permissions-debugsource-20201225-150400.5.16.1 >  A cQKp9|vIv",\-(:V D`.Lm4lucxAԩ Vpm~GijWMo\13C)$;> ĥo˽W触3r놱-|P8S5{sT#p$kx1gp;8 ?8d# 1 W )JS i{       (T\(#8,?9(?: K?F5UG5hH5pI5xX5|Y5\5]5^5b6:c6d7ie7nf7ql7su7v7z77778 Cpermissions-debugsource20201225150400.5.16.1Debug sources for package permissionsThis package provides debug sources for package permissions. Debug sources are useful when developing applications that use this package or when debugging this package.cQ*sheep54SUSE Linux Enterprise 15SUSE LLC GPL-2.0+https://www.suse.com/Development/Debughttp://github.com/openSUSE/permissionslinuxx86_64A큤cQ(cOf6658b4504be5cca0b2d8a87dfcfe1dc201ef8556a951c7f3e3c20f4c2174bb0rootrootrootrootpermissions-20201225-150400.5.16.1.src.rpmpermissions-debugsourcepermissions-debugsource(x86-64)    rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3cOcEZc pbVbby@bgbF@b+9aea@`@` l^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comjsegitz@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.commalte.kraus@suse.comjsegitz@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20201225: * permissions for enlightenment helper on 32bit arches (bsc#1194047)- Update to version 20201225: * fix regression introduced by backport of security fix (bsc#1203911)- Update to version 20201225: * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)- Update to version 20201225: * postfix: add postlog setgid for maildrop binary (bsc#1201385)- Update to version 20201225: * apptainer: fix starter-suid location (bsc#1198720)- Update to version 20201225: * static permissions: remove deprecated bind / named chroot entries (bsc#1200747)- Update to version 20201225: * backport of apptainer whitelisting (bsc#1196145, bsc#1198720)- Update to version 20201225: * squid: adjust pinger path, drop basic_pam_auth (bsc#1197649)- Update to version 20201225: * whitelist ksysguard network helper (bsc#1151190)- Update to version 20181225: * setuid bit for cockpit session binary (bsc#1169614)- Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)- Update to version 20181225: * etc/permissions: remove unnecessary entries (bsc#1182899)- Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647sheep54 166625898620201225-150400.5.16.120201225-150400.5.16.1permissions-20201225-150400.5.16.1.x86_64chkstat.c/usr/src/debug//usr/src/debug/permissions-20201225-150400.5.16.1.x86_64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:26482/SUSE_SLE-15-SP4_Update/cc249308f61e00752d1b1c0114b2fc64-permissions.SUSE_SLE-15-SP4_Updatecpioxz5x86_64-suse-linuxdirectoryC source, ASCII textT0ZޖWw*utf-8c66e687d9863ed2d00037a14bcb315059c87ac188e79798908687f9f98bb9138?P7zXZ !t/g$] crt:bLL c||*{ii\QV P 7|lB<fO%f5CCYVz#0x%Ț FŔTRy+(VESs& Zidk%[* 4Mlٙ:}&:U5׏`JM'< T1aJo%2$= [/lڏ#ھC,aavqΓ>>P>YY~+};KNjqeaYƢ\, LY*42b>"#obA k`hmx9HИ`.