Changelog for permissions-config-1599_20220912-1.10.i586.rpm :

* Wed Sep 21 2022 Dirk Müller - skip tests on qemu user builds
* Tue Sep 13 2022 matthias.gerstnerAATTsuse.com- Update to version 20220912:
* chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)
* Mon Aug 08 2022 Dominique Leuenberger - Fix dependency from permissions-zypp-plugin to permissions.
* Sat Jul 30 2022 Stephan Kulow - Avoid different Versions for subpackages to fix build-compare seeing the src rpm as equal. It replaces VERSION-RELEASE but that will fail if subpackages use a different Version
* Wed Jul 13 2022 matthias.gerstnerAATTsuse.com- Update to version 20220713:
* postfix: add postlog setgid for maildrop binary (bsc#1201385)
* libexec migration: KDE utilities now properly place their helpers
* pccardctl: installation path has finally changed to /usr/sbin
* Fri Mar 11 2022 matthias.gerstnerAATTsuse.com- Update to version 20220309:
* apptainer whitelisting (bsc#1196145)
* Fri Feb 25 2022 matthias.gerstnerAATTsuse.com- Update to version 20220202:
* mount.nfs: switch from migration mode to fixed path in /usr/sbin
* changed gendered pronouns
* mgetty: faxq-helper now finally reside in /usr/libexec
* Wed Sep 01 2021 matthias.gerstnerAATTsuse.com- Update to version 20210901:
* libksysguard5: Updated path for ksgrd_network_helper
* kdesu: Updated path for kdesud
* sbin_dirs cleanup: these binaries have already been moved to /usr/sbin
* mariadb: revert auth_pam_tool to /usr/lib{,64} again
* cleanup: revert virtualbox back to plain /usr/lib
* cleanup: remove deprecated /etc/ssh/sshd_config
* hawk_invoke is not part of newer hawk2 packages anymore
* cleanup: texlive-filesystem: public now resides in libexec
* cleanup: authbind: helper now resides in libexec
* cleanup: polkit: the agent now also resides in libexec
* libexec cleanup: 'inn' news binaries now reside in libexec
* Tue May 18 2021 matthias.gerstnerAATTsuse.com- Update to version 20210518:
* whitelist please (bsc#1183669)
* Tue May 18 2021 matthias.gerstnerAATTsuse.com- Update to version 20210518:
* Fix enlightenment paths for 32-bit architectures
* Mon Jan 25 2021 matthias.gerstnerAATTsuse.com- Update to version 20210125:
* usbauth: drop compatibility variable for libexec
* usbauth: Updated path for usbauth-npriv
* profiles: finish usage of variable for polkit-agent-helper-1
* Fri Dec 04 2020 Ludwig Nussel - move man page to where the documented files are
* Wed Nov 11 2020 matthias.gerstnerAATTsuse.com- Update to version 20201111:
* squid: remove basic_pam_auth which doesn't need special perms (bsc#1171569)
* mgetty: remove long dead (or never existing) locks directory (bsc#1171882)
* adjust squid pinger path (bsc#1171569)
* profiles: remove now superfluous squid pinger paths (bsc#1171569)
* ksgrd_network_helper: remove obviously wrong path
* etc/permissions: remove unnecessary, duplicate, outdated entries
* chkstat: implement support for variables in profile paths in new variables.conf
* man pages: add documentation about variables, update copyrights
* profiles: use new variables feature to remove redundant entries
* profiles: prepare /usr/sbin versions of profile entries (bsc#1029961)
* Makefile: support CXXFLAGS and LDFLAGS override / extension via make/env variables (bsc#1178475)
* Makefile: compile with LFO support to fix 32-bit emulation on 64-bit hosts (bsc#1178476)
* README: added information about known limitations of this approach - adjusted spec file: - package new variables.conf - apply %{optflags} correctly via CXXFLAGS variable - drop FSCAPS_DEFAULT_ENABLED which isn't recognized anymore by the refactored chkstat sources. This is now the default.
