Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: permissions | Distribution: openSUSE Leap 15.2 |
Version: 20181224 | Vendor: openSUSE |
Release: lp152.13.1 | Build date: Mon Jun 8 13:55:07 2020 |
Group: Productivity/Security | Build host: obs-arm-9 |
Size: 153567 | Source RPM: permissions-20181224-lp152.13.1.src.rpm |
Packager: https://bugs.opensuse.org | |
Url: http://github.com/openSUSE/permissions | |
Summary: SUSE Linux Default Permissions |
Permission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.
GPL-2.0+
* Tue Jun 02 2020 matthias.gerstner@suse.com - Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686) * Thu May 28 2020 malte.kraus@suse.com - whitelist texlive public binary (bsc#1171686) * Mon May 11 2020 jsegitz@suse.com - Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173) * Thu Apr 02 2020 jsegitz@suse.com - correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364) * Tue Mar 24 2020 jsegitz@suse.com - whitelist s390-tools setgid bit on log directory (bsc#1167163) * Mon Mar 02 2020 malte.kraus@suse.com - run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat * Fri Feb 28 2020 malte.kraus@suse.com - Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile * Thu Feb 06 2020 matthias.gerstner@suse.com - Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687) * Wed Feb 05 2020 matthias.gerstner@suse.com Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry * Fri Jan 31 2020 Malte Kraus <malte.kraus@suse.com> - fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch) * Tue Nov 19 2019 Malte Kraus <malte.kraus@suse.com> - fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch) * Mon Oct 28 2019 Malte Kraus <malte.kraus@suse.com> - fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch) * Mon Oct 28 2019 Malte Kraus <malte.kraus@suse.com> - fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch) * Thu Sep 26 2019 Johannes Segitz <jsegitz@suse.com> - Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797) * Thu Jun 13 2019 Malte Kraus <malte.kraus@suse.com> - Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid * Tue Apr 30 2019 jsegitz@suse.com - Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678) * Tue Feb 12 2019 jsegitz@suse.com - Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve * Wed Nov 28 2018 opensuse-packaging@opensuse.org - Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball. * Mon Aug 20 2018 matthias.gerstner@suse.com - 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability. * Thu Jan 25 2018 meissner@suse.com - Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467) * Mon Jan 15 2018 krahmer@suse.com - Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877) * Mon Dec 04 2017 kukuk@suse.com - fillup is required for post, not pre installation * Thu Nov 30 2017 mpluskal@suse.com - Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros * Wed Nov 29 2017 astieger@suse.com - Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921) * Thu Nov 23 2017 rbrown@suse.com - Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) * Tue Nov 21 2017 krahmer@suse.com - Update to version 20171121: * - permissions: adding kwayland (bsc#1062182) * Mon Nov 06 2017 eeich@suse.com - Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304 * Wed Oct 25 2017 jsegitz@suse.com - Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid) * Thu Sep 28 2017 astieger@suse.com - Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738 * Wed Sep 27 2017 pgajdos@suse.com - Update to version 20170927: * fix typos in manpages * Fri Sep 22 2017 astieger@suse.com - Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304 * Wed Sep 13 2017 astieger@suse.com - Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645) * Wed Sep 06 2017 opensuse-packaging@opensuse.org - Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425) * Wed Jun 07 2017 dimstar@opensuse.org - BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it. * Sat Jun 03 2017 meissner@suse.com - Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc) * Fri Jun 02 2017 meissner@suse.com - Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used * Sun Aug 07 2016 meissner@suse.com - Update to version 20160807: * suexec2 is a symlink, no need for permissions handling * Tue Aug 02 2016 meissner@suse.com - Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap * Tue Aug 02 2016 krahmer@suse.com - adding qemu-bridge-helper mode 04750 (bsc#988279) * Mon May 23 2016 dimstar@opensuse.org - Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem. * Mon May 23 2016 meissner@suse.com - chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352) * Wed Mar 30 2016 meissner@suse.com - permissions: adding gstreamer ptp file caps (bsc#960173) * Fri Jan 15 2016 meissner@suse.com - the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060) * Tue Jan 12 2016 meissner@suse.com - pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363 * Thu Oct 29 2015 meissner@suse.com - add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557) * Mon Sep 28 2015 meissner@suse.com - adjusted radosgw to root:www mode 0750 (bsc#943471) * Mon Sep 28 2015 meissner@suse.com - radosgw can get capability cap_bind_net_service (bsc#943471) * Mon Jun 08 2015 meissner@suse.com - remove /usr/bin/get_printing_ticket; (bnc#906336) * Wed Dec 03 2014 krahmer@suse.com - Added iouyap capabilities (bnc#904060) * Wed Nov 05 2014 meissner@suse.com - %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647
/etc/permissions /etc/permissions.easy /etc/permissions.local /etc/permissions.paranoid /etc/permissions.secure /usr/bin/chkstat /usr/share/fillup-templates/sysconfig.security /usr/share/man/man5/permissions.5.gz /usr/share/man/man8/chkstat.8.gz
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Jul 9 11:45:28 2024