ʾ l4 5Pr2NەCK:01aF;R7 % ٔE:ghKz] m03tئi|;_9NTɍZ% E沺;W)ܵ NOlmjPqN}:ɣklȫғ }N,p*NV1fS;s0*/8Јl]2.5F`@C꺝 HR=̆~)XT9YiO- r^/JfE< ID $7 N>l~m֌P#\ -YuC`B% lH#@"cuߚtŀB֛'_bGv ̷=|j, .iMVϪ0 0Yή > Y{֏C7zZ! AkmɗJgn=qFg YRE# x:{Efg~"iɽ8݅ k*=VIc8مqbCS&9⇂4` J֫Uo: ˡnH*'Tp:TgU,oXW܎뾺R [$Nܤtň4kV zP# JdZ{. PʹC Š%B9q@ mI'#rZm^M("0^h!ƥVK[ 7cc*A[ n3sN6EvwS5}M*ݨ1vC `"GDwKZIc Ho܍ikY&suh \sn!pꗦEOY;%,ɰ=cF-dn'I _Z>:U}nl"L C.tX.'5_b\4o?M9j6 UN" ! JB]h  ;regX ^#=s -aFu5ѫ*)uzu06u.~)ۚLj>0,+3vAÔ!˳?QCǚPE;ܕ!LGNխ u͙=M(*xT<5Ŗb&%fʕ=57Gf4m v<@pe{mZB̙CNЋ2r 6 {^BK&xxN5]9.DD^*fJ0FՁ[}-,&Ue[u^huvWf`vGREPK@jb.k,P^+:ުoަ 5k+:rGrm$Ɖ*%2y`Ӽa^OZ!dRQHx *hj 9T%'Ȁd8j&!RW脊=$gǥ;9@Zš巈_zUcQgQ6j% >ۯ6RoUs3+q 8IX; /oL)$y\talzZĨ[{TzŴπ(o7Ez%|&J]t.;Vw uj2@;/(ưDz 4q$2@apiS$BOtMxV];H_TuVݪt OjM娻i* R+Dթ3`xwǎ޷n/T-쉨g?Q&yN2x]g"WxW~сs4$'_94,c D-e`eB\6!)~9u;PK+`(8|[)yվV6cK(ϲyw8-],r*Fvٮc0`{."_V 2Bc}2I!2]m̝{(xשLj[ߖs #o * ƢݳYJmUL.g¨,Ѓjy< h (Ё'.ʐ7 $MH&ۡi.>B( Eس- h0X@EJsh zkyS4A{4IؙIAl@4A?- 35^y/~EX\]y*?)ԂA)37h# WNZiTĮ{,#]ѠAӞjV-)]b36[}%m4<(|>tnFi%k~z!.uDD󊆄:_ܢ9Q"!e7l0{(NI8X:;m#d\hniD(#E M2p[[F˞\P^" ǹ?2~d$[8Y^\N::~GW3bFN .g8V!|39` kO.o^T:|{7GC9=)Z.5. 3rz7u1)O=ѕ>ƭHm.O,Z!668B oډ\Ʈ#(1LS=8p+n@HsIm|a>"R== I+=t 5yYptzsN#V5CLjl \}ɪAT@Ce"NDmϰyR%ħo(^[3ۉC/zJ4c'#M(^COE5Vؾ2HV LD9)bPL,1$Z9]! 6)97uNL2mXӶb*w^gH A"˫,jU-&E)u⎽N~H7\D as[a@O=w(.w ; yKc7$e;nkl:D %%_#)X'{WI=i3 j| ATLk 0;A|xu]kyZ!#.}Ubt=?73Oay91@ d]qy|#^(J4C-Nk[YrVB"ZG4YXԌ}{n#nΟ8PapG0D:Ѵрl%ukH~Hz4OH# ugCy:9 81烅?)4;QxvT<-.nԓڊՊ|*_:3Xvqnŏȳ :@ 6/s(1n7_{21S;^JWz=lRN[&Hv 60|2WJ|YRU.ɟ 4ֈ(-NyāH^}VHoPO (zu e;5f>"3V;-y ګ < @v0odPhZ8 s?Vc^S7x=FaY̏B Kho}S9el(^ ^ AǷ=I!:WhJ5,DUO/YUމ,!#&WH܏ѼL*^P7{0Zj^#q'}rÊ]ʳSʗS€|5ƄirXODԡI)5WϬU|tE퓥 LNLrQn%Bhֈl&6j_2+vrrr=8YOp[oxtS$_4^(^vr=jVB-0ax\64NJfRg xж[wKXOUrY7B㍪)5R^t:GȤ: ݬIXU.e75>gumQFhe`u/;˯M1ubƳ'td8G D֐ʋ?*SVBcf!0;As?%S!Wh}[ÓPq ө-}.SlWh}<6T/wXB.@ng9řק/c\6oP- 2Pg_k\UF&Ow` ]} aM~lf*YuO!s&)y= %7|k21_x_x&&s~V R?@2J,?|hszиȍ#qd|3/IjILZyp.LpEŰ.b]DEf2Ga. D$G$ȎWG#t/~)_;kAg Ji=qDPd"۾[Z9xk] -aW~fD~r*X:pm')1L{b2SʐREq' eٛyDmCL(ː׮Hb, hjE ǔJpm a0p9Ƒ ~GTy'Ewg:w{»Lx>'#:ng~`/`e<)MW9PHs4_(9YN]8Iw~\Y#m¥6ou;rupj[ +΅ѹ}^qr:簄|pk| AtǼ֋TyoRNIci~eX&' rԑ: -^#W,hb0쒃E< ǿ#{*t{wԸ!@MMˈC $' b-xl6hC#&!Z&KœvB}P6gY/~:W+zt%>['-֛a2D'D9xBR6.Mh(}Nl_)!CYid;_6ű}_Q jRrr+rCqh~^ú-V|+|psUGa\3̇z A_f .TLI$]}j8~g}D"ُڂlX7; VC7)c_<n+ג9ˏ0&Bj"5Vrćf ݸƦ\VۥwaɏoGAG( H9*"X\gRyl)O ԳӿCj+^~6kGd7RUrcͤza'ů# J͝&؛e_FљO0,m̡ku:{,E[xP祴ay PV(է\b(uL_ ^sFo7^`j+kNy;}#r^odO}%DUn6E5Ң$ɿ|6”SC0_osl|dc-Gu3 u4Qu4}ݘVXM7snH{Yg԰-\>uu&*vy6DQեʟd$R1N7ǥ7Oc&p£"+C<8ی:^A&Cn [YV}A|/`n:T> j3G\%2OWRtq705zJi4dgT˟Zp j9G}*IH¿K|VF.9ڟ ڠi.Y8Ӵ)3iKH#Z[jw"<*"#GĿz\h5LHFNkT X6CXo~PK IdR=5 m7-@Hj5KF#AG [0Ss۫ȍŒo%&$v-? }W"bt 'EtICډWfArM ىԁGL*uVci$b^ZKL &V ŁXp[Ӛ8ʽ`g_+/-R &i%?WZ=T tj˳y#֘^/yTi#JAs qmZes zކ[|̺TH =n1㍲-/ig0߄ܩ+>@qҼzDGl0hYN :(n,ԇ`^h7 n~Nv=)aJ~2 YZ