Revisions of permissions
Dominique Leuenberger (dimstar_suse)
accepted
request 853596
from
Matthias Gerstner (mgerstner)
(revision 146)
move man page to where the documented files are A separate package for a single man page really is overkill. See also discussion at https://lists.opensuse.org/archives/list/packaging@lists.opensuse.org/message/5FSP57UVYLS7BNBDNF4EGHW5TEEZUS5D/ (forwarded request 853107 from lnussel)
Dominique Leuenberger (dimstar_suse)
accepted
request 840211
from
Matthias Gerstner (mgerstner)
(revision 145)
- Update to version 20201008: * cleanup now useless /usr/lib entries after move to /usr/libexec (bsc#1171164) * drop (f)ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)
Dominique Leuenberger (dimstar_suse)
accepted
request 838733
from
Matthias Gerstner (mgerstner)
(revision 144)
- Update to version 20200930: * whitelist Xorg setuid-root wrapper (bsc#1175867)
Dominique Leuenberger (dimstar_suse)
accepted
request 833221
from
Matthias Gerstner (mgerstner)
(revision 143)
- Update to version 20200909: * screen: remove /run/uscreens covered by systemd-tmpfiles (bsc#1171879)
Dominique Leuenberger (dimstar_suse)
accepted
request 832056
from
Matthias Gerstner (mgerstner)
(revision 142)
- Update to version 20200904: * Add /usr/libexec for cockpit-session as new path * physlock: whitelist with tight restrictions (bsc#1175720)
Dominique Leuenberger (dimstar_suse)
accepted
request 829800
from
Malte Kraus (mkraus)
(revision 141)
- Update to version 20200826: * mtr-packet: stop requiring dialout group * etc/permissions: fix mtr permission * list_permissions: improve output format * list_permissions: support globbing in --path argument * list_permissions: implement simplifications suggested in PR#92 * list_permissions: new tool for better path configuration overview
Dominique Leuenberger (dimstar_suse)
accepted
request 825923
from
Matthias Gerstner (mgerstner)
(revision 140)
- Update to version 20200811: * regtest: support new getcap output format in libcap-2.42 * regtest: print individual test case errors to stderr
Dominique Leuenberger (dimstar_suse)
accepted
request 822971
from
Matthias Gerstner (mgerstner)
(revision 139)
- Update to version 20200727: * etc/permissions: remove static /var/spool/* dirs * etc/permissions: remove outdated entries * etc/permissions: remove unnecessary static dirs and devices * screen: remove now unused /var/run/uscreens
Dominique Leuenberger (dimstar_suse)
accepted
request 819968
from
Matthias Gerstner (mgerstner)
(revision 138)
- Update to version 20200710: * Revert "etc/permissions: remove entries for bind-chrootenv". This currently conflicts with the way the CheckSUIDPermissions rpmlint-check is implemented. - Removed dbus-libexec.patch: contained in upstream - Update to version 20200624: * rework permissions.local text (boo#1173221) * dbus-1: adjust to new libexec dir location (bsc#1171164) * permission profiles: reinstate kdesud for kde5 * etc/permissions: remove entries for bind-chrootenv * etc/permissions: remove traceroute entry * VirtualBox: remove outdated entry which is only a symlink any more * /bin/su: remove path refering to symlink * etc/permissions: remove legacy RPM directory entries * /etc/permissions: remove outdated sudo directories * singularity: remove outdated setuid-binary entries * chromium: remove now unneeded chrome_sandbox entry (bsc#1163588) * dbus-1: remove deprecated alternative paths * PolicyKit: remove outdated entries last used in SLE-11 * pcp: remove no longer needed / conflicting entries * gnats: remove entries for package removed from Factory * kdelibs4: remove entries for package removed from Factory * v4l-base: remove entries for package removed from Factory * mailman: remove entries for package deleted from Factory * gnome-pty-helper: remove dead entry no longer part of the vte package * gnokii: remove entries for package no longer in Factory * xawtv (v4l-conf): correct group ownership in easy profile * systemd-journal: remove unnecessary profile entries
