[opensuse-security] Tumbleweed /etc/permissions*
Hi *,

I have a few questions regarding the files /etc/permissions* and chkstat on a Tumbleweed system:

According to the man pages and docs, chkstat is called whenever a configuration change was made. And chkstat should look into /etc/sysconfig/security to find the permissions.<type> file(s) to use.

I have configured

PERMISSION_SECURITY="easy local"
PERMISSION_FSCAPS="yes"

in my /etc/sysconfig/security file so chkstat should use

/etc/permissions.easy and /etc/permissions.local

and it should honour capability settings in these files.

In /etc/permissions.local I have

/usr/bin/gnome-keyring-daemon root:root 0755
 +capabilities cap_ipc_lock=+ep

But every time an update for the gnome-keyring package gets installed, the keyring daemon misses the configured capabilities.
So obviously chkstat isn't called in this case.

What configuration changes are meant by the docs then? Shouldn't zypper also call chkstat after installation of all new packages? Or do I misunderstand the intention of the permissions package including chkstat?

Thx and bye.
Michael.

--
Michael Hirmke

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
On Thu, Jul 13, 2017 at 09:25:00PM +0200, Michael Hirmke wrote:
> Hi *,
>
> I have a few questions regarding the files /etc/permissions* and chkstat on a Tumbleweed system:
>
> According to the man pages and docs, chkstat is called whenever a configuration change was made. And chkstat should look into /etc/sysconfig/security to find the permissions.<type> file(s) to use.
>
> I have configured
>
> PERMISSION_SECURITY="easy local"
> PERMISSION_FSCAPS="yes"
>
> in my /etc/sysconfig/security file so chkstat should use
>
> /etc/permissions.easy and /etc/permissions.local
>
> and it should honour capability settings in these files.
>
> In /etc/permissions.local I have
>
> /usr/bin/gnome-keyring-daemon root:root 0755
>  +capabilities cap_ipc_lock=+ep
>
> But every time an update for the gnome-keyring package gets installed, the keyring daemon misses the configured capabilities.
> So obviously chkstat isn't called in this case.
>
> What configuration changes are meant by the docs then? Shouldn't zypper also call chkstat after installation of all new packages? Or do I misunderstand the intention of the permissions package including chkstat?
There needs to be special %post and %verify scripts in the packages that need hooks in the permissions framework to refresh the permissions if the /usr/bin/gnome-keyring-daemon should behave like this.

chkstat is not explicitly run except from %post and %verify scripts these days.

gnome-keyring-daemon is not set up for it at this time, so either it gets added there or you have to run chkstat --system after every update of gnome-keyring-daemon.

Ciao, Marcus
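Since, as Marcus explains, nothing re-applies the local permissions entries after an update unless the package itself hooks into the framework, an administrator needs a way to notice that the capabilities declared in /etc/permissions.local have silently disappeared from a binary. The script below is an added example for this thread, not code from the openSUSE permissions package. It parses the permissions file format described in chkstat(8) (a `path owner:group mode` line optionally followed by a `+capabilities <cap text>` line, `#` comments), reads getcap(8) output in both its `path cap=flags` and older `path = cap+flags` forms, normalises both sides through a small cap_from_text(3)-style interpreter so that `cap_ipc_lock=+ep` and `cap_ipc_lock=ep` compare equal, and reports every entry whose declared capabilities are not actually present. The sample permissions file and getcap output embedded in it are constructed for the example; the `live_actual_caps` helper is the only part that touches the running system.

```python
"""Report chkstat permissions entries whose declared file capabilities
are missing on disk. Added example for this thread (not part of the
openSUSE permissions package). Assumes the permissions file format of
chkstat(8) and getcap(8) output in either the 'path cap=flags' or the
older 'path = cap+flags' form."""
import subprocess
import sys
from typing import Dict, FrozenSet, List, Tuple

CapSet = FrozenSet[Tuple[str, FrozenSet[str]]]


def parse_cap_text(text: str) -> CapSet:
    """Interpret cap_from_text(3)-style text such as 'cap_ipc_lock=+ep' into a
    canonical set of (capability, flags). Handles the per-capability clause
    grammar (names, then operator/flag pairs); the 'all' shorthand is not."""
    flags: Dict[str, set] = {}
    for clause in text.split():
        i = 0
        while i < len(clause) and clause[i] not in "=+-":
            i += 1
        names = [n for n in clause[:i].split(",") if n]
        actions = clause[i:]
        j = 0
        while j < len(actions):          # walk pairs like ("=", ""), ("+", "ep")
            op = actions[j]
            k = j + 1
            while k < len(actions) and actions[k] not in "=+-":
                k += 1
            fl = set(actions[j + 1:k])
            for n in names:
                cur = flags.setdefault(n, set())
                if op == "=":            # '=' replaces the flag set
                    cur.clear()
                    cur |= fl
                elif op == "+":
                    cur |= fl
                else:
                    cur -= fl
            j = k
    return frozenset((n, frozenset(f)) for n, f in flags.items() if f)


def parse_permissions(text: str) -> Dict[str, dict]:
    """Parse a chkstat permissions file into {path: {owner, group, mode, caps}}."""
    entries: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("+capabilities"):   # continuation of the previous entry
            if current is not None:
                entries[current]["caps"] = line[len("+capabilities"):].strip()
            continue
        parts = line.split()
        if len(parts) != 3 or ":" not in parts[1]:
            raise ValueError(f"unparseable permissions line: {raw!r}")
        path, ownergroup, mode = parts
        owner, group = ownergroup.split(":", 1)
        entries[path] = {"owner": owner, "group": group, "mode": int(mode, 8), "caps": ""}
        current = path
    return entries


def parse_getcap(text: str) -> Dict[str, str]:
    """Turn getcap output into {path: cap text}; files without capabilities
    produce no line and are therefore absent from the result."""
    caps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:                # older libcap format
            path, captext = line.split(" = ", 1)
        else:                            # 'path cap=flags' format
            path, _, captext = line.partition(" ")
        caps[path.strip()] = captext.strip()
    return caps


def find_drift(expected: Dict[str, dict], actual: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, declared caps, caps found) for every entry whose declared
    capabilities are missing or differ; entries declaring none are skipped."""
    drift = []
    for path, entry in expected.items():
        if not entry["caps"]:
            continue
        have = actual.get(path, "")
        if parse_cap_text(entry["caps"]) != parse_cap_text(have):
            drift.append((path, entry["caps"], have))
    return drift


def live_actual_caps(paths: List[str]) -> Dict[str, str]:
    """Query getcap(8) for the given paths on the running system."""
    out = subprocess.run(["getcap", *paths], capture_output=True, text=True, check=False).stdout
    return parse_getcap(out)


# Constructed sample data: a permissions.local with the entry from the thread,
# and getcap output from a box where an update just replaced the keyring binary.
SAMPLE_PERMISSIONS = """\
# constructed sample in /etc/permissions.local format
/usr/bin/gnome-keyring-daemon root:root 0755
 +capabilities cap_ipc_lock=+ep
/usr/bin/ping root:root 0755
 +capabilities cap_net_raw=ep
/usr/bin/example-no-caps root:root 0755
"""
SAMPLE_GETCAP = "/usr/bin/ping cap_net_raw=ep\n"

if __name__ == "__main__":
    perm_file = sys.argv[1] if len(sys.argv) > 1 else "/etc/permissions.local"
    with open(perm_file, encoding="utf-8") as fh:
        wanted = parse_permissions(fh.read())
    missing = find_drift(wanted, live_actual_caps([p for p, e in wanted.items() if e["caps"]]))
    for path, want, have in missing:
        print(f"{path}: declared '{want}', found '{have or 'none'}'")
    sys.exit(1 if missing else 0)
```

Run as root after a `zypper dup` (or from the cron job Carlos mentions); a non-zero exit means `chkstat --system` needs to be re-run for at least one entry. Comparing the canonical capability sets rather than the raw strings matters because getcap prints `cap_ipc_lock=ep` for a file that was set from the `cap_ipc_lock=+ep` text in the permissions file.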
On 2017-07-13 22:41, Marcus Meissner wrote:
> On Thu, Jul 13, 2017 at 09:25:00PM +0200, Michael Hirmke wrote:
>> So obviously chkstat isn't called in this case.
>>
>> What configuration changes are meant by the docs then? Shouldn't zypper also call chkstat after installation of all new packages? Or do I misunderstand the intention of the permissions package including chkstat?
>
> There needs to be special %post and %verify scripts in the packages that need hooks in the permissions framework to refresh the permissions if the /usr/bin/gnome-keyring-daemon should behave like this.
>
> chkstat is not explicitly run except from %post and %verify scripts these days.
Would it be a good or a bad idea to have it in cron? Just thought of it, and I don't know.

--
Cheers / Saludos,
Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
Hi Marcus,

thx for your answer, but ...
> On Thu, Jul 13, 2017 at 09:25:00PM +0200, Michael Hirmke wrote:
>> Hi *,
>>
>> I have a few questions regarding the files /etc/permissions* and chkstat on a Tumbleweed system:
>>
>> According to the man pages and docs, chkstat is called whenever a configuration change was made. And chkstat should look into /etc/sysconfig/security to find the permissions.<type> file(s) to use.
>> [...]
>> What configuration changes are meant by the docs then? Shouldn't zypper also call chkstat after installation of all new packages? Or do I misunderstand the intention of the permissions package including chkstat?
>
> There needs to be special %post and %verify scripts in the packages that need hooks in the permissions framework to refresh the permissions if the /usr/bin/gnome-keyring-daemon should behave like this.
... then every package maintainer has to add it to his packages. And what's more, the maintainer doesn't even know that an administrator of a certain system wants to add capabilities or special permissions to one of the package files. On the other hand, an administrator may forget that in an update of a few hundred packages there is one that needs a rerun of chkstat. So IMHO it would be great to have it run automatically, for example when zypper [up|dup|patch] finishes. It could be controlled by a parameter in zypp.conf.
> chkstat is not explicitly run except from %post and %verify scripts these days.
>
> gnome-keyring-daemon is not set up for it at this time, so either it gets added there or you have to run chkstat --system after every update of gnome-keyring-daemon.
>
> Ciao, Marcus
Bye.
Michael.

--
Michael Hirmke
On 2017-07-14 11:51, Michael Hirmke wrote:
> Hi Marcus,
>
> thx for your answer, but ...
>
>> On Thu, Jul 13, 2017 at 09:25:00PM +0200, Michael Hirmke wrote:
>>> Hi *,
>>>
>>> I have a few questions regarding the files /etc/permissions* and chkstat on a Tumbleweed system:
>>>
>>> According to the man pages and docs, chkstat is called whenever a configuration change was made. And chkstat should look into /etc/sysconfig/security to find the permissions.<type> file(s) to use.
>>> [...]
>>> What configuration changes are meant by the docs then? Shouldn't zypper also call chkstat after installation of all new packages? Or do I misunderstand the intention of the permissions package including chkstat?
>>
>> There needs to be special %post and %verify scripts in the packages that need hooks in the permissions framework to refresh the permissions if the /usr/bin/gnome-keyring-daemon should behave like this.
>
> ... then every package maintainer has to add it to his packages. And what's more, the maintainer doesn't even know that an administrator of a certain system wants to add capabilities or special permissions to one of the package files. On the other hand, an administrator may forget that in an update of a few hundred packages there is one that needs a rerun of chkstat. So IMHO it would be great to have it run automatically, for example when zypper [up|dup|patch] finishes. It could be controlled by a parameter in zypp.conf.
That's how it was run some years ago. In the past YaST or zypper ran "SuSEconfig" at the end of each modification run, and that script took care of everything.

--
Cheers / Saludos,
Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
Hi Carlos,

[...]

>>> There needs to be special %post and %verify scripts in the packages that need hooks in the permissions framework to refresh the permissions if the /usr/bin/gnome-keyring-daemon should behave like this.
>>
>> ... then every package maintainer has to add it to his packages. And what's more, the maintainer doesn't even know that an administrator of a certain system wants to add capabilities or special permissions to one of the package files. On the other hand, an administrator may forget that in an update of a few hundred packages there is one that needs a rerun of chkstat. So IMHO it would be great to have it run automatically, for example when zypper [up|dup|patch] finishes. It could be controlled by a parameter in zypp.conf.
>
> That's how it was run some years ago. In the past YaST or zypper ran "SuSEconfig" at the end of each modification run, and that script took care of everything.
Yeah, I remember the good old times ;) Not sure, though, if zypper already existed at that time, but yes, YaST called SuSEconfig. I wonder why it was left out at some point.

> --
> Cheers / Saludos,
> Carlos E. R.
Bye.
Michael.

--
Michael Hirmke