Matthias Gerstner changed bug 1114383
What Removed Added
CC   ma@suse.com

Comment # 6 on bug 1114383 from
Ah, I missed the bit that the reporter seems to have added custom set*id
permissions for kcheckpass via the permissions file. So I got this partly
wrong.

Entries in /etc/permissions.local actually only work reliably for locally
installed files like in /usr/local/... that are not managed by zypper. Or for
overriding permissions of files that ship with set*id and thus call
%set_permissions and %verify_permissions.

There has been a long discussion regarding pam_yubico and gnome / KDE
screensavers [1]. It is a difficult topic. There will always be some PAM
modules that don't work without root privs. But having a lot of set*id
binaries is also not desirable.

SuSEconfig was removed in openSUSE 10.3, because it was only invoked by YaST
but not by zypper or rpm directly. I don't know of any replacement. Maybe
there is a possibility to run a hook script after certain zypper operations?
Adding the zypper maintainer, maybe he has got some input on this.

@fvogt: Since there seem to be at least some valid use cases to add a custom
setuid bit to kcheckpass, you could still add calls to %set_permissions and
%verify_permissions to your package, to allow users to override the
permissions in a defined way.

Otherwise only hacks come to my mind:

- adding a system start service or cron job to call 'chkstat' on a regular
  basis
- using a wrapper around 'zypper' to run chkstat after each zypper in/up/dup
  operation

[1]: https://github.com/Yubico/yubico-pam/issues/113
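
One way to detect the situation discussed in this comment, where a package update resets a set*id mode configured via /etc/permissions.local. This script is an added example, not part of the original comment or of the permissions package. It assumes the "path owner:group mode" entry format and GNU stat; the function name perm_drift is hypothetical, and only modes are compared, not ownership.

```shell
#!/bin/sh
# Added example: report files whose on-disk mode differs from the mode
# requested in a permissions-format file ("path owner:group mode").
# Assumptions: GNU stat (stat -c); ownership is not compared.

# perm_drift FILE
#   prints "path expected actual" for every drifted entry
#   returns 0 if nothing drifted, 1 if at least one entry did
perm_drift() {
    perm_file=$1
    drift=0
    while read -r entry_path _owner mode _rest; do
        case $entry_path in ''|\#*) continue ;; esac   # blank line or comment
        case $mode in ''|*[!0-7]*) continue ;; esac    # no valid octal mode
        [ -e "$entry_path" ] || continue               # file is not installed
        actual=$(stat -c '%a' "$entry_path") || continue
        # A leading 0 makes the shell read both values as octal, so
        # "0755" and "755" compare equal and "4755" vs "755" does not.
        if [ $((0$mode)) -ne $((0$actual)) ]; then
            printf '%s %s %s\n' "$entry_path" "$mode" "$actual"
            drift=1
        fi
    done < "$perm_file"
    return $drift
}

# Stand-alone use: pass the permissions file to audit as the first argument.
if [ $# -gt 0 ]; then
    perm_drift "$1"
fi
```

A non-zero exit status after a zypper in/up/dup run indicates that an override no longer matches the installed file and that chkstat needs to be run again.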