From: "Ludovic Courtès" <ludo@gnu.org>
To: Vagrant Cascadian <vagrant@debian.org>
Cc: Tobias Geerinckx-Rice <me@tobias.gr>, 61462@debbugs.gnu.org
Subject: [bug#61462] Add support for file capabilities(7)
Date: Tue, 18 Apr 2023 15:14:16 +0200 [thread overview]
Message-ID: <87o7nlwcwn.fsf_-_@gnu.org> (raw)
In-Reply-To: <87cz4y6a86.fsf@contorta> (Vagrant Cascadian's message of "Thu, 23 Mar 2023 21:31:53 -0700")
Hi Vagrant & Tobias,
Sorry for the late reply!
Vagrant Cascadian <vagrant@debian.org> skribis:
>>> I'm quite opinionated about the setuid-programs unification: there
>>> should not be multiple confusing and masking layers of privilege, and
>>> it should be possible to setgid a capable executable.
>>
>> So you mean that ‘privileged-programs’ should entirely replace
>> ‘setuid-programs’, right?
>>
>> I’m a bit unsure about using file capabilities:
>>
>> 1. File capabilities are persistent and less visible than setuid bits
>> (you won’t see them with “ls -l”), so easily overlooked. Could
>> there be a risk of lingering file capabilities when reconfiguring a
>> system?
>
> Does reconfigure leave old setuid binaries laying around in
> /run/setuid-programs currently?
No: ‘activate-setuid-programs’ first deletes /run/setuid-programs/*,
then populates it.
> Seems like with setuid/setgid and the proposed priviledged binaries, the
> setuid/setgid bits and capabilties should be explicitly set on any
> defined binaries, and any that are left over in the /run/*-programs
> directories should be... forcibly removed! Otherwise your current system
> is vulnerable to previous potentially bad choices indefinitely...
Right, so in that sense it’s no different from setuid binaries, other
than the fact that “ls -l” won’t show it.
>> 2. How ’bout portability to different file systems and to GNU/Hurd?
>
> Currently I *think* /run/setuid-programs is tmpfs
It’s not by default.
[...]
> In all seriousness though, while I appreciate thinking about broad
> compatibility across different types of systems, I am a bit nervous
> about an approach that would require features to behave compatibly
> across all systems...
I guess All I’m saying is that we should keep this in mind.
Perhaps the hypothetical ‘activate-privileged-programs’ procedure would
fall back to setuid-root on GNU/Hurd or do some other Hurd-specific
thing. We don’t need to go too far, but we do need to give it some
thought IMO.
>> I’m very much sold to the principle of least authority, but I feel like
>> POSIX capabilities (not to be confused with “actual” capabilities) are a
>> bit of a hack.
>
> And setuid/setgid is not a hack? It seems like essentially the same
> thing, just with no granularity...
That’s right!
> There are some things that are just not possible without capabilities,
> and setuid/setgid is a dangerous hammer that should be used very
> sparingly, if at all, and capabilities are no *worse* that
> setuid/setgid, allowing a finer grained set of problems :)
>
> The need for this functionality has come up more than a few times:
>
> https://issues.guix.gnu.org/27415
> https://issues.guix.gnu.org/39136
> https://issues.guix.gnu.org/55683
Right; thanks for digging the references.
I wouldn’t want to block this change. Tobias, if you’re around, let’s
look more closely how we can address Hurd suppot and backward
compatibility.
