update path to gnome-pty-helper (bnc#634199)
[opensuse:permissions.git] / permissions.paranoid
1 # /etc/permissions.paranoid
2 #
3 # Copyright (c) 2001 SuSE GmbH Nuernberg, Germany.  All rights reserved.
4 #
5 # Author: Roman Drahtmueller <draht@suse.de>, 2001
6 #
7
8 # See /etc/permissions for general hints on how to use this file.
9 #
10 # /etc/permissions.paranoid is NOT designed to be used in a single-user as
11 # well as a multi-user installation, be it networked or not.
12 # Derived from /etc/permissions.secure, it has _all_ sgid and suid bits
13 # cleared - therefore, the system might be useable for non-privileged users
14 # except for simple tasks like changing passwords and such. In addition, 
15 # some of the configuration files are not readable for world any more.
16 #
17 # Feel free to use this file as a basis of a system configuration that meets
18 # your understanding of "secure", for the case that you're a bit paranoid.
19 # Since there is no such thing as "it works" with this configuration, please
20 # use these settings with care. Some experience on behalf of the administrator
21 # is needed to have a system running flawlessly when users are present.
22 # In particular, all terminal emulators will not be able to write to utmp
23 # and wtmp any more, which renders who(1) and finger(1) useless.
24 #
25 # Please always keep in mind that your system listens on network sockets
26 # in the default configuration. Change this by disabling the services that 
27 # you do not need or by restricting access to them using packet filters
28 # or tcp wrappers (see hosts_access(5)) to gain a higher level of security
29 # in your system.
30
31 #
32 # Directories
33 #
34 # no lock files for emacs:
35 /var/lib/xemacs/lock/                                   root:trusted      1775
36 # for screen's session sockets:
37 /var/run/uscreens/                                      root:trusted      1775
38
39
40 #
41 # /etc
42 #
43 /etc/crontab                                            root:root          600
44 /etc/exports                                            root:root          600
45 /etc/fstab                                              root:root          600
46 /etc/ftpaccess                                          root:root          600
47 /etc/ftpusers                                           root:root          600
48 /etc/inetd.conf                                         root:root          600
49 /etc/inittab                                            root:root          600
50 /etc/mtab                                               root:root          600
51 /etc/rmtab                                              root:root          600
52 /var/lib/nfs/rmtab                                      root:root          600
53 /etc/syslog.conf                                        root:root          600
54
55 #
56 # suid system programs that need the suid bit to work:
57 #
58 /bin/su                                                 root:root         0755
59 # disable at and cron for non-root users
60 /usr/bin/at                                             root:trusted      0755
61 /usr/bin/crontab                                        root:trusted      0755
62 /usr/bin/gpasswd                                        root:shadow       0755
63 /usr/bin/newgrp                                         root:root         0755
64 /usr/bin/passwd                                         root:shadow       0755
65 /usr/bin/chfn                                           root:shadow       0755
66 /usr/bin/chage                                          root:shadow       0755
67 /usr/bin/chsh                                           root:shadow       0755
68 /usr/bin/expiry                                         root:shadow       0755
69 # the default configuration of the sudo package in SuSE distribution is to
70 # intimidate users.
