GNU bug report logs - #73750
[PATCH] gnu: system: %default-privileged-programs: Set ping capabilities


Package: guix-patches;

Reported by: Rutherther <rutherther <at> ditigal.xyz>

Date: Fri, 11 Oct 2024 19:51:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 73750 in the body.
You can then email your comments to 73750 AT debbugs.gnu.org in the normal way.



Report forwarded to guix-patches <at> gnu.org:
bug#73750; Package guix-patches. (Fri, 11 Oct 2024 19:51:01 GMT)

Acknowledgement sent to Rutherther <rutherther <at> ditigal.xyz>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 11 Oct 2024 19:51:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Rutherther <rutherther <at> ditigal.xyz>
To: guix-patches <at> gnu.org
Cc: Rutherther <rutherther <at> protonmail.com>
Subject: [PATCH] gnu: system: %default-privileged-programs: Set ping capabilities
Date: Fri, 11 Oct 2024 21:49:10 +0200
Ping and ping6 don't need setuid, they can work with
cap_net_raw capability only. This means that even if
ping or ping6 had a vulnerability that could be
used for execution as root, it can't anymore if
the program is not setuid.

* gnu/system.scm (%default-privileged-programs): Remove ping, ping6 setuid
programs, add ping, ping6 programs with cap_net_raw=ep capabilities

Change-Id: Ie409b477f548dbff3318eec33d0d2ca16a1b3209
---
 gnu/system.scm | 43 ++++++++++++++++++++++++-------------------
 1 file changed, 24 insertions(+), 19 deletions(-)

diff --git a/gnu/system.scm b/gnu/system.scm
index 44f93f91d1..c0cda6baa4 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -1249,25 +1249,30 @@ (define (operating-system-environment-variables os)
 
 (define %default-privileged-programs
   (let ((shadow (@ (gnu packages admin) shadow)))
-    (map file-like->setuid-program
-         (list (file-append shadow "/bin/passwd")
-               (file-append shadow "/bin/chfn")
-               (file-append shadow "/bin/sg")
-               (file-append shadow "/bin/su")
-               (file-append shadow "/bin/newgrp")
-               (file-append shadow "/bin/newuidmap")
-               (file-append shadow "/bin/newgidmap")
-               (file-append inetutils "/bin/ping")
-               (file-append inetutils "/bin/ping6")
-               (file-append sudo "/bin/sudo")
-               (file-append sudo "/bin/sudoedit")
-               (file-append fuse-2 "/bin/fusermount")
-               (file-append fuse "/bin/fusermount3")
-
-               ;; To allow mounts with the "user" option, "mount" and "umount" must
-               ;; be setuid-root.
-               (file-append util-linux "/bin/mount")
-               (file-append util-linux "/bin/umount")))))
+    (cons*
+     (privileged-program
+      (program (file-append inetutils "/bin/ping"))
+      (capabilities "cap_net_raw=ep"))
+     (privileged-program
+      (program (file-append inetutils "/bin/ping6"))
+      (capabilities "cap_net_raw=ep"))
+     (map file-like->setuid-program
+          (list (file-append shadow "/bin/passwd")
+                (file-append shadow "/bin/chfn")
+                (file-append shadow "/bin/sg")
+                (file-append shadow "/bin/su")
+                (file-append shadow "/bin/newgrp")
+                (file-append shadow "/bin/newuidmap")
+                (file-append shadow "/bin/newgidmap")
+                (file-append sudo "/bin/sudo")
+                (file-append sudo "/bin/sudoedit")
+                (file-append fuse-2 "/bin/fusermount")
+                (file-append fuse "/bin/fusermount3")
+
+                ;; To allow mounts with the "user" option, "mount" and "umount" must
+                ;; be setuid-root.
+                (file-append util-linux "/bin/mount")
+                (file-append util-linux "/bin/umount"))))))
 
 (define %setuid-programs
   ;; Do not add to this list or use it in new code!  It's defined only to ease
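Review bot: the two new privileged-program entries at the head of the cons* carry no comment explaining why ping and ping6 are granted "cap_net_raw=ep" instead of setuid-root, while the mount/umount entries a few lines below keep a comment justifying their setuid bit; add a short comment above the first ping entry (for example ";; ping and ping6 only need to open raw sockets, not run as root.") so a later reader does not move them back into the file-like->setuid-program list. That comment is also the place to say that cap_net_raw is still a sensitive capability (it allows sending and receiving raw packets on any interface), so the change bounds what a compromised ping can do rather than removing privilege. Minor style point: the two entries differ only in the program path, so a (map (lambda (program) (privileged-program (program program) (capabilities "cap_net_raw=ep"))) (list (file-append inetutils "/bin/ping") (file-append inetutils "/bin/ping6"))) would keep them in the same shape as the setuid list that follows. Worth checking after reconfiguring that getcap on the installed ping reports cap_net_raw=ep and that its mode no longer has the setuid bit.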

base-commit: b8fd792ea267cb920da0651074a533d8abf00488
-- 
2.46.0

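The following is an added example, not code from the patch above or from the Guix tree. It shows how an operating-system declaration can build its own privileged-programs list in the style of the hunk: ping gets a file capability, while only the programs that genuinely need uid 0 stay setuid. The setuid? field, the (gnu system privilege) module path and the package modules for inetutils, shadow and sudo are assumptions; privileged-program, program, capabilities, file-like->setuid-program and %default-privileged-programs are the names visible in the patch.

```scheme
;; Added example, not part of the patch or of Guix itself.
;; Assumptions: privileged-program is exported by (gnu system privilege)
;; and has a boolean `setuid?' field alongside the `program' and
;; `capabilities' fields seen in the patch; inetutils, shadow and sudo
;; come from (gnu packages admin).
(use-modules (gnu)
             (gnu system privilege)
             (gnu packages admin))

;; Weak form (what the patch removes): the whole ping process runs as
;; uid 0, so any memory-safety bug in ping is a root compromise.
(define ping-setuid
  (privileged-program
   (program (file-append inetutils "/bin/ping"))
   (setuid? #t)))

;; Hardened form (what the patch adds): the process keeps the caller's
;; uid and gains only CAP_NET_RAW in its permitted (p) and effective (e)
;; sets, which is all that opening a raw ICMP socket requires.  A bug in
;; ping now yields raw-socket access, not root.
(define ping-capabilities
  (privileged-program
   (program (file-append inetutils "/bin/ping"))
   (capabilities "cap_net_raw=ep")))

;; Programs for which there is no capability-based alternative here:
;; they must really change uid or write protected files.
(define %my-setuid-programs
  (map file-like->setuid-program
       (list (file-append shadow "/bin/passwd")
             (file-append shadow "/bin/su")
             (file-append sudo "/bin/sudo"))))

(operating-system
  (host-name "example")
  (timezone "Etc/UTC")
  (locale "en_US.utf8")
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda"))))
  (file-systems (cons (file-system
                        (device (file-system-label "root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  ;; An explicit list replaces %default-privileged-programs entirely, so
  ;; ping-setuid is deliberately absent: only the capability form is
  ;; installed.  To extend the defaults instead, use
  ;; (cons ping-capabilities %default-privileged-programs).
  (privileged-programs
   (cons ping-capabilities %my-setuid-programs)))
```

Listing the privileged programs explicitly rather than extending the defaults is what makes the difference visible: every entry is either a capability grant or a setuid program with a reason to be one, and nothing is setuid-root merely by inheritance.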



Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Sun, 03 Nov 2024 22:06:02 GMT)

Notification sent to Rutherther <rutherther <at> ditigal.xyz>:
bug acknowledged by developer. (Sun, 03 Nov 2024 22:06:02 GMT)

Message #10 received at 73750-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Rutherther <rutherther <at> ditigal.xyz>
Cc: Rutherther <rutherther <at> protonmail.com>,
 Tobias Geerinckx-Rice <me <at> tobias.gr>, 73750-done <at> debbugs.gnu.org
Subject: Re: [bug#73750] [PATCH] gnu: system: %default-privileged-programs: Set ping capabilities
Date: Sun, 03 Nov 2024 23:02:49 +0100
Rutherther <rutherther <at> ditigal.xyz> writes:

> Ping and ping6 don't need setuid, they can work with
> cap_net_raw capability only. This means that even if
> ping or ping6 had a vulnerability that could be
> used for execution as root, it can't anymore if
> the program is not setuid.
>
> * gnu/system.scm (%default-privileged-programs): Remove ping, ping6 setuid
> programs, add ping, ping6 programs with cap_net_raw=ep capabilities
>
> Change-Id: Ie409b477f548dbff3318eec33d0d2ca16a1b3209

Applied, thanks!

Indeed, that was the whole point of the work on privileged programs
carried out by Tobias.  Nice to see it in action!

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 02 Dec 2024 12:24:06 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.