 20201225:
* postfix: add postlog setgid for maildrop binary (bsc#1201385)
* Mon Jul 11 2022 matthias.gerstner@suse.com
- Update to version 20201225:
* apptainer: fix starter-suid location (bsc#1198720)
* Wed Jul 06 2022 matthias.gerstner@suse.com
- Update to version 20201225:
* static permissions: remove deprecated bind / named chroot entries (bsc#1200747)
* Tue Apr 26 2022 matthias.gerstner@suse.com
- Update to version 20201225:
* backport of apptainer whitelisting (bsc#1196145, bsc#1198720)
* Fri Apr 01 2022 matthias.gerstner@suse.com
- Update to version 20201225:
* squid: adjust pinger path, drop basic_pam_auth (bsc#1197649)
* Fri Mar 11 2022 matthias.gerstner@suse.com
- Update to version 20201225:
* whitelist ksysguard network helper (bsc#1151190)
* Fri Jan 14 2022 jsegitz@suse.com
- Update to version 20181225:
* setuid bit for cockpit session binary (bsc#1169614)
* Wed Dec 22 2021 matthias.gerstner@suse.com
- Update to version 20181225:
* drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)
* Fri Apr 30 2021 matthias.gerstner@suse.com
- Update to version 20181225:
* etc/permissions: remove unnecessary entries (bsc#1182899)
* Thu Jan 21 2021 matthias.gerstner@suse.com
- Update to version 20181224:
* pcp: remove no longer needed / conflicting entries
(bsc#1171883, CVE-2020-8025)
* Tue Jun 02 2020 matthias.gerstner@suse.com
- Update to version 20181224:
* profiles: add entries for enlightenment (bsc#1171686)
* Thu May 28 2020 malte.kraus@suse.com
- whitelist texlive public binary (bsc#1171686)
* Mon May 11 2020 jsegitz@suse.com
- Remove setuid bit for newgidmap and newuidmap in paranoid profile
(bsc#1171173)
* Thu Apr 02 2020 jsegitz@suse.com
- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)
* Tue Mar 24 2020 jsegitz@suse.com
- whitelist s390-tools setgid bit on log directory (bsc#1167163)
* Mon Mar 02 2020 malte.kraus@suse.com
- run testsuite during package build
- Update to version 20181224:
* testsuite: adapt expected behavior to legacy branches
* adjust testsuite to post CVE-2020-8013 link handling
* testsuite: add option to not mount /proc
* do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922
* add a test for symlinked directories
* fix relative symlink handling
* regtest: fix the static PATH list which was missing /usr/bin
* regtest: also unshare the PID namespace to support /proc mounting
* Makefile: force remove upon clean target to prevent bogus errors
* regtest: by default automatically (re)build chkstat before testing
* regtest: add test for symlink targets
* regtest: make capability setting tests optional
* regtest: fix capability assertion helper logic
* regtests: add another test case that catches set*id or caps in world-writable sub-trees
* regtest: add another test that catches when privilege bits are set for special files
* regtest: add test case for user owned symlinks
* regtest: employ subuid and subgid feature in user namespace
* regtest: add another test case that covers unknown user/group config
* regtest: add another test that checks rejection of insecure mixed-owner paths
* regtest: add test that checks for rejection of world-writable paths
* regtest: add test for detection of unexpected parent directory ownership
* regtest: add further helper functions, allow access to main instance
* regtest: introduce some basic coloring support to improve readability
* regtest: sort imports, another piece of rationale
* regtest: add capability test case
* regtest: improve error flagging of test cases and introduce warnings
* regtest: support caps
* regtest: add a couple of command line parameter test cases
* regtest: add another test that checks whether the default profile works
* regtests: add tests for correct application of local profiles
* regtest: add further test cases that test correct profile application
* regtest: simplify test implementation and readability
* regtest: add helpers for permissions.d per package profiles
* regtest: support read-only bind mounts, also bind-mount permissions repo
* tests: introduce a regression test suite for chkstat
* Fri Feb 28 2020 malte.kraus@suse.com
