# /etc/permissions.eal4
#
# Copyright (c) 2001, 2002, 2003, 2004 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Roman Drahtmueller , 2003
#
#
# See /etc/permissions for general hints on how to use this file.
#
# This file is based on /etc/permissions.secure as shipped with SLES8.
# It has been adapted to the needs of the EAL4 evaluation which disables
# a few more SUID programs.
# It still contains a lot more definitions than the minimal package set
# for the EAL4 evaluation, but those don't hurt in here.
#
# Format: one entry per line, three whitespace-separated fields:
#   <path> <owner>.<group> <octal mode>
# Only full-line comments (leading '#') are used; there are no sections.
# The mode is applied verbatim, so a leading 4/2/1 digit sets the
# setuid/setgid/sticky bit. Entries for paths that do not exist on the
# system are simply not applicable.
#
#
# Directories
#
# closed:
/usr/lib/ircd irc.root 700
# No games:
/var/X11R6/scores root.root 0750
/var/catman man.root 755
# cron spool directories: root only
/var/cron root.root 700
/var/spool/cron root.root 700
/var/cron/tabs root.root 700
/var/spool/cron/tabs root.root 700
# display manager state; readable by group shadow only
/var/lib/gdm gdm.shadow 750
/var/lib/xdm/authdir root.root 700
/var/lib/xdm/authdir/authfiles root.root 700
# group uucp may create lock files here
/var/lock root.uucp 775
# closed; see "easy"
/var/man2html root.root 0755
# no lock files for emacs:
# (sticky bit set; only root and members of group trusted may write here)
/var/state/emacs/lock root.trusted 1775
/var/state/xemacs/lock root.trusted 1775
/var/lib/xemacs/lock root.trusted 1775
/var/squid squid.root 755
/var/squid/cache squid.root 755
/var/squid/logs squid.root 755
#
# /etc
#
# system configuration that is readable by root only
/etc/crontab root.root 600
/etc/exports root.root 600
/etc/fstab root.root 600
/etc/ftpaccess root.root 600
/etc/ftpconversions root.root 600
/etc/ftpusers root.root 600
# world-readable: needed by the resolver and by unprivileged tools
/etc/HOSTNAME root.root 644
/etc/hosts root.root 644
# Changing the hosts_access(5) files causes trouble with services
# that do not run as root!
/etc/hosts.allow root.root 644
/etc/hosts.deny root.root 644
/etc/hosts.equiv root.root 644
/etc/hosts.lpd root.root 644
# daemon and boot configuration: root only
/etc/inetd.conf root.root 600
/etc/inittab root.root 600
/etc/issue root.root 600
/etc/issue.net root.root 600
# loader configuration and cache must stay world-readable for dynamic linking
/etc/ld.so.conf root.root 644
/etc/ld.so.cache root.root 644
/etc/login.defs root.root 600
/etc/motd root.root 644
/etc/mtab root.root 600
/etc/rmtab root.root 600
/etc/services root.root 644
# changing the global ssh client configuration makes it unreadable
# and therefore useless. Keep in mind that users can bring their own client!
/etc/ssh_config root.root 644
# server configuration and private host key material: not world-readable
/etc/sshd_config root.root 640
/etc/ssh_host_key.pub root.root 644
/etc/ssh_host_key root.root 600
/etc/ssh_random_seed root.root 600
/etc/ssh_known_hosts root.root 644
/etc/ssh/ssh_host_key root.root 600
/etc/ssh/ssh_host_key.pub root.root 644
/etc/ssh/ssh_random_seed root.root 600
/etc/ssh/ssh_config root.root 644
/etc/ssh/sshd_config root.root 640
/etc/syslog.conf root.root 600
/etc/termcap root.root 644
# sysconfig files:
/etc/sysconfig/network/providers root.root 700
#
# suid system programs that need the suid bit to work:
#
# setuid root, but executable only by members of group trusted
/bin/su root.trusted 4750
/usr/bin/su1 root.root 0711
# disable at and cron for non-root users
# NOTE(review): 4755 is world-executable setuid root; the intent stated
# above is not enforced by these modes and presumably relies on the
# at.allow / cron.allow files -- confirm.
/usr/bin/at root.trusted 4755
/usr/bin/crontab root.trusted 4755
/usr/bin/gpasswd root.trusted 4755
/usr/bin/newgrp root.root 0755
# setuid root, group shadow: the shadow file is not world-readable
/usr/bin/passwd root.shadow 4755
/usr/bin/chfn root.shadow 4755
/usr/bin/chage root.shadow 4755
/usr/bin/chsh root.shadow 4755
/usr/bin/expiry root.shadow 0755
