GNU bug report logs - #61462
Add support for file capabilities(7)


Package: guix-patches;

Reported by: Tobias Geerinckx-Rice <me <at> tobias.gr>

Date: Sun, 12 Feb 2023 20:46:01 UTC

Severity: normal

Tags: patch

Done: Tobias Geerinckx-Rice <me <at> tobias.gr>

Bug is archived. No further changes may be made.




From: Ludovic Courtès <ludo <at> gnu.org>
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: 61462 <at> debbugs.gnu.org
Subject: [bug#61462] Add support for file capabilities(7)
Date: Sat, 04 Mar 2023 17:55:59 +0100
Hi!

Tobias Geerinckx-Rice <me <at> tobias.gr> skribis:

> I need to offload some of my eternally rebased local patches. Here's
> one that makes it easy to assign capabilities(7) — currently through
> setcap(8) — to programmes like we can set{u,g}id.
>
> There are many packages that benefit from this.  Mine are:
>
>  (privileged-programs
>    (cons* (privileged-program
>            (file-append mtr "/sbin/mtr")
>            (capabilities "cap_net_raw+ep"))
>           (privileged-program
>            (file-append nethogs "/sbin/nethogs")
>            (capabilities "cap_net_admin,cap_net_raw+ep"))
>           (privileged-program
>            (file-append light "/bin/light")
>            (setuid? #t))
>           %default-privileged-programs))

Neat!

> The set's over a year old and needs a bit of love.  Some details might
> have bitrot, I probably forgot a to-do or two in that year, and
> there's something unguixy about calling setcap(8) instead of writing a
> completely new Guile binding/module :-)
>
> I'm quite opinionated about the setuid-programs unification: there
> should not be multiple confusing and masking layers of privilege, and
> it should be possible to setgid a capable executable.

So you mean that ‘privileged-programs’ should entirely replace
‘setuid-programs’, right?

I’m a bit unsure about using file capabilities:

  1. File capabilities are persistent and less visible than setuid bits
     (you won’t see them with “ls -l”), so easily overlooked.  Could
     there be a risk of lingering file capabilities when reconfiguring a
     system?

  2. How ’bout portability to different file systems and to GNU/Hurd?

  3. What’s the complexity/benefit ratio?  :-)

Then there’s the compatibility story with moving from
/run/setuid-programs to /run/privileged-programs etc. that’ll have to be
handled with care.

I’m very much sold on the principle of least authority, but I feel like
POSIX capabilities (not to be confused with “actual” capabilities) are a
bit of a hack.

Thoughts?

Ludo’.
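Ludo's first point, that file capabilities do not show up in "ls -l" and so can linger unnoticed after a reconfiguration, is exactly the kind of thing an operator wants to audit mechanically. The following is an added example, written for this page and not code from the patch or from Guix: it reads the security.capability extended attribute directly (the same attribute setcap(8) writes), decodes the vfs_cap_data / vfs_ns_cap_data layout from linux/capability.h (little-endian; revision 1 has one 32-bit word pair, revisions 2 and 3 have two, revision 3 appends a user-namespace root uid), renders the result in getcap(8)-style text, and diffs what is found on disk against an allowlist of expected (path, caps) entries. The capability numbering table, the sample xattr byte strings and the allowlist are constructed for the example; the directory scan needs Linux and a filesystem with xattr support, but the decoder and the diff run anywhere.

```python
"""Audit Linux file capabilities by decoding the security.capability xattr."""
import os
import struct
import sys
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Capability numbers from linux/capability.h: CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40.
CAP_NAMES = (
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
)
XATTR = "security.capability"
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # low bit of magic_etc: "effective" applies to all permitted caps


@dataclass(frozen=True)
class FileCaps:
    revision: int
    effective: bool
    permitted: int          # 64-bit mask
    inheritable: int        # 64-bit mask
    rootid: Optional[int]   # uid of the owning user namespace's root, revision 3 only


def cap_names(mask: int) -> List[str]:
    """Capability names for the bits set in `mask`, lowest number first."""
    return [f"cap_{CAP_NAMES[i]}" if i < len(CAP_NAMES) else str(i)
            for i in range(64) if mask >> i & 1]


def decode_security_capability(raw: bytes) -> FileCaps:
    """Parse a raw security.capability xattr value (struct vfs_cap_data, little-endian)."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc >> 24
    words = {1: 1, 2: 2, 3: 2}.get(revision)
    if words is None:
        raise ValueError(f"unknown VFS_CAP_REVISION {revision}")
    expected = 4 + 8 * words + (4 if revision == 3 else 0)
    if len(raw) != expected:
        raise ValueError(f"revision {revision} needs {expected} bytes, got {len(raw)}")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * words)[0] if revision == 3 else None
    return FileCaps(revision, bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE), permitted, inheritable, rootid)


def to_text(caps: FileCaps) -> str:
    """Render like getcap(8): caps grouped by flag set, e.g. 'cap_net_admin,cap_net_raw=ep'."""
    groups: Dict[str, List[str]] = {}
    for i in range(64):
        bit = 1 << i
        flags = ""
        if caps.effective and caps.permitted & bit:
            flags += "e"
        if caps.inheritable & bit:
            flags += "i"
        if caps.permitted & bit:
            flags += "p"
        if flags:
            groups.setdefault(flags, []).append(cap_names(bit)[0])
    return " ".join(f"{','.join(names)}={flags}" for flags, names in groups.items())


def scan_file_caps(root: str) -> Iterator[Tuple[str, FileCaps]]:
    """Yield (path, caps) for every file under `root` that carries the xattr (Linux only)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, XATTR, follow_symlinks=False)
            except OSError:  # ENODATA (no caps), ENOTSUP, EACCES: nothing to report
                continue
            yield path, decode_security_capability(raw)


def unexpected_caps(found: Dict[str, str], expected: Dict[str, str]) -> Dict[str, str]:
    """Entries of `found` (path -> getcap text) that are absent from or differ from the allowlist."""
    return {path: text for path, text in found.items() if expected.get(path) != text}


# Constructed sample xattr values (not read from any real system):
SAMPLE_NET_RAW_EP = struct.pack("<5I", 0x02000001, 1 << 13, 0, 0, 0)           # revision 2, cap_net_raw+ep
SAMPLE_NET_ADMIN_RAW_V3 = struct.pack("<6I", 0x03000001, (1 << 12) | (1 << 13),
                                      0, 0, 0, 100000)                          # revision 3, rootid 100000

if __name__ == "__main__":
    # Hypothetical allowlist; on a Guix system this would be generated from the declared privileged programs.
    allow = {"/run/privileged-programs/mtr": "cap_net_raw=ep"}
    found = {p: to_text(c) for p, c in scan_file_caps(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin")}
    for path, text in unexpected_caps(found, allow).items():
        print(f"unexpected file capability: {path} {text}")
```

Run it against the directory that holds the privileged wrappers, or against a store prefix after a reconfiguration, and anything not in the allowlist is a candidate for the "lingering capability" Ludo is worried about. The decoder deliberately rejects unknown revisions and wrong lengths rather than guessing, since a malformed xattr is itself worth reporting.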







GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.