On 2023-11-15, Vagrant Cascadian wrote:
> On 2023-07-21, Vagrant Cascadian wrote:
>> Thanks for the refreshed v2 patches! I gave them a quick spin...
>>
>> As noted on IRC, apparently it lacks actual calls to setcap, so that
>> part still needs another patch at least!
>>
>> Otherwise, it did seem to more-or-less work...
>
> I did eventually get some updated patches that even followed through on
> the promise of calling out to setcap, and from what I recall they even
> worked! I liked them a lot.
>
>
>> There are compatibility symlinks from /run/setuid-programs to
>> /run/privledged/bin and it sets setuid on requested files.
>>
>> I was a little curious about why /run/privlidged/bin as opposed to
>> without /bin ... keeping the door open for other privileged things? What
>> about things that come from /gnu/store/*/sbin ? Are those handled any
>> differently?
>
> Working patches aside, that is my only outstanding question, and I would
> hate to see that be a blocker. :)

I just noticed I pushed a branch with the working patches to a public
branch last month:

  https://salsa.debian.org/debian/guix/-/tree/capabilities-61462-20231115?ref_type=heads

They are even still cherry-pickable from current master! Yay!

These patches were started over a year ago (well, probably before that,
even), and had a working implementation about 6 months ago...

My guess is the main blocker is nervousness about renaming
setuid-programs to privilidged-programs (I know I am a bit nervous to do
so!)?

This would make it possible to properly fix several bugs:

  https://issues.guix.gnu.org/27415
  https://issues.guix.gnu.org/39136
  https://issues.guix.gnu.org/39136
  https://issues.guix.gnu.org/55683

And have been mentioned indirectly in several others over the years:

  https://issues.guix.gnu.org/search?query=setcap

live well,
  vagrant