# NIS+: "trusted" only.
# NOTE(review): 0755 is world-executable; "trusted only" is not enforced by
# this mode (compare 0750 entries elsewhere in this file) -- confirm intent.
/usr/bin/chkey root.trusted 0755
# the default configuration of the sudo package in SuSE distribution is to
# intimidate users.
# no setuid bit: sudo cannot switch users without it, so it is effectively
# disabled in this profile
/usr/bin/sudo root.root 0755
/usr/sbin/suexec root.root 0755
/usr/sbin/su-wrapper root.root 0755
# opie password system
# (the key database holds secrets and is root-only)
/etc/opiekeys root.root 600
/usr/bin/opiepasswd root.root 0755
/usr/bin/opiesu root.root 0755
# "user" entries in /etc/fstab make mount work for non-root users:
/usr/bin/ncpmount root.trusted 0755
/usr/bin/ncpumount root.trusted 0755
# mount/umount have had their problems already:
# (no setuid bit; only root can mount in this profile)
/bin/mount root.root 0755
/bin/umount root.root 0755
/usr/bin/fdmount root.root 0755
/usr/bin/ziptool root.trusted 0755
/bin/eject root.audio 0755
# sendmail calls the wrapper as daemon.daemon:
/usr/lib/majordomo/wrapper root.daemon 0755
# glibc backwards compatibility
/usr/lib/pt_chown root.root 0755
/usr/lib64/pt_chown root.root 0755
# PAM password helpers without setgid shadow.
# NOTE(review): without the setgid bit these helpers cannot read the shadow
# file for non-root callers, so password verification by unprivileged
# programs (screen lockers etc.) is presumably not possible -- confirm this
# is intended for the evaluated configuration.
/sbin/pwdb_chkpwd root.shadow 0755
/sbin/unix_chkpwd root.shadow 0755
/sbin/unix2_chkpwd root.shadow 0755
# qpopper
/usr/sbin/popauth pop.root 0755
# from the squid package
/usr/sbin/pam_auth root.shadow 0755
# utempter: See bottom of /etc/permissions:
# (setgid tty is the only privilege it keeps)
/usr/sbin/utempter root.tty 2755
#
# log files that do not grow remarkably
#
# faillog is root-only; lastlog stays world-readable
/var/log/faillog root.root 600
/var/log/lastlog root.tty 644
#
# mixed section: most of it is disabled in this permissions.secure:
# (this file is derived from permissions.secure, see the header)
#
#########################################################################
# rpm subsystem:
# build tree is closed to non-root users
/usr/src/packages/SOURCES root.root 700
/usr/src/packages/BUILD root.root 700
/usr/src/packages/RPMS root.root 700
/usr/src/packages/RPMS/alpha root.root 700
/usr/src/packages/RPMS/alphaev56 root.root 700
/usr/src/packages/RPMS/alphaev67 root.root 700
/usr/src/packages/RPMS/alphaev6 root.root 700
/usr/src/packages/RPMS/arm4l root.root 700
/usr/src/packages/RPMS/athlon root.root 700
/usr/src/packages/RPMS/i386 root.root 700
/usr/src/packages/RPMS/i486 root.root 700
/usr/src/packages/RPMS/i586 root.root 700
/usr/src/packages/RPMS/i686 root.root 700
/usr/src/packages/RPMS/ia64 root.root 700
/usr/src/packages/RPMS/mips root.root 700
/usr/src/packages/RPMS/ppc root.root 700
/usr/src/packages/RPMS/ppc64 root.root 700
/usr/src/packages/RPMS/powerpc root.root 700
/usr/src/packages/RPMS/powerpc64 root.root 700
/usr/src/packages/RPMS/s390 root.root 700
/usr/src/packages/RPMS/s390x root.root 700
/usr/src/packages/RPMS/sparc root.root 700
/usr/src/packages/RPMS/sparcv9 root.root 700
/usr/src/packages/RPMS/sparc64 root.root 700
/usr/src/packages/RPMS/x86_64 root.root 700
# NOTE(review): duplicate of the RPMS/mips entry earlier in the rpm block;
# same owner and mode, so harmless, but it could be dropped.
/usr/src/packages/RPMS/mips root.root 700
/usr/src/packages/RPMS/armv4l root.root 700
/usr/src/packages/RPMS/noarch root.root 700
/usr/src/packages/SPECS root.root 700
/usr/src/packages/SRPMS root.root 700
#
# mostly from series beo:
# see customs(8), export(1) and pmake(1)
/usr/bin/pmake root.root 0755
/usr/bin/export root.root 0755
/usr/bin/make root.root 0755
# Portable Batch System (PBS) (beo)
/usr/sbin/pbs_rcp root.root 0755
/usr/sbin/pbs_iff root.root 0755
# queue (beo)
/usr/bin/queue root.root 0755
# clusterit (beo)
/usr/bin/dsh root.root 0755
# dqs:
/usr/bin/qmod root.root 0755
/usr/bin/dqs_options root.root 0755
/usr/bin/qconf root.root 0755
# wants root for realtime scheduling policy class
# we better let it complain - on an idle machine it has no effect anyway.
/opt/rtsynth/RTSynth root.root 0755
# same here: package muse
/usr/bin/muse root.root 0755
