permissions-20200127-lp153.24.15.1

SUSE Linux Default Permissions
Permission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security.
obs-power9-06
openSUSE Leap 15.3
openSUSE
GPL-2.0+
http://bugs.opensuse.org
Productivity/Security
http://github.com/openSUSE/permissions
linux
ppc64le

PNAME=security
SUBPNAME=
SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME
# If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR
if [ ! -f $SYSC_TEMPLATE ] ; then
    TEMPLATE_DIR=/var/adm/fillup-templates
    SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME
fi
SD_NAME=""
if [ -x /bin/fillup ] ; then
    if [ -f $SYSC_TEMPLATE ] ; then
        echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..."
        mkdir -p /etc/sysconfig/$SD_NAME
        touch /etc/sysconfig/$SD_NAME$PNAME
        /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE
    fi
else
    echo "ERROR: fillup not found. This should not happen. Please compare"
    echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and"
    echo "update by hand."
fi
# apply all potentially changed permissions
/usr/bin/chkstat --system

aaa_base:/etc/permissions config(permissions) permissions permissions(ppc-64)

/bin/sh config(permissions) coreutils diffutils fillup grep group(trusted) libc.so.6()(64bit) libc.so.6(GLIBC_2.17)(64bit) libcap.so.2()(64bit) rpmlib(CompressedFileNames) rpmlib(FileDigests) rpmlib(PayloadFilesHavePrefix) rpmlib(PayloadIsXz)

- Update to version 20200127:
  * fix regression introduced by backport of security fix (bsc#1203911)
- Update to version 20200127:
  * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)
- Update to version 20200127:
  * postfix: add
    postlog setgid for maildrop binary (bsc#1201385)
- Update to version 20200127:
  * base this fork on a SLE-15-SP3 branch instead of on the Factory branch. The Factory branch contains too many unknowns for the far-off Leap 15.3 codebase.
  * add a couple of cleanup changes that we can on Leap 15.3:
    - etc/permissions: remove unnecessary static dirs and devices
    - etc/permissions: remove legacy RPM directory entries
    - etc/permissions: remove outdated sudo directories
- Update to version 20200127:
  * Makefile: Leap 15.3 still uses /etc, so adjust the installation setup
- Update to version 20181225:
  * mgetty: faxq-helper now finally resides in /usr/libexec
  * libksysguard5: Updated path for ksgrd_network_helper
  * kdesu: Updated path for kdesud
  * sbin_dirs cleanup: these binaries have already been moved to /usr/sbin
  * mariadb: revert auth_pam_tool to /usr/lib{,64} again
  * cleanup: revert virtualbox back to plain /usr/lib
  * cleanup: remove deprecated /etc/ssh/sshd_config
  * hawk_invoke is not part of newer hawk2 packages anymore
  * cleanup: texlive-filesystem: public now resides in libexec
  * cleanup: authbind: helper now resides in libexec
  * cleanup: polkit: the agent now also resides in libexec
  * libexec cleanup: 'inn' news binaries now reside in libexec
  * whitelist please (bsc#1183669)
  * Fix enlightenment paths
  * usbauth: drop compatibility variable for libexec
  * usbauth: Updated path for usbauth-npriv
  * profiles: finish usage of variable for polkit-agent-helper-1
  * Makefile: fix custom flags support when using make command line variables
  * added information about known limitations of this approach
  * Makefile: compile with LFO support to fix 32-bit emulation on 64-bit hosts (bsc#1178476)
  * Makefile: support CXXFLAGS and LDFLAGS override / extension via make/env variables (bsc#1178475)
  * profiles: prepare /usr/sbin versions of profile entries (bsc#1029961)
  * profiles: use new variables feature to remove redundant entries
  * profiles: remove now superfluous squid pinger paths (bsc#1171569)
  * tests: implement basic tests for the new variable feature
  * tests: avoid redundant specification of test names by using class names
  * regtests: split up base types and actual test implementation
  * man pages: add documentation about variables, update copyrights
  * chkstat: implement support for variables in profile paths
  * chkstat: prepare reuse of config file locations
  * chkstat: fix some typos and whitespace
  * etc/permissions: remove unnecessary, duplicate, outdated entries
  * etc/permissions: remove trailing whitespace
  * ksgrd_network_helper: remove obviously wrong path
  * adjust squid pinger path (bsc#1171569)
