GNU bug report logs - #61462
Add support for file capabilities(7)


Package: guix-patches;

Reported by: Tobias Geerinckx-Rice <me <at> tobias.gr>

Date: Sun, 12 Feb 2023 20:46:01 UTC

Severity: normal

Tags: patch

Done: Tobias Geerinckx-Rice <me <at> tobias.gr>

Bug is archived. No further changes may be made.


From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: 61462 <at> debbugs.gnu.org
Subject: [bug#61462] Add support for file capabilities(7)
Date: Sun, 12 Feb 2023 21:37:54 +0100
Hi Guix,

I need to offload some of my eternally rebased local patches. 
Here's one that makes it easy to assign capabilities(7) — 
currently through setcap(8) — to programmes like we can 
set{u,g}id.

There are many packages that benefit from this.  Mine are:

 ;; Each privileged-program names an executable and the privilege it
 ;; gets: either a capabilities(7) text string applied via setcap(8),
 ;; or the classic setuid bit.
 (privileged-programs
   (cons* (privileged-program
           (file-append mtr "/sbin/mtr")
           (capabilities "cap_net_raw+ep"))
          (privileged-program
           (file-append nethogs "/sbin/nethogs")
           ;; Two capabilities in one clause, both effective + permitted.
           (capabilities "cap_net_admin,cap_net_raw+ep"))
          (privileged-program
           (file-append light "/bin/light")
           (setuid? #t))
          %default-privileged-programs))

The set's over a year old and needs a bit of love.  Some details 
might have bitrot, I probably forgot a to-do or two in that year, 
and there's something unguixy about calling setcap(8) instead of 
writing a completely new Guile binding/module :-)

I'm quite opinionated about the setuid-programs unification: there 
should not be multiple confusing and masking layers of privilege, 
and it should be possible to setgid a capable executable.

Kind regards,

T G-R
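Because the capability strings above are handed to setcap(8) verbatim, a misspelled name (say `cap_new_raw` for `cap_net_raw`) is only caught when activation runs setcap and it fails. The following POSIX sh function is an added example, not part of the patch or of Guix: it checks a capability text string against the clause syntax setcap accepts (comma-separated names, then `+`, `-` or `=` with `e`, `i`, `p` flags) and against the capability names listed in capabilities(7), so a configuration can be validated before it is deployed.

```shell
#!/bin/sh
# Capability names from capabilities(7), lower-case as setcap(8) expects.
KNOWN_CAPS="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill"
KNOWN_CAPS="$KNOWN_CAPS cap_setgid cap_setuid cap_setpcap cap_linux_immutable"
KNOWN_CAPS="$KNOWN_CAPS cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw"
KNOWN_CAPS="$KNOWN_CAPS cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot"
KNOWN_CAPS="$KNOWN_CAPS cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice"
KNOWN_CAPS="$KNOWN_CAPS cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease"
KNOWN_CAPS="$KNOWN_CAPS cap_audit_write cap_audit_control cap_setfcap cap_mac_override"
KNOWN_CAPS="$KNOWN_CAPS cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend cap_audit_read"
KNOWN_CAPS="$KNOWN_CAPS cap_perfmon cap_bpf cap_checkpoint_restore"

# validate_caps "cap_net_admin,cap_net_raw+ep"
# Returns 0 when every whitespace-separated clause is well-formed and every
# capability name is known (or the keyword "all"); returns 1 otherwise,
# with a short diagnostic on stderr.
validate_caps() {
  text=$1
  for clause in $text; do
    names=${clause%%[+=-]*}     # everything before the first action operator
    actions=${clause#"$names"}  # the operator(s) and flag letters that follow
    [ -n "$names" ] && [ -n "$actions" ] || {
      echo "malformed clause: $clause" >&2; return 1; }
    case "$actions" in
      *[!+=eip-]*) echo "bad action list in: $clause" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    for name in $names; do
      IFS=$old_ifs
      case " $KNOWN_CAPS " in
        *" $name "*) ;;
        *) [ "$name" = all ] || {
             echo "unknown capability: $name" >&2; return 1; } ;;
      esac
    done
    IFS=$old_ifs
  done
  return 0
}

# Constructed sample strings: one valid, one with a misspelled name.
validate_caps "cap_net_admin,cap_net_raw+ep" && echo "ok: nethogs string"
validate_caps "cap_net_admin,cap_new_raw+ep" || echo "rejected misspelled string"
```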