71 /usr/bin/sudo                                           root:root         0755
72 /usr/sbin/su-wrapper                                    root:root         0755
73 # opie password system
74 # #66303
75 /usr/bin/opiepasswd                                     root:root         0755
76 /usr/bin/opiesu                                         root:root         0755
77 # "user" entries in /etc/fstab make mount work for non-root users:
78 /usr/bin/ncpmount                                       root:trusted      0755
79 /usr/bin/ncpumount                                      root:trusted      0755
80 # #331020
81 /sbin/mount.nfs                                         root:root         0755
82 # mount/umount have had their problems already:
83 /bin/mount                                              root:root         0755
84 /bin/umount                                             root:root         0755
85 /bin/eject                                              root:audio        0755
86 #
87 # #133657
88 /usr/bin/fusermount                                     root:trusted      0755
89 # #66203
90 /usr/lib/majordomo/wrapper                              root:daemon       0755
91 # glibc backwards compatibility
92 /usr/lib/pt_chown                                       root:root         0755
93 /usr/lib64/pt_chown                                     root:root         0755
94 # needs setuid root when using shadow via NIS:
95 # #216816
96 /sbin/unix_chkpwd                                       root:shadow       0755
97 /sbin/unix2_chkpwd                                      root:shadow       0755
98 # qpopper
99 /usr/sbin/popauth                                       pop:trusted       0755
100 # from the squid package
101 /usr/sbin/pam_auth                                      root:shadow       0755
102
103 # still to be converted to utempter
104 /usr/lib/libvte9/gnome-pty-helper                       root:tty          0755
105
106 #
107 # mixed section: most of it is disabled in this permissions.secure:
108 #
109 #########################################################################
110 # rpm subsystem:
111 /usr/src/packages/SOURCES/                              root:root          700
112 /usr/src/packages/BUILD/                                root:root          700
113 /usr/src/packages/BUILDROOT/                            root:root          700
114 /usr/src/packages/RPMS/                                 root:root          700
115 /usr/src/packages/RPMS/alpha/                           root:root          700
116 /usr/src/packages/RPMS/alphaev56/                       root:root          700
117 /usr/src/packages/RPMS/alphaev67/                       root:root          700
118 /usr/src/packages/RPMS/alphaev6/                        root:root          700
119 /usr/src/packages/RPMS/arm4l/                           root:root          700
120 /usr/src/packages/RPMS/athlon/                          root:root          700
121 /usr/src/packages/RPMS/i386/                            root:root          700
122 /usr/src/packages/RPMS/i486/                            root:root          700
123 /usr/src/packages/RPMS/i586/                            root:root          700
124 /usr/src/packages/RPMS/i686/                            root:root          700
125 /usr/src/packages/RPMS/ia64/                            root:root          700
126 /usr/src/packages/RPMS/mips/                            root:root          700
127 /usr/src/packages/RPMS/ppc/                             root:root          700
128 /usr/src/packages/RPMS/ppc64/                           root:root          700
129 /usr/src/packages/RPMS/powerpc/                         root:root          700
130 /usr/src/packages/RPMS/powerpc64/                       root:root          700
131 /usr/src/packages/RPMS/s390/                            root:root          700
132 /usr/src/packages/RPMS/s390x/                           root:root          700
133 /usr/src/packages/RPMS/sparc/                           root:root          700
134 /usr/src/packages/RPMS/sparcv9/                         root:root          700
135 /usr/src/packages/RPMS/sparc64/                         root:root          700
136 /usr/src/packages/RPMS/x86_64/                          root:root          700
137 /usr/src/packages/RPMS/armv4l/                          root:root          700
138 /usr/src/packages/RPMS/armv5tel/                        root:root          700
139 /usr/src/packages/RPMS/armv5tevl/                       root:root          700
140 /usr/src/packages/RPMS/armv5tejl/                       root:root          700
141 /usr/src/packages/RPMS/armv5tejvl/                      root:root          700
142 /usr/src/packages/RPMS/armv6l/                          root:root          700
143 /usr/src/packages/RPMS/armv6vl/                         root:root          700
144 /usr/src/packages/RPMS/armv7l/                          root:root          700
145 /usr/src/packages/RPMS/hppa/                            root:root          700
146 /usr/src/packages/RPMS/hppa2.0/                         root:root          700
147 /usr/src/packages/RPMS/noarch/                          root:root          700
148 /usr/src/packages/SPECS/                                root:root          700
149 /usr/src/packages/SRPMS/                                root:root          700
150 #########################################################################
151 # video
152 /usr/bin/v4l-conf                                       root:video        0755
153 # Itanium ia32 emulator
154 /usr/lib/ia32el/suid_ia32x_loader                       root:root         0755
155 #########################################################################
156 # scotty:
157 # #66211
158 /usr/bin/ntping                                         root:trusted      0755
159 # vlock (bnc#629236)
160 /usr/sbin/vlock-main                                    root:shadow       0755
161 #
162 /usr/bin/Xorg                                           root:root         0711
163 # turned off write and wall by disabling sgid tty:
164 /usr/bin/wall                                           root:tty          0755
165 /usr/bin/write                                          root:tty          0755
166 # thttpd
167 /usr/bin/makeweb                                        root:www          0750
168 # yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp.
