unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
From: Vagrant Cascadian via Guix-patches <guix-patches@gnu.org>
To: "Ludovic Courtès" <ludo@gnu.org>, "Tobias Geerinckx-Rice" <me@tobias.gr>
Cc: 61462@debbugs.gnu.org
Subject: [bug#61462] Add support for file capabilities(7)
Date: Thu, 23 Mar 2023 21:31:53 -0700	[thread overview]
Message-ID: <87cz4y6a86.fsf@contorta> (raw)
In-Reply-To: <877cvwsbfk.fsf@gnu.org>

[-- Attachment #1: Type: text/plain, Size: 4435 bytes --]

On 2023-03-04, Ludovic Courtès wrote:
> Tobias Geerinckx-Rice <me@tobias.gr> skribis:
>
>> I need to offload some of my eternally rebased local patches. Here's
>> one that makes it easy to assign capabilities(7) — currently through
>> setcap(8) — to programmes like we can set{u,g}id.
>>
>> There are many packages that benefit from this.  Mine are:
>>
>>  (privileged-programs
>>    (cons* (privileged-program
>>            (file-append mtr "/sbin/mtr")
>>            (capabilities "cap_net_raw+ep"))
>>           (privileged-program
>>            (file-append nethogs "/sbin/nethogs")
>>            (capabilities "cap_net_admin,cap_new_raw+ep"))
>>           (privileged-program
>>            (file-append light "/bin/light")
>>            (setuid? #t))
>>           %default-privileged-programs))
>
> Neat!

Agreed! Thanks!


>> I'm quite opinionated about the setuid-programs unification: there
>> should not be multiple confusing and masking layers of privilege, and
>> it should be possible to setgid a capable executable.
>
> So you mean that ‘privileged-programs’ should entirely replace
> ‘setuid-programs’, right?
>
> I’m a bit unsure about using file capabilities:
>
>   1. File capabilities are persistent and less visible than setuid bits
>      (you won’t see them with “ls -l”), so easily overlooked.  Could
>      there be a risk of lingering file capabilities when reconfiguring a
>      system?

Does reconfigure leave old setuid binaries laying around in
/run/setuid-programs currently? That sounds like leaking state from
previous generations into the current generation, and should be fixed if
it is indeed the case.

Seems like with setuid/setgid and the proposed priviledged binaries, the
setuid/setgid bits and capabilties should be explicitly set on any
defined binaries, and any that are left over in the /run/*-programs
directories should be... forcibly removed! Otherwise your current system
is vulnerable to previous potentially bad choices indefinitely...

Basically, guix system reconfigure should be fastidious and ideally
deterministic with generating and updating /run/*-programs ...


>   2. How ’bout portability to different file systems and to GNU/Hurd?

Currently I *think* /run/setuid-programs is tmpfs (at least on systems I
have used running a linux-libre kernel) ... I do not think this attempts
to change that...; we probably do not need broad filesystem
compatibility, just whatever filesystem /run/*-programs is implemented
on.

And since they are not compatibly with GNU/Hurd, then let us drop
support for x86_64-linux, riscv64-linux, ppc64el-linux, arm64-linux,
etc. ... to make sure things are compatible! :P

In all seriousness though, while I appreciate thinking about broad
compatibility across different types of systems, I am a bit nervous
about an approach that would require features to behave compatibly
across all systems...

...though I suspect you were more getting at "What are the consequences
of implementing this for some other system types?"


>   3. What’s the complexity/benefit ratio?  :-)
>
> Then there’s the compatibility story with moving from
> /run/setuid-programs to /run/privileged-programs etc. that’ll have to be
> handled with care.

I am less opinionated about adding yet another directory to PATH,
although obivously then you get into the weird issues with old $PATH
values laying around (e.g. not getting the new directory added until
logging out or re-loading the running profile)


> I’m very much sold to the principle of least authority, but I feel like
> POSIX capabilities (not to be confused with “actual” capabilities) are a
> bit of a hack.

And setuid/setgid is not a hack? It seems like essentially the same
thing, just with no granularity...


> Thoughts?

There are some things that are just not possible without capabilities,
and setuid/setgid is a dangerous hammer that should be used very
sparingly, if at all, and capabilities are no *worse* that
setuid/setgid, allowing a finer grained set of problems :)

The need for this functionality has come up more than a few times:

  https://issues.guix.gnu.org/27415
  https://issues.guix.gnu.org/39136
  https://issues.guix.gnu.org/55683

And possibly a few others:

  https://issues.guix.gnu.org/search?query=setcap


live well,
  vagrant

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

  reply	other threads:[~2023-03-24 13:20 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-02-12 20:37 [bug#61462] Add support for file capabilities(7) Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00 ` [bug#61462] [PATCH 01/10] system: Disallow file-like setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 02/10] services: setuid-program: Populate /run/privileged/bin Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 03/10] system: Use /run/privileged/bin in search paths Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 04/10] gnu: Replace (almost) all uses of /run/setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 05/10] system: Add (gnu system privilege) Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 06/10] system: (gnu system setuid) wraps " Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 07/10] build: Rename activate-setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 08/10] services: Rename setuid-program-service-type Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 09/10] system: Use privileged-program-service-type by default Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 10/10] system: Add privileged-programs to <operating-system> Tobias Geerinckx-Rice via Guix-patches via
2023-02-12 21:05 ` [bug#61462] Add support for file capabilities(7) Tobias Geerinckx-Rice via Guix-patches via
2023-03-04 16:55 ` Ludovic Courtès
2023-03-24  4:31   ` Vagrant Cascadian via Guix-patches [this message]
2023-04-18 13:14     ` Ludovic Courtès
2023-04-18 19:38       ` Vagrant Cascadian
2023-04-20 10:33         ` Ludovic Courtès
2023-07-15 23:59 ` [bug#61462] [PATCH v2 01/10] system: Disallow file-like setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 02/10] services: setuid-program: Populate /run/privileged/bin Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 03/10] system: Use /run/privileged/bin in search paths Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 04/10] gnu: Replace (almost) all uses of /run/setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 05/10] system: Add (gnu system privilege) Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 06/10] system: (gnu system setuid) wraps " Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 07/10] build: Rename activate-setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 08/10] services: Rename setuid-program-service-type Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 09/10] system: Use privileged-program-service-type by default Tobias Geerinckx-Rice via Guix-patches via
2023-07-16  0:00   ` [bug#61462] [PATCH v2 10/10] system: Add privileged-programs to <operating-system> Tobias Geerinckx-Rice via Guix-patches via
2023-07-21 18:53   ` [bug#61462] Add support for file capabilities(7) Vagrant Cascadian
2023-07-21 19:11     ` Vagrant Cascadian
2023-08-08 15:40       ` Ludovic Courtès
2023-08-29 20:29         ` [bug#61462] /run should be cleaned on boot Vagrant Cascadian
2023-11-15 21:37     ` [bug#61462] Add support for file capabilities(7) Vagrant Cascadian
2023-12-24  0:34       ` Vagrant Cascadian
2024-01-08 16:45         ` Ludovic Courtès
2024-08-19 14:55           ` Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87cz4y6a86.fsf@contorta \
    --to=guix-patches@gnu.org \
    --cc=61462@debbugs.gnu.org \
    --cc=ludo@gnu.org \
    --cc=me@tobias.gr \
    --cc=vagrant@debian.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).