-------------------------------------------------------------------
Wed Sep 14 09:59:31 UTC 2022 - matthias.gerstner@suse.com
- Update to version 20170707:
  * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)
  * add capability for prometheus-blackbox_exporter (bsc#1191194)
  * make btmp root:utmp (bsc#1050467)
  * pcp: remove no longer needed / conflicting entries
-------------------------------------------------------------------
Tue Nov 02 13:05:07 UTC 2021 - matthias.gerstner@suse.com
- Update to version 20170707:
  * add capability for prometheus-blackbox_exporter (bsc#1191194)
-------------------------------------------------------------------
Tue Apr 27 08:59:06 UTC 2021 - matthias.gerstner@suse.com
- Update to version 20170707:
  * make btmp root:utmp (bsc#1050467, bsc#1182899)
-------------------------------------------------------------------
Fri Jun 12 11:41:54 UTC 2020 - matthias.gerstner@suse.com
- Update to version 20170707:
  * pcp: remove no longer needed / conflicting entries
    (bsc#1171883). Fixes a potential security issue.
-------------------------------------------------------------------
Tue Feb 25 17:04:32 UTC 2020 - malte.kraus@suse.com
- do not follow symlinks that are the final path element (CVE-2020-8013, bsc#1163922)
- fix handling of relative directory symlinks in chkstat
- whitelist postgres sticky directories (bsc#1123886)
- Change packaging to use a source service from Github.
  Drop all previously existing patches, now incorporated into the source
  tarball generated from git as source of truth:
  * bsc1110797_amanda.patch
  * 0002-singularity-starter-suid.patch
  * 0003-chkstat-fix-privesc-CVE-2019-3690.patch
  * 0004-squid-pinger-owner-fix-CVE-2019-3688.patch
  * 0005-permissions-fix-error-output.patch
  * 0006-chkstat-handle-missing-proc.patch
  * 0007-chkstat-capabilities-implicit-changes.patch
-------------------------------------------------------------------
Fri Jan 31 16:50:43 UTC 2020 - Malte Kraus
- fix regression where chkstat breaks without /proc available
  (bsc#1160764, bsc#1160594, 0006-chkstat-handle-missing-proc.patch)
- fix capability handling when doing multiple permission changes at once
  (bsc#1161779, 0007-chkstat-capabilities-implicit-changes.patch)
-------------------------------------------------------------------
Tue Nov 19 16:55:01 UTC 2019 - Malte Kraus
- fix invalid free() when permfiles points to argv
  (bsc#1157198, changed 0003-chkstat-fix-privesc-CVE-2019-3690.patch)
-------------------------------------------------------------------
Tue Nov 12 16:34:00 UTC 2019 - Malte Kraus
- the error should be reported for permfiles[i], not argv[i], as these are
  not the same files.
  (bsc#1047247, bsc#1097665, 0005-permissions-fix-error-output.patch)
-------------------------------------------------------------------
Mon Oct 28 16:23:10 UTC 2019 - Malte Kraus
- fix /usr/sbin/pinger ownership to root:squid
  (bsc#1093414, CVE-2019-3688, 0004-squid-pinger-owner-fix-CVE-2019-3688.patch)
-------------------------------------------------------------------
Mon Oct 28 12:56:17 UTC 2019 - Malte Kraus
- fix privilege escalation through untrusted symlinks
  (bsc#1150734, CVE-2019-3690, 0003-chkstat-fix-privesc-CVE-2019-3690.patch)
-------------------------------------------------------------------
Thu Jun 13 13:46:41 UTC 2019 - Malte Kraus
- Added ./0002-singularity-starter-suid.patch (bsc#1128598)
  New whitelisting for /usr/lib/singularity/bin/starter-suid
-------------------------------------------------------------------
Tue May 21 10:48:43 UTC 2019 - jsegitz@suse.com
- Updated permissions for amanda, added bsc1110797_amanda.patch (bsc#1110797)
-------------------------------------------------------------------
Mon Aug 06 11:05:15 UTC 2018 - mgerstner@suse.com
- Update to version 20170707:
  * this version is based on a dedicated git upstream branch for being able
    to drop all patches previously held in SLES-12-SP2:
    - bsc975352-make-chage-sgid.patch
    - permission-squid-pinger-caps.patch
    - permissions-2015.09.28.1626.tar.bz2
    - permissions-gst-ptp-helper-960173.patch
    - permissions-qemu-bridge-helper-988279.patch
    - permissions-shadow-bsc979282.patch
    - permissions-singularity-setuidroot.patch
    - permissions-singularity-setuidroot2.patch
    - permissions-suexec-bsc951765.patch
    - permissions-suexec-bsc962060.patch
    - permissions-suexec2-is-symlink.patch
  * use a version between permissions package from SLES-12-SP2 and
    SLES-15-GA, to avoid breakage of existing Requires: or the upgrade path.
    Therefore the date is made up!
  * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956)
-------------------------------------------------------------------
Thu Sep 28 10:48:31 UTC 2017 - astieger@suse.com
- Update to version 20170928:
  * Fix invalid syntax bsc#1048645 bsc#1060738
  * permissions-singularity-setuidroot2.patch
-------------------------------------------------------------------
Fri Sep 22 14:00:15 UTC 2017 - astieger@suse.com
- Update to version 20170922:
  * Allow setuid root for singularity (group only) bsc#1028304
  * permissions-singularity-setuidroot.patch
-------------------------------------------------------------------
Sun Aug 7 12:05:01 UTC 2016 - meissner@suse.com
- permissions-suexec2-is-symlink.patch: suexec2 is just a symlink
-------------------------------------------------------------------
Tue Aug 02 08:47:53 UTC 2016 - meissner@suse.com
- permissions-shadow-bsc979282.patch:
  * list the newuidmap and newgidmap, currently 0755 until review is done
    (bsc#979282)
  * root:shadow 0755 for newuidmap/newgidmap
-------------------------------------------------------------------
Tue Aug 2 08:29:32 UTC 2016 - krahmer@suse.com
- permissions-qemu-bridge-helper-988279.patch: adding qemu-bridge-helper
  mode 04750 (bsc#988279)
-------------------------------------------------------------------
Tue Jul 26 13:49:46 UTC 2016 - meissner@suse.com
- bsc975352-make-chage-sgid.patch: chage only needs read rights for
  /etc/shadow, so setgid shadow instead of setuid root. (bsc#975352)
-------------------------------------------------------------------
Wed Mar 30 11:14:41 UTC 2016 - meissner@suse.com
- permissions-gst-ptp-helper-960173.patch: permissions: adding gstreamer
  ptp file caps (bsc#960173)
-------------------------------------------------------------------
Fri Jan 15 14:19:44 UTC 2016 - meissner@suse.com