- Update to version 20181224:
* whitelist WMP (bsc#1161335)
* Makefile: allow to build test version programmatically
* chkstat: handle symlinks in final path elements correctly
* add .gitignore for chkstat binary
* faxq-helper: correct "secure" permission for trusted group (bsc#1157498)
* fix syntax of paranoid profile
* Thu Feb 06 2020 matthias.gerstner@suse.com
- Update to version 20181224:
* mariadb: settings for new auth_pam_tool (bsc#1160285)
* chkstat: capability handling fixes (bsc#1161779)
* chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594)
* dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)
* Wed Feb 05 2020 matthias.gerstner@suse.com
Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore
remove all of the following patches which are now included in the tarball:
- 0001-whitelisting-update-virtualbox.patch
- 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch
- 0004-var-cache-man.patch
- 0005-singularity-starter-suid.patch
- 0006-bsc1110797_amanda.patch
- 0007-chkstat-fix-privesc-CVE-2019-3690.patch
- 0008-squid-pinger-owner-fix-CVE-2019-3688.patch
- 0009-chkstat-handle-missing-proc.patch
- 0010-chkstat-capabilities-implicit-changes.patch
Because of inconsistencies between the upstream branch and the package state
the following previously missing changes are introduced by this update:
- Update to version 20181117:
* removed old entry for rmtab
* Fixed typo in icinga2 whitelist entry
* Fri Jan 31 2020 malte.kraus@suse.com
- fix regression where chkstat breaks without /proc available
(bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch)
- fix capability handling when doing multiple permission changes
at once (bsc#1161779,
0010-chkstat-capabilities-implicit-changes.patch)
* Tue Nov 19 2019 malte.kraus@suse.com
- fix invalid free() when permfiles points to argv (bsc#1157198,
changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)
* Mon Oct 28 2019 malte.kraus@suse.com
- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414,
CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)
* Mon Oct 28 2019 malte.kraus@suse.com
- fix privilege escalation through untrusted symlinks (bsc#1150734,
CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)
* Thu Sep 26 2019 jsegitz@suse.com
- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch
(bsc#1110797)
* Thu Jun 13 2019 malte.kraus@suse.com
- Added ./0005-singularity-starter-suid.patch (bsc#1128598)
New whitelisting for /usr/lib/singularity/bin/starter-suid
* Tue Apr 30 2019 jsegitz@suse.com
- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man.
Conflicts with packaging and man:man is the better setting anyway
(bsc#1133678)
* Tue Feb 12 2019 jsegitz@suse.com
- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650)
New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed
stale entries for VirtualBox
- Added 0002-consistency-between-profiles.patch
Ensure consistency of entries, otherwise switching between settings
becomes problematic
- Added 0003-var-run-postgresql.patch (bsc#1123886)
Whitelist for postgresql. Currently the checker doesn't complain
because the directories aren't packaged, but that might change
and/or our checkers might improve
* Wed Nov 28 2018 opensuse-packaging@opensuse.org
- Update to version 20181116:
* zypper-plugin: new plugin to fix bsc#1114383
* singularity: remove dropped -suid binaries (bsc#1028304)
* capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds
* setuid whitelisting: add fusermount3 (bsc#1111230)
* setuid whitelisting: add authbind binary (bsc#1111251)
* setuid whitelisting: add firejail binary (bsc#1059013)
* setuid whitelisting: add lxc-user-nic (bsc#988348)
* whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956)
* whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420)
* Fix wrong file path in help string
* Capabilities for usage of Wireshark for non-root
- remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch:
is now contained in tarball.
* Mon Aug 20 2018 matthias.gerstner@suse.com
- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add
whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved
usability.
