# /etc/permissions
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany.
# Copyright (c) 2011 SUSE Linux Products GmbH Nuernberg, Germany.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2001
#
# This file is used by chkstat (and indirectly by various RPM scripts)
# to check or set the modes and ownerships of files and directories in the installation.
#
# There is a set of files with similar meaning in a SuSE installation:
# /etc/permissions  (This file)
# /etc/permissions.easy
# /etc/permissions.secure
# /etc/permissions.paranoid
# /etc/permissions.local
# Please see the respective files for their meaning.
#
#
# Format: 
# <file> <owner>:<group> <permission> 
#
# How it works:
# To change an entry copy the line to permissions.local, modify it
# to suit your needs and call "chkstat --system"
#
# chkstat uses the variable PERMISSION_SECURITY from
# /etc/sysconfig/security to determine which security level to
# apply.
# In addition to the central files listed above the directory
# /etc/permissions.d/ can contain permission files that belong to
# the packages they modify file modes for. These permission files
# are to switch between conflicting file modes of the same file
# paths in different packages (popular example: sendmail and
# postfix, path /usr/sbin/sendmail).

#
# root directories:
#

/tmp/                                                   root:root         1777
/tmp/.X11-unix/                                         root:root         1777
/tmp/.ICE-unix/                                         root:root         1777

#
# /var:
#

/var/tmp/                                               root:root         1777
/var/spool/mqueue/                                      root:root          700
/var/spool/news/                                        news:news          775
/var/spool/uucp/                                        uucp:uucp          755
/var/spool/voice/                                       root:root          755
/var/spool/mail/                                        root:root         1777
/var/yp/                                                root:root          755
/var/run/nscd/socket					root:root	   666
/run/nscd/socket					root:root	   666

#
# /etc
#
/etc/lilo.conf                                          root:root          600
/etc/passwd                                             root:root          644
/etc/shadow                                             root:shadow        640
/etc/HOSTNAME                                           root:root          644
# Changing the hosts_access(5) files causes trouble with services
# that do not run as root!
/etc/hosts.allow                                        root:root          644
/etc/hosts.deny                                         root:root          644
/etc/hosts.equiv                                        root:root          644
/etc/hosts.lpd                                          root:root          644
/etc/ld.so.conf                                         root:root          644
/etc/ld.so.cache                                        root:root          644

/etc/opiekeys                                           root:root          600

/etc/ppp/                                               root:root          750
/etc/ppp/chap-secrets                                   root:root          600
/etc/ppp/pap-secrets                                    root:root          600

# sysconfig files:
/etc/sysconfig/network/providers/                       root:root          700

# utempter
/usr/sbin/utempter                                      root:utmp         2755
/usr/lib/utempter/utempter                              root:utmp         2755

# ensure correct permissions on ssh files to avoid sshd refusing
# logins (bnc#398250)
/etc/ssh/ssh_host_key                                   root:root          600
/etc/ssh/ssh_host_key.pub                               root:root          644
/etc/ssh/ssh_host_dsa_key                               root:root          600
/etc/ssh/ssh_host_dsa_key.pub                           root:root          644
/etc/ssh/ssh_host_rsa_key                               root:root          600
/etc/ssh/ssh_host_rsa_key.pub                           root:root          644
/etc/ssh/ssh_config                                     root:root          644
/etc/ssh/sshd_config                                    root:root          640

#
# legacy
#
# don't set the setuid bit on suidperl! Set it on sperl instead if
# you really need it as suidperl is a hardlink to perl nowadays.
/usr/bin/suidperl                                       root:root          755

# new traceroute program by Olaf Kirch does not need setuid root any more.
/usr/sbin/traceroute                                    root:root          755

# netatalk printer daemon: sgid not needed any more with cups.
/usr/sbin/papd                                          root:lp           0755

# games:games 775 safe as long as we don't change files below it (#103186)
# still people do it (#429882) so root:root 755 is the consequence.
/var/games/                                             root:root         0755

# No longer common. Set setuid bit yourself if you need it
# (#66191)
#/usr/bin/ziptool                                        root:trusted      4750

#
# udev static devices (#438039)
#
/lib/udev/devices/net/tun                               root:root         0666
/lib/udev/devices/null                                  root:root         0666
/lib/udev/devices/ptmx                                  root:tty          0666
/lib/udev/devices/tty                                   root:tty          0666
/lib/udev/devices/zero                                  root:root         0666

#
# named chroot (#438045)
#
/var/lib/named/dev/null                                 root:root         0666
/var/lib/named/dev/random                               root:root         0666

# opiesu is not allowed setuid root as code quality is bad (bnc#882035)
/usr/bin/opiesu						root:root         0755
# wodim is not allowed setuid root as cd burning does not strictly require
# it (bnc#882035)
/usr/bin/wodim                                          root:root         0755
