permissions-debugsource-20181224-lp152.14.3.1 4>$  Ap_r/=„݅g ۭޫ]'fVAfxzج\Ty0?.17<H*gQs"mUp~GpeYs|gx%!C1r ) Y(nU&slafU(i :7L(<݀jr;ɀLAƠ К,j\ n>W_\L,t@zw੄}5O |3t]]``BoI-S % gN:}0cc2ec83afe78150c6c3de1cb8916bbe0755fd94a004f73140e6e0494c23d4bb55d82bf930c84cec0023192fb78d778a82f45c002[ _r/=„twj(A5`h"j#s4*ދLDcȊ״&D:C%D=-Ai6^H3펂*r8c,&nR[3ugɖóG%Lu97-|Ǻ {eYNΙ>P`'n@ԟ#/3M0جI*bJlV +"5z8ڂP'E2( vŕ}ܣ$_|͑Dtw33ຂ>p;2?2d# 0 V #,5 N`      8@x(8393:3F/G/H/I/X0Y0\04]0<^0ob0c1ad1e1f1l2u2v2z2;2L2P2V2Cpermissions-debugsource20181224lp152.14.3.1Debug sources for package permissionsThis package provides debug sources for package permissions. Debug sources are useful when developing applications that use this package or when debugging this package._qbuild79openSUSE Leap 15.2openSUSEGPL-2.0+http://bugs.opensuse.orgDevelopment/Debughttp://github.com/openSUSE/permissionslinuxx86_64A큤_q_(43f747fd0a709e659e708db1a113c50f0849e5d6005a428988716db03d877737rootrootrootrootpermissions-20181224-lp152.14.3.1.src.rpmpermissions-debugsourcepermissions-debugsource(x86-64)    rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.1_i^?@^ϧ^>@^^y@^\@^Y^;^:@^4]@]@]@]@]:\8\b@[@[z@ZiZ\Z%8ZZ@Z@Z@ZNY|Y@Y˒Y@YY@Y7Y2Y1S@W"W@W@WBWBVV@VV2 @V +V +UuT~@TZ@matthias.gerstner@suse.commatthias.gerstner@suse.commalte.kraus@suse.comjsegitz@suse.comjsegitz@suse.comjsegitz@suse.commalte.kraus@suse.commalte.kraus@suse.commatthias.gerstner@suse.commatthias.gerstner@suse.comMalte Kraus Malte Kraus Malte Kraus Malte Kraus Johannes Segitz Malte Kraus jsegitz@suse.comjsegitz@suse.comopensuse-packaging@opensuse.orgmatthias.gerstner@suse.commeissner@suse.comkrahmer@suse.comkukuk@suse.commpluskal@suse.comastieger@suse.comrbrown@suse.comkrahmer@suse.comeeich@suse.comjsegitz@suse.comastieger@suse.compgajdos@suse.comastieger@suse.comastieger@suse.comopensuse-packaging@opensuse.orgdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.comdimstar@opensuse.orgmeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.commeissner@suse.comkrahmer@suse.commeissner@suse.com- Update to version 20181224: * fix paths of ksysguard whitelisting * whitelist ksysguard network helper (bsc#1151190) * pcp: remove no longer needed / conflicting entries- Update to version 20181224: * profiles: add entries for enlightenment (bsc#1171686)- whitelist texlive public binary (bsc#1171686)- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)- whitelist s390-tools setgid bit on log directory (bsc#1167163)- run testsuite during package build - Update to version 20181224: * testsuite: adapt expected behavior to legacy branches * adjust testsuite to post CVE-2020-8013 link handling * testsuite: add option to not mount /proc * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922 * add a test for symlinked directories * fix relative symlink handling * regtest: fix the static PATH list which was missing /usr/bin * regtest: also unshare the PID namespace to support /proc mounting * Makefile: force remove upon clean target to prevent bogus errors * regtest: by default automatically (re)build chkstat before testing * regtest: add test for symlink targets * regtest: make capability setting