- permissions-suexec-bsc962060.patch: the apache folks renamed suexec2 to
  suexec with symlink.
  adjust both (bsc#962060)
-------------------------------------------------------------------
Tue Jan 12 14:30:01 UTC 2016 - meissner@suse.com
- pinger needs to be squid:root, not root:squid (there is no squid group)
  bsc#961363
-------------------------------------------------------------------
Thu Oct 29 09:40:30 UTC 2015 - meissner@suse.com
- permissions-suexec-bsc951765.patch: add suexec with 0755 to all standard
  profiles. this can and should be overridden in permissions.local if you
  need it setuid root. bsc#951765 bsc#263789
-------------------------------------------------------------------
Mon Sep 28 14:27:19 UTC 2015 - meissner@suse.com
- adjusted radosgw to root:www mode 0750 (bsc#943471)
-------------------------------------------------------------------
Mon Sep 28 13:35:10 UTC 2015 - meissner@suse.com
- radosgw can get capability cap_bind_net_service (bsc#943471)
-------------------------------------------------------------------
Mon Jun 8 16:22:39 UTC 2015 - meissner@suse.com
- remove /usr/bin/get_printing_ticket; (bnc#906336)
-------------------------------------------------------------------
Wed Dec 3 16:36:54 UTC 2014 - krahmer@suse.com
- Added iouyap capabilities (bnc#904060)
-------------------------------------------------------------------
Wed Nov 5 16:07:01 UTC 2014 - meissner@suse.com
- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer
  needed (bnc#685093)
- permissions: incorporating squid changes from bnc#891268
- hint that chkstat --system --set needs to be run after editing bnc#895647
-------------------------------------------------------------------
Tue Aug 26 13:00:07 UTC 2014 - meissner@suse.com
- Do not apply permissions from backup files (~ / .rpmsave / .rpmnew)
  (bnc#893370)
- do not mention SuSEconfig anymore, long dead (bnc#843083)
-------------------------------------------------------------------
Fri Aug 1 11:25:40 UTC 2014 - meissner@suse.com
- append a / to /var/log/journal so the framework makes sure it is
  a directory bnc#888151
-------------------------------------------------------------------
Wed Jul 23 11:38:42 UTC 2014 - meissner@suse.com
- make innbind mode 4550 (bnc#876287)
- permissions: Adding systemd-journal directory (bnc#888151)
-------------------------------------------------------------------
Mon Jul 21 13:31:48 UTC 2014 - krahmer@suse.com
- permissions: Adding new kdesud path for KDE5 (bnc#872276)
-------------------------------------------------------------------
Tue Jul 1 11:19:57 UTC 2014 - meissner@suse.com
- vlock_main lost its permission checking, so remove from here.
-------------------------------------------------------------------
Mon Jun 16 11:46:15 UTC 2014 - meissner@suse.com
- opiesu,wodim,vlock-main have no setuid root. (bnc#882035)
-------------------------------------------------------------------
Thu Jun 5 08:10:33 UTC 2014 - meissner@suse.com
- tighten /etc/crontab to be always mode 600, even in easy (bnc#867799)
-------------------------------------------------------------------
Tue Apr 15 14:24:36 UTC 2014 - meissner@suse.com
- duplicate /var/run entries to /run (bnc#873708)
-------------------------------------------------------------------
Mon Mar 24 10:31:20 UTC 2014 - krahmer@suse.com
- permissions: incorporating capability for mtr, removing +s from ping
  (bnc#865351)
-------------------------------------------------------------------
Mon Oct 28 10:46:48 UTC 2013 - meissner@suse.com
- GIT repo moved to GITHUB.
- removed the setuid bit from "eject" (bnc#824406)
-------------------------------------------------------------------
Thu Aug 22 11:40:20 UTC 2013 - meissner@suse.com
- do not use magic constants for strlen (bnc#834790)
-------------------------------------------------------------------
Wed Aug 21 12:53:39 UTC 2013 - meissner@suse.com
- Chrome sandbox also allowed to be setuid root in secure mode now
  (bnc#718016)
-------------------------------------------------------------------
Fri Aug 16 13:25:56 UTC 2013 - meissner@suse.com
- use PERMISSION_FSCAPS
-------------------------------------------------------------------
Fri Aug 16 13:08:10 UTC 2013 - meissner@suse.com
- it is PERMISSIONS_FSCAPS (bnc#834790)
- qemu-bridge-helper has no special privileges currently (bnc#765948)
-------------------------------------------------------------------
Wed Jun 12 11:10:18 UTC 2013 - meissner@suse.com
- utempter helper binary moved in new version to
  /usr/lib/utempter/utempter (bnc#823302)
-------------------------------------------------------------------
Mon Jun 10 09:46:15 UTC 2013 - meissner@suse.com
- cdrtools: allow some filesystem capabilities for more stable CD/DVD
  burning in "easy" mode.
  (bnc#550021)
  (cap_sys_nice, cap_sys_rawio, cap_sys_resource, cap_ipc_lock)
-------------------------------------------------------------------
Wed May 8 14:27:12 UTC 2013 - meissner@suse.com
- leave out readcd,cdda2wav,cdrecord until it is ready for the distro
  (bnc#550021)
-------------------------------------------------------------------
Sat May 4 08:32:17 UTC 2013 - meissner@suse.com
- cdrecord currently has no special permissions approved (bnc#550021)
- append a /
-------------------------------------------------------------------
Tue Jan 29 14:00:08 UTC 2013 - meissner@suse.com
- Allow pcp to have stickybit world-writable directories
-------------------------------------------------------------------
Tue Nov 27 15:41:16 UTC 2012 - meissner@suse.com
- add /usr/bin/dumpcap to watchlist
- make fscaps=1 the default on ""
- added PERMISSION_FSCAPS to the sysconfig/security fillup template.
- /bin/ping(6) was moved to /usr/bin/ping(6)
  /bin/eject was moved to /usr/bin/eject
-------------------------------------------------------------------
Wed Nov 21 13:56:34 UTC 2012 - lnussel@suse.de
- apply permissions settings in %post. During initial installation some
  packages might be installed before the permissions package due to
  dependency loops so we need to make sure their settings are applied too.
  Also, on update of the permissions package changed permission settings
  may need to be applied.
-------------------------------------------------------------------
Mon Oct 15 11:49:04 UTC 2012 - lnussel@suse.de
- temporarily add su.core. workaround for the migration of su from