* Thu Oct 08 2020 matthias.gerstnerAATTsuse.com- Update to version 20201008:
* cleanup now useless /usr/lib entries after move to /usr/libexec (bsc#1171164)
* drop (f)ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)
* Wed Sep 30 2020 matthias.gerstnerAATTsuse.com- Update to version 20200930:
* whitelist Xorg setuid-root wrapper (bsc#1175867)
* Wed Sep 09 2020 matthias.gerstnerAATTsuse.com- Update to version 20200909:
* screen: remove /run/uscreens covered by systemd-tmpfiles (bsc#1171879)
* Fri Sep 04 2020 matthias.gerstnerAATTsuse.com- Update to version 20200904:
* Add /usr/libexec for cockpit-session as new path
* physlock: whitelist with tight restrictions (bsc#1175720)
* Wed Aug 26 2020 malte.krausAATTsuse.com- Update to version 20200826:
* mtr-packet: stop requiring dialout group
* etc/permissions: fix mtr permission
* list_permissions: improve output format
* list_permissions: support globbing in --path argument
* list_permissions: implement simplifications suggested in PR#92
* list_permissions: new tool for better path configuration overview
* Tue Aug 11 2020 matthias.gerstnerAATTsuse.com- Update to version 20200811:
* regtest: support new getcap output format in libcap-2.42
* regtest: print individual test case errors to stderr
* Mon Jul 27 2020 matthias.gerstnerAATTsuse.com- Update to version 20200727:
* etc/permissions: remove static /var/spool/* dirs
* etc/permissions: remove outdated entries
* etc/permissions: remove unnecessary static dirs and devices
* screen: remove now unused /var/run/uscreens
* Fri Jul 10 2020 matthias.gerstnerAATTsuse.com- Update to version 20200710:
* Revert "etc/permissions: remove entries for bind-chrootenv". This currently conflicts with the way the CheckSUIDPermissions rpmlint-check is implemented.
* Tue Jul 07 2020 Callum Farmer - Removed dbus-libexec.patch: contained in upstream
* Tue Jul 07 2020 matthias.gerstnerAATTsuse.com- Update to version 20200624:
* rework permissions.local text (boo#1173221)
* dbus-1: adjust to new libexec dir location (bsc#1171164)
* permission profiles: reinstate kdesud for kde5
* etc/permissions: remove entries for bind-chrootenv
* etc/permissions: remove traceroute entry
* VirtualBox: remove outdated entry which is only a symlink any more
* /bin/su: remove path referring to symlink
* etc/permissions: remove legacy RPM directory entries
* /etc/permissions: remove outdated sudo directories
* singularity: remove outdated setuid-binary entries
* chromium: remove now unneeded chrome_sandbox entry (bsc#1163588)
* dbus-1: remove deprecated alternative paths
* PolicyKit: remove outdated entries last used in SLE-11
* pcp: remove no longer needed / conflicting entries
* gnats: remove entries for package removed from Factory
* kdelibs4: remove entries for package removed from Factory
* v4l-base: remove entries for package removed from Factory
* mailman: remove entries for package deleted from Factory
* gnome-pty-helper: remove dead entry no longer part of the vte package
* gnokii: remove entries for package no longer in Factory
* xawtv (v4l-conf): correct group ownership in easy profile
* systemd-journal: remove unnecessary profile entries
* thttp: make makeweb entry usable in the secure profile (bsc#1171580)
* Tue Jun 16 2020 malte.krausAATTsuse.com- dbus-1: adjust to new libexec dir location (bsc#1171164). This is temporarily done through the patch in dbus-libexec.patch because we are not completely certain of the stability of current git.- run chkstat test suite during RPM build
* Tue May 26 2020 matthias.gerstnerAATTsuse.com- Update to version 20200526:
* profiles: add entries for enlightenment (bsc#1171686)
* Wed May 20 2020 matthias.gerstnerAATTsuse.com- Update to version 20200520:
* permissions fixed profile: utempter: reinstate libexec compatibility entry
* Tue May 19 2020 matthias.gerstnerAATTsuse.com- Update to version 20200519:
* chkstat: fix sign conversion warnings on 32-bit architectures
* chkstat: allow simultaneous use of `--set` and `--system`
* regtest: adjust TestUnkownOwnership test to new warning output behaviour
* Mon May 18 2020 malte.krausAATTsuse.com- Update to version 20200518:
* whitelist texlive public binary (bsc#1171686)
* Fri May 15 2020 matthias.gerstnerAATTsuse.com- Update to version 20200514:
* fixed permissions: adjust to new libexec dir location (bsc#1171164) (affects utempter path)
* Wed May 13 2020 matthias.gerstnerAATTsuse.com- Update to version 20200513:
* major rewrite of the chkstat tool
* setuid bit for cockpit (bsc#1169614)
* Thu May 07 2020 malte.krausAATTsuse.com- Update to version 20200506:
* add whitelist for files in /usr/lib to be also allowed in /usr/libexec (bsc#1171164)
* Tue Mar 24 2020 jsegitzAATTsuse.de- Update to version 20200324:
* whitelist s390-tools setgid bit on log directory (bsc#1167163)
* whitelist WMP (bsc#1161335)
* regtest: improve readability of path variables by using literals
* regtest: adjust test suite to new path locations in /usr/share/permissions
* regtest: only catch explicit FileNotFoundError
* regtest: provide valid home directory in /root
* regtest: mount permissions src repository in /usr/src/permissions
* regtest: move initialization of TestBase paths into the prepare() function
* chkstat: support new --config-root command line option
* fix spelling of icingacmd group
* Fri Feb 28 2020 malte.krausAATTsuse.com- Update to version 20200228:
* chkstat: fix readline() on platforms with unsigned char
* Thu Feb 27 2020 malte.krausAATTsuse.com- Update to version 20200227:
* remove capability whitelisting for radosgw
* whitelist ceph log directory (bsc#1150366)
* adjust testsuite to post CVE-2020-8013 link handling
* testsuite: add option to not mount /proc
* do not follow symlinks that are the final path element: CVE-2020-8013
* add a test for symlinked directories
* fix relative symlink handling
* include cpp compat headers, not C headers
* Move permissions and permissions.* except .local to /usr/share/permissions
* regtest: fix the static PATH list which was missing /usr/bin
* regtest: also unshare the PID namespace to support /proc mounting
* regtest: bindMount(): explicitly reject read-only recursive mounts
* Makefile: force remove upon clean target to prevent bogus errors
* regtest: by default automatically (re)build chkstat before testing
* regtest: add test for symlink targets
* regtest: make capability setting tests optional
* regtest: fix capability assertion helper logic
* regtests: add another test case that catches set*id or caps in world-writable sub-trees
* regtest: add another test that catches when privilege bits are set for special files
* regtest: add test case for user owned symlinks
* regtest: employ subuid and subgid feature in user namespace
* regtest: add another test case that covers unknown user/group config
* regtest: add another test that checks rejection of insecure mixed-owner paths
* regtest: add test that checks for rejection of world-writable paths
* regtest: add test for detection of unexpected parent directory ownership
* regtest: add further helper functions, allow access to main instance
* regtest: introduce some basic coloring support to improve readability
* regtest: sort imports, another piece of rationale
* regtest: add capability test case
* regtest: improve error flagging of test cases and introduce warnings
* regtest: support caps
* regtest: add a couple of command line parameter test cases
* regtest: add another test that checks whether the default profile works
* regtests: add tests for correct application of local profiles
* regtest: add further test cases that test correct profile application
* regtest: simplify test implementation and readability
* regtest: add helpers for permissions.d per package profiles