# AX.25, NETROM, ROSE and TCP node frontend
/usr/sbin/node root.root 0755
#########################################################################
# emulators: all run without setuid root in this profile
# executor, Mac-simulator:
/opt/executor/bin/executor-demo-svga root.root 0755
# Amiga-emulator
/usr/bin/suae root.root 0755
# stonx: atari emulator, svgalib:
/usr/bin/sstonx root.root 0755
# atari800 emulator
/usr/bin/atari800 root.root 0755
# z81 emulator
# (0511: executable, but not readable, by group and others)
/usr/bin/z81txt root.root 0511
# package adamem (Z80 based ColecoVision and ColecoADAM emulator)
/usr/X11R6/lib/adamem/cvem root.root 0755
/usr/X11R6/lib/adamem/adamem root.root 0755
# video
/usr/X11R6/bin/v4l-conf root.video 0755
/opt/gnome/bin/zapping_setup_fb root.video 0755
# vmware
/usr/bin/vmware.bin root.trusted 0755
/usr/bin/vmware-ping root.root 0755
# iBCS2 binary emulator
/shlib/protlib_s.emu root.root 755
/shlib/protlib_s.debug root.root 755
/shlib/libnsl_s.emu root.root 755
/shlib/libnsl_s.debug root.root 755
#########################################################################
# netatalk printer daemon:
/usr/sbin/papd root.lp 0755
# package cysched:
/opt/synchronize/linux/bin/synchrod root.root 0755
/opt/synchronize/linux/bin/websyncd root.root 0755
# scotty:
/usr/bin/ntping root.trusted 0755
/usr/bin/straps root.trusted 0755
/sbin/cardctl root.trusted 0755
# use it as root if you must:
/usr/X11R6/bin/dga root.root 0755
# screen savers:
# xlock and xlockmore have helper programs that do this job now:
/usr/X11R6/bin/xlock root.root 0755
/usr/X11R6/bin/xlock-mesa root.root 0755
/usr/X11R6/bin/xscreensaver root.root 0755
# This is not extensively tested.
/usr/bin/vlock root.shadow 0755
# X server: executable but not readable by non-root users; no setuid bit
/usr/X11R6/bin/XFree86 root.root 0711
/usr/X11R6/bin/Xwrapper root.root 0755
/usr/X11R6/bin/xemacs root.root 0755
/usr/bin/emacs root.root 0755
/usr/bin/man root.root 0755
/usr/bin/mandb root.root 0755
# turned off write and wall by disabling sgid tty:
/usr/bin/wall root.tty 0755
/usr/bin/write root.tty 0755
# linked against svgalib. Make it suid root if you want users to be
# able to use xaos on the console or keep it safe as this:
/usr/bin/xaos root.root 0755
# needs suid root for console font switches:
# (not granted here)
/usr/bin/kon.bin root.trusted 0755
# thttpd: sgid + executable only for group www. Useless...
/usr/bin/makeweb root.www 2750
# ham series, package wampes: Disabled suid root
/usr/bin/bbs root.root 0755
# ham series, package dpbox
/usr/bin/dpgate dpbox.localham 0755
# sane package: disabled suid root.
/usr/bin/as6edriver root.root 0755
# yaps, pager software, accesses /dev/ttyS? . Disabled sgid uucp.
/usr/bin/yaps root.uucp 0755
# ncpfs tool: trusted only
# (0750: no execute permission for others)
/usr/bin/nwsfind root.trusted 0750
/usr/bin/ncplogin root.trusted 0750
/usr/bin/ncpmap root.trusted 0750
# dvisvga package: disabled suid root (for libvga)
/usr/bin/dvisvga root.root 0755
# maildrop package: change the permissions to the default from the
# rpm package (0755) if you have to use it. Default to deliver mails
# on a SuSE system is procmail.
/usr/bin/maildrop root.mail 0755
/usr/bin/dotlock root.mail 0755
# video editor. package mainactr, series pay
/opt/MainActor/MainActor root.root 0755
/opt/MainActor/MainView root.root 0755
# conferencing system: some buffer overflows in there...
# (kept without setuid root for that reason)
/usr/bin/bayonne_wrapper root.root 755
# lpdfilter
/usr/lib/lpdfilter/bin/runlpr root.root 0755
# disabled by default in SuSE distributions: make it 4755 if you need it.
/usr/bin/suidperl root.root 0755
# also disabled (libforms, libX11) re-enable it by setting it 4755:
/usr/X11R6/bin/cardinfo root.root 0755
# if smail is installed:
/usr/sbin/smail root.root 0555
# phoenix, commercial package
# The package won't work with these files closed.
/usr/lib/phoenix/License root.root 644
/usr/lib/phoenix/basic/address.txt root.root 644
# apcupsd shouldn't need suid root
/sbin/apcupsd root.root 755
/usr/sbin/apcupsd root.root 755
# gnokii nokia cellphone software
/usr/sbin/mgnokiidev root.uucp 755
# plptools, palm pilot connectivity
/usr/sbin/plpnfsd root.trusted 0750
