update path to gnome-pty-helper (bnc#634199)
1 # /etc/permissions.secure
2 #
3 # Copyright (c) 2001 SuSE GmbH Nuernberg, Germany.  All rights reserved.
4 #
5 # Author: Roman Drahtmueller <draht@suse.de>, 2001
6 #
7
8 # See /etc/permissions for general hints on how to use this file.
9 #
10 # /etc/permissions.secure is designed for the use in a multi-user and
11 # networked installation. Most privileged file modes are disabled here.
12 # Many programs that still have their suid- or sgid-modes have had their
13 # security problems in the past already.
14 # The primary target of this configuration is to make the basic things
15 # such as changing passwords, the basic networking programs as well as
16 # some of the all-day work programs properly function for the unprivileged
17 # user. The dial-out packages are executable for users belonging to the
18 # "dialout" group - therefore, these users are to be treated "privileged".
19 # Packages such as (remote-) batch queueing systems, games, programs for 
20 # the linux text console, everything linked against OOP libraries and
21 # most other exotic utilities are turned into unprivileged binary files
22 # in order for them not to cause any security problems if one or more of
23 # the programs turn out to have buffer overruns or otherwise locally 
24 # exploitable programming errors.
25 # This file is not designed to make your system as closed and as restrictive
26 # as possible. In many cases, restricted access to a configuration
27 # file is of no use since the data used can be obtained from the /proc file
28 # system or interface configuration as well. Also, system programs such as
29 # /sbin/ifconfig or /sbin/route are not changed because nosey users can
30 # bring their own. "Security by obscurity" will not add any significant
31 # security-related advantage to the system. Keep in mind that curiosity
32 # is a major motivation for your users to try to see behind the curtain.
33 #
34 # If you need the functionality of a program that usually runs as a
35 # privileged user, then use it as root, or, if you are not root, ask your 
36 # system administrator for advice. In many cases, adding a user to the 
37 # "trusted" group gives her access to the resources that are not accessible
38 # any more if the admin chose to select "secure" as the permissions default.
39 #
40 # Please make use of the diff program to see the differences between the
41 # permissions.easy and permissions.secure files if things don't work as
42 # they should and you suspect a permission or privilege problem.
43 # The word "easy" is a reference for the /etc/permissions.easy file.
44 #
45 # As usual, these settings are "suggested". If you feel so inclined, 
46 # please feel free to change the modes in this file, but keep a log
47 # of your changes for future reference.
48
49 # Please always keep in mind that your system listens on network sockets
50 # in the default configuration. Change this by disabling the services that 
51 # you do not need or by restricting access to them using packet filters
52 # or tcp wrappers (see hosts_access(5)) to gain a higher level of security
53 # in your system.
54
55 #
56 # Directories
57 #
58 # no lock files for emacs:
59 /var/lib/xemacs/lock/                                   root:trusted      1775
60 # for screen's session sockets:
61 /var/run/uscreens/                                      root:root         1777
62
63 #
64 # /etc
65 #
66 /etc/crontab                                            root:root          600
67 /etc/exports                                            root:root          644
68 /etc/fstab                                              root:root          644
69 /etc/ftpaccess                                          root:root          644
70 /etc/ftpusers                                           root:root          644
71 /etc/inetd.conf                                         root:root          644
72 /etc/inittab                                            root:root          644
73 /etc/mtab                                               root:root          644
74 /etc/rmtab                                              root:root          644
75 /var/lib/nfs/rmtab                                      root:root          644
76 /etc/syslog.conf                                        root:root          600
77
78 #
79 # suid system programs that need the suid bit to work:
80 #
81 /bin/su                                                 root:root         4755
82 # disable at and cron for users that do not belong to the group "trusted"
83 /usr/bin/at                                             root:trusted      4750
84 /usr/bin/crontab                                        root:trusted      4750
85 /usr/bin/gpasswd                                        root:shadow       4755
86 /usr/bin/newgrp                                         root:root         4755
87 /usr/bin/passwd                                         root:shadow       4755
88 /usr/bin/chfn                                           root:shadow       4755
89 /usr/bin/chage                                          root:shadow       4755
90 /usr/bin/chsh                                           root:shadow       4755
91 /usr/bin/expiry                                         root:shadow       4755
92 # the default configuration of the sudo package in SuSE distribution is to
93 # intimidate users.