  * mgetty: remove long dead (or never existing) locks directory (bsc#1171882)
  * squid: remove basic_pam_auth which doesn't need special perms (bsc#1171569)
  * cleanup now useless /usr/lib entries after move to /usr/libexec (bsc#1171164)
  * drop (f)ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)
  * whitelist Xorg setuid-root wrapper (bsc#1175867)
  * screen: remove /run/uscreens covered by systemd-tmpfiles (bsc#1171879)
  * Add /usr/libexec for cockpit-session as new path
  * physlock: whitelist with tight restrictions (bsc#1175720)
  * mtr-packet: stop requiring dialout group
  * etc/permissions: fix mtr permission
  * list_permissions: improve output format
  * list_permissions: support globbing in --path argument
  * list_permissions: implement simplifications suggested in PR#92
  * list_permissions: new tool for better path configuration overview
  * regtest: support new getcap output format in libcap-2.42
  * regtest: print individual test case errors to stderr
  * etc/permissions: remove static /var/spool/* dirs
  * etc/permissions: remove outdated entries
  * etc/permissions: remove unnecessary static dirs and devices
  * screen: remove now unused /var/run/uscreens
  * Revert "etc/permissions: remove entries for bind-chrootenv"
  * rework permissions.local text (boo#1173221)
  * dbus-1: adjust to new libexec dir location (bsc#1171164)
  * permission profiles:
    reinstate kdesud for kde5
  * etc/permissions: remove entries for bind-chrootenv
  * etc/permissions: remove traceroute entry
  * VirtualBox: remove outdated entry which is only a symlink any more
  * /bin/su: remove path referring to symlink
  * etc/permissions: remove legacy RPM directory entries
  * /etc/permissions: remove outdated sudo directories
  * singularity: remove outdated setuid-binary entries
  * chromium: remove now unneeded chrome_sandbox entry (bsc#1163588)
  * dbus-1: remove deprecated alternative paths
  * PolicyKit: remove outdated entries last used in SLE-11
  * pcp: remove no longer needed / conflicting entries
  * gnats: remove entries for package removed from Factory
  * kdelibs4: remove entries for package removed from Factory
  * v4l-base: remove entries for package removed from Factory
  * mailman: remove entries for package deleted from Factory
  * gnome-pty-helper: remove dead entry no longer part of the vte package
  * gnokii: remove entries for package no longer in Factory
  * xawtv (v4l-conf): correct group ownership in easy profile
  * systemd-journal: remove unnecessary profile entries
  * thttp: make makeweb entry usable in the secure profile (bsc#1171580)
  * profiles: add entries for enlightenment (bsc#1171686)
  * permissions fixed profile: utempter: reinstate libexec compatibility entry
  * chkstat: fix sign conversion warnings on non 32-bit architectures
  * chkstat: allow simultaneous use of `--set` and `--system`
  * regtest: adjust TestUnkownOwnership test to new warning output behaviour
  * whitelist texlive public binary (bsc#1171686)
  * fixed permissions: adjust to new libexec dir location (bsc#1171164)
  * chkstat: don't print warning about unknown user/group by default
  * Makefile: link with --as-needed, move libs to the end of the command line
  * setuid bit for cockpit (bsc#1169614)
  * Fix paranoid mode for newgidmap and newuidmap (boo#1171173)
  * chkstat: collectProfilePaths(): use directory_iterator to simplify code
  * chkstat: collectProfilePaths(): prefer /usr over /etc
  * regtest: add relative symlink corner case to TestSymlinkBehaviour
  * Chkstat::parseProfile(): avoid use of raw pointer
  * parseSysconfig(): only emit warning if value is non-empty
  * incorporate a bunch of PR #56 review comments
  * regtest: add test for correct ownership change
  * chkstat: final pass over refactored code
  * chkstat: finish refactoring of safeOpen()
  * chkstat: improve/fix output of mismatches
  * chkstat: support numerical owner/group specification in profiles
  * chkstat: safeOpen: simplify path handling by using a std::string
  * chkstat regtest: support debug build
  * chkstat: start refactoring of safe_open() -> safeOpen()
  * chkstat: processEntries: pull out change logic into applyChanges()
  * chkstat: processEntries: pull out safety check logic
  * chkstat: processEntries: separate printing code and simplify ownership flags
