unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
* [bug#61462] Add support for file capabilities(7)
@ 2023-02-12 20:37 Tobias Geerinckx-Rice via Guix-patches via
  2023-02-05  0:00 ` [bug#61462] [PATCH 01/10] system: Disallow file-like setuid-programs Tobias Geerinckx-Rice via Guix-patches via
                   ` (3 more replies)
  0 siblings, 4 replies; 35+ messages in thread
From: Tobias Geerinckx-Rice via Guix-patches via @ 2023-02-12 20:37 UTC (permalink / raw)
  To: 61462

[-- Attachment #1: Type: text/plain, Size: 1190 bytes --]

Hi Guix,

I need to offload some of my eternally rebased local patches. 
Here's one that makes it easy to assign capabilities(7) — 
currently through setcap(8) — to programmes like we can 
set{u,g}id.

There are many packages that benefit from this.  Mine are:

  (privileged-programs
    (cons* (privileged-program
            (file-append mtr "/sbin/mtr")
            (capabilities "cap_net_raw+ep"))
           (privileged-program
            (file-append nethogs "/sbin/nethogs")
            (capabilities "cap_net_admin,cap_new_raw+ep"))
           (privileged-program
            (file-append light "/bin/light")
            (setuid? #t))
           %default-privileged-programs))

The set's over a year old and needs a bit of love.  Some details 
might have bitrot, I probably forgot a to-do or two in that year, 
and there's something unguixy about calling setcap(8) instead of 
writing a completely new Guile binding/module :-)

I'm quite opinionated about the setuid-programs unification: there 
should not be multiple confusing and masking layers of privilege, 
and it should be possible to setgid a capable executable.

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]

^ permalink raw reply	[flat|nested] 35+ messages in thread

end of thread, other threads:[~2024-08-19 14:56 UTC | newest]

Thread overview: 35+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-02-12 20:37 [bug#61462] Add support for file capabilities(7) Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00 ` [bug#61462] [PATCH 01/10] system: Disallow file-like setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 02/10] services: setuid-program: Populate /run/privileged/bin Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 03/10] system: Use /run/privileged/bin in search paths Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 04/10] gnu: Replace (almost) all uses of /run/setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 05/10] system: Add (gnu system privilege) Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 06/10] system: (gnu system setuid) wraps " Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 07/10] build: Rename activate-setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 08/10] services: Rename setuid-program-service-type Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 09/10] system: Use privileged-program-service-type by default Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 10/10] system: Add privileged-programs to <operating-system> Tobias Geerinckx-Rice via Guix-patches via
2023-02-12 21:05 ` [bug#61462] Add support for file capabilities(7) Tobias Geerinckx-Rice via Guix-patches via
2023-03-04 16:55 ` Ludovic Courtès
2023-03-24  4:31   ` Vagrant Cascadian via Guix-patches
2023-04-18 13:14     ` Ludovic Courtès
2023-04-18 19:38       ` Vagrant Cascadian
2023-04-20 10:33         ` Ludovic Courtès
2023-07-15 23:59 ` [bug#61462] [PATCH v2 01/10] system: Disallow file-like setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 02/10] services: setuid-program: Populate /run/privileged/bin Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 03/10] system: Use /run/privileged/bin in search paths Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 04/10] gnu: Replace (almost) all uses of /run/setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 05/10] system: Add (gnu system privilege) Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 06/10] system: (gnu system setuid) wraps " Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 07/10] build: Rename activate-setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 08/10] services: Rename setuid-program-service-type Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 09/10] system: Use privileged-program-service-type by default Tobias Geerinckx-Rice via Guix-patches via
2023-07-16  0:00   ` [bug#61462] [PATCH v2 10/10] system: Add privileged-programs to <operating-system> Tobias Geerinckx-Rice via Guix-patches via
2023-07-21 18:53   ` [bug#61462] Add support for file capabilities(7) Vagrant Cascadian
2023-07-21 19:11     ` Vagrant Cascadian
2023-08-08 15:40       ` Ludovic Courtès
2023-08-29 20:29         ` [bug#61462] /run should be cleaned on boot Vagrant Cascadian
2023-11-15 21:37     ` [bug#61462] Add support for file capabilities(7) Vagrant Cascadian
2023-12-24  0:34       ` Vagrant Cascadian
2024-01-08 16:45         ` Ludovic Courtès
2024-08-19 14:55           ` Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).