94 /usr/bin/sudo                                           root:root         4755
95 /usr/sbin/su-wrapper                                    root:root         0755
96 # opie password system
97 # #66303
98 /usr/bin/opiepasswd                                     root:root         4755
99 /usr/bin/opiesu                                         root:root         4755
100 # "user" entries in /etc/fstab make mount work for non-root users:
101 /usr/bin/ncpmount                                       root:trusted      4750
102 /usr/bin/ncpumount                                      root:trusted      4750
103 # #331020
104 /sbin/mount.nfs                                         root:root         0755
105 # mount/umount have had their problems already:
106 /bin/mount                                              root:root         4755
107 /bin/umount                                             root:root         4755
108 /bin/eject                                              root:audio        4750
109 #
110 # #133657
111 /usr/bin/fusermount                                     root:trusted      4750
112 # #66203
113 /usr/lib/majordomo/wrapper                              root:daemon       4750
114 # glibc backwards compatibility
115 /usr/lib/pt_chown                                       root:root         4755
116 /usr/lib64/pt_chown                                     root:root         4755
117 # needs setuid root when using shadow via NIS:
118 # #216816
119 /sbin/unix_chkpwd                                       root:shadow       4755
120 /sbin/unix2_chkpwd                                      root:shadow       4755
121 # qpopper
122 /usr/sbin/popauth                                       pop:trusted       4750
123 # from the squid package
124 /usr/sbin/pam_auth                                      root:shadow       4755
125
126 # still to be converted to utempter
127 /usr/lib/libvte9/gnome-pty-helper                       root:tty          2755
128
129 #
130 # mixed section: most of it is disabled in this permissions.secure:
131 #
132 #########################################################################
133 # rpm subsystem:
134 /usr/src/packages/SOURCES/                              root:root          755
135 /usr/src/packages/BUILD/                                root:root          755
136 /usr/src/packages/BUILDROOT/                            root:root          755
137 /usr/src/packages/RPMS/                                 root:root          755
138 /usr/src/packages/RPMS/alpha/                           root:root          755
139 /usr/src/packages/RPMS/alphaev56/                       root:root          755
140 /usr/src/packages/RPMS/alphaev67/                       root:root          755
141 /usr/src/packages/RPMS/alphaev6/                        root:root          755
142 /usr/src/packages/RPMS/arm4l/                           root:root          755
143 /usr/src/packages/RPMS/athlon/                          root:root          755
144 /usr/src/packages/RPMS/i386/                            root:root          755
145 /usr/src/packages/RPMS/i486/                            root:root          755
146 /usr/src/packages/RPMS/i586/                            root:root          755
147 /usr/src/packages/RPMS/i686/                            root:root          755
148 /usr/src/packages/RPMS/ia64/                            root:root          755
149 /usr/src/packages/RPMS/mips/                            root:root          755
150 /usr/src/packages/RPMS/ppc/                             root:root          755
151 /usr/src/packages/RPMS/ppc64/                           root:root          755
152 /usr/src/packages/RPMS/powerpc/                         root:root          755
153 /usr/src/packages/RPMS/powerpc64/                       root:root          755
154 /usr/src/packages/RPMS/s390/                            root:root          755
155 /usr/src/packages/RPMS/s390x/                           root:root          755
156 /usr/src/packages/RPMS/sparc/                           root:root          755
157 /usr/src/packages/RPMS/sparcv9/                         root:root          755
158 /usr/src/packages/RPMS/sparc64/                         root:root          755
159 /usr/src/packages/RPMS/x86_64/                          root:root          755
160 /usr/src/packages/RPMS/armv4l/                          root:root          755
161 /usr/src/packages/RPMS/armv5tel/                        root:root          755
162 /usr/src/packages/RPMS/armv5tevl/                       root:root          755
163 /usr/src/packages/RPMS/armv5tejl/                       root:root          755
164 /usr/src/packages/RPMS/armv5tejvl/                      root:root          755
165 /usr/src/packages/RPMS/armv6l/                          root:root          755
166 /usr/src/packages/RPMS/armv6vl/                         root:root          755
167 /usr/src/packages/RPMS/armv7l/                          root:root          755
168 /usr/src/packages/RPMS/hppa/                            root:root          755
169 /usr/src/packages/RPMS/hppa2.0/                         root:root          755
170 /usr/src/packages/RPMS/noarch/                          root:root          755
171 /usr/src/packages/SPECS/                                root:root          755
172 /usr/src/packages/SRPMS/                                root:root          755
173 #########################################################################
174 # video
175 /usr/bin/v4l-conf                                       root:video        4750
176 # Itanium ia32 emulator
177 /usr/lib/ia32el/suid_ia32x_loader                       root:root         0755
178 # scotty:
179 # #66211
180 /usr/bin/ntping                                         root:trusted      4750
181 # vlock (bnc#629236)
182 /usr/sbin/vlock-main                                    root:shadow       0755
183 #
184 /usr/bin/Xorg                                           root:root         0711
185 # turned off write and wall by disabling sgid tty:
186 /usr/bin/wall                                           root:tty          0755
187 /usr/bin/write                                          root:tty          0755
188 # thttpd: sgid + executable only for group www. Useless...
