all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Vagrant Cascadian <vagrant@debian.org>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: Tobias Geerinckx-Rice <me@tobias.gr>, 61462@debbugs.gnu.org
Subject: [bug#61462] Add support for file capabilities(7)
Date: Tue, 18 Apr 2023 12:38:53 -0700	[thread overview]
Message-ID: <878reprnea.fsf@contorta> (raw)
In-Reply-To: <87o7nlwcwn.fsf_-_@gnu.org>

[-- Attachment #1: Type: text/plain, Size: 3505 bytes --]

On 2023-04-18, Ludovic Courtès wrote:
> Vagrant Cascadian <vagrant@debian.org> skribis:
>
>>>> I'm quite opinionated about the setuid-programs unification: there
>>>> should not be multiple confusing and masking layers of privilege, and
>>>> it should be possible to setgid a capable executable.
>>>
>>> So you mean that ‘privileged-programs’ should entirely replace
>>> ‘setuid-programs’, right?
>>>
>>> I’m a bit unsure about using file capabilities:
>>>
>>>   1. File capabilities are persistent and less visible than setuid bits
>>>      (you won’t see them with “ls -l”), so easily overlooked.  Could
>>>      there be a risk of lingering file capabilities when reconfiguring a
>>>      system?
>>
>> Does reconfigure leave old setuid binaries laying around in
>> /run/setuid-programs currently?
>
> No: ‘activate-setuid-programs’ first deletes /run/setuid-programs/*,
> then populates it.

Good!

>> Seems like with setuid/setgid and the proposed priviledged binaries, the
>> setuid/setgid bits and capabilties should be explicitly set on any
>> defined binaries, and any that are left over in the /run/*-programs
>> directories should be... forcibly removed! Otherwise your current system
>> is vulnerable to previous potentially bad choices indefinitely...
>
> Right, so in that sense it’s no different from setuid binaries, other
> than the fact that “ls -l” won’t show it.

That aspect seems fixable with documentation in the simplest case of how
to show that /run/*-programs contains the correct permissions, e.g a
brief mention of "getcap" to show the capabilities.

The most fancy case I quickly think of might be "guix system
list-privledged-programs" or some such that would display all the
various privledges (setuid, setgid, capabilities, etc.) on each of the
binaries in /run/*-programs? But probably overkill...


>>>   2. How ’bout portability to different file systems and to GNU/Hurd?
>>
>> Currently I *think* /run/setuid-programs is tmpfs
>
> It’s not by default.

Huh, could have sworn on all my guix systems that /run was on tmpfs by
default, and I did not knowingly do anything special to change that...


>> In all seriousness though, while I appreciate thinking about broad
>> compatibility across different types of systems, I am a bit nervous
>> about an approach that would require features to behave compatibly
>> across all systems...
>
> I guess All I’m saying is that we should keep this in mind.
>
> Perhaps the hypothetical ‘activate-privileged-programs’ procedure would
> fall back to setuid-root on GNU/Hurd or do some other Hurd-specific
> thing.  We don’t need to go too far, but we do need to give it some
> thought IMO.

If it cannot properly set the capabilities, then it should not assume
setuid-root is an ok fallback; it should instead most definitely just
fail!

At least the case I am most familiar with, lcsync, it really should not
run as setuid-root, as that effectively allows anyone to modify or copy
any file as root. Although, likely Hurd limits the impacts of setuid
root in ways I do not understand?

Even then, I still think if you ask for something in your guix system
configuration, and it cannot deliver what you asked for, it should not
give you something else as an approximation of what you wanted. Maybe
that is a strict interpretation of an ideal, and reality is much harder
than that. :)


live well,
  vagrant

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

  reply	other threads:[~2023-04-18 19:40 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-02-12 20:37 [bug#61462] Add support for file capabilities(7) Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00 ` [bug#61462] [PATCH 01/10] system: Disallow file-like setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 02/10] services: setuid-program: Populate /run/privileged/bin Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 03/10] system: Use /run/privileged/bin in search paths Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 04/10] gnu: Replace (almost) all uses of /run/setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 05/10] system: Add (gnu system privilege) Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 06/10] system: (gnu system setuid) wraps " Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 07/10] build: Rename activate-setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 08/10] services: Rename setuid-program-service-type Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 09/10] system: Use privileged-program-service-type by default Tobias Geerinckx-Rice via Guix-patches via
2023-02-05  0:00   ` [bug#61462] [PATCH 10/10] system: Add privileged-programs to <operating-system> Tobias Geerinckx-Rice via Guix-patches via
2023-02-12 21:05 ` [bug#61462] Add support for file capabilities(7) Tobias Geerinckx-Rice via Guix-patches via
2023-03-04 16:55 ` Ludovic Courtès
2023-03-24  4:31   ` Vagrant Cascadian via Guix-patches
2023-04-18 13:14     ` Ludovic Courtès
2023-04-18 19:38       ` Vagrant Cascadian [this message]
2023-04-20 10:33         ` Ludovic Courtès
2023-07-15 23:59 ` [bug#61462] [PATCH v2 01/10] system: Disallow file-like setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 02/10] services: setuid-program: Populate /run/privileged/bin Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 03/10] system: Use /run/privileged/bin in search paths Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 04/10] gnu: Replace (almost) all uses of /run/setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 05/10] system: Add (gnu system privilege) Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 06/10] system: (gnu system setuid) wraps " Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 07/10] build: Rename activate-setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 08/10] services: Rename setuid-program-service-type Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59   ` [bug#61462] [PATCH v2 09/10] system: Use privileged-program-service-type by default Tobias Geerinckx-Rice via Guix-patches via
2023-07-16  0:00   ` [bug#61462] [PATCH v2 10/10] system: Add privileged-programs to <operating-system> Tobias Geerinckx-Rice via Guix-patches via
2023-07-21 18:53   ` [bug#61462] Add support for file capabilities(7) Vagrant Cascadian
2023-07-21 19:11     ` Vagrant Cascadian
2023-08-08 15:40       ` Ludovic Courtès
2023-08-29 20:29         ` [bug#61462] /run should be cleaned on boot Vagrant Cascadian
2024-09-15 22:29           ` bug#64775: " Ludovic Courtès
     [not found]         ` <87o7ipvbhh.fsf__48662.4622646318$1693341314$gmane$org@wireframe>
2023-08-29 21:21           ` brian via Bug reports for GNU Guix
2023-11-15 21:37     ` [bug#61462] Add support for file capabilities(7) Vagrant Cascadian
2023-12-24  0:34       ` Vagrant Cascadian
2024-01-08 16:45         ` Ludovic Courtès
2024-08-19 14:55           ` Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=878reprnea.fsf@contorta \
    --to=vagrant@debian.org \
    --cc=61462@debbugs.gnu.org \
    --cc=ludo@gnu.org \
    --cc=me@tobias.gr \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.