# pcp, performance co-pilot
/usr/share/pcp/bin/pmpost root.trusted 0755
# mailman mailing list software
# (CGI programs and the mail wrapper run without setgid mailman here)
/usr/lib/mailman/cgi-bin/admin root.mailman 0755
/usr/lib/mailman/cgi-bin/admindb root.mailman 0755
/usr/lib/mailman/cgi-bin/archives root.mailman 0755
/usr/lib/mailman/cgi-bin/edithtml root.mailman 0755
/usr/lib/mailman/cgi-bin/handle_opts root.mailman 0755
/usr/lib/mailman/cgi-bin/listinfo root.mailman 0755
/usr/lib/mailman/cgi-bin/options root.mailman 0755
/usr/lib/mailman/cgi-bin/private root.mailman 0755
/usr/lib/mailman/cgi-bin/roster root.mailman 0755
/usr/lib/mailman/cgi-bin/subscribe root.mailman 0755
/usr/lib/mailman/mail/wrapper root.mailman 0755
# apache frontpage extensions, disabled in secure and paranoid
/usr/lib/frontpage/version4.0/apache-fp/_vti_bin/fpexe root.root 0755
/usr/sbin/fpexec root.root 0755
/usr/sbin/validate root.root 0755
# sapdb; setuid root in permissions.easy
/opt/sapdb/depend/pgm/dbmsrv root.root 0755
/opt/sapdb/depend/pgm/lserver root.root 0755
#
# networking (need root for the privileged socket)
#
# ping keeps setuid root (raw socket); ping6 does not, so it is
# presumably usable by root only in this profile
/bin/ping root.root 4755
/bin/ping6 root.root 0755
/usr/bin/bing root.trusted 0755
# new traceroute program by Olaf Kirch does not need setuid root any more.
/usr/sbin/traceroute root.root 0755
/usr/sbin/traceroute6 root.root 0755
# mtr is linked against ncurses.
/usr/sbin/mtr root.dialout 0755
# r-commands without setuid root (privileged source ports unavailable)
/usr/bin/rcp root.root 0755
/usr/bin/rlogin root.root 0755
/usr/bin/rsh root.root 0755
# ssh is not suid here any more. If a user needs the rsh fallback feature,
# she should use /usr/bin/rsh.
/usr/bin/ssh root.root 0755
# ham radio
/var/mtrack/locfile root.root 0644
/var/mtrack/satfile root.root 0644
/usr/bin/kamplus root.localham 0750
/usr/bin/endhost root.localham 0750
# NOTE(review): the configuration file and the state directories below are
# writable by every member of group localham (664/775) -- confirm that is
# intended, since any such member can alter what kamplus reads.
/etc/kamrc root.localham 664
/var/lib/kamplus root.localham 775
/var/lib/kamplus/parms root.localham 775
/var/lib/kamplus/cq root.localham 664
/var/lib/kamplus/messages root.localham 664
/var/lib/kamplus/helpfile-qt root.localham 664
/var/lib/kamplus/capture.txt root.localham 664
/var/lib/kamplus/parms/tnc.parms root.localham 664
/var/lib/kamplus/parms/home root.localham 664
/var/lib/kamplus/parms/away root.localham 664
/usr/bin/kam-qt root.localham 750
#
# dialup networking programs
#
# executable by group dialout; no setuid bits
/usr/sbin/dip root.dialout 0755
/usr/sbin/pppd root.dialout 0750
/usr/sbin/cinternet-wwwrun wwwrun.dialout 0750
/usr/sbin/pppoe-wrapper root.dialout 0750
/var/run/smpppd root.dialout 750
/var/lib/smpppd root.root 700
# PPP credentials are root-only; the client config is readable by dialout
/etc/ppp root.dialout 750
/etc/ppp/chap-secrets root.root 600
/etc/ppp/pap-secrets root.root 600
/etc/pppoed.conf root.root 600
/etc/smpppd.conf root.root 600
/etc/smpppd-c.conf root.dialout 640
# i4l package:
/usr/sbin/isdnctrl root.uucp 0750
/usr/sbin/isdnbutton root.trusted 0755
/usr/bin/vboxbeep root.trusted 0755
#
# linux text console utilities
# since svgalib has vanished, only the mc cons.saver is left.
#
/usr/lib/mc/bin/cons.saver root.root 0755
#
# terminal emulators
# This and future SuSE products have support for the utempter, a small helper
# program that does the utmp/wtmp update work with the necessary rights.
# The use of utempter obsoletes the need for sgid bits on terminal emulator
# binaries. We mention screen here, but all other terminal emulators have
# moved to /etc/permissions, with modes set to 0755.
# screen. multi-user mode needs suid root (4755). discouraged...
/usr/bin/screen root.root 0755
# this still uses the old /dev/ttypX terminal files. Needs
# suid root to chown the tty. Should do without, too.
/usr/X11R6/bin/xwawi root.tty 0755
# same here:
/usr/X11R6/bin/c16term root.tty 0755
# framebuffer terminal emulator (japanese). Most scary... Compare modes
# in "easy".
/usr/bin/jfbterm root.tty 0755
/usr/bin/newvc root.root 0755
/usr/bin/fld root.root 0755