189 /usr/bin/makeweb                                        root:www          2750
190 # yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp.
191 /usr/bin/yaps                                           root:uucp         0755
192 # ncpfs tool: trusted only
193 /usr/bin/nwsfind                                        root:trusted      4750
194 /usr/bin/ncplogin                                       root:trusted      4750
195 /usr/bin/ncpmap                                         root:trusted      4750
196 # lpdfilter:
197 # checks itself that only lp and root can call it
198 /usr/lib/lpdfilter/bin/runlpr                           root:root         4755
199 # pcmcia:
200 # Needs setuid to eject cards (#100120)
201 /sbin/pccardctl                                         root:trusted      4750
202 # gnokii nokia cellphone software
203 # #66209
204 /usr/sbin/mgnokiidev                                    root:uucp          755
205 # pcp, performance co-pilot
206 # setuid root is used to write /var/log/pcp/NOTICES
207 # #66205
208 /usr/lib/pcp/pmpost                                     root:trusted      4750
209 # mailman mailing list software
210 # #66315
211 /usr/lib/mailman/cgi-bin/admin                          root:mailman      2755
212 /usr/lib/mailman/cgi-bin/admindb                        root:mailman      2755
213 /usr/lib/mailman/cgi-bin/edithtml                       root:mailman      2755
214 /usr/lib/mailman/cgi-bin/listinfo                       root:mailman      2755
215 /usr/lib/mailman/cgi-bin/options                        root:mailman      2755
216 /usr/lib/mailman/cgi-bin/private                        root:mailman      2755
217 /usr/lib/mailman/cgi-bin/roster                         root:mailman      2755
218 /usr/lib/mailman/cgi-bin/subscribe                      root:mailman      2755
219 /usr/lib/mailman/cgi-bin/confirm                        root:mailman      2755
220 /usr/lib/mailman/cgi-bin/create                         root:mailman      2755
221 /usr/lib/mailman/cgi-bin/editarch                       root:mailman      2755
222 /usr/lib/mailman/cgi-bin/rmlist                         root:mailman      2755
223 /usr/lib/mailman/mail/mailman                           root:mailman      2755
224
225 # libgnomesu (#75823, #175616)
226 /usr/lib/libgnomesu/gnomesu-pam-backend                 root:root         4755
227
228 # control-center2 (#104993)
229 /usr/sbin/change-passwd                                 root:root         4755
230
231 #
232 # smb printing with kerberos authentication (#177114)
233 #
234 /usr/bin/get_printing_ticket                            root:lp           4750
235
236 #
237 # networking (need root for the privileged socket)
238 #
239 /bin/ping                                               root:root         4755
240 /bin/ping6                                              root:root         4755
241 # mtr is linked against ncurses. no suid bit, for root only:
242 /usr/sbin/mtr                                           root:dialout      0755
243 /usr/bin/rcp                                            root:root         4755
244 /usr/bin/rlogin                                         root:root         4755
245 /usr/bin/rsh                                            root:root         4755
246
247 # heartbeat #66310
248 # cl_status needs to be allowed to connect to the heartbeat API. If the setgid
249 # bit is removed, one can manually add users to the haclient group instead.
250 /usr/bin/cl_status                                      root:haclient     2555
251
252 # exim
253 /usr/sbin/exim                                          root:root         4755
254
255 #
256 # dialup networking programs
257 #
258 /usr/sbin/pppoe-wrapper                                 root:dialout      4750
259 # i4l package (#100750):
260 /sbin/isdnctrl                                          root:dialout      4750
261 # #66111
262 /usr/bin/vboxbeep                                       root:trusted      0755
263
264
265 #
266 # linux text console utilities
267
268 # setuid needed on the text console to set the terminal content on ctrl-o
269 # #66112
270 /usr/lib/mc/cons.saver                                  root:root         0755
271
272
273 #
274 # terminal emulators
275 # This and future SuSE products have support for the utempter, a small helper
276 # program that does the utmp/wtmp update work with the necessary rights.