169 /usr/bin/yaps                                           root:uucp         0755
170 # ncpfs tool: trusted only
171 /usr/bin/nwsfind                                        root:trusted      0750
172 /usr/bin/ncplogin                                       root:trusted      0750
173 /usr/bin/ncpmap                                         root:trusted      0750
174 # lpdfilter:
175 # checks itself that only lp and root can call it
176 /usr/lib/lpdfilter/bin/runlpr                           root:root         0755
177 # pcmcia:
178 # Needs setuid to eject cards (#100120)
179 /sbin/pccardctl                                         root:trusted      0755
180 # gnokii nokia cellphone software
181 # #66209
182 /usr/sbin/mgnokiidev                                    root:uucp          755
183 # pcp, performance co-pilot
184 # setuid root is used to write /var/log/pcp/NOTICES
185 # #66205
186 /usr/lib/pcp/pmpost                                     root:trusted      0755
187 # mailman mailing list software
188 # #66315
189 /usr/lib/mailman/cgi-bin/admin                          root:mailman      0755
190 /usr/lib/mailman/cgi-bin/admindb                        root:mailman      0755
191 /usr/lib/mailman/cgi-bin/edithtml                       root:mailman      0755
192 /usr/lib/mailman/cgi-bin/listinfo                       root:mailman      0755
193 /usr/lib/mailman/cgi-bin/options                        root:mailman      0755
194 /usr/lib/mailman/cgi-bin/private                        root:mailman      0755
195 /usr/lib/mailman/cgi-bin/roster                         root:mailman      0755
196 /usr/lib/mailman/cgi-bin/subscribe                      root:mailman      0755
197 /usr/lib/mailman/cgi-bin/confirm                        root:mailman      0755
198 /usr/lib/mailman/cgi-bin/create                         root:mailman      0755
199 /usr/lib/mailman/cgi-bin/editarch                       root:mailman      0755
200 /usr/lib/mailman/cgi-bin/rmlist                         root:mailman      0755
201 /usr/lib/mailman/mail/mailman                           root:mailman      0755
202
203 # libgnomesu (#75823, #175616)
204 /usr/lib/libgnomesu/gnomesu-pam-backend                 root:root         0755
205
206 # control-center2 (#104993)
207 /usr/sbin/change-passwd                                 root:root         0755
208
209 #
210 # smb printing with kerberos authentication (#177114)
211 #
212 /usr/bin/get_printing_ticket                            root:lp           0755
213
214 #
215 # networking (need root for the privileged socket)
216 #
217 /bin/ping                                               root:root         0755
218 /bin/ping6                                              root:root         0755
219 # mtr is linked against ncurses.
220 /usr/sbin/mtr                                           root:dialout      0755
221 /usr/bin/rcp                                            root:root         0755
222 /usr/bin/rlogin                                         root:root         0755
223 /usr/bin/rsh                                            root:root         0755
224
225 # heartbeat #66310
226 # cl_status needs to be allowed to connect to the heartbeat API. If the setgid
227 # bit is removed, one can manually add users to the haclient group instead.
228 /usr/bin/cl_status                                      root:haclient     0555
229
230 # exim
231 /usr/sbin/exim                                          root:root         0755
232
233 #
234 # dialup networking programs
235 #
236 /usr/sbin/pppoe-wrapper                                 root:dialout      0750
237 # i4l package (#100750):
238 /sbin/isdnctrl                                          root:dialout      0750
239 # #66111
240 /usr/bin/vboxbeep                                       root:trusted      0755
241
242
243 #
244 # linux text console utilities
245 #
246 # setuid needed on the text console to set the terminal content on ctrl-o
247 # #66112
248 /usr/lib/mc/cons.saver                                  root:root         0755
249
250
251 #
252 # terminal emulators
253 # This and future SuSE products have support for the utempter, a small helper
254 # program that does the utmp/wtmp update work with the necessary rights.