  * chkstat: processEntries: also add file_status and *_ok flags to EntryContext
  * chkstat: processEntries: also add caps to EntryContext
  * chkstat: also move fd_path into EntryContext
  * chkstat: processEntries(): introduce EntryContext data structure
  * chkstat: introduce class type to deal with capabilities
  * chkstat: overhaul of the main entry processing loop
  * chkstat: smaller cleanup of Chkstat::run()
  * chkstat: remove last global variables `root` and `rootl`
  * chkstat: refactor parsing of permission profiles
  * chkstat: replace global `permlist` by STL map
  * chkstat: remove now obsolete usage() function
  * chkstat: refactor collection of permission files
  * regtest: support --after-test-enter-shell
  * chkstat: change global euid variable into const class member
  * chkstat: replace global level, nlevel by a vector data structure
  * chkstat: refactor check_fscaps_enabled()
  * chkstat: refactor parse_sysconfig as a member function Chkstat::parseSysconfig
  * chkstat: introduce separate processArguments() and refactor --files logic
  * chkstat: replace C style checklist by std::set
  * chkstat: refactor command line parsing
  * allow /usr/libexec in
    addition to /usr/lib (bsc#1171164)
  * whitelist s390-tools setgid bit on log directory (bsc#1167163)
  * whitelist WMP (bsc#1161335)
  * regtest: improve readability of path variables by using literals
  * regtest: adjust test suite to new path locations in /usr/share/permissions
  * regtest: only catch explicit FileNotFoundError
  * regtest: provide valid home directory in /root
  * regtest: mount permissions src repository in /usr/src/permissions
  * regtest: move initialization of TestBase paths into the prepare() function
  * chkstat: support new --config-root command line option
  * fix spelling of icingacmd group
  * chkstat: fix readline() on platforms with unsigned char
  * remove capability whitelisting for radosgw
  * whitelist ceph log directory (bsc#1150366)
  * adjust testsuite to post CVE-2020-8013 link handling
  * testsuite: add option to not mount /proc
  * do not follow symlinks that are the final path element: CVE-2020-8013
  * add a test for symlinked directories
  * fix relative symlink handling
  * include cpp compat headers, not C headers
  * Move permissions and permissions.* except .local to /usr/share/permissions
  * regtest: fix the static PATH list which was missing /usr/bin
  * regtest: also unshare the PID namespace to support /proc mounting
  * regtest: bindMount(): explicitly reject read-only recursive mounts
  * Makefile: force remove upon clean target to prevent bogus errors
  * regtest: by default automatically (re)build chkstat before testing
  * regtest: add test for symlink targets
  * regtest: make capability setting tests optional
  * regtest: fix capability assertion helper logic
  * regtests: add another test case that catches set*id or caps in world-writable sub-trees
  * regtest: add another test that catches when privilege bits are set for special files
  * regtest: add test case for user owned symlinks
  * regtest: employ subuid and subgid feature in user namespace
  * regtest: add another test case that covers unknown user/group config
  * regtest: add another test that checks rejection of insecure mixed-owner paths
  * regtest: add test that checks for rejection of world-writable paths
  * regtest: add test for detection of unexpected parent directory ownership
  * regtest: add further helper functions, allow access to main instance
  * regtest: introduce some basic coloring support to improve readability
  * regtest: sort imports, another piece of rationale
  * regtest: add capability test case
  * regtest: improve error flagging of test cases and introduce warnings
  * regtest: support caps
  * regtest: add a couple of command line parameter test cases
  * regtest: add another test that checks whether the default profile works
  * regtests: add tests for correct application of local profiles
  * regtest: add further test cases that test correct profile application
  * regtest: simplify test implementation and readability
  * regtest: add helpers for permissions.d per package profiles
  * regtest: support read-only bind mounts, also bind-mount permissions repo
  * tests: introduce a regression test suite for chkstat
  * Makefile: allow to build test version programmatically