#
# former suid programs
# (all listed with plain 0755/755; none keeps a setuid or setgid bit)
#
/usr/X11R6/bin/seyon root.uucp 0755
/usr/X11R6/bin/SuperProbe root.root 755
/usr/X11R6/bin/XBF_NeoMagic root.root 755
/usr/X11R6/bin/XF86_8514 root.root 755
/usr/X11R6/bin/XF86_AGX root.root 755
/usr/X11R6/bin/XF86_I128 root.root 755
/usr/X11R6/bin/XF86_Mach32 root.root 755
/usr/X11R6/bin/XF86_Mach64 root.root 755
/usr/X11R6/bin/XF86_Mach8 root.root 755
/usr/X11R6/bin/XF86_Mono root.root 755
/usr/X11R6/bin/XF86_P9000 root.root 755
/usr/X11R6/bin/XF86_S3 root.root 755
/usr/X11R6/bin/XF86_S3V root.root 755
/usr/X11R6/bin/XF86_SVGA root.root 755
/usr/X11R6/bin/XF86_VGA16 root.root 755
/usr/X11R6/bin/XF86_W32 root.root 755
/usr/X11R6/bin/XFCom_3DLabs root.root 755
/usr/X11R6/bin/XFCom_Cyrix root.root 755
/usr/X11R6/bin/XFCom_Rendition root.root 755
/usr/X11R6/bin/XFCom_SiS root.root 755
/usr/X11R6/bin/XSuSE_AT3D root.root 755
/usr/X11R6/bin/XSuSE_Elsa_GLoria root.root 755
/usr/X11R6/bin/XSuSE_Matrox root.root 755
/usr/X11R6/bin/XSuSE_NVidia root.root 755
/usr/X11R6/bin/XSuSE_Tseng root.root 755
/usr/X11R6/bin/xcpustate root.root 755
/usr/X11R6/bin/xload root.root 755
/usr/X11R6/bin/xosview.bin root.root 755
/usr/X11R6/bin/xosview root.root 755
/usr/bin/cu root.root 755
/usr/bin/cdrecord root.root 755
/usr/bin/elm root.root 755
/usr/bin/filter root.root 755
/usr/bin/deliver root.root 755
/usr/bin/lockfile root.root 755
/usr/bin/minicom root.uucp 755
/usr/bin/mutt root.root 755
/usr/bin/procmail root.root 755
/usr/sbin/atrun root.root 755
/usr/bin/mh/inc root.root 755
/usr/bin/mh/msgchk root.root 755
#
# kde+kde2
# (all of them are disabled in permissions.secure except for
# the helper programs)
#
# arts wrapper, normally suid root:
/opt/kde3/bin/artswrapper root.root 0755
/opt/kde2/bin/artswrapper root.root 0755
# set this to suid root (4755) if you're running shadow via NIS:
/opt/kde3/bin/kcheckpass root.shadow 0755
# getting group id disk means root. See modes of disk device files!
/opt/kde3/bin/kscd root.disk 0755
# This has a meaning:
# (setgid nogroup is the only privilege kdesud keeps)
/opt/kde3/bin/kdesud root.nogroup 2755
/opt/kde2/bin/kdesud root.nogroup 2755
# devpts obsoletes this:
/opt/kde3/bin/konsole_grantpty root.root 0755
/opt/kde2/bin/konsole_grantpty root.root 0755
/opt/kde3/bin/kreatecd_rootwrapper root.root 0755
/opt/kde2/bin/kpac_dhcp_helper root.root 0755
/opt/kde3/bin/kpac_dhcp_helper root.root 0755
/opt/kde2/bin/kradio root.video 0755
/opt/kde2/bin/kwintv root.video 0755
# kdemultimedia3-sound, gift
# (cache directories are world-readable but written by root only)
/var/cache/gift root.root 0755
/var/cache/cddb root.root 0755
/var/cache/cddb/blues root.root 0755
/var/cache/cddb/classical root.root 0755
/var/cache/cddb/country root.root 0755
/var/cache/cddb/data root.root 0755
/var/cache/cddb/folk root.root 0755
/var/cache/cddb/jazz root.root 0755
/var/cache/cddb/misc root.root 0755
/var/cache/cddb/newage root.root 0755
/var/cache/cddb/reggae root.root 0755
/var/cache/cddb/rock root.root 0755
/var/cache/cddb/soundtrack root.root 0755
# xmcd database, open only in permissions.easy
/var/lib/xmcd/discog root.root 755
/var/lib/xmcd/discog/Blues root.root 755
/var/lib/xmcd/discog/Blues/General_Blues/index.html root.root 644
/var/lib/xmcd/discog/Classical root.root 755
/var/lib/xmcd/discog/Classical/General_Classical/index.html root.root 644
/var/lib/xmcd/discog/Country root.root 755
/var/lib/xmcd/discog/Country/General_Country/index.html root.root 644
/var/lib/xmcd/discog/Data root.root 755
/var/lib/xmcd/discog/Data/General_Data/index.html root.root 644
/var/lib/xmcd/discog/Folk root.root 755
/var/lib/xmcd/discog/Folk/General_Folk/index.html root.root 644
/var/lib/xmcd/discog/Jazz root.root 755
/var/lib/xmcd/discog/Jazz/General_Jazz/index.html root.root 644
/var/lib/xmcd/discog/Newage root.root 755
/var/lib/xmcd/discog/Newage/General_Newage/index.html root.root 644
/var/lib/xmcd/discog/Rock root.root 755
/var/lib/xmcd/discog/Rock/General_Rock/index.html root.root 644
/var/lib/xmcd/discog/Soundtrack root.root 755
/var/lib/xmcd/discog/Soundtrack/General_Soundtrack/index.html root.root 644
/var/lib/xmcd/discog/Unclassifiable root.root 755
/var/lib/xmcd/discog/Unclassifiable/General_Unclassifiable/index.html root.root 644
