
PERMCTL(8)   PERMCTL(8)

NAME

permctl - tool to check and set system-wide file permissions

SYNOPSIS

permctl [OPTIONS] <permission-files...>

permctl --system [OPTIONS] <files...>

DESCRIPTION

The program /usr/bin/permctl is a tool to check and set file permissions. It was previously called chkstat, but has been renamed to better describe its purpose.

permctl can either operate in system mode or on individually specified permissions(5) files. In system mode, the file /etc/sysconfig/security determines which profile to use and whether to actually apply permission changes. When explicit file paths are specified in system mode, then only the permissions of the given paths will be checked and adjusted. If no paths are specified then all paths listed in the configured permissions profiles will be processed.

The main purpose of permctl is to manage security-sensitive file permissions in the system, such as setuid-root bits, capability bits or access control lists (ACLs). The permissions configuration files allow these file permissions to be adjusted to match the user’s needs. The system-wide permissions profiles also act as a gatekeeping mechanism in SUSE distributions: packages may not install security-sensitive programs (e.g. ones carrying a setuid-root bit) unless they are listed in the permissions profiles.

OPTIONS

--system

Run in system mode. Parses /etc/sysconfig/security to determine which profile / security level to use (PERMISSION_SECURITY) and whether to set or merely warn about permission changes (CHECK_PERMISSIONS). In system mode, any non-option arguments limit the set of files to operate on, i.e. just as if the --examine option had been specified for them.

--set

Actually apply the file permissions. The default is to check and warn only, unless in system mode, where CHECK_PERMISSIONS specifies the default behavior.

--warn

Opposite of --set, i.e. warn only, but don’t make actual changes.

--noheader

Omit printing the output header lines which describe the configuration files used by permctl.

--fscaps, --no-fscaps

Enable or disable the use of file-based capabilities. In system mode, when neither option is given, the setting of PERMISSIONS_FSCAPS determines whether capabilities are applied.

--examine <file...>

Check permissions for this file instead of all files listed in the permissions files. Can appear multiple times.

--files <filelist...>

Check permissions for the files listed in filelist instead of all files listed in the permissions files. Can appear multiple times. The files must contain the file paths to check, one per line.

--root <directory>

Check files relative to the specified directory.

--config-root <dir>

Look up configuration files relative to the given root directory. This is only intended for testing purposes.

--level "level1 [level2...]"

Force the application of the given security level(s), e.g. "local paranoid" would apply the local and paranoid permission profiles. This overrides the settings found in /etc/sysconfig/security (only supported in --system mode).

ENVIRONMENT VARIABLES

PERMCTL_ALLOW_INSECURE_MODE_IF_NO_PROC

Allow operating without a mounted /proc file system. This is an unsafe mode that must only be used in controlled environments where unprivileged users can’t influence file system operations.

EXIT STATUS

permctl returns 1 if any fatal errors have been encountered that prevented it from determining or adjusting file permissions. It returns 2 if --warn was given and one or more entries need fixing. In all other cases it returns 0.
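The check/set behaviour and exit status convention described above (warn-only versus --set, status 0/1/2), as an added, self-contained Python model of that logic; this is not permctl's own code and it does not read permissions(5) profiles. The profile entries, the file tree under a temporary --root directory and the "drifted" setuid bit are all constructed inline, and the check is limited to mode bits (owner and group checks would need root privileges to correct):

```python
import os
import shutil
import stat
import tempfile

# Exit status convention taken from the permctl man page:
# 0 = nothing to do (or everything fixed), 1 = fatal error, 2 = warn mode found drift.
EXIT_OK, EXIT_FATAL, EXIT_NEEDS_FIX = 0, 1, 2


def check_entries(entries, root="/", set_mode=False):
    """Compare the actual mode bits of each entry with the expected bits.

    entries: constructed list of (path, expected_mode) pairs; the real tool
    reads these from permissions(5) profiles, which are not modelled here.
    Returns (exit_status, findings) where findings is a list of
    (path, actual_mode, expected_mode). In warn mode any drift yields 2;
    in set mode drift is corrected with chmod and the status is 0 unless a
    fatal error occurred.
    """
    findings = []
    fatal = False
    for rel_path, expected in entries:
        path = os.path.join(root, rel_path.lstrip("/"))
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            # Profiles list files of optional packages; missing ones are skipped.
            continue
        except OSError:
            fatal = True
            continue
        if stat.S_ISLNK(st.st_mode):
            # Never follow symlinks when checking or fixing security-sensitive bits.
            continue
        actual = stat.S_IMODE(st.st_mode)
        if actual == expected:
            continue
        findings.append((path, actual, expected))
        if set_mode:
            try:
                os.chmod(path, expected)
            except OSError:
                fatal = True
    if fatal:
        return EXIT_FATAL, findings
    if findings and not set_mode:
        return EXIT_NEEDS_FIX, findings
    return EXIT_OK, findings


def demo():
    """Build a throwaway tree, introduce drift, then run warn and set passes.

    Returns (warn_status, warn_findings, set_status, recheck_status).
    """
    root = tempfile.mkdtemp()  # stands in for the --root directory
    # Constructed entries: ping without setuid, passwd with setuid-root bit.
    entries = [("/usr/bin/ping", 0o0755), ("/usr/bin/passwd", 0o4755)]
    try:
        for rel_path, mode in entries:
            path = os.path.join(root, rel_path.lstrip("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as handle:
                handle.write("#!/bin/sh\n")
            os.chmod(path, mode)
        # Drift: a setuid bit appears on a binary that should not carry one.
        os.chmod(os.path.join(root, "usr/bin/ping"), 0o4755)

        warn_status, warn_findings = check_entries(entries, root, set_mode=False)
        for path, actual, expected in warn_findings:
            print(f"{path}: mode {actual:04o}, expected {expected:04o}")
        set_status, _ = check_entries(entries, root, set_mode=True)
        recheck_status, _ = check_entries(entries, root, set_mode=False)
        return warn_status, len(warn_findings), set_status, recheck_status
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The warn pass reports the drifted entry and returns 2 without touching the file; the set pass corrects it and returns 0; a second warn pass then returns 0 with no findings, which is the sequence an administrator would see when running permctl first with --warn and then with --set.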

EXAMPLES

permctl --set /usr/share/permissions/permissions /usr/share/permissions/permissions.secure

Parses the supplied permission configuration files and applies the permission settings for all files listed there.

permctl --system /usr/bin/ping

Run in system mode and only correct permissions of /usr/bin/ping.

SEE ALSO

permissions(5)

COPYRIGHT

1996-2003 SuSE Linux AG, Nuernberg, Germany.
2008-2019 SUSE LINUX Products GmbH
2019-2026 SUSE Software Solutions Germany GmbH

AUTHORS

Reinhold Sojer, Ruediger Oertel, Michael Schroeder, Ludwig Nussel

Useful changes and additions by Tobias Burnus

Major refactoring by Matthias Gerstner, Malte Kraus

01/02/2026