255 # The use of utempter obsoletes the need for sgid bits on terminal emulator
256 # binaries. We mention screen here, but all other terminal emulators have
257 # moved to /etc/permissions, with modes set to 0755.
258
259 # framebuffer terminal emulator (japanese).
260 /usr/bin/jfbterm                                        root:tty          0755
261
262 #
263 # kde
264 #
265 # arts wrapper, normally suid root:
266 /opt/kde3/bin/artswrapper                               root:root         0755
267 # needs setuid root when using shadow via NIS:
268 # #66218
269 /opt/kde3/bin/kcheckpass                                root:shadow       0755
270 /usr/lib/kde4/libexec/kcheckpass                        root:shadow       0755
271 /usr/lib64/kde4/libexec/kcheckpass                      root:shadow       0755
272 # This has a meaning... hmm...
273 /opt/kde3/bin/kdesud                                    root:nogroup      0755
274 /usr/lib/kde4/libexec/kdesud                            root:nogroup      0755
275 /usr/lib64/kde4/libexec/kdesud                          root:nogroup      0755
276 # used for getting proxy settings from dhcp
277 /opt/kde3/bin/kpac_dhcp_helper                          root:root         0755
278 # used to distract the oom killer
279 # #203535
280 /opt/kde3/bin/start_kdeinit                             root:root         0755
281 # bnc#523833
282 /usr/lib/kde4/libexec/start_kdeinit                     root:root         0755
283 /usr/lib64/kde4/libexec/start_kdeinit                   root:root         0755
284 # edits /etc/smb.conf
285 # #66312
286 /usr/bin/fileshareset                                   root:root         0755
287
288
289 #
290 # amanda
291 #
292 /usr/sbin/amcheck                                       root:amanda       0750
293 /usr/lib/amanda/calcsize                                root:amanda       0750
294 /usr/lib/amanda/rundump                                 root:amanda       0750
295 /usr/lib/amanda/planner                                 root:amanda       0750
296 /usr/lib/amanda/runtar                                  root:amanda       0750
297 /usr/lib/amanda/dumper                                  root:amanda       0750
298 /usr/lib/amanda/killpgrp                                root:amanda       0750
299
300
301 #
302 # gnats
303 #
304 /usr/lib/gnats/gen-index                                gnats:root        0555
305 /usr/lib/gnats/pr-edit                                  gnats:root        0555
306 /usr/lib/gnats/queue-pr                                 gnats:root        0555
307
308
309 #
310 # news (inn)
311 #
312 # the inn start script changes it's uid to news:news. Later innbind
313 # is called by this user. Those programs do not need to be called by
314 # anyone else, therefore the strange permissions 4554 are required
315 # for operation. (#67032, #594393)
316 #
317 /usr/lib/news/bin/rnews                                 news:uucp         0555
318 /usr/lib/news/bin/inews                                 news:news         0555
319 /usr/lib/news/bin/innbind                               root:news         0555
320
321 #
322 # sendfax
323 #
324 # restrictive, only for "trusted" group users:
325 /usr/lib/mgetty+sendfax/faxq-helper                     fax:root          0755
326 /var/spool/fax/outgoing/                                fax:trusted       0755
327 /var/spool/fax/outgoing/locks                           fax:trusted       0755
328
329 #
330 # uucp
331 #
332 /var/spool/uucppublic/                                  root:uucp         1770
333 /usr/bin/uucp                                           uucp:uucp         0555
334 /usr/bin/uuname                                         uucp:uucp         0555
335 /usr/bin/uustat                                         uucp:uucp         0555
336 /usr/bin/uux                                            uucp:uucp         0555
337 /usr/lib/uucp/uucico                                    uucp:uucp         0555
338 /usr/lib/uucp/uuxqt                                     uucp:uucp         0555
339
340
341 #
342 # games of all kinds, toys
343 #
344
345 # bsd-games
346 /usr/games/atc                                          games:games       0755
347 /usr/games/battlestar                                   games:games       0755
348 /usr/games/canfield                                     games:games       0755
349 /usr/games/cribbage                                     games:games       0755