/var/lib/xmcd/discog/World root.root 755
/var/lib/xmcd/discog/World/Reggae root.root 755
/var/lib/xmcd/discog/World/Reggae/index.html root.root 644
/var/lib/xmcd/discog/index.html root.root 644
#
# amanda
#
# Well, if you are gid disk already, you don't need these amanda binaries
# to get root.
# Anyway, we don't keep the suid bits.
# (0750: executable by root and group disk only)
/usr/sbin/amcheck root.disk 0750
/usr/lib/amanda/calcsize root.disk 0750
/usr/lib/amanda/rundump root.disk 0750
/usr/lib/amanda/planner root.disk 0750
/usr/lib/amanda/runtar root.disk 0750
/usr/lib/amanda/dumper root.disk 0750
/usr/lib/amanda/killpgrp root.disk 0750
#
# ingres
# all suid and sgid bits cleared.
/usr/ingres/bin root.root 0755
# 0751: executable by everyone, but readable by root only
/usr/ingres/bin/creatdb root.root 0751
/usr/ingres/bin/destroydb root.root 0751
/usr/ingres/bin/helpr root.root 0751
/usr/ingres/bin/ingconv root.root 0751
/usr/ingres/bin/ingres root.root 0751
/usr/ingres/bin/printadmin root.root 0751
/usr/ingres/bin/printr root.root 0751
/usr/ingres/bin/purge root.root 0751
/usr/ingres/bin/restore root.root 0751
/usr/ingres/bin/sysdump root.root 0751
/usr/ingres/bin/sysmod root.root 0751
/usr/ingres/bin/sysmodfunc root.root 0751
/usr/ingres/bin/univingres root.root 0751
# :-)
# (root only)
/usr/ingres/bin/usersetup root.root 0700
/opt/tngfw/ingres/utility/csreport ingres.sys 0755
/opt/tngfw/ingres/files/iipwd/ingvalidpw.dis ingres.sys 0755
/opt/tngfw/secu/bin/cadatefmt root.root 0755
/opt/tngfw/cadb/system/cadb_sut root.root 0755
/opt/tngfw/cadb/system/dbserver root.sys 0755
/opt/tngfw/wv/bin/create_repository root.root 0755
/opt/tngfw/wv/bin/fwrpt root.root 0755
/opt/tngfw/wv/bin/dscvrbe root.root 0755
/opt/tngfw/wv/bin/carxwvdg root.root 0755
/opt/tngfw/wv/bin/discwiz root.root 0755
/opt/tngfw/wv/bin/tools_scripts root.root 0755
/opt/tngfw/wv/bin/emrport root.root 0755
/opt/tngfw/wv/bin/emrpt root.root 0755
/opt/tngfw/wv/bin/logonserver.exe root.root 0755
/opt/tngfw/wv/bin/dscvrone root.root 0755
/opt/tngfw/wv/bin/dscvrbe_stop root.root 0755
/opt/tngfw/cal root.root 755
#
# yard
# all suid and sgid bits cleared.
# (daemon-side tools are restricted to group yard; user tools are
# world-executable)
/usr/lib/YARD/bin/yardarch root.yard 0750
/usr/lib/YARD/bin/yardck root.yard 0750
/usr/lib/YARD/bin/yardd root.yard 0750
/usr/lib/YARD/bin/yardflush root.yard 0750
/usr/lib/YARD/bin/yardinit root.yard 0750
/usr/lib/YARD/bin/yardlog root.yard 0750
/usr/lib/YARD/bin/yardsrv root.yard 0755
/usr/lib/YARD/bin/yardstat root.yard 0755
/usr/lib/YARD/bin/yarduser root.yard 0555
#
# gnats
#
# setuid to the unprivileged gnats user, not to root
/usr/lib/gnats/gen-index gnats.root 4555
/usr/lib/gnats/pr-edit gnats.root 4555
/usr/lib/gnats/queue-pr gnats.root 4555
#
# news (inn)
#
# suid root bits cleared.
/usr/lib/news/bin/rnews news.uucp 0755
/usr/lib/news/bin/startinnfeed root.news 0755
/usr/lib/news/bin/inndstart root.news 0755
/usr/lib/news/bin/inews news.news 0755
#
# fax
#
# restrictive, only for "trusted" group users:
# (1770: sticky; writable by root and group trusted, closed to others)
/var/spool/fax/outgoing root.trusted 1770
/var/spool/fax/outgoing/locks root.trusted 1770
# queues that hold job data are closed to everyone but the uucp user
/var/spool/fax/archive uucp.uucp 700
/var/spool/fax/bin uucp.uucp 755
/var/spool/fax/client uucp.uucp 755
/var/spool/fax/config uucp.uucp 755
/var/spool/fax/dev uucp.uucp 755
/var/spool/fax/docq uucp.uucp 700
/var/spool/fax/doneq uucp.uucp 700
/var/spool/fax/etc uucp.uucp 755
/var/spool/fax/info uucp.uucp 755
/var/spool/fax/log uucp.uucp 755
