# This file ensures that privileges of applications that were not
# covered by the evaluation are dropped or added.
#
# Each entry has the form: <path> <owner>:<group> <octal mode>

# Add the SUID bit to vlock so that it can authenticate normal users
# when it is invoked by screen. It uses the standard PAM stack.
# Mode 4755: setuid to the owner (root), executable by every user.
/usr/bin/vlock					root:root	4755

# Restrict su to members of the group "trusted" to prevent denial
# of service attacks or password cracking attacks against the root
# password.
# Mode 4710: setuid to the owner (root); owner rwx, group execute-only,
# no access for others. Only root and members of "trusted" can run it.
/bin/su						root:trusted	4710
# This permission allows the use of targetpw in /etc/sudoers while still
# preventing password cracking attacks from normal users against the root
# password.
# Same mode as su above (4710), so sudo is likewise unusable for anyone
# outside the group "trusted".
# NOTE(review): membership of "trusted" is the only gate on both su and
# sudo here; that group's member list should be audited and kept minimal.
/usr/bin/sudo					root:trusted	4710

# Remove the SUID bit but preserve the remaining permissions.
# The three-digit modes below carry no setuid/setgid digit, so these
# programs run with the privileges of the calling user.
# NOTE(review): functions that relied on the elevated privilege presumably
# stop working for non-root users; verify against the evaluated
# configuration.
# Mode 750 entries are additionally not executable by users outside the
# owning group.
/lib64/dbus-1/dbus-daemon-launch-helper		root:messagebus 750
/bin/mount					root:root	755
/bin/umount					root:root	755
/bin/eject					root:root	755
/sbin/unix_chkpwd				root:root	755
/sbin/unix2_chkpwd				root:root	755
/usr/lib64/pt_chown				root:root	755
/usr/bin/rcp					root:root	755
/usr/bin/gpasswd				root:root	755
/usr/bin/chage					root:root	755
/usr/bin/opiepasswd				root:root	755
/usr/lib/PolicyKit/polkit-grant-helper-pam	root:polkituser	750
/usr/lib/PolicyKit/polkit-set-default-helper	polkituser:root	755

# NOTE(review): unlike the other entries in this section, /usr/bin/at (4750)
# and /usr/bin/crontab (4755) below still carry the setuid bit.
# at is executable only by root and members of "trusted". crontab is
# executable by every user, so its group "trusted" does not restrict who
# can run it. Confirm that both modes are intended.
/usr/bin/rsh					root:root	755
/usr/bin/at					root:trusted	4750
/usr/bin/expiry					root:shadow	755
/usr/bin/opiesu					root:root	755
/usr/bin/crontab				root:trusted	4755
/usr/bin/rlogin					root:root	755

# Remove the SGID bit but preserve the remaining permissions.
# Every mode below is a plain 755: no setuid or setgid digit, readable and
# executable by all users, writable only by the owner.
/usr/bin/lppasswd				lp:lp		755
/usr/lib/PolicyKit/polkit-revoke-helper		root:polkituser	755
/usr/lib/PolicyKit/polkit-read-auth-helper	root:polkituser	755
/usr/lib/PolicyKit/polkit-explicit-grant-helper	root:polkituser	755
/usr/lib/PolicyKit/polkit-grant-helper		root:polkituser	755