  coreutils to util-linux needs to be reverted as soon as util-linux is
  also in
-------------------------------------------------------------------
Tue Sep 25 14:55:21 UTC 2012 - meissner@suse.com
- no longer install SuSEconfig.permissions, SuSEconfig is gone.
-------------------------------------------------------------------
Fri Jul 6 09:01:18 UTC 2012 - meissner@suse.com
- enable ecryptfs-utils setuid root mount wrapper (bnc#740110) in .easy
-------------------------------------------------------------------
Mon Jun 4 11:37:27 UTC 2012 - lnussel@suse.de
- remove /var/run/vi.recover (bnc#765288)
-------------------------------------------------------------------
Fri Jun 1 07:23:46 UTC 2012 - lnussel@suse.de
- remove /var/cache/fonts (bnc#764885)
- remove /var/lib/xemacs/lock/ (bnc#764887)
-------------------------------------------------------------------
Thu May 31 11:07:25 UTC 2012 - lnussel@suse.de
- Revert "Use credentials from within the root file system"
  breaks use of --root option in brp-05-permissions
-------------------------------------------------------------------
Tue May 15 14:46:22 UTC 2012 - lnussel@suse.de
- print warning when requested to check not listed files
- Use credentials from within the root file system
-------------------------------------------------------------------
Wed Feb 8 08:15:50 UTC 2012 - lnussel@suse.de
- add duplicate entries for / and /usr (bnc#745622)
-------------------------------------------------------------------
Tue Feb 7 12:09:17 UTC 2012 - lnussel@suse.de
- add scripts for automatic package submission
- drop zypp-refresh-wrapper (bnc#738677)
-------------------------------------------------------------------
Mon Nov 7 09:39:43 UTC 2011 - lnussel@suse.de
- disable run time fscaps detection (bnc#728312)
-------------------------------------------------------------------
Fri Sep 23 08:37:21 UTC 2011 - lnussel@suse.de
- set permission by default in SuSEconfig mode as permissions are only set
  when called explicitly anyways (bnc#720010).
-------------------------------------------------------------------
Wed Sep 21 08:00:28 UTC 2011 - lnussel@suse.de
- fix typo in path
-------------------------------------------------------------------
Tue Sep 20 14:47:30 UTC 2011 - lnussel@suse.de
- remove world writable /var/crash again (bnc#438041)
- remove world writable permissions from /usr/src/packages (bnc#719217)
-------------------------------------------------------------------
Tue Sep 20 13:38:48 UTC 2011 - lnussel@suse.de
- add chromium browser sandbox helper (bnc#718016)
- don't offer PERMISSION_SECURITY in config anymore
- remove setgid games bits (bnc#429882)
-------------------------------------------------------------------
Tue Jun 28 12:53:22 UTC 2011 - lnussel@suse.de
- remove setuid bit from opiesu (bnc#698772)
-------------------------------------------------------------------
Fri Jun 17 09:46:29 UTC 2011 - lnussel@suse.de
- disable fscaps by default as factory kernel still doesn't have the
  required patch for auto detection
-------------------------------------------------------------------
Thu May 26 15:23:49 UTC 2011 - lnussel@suse.de
- read /sys/kernel/fscaps for fscaps settings
-------------------------------------------------------------------
Thu May 12 11:48:36 UTC 2011 - lnussel@suse.de
- change path to gnome-pty-helper (bnc#690202)
-------------------------------------------------------------------
Mon Mar 7 15:08:33 UTC 2011 - lnussel@suse.de
- setuid bit on VBoxNetDHCP (bnc#669055)
-------------------------------------------------------------------
Mon Feb 14 08:09:21 UTC 2011 - lnussel@suse.de
- fix hawk permissions (bnc#665045)
-------------------------------------------------------------------
Wed Feb 9 13:25:29 UTC 2011 - lnussel@suse.de
- add hawk (bnc#665045)
-------------------------------------------------------------------
Thu Dec 2 10:20:11 UTC 2010 - lnussel@suse.de
- remove Xorg setuid bit (bnc#632737)
-------------------------------------------------------------------
Thu Nov 18 10:52:39 UTC 2010 - lnussel@suse.de
- update permissions of lastlog, faillog, wtmp, utmp and btmp
-------------------------------------------------------------------
Wed Nov 17 11:02:37 UTC 2010 - lnussel@suse.de
- remove permissions handling for /etc/inittab, /etc/inetd.conf and
  /etc/mtab
- revert previous commit, done in coreutils instead
-------------------------------------------------------------------
Tue Nov 16 16:10:09 UTC 2010 - lnussel@suse.de
- change fillup deps to requires to avoid coreutils loop
-------------------------------------------------------------------
Tue Nov 16 15:10:53 UTC 2010 - lnussel@suse.de
- change utempter from group tty to group utmp (bnc#652877)
-------------------------------------------------------------------
Tue Nov 9 12:51:10 UTC 2010 - lnussel@suse.de
- add permissions man page
- update docu
- add --level option
- set perms for setuid files always if owner changes
- strip root dir when printing file names
-------------------------------------------------------------------
Tue Nov 9 09:25:17 UTC 2010 - lnussel@suse.de
- add option to explicitly warn only
-------------------------------------------------------------------
Fri Nov 5 14:00:30 UTC 2010 - lnussel@suse.de
- reimplement the core features in chkstat itself instead of
  SuSEconfig.permissions
-------------------------------------------------------------------
Thu Nov 4 16:17:25 UTC 2010 - lnussel@suse.de
- don't make changes if not called explicitly
-------------------------------------------------------------------
Wed Nov 3 14:16:54 UTC 2010 - lnussel@suse.de
- add support for file system capabilities
-------------------------------------------------------------------
Mon Oct 18 13:37:40 UTC 2010 - lnussel@suse.de
- remove vlock (bnc#629236#c13)
-------------------------------------------------------------------
Tue Oct 5 13:33:08 UTC 2010 - lnussel@suse.de
- update path to gnome-pty-helper (bnc#634199)
-------------------------------------------------------------------
Wed Sep 22 15:29:43 UTC 2010 - lnussel@suse.de
- vlock -> vlock-main (bnc#629236)
-------------------------------------------------------------------
Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
- use %_smp_mflags
-------------------------------------------------------------------
Fri Apr 23 09:41:10 UTC 2010 - lnussel@suse.de
- add lockdev (bnc#588325)
-------------------------------------------------------------------
