Subject: [bug#54997] [PATCH 00/12] Add "least authority" program wrapper
From: Maxime Devos
To: Ludovic Courtès
Cc: 54997@debbugs.gnu.org
Date: Fri, 22 Apr 2022 16:39:43 +0200
Message-ID: <616af1474c44d6c1caf71fa1f9d263ff46462201.camel@telenet.be>
In-Reply-To: <8735i8ratp.fsf_-_@gnu.org>
References: <20220417210453.27884-1-ludo@gnu.org> <20220417210453.27884-9-ludo@gnu.org> <4eac7fd571ddafd46bcadfa2ef5c6b3e41a162ab.camel@telenet.be> <8735i8ratp.fsf_-_@gnu.org>
Ludovic Courtès wrote on Wed 20-04-2022 at 00:02 [+0200]:
> > would become simpler as it wouldn't need to fork, exec, waitpid and
> > dynamic-wind.  Alternatively, if associating a user and group with a
> > pola wrapper is problematic (*), what do you think of defining a
> > 'system*/with-capabilities' or 'invoke/with-capabilities' in a central
> > location?
> 
> I’m not sure what these procedures would do.
> 
> I think we should build the house one brick at a time; this is the
> first brick but I’m sure there’ll be others as we gain more
> experience and clearer use cases.

This system*/with-capabilities brick would do the
primitive-fork+setuid+setgid+execl thing:

(define* (system*/with-capabilities command
                                    #:key user group extra-groups environment)
  ;; Exec the given command with the right authority.
  (let ((pid (primitive-fork)))
    (if (zero? pid)
        (dynamic-wind
          (const #t)
          (lambda ()
            ;; TODO: use 'user' and 'group', and don't change user/group
            ;; when already this user/group.
            (let ((pw (getpwnam "ipfs")))
              (setgroups '#())
              (setgid (passwd:gid pw))
              (setuid (passwd:uid pw))
              (environ environment)
              (apply execl command)))
          (lambda () (primitive-exit 127)))
        (waitpid pid))))

This would make this functionality available outside the ipfs service as
well.
Over time, it could be extended to support more kinds of ambient
authority, e.g. namespaces, POSIX ‘capabilities’, capability masks to
disallow gaining capabilities by running setuid binaries, the file system
hierarchy (with bind mounts), removing all users and groups (on the
Hurd), ...

Many of these are supported by 'least-authority-wrapper' but these POLA
wrappers require creating an additional process which seems a bit
suboptimal to me (memory- and latency-wise).

Also, having to do fork, waitpid and primitive-fork seems rather
low-level to me, so I prefer moving this code into somewhere like
(gnu build SOMEWHERE) or to keep the old
make-forkexec-constructor/container code.

Greetings,
Maxime.
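Editor's added example, not code from this patch series or from Maxime's sketch above: the same fork, drop-privileges, exec, waitpid shape written in C, where the ordering constraints that the Guile sketch relies on (setgroups and setgid before setuid, exit 127 if exec fails) and the "capability mask" idea from the next paragraph (prctl PR_SET_NO_NEW_PRIVS, Linux-specific) are visible as plain system calls. The function names drop_privileges and run_with_least_authority are hypothetical, the argv vectors are constructed for the demonstration, and the drop is verified afterwards rather than trusted; asking for the identity the process already has is treated as a no-op, which is the behaviour the TODO in the sketch asks for.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Non-zero if the supplementary group set already equals want[0..n). */
static int has_groups(const gid_t *want, int n)
{
    int m = getgroups(0, NULL);
    if (m < 0 || m != n)
        return 0;
    gid_t *have = calloc((size_t)(m > 0 ? m : 1), sizeof *have);
    if (have == NULL || getgroups(m, have) != m) {
        free(have);
        return 0;
    }
    int equal = 1;
    for (int i = 0; i < n && equal; i++) {
        equal = 0;
        for (int j = 0; j < m; j++)
            if (have[j] == want[i])
                equal = 1;
    }
    free(have);
    return equal;
}

/* Switch to uid/gid with exactly the supplementary groups groups[0..ngroups).
 * Returns 0 on success, -1 with errno set otherwise.  Order matters:
 * setgroups() and the GID change need CAP_SETGID, which is gone once the
 * UID is no longer 0, so groups go first, then the GID, then the UID. */
int drop_privileges(uid_t uid, gid_t gid, const gid_t *groups, int ngroups)
{
    /* Forbid regaining privilege through set-user-ID binaries or file
     * capabilities after the drop (Linux-specific). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    /* Skipped when already correct, so an unprivileged caller asking for
     * its own identity is a no-op instead of an EPERM from setgroups(). */
    if (!has_groups(groups, ngroups) && setgroups((size_t)ngroups, groups) != 0)
        return -1;
    /* Real and effective IDs together; on Linux setre[ug]id() with a real
     * ID given also rewrites the saved ID, which closes the setuid(0) door. */
    if (setregid(gid, gid) != 0 || setreuid(uid, uid) != 0)
        return -1;
    /* Verify rather than trust the calls above. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* Unless the target is root, re-escalation must now fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* fork, drop, exec, waitpid.  Returns the child's exit status, 127 when the
 * drop or the exec failed (like primitive-exit 127 in the sketch), and -1
 * when fork/waitpid failed or the child was killed by a signal. */
int run_with_least_authority(char *const argv[], uid_t uid, gid_t gid,
                             const gid_t *groups, int ngroups)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid, groups, ngroups) == 0)
            execvp(argv[0], argv);
        _exit(127); /* never fall through to running with full authority */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Runs as the current identity; a root wrapper would pass the target
     * user's uid, gid and groups from getpwnam()/getgrouplist() instead. */
    gid_t groups[256];
    int n = getgroups(256, groups);
    if (n < 0)
        n = 0;
    char *const ok[] = { "/bin/sh", "-c", "exit 0", NULL };
    char *const missing[] = { "/nonexistent/program", NULL };
    printf("exit 0  -> %d\n", run_with_least_authority(ok, getuid(), getgid(), groups, n));
    printf("missing -> %d\n", run_with_least_authority(missing, getuid(), getgid(), groups, n));
    return 0;
}
```

The check at the end of drop_privileges is the part worth keeping whatever language the brick ends up in: a drop that leaves the saved UID at 0, or that silently skipped setgroups, looks identical to a successful one until something calls setuid(0) again, so the wrapper should try exactly that and refuse to exec if it works.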