tests optional * regtest: fix capability assertion helper logic * regtests: add another test case that catches set*id or caps in world-writable sub-trees * regtest: add another test that catches when privilege bits are set for special files * regtest: add test case for user owned symlinks * regtest: employ subuid and subgid feature in user namespace * regtest: add another test case that covers unknown user/group config * regtest: add another test that checks rejection of insecure mixed-owner paths * regtest: add test that checks for rejection of world-writable paths * regtest: add test for detection of unexpected parent directory ownership * regtest: add further helper functions, allow access to main instance * regtest: introduce some basic coloring support to improve readability * regtest: sort imports, another piece of rationale * regtest: add capability test case * regtest: improve error flagging of test cases and introduce warnings * regtest: support caps * regtest: add a couple of command line parameter test cases * regtest: add another test that checks whether the default profile works * regtests: add tests for correct application of local profiles * regtest: add further test cases that test correct profile application * regtest: simplify test implementation and readability * regtest: add helpers for permissions.d per package profiles * regtest: support read-only bind mounts, also bind-mount permissions repo * tests: introduce a regression test suite for chkstat- Update to version 20181224: * whitelist WMP (bsc#1161335) * Makefile: allow to build test version programmatically * chkstat: handle symlinks in final path elements correctly * add .gitignore for chkstat binary * faxq-helper: correct "secure" permission for trusted group (bsc#1157498) * fix syntax of paranoid profile- Update to version 20181224: * mariadb: settings for new auth_pam_tool (bsc#1160285) * chkstat: capability handling fixes (bsc#1161779) * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball: - 0001-whitelisting-update-virtualbox.patch - 0002-consistency-between-profiles.patch 0003-var-run-postgresql.patch - 0004-var-cache-man.patch - 0005-singularity-starter-suid.patch - 0006-bsc1110797_amanda.patch - 0007-chkstat-fix-privesc-CVE-2019-3690.patch - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch - 0009-chkstat-handle-missing-proc.patch - 0010-chkstat-capabilities-implicit-changes.patch Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update: - Update to version 20181117: * removed old entry for rmtab * Fixed typo in icinga2 whitelist entry- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch) - fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)- Updated permissons for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox - Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic - Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve- Update to version 20181116: * zypper-plugin: new plugin to fix bsc#1114383 * singularity: remove dropped -suid binaries (bsc#1028304) * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds * setuid whitelisting: add fusermount3 (bsc#1111230) * setuid whitelisting: add authbind binary (bsc#1111251) * setuid whitelisting: add firejail binary (bsc#1059013) * setuid whitelisting: add lxc-user-nic (bsc#988348) * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956) * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420) * Fix wrong file path in help string * Capabilities for usage of Wireshark for non-root - remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.