Dominique Leuenberger (dimstar_suse)
accepted
request 815295
from
Malte Kraus (mkraus)
(revision 137)
- dbus-1: adjust to new libexec dir location (bsc#1171164). This is temporarily done through the patch in dbus-libexec.patch because we are not completely certain the stability of current git. - run chkstat test suite during RPM build
Dominique Leuenberger (dimstar_suse)
accepted
request 810755
from
Matthias Gerstner (mgerstner)
(revision 136)
- Update to version 20200526: * profiles: add entries for enlightenment (bsc#1171686)
Yuchen Lin (maxlin_factory)
accepted
request 807568
from
Matthias Gerstner (mgerstner)
(revision 135)
- Update to version 20200520: * permissions fixed profile: utempter: reinstate libexec compatibility entry (forwarded request 807566 from mgerstner)
Dominique Leuenberger (dimstar_suse)
accepted
request 801106
from
Malte Kraus (mkraus)
(revision 134)
- Update to version 20200506: * add whitelist for files in /usr/lib to be also allowed in /usr/libexec (bsc#1171164)
Dominique Leuenberger (dimstar_suse)
accepted
request 787823
from
Johannes Segitz (jsegitz)
(revision 133)
Dominique Leuenberger (dimstar_suse)
accepted
request 780979
from
Matthias Gerstner (mgerstner)
(revision 132)
- Update to version 20200228: * chkstat: fix readline() on platforms with unsigned char - Update to version 20200227: * remove capability whitelisting for radosgw * whitelist ceph log directory (bsc#1150366) * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013 * add a test for symlinked directories * fix relative symlink handling * include cpp compat headers, not C headers * Move permissions and permissions.* except .local to /usr/share/permissions * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * regtest: bindMount(): explicitly reject read-only recursive mounts * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance (forwarded request 780264 from mkraus)
Dominique Leuenberger (dimstar_suse)
accepted
request 774158
from
Malte Kraus (mkraus)
(revision 131)
- Update to version 20200213: * remove obsolete/broken entries for rcp/rsh/rlogin * chkstat: handle symlinks in final path elements correctly * Revert "Revert "mariadb: settings for new auth_pam_tool (bsc#1160285)"" * Revert "mariadb: settings for new auth_pam_tool (bsc#1160285)"
Dominique Leuenberger (dimstar_suse)
accepted
request 769971
from
Matthias Gerstner (mgerstner)
(revision 130)
- Update to version 20200204: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: - add read-only fallback when /proc is not mounted (bsc#1160764) - capability handling fixes (bsc#1161779) - better error message when refusing to fix dir perms (#32) - Update to version 20200127: * fix paths of ksysguard whitelisting * fix zero-termination of error message for overly long paths
Dominique Leuenberger (dimstar_suse)
accepted
request 754442
from
Malte Kraus (mkraus)
(revision 129)
- Update to version 20191205: * fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690) - Update to version 20191122: * faxq-helper: correct "secure" permission for trusted group (bsc#1157498)
Dominique Leuenberger (dimstar_suse)
accepted
request 749269
from
Malte Kraus (mkraus)
(revision 128)
- Update to version 20191118: * whitelist ksysguard network helper (bsc#1151190) - Update to version 20191112: * fix syntax of paranoid profile * fix squid permissions (bsc#1093414, CVE-2019-3688)
Dominique Leuenberger (dimstar_suse)
accepted
request 734799
from
Marcus Meissner (msmeissn)
(revision 127)
- Add || exit 0 on the scriptlet as it can actually fail in rootless containers with podman. This makes sure the zypper does not abort the container creation. * the actual error looks like: /dev/zero: chown: Operation not permitted (forwarded request 734796 from scarabeus_iv)
Displaying revisions 21 - 40 of 166