# /usr/share/permissions/permissions
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany.
# Copyright (c) 2011 SUSE Linux Products GmbH Nuernberg, Germany.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2001
#
# This file is used by chkstat (and indirectly by various RPM scripts)
# to check or set the modes and ownerships of files and directories in the installation.
#
# There is a set of files with similar meaning in a SUSE installation:
# /usr/share/permissions/permissions  (This file)
# /usr/share/permissions/permissions.easy
# /usr/share/permissions/permissions.secure
# /usr/share/permissions/permissions.paranoid
# /etc/permissions.local
# Please see the respective files for their meaning.
#
#
# Format: 
# <file> <owner>:<group> <permission> 
#
# How it works:
# To change an entry copy the line to permissions.local, modify it
# to suit your needs and call "chkstat --system"
#
# chkstat uses the variable PERMISSION_SECURITY from
# /etc/sysconfig/security to determine which security level to
# apply.
# In addition to the central files listed above the directory
# /usr/share/permissions/permissions.d/ can contain permission files
# that belong to the packages they modify file modes for. These
# permission files are to switch between conflicting file modes of
# the same file paths in different packages (popular example:
# sendmail and postfix, path /usr/sbin/sendmail).

#
# root directories:
#

/tmp/                                                   root:root         1777
/tmp/.X11-unix/                                         root:root         1777
/tmp/.ICE-unix/                                         root:root         1777

#
# /var:
#

/var/tmp/                                               root:root         1777
/var/spool/mqueue/                                      root:root          700
/var/spool/mail/                                        root:root         1777
/var/run/nscd/socket					root:root	   666
/run/nscd/socket					root:root	   666

#
# login tracking
#
/var/log/lastlog                                        root:root          644
/var/log/faillog                                        root:root          600
/var/log/wtmp                                           root:utmp          664
/var/log/btmp                                           root:utmp          600
/var/run/utmp                                           root:utmp          664
/run/utmp                                           	root:utmp          664

#
# /etc
#
/etc/passwd                                             root:root          644
/etc/shadow                                             root:shadow        640
# Changing the hosts_access(5) files causes trouble with services
# that do not run as root!
/etc/hosts.allow                                        root:root          644
/etc/hosts.deny                                         root:root          644
/etc/hosts.equiv                                        root:root          644
/etc/hosts.lpd                                          root:root          644
/etc/ld.so.conf                                         root:root          644
/etc/ld.so.cache                                        root:root          644

/etc/opiekeys                                           root:root          600

/etc/ppp/                                               root:root          750
/etc/ppp/chap-secrets                                   root:root          600
/etc/ppp/pap-secrets                                    root:root          600

# sysconfig files:
/etc/sysconfig/network/providers/                       root:root          700

# utempter
/usr/lib/utempter/utempter                              root:utmp         2755
/usr/libexec/utempter/utempter                          root:utmp         2755

#
# legacy

# games:games 775 safe as long as we don't change files below it (#103186)
# still people do it (#429882) so root:root 755 is the consequence.
/var/games/                                             root:root         0755

#
# named chroot (#438045)
#
# These currently conflict with a systemd-tmpfiles configuration file.
# The entries in parallel serve the purpose of a whitelisting for
# world-writable files, therefore they need to stay in place until we have a
# better whitelisting concept.
/var/lib/named/dev/null                                 root:root         0666
/var/lib/named/dev/random                               root:root         0666

# opiesu is not allowed setuid root as code quality is bad (bnc#882035)
/usr/bin/opiesu						root:root         0755

# ceph log directory (bsc#1150366)
/var/log/ceph/                                          ceph:ceph         3770