- Update to version 20180125: * the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247) * make btmp root:utmp (bsc#1050467)- Update to version 20180115: * - polkit-default-privs: usbauth (bsc#1066877)- fillup is required for post, not pre installation- Cleanup spec file with spec-cleaner - Drop conditions/definitions related to old distros- Update to version 20171129: * permissions: adding gvfs (bsc#1065864) * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410 * Allow fping cap_net_raw (bsc#1047921)- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Update to version 20171121: * - permissions: adding kwayland (bsc#1062182)- Update to version 20171106: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20171025: * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)- Update to version 20170928: * Fix invalid syntax bsc#1048645 bsc#1060738- Update to version 20170927: * fix typos in manpages- Update to version 20170922: * Allow setuid root for singularity (group only) bsc#1028304- Update to version 20170913: * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)- Update to version 20170906: * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764 * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)- Update to version 20170602: * make /etc/ppp owned by root:root. The group dialout usage is no longer used- Update to version 20160807: * suexec2 is a symlink, no need for permissions handling- Update to version 20160802: * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282) * root:shadow 0755 for newuidmap/newgidmap- adding qemu-bridge-helper mode 04750 (bsc#988279)- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is eactly %cd in the _service defintion). Upgrading is no problem.- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)- permissions: adding gstreamer ptp file caps (bsc#960173)- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789 - added missing / to the squid specific directories (bsc#950557)- adjusted radosgw to root:www mode 0750 (bsc#943471)- radosgw can get capability cap_bind_net_service (bsc#943471)- remove /usr/bin/get_printing_ticket; (bnc#906336)- Added iouyap capabilities (bnc#904060)- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093) - permissions: incorporating squid changes from bnc#891268 - hint that chkstat --system --set needs to be run after editing bnc#895647build79 160553010720181224-lp152.14.3.120181224-lp152.14.3.1permissions-20181224-lp152.14.3.1.x86_64chkstat.c/usr/src/debug//usr/src/debug/permissions-20181224-lp152.14.3.1.x86_64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:15002/openSUSE_Leap_15.2_Update/3eb488a46785bebc2ccd039d1c7dafc2-permissions.openSUSE_Leap_15.2_Updatecpioxz5x86_64-suse-linuxdirectoryC source, ASCII text`_| MxEutf-8bf025cbe1c5c6d5efd43d539eae28c0843665f441b224408442a1e60ae83506d?P7zXZ !t/$\] crt:bLL F4.qHʲ{soVѴLRBK@ da2 _YRQ1w(h_Цg^)}3 @p0~ʞW[x;ۀRlJ!