/var/spool/fax/pollq uucp.uucp 700
/var/spool/fax/recvq uucp.uucp 755
/var/spool/fax/sendq uucp.uucp 700
/var/spool/fax/status uucp.uucp 755
/var/spool/fax/tmp uucp.uucp 700
#
# tex
#
# font cache: group root may write generated fonts
/var/texfonts/pk/deskjet root.root 0775
/var/texfonts/pk/gsftopk root.root 0775
/var/texfonts/pk root.root 0775
/var/texfonts root.root 0775
#
# uucp
#
# public spool: sticky, writable by group uucp only
/var/spool/uucppublic root.uucp 1770
/var/spool/uucp uucp.uucp 755
# uucp binaries without setuid bits
/usr/bin/uucp uucp.uucp 0555
/usr/bin/uuname uucp.uucp 0555
/usr/bin/uustat uucp.uucp 0555
/usr/bin/uux uucp.uucp 0555
/usr/lib/uucp/uucico uucp.uucp 0555
/usr/lib/uucp/uuxqt uucp.uucp 0555
# dial-out and login credentials: readable by the uucp user and group only
/var/lib/uucp/taylor_config/call uucp.uucp 440
/var/lib/uucp/taylor_config/passwd uucp.uucp 440
/var/log/uucp uucp.uucp 755
#
# games of all kinds, toys
# all suid and sgid bits cleared.
#
# directories:
# score directories and files are writable by group games (0775/0664).
# NOTE(review): since the game binaries below carry no setgid games bit,
# only members of group games can presumably update high scores -- confirm
# that is acceptable.
/var/games games.games 0775
/var/games/sasteroids games.games 0775
/var/games/xbl games.games 0775
/var/games/sail games.games 0775
/var/games/phantasia games.games 0775
/var/games/kugel-scorefile games.games 0664
/var/games/kjewelscore games.games 0664
/var/games/xgalaga/scores games.games 0664
/var/games/xsok games.games 0775
/var/games/xsok/Cyberbox.score games.games 0664
/var/games/xsok/Sokoban.score games.games 0664
/var/games/xsok/Xsok.score games.games 0664
/var/games/xbill/scores games.games 0664
/var/games/geki2.scores games.games 0664
/var/games/grande.scores games.games 0664
# svgalib:
/usr/games/abuse.console root.root 0755
# SpaceBoom: not in SuSE-7.1 any more:
/usr/games/SpaceBoom/SpaceBoom root.root 0755
/usr/games/synaesthesia root.root 0755
/usr/games/sasteroids root.games 0755
/usr/games/snake games.games 0755
/usr/games/wtf games.games 0755
/usr/games/trek games.games 0755
/usr/games/cribbage games.games 0755
/usr/games/arithmetic games.games 0755
/usr/games/quiz games.games 0755
/usr/games/backgammon games.games 0755
/usr/games/banner games.games 0755
/usr/games/canfield games.games 0755
/usr/games/wargames games.games 0755
/usr/games/fish games.games 0755
/usr/games/tetris-bsd games.games 0755
/usr/games/apxserver games.games 0755
/usr/games/huntd games.games 0755
/usr/games/hunt games.games 0755
/usr/games/rot13 games.games 0755
/usr/games/boggle games.games 0755
/usr/games/pig games.games 0755
/usr/games/worms games.games 0755
/usr/games/robots games.games 0755
/usr/games/yahtzee games.games 0755
/usr/games/Maelstrom games.games 0755
/usr/games/monop games.games 0755
/usr/games/random games.games 0755
/usr/games/cfscores games.games 0755
/usr/games/number games.games 0755
/usr/games/mille games.games 0755
/usr/games/ppt games.games 0755
/usr/games/adventure games.games 0755
/usr/games/morse games.games 0755
/usr/games/battlestar games.games 0755
/usr/games/sail games.games 0755
/usr/games/rain games.games 0755
/usr/games/countmail games.games 0755
/usr/games/factor games.games 0755
/usr/games/caesar games.games 0755
/usr/games/wump games.games 0755
/usr/games/snscore games.games 0755
/usr/games/gomoku games.games 0755
/usr/games/pom games.games 0755
/usr/games/bin/cfsndserv games.games 0755
/usr/games/bin/cfclient games.games 0755
/usr/games/bin/gcfclient games.games 0755
/usr/games/bin/crossfire games.games 0755