350 /usr/games/phantasia                                    games:games       0755
351 /usr/games/robots                                       games:games       0755
352 /usr/games/sail                                         games:games       0755
353 /usr/games/snake                                        games:games       0755
354 /usr/games/tetris-bsd                                   games:games       0755
355
356 # Maelstrom
357 /usr/games/Maelstrom                                    games:games       0755
358
359 # pachi
360 /usr/games/pachi                                        games:games       0755
361 /usr/games/martian                                      games:games       0755
362
363 # nethack
364 /usr/lib/nethack/nethack.tty                            games:games       0755
365
366 # chromium,
367 /usr/games/chromium                                     games:games       0755
368
369 # xscrabble
370 /usr/games/xscrab                                       games:games       0755
371
372 # trackballs
373 /usr/games/trackballs                                   games:games       0755
374
375 # ltris
376 /usr/games/ltris                                        games:games       0755
377
378 # xlogical
379 /usr/games/xlogical                                     games:games       0755
380
381 # lbreakout
382 /usr/games/lbreakout2                                   games:games       0755
383
384 # xgalaga
385 /usr/bin/xgalaga                                        games:games       0755
386
387 # rocksndiamonds
388 /usr/games/rocksndiamonds                               games:games       0755
389
390 # gnome-games
391 /usr/bin/glines                                         games:games       0755
392 /usr/bin/gnibbles                                       games:games       0755
393 /usr/bin/gnobots2                                       games:games       0755
394 /usr/bin/gnometris                                      games:games       0755
395 /usr/bin/gnomine                                        games:games       0755
396 /usr/bin/gnotravex                                      games:games       0755
397 /usr/bin/gnotski                                        games:games       0755
398 /usr/bin/gtali                                          games:games       0755
399 /usr/bin/mahjongg                                       games:games       0755
400 /usr/bin/same-gnome                                     games:games       0755
401
402 # zypp (#385207)
403 /usr/sbin/zypp-refresh-wrapper                          root:root         0755
404
405 # PolicyKit (#295341)
406 /usr/lib/PolicyKit/polkit-set-default-helper            root:polkituser   0755
407 /usr/lib/PolicyKit/polkit-read-auth-helper              root:polkituser   0755
408 /usr/lib/PolicyKit/polkit-revoke-helper                 root:polkituser   0755
409 /usr/lib/PolicyKit/polkit-explicit-grant-helper         root:polkituser   0755
410 /usr/lib/PolicyKit/polkit-grant-helper                  root:polkituser   0755
411 /usr/lib/PolicyKit/polkit-grant-helper-pam              root:polkituser   0755
412
413 # polkit new (bnc#523377)
414 /usr/lib/polkit-1/polkit-agent-helper-1                 root:root         0755
415 /usr/bin/pkexec                                         root:root         0755
416
417 # dbus-1 (#333361)
418 /lib/dbus-1/dbus-daemon-launch-helper                   root:messagebus   0750
419 /lib64/dbus-1/dbus-daemon-launch-helper                 root:messagebus   0750
420
421 # policycoreutils (#440596)
422 /usr/bin/newrole                                        root:root         0755
423
424 # VirtualBox (#429725)
425 /usr/lib/virtualbox/VirtualBox                          root:vboxusers    0755
426 /usr/lib/virtualbox/VirtualBox3                         root:vboxusers    0755
427 /usr/lib/virtualbox/VBoxBFE                             root:vboxusers    0755
428 /usr/lib/virtualbox/VBoxHeadless                        root:vboxusers    0755
429 /usr/lib/virtualbox/VBoxSDL                             root:vboxusers    0755
430 # (bnc#533550)
431 /usr/lib/virtualbox/VBoxNetAdpCtl                       root:vboxusers    0755
432
433 # open-vm-tools (bnc#474285)
434 /usr/bin/vmware-user-suid-wrapper                       root:root         0755
435
436 # lockdev (bnc#588325)
437 /usr/sbin/lockdev                                       root:lock         0755