277 # The use of utempter obsoletes the need for sgid bits on terminal emulator
278 # binaries. We mention screen here, but all other terminal emulators have
279 # moved to /etc/permissions, with modes set to 0755.
280
281 # needs setuid to access /dev/console
282 # framebuffer terminal emulator (japanese)
283 /usr/bin/jfbterm                                        root:tty          0755
284
285 #
286 # kde
287 # (all of them are disabled in permissions.secure except for 
288 # the helper programs)
289 #
290 # arts wrapper, normally suid root:
291 /opt/kde3/bin/artswrapper                               root:root         0755
292 # needs setuid root when using shadow via NIS:
293 # #66218
294 /opt/kde3/bin/kcheckpass                                root:shadow       4755
295 /usr/lib/kde4/libexec/kcheckpass                        root:shadow       4755
296 /usr/lib64/kde4/libexec/kcheckpass                      root:shadow       4755
297 # This has a meaning... hmm...
298 /opt/kde3/bin/kdesud                                    root:nogroup      2755
299 /usr/lib/kde4/libexec/kdesud                            root:nogroup      2755
300 /usr/lib64/kde4/libexec/kdesud                          root:nogroup      2755
301 # used for getting proxy settings from dhcp
302 /opt/kde3/bin/kpac_dhcp_helper                          root:root         0755
303 # used to distract the oom killer
304 # #203535
305 /opt/kde3/bin/start_kdeinit                             root:root         4755
306 # bnc#523833
307 /usr/lib/kde4/libexec/start_kdeinit                     root:root         4755
308 /usr/lib64/kde4/libexec/start_kdeinit                   root:root         4755
309 # edits /etc/smb.conf
310 # #66312
311 /usr/bin/fileshareset                                   root:root         0755
312
313 #
314 # amanda
315 #
316 /usr/sbin/amcheck                                       root:amanda       0750
317 /usr/lib/amanda/calcsize                                root:amanda       0750
318 /usr/lib/amanda/rundump                                 root:amanda       0750
319 /usr/lib/amanda/planner                                 root:amanda       0750
320 /usr/lib/amanda/runtar                                  root:amanda       0750
321 /usr/lib/amanda/dumper                                  root:amanda       0750
322 /usr/lib/amanda/killpgrp                                root:amanda       0750
323
324
325 #
326 # gnats
327 #
328 /usr/lib/gnats/gen-index                                gnats:root        4555
329 /usr/lib/gnats/pr-edit                                  gnats:root        4555
330 /usr/lib/gnats/queue-pr                                 gnats:root        4555
331
332
333 #
334 # news (inn)
335 #
336 # the inn start script changes its uid to news:news. Later innbind
337 # is called by this user. Those programs do not need to be called by
338 # anyone else, therefore the strange permissions 4554 are required
339 # for operation. (#67032, #594393)
340 #
341 /usr/lib/news/bin/rnews                                 news:uucp         4550
342 /usr/lib/news/bin/inews                                 news:news         2555
343 /usr/lib/news/bin/innbind                               root:news         4554
344
345 #
346 # sendfax
347 #
348 # restrictive, only for "trusted" group users:
# NOTE(review): the faxq-helper entry below is fax:root 4755 (setuid fax,
# executable by every user), so neither its group nor its mode limits it to
# "trusted"; the heading above looks stale -- confirm the intended mode.
349 /usr/lib/mgetty+sendfax/faxq-helper                     fax:root          4755
350 /var/spool/fax/outgoing/                                fax:root          0755
351 /var/spool/fax/outgoing/locks                           fax:root          0755
352
353 #
354 # uucp
355 #
356 /var/spool/uucppublic/                                  root:uucp         1770
357 /usr/bin/uucp                                           uucp:uucp         6555
358 /usr/bin/uuname                                         uucp:uucp         6555
359 /usr/bin/uustat                                         uucp:uucp         6555
360 /usr/bin/uux                                            uucp:uucp         6555
361 /usr/lib/uucp/uucico                                    uucp:uucp         6555
362 /usr/lib/uucp/uuxqt                                     uucp:uucp         6555
363
364
365 #
366 # games of all kinds, toys
367 # all suid and sgid bits cleared.