/usr/games/hangman games.games 0755
/usr/games/dm games.games 0755
/usr/games/atc games.games 0755
/usr/lib/nethack/nethack.gtk games.games 0755
/usr/lib/nethack/nethack.tty games.games 0755
/usr/lib/nethack/nethack.qt games.games 0755
/usr/lib64/nethack/nethack.gtk games.games 0755
/usr/lib64/nethack/nethack.tty games.games 0755
/usr/lib64/nethack/nethack.qt games.games 0755
# falconseye
/usr/lib/nethack/nethack.fe games.games 0755
/usr/lib64/nethack/nethack.fe games.games 0755
/usr/games/primes games.games 0755
/usr/games/phantasia games.games 0755
/usr/games/bcd games.games 0755
/usr/games/worm games.games 0755
/usr/games/teachgammon games.games 0755
/usr/games/chromium games.games 0755
/usr/games/crossfire games.games 0755
/usr/games/geki2 games.games 0755
/usr/games/grande games.games 0755
/usr/games/xscrab games.games 0755
/usr/bin/ltris games.games 0755
/usr/bin/xlogical games.games 0755
/usr/bin/lbreakout games.games 0755
/usr/bin/lbreakout2 games.games 0755
# d1x descent
/usr/share/games/d1x/d1x143sh games.games 0755
/usr/X11R6/bin/mirrormagic games.games 0755
/usr/X11R6/bin/xboing games.games 0755
/usr/X11R6/bin/xboingrp games.games 0755
/usr/X11R6/bin/xbombs games.games 0755
/usr/X11R6/bin/xgalaga games.games 0755
/usr/X11R6/bin/tophextris games.games 0755
/usr/X11R6/bin/xtetris games.games 0755
/usr/X11R6/bin/xhextris games.games 0755
/usr/X11R6/bin/cxhextris games.games 0755
/usr/X11R6/bin/xdigger games.games 0755
/usr/X11R6/bin/xkobo games.games 0755
/usr/X11R6/bin/xmris games.games 0755
/usr/X11R6/bin/xbl games.games 0755
/usr/X11R6/bin/battalion games.games 0755
/usr/X11R6/bin/rocksndiamonds games.games 0755
# gnome-games
/opt/gnome2/bin/gtali games.games 0755
/opt/gnome2/bin/gnotski games.games 0755
/opt/gnome2/bin/gnome-stones games.games 0755
/opt/gnome2/bin/glines games.games 0755
/opt/gnome2/bin/gnibbles games.games 0755
/opt/gnome2/bin/iagno games.games 0755
/opt/gnome2/bin/gnotravex games.games 0755
/opt/gnome/bin/sol games.games 0755
/opt/gnome/bin/gturing games.games 0755
/opt/gnome/bin/gnome-xbill games.games 0755
/opt/gnome2/bin/mahjongg games.games 0755
/opt/gnome2/bin/gnometris games.games 0755
/opt/gnome/bin/ctali games.games 0755
/opt/gnome2/bin/gnobots2 games.games 0755
/opt/gnome2/bin/gnomine games.games 0755
/opt/gnome2/bin/same-gnome games.games 0755
/opt/gnome/bin/freecell games.games 0755
/opt/gnome/bin/GnomeScott games.games 0755
/opt/gnome/bin/gataxx games.games 0755
/opt/gnome/bin/soundtracker root.root 0755
/opt/gnome/bin/gewels games.games 0755
/opt/gnome/bin/gnect games.games 0755
# lprng
# FIXME: setuid root is bad - setgid lp should be sufficient...
# NOTE(review): the modes below are already 2755 (setgid lp, no setuid);
# the FIXME above looks stale -- confirm and drop it if so.
/usr/bin/lpq root.lp 2755
/usr/bin/lpr root.lp 2755
/usr/bin/lprm root.lp 2755
/usr/bin/lpstat root.lp 2755
#
# postfix
# (setgid maildrop only; no setuid)
/usr/sbin/postdrop root.maildrop 2755
/usr/sbin/postqueue root.maildrop 2755
# Security configuration and old passwords
# (opasswd holds password history hashes and must stay root-only)
/etc/security root.root 0755
/etc/security/opasswd root.root 0600
/usr/lib/news root.root 0750
/etc/news root.root 0750
/etc/uucp root.root 0750
# Audit configuration and log files
# (configuration readable by root only; the log and its directory are
# closed to everyone else so audit records cannot be read or tampered with)
/etc/audit root.root 0700
/etc/audit/audit.conf root.root 0600
/etc/audit/filter.conf root.root 0600
/etc/audit/filesets.conf root.root 0600
/var/log/audit root.root 0600
/var/log/audit.d root.root 0700