chilidog.highland.cc.ks.us

home *** CD-ROM | disk | FTP | other *** search

/ chilidog.highland.cc.ks.us / chilidog.highland.cc.ks.us.zip / chilidog.highland.cc.ks.us / backup / bradford.20110502.etc.tar.gz / bradford.20110502.etc.tar / etc / permissions.paranoid < prev next >

Wrap

Text File | 2006-04-22 | 22KB | 450 lines

# /etc/permissions.paranoid # # Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved. # # Author: Roman Drahtmueller <draht@suse.de>, 2001 # # # See /etc/permissions for general hints on how to use this file. # # /etc/permissions.paranoid is NOT designed to be used in a single-user as # well as a multi-user installation, be it networked or not. # Derived from /etc/permissions.secure, it has _all_ sgid and suid bits # cleared - therefore, the system might be useable for non-privileged users # except for simple tasks like changing passwords and such. In addition, # some of the configuration files are not readable for world any more. # # Feel free to use this file as a basis of a system configuration that meets # your understanding of "secure", for the case that you're a bit paranoid. # Since there is no such thing as "it works" with this configuration, please # use these settings with care. Some experience on behalf of the administrator # is needed to have a system running flawlessly when users are present. # In particular, all terminal emulators will not be able to write to utmp # and wtmp any more, which renders who(1) and finger(1) useless. # # Please always keep in mind that your system listens on network sockets # in the default configuration. Change this by disabling the services that # you do not need or by restricting access to them using packet filters # or tcp wrappers (see hosts_access(5)) to gain a higher level of security # in your system. # # Directories # # no lock files for emacs: /var/lib/xemacs/lock root:trusted 1775 # for screen's session sockets: /var/run/uscreens root:trusted 1775 # # /etc # /etc/crontab root:root 600 /etc/exports root:root 600 /etc/fstab root:root 600 /etc/ftpaccess root:root 600 /etc/ftpusers root:root 600 /etc/inetd.conf root:root 600 /etc/inittab root:root 600 /etc/mtab root:root 600 /etc/rmtab root:root 600 /var/lib/nfs/rmtab root:root 600 /etc/syslog.conf root:root 600 # # suid system programs that need the suid bit to work: # /bin/su root:root 0755 # disable at and cron for non-root users /usr/bin/at root:trusted 0755 /usr/bin/crontab root:trusted 0755 /usr/bin/gpasswd root:shadow 0755 /usr/bin/newgrp root:root 0755 /usr/bin/passwd root:shadow 0755 /usr/bin/chfn root:shadow 0755 /usr/bin/chage root:shadow 0755 /usr/bin/chsh root:shadow 0755 /usr/bin/expiry root:shadow 0755 # the default configuration of the sudo package in SuSE distribution is to # intimidate users. /usr/bin/sudo root:root 0755 /usr/sbin/su-wrapper root:root 0755 # opie password system # #66303 /usr/bin/opiepasswd root:root 0755 /usr/bin/opiesu root:root 0755 # "user" entries in /etc/fstab make mount work for non-root users: /usr/bin/ncpmount root:trusted 0755 /usr/bin/ncpumount root:trusted 0755 # mount/umount have had their problems already: /bin/mount root:root 0755 /bin/umount root:root 0755 /bin/eject root:audio 0755 # # #133657 /usr/bin/fusermount root:trusted 0755 # #66203 /usr/lib/majordomo/wrapper root:daemon 0755 # glibc backwards compatibility /usr/lib/pt_chown root:root 0755 /usr/lib64/pt_chown root:root 0755 /sbin/unix_chkpwd root:shadow 0755 /sbin/unix2_chkpwd root:shadow 0755 # qpopper /usr/sbin/popauth pop:trusted 0755 # from the squid package /usr/sbin/pam_auth root:shadow 0755 # still to be converted to utempter /opt/gnome/lib/vte/gnome-pty-helper root:tty 0755 # gpg cannot pin memory into the ram using mlock(2) if not suid. # In memory pressure conditions, memory pages containing sensitive information # can be paged to disk. # the suid bit also removes gpg's complaints wrt the insecure memory. # in permissions.paranoid, we remove the setuid bit following the rationale # described near the top of the file. /usr/bin/gpg root:root 0755 # # mixed section: most of it is disabled in this permissions.secure: # ######################################################################### # rpm subsystem: /usr/src/packages/SOURCES/ root:root 700 /usr/src/packages/BUILD/ root:root 700 /usr/src/packages/RPMS/ root:root 700 /usr/src/packages/RPMS/alpha/ root:root 700 /usr/src/packages/RPMS/alphaev56/ root:root 700 /usr/src/packages/RPMS/alphaev67/ root:root 700 /usr/src/packages/RPMS/alphaev6/ root:root 700 /usr/src/packages/RPMS/arm4l/ root:root 700 /usr/src/packages/RPMS/athlon/ root:root 700 /usr/src/packages/RPMS/i386/ root:root 700 /usr/src/packages/RPMS/i486/ root:root 700 /usr/src/packages/RPMS/i586/ root:root 700 /usr/src/packages/RPMS/i686/ root:root 700 /usr/src/packages/RPMS/ia64/ root:root 700 /usr/src/packages/RPMS/mips/ root:root 700 /usr/src/packages/RPMS/ppc/ root:root 700 /usr/src/packages/RPMS/ppc64/ root:root 700 /usr/src/packages/RPMS/powerpc/ root:root 700 /usr/src/packages/RPMS/powerpc64/ root:root 700 /usr/src/packages/RPMS/s390/ root:root 700 /usr/src/packages/RPMS/s390x/ root:root 700 /usr/src/packages/RPMS/sparc/ root:root 700 /usr/src/packages/RPMS/sparcv9/ root:root 700 /usr/src/packages/RPMS/sparc64/ root:root 700 /usr/src/packages/RPMS/x86_64/ root:root 700 /usr/src/packages/RPMS/armv4l/ root:root 700 /usr/src/packages/RPMS/hppa/ root:root 700 /usr/src/packages/RPMS/hppa2.0/ root:root 700 /usr/src/packages/RPMS/noarch/ root:root 700 /usr/src/packages/SPECS/ root:root 700 /usr/src/packages/SRPMS/ root:root 700 ######################################################################### # video /usr/X11R6/bin/v4l-conf root:video 0755 /opt/gnome/sbin/zapping_setup_fb root:video 0755 # vmware /usr/bin/vmware root:trusted 0755 /usr/bin/vmware-ping root:trusted 0755 # Itanium ia32 emulator /usr/lib/ia32el/suid_ia32x_loader root:root 0755 ######################################################################### # scotty: # #66211 /usr/bin/ntping root:trusted 0755 # This is not extensively tested. /usr/bin/vlock root:shadow 0755 /usr/X11R6/bin/Xorg root:root 0711 /usr/bin/man root:root 0755 /usr/bin/mandb root:root 0755 # turned off write and wall by disabling sgid tty: /usr/bin/wall root:tty 0755 /usr/bin/write root:tty 0755 # thttpd /usr/bin/makeweb root:www 0750 # yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp. /usr/bin/yaps root:uucp 0755 # scmxx, tool for mobile phone, accesses /dev/ttyS? # #66309 /usr/bin/scmxx root:uucp 0755 # ncpfs tool: trusted only /usr/bin/nwsfind root:trusted 0750 /usr/bin/ncplogin root:trusted 0750 /usr/bin/ncpmap root:trusted 0750 # lpdfilter: # checks itself that only lp and root can call it /usr/lib/lpdfilter/bin/runlpr root:root 0755 # pcmcia: # Needs setuid to eject cards (#100120) /sbin/pccardctl root:trusted 0755 # pcmcia-cardinfo: # for visual pcmcia status info. Needs setuid for creating