* regtest: support read-only bind mounts, also bind-mount permissions repo
* tests: introduce a regression test suite for chkstat
* Makefile: allow to build test version programmatically
* README.md: add basic readme file that explains the repository's purpose
* chkstat: change and harmonize coding style
* chkstat: switch to C++ compilation unit- add suse_version to end of permissions package version
* Thu Feb 13 2020 malte.krausAATTsuse.com- Update to version 20200213:
* remove obsolete/broken entries for rcp/rsh/rlogin
* chkstat: handle symlinks in final path elements correctly
* Revert "Revert "mariadb: settings for new auth_pam_tool (bsc#1160285)""
* Revert "mariadb: settings for new auth_pam_tool (bsc#1160285)"
* Tue Feb 04 2020 matthias.gerstnerAATTsuse.com- Update to version 20200204:
* mariadb: settings for new auth_pam_tool (bsc#1160285)
* chkstat: - add read-only fallback when /proc is not mounted (bsc#1160764) - capability handling fixes (bsc#1161779) - better error message when refusing to fix dir perms (#32)
* Mon Jan 27 2020 malte.krausAATTsuse.com- Update to version 20200127:
* fix paths of ksysguard whitelisting
* fix zero-termination of error message for overly long paths
* Thu Dec 05 2019 malte.krausAATTsuse.com- Update to version 20191205:
* fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690)
* Wed Nov 27 2019 matthias.gerstnerAATTsuse.com- Update to version 20191122:
* faxq-helper: correct "secure" permission for trusted group (bsc#1157498)
* Mon Nov 18 2019 malte.krausAATTsuse.com- Update to version 20191118:
* whitelist ksysguard network helper (bsc#1151190)
* Tue Nov 12 2019 malte.krausAATTsuse.com- Update to version 20191112:
* fix syntax of paranoid profile
* fix squid permissions (bsc#1093414, CVE-2019-3688)
* Thu Oct 03 2019 Tomáš Chvátal - Add || exit 0 on the scriptlet as it can actually fail in rootless containers with podman. This makes sure the zypper does not abort the container creation.
* the actual error looks like: /dev/zero: chown: Operation not permitted
* Fri Sep 13 2019 jsegitzAATTsuse.de- Update to version 20190913:
* setgid bit for nagios directory (bsc#1028975, bsc#1150345)- This also restructures the sources for the permission package
* Fri Aug 30 2019 malte.krausAATTsuse.com- Update to version 20190830:
* dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)
* Thu Aug 29 2019 malte.krausAATTsuse.com- Update to version 20190829:
* add one more missing slash for icinga2
* fix more missing slashes for directories
* Tue Aug 20 2019 malte.krausAATTsuse.com- Update to version 20190820:
* cron directory permissions: add slashes
* Thu Jul 11 2019 malte.krausAATTsuse.com- Update to version 20190711:
* iputils: Add capability permissions for clockdiff (bsc#1140994)
* Wed Jul 10 2019 opensuse-packagingAATTopensuse.org- Update to version 20190710:
* iputils/ping: Drop effective capability
* iputils/ping6: Remove definitions
* Thu Jun 13 2019 meissnerAATTsuse.com- Update to version 20190521:
* singularity: Add starter-suid for version 3.2.0
* adjust settings for amanda to current binary layout
* Wed Jun 05 2019 - Move BuildRequires: back to main package
* Wed Jun 05 2019 - Moved requires to subpackages (bsc#1137257)
* Thu May 02 2019 jsegitzAATTsuse.com- Fixed versions. Removed set_version from _service file, doesn't work with the new packaging. Call fix_version.sh to set current date as version instead- Fixed requires for -config and -zypp-plugin
* Tue Apr 30 2019 opensuse-packagingAATTopensuse.org- Update to version 20190429:
* removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)
* fixed error in description of permissions.paranoid. Make it clear that this is not a usable profile, but intended as a base for own developments
* Sat Apr 13 2019 Jan Engelhardt - Fix RPM group, fix hard requirement on documentation. Update description typography.
