GNU bug report logs - #61462
Add support for file capabilities(7)


Package: guix-patches;

Reported by: Tobias Geerinckx-Rice <me <at> tobias.gr>

Date: Sun, 12 Feb 2023 20:46:01 UTC

Severity: normal

Tags: patch

Done: Tobias Geerinckx-Rice <me <at> tobias.gr>

Bug is archived. No further changes may be made.


From: Vagrant Cascadian <vagrant <at> debian.org>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>, 61462 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>, brian <bjc <at> spork.org>
Subject: [bug#61462] Add support for file capabilities(7)
Date: Sat, 23 Dec 2023 16:34:11 -0800
On 2023-11-15, Vagrant Cascadian wrote:
> On 2023-07-21, Vagrant Cascadian wrote:
>> Thanks for the refreshed v2 patches! I gave them a quick spin...
>>
>> As noted on IRC, apparently it lacks actual calls to setcap, so that
>> part still needs another patch at least!
>>
>> Otherwise, it did seem to more-or-less work...
>
> I did eventually get some updated patches that even followed through on
> the promise of calling out to setcap, and from what I recall they even
> worked! I liked them a lot.
>
>
>> There are compatibility symlinks from /run/setuid-programs to
>> /run/privileged/bin and it sets setuid on requested files.
>>
>> I was a little curious about why /run/privileged/bin as opposed to
>> without /bin ... keeping the door open for other privileged things? What
>> about things that come from /gnu/store/*/sbin ? are those handled any
>> differently?
>
> Working patches aside, that is my only outstanding question, and I would
> hate to see that be a blocker. :)

I just noticed I pushed a branch with the working patches to a public
branch last month:

  https://salsa.debian.org/debian/guix/-/tree/capabilities-61462-20231115?ref_type=heads

They are even still cherry-pickable from current master! Yay!

These patches were started over a year ago (well, probably before that,
even), and had a working implementation about 6 months ago...

My guess is the main blocker is nervousness about renaming
setuid-programs to privileged-programs (I know I am a bit nervous to do
so!)?


This would make it possible to properly fix several bugs:

  https://issues.guix.gnu.org/27415
  https://issues.guix.gnu.org/39136
  https://issues.guix.gnu.org/55683

And have been mentioned indirectly in several others over the years:

  https://issues.guix.gnu.org/search?query=setcap


live well,
  vagrant
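An added example, not part of this thread or of the Guix patches it discusses: a small POSIX shell audit that walks a directory of privileged programs (such as /run/privileged/bin, or the compatibility /run/setuid-programs) and reports, per entry, the resolved target, whether the setuid bit is set, and any file capabilities getcap(8) reports, so an administrator can see which programs still carry full setuid root rather than a narrow capability. The directory paths and the output format are assumptions; getcap is optional and the capability column reads "unknown" without it.

```shell
#!/bin/sh
# Audit a directory of privileged programs.
# Output, one line per entry:  name  setuid|nosuid  <capabilities|none|unknown>  target
# Assumed layout (as in the Guix patches discussed above): a directory of
# symlinks or files, e.g. /run/privileged/bin or /run/setuid-programs.

audit_privileged_dir() {
  dir=$1
  for entry in "$dir"/*; do
    [ -e "$entry" ] || continue                  # skip dangling links / empty dir
    # Follow compatibility symlinks so the mode and caps of the real file are read.
    target=$(readlink -f "$entry" 2>/dev/null) || target=$entry
    # POSIX test -u: true when the setuid bit is set on the file.
    if [ -u "$target" ]; then suid=setuid; else suid=nosuid; fi
    if command -v getcap >/dev/null 2>&1; then
      # getcap prints "<path> = caps" (older libcap) or "<path> caps" (newer);
      # strip the path and the separator to keep just the capability string.
      caps=$(getcap "$target" 2>/dev/null)
      caps=${caps#"$target"}
      caps=$(printf '%s' "$caps" | sed 's/^[ =]*//')
      [ -n "$caps" ] || caps=none
    else
      caps=unknown
    fi
    printf '%s %s %s %s\n' "$(basename "$entry")" "$suid" "$caps" "$target"
  done
}

# Count how many entries still rely on the setuid bit (a quick overprivilege metric).
count_setuid() {
  audit_privileged_dir "$1" | grep -c ' setuid '
}

# Stand-alone use: ./audit.sh /run/privileged/bin
if [ "$#" -gt 0 ]; then
  audit_privileged_dir "$1"
  printf 'setuid entries: %s\n' "$(count_setuid "$1")"
fi
```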