Wed Apr 7 14:45:28 UTC 2010 - lnussel@suse.de
- update for innd update (bnc#594393)
- remove lppasswd (bnc#574336)
-------------------------------------------------------------------
Tue Dec 8 10:16:07 CET 2009 - jengelh@medozas.de
- enable parallel building
-------------------------------------------------------------------
Wed Oct 7 14:54:21 UTC 2009 - lnussel@suse.de
- add /usr/lib/virtualbox/VBoxNetAdpCtl (bnc#533550)
-------------------------------------------------------------------
Thu Aug 27 10:00:19 UTC 2009 - lnussel@suse.de
- add /usr/src/packages/BUILDROOT/ for rpm 4.7
-------------------------------------------------------------------
Wed Aug 26 13:09:55 UTC 2009 - lnussel@suse.de
- add more arm directories to /usr/src/packages/RPMS/
-------------------------------------------------------------------
Mon Aug 24 09:53:25 UTC 2009 - lnussel@suse.de
- remove permissions handling for traceroute6 and cdrecord which are
  symlinks nowadays
-------------------------------------------------------------------
Thu Aug 20 08:30:02 UTC 2009 - lnussel@suse.de
- fix weird sendfax permissions (bnc#525954)
-------------------------------------------------------------------
Wed Aug 19 11:17:53 UTC 2009 - lnussel@suse.de
- permissions now maintained at gitorious so use tarball instead of
  individual files
-------------------------------------------------------------------
Wed Aug 12 09:57:12 CEST 2009 - meissner@suse.de
- added polkit setuid root helpers after review (bnc#523377)
-------------------------------------------------------------------
Fri Aug 7 10:42:53 CEST 2009 - meissner@suse.de
- also added KDE4 start_kdeinit (same source as kde3 start_kdeinit),
  bnc#523833
-------------------------------------------------------------------
Thu Aug 6 16:38:20 CEST 2009 - meissner@suse.de
- open-vm-tools gets setuid root:root in mode easy (bnc#474285)
-------------------------------------------------------------------
Tue Jul 28 13:00:44 UTC 2009 - lnussel@suse.de
- hylafax directory permissions are handled by the package
- change group of amanda binaries (bnc#523006)
-------------------------------------------------------------------
Mon Mar 2 11:26:53 CET 2009 - lnussel@suse.de
- add some missing slashes to directories and remove entries for at and
  cron (bnc#480855)
-------------------------------------------------------------------
Tue Nov 25 14:10:13 CET 2008 - lnussel@suse.de
- add VirtualBox (bnc#429725)
-------------------------------------------------------------------
Fri Nov 7 14:39:10 CET 2008 - lnussel@suse.de
- add newrole from policycoreutils (bnc#440596)
-------------------------------------------------------------------
Thu Oct 23 09:23:59 CEST 2008 - lnussel@suse.de
- add udev device files (bnc#438039)
- add system crash dump directory (bnc#438041)
- add bind chroot devices (bnc#438045)
-------------------------------------------------------------------
Mon Oct 20 17:05:30 CEST 2008 - lnussel@suse.de
- dbus-daemon-launch-helper needs to be setuid in level secure (bnc#435776)
-------------------------------------------------------------------
Thu Sep 25 15:38:39 CEST 2008 - lnussel@suse.de
- change /var/games to 755 to prevent ill-considered maneuvers there
  (bnc#429882)
-------------------------------------------------------------------
Thu Sep 11 17:03:04 CEST 2008 - lnussel@suse.de
- remove static smpppd config file permissions
- fix permissions of polkit-set-default-helper
- grant permissions to PolicyKit helpers also in
  level secure
-------------------------------------------------------------------
Tue Jul 15 11:40:22 CEST 2008 - lnussel@suse.de
- ensure correct permissions on ssh files to avoid sshd refusing logins
  (bnc#398250)
-------------------------------------------------------------------
Thu Jul 3 11:33:29 CEST 2008 - lnussel@suse.de
- adapt permissions of lppasswd for current cups setup (bnc#406058)
-------------------------------------------------------------------
Mon Jun 2 11:46:30 CEST 2008 - lnussel@suse.de
- add mount.nfs due to an ever increasing number of users hit by the
  regression (bnc#331020, bnc#304318)
-------------------------------------------------------------------
Wed May 7 15:18:04 CEST 2008 - lnussel@suse.de
- zypp-checkpatches-wrapper -> zypp-refresh-wrapper (bnc#385207)
-------------------------------------------------------------------
Mon Apr 21 16:03:22 CEST 2008 - lnussel@suse.de
- /dev/full should be 0666 (bnc#379545)
-------------------------------------------------------------------
Thu Apr 17 09:45:03 CEST 2008 - lnussel@suse.de
- update chkstat manpage and support '--' argument for chkstat (bnc#57438)
-------------------------------------------------------------------
Wed Mar 12 13:09:51 CET 2008 - lnussel@suse.de
- new PolicyKit permissions (bnc#295341)
- remove obsolete entries for scmxx and zapping
-------------------------------------------------------------------
Mon Jan 7 12:24:47 CET 2008 - lnussel@suse.de
- remove setuid bits on man (#351988)
-------------------------------------------------------------------
Mon Dec 3 15:46:50 CET 2007 - lnussel@suse.de
- add dbus-daemon-launch-helper (#333361)
-------------------------------------------------------------------
Fri Nov 2 23:11:57 CET 2007 - dmueller@suse.de
- kcheckpass/kdesud moved to %_libdir/kde4/libexec
-------------------------------------------------------------------
Wed Oct 17 16:09:03 CEST 2007 - lnussel@suse.de
- remove bing (#306626)
-------------------------------------------------------------------
Fri Oct 12 13:30:57 CEST 2007 - lnussel@suse.de
- remove suexec2 (#263789)
-------------------------------------------------------------------
Fri Aug 10 21:02:03 CEST 2007 - aj@suse.de
- Readd nscd socket permissions, otherwise glibc build will fail.
-------------------------------------------------------------------
Fri Aug 10 09:23:16 CEST 2007 - lnussel@suse.de
- add PolicyKit helpers (#295341)
-------------------------------------------------------------------
Wed Aug 8 11:11:43 CEST 2007 - lnussel@suse.de
- remove nscd socket permission handling as chkstat refuses to touch that
  file anyways (#298334).
-------------------------------------------------------------------
Tue Jun 12 15:22:22 CEST 2007 - schwab@suse.de
- permissions.local: Fix comment to use uid:gid instead of uid.gid.
-------------------------------------------------------------------