  * README.md: add basic readme file that explains the repository's purpose
  * chkstat: change and harmonize coding style
  * chkstat: switch to C++ compilation unit
  * remove obsolete/broken entries for rcp/rsh/rlogin
  * chkstat: handle symlinks in final path elements correctly
  * Revert "Revert "mariadb: settings for new auth_pam_tool (bsc#1160285)""
  * Revert "mariadb: settings for new auth_pam_tool (bsc#1160285)"
  * mariadb: settings for new auth_pam_tool (bsc#1160285)
  * add read-only fallback when /proc is not mounted (bsc#1160764)
  * capability handling fixes (bsc#1161779)
  * better error message when refusing to fix dir perms (#32)
  * fix paths of ksysguard whitelisting
  * fix zero-termination of error message for overly long paths
  * fix misleading indentation
  * fix changing of capabilities
  * fix warning text for unlisted files
  * fix error message with insecure sym links
  * remove useless if around
    realloc()
  * fix invalid free() when permfiles points to argv
  * use path-based operations with /proc/self/fd/X to avoid errors due to O_PATH
  * add .gitignore for chkstat binary
  * add/fix compiler warnings, free memory at exit
  * only open regular files/directories without O_PATH, fix stat buffer initialization
  * update
  * rewrite while protecting against symlinks and races
  * fix whitespace
  * faxq-helper: correct "secure" permission for trusted group (bsc#1157498)
  * whitelist ksysguard network helper (bsc#1151190)
  * fix syntax of paranoid profile
  * fix squid permissions (bsc#1093414, CVE-2019-3688)
  * setgid bit for nagios directory (bsc#1028975, bsc#1150345)
  * global: removal of unneeded SuSEconfig file and directory
  * global: restructure repository layout
  * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)
  * add one more missing slash for icinga2
  * fix more missing slashes for directories
  * cron directory permissions: add slashes
  * iputils: Add capability permissions for clockdiff
  * iputils/ping: Drop effective capability
  * iputils/ping6: Remove definitions
  * singularity: Add starter-suid for version 3.2.0
  * removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)
  * fixed error in description of permissions.paranoid. Make it clear that this is not a usable profile, but intended as a base for own developments
  * Misleading comment fix
  * removed old entry for wodim
  * removed old entry for netatalk
  * removed old entry for suidperl
  * removed old entry for utempter
  * removed old entry for hostname
  * removed old directory entries
  * removed old entry for qemu-bridge-helper
  * removed old entries for pccardctl
  * removed old entries for isdnctrl
  * removed old entries for unix(2)_chkpwd
  * removed old entries for mount.nfs
  * removed old entries for (u)mount
  * removed old entry for fileshareset
  * removed old entries for KDE
  * removed old entry for heartbeat
  * removed old entry for gnome-control-center
  * removed old entry for pcp
  * removed old entry for lpdfilter
  * removed old entry for scotty
  * removed old entry for ia32el
  * removed old entry for squid
  * removed old qpopper whitelist
  * removed pt_chown entries. Not needed anymore and a bad idea anyway
  * removed old majordomo entry
  * removed stale entries for old ncpfs tools
  * removed old entry for rmtab
  * Fixed type in icinga2 whitelist entry
  * New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox
  * Removed whitelist for /usr/bin/su.core. According to comment a temporary hack introduced 2012 to help moving su from coreutils to util-linux. I couldn't find it anywhere, so we don't need it anymore
  * Remove entry for /usr/bin/yaps. We don't ship it anymore and the group that is used doesn't exist anymore starting with Leap 15, so it will not work there anyway. Users using this (old) package can do this individually
  * removed entry for /etc/ftpaccess. We currently don't have it anywhere (and judging from my search this has been the case for quite a while)
  * Ensure consistency of entries, otherwise switching between settings becomes problematic
  * Fix spelling of SUSE
  * adjust settings for amanda to current binary layout
- Update to version 20181225:
  * etc/permissions: remove unnecessary entries (bsc#1182899)
- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)
- Update to version 20181224:
  * profiles: add entries for enlightenment (bsc#1171686)
