Scroll to navigation

PERMCTL(8)   PERMCTL(8)

NAME

permctl - tool to check and set system wide file permissions

SYNOPSIS

permctl [OPTIONS] <permission-files...>

permctl --system [OPTIONS] <files...>

DESCRIPTION

The program /usr/bin/permctl is a tool to check and set file permissions. It was previously called chkstat, but has been renamed to better describe its purpose.

permctl can either operate in system mode or on individually specified permission files. In system mode, the file /etc/sysconfig/security determines which profile to use and whether to actually apply permission changes.

OPTIONS

--system

Run in system mode. Parses /etc/sysconfig/security to determine which profile / security level to use (PERMISSION_SECURITY) and whether to set or merely warn about permission changes (CHECK_PERMISSIONS). In system mode, any non-option arguments limit the set of files to operate on; i.e. just as if the --examine option was specified for them.

--set

Actually apply the file permissions. The default is to check and warn only, unless in system mode, where CHECK_PERMISSIONS specifies the default behavior.

--warn

Opposite of --set, i.e. warn only, but don’t make actual changes.

--noheader

Omit printing the output header lines which describe the configuration files used by permctl.

--fscaps, --no-fscaps

Enable or disable use of file based capabilities. In system mode the setting of PERMISSIONS_FSCAPS determines whether capabilities are applied, when this option is not set.

--examine <file...>

Check permissions for this file instead of all files listed in the permissions files. Can appear multiple times.

--files <filelist...>

Check permissions for the files listed in filelist instead of all files listed in the permissions files. Can appear multiple times. The files must contain the file paths to check, one per line.

--root <directory>

Check files relative to the specified directory.

ENVIRONMENT VARIABLES

PERMCTL_ALLOW_INSECURE_MODE_IF_NO_PROC

Allow to operate without mounted /proc file system. This is an unsafe mode that must only be used in controlled environments where unprivileged users can’t influence file system operation.

EXIT STATUS

permctl returns 1 if any fatal errors have been encountered that prevented it from determining or adjusting file permissions. It returns 2 if --warn was given and one or more entries need fixing. In all other cases it returns 0.

EXAMPLES

permctl --set /usr/share/permissions/permissions /usr/share/permissions/permissions.secure

Parses the supplied permission configuration files and applies the permission settings for all files listed there.

permctl --system /usr/bin/ping

Run in system mode and only correct permissions of /usr/bin/ping.

SEE ALSO

permissions(5)

COPYRIGHT

1996-2003 SuSE Linux AG, Nuernberg, Germany.
2008-2019 SUSE LINUX Products GmbH
2019-2024 SUSE Software Solutions Germany GmbH

AUTHORS

Reinhold Sojer, Ruediger Oertel, Michael Schroeder, Ludwig Nussel

Useful changes and additions by Tobias Burnus

Major refactoring by Matthias Gerstner, Malte Kraus

05/22/2024