Fri Jun 1 15:44:55 CEST 2007 - lnussel@suse.de
- package /etc/permissions.local
-------------------------------------------------------------------
Wed May 30 10:47:52 CEST 2007 - lnussel@suse.de
- add /usr/bin/kcheckpass and /usr/bin/kdesud (#276502)
-------------------------------------------------------------------
Wed Apr 18 18:23:19 CEST 2007 - dmueller@suse.de
- create debuginfo package (#265667)
-------------------------------------------------------------------
Thu Feb 22 17:50:27 CET 2007 - lnussel@suse.de
- prefer package specific permissions files over central ones (#246252)
-------------------------------------------------------------------
Thu Feb 22 16:51:06 CET 2007 - lnussel@suse.de
- add /opt/kde3/bin/start_kdeinit (#203535)
- remove entries for dropped packages OpenPBS and xtetris
-------------------------------------------------------------------
Wed Jan 17 13:53:28 CET 2007 - lnussel@suse.de
- make pam authentication helpers unix_chkpwd, unix2_chkpwd and pam_auth
  setuid root instead of setgid shadow (#216816)
-------------------------------------------------------------------
Wed Jan 10 15:12:53 CET 2007 - sbrabec@suse.cz
- Prefix of /opt/gnome binaries changed to /usr.
- Removed gnome-stones.
-------------------------------------------------------------------
Mon Nov 13 11:40:32 CET 2006 - lnussel@suse.de
- remove khc_indexbuilder (#188192)
-------------------------------------------------------------------
Mon Oct 16 16:08:06 CEST 2006 - lnussel@suse.de
- add zypp patch checking helper (#211286)
-------------------------------------------------------------------
Wed Aug 23 09:59:37 CEST 2006 - lnussel@suse.de
- /usr/X11R6 -> /usr
- remove obsolete entries for xmris,pcmcia-cardinfo,geki2,vmware,nicimud
-------------------------------------------------------------------
Thu Aug 17 14:27:17 CEST 2006 - cthiel@suse.de
- change paths for v4l-conf from /usr/X11R6/bin to /usr/bin
-------------------------------------------------------------------
Thu Jul 20 16:32:35 CEST 2006 - sndirsch@suse.de
- Xorg moved from /usr/X11R6/bin to /usr/bin; fixes build of
  xorg-x11-server package
-------------------------------------------------------------------
Tue Jun 27 08:21:00 CEST 2006 - lnussel@suse.de
- remove setuid bit on gpg (#137562)
-------------------------------------------------------------------
Fri May 19 15:48:04 CEST 2006 - lnussel@suse.de
- add get_printing_ticket in order to enable smb printing with kerberos
  authentication (#177114)
-------------------------------------------------------------------
Wed May 17 11:42:30 CEST 2006 - lnussel@suse.de
- add setuid bit to gnomesu-pam-backend in level secure (#175616)
-------------------------------------------------------------------
Thu Feb 23 18:27:24 CET 2006 - schwab@suse.de
- /usr/lib/ia32el/suid_libia32x.so renamed to suid_ia32x_loader.
-------------------------------------------------------------------
Wed Jan 25 21:30:49 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Mon Jan 16 13:57:03 CET 2006 - meissner@suse.de
- removed pmount, pumount.
- moved pmpost to /usr/lib/pcp/pmpost.
-------------------------------------------------------------------
Thu Dec 15 16:06:44 CET 2005 - lnussel@suse.de
- /opt/kde3/bin/fileshareset -> /usr/bin/fileshareset
-------------------------------------------------------------------
Fri Dec 9 19:57:11 CET 2005 - meissner@suse.de
- temporary only setuid bit for pmount and pumount. #135792
-------------------------------------------------------------------
Wed Nov 23 09:22:05 CET 2005 - lnussel@suse.de
- add /usr/bin/fusermount (#133657)
-------------------------------------------------------------------
Mon Nov 21 09:32:56 CET 2005 - lnussel@suse.de
- remove Xwrapper, it's a symlink nowadays (#134611)
-------------------------------------------------------------------
Wed Nov 2 22:31:11 CET 2005 - dmueller@suse.de
- don't build as root
-------------------------------------------------------------------
Thu Oct 13 13:22:49 CEST 2005 - meissner@suse.de
- nici moved to /var/opt/novell/...
-------------------------------------------------------------------
Tue Oct 11 17:34:40 CEST 2005 - meissner@suse.de
- Temporary added setuid binary from "nici" (Novell I? Crypto Interface),
  bug #127545.
-------------------------------------------------------------------
Fri Sep 30 13:28:00 CEST 2005 - lnussel@suse.de
- add slashes to several directories (#103186)
- change /var/games to games:games 775 again (#103186)
-------------------------------------------------------------------
Tue Aug 30 09:23:08 CEST 2005 - lnussel@suse.de
- remove kpopup helper (#100132)
-------------------------------------------------------------------
Thu Aug 25 15:17:57 CEST 2005 - lnussel@suse.de
- add /opt/gnome/sbin/change-passwd (#104993)
-------------------------------------------------------------------
Thu Aug 11 11:01:36 CEST 2005 - lnussel@suse.de
- remove xmcd (#104040)
- add suexec2 from apache2 (#66304)
- add exim (#66306)
-------------------------------------------------------------------
Thu Aug 11 08:55:45 CEST 2005 - lnussel@suse.de
- remove /opt/gnome/bin/iagno (#103844)
-------------------------------------------------------------------
Wed Aug 10 17:34:36 CEST 2005 - lnussel@suse.de
- remove xbl (#103762)
- clean up bsd games list (#103785)
- remove score files as they are the same in all levels anyways
-------------------------------------------------------------------
Wed Aug 10 10:53:31 CEST 2005 - lnussel@suse.de
- change /var/games{,/xsok} to root:root (#103186)
-------------------------------------------------------------------
Fri Aug 5 08:38:22 CEST 2005 - lnussel@suse.de
- /usr/sbin/isdnctrl -> /sbin/isdnctrl (#100750)
-------------------------------------------------------------------
Tue Aug 2 16:00:09 CEST 2005 - lnussel@suse.de
- remove kde games again. Turned out they don't work as intended.
-------------------------------------------------------------------
Tue Aug 2 11:59:41 CEST 2005 - lnussel@suse.de
- cardctl -> pccardctl (#100120)
-------------------------------------------------------------------
Fri Jul 22 10:34:32 CEST 2005 - lnussel@suse.de
- add setgid games to some kde games
-------------------------------------------------------------------
Wed Jun 8 14:36:57 CEST 2005 - lnussel@suse.de
- use correct gnomesu-pam-backend path
-------------------------------------------------------------------
