Subject: [bug#61462] Add support for file capabilities(7)
From: Vagrant Cascadian
To: Ludovic Courtès, Tobias Geerinckx-Rice
Cc: 61462@debbugs.gnu.org
Date: Thu, 23 Mar 2023 21:31:53 -0700
Message-ID: <87cz4y6a86.fsf@contorta>
In-Reply-To: <877cvwsbfk.fsf@gnu.org>
On 2023-03-04, Ludovic Courtès wrote:
> Tobias Geerinckx-Rice skribis:
>
>> I need to offload some of my eternally rebased local patches. Here's
>> one that makes it easy to assign capabilities(7) — currently through
>> setcap(8) — to programmes like we can set{u,g}id.
>>
>> There are many packages that benefit from this. Mine are:
>>
>> (privileged-programs
>>  (cons* (privileged-program
>>          (file-append mtr "/sbin/mtr")
>>          (capabilities "cap_net_raw+ep"))
>>         (privileged-program
>>          (file-append nethogs "/sbin/nethogs")
>>          (capabilities "cap_net_admin,cap_net_raw+ep"))
>>         (privileged-program
>>          (file-append light "/bin/light")
>>          (setuid? #t))
>>         %default-privileged-programs))
>
> Neat!

Agreed! Thanks!

>> I'm quite opinionated about the setuid-programs unification: there
>> should not be multiple confusing and masking layers of privilege, and
>> it should be possible to setgid a capable executable.
>
> So you mean that ‘privileged-programs’ should entirely replace
> ‘setuid-programs’, right?
>
> I’m a bit unsure about using file capabilities:
>
> 1. File capabilities are persistent and less visible than setuid bits
> (you won’t see them with “ls -l”), so easily overlooked. Could
> there be a risk of lingering file capabilities when reconfiguring a
> system?

Does reconfigure leave old setuid binaries laying around in
/run/setuid-programs currently? That sounds like leaking state from
previous generations into the current generation, and should be fixed
if it is indeed the case.

Seems like with setuid/setgid and the proposed privileged binaries, the
setuid/setgid bits and capabilities should be explicitly set on any
defined binaries, and any that are left over in the /run/*-programs
directories should be... forcibly removed! Otherwise your current
system is vulnerable to previous potentially bad choices indefinitely...

Basically, guix system reconfigure should be fastidious and ideally
deterministic with generating and updating /run/*-programs ...

> 2. How ’bout portability to different file systems and to GNU/Hurd?

Currently I *think* /run/setuid-programs is tmpfs (at least on systems
I have used running a linux-libre kernel) ... I do not think this
attempts to change that...; we probably do not need broad filesystem
compatibility, just whatever filesystem /run/*-programs is implemented
on.

And since they are not compatible with GNU/Hurd, then let us drop
support for x86_64-linux, riscv64-linux, ppc64el-linux, arm64-linux,
etc. ... to make sure things are compatible! :P

In all seriousness though, while I appreciate thinking about broad
compatibility across different types of systems, I am a bit nervous
about an approach that would require features to behave compatibly
across all systems...

...though I suspect you were more getting at "What are the consequences
of implementing this for some other system types?"

> 3. What’s the complexity/benefit ratio? :-)
>
> Then there’s the compatibility story with moving from
> /run/setuid-programs to /run/privileged-programs etc. that’ll have to be
> handled with care.

I am less opinionated about adding yet another directory to PATH,
although obviously then you get into the weird issues with old $PATH
values laying around (e.g. not getting the new directory added until
logging out or re-loading the running profile)

> I’m very much sold to the principle of least authority, but I feel like
> POSIX capabilities (not to be confused with “actual” capabilities) are a
> bit of a hack.

And setuid/setgid is not a hack? It seems like essentially the same
thing, just with no granularity...

> Thoughts?

There are some things that are just not possible without capabilities,
and setuid/setgid is a dangerous hammer that should be used very
sparingly, if at all, and capabilities are no *worse* than
setuid/setgid, allowing a finer grained set of problems :)

The need for this functionality has come up more than a few times:

https://issues.guix.gnu.org/27415
https://issues.guix.gnu.org/39136
https://issues.guix.gnu.org/55683

And possibly a few others:

https://issues.guix.gnu.org/search?query=setcap

live well,
vagrant
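The lingering-state concern raised above (old setuid binaries or file capabilities surviving in /run/*-programs after a reconfigure), as an added example that is not code from this thread or from Guix: a POSIX sh audit that compares a /run/*-programs style directory against a declared allowlist and reports every undeclared entry, tagging its setuid/setgid bits and, where the libcap getcap tool is installed, any file capabilities. The directory path and the allowlist file are assumed inputs.

```shell
#!/bin/sh
# Added example, not part of the Guix patch or the discussion: detect
# entries that a deterministic reconfigure should have removed from a
# /run/*-programs directory. Inputs (assumed):
#   DIR      directory to audit, e.g. /run/setuid-programs
#   DECLARED file listing one declared program name per line

# stale_privileged_programs DIR DECLARED
# Prints "<name> undeclared[ setuid][ setgid][ filecaps]" for each entry
# of DIR whose name is not in DECLARED. Declared entries are left alone.
stale_privileged_programs() {
  dir=$1
  declared=$2
  for path in "$dir"/*; do
    [ -e "$path" ] || continue        # empty dir: the glob stays literal
    name=${path##*/}
    if ! grep -qxF -- "$name" "$declared"; then
      tags="undeclared"
      [ -u "$path" ] && tags="$tags setuid"
      [ -g "$path" ] && tags="$tags setgid"
      # File capabilities never show in ls -l; ask getcap when present.
      # getcap prints nothing for a file that carries no capabilities.
      if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$path" 2>/dev/null)
        [ -n "$caps" ] && tags="$tags filecaps"
      fi
      printf '%s %s\n' "$name" "$tags"
    fi
  done
}

# count_stale DIR DECLARED: number of undeclared entries, for use as an
# exit-status style check in a reconfigure hook or a monitoring job.
count_stale() {
  stale_privileged_programs "$1" "$2" | wc -l | tr -d ' '
}
```

Removing the stale entries (or their setuid bits and capabilities) is the follow-up step; the audit only reports, so it can run unprivileged.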