
PERMISSIONS(5)   PERMISSIONS(5)

NAME

permissions - manage system wide file permission settings

SYNOPSIS

The permctl(8) program sets permissions and ownerships of files according to the permission configuration files described in this manual page.

DESCRIPTION

File Format

The files /usr/share/permissions/permissions.* are line based and whitespace delimited. Lines starting with '#' are comments. A permissions entry consists of lines of the following format:

:package: pkg1[,pkg2...]
/path/to/file user:group 0755

+capabilities cap_net_admin=ep
+acl user:somebody:rwx

The main part of an entry is the file path specification as seen in the second line, which consists of three whitespace separated columns:

•The first column specifies the file path. Directory paths must end with a slash.

•The second column specifies the designated file owner and group delimited by a ':' character.

•The third column specifies the designated file mode in octal.

Basic file entries can be extended by immediately following lines starting with +<keyword>. The following keywords are supported:

+capabilities

grant Linux capabilities to the file. The string specified here must conform to the rules found in cap_from_text(3).

+acl

grant additional access control list (ACL) entries to the file. The string specified here must conform to the rules found in acl(5) (section ACL TEXT FORMS). The ACL entries will be merged with the basic octal file mode, therefore they must not contain any permissions for the file owner, group or other. If a file has extended ACL entries assigned on disk, but none are configured in the permissions configuration, the extended ACL entries will be removed by permctl(8).

The optional :package: directive restricts the following path entries to files owned by the given comma separated list of packages. The designated permissions will then only be assigned to the target file if it is owned by one of the specified packages according to the RPM system database. This setting is in effect for all subsequent permission entries in the file until another :package: directive is encountered. Entries appearing before any :package: line will always be applied without inspecting target file package ownership.

The file name in the first column of the base entry can contain variables as defined in the variables.conf file. A variable expands to one or more alternative path segments that relate to the same program or file. permctl will look in each possible path resulting from the variable expansion and apply the permissions accordingly.

Path Variable Expansion via variables.conf

The variables.conf file will ignore empty lines, whitespace only lines or comment lines starting with '#'. All other lines must contain variable definitions that follow the syntax 'myvar = /path/1 /path/2'. This example will declare a variable identified as myvar that will expand to both specified path segments.

Path segments appearing in variable assignments need to be separated by whitespace characters. The path values cannot contain whitespace themselves. The variable identifier is limited to alphanumeric characters and the underscore character.

To reference a variable in a permissions file, it needs to be dereferenced using the %{myvar} syntax. The variable needs to appear as a single path component and cannot be mixed with other literal characters. Multiple variables per path are allowed. The following are valid uses of variables:

- %{myvar}/sub/path
- /parent/path/%{myvar}
- /parent/path/%{myvar}/sub/path
- %{var1}/path/%{var2}

While the following are invalid:

- /prefix/pre%{myvar}suf/suffix
- /%{var}text/path
- /path/text%{var}

Configuration File Locations

/usr/share/permissions/variables.conf

contains variable expansion definitions.

The permctl program, when run in --system mode, will assemble a set of configuration entries depending on the profiles configured in /etc/sysconfig/security. The order of files parsed (with increasing priority) is as follows:

/usr/share/permissions/permissions

contains fixed entries independent of the active profile.

/usr/share/permissions/permissions.<profile>

contains the per-profile configuration of files.

/usr/share/permissions/packages.d/*

contains per-package drop-in configuration files, which can also exist in fixed or in different profile variants.

/etc/permissions.local

contains local per-system extra entries or overrides managed by the system administrator.

Available Predefined Profiles

The permissions package ships the following predefined profiles:

easy

security settings targeted towards single user workstations, where the only user is also the administrator. This profile is tailored towards more simplicity (less configuration and authorization requirements) at the possible expense of security in some areas.

secure

this is a balanced profile for servers or multi-user workstations that contains more secure settings at the expense of additional configuration or authorization requirements in some areas.

paranoid

this is a profile that disables all setuid and setgid bits and most capabilities. It is intended for power users that want to add back individual setuid bits via the /etc/permissions.local file. This profile is not intended to be used as-is, as it will likely break the system without careful tuning.

EXAMPLES

This is a demonstration of the use of variable expansion:

# in variables.conf
lib_dirs = /lib /lib64
sub_dirs = prog_v1 prog_v2
# in a permissions profile
%{lib_dirs}/%{sub_dirs}/libsomething.so root:root 04755

This will cause permctl to try to apply the given permission to all of the following paths, if they exist:

/lib/prog_v1/libsomething.so
/lib64/prog_v1/libsomething.so
/lib/prog_v2/libsomething.so
/lib64/prog_v2/libsomething.so

The following example shows the effect of the :package: directive:

# this entry will always be applied regardless of which package owns 'some_program'.
/usr/bin/some_program root:root 04755
:package: sudo
# this entry will only be applied if /usr/bin/sudo is owned by the "sudo" package.
/usr/bin/sudo root:root 04755
# this entry would also be applied only if owned by the "sudo" package, since
# no new ":package:" directive appeared.
/usr/bin/another_program root:root 04755
:package: su
# with the new package directive this entry will only be applied if
# /usr/bin/su is owned by the "su" package.
/usr/bin/su root:root 04755
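As an added example (not code from the permissions package or this manual page), a small Python parser for the entry format described above: it expands %{var} path components into every alternative, scopes entries under the :package: directive, attaches +capabilities and +acl lines to each expanded entry, and rejects ACL entries for the owner, group or other, which the format reserves for the octal mode. The VARIABLES dictionary and PROFILE text are constructed sample input.

```python
import itertools
import re

VAR_RE = re.compile(r"^%\{([A-Za-z0-9_]+)\}$")            # whole-component %{var} reference
BASE_ACL_RE = re.compile(r"^(u|user|g|group|o|other)::")  # ACL text forms for owner/group/other
# Constructed sample input (not the distribution's files): VARIABLES is what variables.conf declares.
VARIABLES = {"lib_dirs": ["/lib", "/lib64"], "sub_dirs": ["prog_v1", "prog_v2"]}
PROFILE = """# applied regardless of which package owns the file
/usr/bin/some_program root:root 04755
:package: sudo
/usr/bin/sudo root:root 04755
+capabilities cap_net_admin=ep
%{lib_dirs}/%{sub_dirs}/libsomething.so root:root 04755
"""

def expand_path(path, variables):
    """Expand each %{var} path component into all alternatives (cartesian product)."""
    choices = []
    for comp in path.split("/"):
        m = VAR_RE.match(comp)
        if m:
            choices.append(variables[m.group(1)])
        elif "%{" in comp:  # pre%{var}suf is invalid: a variable cannot mix with literal text
            raise ValueError(f"variable must be a whole path component: {comp!r}")
        else:
            choices.append([comp])
    return [re.sub("/+", "/", "/".join(p)) for p in itertools.product(*choices)]

def parse_profile(text, variables):
    """Parse a permissions file into entry dicts, honouring :package: scope and +keyword lines."""
    entries, current, scope = [], [], None
    for line in (l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        if line.startswith(":package:"):  # restricts every following entry until the next directive
            scope = frozenset(p.strip() for p in line[len(":package:"):].split(","))
        elif line.startswith("+"):        # extension line for the preceding base entry
            keyword, _, value = line[1:].partition(" ")
            if keyword not in ("capabilities", "acl") or not current:
                raise ValueError(f"unexpected extension line: {line!r}")
            if keyword == "acl" and BASE_ACL_RE.match(value.strip()):
                raise ValueError("ACL entries must not carry owner, group or other permissions")
            for entry in current:         # applies to every expansion of the base entry
                entry[keyword].append(value.strip())
        else:                             # base entry: path owner:group octal-mode
            path, owner_group, mode = line.split()
            owner, group = owner_group.split(":")
            current = [{"path": p, "owner": owner, "group": group, "mode": int(mode, 8),
                        "packages": scope, "capabilities": [], "acl": []}
                       for p in expand_path(path, variables)]
            entries.extend(current)
    return entries
```

Calling parse_profile(PROFILE, VARIABLES) yields six entries: two literal paths and the four expansions of the variable path, with the :package: scope of "sudo" attached to all but the first.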

FILES

/usr/share/permissions/permissions
/usr/share/permissions/permissions.easy
/usr/share/permissions/permissions.secure
/usr/share/permissions/permissions.paranoid
/usr/share/permissions/packages.d/*
/usr/share/permissions/permissions.d/* (deprecated)
/usr/share/permissions/variables.conf
/etc/permissions.local

SEE ALSO

permctl(8)

AUTHORS

Written by Ludwig Nussel.

REPORTING BUGS

Report bugs to https://bugzilla.suse.com/ or to https://github.com/openSUSE/permissions/.

01/02/2026