Tue Jun 7 10:01:22 CEST 2005 - lnussel@suse.de
- add gnomesu-pam-backend (#75823)
- add lppasswd (#66305)
- make ntping 4750 root:trusted also in easy (#66211)
- add cl_status from heartbeat (#66310)
- remove unused /opt/gnome/sbin/change-passwd
-------------------------------------------------------------------
Tue May 17 00:29:21 CEST 2005 - ro@suse.de
- added /opt/gnome/sbin/change-passwd
-------------------------------------------------------------------
Mon Apr 25 16:45:30 CEST 2005 - lnussel@suse.de
- add OpenPBS permissions (#66320)
-------------------------------------------------------------------
Tue Mar 1 16:14:48 CET 2005 - lnussel@suse.de
- fix inn permissions (#67032)
- remove setuid bit from ziptool (#66191)
-------------------------------------------------------------------
Wed Feb 23 11:53:33 CET 2005 - lnussel@suse.de
- remove no longer existing files
- remove setuid plpnfsd (#66207)
- remove setuid bit from dga program
- change vmware permissions
- add /opt/kde3/bin/receivepopup (#66313)
- add /opt/kde3/bin/fileshareset (#66312)
- add /usr/bin/scmxx (#66309)
- add some missing mailman files (#66315)
- include perl script to perform some basic consistency checks
-------------------------------------------------------------------
Mon Jan 31 16:32:14 CET 2005 - meissner@suse.de
- backported security fix from SLES 9 branch.
#43035 ------------------------------------------------------------------- Sat Jan 15 20:40:04 CET 2005 - schwab@suse.de - Comment fixes. ------------------------------------------------------------------- Mon Nov 22 21:02:36 CET 2004 - sndirsch@suse.de - permissions.secure: set Xorg to 0711 (4711 before) ------------------------------------------------------------------- Wed Nov 10 15:07:02 CET 2004 - ro@suse.de - /var/cache/fonts to 1777 (as in tetex perms before) ------------------------------------------------------------------- Mon Nov 8 14:37:25 CET 2004 - kukuk@suse.de - Add nscd socket to permissions file ------------------------------------------------------------------- Tue Sep 14 18:50:46 CEST 2004 - ro@suse.de - do not use rpm in SuSEconfig.permissions (#45252) ------------------------------------------------------------------- Tue Sep 14 17:21:40 CEST 2004 - ro@suse.de - dropped check for perl in SuSEconfig.permissions (#45252) ------------------------------------------------------------------- Wed May 26 12:34:57 MEST 2004 - draht@suse.de - /usr/lib/ia32el/suid_libia32x.so set to (6755,0755,0755) (#40234) source code audit in progress (#40234) (thomas) ------------------------------------------------------------------- Fri May 14 15:26:23 CEST 2004 - ro@suse.de - /usr/lib/ia32el/suid_libia32x.so added to easy,secure,paranoid (0755,0755,0755) (#40234) ------------------------------------------------------------------- Thu Apr 15 14:16:03 CEST 2004 - sndirsch@suse.de - XFree86 --> Xorg in permissions files ------------------------------------------------------------------- Tue Apr 6 12:45:32 CEST 2004 - mls@suse.de - added --root option for buildroot operation ------------------------------------------------------------------- Mon Apr 5 15:27:52 CEST 2004 - mls@suse.de - chkstat: fixed relative symlink chasing - /usr/src/packages/RPMS back to 1777 in easy, as chkstat can now handle it ------------------------------------------------------------------- 
Sun Apr 4 21:30:02 CEST 2004 - mls@suse.de - chkstat: added missing link count check and safepath() function - chkstat: refuse to give away s-bits on insecure paths - chkstat: bugfix: stat file again after chown, as modes may have changed ------------------------------------------------------------------- Fri Apr 2 17:44:08 CEST 2004 - mls@suse.de - chkstat: re-implemented it in C to make it more secure ------------------------------------------------------------------- Thu Apr 1 10:17:00 CEST 2004 - kukuk@suse.de - Remove /var/lock/subsys [#37759] - Add sticky bit to /var/lock [#37759] ------------------------------------------------------------------- Wed Mar 24 01:13:41 MET 2004 - draht@suse.de - make /usr/bin/gpg setuid root in easy+secure, 0755 in paranoid. #33570. ------------------------------------------------------------------- Tue Mar 23 19:06:18 MET 2004 - draht@suse.de - #36741: /usr/src/packages/RPMS 1777->0755 in easy. ------------------------------------------------------------------- Mon Mar 22 15:28:59 CET 2004 - kukuk@suse.de - Fix syntax error in permission.easy - /usr/bin/ssh should be always 0755 ------------------------------------------------------------------- Fri Feb 13 12:09:14 MET 2004 - draht@suse.de - /var/run/uscreens (root:root 1777) added ------------------------------------------------------------------- Thu Feb 12 14:18:55 CET 2004 - kukuk@suse.de - Don't modify group of crontab and at useless ------------------------------------------------------------------- Fri Jan 9 23:17:42 CET 2004 - kukuk@suse.de - Add RPM directory for hppa2.0 ------------------------------------------------------------------- Fri Nov 21 01:02:32 CET 2003 - ro@suse.de - fpexec decrease go rights to 11 ------------------------------------------------------------------- Wed Nov 5 00:12:41 CET 2003 - ro@suse.de - inn scripts: u-w (not needed) ------------------------------------------------------------------- Mon Nov 3 13:08:38 CET 2003 - schwab@suse.de - 
chkstat: fix option parsing. ------------------------------------------------------------------- Wed Oct 29 09:18:20 CET 2003 - kukuk@suse.de - Sync permissions for shadow package ------------------------------------------------------------------- Tue Oct 28 16:24:10 CET 2003 - ro@suse.de - require /sbin/SuSEconfig ------------------------------------------------------------------- Tue Oct 28 16:06:42 CET 2003 - ro@suse.de - chkstat: added some new extensions: allow specifying singular files or a filelist to be checked output previous/current mode of a failed file adapted manpage ------------------------------------------------------------------- Tue Oct 21 19:40:33 MEST 2003 - draht@suse.de - permissions.secure: /etc/ftpusers 0640 root.root -> 0644 ------------------------------------------------------------------- Mon Oct 20 18:07:29 CEST 2003 - ro@suse.de - permissions.*: use ":" and not "." to separate user/group - chkstat: output also which of (permissions/owner) is wrong - chkstat: don't try to chown if not root ------------------------------------------------------------------- Tue Oct 14 16:06:06 MEST 2003 - draht@suse.de - reformatting of all 4 permissions files. xkobo, rocksndiamonds, xlogical, lbreakout2 and ltris path adoptions. for future reference: :-) for i in permissions permissions.easy permissions.secure permissions.paranoid; do cat $i | \ awk '/^(#|$)/ { print $0; next; } { if(NF > 3) {printf("error: %s\n",$0);exit}; printf("%-55s %-17s %4s\n",$1,$2,$3)}' \ > $i.. && mv $i.. 
