Subject: [bug#61462] Add support for file capabilities(7)
From: Vagrant Cascadian
To: Ludovic Courtès
Cc: Tobias Geerinckx-Rice, 61462@debbugs.gnu.org
Date: Tue, 18 Apr 2023 12:38:53 -0700
Message-ID: <878reprnea.fsf@contorta>
In-Reply-To: <87o7nlwcwn.fsf_-_@gnu.org>
On 2023-04-18, Ludovic Courtès wrote:
> Vagrant Cascadian skribis:
>
>>>> I'm quite opinionated about the setuid-programs unification: there
>>>> should not be multiple confusing and masking layers of privilege, and
>>>> it should be possible to setgid a capable executable.
>>>
>>> So you mean that ‘privileged-programs’ should entirely replace
>>> ‘setuid-programs’, right?
>>>
>>> I’m a bit unsure about using file capabilities:
>>>
>>> 1. File capabilities are persistent and less visible than setuid bits
>>> (you won’t see them with “ls -l”), so easily overlooked. Could
>>> there be a risk of lingering file capabilities when reconfiguring a
>>> system?
>>
>> Does reconfigure leave old setuid binaries laying around in
>> /run/setuid-programs currently?
>
> No: ‘activate-setuid-programs’ first deletes /run/setuid-programs/*,
> then populates it.

Good!

>> Seems like with setuid/setgid and the proposed privileged binaries, the
>> setuid/setgid bits and capabilities should be explicitly set on any
>> defined binaries, and any that are left over in the /run/*-programs
>> directories should be... forcibly removed! Otherwise your current system
>> is vulnerable to previous potentially bad choices indefinitely...
>
> Right, so in that sense it’s no different from setuid binaries, other
> than the fact that “ls -l” won’t show it.
That aspect seems fixable with documentation in the simplest case of how
to show that /run/*-programs contains the correct permissions, e.g. a
brief mention of "getcap" to show the capabilities. The most fancy case I
quickly think of might be "guix system list-privileged-programs" or some
such that would display all the various privileges (setuid, setgid,
capabilities, etc.) on each of the binaries in /run/*-programs? But
probably overkill...

>>> 2. How ’bout portability to different file systems and to GNU/Hurd?
>>
>> Currently I *think* /run/setuid-programs is tmpfs
>
> It’s not by default.

Huh, could have sworn on all my guix systems that /run was on tmpfs by
default, and I did not knowingly do anything special to change that...

>> In all seriousness though, while I appreciate thinking about broad
>> compatibility across different types of systems, I am a bit nervous
>> about an approach that would require features to behave compatibly
>> across all systems...
>
> I guess all I’m saying is that we should keep this in mind.
>
> Perhaps the hypothetical ‘activate-privileged-programs’ procedure would
> fall back to setuid-root on GNU/Hurd or do some other Hurd-specific
> thing. We don’t need to go too far, but we do need to give it some
> thought IMO.

If it cannot properly set the capabilities, then it should not assume
setuid-root is an ok fallback; it should instead most definitely just
fail! At least in the case I am most familiar with, lcsync, it really
should not run as setuid-root, as that effectively allows anyone to
modify or copy any file as root. Although, likely Hurd limits the impacts
of setuid root in ways I do not understand? Even then, I still think if
you ask for something in your guix system configuration, and it cannot
deliver what you asked for, it should not give you something else as an
approximation of what you wanted.
Maybe that is a strict interpretation of an ideal, and reality is much
harder than that. :)

live well,
  vagrant
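The thread raises two checks a system administrator would want: a way to see file capabilities that "ls -l" hides (the "getcap" mention and the imagined "guix system list-privileged-programs"), and a way to spot privileged binaries left over in /run/*-programs that the current configuration did not ask for. The script below is an added example written for this discussion; it is not Guix code and is unrelated to the real ‘activate-setuid-programs’ procedure. It assumes a Linux system, where file capabilities live in the security.capability extended attribute with the struct vfs_cap_data layout from <linux/capability.h>, and it reads that attribute directly with os.getxattr rather than shelling out to getcap. The function names, the `declared` set (standing in for the list of programs the system configuration defines) and the sample attribute bytes are all constructed for the example.

```python
import errno
import os
import stat
import struct
import tempfile

# Capability bit numbers as in <linux/capability.h> (CAP_CHOWN is bit 0).
CAP_NAMES = ["cap_" + n for n in (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore").split()]

# security.capability layout (struct vfs_cap_data / vfs_ns_cap_data): a
# little-endian magic word = revision | flags, then (permitted, inheritable)
# u32 pairs; revision 3 appends the root uid of the owning user namespace.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_LAYOUT = {0x01000000: (1, 12), 0x02000000: (2, 20), 0x03000000: (2, 24)}

# Constructed sample attribute values, not read from any real file.
SAMPLE_CAP_XATTR = struct.pack(      # rev 2, effective, net_admin | net_raw
    "<IIIII", 0x02000000 | VFS_CAP_FLAGS_EFFECTIVE, (1 << 12) | (1 << 13), 0, 0, 0)
SAMPLE_NS_CAP_XATTR = struct.pack(   # rev 3, not effective, rootid 1000
    "<IIIIII", 0x03000000, 1 << 10, 0, 0, 0, 1000)


def _names(mask):
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(64) if (mask >> i) & 1]


def decode_vfs_cap(blob):
    """Decode a raw security.capability value; ValueError if malformed."""
    magic = struct.unpack_from("<I", blob, 0)[0] if len(blob) >= 4 else 0
    words, size = VFS_CAP_LAYOUT.get(magic & VFS_CAP_REVISION_MASK, (0, -1))
    if len(blob) != size:
        raise ValueError("unknown revision or bad size for capability xattr")
    permitted = inheritable = 0
    for i in range(words):       # low 32 bits first, then the high word
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"revision": magic >> 24,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": _names(permitted), "inheritable": _names(inheritable),
            "rootid": struct.unpack_from("<I", blob, 20)[0] if size == 24 else None}


def read_file_caps(path):
    """Decoded file capabilities of `path`, or None if it carries none."""
    getxattr = getattr(os, "getxattr", None)   # only present on Linux builds
    if getxattr is None:
        return None
    try:
        blob = getxattr(path, "security.capability", follow_symlinks=False)
    except OSError as exc:     # attribute absent, or file system lacks xattrs
        if exc.errno in (getattr(errno, "ENODATA", 61), errno.ENOTSUP):
            return None
        raise
    return decode_vfs_cap(blob)


def cap_text(caps):
    """Render decoded caps in a getcap-like 'names=flags' form ('-' if none)."""
    if not caps:
        return "-"
    eff = "e" if caps["effective"] else ""
    both = [c for c in caps["permitted"] if c in caps["inheritable"]]
    only_p = [c for c in caps["permitted"] if c not in both]
    only_i = [c for c in caps["inheritable"] if c not in both]
    clauses = [",".join(both) + "=" + eff + "ip" if both else "",
               ",".join(only_p) + "=" + eff + "p" if only_p else "",
               ",".join(only_i) + "=i" if only_i else ""]
    return " ".join(c for c in clauses if c) or "="


def audit_privileged_dir(directory, declared):
    """Regular files in `directory` carrying setuid, setgid or file caps.
    `declared` holds the basenames the configuration asked for; anything
    else that is privileged is a leftover and is flagged as such."""
    findings = []
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        if not stat.S_ISREG(st.st_mode):
            continue
        setuid, setgid = bool(st.st_mode & stat.S_ISUID), bool(st.st_mode & stat.S_ISGID)
        caps = read_file_caps(os.path.join(directory, name))
        if setuid or setgid or caps:
            findings.append({"name": name, "setuid": setuid, "setgid": setgid,
                             "caps": caps, "declared": name in declared})
    return findings


def leftovers(findings):
    """Names of privileged files the configuration did not declare."""
    return [f["name"] for f in findings if not f["declared"]]


def make_demo_dir():
    """Constructed stand-in for /run/setuid-programs: two setuid files (one of
    them stale) and one plain file. Setting a real capability needs
    CAP_SETFCAP, so caps are only exercised through the sample bytes above."""
    d = tempfile.mkdtemp(prefix="privileged-programs-")
    for name, mode in (("setuid-prog", 0o4755), ("stale-prog", 0o4755), ("plain", 0o755)):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(os.path.join(d, name), mode)
    return d


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/run/setuid-programs"
    for f in audit_privileged_dir(target, set(sys.argv[2:])) if os.path.isdir(target) else []:
        bits = ("u" if f["setuid"] else "-") + ("g" if f["setgid"] else "-")
        print("%-28s %s %-36s %s" % (f["name"], bits, cap_text(f["caps"]),
                                     "declared" if f["declared"] else "LEFTOVER"))
```

Run as `python3 audit.py /run/setuid-programs ping sudo ...` (hypothetical invocation) to print one line per privileged file with its setuid/setgid bits, its capabilities in a getcap-like notation, and whether the name was declared. Anything marked LEFTOVER is exactly the lingering-privilege case the thread worries about; reading the xattr directly means the check works even where the getcap tool is not installed, and it deliberately fails loudly on an attribute revision it does not understand rather than reporting "no capabilities".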