- whitelist texlive public binary (bsc#1171686)
- Remove setuid bit for newgidmap and newuidmap in paranoid profile (bsc#1171173)
- correct spelling of icinga group (icingagmd -> icingacmd, bsc#1168364)
- whitelist s390-tools setgid bit on log directory (bsc#1167163)
- run testsuite during package build
- Update to version 20181224:
  * testsuite: adapt expected behavior to legacy branches
  * adjust testsuite to post CVE-2020-8013 link handling
  * testsuite: add option to not mount /proc
  * do not follow symlinks that are the final path element: CVE-2020-8013, bsc#1163922
  * add a test for symlinked directories
  * fix relative symlink handling
  * regtest: fix the static PATH list which was missing /usr/bin
  * regtest: also unshare the PID namespace to support /proc mounting
  * Makefile: force remove upon clean target to prevent bogus errors
  * regtest: by default automatically (re)build chkstat before testing
  * regtest: add test for symlink targets
  * regtest: make capability setting tests optional
  * regtest: fix capability assertion helper logic
  * regtests: add another test case that catches set*id or caps in world-writable sub-trees
  * regtest: add another test that catches when privilege bits are set for special files
  * regtest: add test case for user owned symlinks
  * regtest: employ subuid and subgid feature in user namespace
  * regtest: add another test case that covers unknown user/group config
  * regtest: add another test that
    checks rejection of insecure mixed-owner paths
  * regtest: add test that checks for rejection of world-writable paths
  * regtest: add test for detection of unexpected parent directory ownership
  * regtest: add further helper functions, allow access to main instance
  * regtest: introduce some basic coloring support to improve readability
  * regtest: sort imports, another piece of rationale
  * regtest: add capability test case
  * regtest: improve error flagging of test cases and introduce warnings
  * regtest: support caps
  * regtest: add a couple of command line parameter test cases
  * regtest: add another test that checks whether the default profile works
  * regtests: add tests for correct application of local profiles
  * regtest: add further test cases that test correct profile application
  * regtest: simplify test implementation and readability
  * regtest: add helpers for permissions.d per package profiles
  * regtest: support read-only bind mounts, also bind-mount permissions repo
  * tests: introduce a regression test suite for chkstat
- Update to version 20181224:
  * whitelist WMP (bsc#1161335)
  * Makefile: allow to build test version programmatically
  * chkstat: handle symlinks in final path elements correctly
  * add .gitignore for chkstat binary
  * faxq-helper: correct "secure" permission for trusted group (bsc#1157498)
  * fix syntax of paranoid profile
- Update to version 20181224:
  * mariadb: settings for new auth_pam_tool (bsc#1160285)
  * chkstat: capability handling fixes (bsc#1161779)
  * chkstat: fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594)
  * dumpcap: remove 'other' executable bit because of capabilities (boo#1148788, CVE-2019-3687)
  Sync upstream SLE-15-SP1 branch with our SLE-15-SP1:Update package. Therefore remove all of the following patches which are now included in the tarball:
  - 0001-whitelisting-update-virtualbox.patch
  - 0002-consistency-between-profiles.patch
  - 0003-var-run-postgresql.patch
  - 0004-var-cache-man.patch
  - 0005-singularity-starter-suid.patch
  - 0006-bsc1110797_amanda.patch
  - 0007-chkstat-fix-privesc-CVE-2019-3690.patch
  - 0008-squid-pinger-owner-fix-CVE-2019-3688.patch
  - 0009-chkstat-handle-missing-proc.patch
  - 0010-chkstat-capabilities-implicit-changes.patch
  Because of inconsistencies between the upstream branch and the package state the following previously missing changes are introduced by this update:
  - Update to version 20181117:
    * removed old entry for rmtab
    * Fixed typo in icinga2 whitelist entry
- fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594, 0009-chkstat-handle-missing-proc.patch)
- fix capability handling when doing multiple permission changes at once (bsc#1161779, 0010-chkstat-capabilities-implicit-changes.patch)
- fix invalid free() when permfiles points to argv (bsc#1157198, changed 0007-chkstat-fix-privesc-CVE-2019-3690.patch)
- fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688, 0008-squid-pinger-owner-fix-CVE-2019-3688.patch)
- fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690, 0007-chkstat-fix-privesc-CVE-2019-3690.patch)
- Updated permissions for amanda, added 0006-bsc1110797_amanda.patch (bsc#1110797)
- Added ./0005-singularity-starter-suid.patch (bsc#1128598) New whitelisting for /usr/lib/singularity/bin/starter-suid
- Added 0004-var-cache-man.patch. Removed entry for /var/cache/man. Conflicts with packaging and man:man is the better setting anyway (bsc#1133678)
- Added 0001-whitelisting-update-virtualbox.patch (bsc#1120650) New whitelisting for /usr/lib/virtualbox/VirtualBoxVM and removed stale entries for VirtualBox
- Added 0002-consistency-between-profiles.patch Ensure consistency of entries, otherwise switching between settings becomes problematic
- Added 0003-var-run-postgresql.patch (bsc#1123886) Whitelist for postgresql. Currently the checker doesn't complain because the directories aren't packaged, but that might change and/or our checkers might improve
- Update to version 20181116:
  * zypper-plugin: new plugin to fix bsc#1114383
  * singularity: remove dropped -suid binaries (bsc#1028304)
  * capability whitelisting: allow cap_net_bind_service for ns-slapd from 389-ds
  * setuid whitelisting: add fusermount3 (bsc#1111230)
  * setuid whitelisting: add authbind binary (bsc#1111251)
  * setuid whitelisting: add firejail binary (bsc#1059013)
  * setuid whitelisting: add lxc-user-nic (bsc#988348)
  * whitelisting: add smc-tools LD_PRELOAD library (bsc#1102956)
  * whitelisting: add spice-gtk usb helper setuid binary (bnc#1101420)
  * Fix wrong file path in help string
  * Capabilities for usage of Wireshark for non-root
- remove 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: is now contained in tarball.
- 0001-whitelisting-add-spice-gtk-usb-helper-setuid-binary-.patch: add whitelisting for the spice-gtk setuid binary (bsc#1101420) for improved usability.
- Update to version 20180125:
  * the error should be reported for permfiles[i], not argv[i], as these are not the same files.
    (bsc#1047247)
  * make btmp root:utmp (bsc#1050467)
- Update to version 20180115:
  * - polkit-default-privs: usbauth (bsc#1066877)
- fillup is required for post, not pre installation
- Cleanup spec file with spec-cleaner
- Drop conditions/definitions related to old distros
- Update to version 20171129:
  * permissions: adding gvfs (bsc#1065864)
  * Allow setgid incingacmd on directory /run/icinga2/cmd bsc#1069410
  * Allow fping cap_net_raw (bsc#1047921)
- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)
- Update to version 20171121:
  * - permissions: adding kwayland (bsc#1062182)
- Update to version 20171106:
  * Allow setuid root for singularity (group only) bsc#1028304
- Update to version 20171025:
  * Stricter permissions on cron directories (paranoid) and stricter permissions on sshd_config (secure/paranoid)
- Update to version 20170928:
  * Fix invalid syntax bsc#1048645 bsc#1060738
- Update to version 20170927:
  * fix typos in manpages
- Update to version 20170922:
  * Allow setuid root for singularity (group only) bsc#1028304
- Update to version 20170913:
  * Allow setuid for shadow newuidmap, newgidmap bsc#979282, bsc#1048645)
- Update to version 20170906:
  * permissions - copy dbus-daemon-launch-helper from / to /usr - bsc#1056764
  * permissions: Adding suid bit for VBoxNetNAT (bsc#1033425)
- BuildIgnore group(trusted): we don't really care for this group in the buildroot and do not want to get system-users into the bootstrap cycle as we can avoid it.
- Require: group(trusted), as we are handing it out to some unsuspecting binaries and it is no longer default. (bsc#1041159 for fuse, also cronie, etc)
- Update to version 20170602:
  * make /etc/ppp owned by root:root. The group dialout usage is no longer used
- Update to version 20160807:
  * suexec2 is a symlink, no need for permissions handling
- Update to version 20160802:
  * list the newuidmap and newgidmap, currently 0755 until review is done (bsc#979282)
  * root:shadow 0755 for newuidmap/newgidmap
- adding qemu-bridge-helper mode 04750 (bsc#988279)
- Introduce _service to easier update the package. For simplicity, change the version from yyyy.mm.dd to yyyymmdd (which is exactly %cd in the _service definition). Upgrading is no problem.