device # files. It does that before initializing X /usr/X11R6/bin/cardinfo root:root 0755 # gnokii nokia cellphone software # #66209 /usr/sbin/mgnokiidev root:uucp 755 # pcp, performance co-pilot # setuid root is used to write /var/log/pcp/NOTICES # #66205 /usr/lib/pcp/pmpost root:trusted 0755 # mailman mailing list software # #66315 /usr/lib/mailman/cgi-bin/admin root:mailman 0755 /usr/lib/mailman/cgi-bin/admindb root:mailman 0755 /usr/lib/mailman/cgi-bin/edithtml root:mailman 0755 /usr/lib/mailman/cgi-bin/listinfo root:mailman 0755 /usr/lib/mailman/cgi-bin/options root:mailman 0755 /usr/lib/mailman/cgi-bin/private root:mailman 0755 /usr/lib/mailman/cgi-bin/roster root:mailman 0755 /usr/lib/mailman/cgi-bin/subscribe root:mailman 0755 /usr/lib/mailman/cgi-bin/confirm root:mailman 0755 /usr/lib/mailman/cgi-bin/create root:mailman 0755 /usr/lib/mailman/cgi-bin/editarch root:mailman 0755 /usr/lib/mailman/cgi-bin/rmlist root:mailman 0755 /usr/lib/mailman/mail/mailman root:mailman 0755 # libgnomesu (#75823) /opt/gnome/lib/libgnomesu/gnomesu-pam-backend root:root 0755 # control-center2 (#104993) /opt/gnome/sbin/change-passwd root:root 0755 # # cups (#66305) # /usr/bin/lppasswd lp:sys 0755 # # networking (need root for the privileged socket) # /bin/ping root:root 0755 /bin/ping6 root:root 0755 /usr/bin/bing root:trusted 0755 /usr/sbin/traceroute6 root:root 0755 # mtr is linked against ncurses. /usr/sbin/mtr root:dialout 0755 /usr/bin/rcp root:root 0755 /usr/bin/rlogin root:root 0755 /usr/bin/rsh root:root 0755 # OpenPBS #66320 /var/spool/pbs/spool root:root 0755 /var/spool/pbs/undelivered root:root 0755 /opt/pbs/sbin/pbs_iff root:root 0755 /opt/pbs/sbin/pbs_rcp root:root 0755 # heartbeat #66310 # cl_status needs to be allowed to connect to the heartbeat API. If the setgid # bit is removed, one can manually add users to the haclient group instead. /usr/bin/cl_status root:haclient 0555 # apache2 /usr/sbin/suexec2 root:root 0755 # exim /usr/sbin/exim root:root 0755 # # dialup networking programs # /usr/sbin/pppoe-wrapper root:dialout 0750 # i4l package (#100750): /sbin/isdnctrl root:dialout 0750 # #66111 /usr/bin/vboxbeep root:trusted 0755 # # linux text console utilities # # setuid needed on the text console to set the terminal content on ctrl-o # #66112 /usr/lib/mc/cons.saver root:root 0755 # # terminal emulators # This and future SuSE products have support for the utempter, a small helper # program that does the utmp/wtmp update work with the necessary rights. # The use of utempter obsoletes the need for sgid bits on terminal emulator # binaries. We mention screen here, but all other terminal emulators have # moved to /etc/permissions, with modes set to 0755. # framebuffer terminal emulator (japanese). /usr/bin/jfbterm root:tty 0755 # # kde # # arts wrapper, normally suid root: /opt/kde3/bin/artswrapper root:root 0755 # needs setuid root when using shadow via NIS: # #66218 /opt/kde3/bin/kcheckpass root:shadow 0755 # do not allow khc_indexbuilder to write into /var/cache/susehelp/ /opt/kde3/bin/khc_indexbuilder root:man 0755 # This has a meaning... hmm... /opt/kde3/bin/kdesud root:nogroup 0755 # used for getting proxy settings from dhcp /opt/kde3/bin/kpac_dhcp_helper root:root 0755 # edits /etc/smb.conf # #66312 /usr/bin/fileshareset root:root 0755 # # amanda # # Well, if you are gid disk already, you don't need these amanda binaries # to get root. # Anyway, we don't keep the suid bits. /usr/sbin/amcheck root:disk 