Thanks,
Ludo’.
next prev parent reply other threads:[~2023-04-18 13:15 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-12 20:37 [bug#61462] Add support for file capabilities(7) Tobias Geerinckx-Rice via Guix-patches via
2023-02-05 0:00 ` [bug#61462] [PATCH 01/10] system: Disallow file-like setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-02-05 0:00 ` [bug#61462] [PATCH 02/10] services: setuid-program: Populate /run/privileged/bin Tobias Geerinckx-Rice via Guix-patches via
2023-02-05 0:00 ` [bug#61462] [PATCH 03/10] system: Use /run/privileged/bin in search paths Tobias Geerinckx-Rice via Guix-patches via
2023-02-05 0:00 ` [bug#61462] [PATCH 04/10] gnu: Replace (almost) all uses of /run/setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-02-05 0:00 ` [bug#61462] [PATCH 05/10] system: Add (gnu system privilege) Tobias Geerinckx-Rice via Guix-patches via
2023-02-05 0:00 ` [bug#61462] [PATCH 06/10] system: (gnu system setuid) wraps " Tobias Geerinckx-Rice via Guix-patches via
2023-02-05 0:00 ` [bug#61462] [PATCH 07/10] build: Rename activate-setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-02-05 0:00 ` [bug#61462] [PATCH 08/10] services: Rename setuid-program-service-type Tobias Geerinckx-Rice via Guix-patches via
2023-02-05 0:00 ` [bug#61462] [PATCH 09/10] system: Use privileged-program-service-type by default Tobias Geerinckx-Rice via Guix-patches via
2023-02-05 0:00 ` [bug#61462] [PATCH 10/10] system: Add privileged-programs to <operating-system> Tobias Geerinckx-Rice via Guix-patches via
2023-02-12 21:05 ` [bug#61462] Add support for file capabilities(7) Tobias Geerinckx-Rice via Guix-patches via
2023-03-04 16:55 ` Ludovic Courtès
2023-03-24 4:31 ` Vagrant Cascadian via Guix-patches
2023-04-18 13:14 ` Ludovic Courtès [this message]
2023-04-18 19:38 ` Vagrant Cascadian
2023-04-20 10:33 ` Ludovic Courtès
2023-07-15 23:59 ` [bug#61462] [PATCH v2 01/10] system: Disallow file-like setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59 ` [bug#61462] [PATCH v2 02/10] services: setuid-program: Populate /run/privileged/bin Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59 ` [bug#61462] [PATCH v2 03/10] system: Use /run/privileged/bin in search paths Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59 ` [bug#61462] [PATCH v2 04/10] gnu: Replace (almost) all uses of /run/setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59 ` [bug#61462] [PATCH v2 05/10] system: Add (gnu system privilege) Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59 ` [bug#61462] [PATCH v2 06/10] system: (gnu system setuid) wraps " Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59 ` [bug#61462] [PATCH v2 07/10] build: Rename activate-setuid-programs Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59 ` [bug#61462] [PATCH v2 08/10] services: Rename setuid-program-service-type Tobias Geerinckx-Rice via Guix-patches via
2023-07-15 23:59 ` [bug#61462] [PATCH v2 09/10] system: Use privileged-program-service-type by default Tobias Geerinckx-Rice via Guix-patches via
2023-07-16 0:00 ` [bug#61462] [PATCH v2 10/10] system: Add privileged-programs to <operating-system> Tobias Geerinckx-Rice via Guix-patches via
2023-07-21 18:53 ` [bug#61462] Add support for file capabilities(7) Vagrant Cascadian
2023-07-21 19:11 ` Vagrant Cascadian
2023-08-08 15:40 ` Ludovic Courtès
2023-08-29 20:29 ` [bug#61462] /run should be cleaned on boot Vagrant Cascadian
[not found] ` <87o7ipvbhh.fsf__48662.4622646318$1693341314$gmane$org@wireframe>
2023-08-29 21:21 ` bug#64775: " brian via Bug reports for GNU Guix
2023-11-15 21:37 ` [bug#61462] Add support for file capabilities(7) Vagrant Cascadian
2023-12-24 0:34 ` Vagrant Cascadian
2024-01-08 16:45 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o7nlwcwn.fsf_-_@gnu.org \
--to=ludo@gnu.org \
--cc=61462@debbugs.gnu.org \
--cc=me@tobias.gr \
--cc=vagrant@debian.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.