- chage only needs read rights to /etc/shadow, so setgid shadow is sufficient (bsc#975352)
- permissions: adding gstreamer ptp file caps (bsc#960173)
- the apache folks renamed suexec2 to suexec with symlink. adjust both (bsc#962060)
- pinger needs to be squid:root, not root:squid (there is no squid group) bsc#961363
- add suexec with 0755 to all standard profiles. this can and should be overridden in permissions.local if you need it setuid root. bsc#951765 bsc#263789
- added missing / to the squid specific directories (bsc#950557)
- adjusted radosgw to root:www mode 0750 (bsc#943471)
- radosgw can get capability cap_bind_net_service (bsc#943471)
- remove /usr/bin/get_printing_ticket; (bnc#906336)
- Added iouyap capabilities (bnc#904060)
- %{_bindir}/get_printing_ticket turned to mode 700, setuid root no longer needed (bnc#685093)
- permissions: incorporating squid changes from bnc#891268
- hint that chkstat --system --set needs to be run after editing bnc#895647

/bin/sh
obs-power9-06 1665575505
20200127-lp153.24.15.1
permissions
permissions.easy
permissions.local
permissions.paranoid
permissions.secure
chkstat
sysconfig.security
permissions.5.gz
chkstat.8.gz
/etc/
/usr/bin/
/usr/share/fillup-templates/
/usr/share/man/man5/
/usr/share/man/man8/
-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection
-g
obs://build.opensuse.org/openSUSE:Maintenance:17695/openSUSE_Leap_15.3_Update/cf14000bb6f6d39a9df31284323bdf53-permissions.openSUSE_Leap_15.3_Update
cpio
xz
5
ppc64le-suse-linux
ASCII text
ELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, BuildID[sha1]=561da3accd15c69cc533d81b60462c24aa6dd2c9, for GNU/Linux 3.10.0, stripped
troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)
utf-8
