# /etc/permissions
#
# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany.  All rights reserved.
#
# Author: Roman Drahtmueller <draht@suse.de>, 2001
#
# This file is used by SuSEconfig and chkstat to check or set the modes
# and ownerships of files and directories in the installation.
#
# There is a set of files with similar meaning in a SuSE installation:
# /etc/permissions  (This file)
# /etc/permissions.easy
# /etc/permissions.secure
# /etc/permissions.paranoid
# /etc/permissions.local
# Please see the respective files for their meaning.
#
#
# Format:
# <file> <owner>:<group> <permission>
#
# How it works:
# Change the entries as you like, then call
# `chkstat -set /etc/permissions` or `chkstat -set /etc/permissions.{easy,secure,paranoid}`
# respectively, or call `SuSEconfig` as YaST does after it assumes
# that files have been modified in the system.
#
# SuSEconfig uses the file /etc/permissions plus the files whose suffix
# is listed in the variable PERMISSION_SECURITY in
# /etc/sysconfig/security. By default, these are the files
# /etc/permissions, /etc/permissions.easy and /etc/permissions.local,
# the last one being for local changes by the admin. In addition, the
# directory /etc/permissions.d/ can contain permission files that belong
# to the packages whose file modes they set. These permission files
# serve to switch between conflicting file modes of the same file
# paths in different packages (popular example: sendmail and
# postfix, path /usr/sbin/sendmail).
#
# SuSEconfig's usage of the chkstat program can be turned off completely
# by setting CHECK_PERMISSIONS to "warn" in /etc/sysconfig/security.
#
# /etc/permissions is kept to the bare minimum. File modes that differ
# from the settings in this file should be considered broken.
#
# Please see the headers of the files
#   /etc/permissions.easy
#   /etc/permissions.secure
#   /etc/permissions.paranoid
# as well as
#   /etc/permissions.local
# for more information about their particular meaning and their setup.

#
# root directories:
#

# 1777 = world-writable with the sticky bit: any user may create entries,
# but only the entry's owner, the directory owner or root may remove them.
/                                                       root:root          755
# root's home: no access for other users
/root                                                   root:root          700
/tmp                                                    root:root         1777
/tmp/.X11-unix/                                         root:root         1777
/tmp/.ICE-unix/                                         root:root         1777
/dev                                                    root:root          755
/bin                                                    root:root          755
/sbin                                                   root:root          755
/lib                                                    root:root          755
/etc                                                    root:root          755
/home                                                   root:root          755
/boot                                                   root:root          755
/opt                                                    root:root          755
/usr                                                    root:root          755

#
# /var:
#

/var/tmp                                                root:root         1777
/var/tmp/vi.recover/                                    root:root         1777
/var/log                                                root:root          755
/var/spool                                              root:root          755
# at spool: only the at user may enter it; the sequence and lock files
# are not executable
/var/spool/atjobs                                       at:at              700
/var/spool/atjobs/.SEQ                                  at:at              600
/var/spool/atjobs/.lockfile                             at:at              600
/var/spool/atspool                                      at:at              700
# cron and mqueue spools: root only
/var/spool/cron                                         root:root          700
/var/spool/mqueue                                       root:root          700
/var/spool/news                                         news:news          775
/var/spool/uucp                                         uucp:uucp          755
/var/spool/voice                                        root:root          755
# world-writable with the sticky bit: every user may create a file here,
# but only its owner may remove it
/var/spool/mail                                         root:root         1777
/var/adm                                                root:root          755
# root only
/var/adm/backup                                         root:root          700
/var/cache                                              root:root          755
# same sticky-bit rule as /var/spool/mail above
/var/cache/fonts                                        root:root         1777
/var/cache/man                                          man:root           755
/var/yp                                                 root:root          755
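# NOTE(review): 666 makes this socket connectable by every local user;
# confirm that is what the shipped nscd expects before tightening it.
# (Entry re-aligned with spaces like every other line in this file.)
/var/run/nscd/socket                                    root:root          666
# sudo's timestamp directory: root only
/var/run/sudo                                           root:root          700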

#
# log files that do not grow noticeably
#
# root only (600): nobody else may read or write it
/var/log/faillog                                        root:root          600
# Group tty owns this file but gets no write bit (644, not 664), so the
# information therein can be trusted.
/var/log/lastlog                                        root:tty           644


#
# some device files
#

/dev/zero                                               root:root          666
/dev/null                                               root:root          666
# NOTE(review): 622 lets everyone write but only root read; confirm this
# is the intended mode for /dev/full
/dev/full                                               root:root          622
/dev/ip                                                 root:root          660
/dev/initrd                                             root:disk          660
# kernel memory: readable by root and group kmem only, never world-readable
/dev/kmem                                               root:kmem          640

#
# /etc
#
# presumably root only because lilo.conf may contain a boot password
/etc/lilo.conf                                          root:root          600
# the account list is world-readable; the password hashes live in shadow,
# which only root and group shadow may read
/etc/passwd                                             root:root          644
/etc/shadow                                             root:shadow        640
/etc/init.d                                             root:root          755
/etc/HOSTNAME                                           root:root          644
/etc/hosts                                              root:root          644
# Tightening the modes of the hosts_access(5) files causes trouble with
# services that do not run as root -- they have to read these files!
/etc/hosts.allow                                        root:root          644
/etc/hosts.deny                                         root:root          644
/etc/hosts.equiv                                        root:root          644
/etc/hosts.lpd                                          root:root          644
# kept world-readable: the dynamic linker needs them for every process
/etc/ld.so.conf                                         root:root          644
/etc/ld.so.cache                                        root:root          644

# presumably the one-time-password key file: root only
/etc/opiekeys                                           root:root          600

# smpppd: the daemon config is root only; the client config and the run
# directory are shared with group dialout
/etc/smpppd.conf                                        root:root          600
/etc/smpppd-c.conf                                      root:dialout       640
/var/run/smpppd                                         root:dialout       750

# PPP: the directory is open to group dialout, but the authentication
# secrets inside stay root only
/etc/ppp                                                root:dialout       750
/etc/ppp/chap-secrets                                   root:root          600
/etc/ppp/pap-secrets                                    root:root          600

# sysconfig files:
# root only -- presumably because the provider files hold dial-in credentials
/etc/sysconfig/network/providers                        root:root          700

# utempter: setgid tty (2755) rather than setuid root
/usr/sbin/utempter                                      root:tty          2755

# Restricting the mode of the global ssh client configuration makes it
# unreadable and therefore useless. Keep in mind that users can bring their
# own client!
# private host key: root only; the public half is world-readable
/etc/ssh/ssh_host_key                                   root:root          600
/etc/ssh/ssh_host_key.pub                               root:root          644
/etc/ssh/ssh_config                                     root:root          644
# the server configuration is not world-readable
/etc/ssh/sshd_config                                    root:root          640

#
# legacy
#
# Programs that used to carry a setuid/setgid bit. They are listed with
# plain modes so that `chkstat -set` resets them to exactly that.
#
# don't set the setuid bit on suidperl! Set it on sperl instead if
# you really need it as suidperl is a hardlink to perl nowadays.
/usr/bin/suidperl                                       root:root          755

# this made my X die. As punishment it gets the setuid bit removed.
# Use it directly as root if you need it.
/usr/X11R6/bin/dga                                      root:root          755

# cdrecord does not need to be setuid root as it uses resmgr for
# accessing the devices. Access to that one can be configured in
# /etc/resmgr.conf
/usr/bin/cdrecord                                       root:root          755

# new traceroute program by Olaf Kirch does not need setuid root any more.
/usr/sbin/traceroute                                    root:root          755

# netatalk printer daemon: sgid not needed any more with cups.
# (0755 is the same octal mode as 755, just written with the leading zero)
/usr/sbin/papd                                          root:lp           0755

# safe as long as we don't change files below it (#103186)
/var/games/                                             games:games       0775

# No longer common. Set setuid bit yourself if you need it
# (#66191)
#/usr/bin/ziptool                                        root:trusted      4750