* Thu Jan 25 2018 meissner@suse.com
- Update to version 20180125:
* the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247)
* make btmp root:utmp (bsc#1050467)
* Mon Jan 15 2018 krahmer@suse.com
- Update to version 20180115:
* - polkit-default-privs: usbauth (bsc#1066877)
* Mon Dec 04 2017 kukuk@suse.com
- fillup is required for post, not pre installation
* Thu Nov 30 2017 mpluskal@suse.com
- Cleanup spec file with spec-cleaner
- Drop conditions/definitions related to old distros
* Wed Nov 29 2017 astieger@suse.com
- Update to version 20171129:
* permissions: adding gvfs (bsc#1065864)
* Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410
* Allow fping cap_net_raw (bsc#1047921)
* Thu Nov 23 2017 rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
* Tue Nov 21 2017 krahmer@suse.com
- Update to version 20171121:
* - permissions: adding kwayland (bsc#1062182)
* Mon Nov 06 2017 eeich@suse.com
- Update to version 20171106:
* Allow setuid root for singularity (group only) bsc#1028304
* Wed Oct 25 2017 jsegitz@suse.com
- Update to version 20171025:
* Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)
* Thu Sep 28 2017 astieger@suse.com
- Update to version 20170928:
* Fix invalid syntax bsc#1048645 bsc#1060738
* Wed Sep 27 2017 pgajdos@suse.com
- Update to version 20170927:
* fix typos in manpages
* Fri Sep 22 2017 astieger@suse.com
- Update to version 20170922:
* Allow setuid root for singularity (group only) bsc#1028304
* Wed Sep 13 2017 astieger@suse.com
- Update to version 20170913:
* Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)
* Wed Sep 06 2017 opensuse-packaging@opensuse.org
- Update to version 20170906:
* permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764
* permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)
* Wed Jun 07 2017 dimstar@opensuse.org
- BuildIgnore group(trusted): we don't really care for this group
in the buildroot and do not want to get system-users into the
bootstrap cycle as we can avoid it.
* Sat Jun 03 2017 meissner@suse.com
- Require: group(trusted), as we are handing it out to some unsuspecting
binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)
* Fri Jun 02 2017 meissner@suse.com
- Update to version 20170602:
* make /etc/ppp owned by root:root. The group dialout usage is no longer used
* Sun Aug 07 2016 meissner@suse.com
- Update to version 20160807:
* suexec2 is a symlink, no need for permissions handling
* Tue Aug 02 2016 meissner@suse.com
- Update to version 20160802:
* list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282)
* root:shadow 0755 for newuidmap/newgidmap
* Tue Aug 02 2016 krahmer@suse.com
- adding qemu-bridge-helper mode 04750 (bsc#988279)
* Mon May 23 2016 dimstar@opensuse.org
- Introduce _service to easier update the package. For simplicity,
change the version from yyyy.mm.dd to yyyymmdd (which is eactly
%cd in the _service defintion). Upgrading is no problem.
* Mon May 23 2016 meissner@suse.com
- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)
* Wed Mar 30 2016 meissner@suse.com
- permissions: adding gstreamer ptp file caps (bsc#960173)
* Fri Jan 15 2016 meissner@suse.com
- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)
* Tue Jan 12 2016 meissner@suse.com
- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363
* Thu Oct 29 2015 meissner@suse.com
- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789
- added missing / to the squid specific directories (bsc#950557)
* Mon Sep 28 2015 meissner@suse.com
- adjusted radosgw to root:www mode 0750 (bsc#943471)
* Mon Sep 28 2015 meissner@suse.com
- radosgw can get capability cap_bind_net_service (bsc#943471)
* Mon Jun 08 2015 meissner@suse.com
- remove /usr/bin/get_printing_ticket; (bnc#906336)
* Wed Dec 03 2014 krahmer@suse.com
- Added iouyap capabilities (bnc#904060)
* Wed Nov 05 2014 meissner@suse.com
- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093)
- permissions: incorporating squid changes from bnc#891268
- hint that chkstat --system --set needs to be run after editing bnc#895647
/etc/permissions /etc/permissions.easy /etc/permissions.local /etc/permissions.paranoid /etc/permissions.secure /usr/bin/chkstat /usr/share/fillup-templates/sysconfig.security /usr/share/man/man5/permissions.5.gz /usr/share/man/man8/chkstat.8.gz
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Jul 9 20:14:19 2024