The cups package creates an /etc/printcap link with permission 0755. The daily run of the security script says that this should be 0644. I can reset this, of course, but it reverts to the default on the next upgrade of cups.
Alternatively, I can edit /etc/mtree/special to accept 0755 but this is lost when I upgrade the base system.
The security man page says:
security also provides hooks for administrators to create their own lists. These lists should be kept in /etc/mtree/ and filenames must have the suffix “.secure”.
And it gives examples of entries. So I made a file called "/etc/mtree/printcap.secure" with the line: "chmod 0644 /etc/printcap" but this doesn't help. Perhaps I misunderstood the example.
So far the only work-around I've found is to make an entry in root's crontab to change the permission every night. This works but doesn't seem very elegant.
Can anyone suggest what I'm doing wrong?