* Thu Apr 11 2019 jsegitzAATTsuse.com- Created new subpackages -config, -doc and standalone package chkstat where we can start a better versioning scheme and require it from the original package
* Tue Feb 12 2019 jsegitzAATTsuse.com- Update to version 20190212:
* removed old entry for wodim
* removed old entry for netatalk
* removed old entry for suidperl
* removed old entry for utempter
* removed old entry for hostname
* removed old directory entries
* removed old entry for qemu-bridge-helper
* removed old entries for pccardctl
* removed old entries for isdnctrl
* removed old entries for unix(2)_chkpwd
* removed old entries for mount.nfs
* removed old entries for (u)mount
* removed old entry for fileshareset
* removed old entries for KDE
* removed old entry for heartbeat
* removed old entry for gnome-control-center
* removed old entry for pcp
* removed old entry for lpdfilter
* removed old entry for scotty
* removed old entry for ia32el
* removed old entry for squid
* removed old qpopper whitelist
* removed pt_chown entries. Not needed anymore and a bad idea anyway
* removed old majordomo entry
* removed stale entries for old ncpfs tools
* removed old entry for rmtab
* Fixed typo in icinga2 whitelist entry
* New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox
* Removed whitelist for /usr/bin/su.core. According to comment a temporary hack introduced 2012 to help moving su from coreutils to util-linux. I couldn't find it anywhere, so we don't need it anymore
* Remove entry for /usr/bin/yaps. We don't ship it anymore and the group that is used doesn't exist anymore starting with Leap 15, so it will not work there anyway. Users using this (old) package can do this individually
* removed entry for /etc/ftpaccess. We currently don't have it anywhere (and judging from my search this has been the case for quite a while)
* Ensure consistency of entries, otherwise switching between settings becomes problematic
* Fix spelling of SUSE
* permissions.local: fix typo
* Fri Nov 16 2018 opensuse-packagingAATTopensuse.org- Update to version 20181116:
* zypper-plugin: new plugin to fix bsc#1114383
* Mon Nov 12 2018 opensuse-packagingAATTopensuse.org- Update to version 20181112:
* singularity: remove -suid binaries that have been dropped since version 2.4 (bsc#1028304)
* Tue Oct 30 2018 opensuse-packagingAATTopensuse.org- Update to version 20181030:
* capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds
* Mon Oct 29 2018 opensuse-packagingAATTopensuse.org- Update to version 20181029:
* setuid whitelisting: add fusermount3 (bsc#1111230)
* Thu Oct 25 2018 opensuse-packagingAATTopensuse.org- Update to version 20181025:
* setuid whitelisting: add authbind binary (bsc#1111251)
* Mon Aug 27 2018 opensuse-packagingAATTopensuse.org- Update to version 20180827:
* setuid whitelisting: add firejail binary (bsc#1059013)
* Fri Aug 10 2018 opensuse-packagingAATTopensuse.org- Update to version 20180810:
* setuid whitelisting: add lxc-user-nic (bsc#988348)
* Thu Aug 02 2018 opensuse-packagingAATTopensuse.org- Update to version 20180802:
* whitelisting: added smc-tools LD_PRELOAD library (bsc#1102956)
* Tue Jul 24 2018 opensuse-packagingAATTopensuse.org- Update to version 20180724:
* Fix wrong file path in help string
* whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420)
* Tue May 08 2018 astiegerAATTsuse.com- Update to version 20180508:
* Capabilities for usage of Wireshark for non-root (bsc#957624)
* Thu Jan 25 2018 meissnerAATTsuse.com- Update to version 20180125:
* the error should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247)
* make btmp root:utmp (bsc#1050467)
* Mon Jan 15 2018 krahmerAATTsuse.com- Update to version 20180115:
* polkit-default-privs: usbauth (bsc#1066877)
 