$i; done ------------------------------------------------------------------- Thu Sep 18 16:05:54 CEST 2003 - kukuk@suse.de - Fix group of straps, popauth and ntping - Remove some GNOME games which do not need special rights anymore ------------------------------------------------------------------- Tue Sep 16 22:34:41 CEST 2003 - kukuk@suse.de - permissions.easy: change group of bing, vboxbeep, plpnfsd to trusted, majordomo/wrapper to daemon ------------------------------------------------------------------- Tue Sep 16 11:39:04 CEST 2003 - kukuk@suse.de - permissions.easy: change group of gpasswd and ziptool to trusted ------------------------------------------------------------------- Tue Sep 2 17:11:52 CEST 2003 - kkeil@suse.de - fix user fax for hylafax specific files ------------------------------------------------------------------- Tue Sep 2 08:47:35 CEST 2003 - kukuk@suse.de - fix path to cons.saver, remove setuid bit in paranoid (#25907) - remove screen - remove smail (dropped years ago) ------------------------------------------------------------------- Mon Sep 1 18:26:32 CEST 2003 - kkeil@suse.de - fix group for isdnctrl uucp --> dialout (#28997) ------------------------------------------------------------------- Mon Sep 1 15:06:09 MEST 2003 - draht@suse.de - feedback@suse.de -> http://www.suse.de/feedback in all files of the package. #29635. ------------------------------------------------------------------- Sat Aug 23 15:54:13 CEST 2003 - sndirsch@suse.de - added martian entries of package pachi ------------------------------------------------------------------- Tue Aug 19 11:48:29 CEST 2003 - mmj@suse.de - Add sysconfig metadata [#28937] ------------------------------------------------------------------- Tue Jul 29 19:12:03 MEST 2003 - draht@suse.de - fax changes from Tomas Crhak: faxq-helper and spool directories. 
------------------------------------------------------------------- Tue Jul 29 14:08:49 CEST 2003 - ro@suse.de - gnome games moved back to /opt/gnome ------------------------------------------------------------------- Mon Jul 28 16:56:27 CEST 2003 - kukuk@suse.de - Remove /var/run from permissions file list [Bug #28289] ------------------------------------------------------------------- Mon Jul 28 08:47:31 CEST 2003 - kukuk@suse.de - /var/lib/gdm: Removed to solve [Bug #28257] for future products. ------------------------------------------------------------------- Fri Jul 25 15:28:10 MEST 2003 - draht@suse.de - /usr/lib/vte/gnome-pty-helper -> /opt/gnome/lib/vte/gnome-pty-helper The same with /opt/gnome/lib64/. ------------------------------------------------------------------- Fri Jun 13 09:11:40 CEST 2003 - kukuk@suse.de - /usr/lib/mgetty+sendfax/faxq-helper added 4711 in easy and secure ------------------------------------------------------------------- Fri May 2 11:42:47 CEST 2003 - sndirsch@suse.de - added /usr/games/pachi and /var/games/pachi.scores ------------------------------------------------------------------- Mon Mar 10 15:46:45 CET 2003 - sndirsch@suse.de - added /usr/games/falconseye.bin - removed /usr/games/falconseye ------------------------------------------------------------------- Mon Mar 10 10:45:30 CET 2003 - kukuk@suse.de - added /usr/lib64/vte/gnome-pty-helper until ported to utempter ------------------------------------------------------------------- Sun Mar 9 01:15:10 CET 2003 - sndirsch@suse.de - added /usr/games/falconseye - removed old falconseye entries ------------------------------------------------------------------- Thu Mar 6 23:58:24 CET 2003 - ro@suse.de - added /usr/lib/vte/gnome-pty-helper until ported to utempter ------------------------------------------------------------------- Thu Feb 20 11:22:35 CET 2003 - mmj@suse.de - Add sysconfig metadata [#22686] ------------------------------------------------------------------- Tue 
Feb 18 16:38:12 CET 2003 - kssingvo@suse.de - removed squid entries. They will be added and corrected to squids own permission file /etc/permissions.d/squid (bugzilla#23752): /var/squid /var/squid/cache /var/squid/logs ------------------------------------------------------------------- Tue Feb 18 02:55:30 MET 2003 - draht@suse.de - /usr/games/trackballs added 2755 games.games in easy. ------------------------------------------------------------------- Sun Feb 16 17:19:29 CET 2003 - adrian@suse.de - allow khc_indexbuilder to write into /var/cache/susehelp in easy mode - remove old entries (kreatecd and kscd) ------------------------------------------------------------------- Mon Feb 10 01:37:01 MET 2003 - draht@suse.de - additions/changes (from #17012, Tobias Burnus): * read all files from the commandline at once and override entries given multiple times by the last entry * enable option --set in addition to -set * manpage adoptions * call chkstat only once from SuSEconfig.permissions ------------------------------------------------------------------- Thu Feb 6 01:52:49 CET 2003 - ro@suse.de - /var/mtrack -> /var/lib/mtrack ------------------------------------------------------------------- Tue Nov 19 15:16:41 CET 2002 - ro@suse.de - zapping_setup_fb moved to /opt/gnome/sbin ------------------------------------------------------------------- Thu Nov 14 13:44:56 CET 2002 - bg@suse.de - added hppa to rpm subsystem in permissions files to be able to finish autobuild ------------------------------------------------------------------- Thu Oct 24 13:50:20 CEST 2002 - ro@suse.de - two more nethack flavors with sgid games in easy ------------------------------------------------------------------- Tue Sep 10 17:40:44 MEST 2002 - draht@suse.de - cda entries below /usr/X11R6/lib/X11/xmcd removed. index.html under /var/lib/xmcd/discog directories added world-writeable. This is not satisfactory. New user xmcd will be added in next release. 
-------------------------------------------------------------------
Thu Sep 5 18:43:44 MEST 2002 - draht@suse.de