0750 /usr/lib/amanda/calcsize root:disk 0750 /usr/lib/amanda/rundump root:disk 0750 /usr/lib/amanda/planner root:disk 0750 /usr/lib/amanda/runtar root:disk 0750 /usr/lib/amanda/dumper root:disk 0750 /usr/lib/amanda/killpgrp root:disk 0750 # # gnats # /usr/lib/gnats/gen-index gnats:root 0555 /usr/lib/gnats/pr-edit gnats:root 0555 /usr/lib/gnats/queue-pr gnats:root 0555 # # news (inn) # # the inn start script changes it's uid to news:news. Later innstart and # innfeed are called by this user. Those programs do not need to be called by # anyone else, therefore the strange permissions 4554 are required for # operation. (#67032) # /usr/lib/news/bin/rnews news:uucp 0555 /usr/lib/news/bin/startinnfeed root:news 0555 /usr/lib/news/bin/inndstart root:news 0555 /usr/lib/news/bin/inews news:news 0555 # # fax # # restrictive, only for "trusted" group users: # faxq helper: /usr/lib/mgetty+sendfax/faxq-helper fax:root 0711 /var/spool/fax/outgoing fax:trusted 1770 /var/spool/fax/outgoing/locks fax:trusted 1770 # TODO: package should set this permissions /var/spool/fax/archive fax:uucp 700 /var/spool/fax/bin fax:uucp 755 /var/spool/fax/client fax:uucp 755 /var/spool/fax/config fax:uucp 755 /var/spool/fax/dev fax:uucp 755 /var/spool/fax/docq fax:uucp 700 /var/spool/fax/doneq fax:uucp 700 /var/spool/fax/etc fax:uucp 755 /var/spool/fax/info fax:uucp 755 /var/spool/fax/log fax:uucp 755 /var/spool/fax/pollq fax:uucp 700 /var/spool/fax/recvq fax:uucp 755 /var/spool/fax/sendq fax:uucp 700 /var/spool/fax/status fax:uucp 755 /var/spool/fax/tmp fax:uucp 700 # # uucp # /var/spool/uucppublic root:uucp 1770 /usr/bin/uucp uucp:uucp 0555 /usr/bin/uuname uucp:uucp 0555 /usr/bin/uustat uucp:uucp 0555 /usr/bin/uux uucp:uucp 0555 /usr/lib/uucp/uucico uucp:uucp 0555 /usr/lib/uucp/uuxqt uucp:uucp 0555 # # games of all kinds, toys # # bsd-games /usr/games/atc games:games 0755 /usr/games/battlestar games:games 0755 /usr/games/canfield games:games 0755 /usr/games/cribbage games:games 0755 /usr/games/phantasia games:games 0755 /usr/games/robots games:games 0755 /usr/games/sail games:games 0755 /usr/games/snake games:games 0755 /usr/games/tetris-bsd games:games 0755 # Maelstrom /usr/games/Maelstrom games:games 0755 # pachi /usr/games/pachi games:games 0755 /usr/games/martian games:games 0755 # nethack /usr/lib/nethack/nethack.tty games:games 0755 # chromium, /usr/games/chromium games:games 0755 # geki2 /usr/games/geki2 games:games 0755 /usr/games/grande games:games 0755 # xscrabble /usr/games/xscrab games:games 0755 # trackballs /usr/games/trackballs games:games 0755 # ltris /usr/games/ltris games:games 0755 # xlogical /usr/games/xlogical games:games 0755 # lbreakout /usr/games/lbreakout2 games:games 0755 # xgalaga /usr/X11R6/bin/xgalaga games:games 0755 # xtetris /usr/X11R6/bin/xtetris games:games 0755 # xmris /usr/X11R6/bin/xmris games:games 0755 # rocksndiamonds /usr/games/rocksndiamonds games:games 0755 # gnome-games /opt/gnome/bin/gtali games:games 0755 /opt/gnome/bin/gnotski games:games 0755 /opt/gnome/bin/gnome-stones games:games 0755 /opt/gnome/bin/glines games:games 0755 /opt/gnome/bin/gnibbles games:games 0755 /opt/gnome/bin/gnotravex games:games 0755 /opt/gnome/bin/mahjongg games:games 0755 /opt/gnome/bin/gnometris games:games 0755 /opt/gnome/bin/gnobots2 games:games 0755 /opt/gnome/bin/gnomine games:games 0755 /opt/gnome/bin/same-gnome games:games 0755 # Novell nici. See bug 127545 /var/opt/novell/nici/nicimud root:root 0755