>zmj< n W텫?!a3jCE@ة,I&a{spgt@m91|R/߈|Njэ9HzjsflE*W{({h<蜁Hȏ/Q))!ɷݶV.ǯigNɫM9ơ@9OµJD>˝D0~Zc#?~gcfqF/0?}*1_p(x6 EEOB3Ei#d}pDCܱ(ÚGv̽*aRS_V̂ *%3oS;31鬢 ߹ ȸE6cTMܫJvZkK}BF#`mܧ#QmÊ]\?Wy0ߗGDPVhNilj U8MZ/] RUciW^EGEL֯D ~D+ul#z{~6FHDH疴FOG@ffP"={"C\,7\dΌ)wr(!o<_69c.V |YdMYNa;,rhq5+Ρ eۃ?`qa{F\܌_q/<TX.['lGRo-u[ͪ` ' XW9lG*Ù Ab`4SgpDə3RȀOï4p^㦽U+iwQ3~YG}e/_"-{x$"ϐH|O];2ٵ\iĿma72FT/b9?5:b8w<\ |rb,"=s =ЃUo(m74'?h4Ee[hPʤ-\u ["leuLf>_[+G< iIr(xlb;)=kp=чzhiL X:i.-`R" I) C9(ˮğעHJjA>T0%vGO"Kz78zj}h_ P 6R(XF4da Wp`ZIĆc3 ,S#zEIamzニΣcFK>`8m@gSĵķlՐ=վjtB킐_~E5Y 58_U8{8Hǿq$f0@' J/FpG1X,O%scK TepeXI]bJ"ڼSo]_sx]GnhdM$sO\ri." 9+>2J4_qfU9g>{{U),#F al;ߟv%SnRS-֊e]-] 2 jeK1ļ{$b?Ju: OuΣ奭C #<<b!.j&;\j[|CNvevtOd5!^/PM! D~QwLlAMIĺ"@}+U#e*fƁfPƜVA*78¶6$K(kҀb7ʶ{u9gwnn.eau']ٌC8" l&.}2WUC#ufob__0߾7T9<͹3NtnLd= D_ kbiKjp<`7-' t P\e.…8^JѹfkHh(-9 ^5V4KC 3&.oRq-FvD3]Git9O:<2P[lO]i#t8Xw\ZȰm@U`=]]2`5YW|1k;fy0UTX}"FXX%N`v qCM:yWj?ƹxY# 8ml#H7Rp!x6TsaXvs3䀁ԐY<:I,h1yn7GDJBi! Noq38[eL.6X(.aj4\I=q+Ur$v4٧8(R:ec!Ly F}~ ^E$zs%Nh< NQqZKJa[!s74R>zYGJ꽦}ij|*fXLas4\0 :錘| HODJ1#+RjNzr*r))4s#|vbChPQE;$22[aNH<]g ǞU`\lD¼b$;ٸ]g:׷Dt,*wwQDlۮu D`ko(};ͩh2a~#ofE:1x^$g@ {hbM!S"m>W@?y*\sDBXNݿA@OhP6cyTZ=} ; }5\y?N"FC.]bsWմSAEZfbh $6&2@k8Hxp~ge '2V XW> S,hmkYhBhGc e1J)ʡRxR2?+ˁT%fDɈoժ|Xo@@[.8NY n/kb_ՉKƠFTy$UEZ]Bmkޒ{B9E*xSԓG^8^xߋb`.hs㔥S5|:0ȹ> nҍ\{^V|;%"OKt!0E֦r{҃JR"W51i= :Fu杤 CՒNt}-N u9JrZs/JL/hn$q;7,DUIkggF76SI?.@'>VbS8>9(ʞ;ƾ&1s֏k2Y|y7@XrP;M])H2™5洺@~!wHZ~ dGD[؝T3C\`Va: RFشz L+.a`NJD^Ys5: uany>T "n Á6]ӆGMtaZ'.fח+Ǟ{{kS55aZyZoxC+)Pvv}?9N< kE@㕞>}4yrߢl: bHl+ӇBwq48 h*zc!)ᕰ4VO\U>X;C_3-)KyJ8(Hپ&N\ӪB!G6B÷^+dž4epTSf}U? 
퍟H[#ò!]Qś3נu0h.ۖ'l;$S DZ1Vb&14c-SQj:B!HuE;55bѝ,]>ɫ噱䩓vӦpқ.C57sxLl-' wMBJ;+Y ESGtoa)Z@ Ѽر[c#ZKihv<ݚ46, "0Nr;t.i00)(f=K>qzj-c(SYf89;)u!Fw䈘FB`9ӑ(~_+7VzaH.0BUxVd Ø9uVhJe(d<ÌjtC.J ^gpy)_d jF)ڀ(yhM|Fv@Ze=^!N\<ʆS5& ;PEBS &7>e\It&!acx 105EPu+Kn@mImy/32TdVwFri6:S5L1w)şA K7x<$.ԊGb5(h_=^?O^: ܡ]&Wв"}j"\$-٨&&r7%Bd)像E2\fZH{-U[qv\bKb#w\0hp&%E{rOwM%qJU  HPG1,)E S)Zw-'ÝA(u s˹5 PaأzN{b"X+ 6𾴘B+/<{~o鲐mnr8 Fv$Lx 2j4lꌘ3$r,ΰu1f?bE{ģXxrW#Z65-Γ_ss [MѿXF{/bY0^tE$BT b(\ Kyܼ?%4Iwv4.߆./2I \v3) yvsΦVTK>}p0a>5b76?Usksÿ6[ َFڰM a iRѶKdyʩ7ZӤ0)"\1XvVUeg9D]G~ Qp; cgT92r}P$T<8^6x (Ss5mg)Mo7!Y{ΫC٨fuRmg:ZSh$AɖL#Z:5:ՆL7e͙fr-:0 ƵeS4RMzcK @/͊H }!3 "Wј)ll D/ڭjwھ%f˂{;$CutRߏ ]':UU5Y|t5:YD9 $p4f80 \UYgK{ʖ@'@ny`|}}EIgh"noihHui% =j X{zWRc-%K P@ް dpyXC>Ǜ2y BL"}߲ C^'x{/4nI2 Y+TfIێ>`t6>wpK , YZ