From: Vagrant Cascadian
Date: Fri, 27 May 2022 12:51:51 -0700
To: 55683@debbugs.gnu.org
Subject: bug#55683: Support binaries that need "setcap" similar to "setuid-programs"
Message-ID: <87k0a669ew.fsf@yucca>
List-Id: Bug reports for GNU Guix

I've been working on a package called lcsync:

  https://issues.guix.gnu.org/55682

But lcsync needs CAP_NET_RAW...

Normally, this is accomplished by running:

  setcap cap_net_raw=eip /path/to/bin/lcsync

You could add lcsync to setuid-programs, but this would be a terrible
idea, as it's a file syncing tool and you would have root access to
writing any file in the filesystem...

Upstream lcsync is considering how to rewrite it to drop privileges so
that it would not be *terrible* to run setuid root, but ... ideally it
could just use setcap to provide the very limited root privileges that
it needs.

It seems like something very similar to setuid-programs could work for
programs that need particular capabilities... e.g. copy a binary from
the store, set the appropriate capabilities with "setcap", add this
special directory to PATH.

But maybe there's a better way to do this already? :)

live well,
  vagrant
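
What "setcap cap_net_raw=eip" stores on the file, shown as an added example that is not part of the original message or of Guix or lcsync: a decoder for the security.capability extended attribute (struct vfs_cap_data, revisions 2 and 3) that reports any capability granted beyond what the program needs. The function names and the two sample byte strings are constructed for illustration; the constants are those of <linux/capability.h>.

```python
import struct

# Values from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000   # 20-byte xattr
VFS_CAP_REVISION_3 = 0x03000000   # 24-byte xattr, adds a namespace root uid
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid",
             12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}


def _names(mask):
    """Turn a 64-bit capability mask into a set of names (bitN if unlisted)."""
    return {CAP_NAMES.get(bit, f"bit{bit}") for bit in range(64) if mask >> bit & 1}


def decode_file_caps(raw):
    """Decode the bytes of a security.capability xattr (struct vfs_cap_data)."""
    if len(raw) < 20:
        raise ValueError("too short for a revision 2/3 capability xattr")
    # Layout: magic_etc, then (permitted, inheritable) for the low and high words.
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", raw)
    revision = magic & VFS_CAP_REVISION_MASK
    if revision not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError(f"unsupported revision {revision:#010x}")
    return {
        "permitted": _names(p_hi << 32 | p_lo),
        "inheritable": _names(i_hi << 32 | i_lo),
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
    }


def excess_caps(raw, needed):
    """Capabilities the file grants beyond the set the program needs."""
    return decode_file_caps(raw)["permitted"] - set(needed)


# Constructed sample: the xattr that "setcap cap_net_raw=eip" writes.
NET_RAW_EIP = struct.pack("<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                          1 << 13, 1 << 13, 0, 0)
# Constructed sample: the same file if cap_dac_override were also permitted.
OVERBROAD = struct.pack("<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                        1 << 13 | 1 << 1, 0, 0, 0)

if __name__ == "__main__":
    print(decode_file_caps(NET_RAW_EIP))
    print(sorted(excess_caps(OVERBROAD, {"cap_net_raw"})))
```

On a Linux system the raw bytes for a real file come from os.getxattr(path, "security.capability"), which raises OSError when the file carries no capabilities.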