- /usr/X11R6/lib/X11/xmcd/bin-Linux-ia64/{cda,xmcd} added.

-------------------------------------------------------------------
Mon Aug 26 17:22:29 MEST 2002 - draht@suse.de

- removed all occurrences of kv4lsetup upon request by adrian+uli.
- -s for xlock, xlock-mesa + xscreensaver (#18125), (#18132)
- /usr/src/packages/RPMS/alphaev67 added.
- added /sbin/unix2_chkpwd root.shadow 2755
- -s /usr/sbin/papd (#18103)

-------------------------------------------------------------------
Wed Aug 21 16:29:43 MEST 2002 - draht@suse.de

- removed suid bits from heimdal's su and otp (#18104)

-------------------------------------------------------------------
Wed Aug 21 16:13:29 MEST 2002 - draht@suse.de

- remove setuid bit from traceroute due to new implementation by
  Olaf Kirch which doesn't need euid root. (#18101)

-------------------------------------------------------------------
Wed Aug 21 14:16:47 MEST 2002 - draht@suse.de

- removed lprng entries because of conflicts cups <-> lprng

-------------------------------------------------------------------
Wed Aug 21 14:14:05 MEST 2002 - draht@suse.de

- vboxbeep -> 0755 in secure.

-------------------------------------------------------------------
Mon Aug 19 15:27:09 CEST 2002 - ro@suse.de

- added prereq (#17956)

-------------------------------------------------------------------
Mon Aug 19 13:45:43 CEST 2002 - uli@suse.de

- added nethack for lib64 archs

-------------------------------------------------------------------
Mon Aug 19 12:32:56 CEST 2002 - uli@suse.de

- added xmcd for archs != i386

-------------------------------------------------------------------
Tue Aug 13 13:48:05 MEST 2002 - draht@suse.de

- gnome-games2 entries changed/adopted to /opt/gnome2 path.

-------------------------------------------------------------------
Tue Aug 13 13:30:30 CEST 2002 - draht@suse.de

- changed kcheckpass from 2755 root.shadow to 4755. (#17664)

-------------------------------------------------------------------
Wed Jul 31 07:55:06 CEST 2002 - olh@suse.de

- ncpmount, ncpumount, nwsfind, ncplogin, ncpmap root.trusted 4750

-------------------------------------------------------------------
Sat Jul 27 13:19:26 CEST 2002 - kukuk@suse.de

- Rename group wwwadmin to www
- Rename group game to games

-------------------------------------------------------------------
Tue Jul 23 12:54:24 MEST 2002 - draht@suse.de

- added sapdb files, not setuid root in secure,paranoid.

-------------------------------------------------------------------
Mon Jul 22 18:26:43 MEST 2002 - draht@suse.de

- added frontpage files

-------------------------------------------------------------------
Tue Jul 16 15:18:14 MEST 2002 - draht@suse.de

- changed entries for mailman: group mdom -> mailman

-------------------------------------------------------------------
Tue Jul 16 03:51:29 MEST 2002 - draht@suse.de

- mailman sgid mdom files added to easy, secure and paranoid.

-------------------------------------------------------------------
Wed Jul 10 14:33:50 MEST 2002 - draht@suse.de

- .paranoid comment fixed about at and cron (#12159)

-------------------------------------------------------------------
Mon Jul 8 17:24:21 MEST 2002 - draht@suse.de

- ppp dialup networking fixes and cleanup.

-------------------------------------------------------------------
Mon Jul 8 15:56:23 MEST 2002 - draht@suse.de

- modifications: -s for pppd, world-writeable directories for
  kdemultimedia3-sound, gift, mips and armv4l RPMS directory.

-------------------------------------------------------------------
Fri Jul 5 21:13:08 CEST 2002 - kukuk@suse.de

- Add /usr/src/packages/RPMS/sparcv9 to easy,secure,paranoid.

-------------------------------------------------------------------
Thu Jul 4 16:26:47 MEST 2002 - draht@suse.de

- /usr/lib64/pt_chown added to easy,secure,paranoid.

-------------------------------------------------------------------
Mon Jul 1 19:56:10 MEST 2002 - draht@suse.de

- entries for packages added or changed:
    squid
    geki2
    d1x
    falconseye
    fdutils
    gewels
    gnome-games
    heimdal
    lbreakout
    lpdfilter
    lprng
    man
    mgetty (/var/spool/fax/outgoing/* need discussion)
    mtrack (locfile+satfile -> 0644)
    nethack
    nvi-m17n (/var/preserve/vi.recover -> 1777)
    opie (/bin -> /usr/bin)
    pcp
    plptools
    qpopper
    rp-pppoe (/usr/sbin/pppoe-wrapper)
    smpppd (/usr/sbin/cinternet-wwwrun wwwrun.dialout 2750)
    squid (/usr/sbin/pam_auth)
    su-wrapper
    xemacs (lock directory changed again? now /var/state/xemacs
            and /var/lib/xemacs)
    xgalaga
    xmcd
    xscrabble

-------------------------------------------------------------------
Mon Jul 1 01:01:10 CEST 2002 - ro@suse.de

- don't install all sources (spec file etc.)

-------------------------------------------------------------------
Fri Jun 28 14:40:07 MEST 2002 - draht@suse.de

- minor spec file change

-------------------------------------------------------------------
Fri Jun 28 12:56:43 MEST 2002 - draht@suse.de

- entries for packages added:
    ftpdir
    gnokii
    kamplus
    geki2
    aaa_dir (/tmp/.ICE-unix)

-------------------------------------------------------------------
Fri Jun 28 12:56:18 MEST 2002 - draht@suse.de

- unpack tar archive in source for convenience.

-------------------------------------------------------------------
Thu Jun 27 23:05:51 CEST 2002 - olh@suse.de

- update permissions of /usr/src/packages/RPMS/

-------------------------------------------------------------------
Fri Jun 21 02:10:26 CEST 2002 - ro@suse.de

- created package as split off from aaa_base