368 #
369
370 # bsd-games
371 /usr/games/atc                                          games:games       0755
372 /usr/games/battlestar                                   games:games       0755
373 /usr/games/canfield                                     games:games       0755
374 /usr/games/cribbage                                     games:games       0755
375 /usr/games/phantasia                                    games:games       0755
376 /usr/games/robots                                       games:games       0755
377 /usr/games/sail                                         games:games       0755
378 /usr/games/snake                                        games:games       0755
379 /usr/games/tetris-bsd                                   games:games       0755
380
381 # Maelstrom
382 /usr/games/Maelstrom                                    games:games       0755
383
384 # pachi
385 /usr/games/pachi                                        games:games       0755
386 /usr/games/martian                                      games:games       0755
387
388 # nethack
389 /usr/lib/nethack/nethack.tty                            games:games       0755
390
391 # chromium,
392 /usr/games/chromium                                     games:games       0755
393
394 # xscrabble
395 /usr/games/xscrab                                       games:games       0755
396
397 # trackballs
398 /usr/games/trackballs                                   games:games       0755
399
400 # ltris
401 /usr/games/ltris                                        games:games       0755
402
403 # xlogical
404 /usr/games/xlogical                                     games:games       0755
405
406 # lbreakout
407 /usr/games/lbreakout2                                   games:games       0755
408
409 # xgalaga
410 /usr/bin/xgalaga                                        games:games       0755
411
412 # rocksndiamonds
413 /usr/games/rocksndiamonds                               games:games       0755
414
415 # gnome-games
416 /usr/bin/glines                                         games:games       0755
417 /usr/bin/gnibbles                                       games:games       0755
418 /usr/bin/gnobots2                                       games:games       0755
419 /usr/bin/gnometris                                      games:games       0755
420 /usr/bin/gnomine                                        games:games       0755
421 /usr/bin/gnotravex                                      games:games       0755
422 /usr/bin/gnotski                                        games:games       0755
423 /usr/bin/gtali                                          games:games       0755
424 /usr/bin/mahjongg                                       games:games       0755
425 /usr/bin/same-gnome                                     games:games       0755
426
427 # zypp (#385207)
428 /usr/sbin/zypp-refresh-wrapper                          root:root         0755
429
430 # PolicyKit (#295341)
431 /usr/lib/PolicyKit/polkit-set-default-helper            polkituser:root   4755
432 /usr/lib/PolicyKit/polkit-read-auth-helper              root:polkituser   2755
433 /usr/lib/PolicyKit/polkit-revoke-helper                 root:polkituser   2755
434 /usr/lib/PolicyKit/polkit-explicit-grant-helper         root:polkituser   2755
435 /usr/lib/PolicyKit/polkit-grant-helper                  root:polkituser   2755
436 /usr/lib/PolicyKit/polkit-grant-helper-pam              root:polkituser   4750
437
438 # polkit new (bnc#523377)
439 /usr/lib/polkit-1/polkit-agent-helper-1                 root:root         4755
440 /usr/bin/pkexec                                         root:root         4755
441
442 # dbus-1 (#333361)
443 /lib/dbus-1/dbus-daemon-launch-helper                   root:messagebus   4750
444 /lib64/dbus-1/dbus-daemon-launch-helper                 root:messagebus   4750
445
446 # policycoreutils (#440596)
447 /usr/bin/newrole                                        root:root         0755
448
449 # VirtualBox (#429725)
450 /usr/lib/virtualbox/VirtualBox                          root:vboxusers    0755
451 /usr/lib/virtualbox/VirtualBox3                         root:vboxusers    0755
452 /usr/lib/virtualbox/VBoxBFE                             root:vboxusers    0755
453 /usr/lib/virtualbox/VBoxHeadless                        root:vboxusers    0755
454 /usr/lib/virtualbox/VBoxSDL                             root:vboxusers    0755
455 # (bnc#533550)
456 /usr/lib/virtualbox/VBoxNetAdpCtl                       root:vboxusers    0755
457
458 # open-vm-tools (bnc#474285)
459 /usr/bin/vmware-user-suid-wrapper                       root:root         0755
460
461 # lockdev (bnc#588325)
462 /usr/sbin/lockdev                                       root:lock         2755