Ŗ5.趌hO$`zcQ(8^OGAS9l~n( :I:a*iOR»Kymv78c#E5l.%ȭHLg2K$ ^Di*I7} Pmކ&Kj.^ÆnK.5YJo4[kd~d-zā_U"B DGb (]#7F %PF/8Ff(*RG:(>;'$8@N~1xrcOb^Ҩւxgp \hGy[_"rN+Ll*hJ[iX4)83N_CQ'fb=pS&CLJJ> 9tBْ2OFt PADTstqk{\(tv}("S>T:3uÖ=o g\SZwTlZ_70i\h@ALu&fo@w-Z*EgBu%.-ÕRT1l {"SAR'r8,g|n/5&fg6օ^XXeH q}Ecs%HJzډ5+{Ƃ'$HnD:1GF8䡅H6h\(ρ4eJ=~#P!Qջ0!OE,+e:VU( '_' 5ښ=ʧ?\Zx =qY6ho%xމA7sWFwFf4Sul_kTIm6 DZ}wERVU"k <)ԱU0)tft(VKr,uYEpQ )7? w?POL^sKa|i\0/T}Φ̭ Ƀgٸi28 )I&:QrA%?eq=w@o,/!?cT0XNd}-}z=пp#HTE4&Q'169EH@C|nT}3A n]?3?!jn-H]9ڣ@ 2wosK=߂Nj=}ߦ,w\+d!@p'(Z+D*2uT* 7}ncPwLWlv 0`<˧-UpR:^~̮Kyga;=]P:_T 393F7D_#]d־-N˞FaC+rhuZlPc9.5f2}߱eP;f(PYo=o=ά-un?/aޛs';QŬ `YΎ z ]G! Ax1L#IֽGe&Ï "b n\%ŗvhRSoT?'>B,ɹ  zK5?,^%4dDMTG.GxPRwn{BxΉ-lu=Px" ` و Yv7ؽ pR'Kz5Z7V!w>4uί8Ʋ$% ^OT A)VnV>'Yi9~>2 H➞zX T` 7ra Kȅ)]Dٵ.z5wpJA+1Sksҫ3r5s/+R!ԄpB?DP!wzF#jBգ% #{GLXr1ΤʿVt(XRgܨ*[dg'w D?OgE =eC|9$X vH_M">9ń~FX[3/cÑ܎P eҊ4iJvԍ'YdM:SE&:I[}fTBp=D4V rFX_:צoB>=tlpÕ+/bOfG(!⭛|$%L)[Y㸎y k4OBEE]|QmK | &=5]+g-+,$itc/5ɌnO Äo\8%Du NtaS𝽋ׁGo(pt^xAQgL[w^ <8a& p+Jl' Oh_*K :=, }7+WQ됚b<.'ʩ*X8CSʜQKljGE6*aF{H"7Mj_uIb(XzH Q-ic-sofܚP^wiq;0nM%9,_#9ݷ9FY֥E ͳ'-Lj! j:'֔m-"鑪7KI"F:(O dGz<*P}uOΖ#63R!n˲ EPF4!]\ǙsӠ.ͽTܘƫi10%|*ĈtlV82o$]vP_|?e˩6 \Z7p.&GVW嶬{0-oYqgodEr][p'YSe|vڰ~̶WX&Jt.zm@6-_3x?'ϲ7-/%m#J_ߒ)%tKi e$Jk(=x}ro@(W‴GTqHҼxHT&IO?y9qi|m+\2J0F?ڱ;.:Z gWzr֔t1# puuҳ*֧ Tnh'is2ңtO5 8peQ!ᬞ>P0%x]>3֔2G{L6:ۢRxĕR#Q/97CW'i7!w jܧbvf$%ϋm.iz*_\h^BLZ]?Mb@O+~y:UMQM!?(&<% rtBdـ6y$[[+1/l2R_۫[6iWXDhs)Gu5TGcqI2UHxW! ֨$fGa;gk%fp1K }<6[XIB@E+22 xѠW0yW ˺_87>&f'RSzAAw \A1HWɸ_k) C` m a"̼tY^ ]K)0?:uBW16ϹF,ύG' IpdŁ|ĀǼ|RLrHQ< F<[hDZX9. jD`TXJkǴjyO9 ?؁3Ƨd'I[ݺ>d(*uz\`dlaedM]N_Z )3vN 跩(Ojv@&3jW^Zm/("aGUmTɒ~tXe6EJuE;;6|#@'f##6%a$[['hY/fLMk=isEϮu$3) y326ʎOB 9Ѓ>dFL`?Lq$ͦum,*$m&l%٠)G/a d'4VT V%GxJĖjXX\A4(H[iZVxx*_ƨxFPYOϰi6bYƱ8iM ҙ#sDIOϴGrC^ >ȚFXD&%_ipwR6D<!ЃQ>7Dw *{!O.y:]3 B\u6 !f芝ui2="x2/?4sT0"rXRb@ pUYgY C{z {NQZ8%/U&N> ^SbFLzUjmRH8j]ԩ`۳tvW^)ZF>ҫ2wSg{ gQyFY.j#X}ZXZYmٚh,PNx5'h bQ>?c}֖z=d_B_.XOaSfXz Hu ]9`4hONm嘏9M'qb<1őq!ZmJwAƋ5&UO{˯9`C3:&)k0g͗"-$搶(?$șŒ\OCesO⢗I\Y^t).C6&'^LGy=7@2v=8|p'u}`o gƫDUJng $s-fʃҋ S%;t][YN&JGhT>N m5=hAQ9#!$ΧТPGBi[>"¾[$]ϲ ,le,O<][EحƇ·,㧄W }¾z"scⲞSAӡ澼~_N'/wDvD776Фpݺ `ЉJ\=U bQ6a!dY-i9`Ri}FxoϵdYÊX>3{1"ifctR?M}}Gޛt{U$Le !st%X;f>}:lchGșmYN ?I3;ަJvbez]~]W[S~? Mw˕WqfV[X"z|,V9Ld耂(hիBc+D0Sfڙ2D[WAI6Or͏U%ĩPv=,0Vo%.K#*D=&5Wm CpshЪ@.@g)1k;CUU)Hge]f&F4 fgXLBh ŮQP>R k߂xRޭ\3,8RУArB!gv1cc{暡JWk[־~}Bu{1]"\"hkۣS,\.B I;L 奞FlXm5<| gW&BGɅ*"Nz-~N8_0<JaN)^ h'a*t[ !F=@8erj?z~ K*tRi;iZ|X px"8XkuGs~Qs'`h?g +=(D6C5\\+QzU8o^_wGBD`AOB..GM?DxF'!Aò>jAfCԪ(cxa7rmb7Š= ϼ zSsi:+"_[\`=AE/o{٥) =t,l1?sEâ&%nПZ=pbhjݪaOZ >EcX<پ 5yc 켒g7sa i:S h9 ?EB) bj&ݶ+}R!P}0U{Әe+t0!':,uoɋο q<D b#.h ԞZD2„|.&X؞HPP=lyO%tJRqxsX"}2Y+roP2n ؙQܦ載T_;oO ,6O,ި=u&(-\w_&&ڨBsm  [XO݂Ծԧ-Bl@cJ.r*Vyvz:R~qD5H\Lo /" šBLQTp6u3`V`&nzѴJ'b touHPm^ûM~K| tg2g&#fRvCR툊y5V {Ȧ˓ V f/y9nn|lg`Վw.0pvL}`oFLu,^š= cLWÞJx8N|f1X{' L^JмrS!IDnw;]0U`L m^u'N*[/oʠI׺?A}o0#5)7e ˯ =u5. ʰr/A9O(Oo]2G[24Ös1L7#Qk Fɘh 3 Lt('W!-Ngx}ZN㈂sїGc7CIb,%v_ 2VJw`Ȕhu(>Kz XmWA B3i&~"T> %q- lLɚd w{'#`?Buֱ KMow۳a$Y:DIE4 YZ