From: Rutherther
To: guix-patches@gnu.org
Cc: Rutherther
Subject: [PATCH] gnu: system: %default-privileged-programs: Set ping capabilities
Date: Fri, 11 Oct 2024 21:49:10 +0200
Message-ID: <17684ddc94ff580df1e1db89a8224b5f9a21bbb4.1728675695.git.rutherther@protonmail.com>

Ping and ping6 don't need setuid, they can work with cap_net_raw capability only. This means that even if ping or ping6 had a vulnerability that could be used for execution as root, it can't anymore if the program is not setuid.

* gnu/system.scm (%default-privileged-programs): Remove ping, ping6 setuid programs, add ping, ping6 programs with cap_net_raw=ep capabilities Change-Id: Ie409b477f548dbff3318eec33d0d2ca16a1b3209 --- gnu/system.scm | 43 ++++++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/gnu/system.scm b/gnu/system.scm index 44f93f91d1..c0cda6baa4 100644 --- a/gnu/system.scm +++ b/gnu/system.scm 
@@ -1249,25 +1249,30 @@ (define (operating-system-environment-variables os) (define %default-privileged-programs (let ((shadow (@ (gnu packages admin) shadow))) - (map file-like->setuid-program - (list (file-append shadow "/bin/passwd") - (file-append shadow "/bin/chfn") - (file-append shadow "/bin/sg") - (file-append shadow "/bin/su") - (file-append shadow "/bin/newgrp") - (file-append shadow "/bin/newuidmap") - (file-append shadow "/bin/newgidmap") - (file-append inetutils "/bin/ping") - (file-append inetutils "/bin/ping6") - (file-append sudo "/bin/sudo") - (file-append sudo "/bin/sudoedit") - (file-append fuse-2 "/bin/fusermount") - (file-append fuse "/bin/fusermount3") - - ;; To allow mounts with the "user" option, "mount" and "umount" must - ;; be setuid-root. - (file-append util-linux "/bin/mount") - (file-append util-linux "/bin/umount"))))) + (cons* + (privileged-program + (program (file-append inetutils "/bin/ping")) + (capabilities "cap_net_raw=ep")) + (privileged-program + (program (file-append inetutils "/bin/ping6")) + (capabilities "cap_net_raw=ep")) + (map file-like->setuid-program + (list (file-append shadow "/bin/passwd") + (file-append shadow "/bin/chfn") + (file-append shadow "/bin/sg") + (file-append shadow "/bin/su") + (file-append shadow "/bin/newgrp") + (file-append shadow "/bin/newuidmap") + (file-append shadow "/bin/newgidmap") + (file-append sudo "/bin/sudo") + (file-append sudo "/bin/sudoedit") + (file-append fuse-2 "/bin/fusermount") + (file-append fuse "/bin/fusermount3") + + ;; To allow mounts with the "user" option, "mount" and "umount" must + ;; be setuid-root. + (file-append util-linux "/bin/mount") + (file-append util-linux "/bin/umount")))))) (define %setuid-programs ;; Do not add to this list or use it in new code! 
It's defined only to ease base-commit: b8fd792ea267cb920da0651074a533d8abf00488 -- 2.46.0
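
Review bot: the two new `privileged-program` entries for ping and ping6 at the head of the `cons*` have no comment explaining why they are given `(capabilities "cap_net_raw=ep")` instead of going through `file-like->setuid-program`, whereas the mount/umount entries further down in the same list do carry a rationale comment. A short comment above them (for example, that a raw socket is the only privilege ping needs, so the binaries are deliberately not setuid-root) would keep a later edit from moving them back into the setuid list. The two forms also differ only in the file name, so they could be produced by mapping one lambda over "/bin/ping" and "/bin/ping6", which keeps the capability string in a single place.
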
From: Ludovic Courtès
To: Rutherther
Cc: Rutherther, Tobias Geerinckx-Rice, 73750-done@debbugs.gnu.org
Subject: Re: [bug#73750] [PATCH] gnu: system: %default-privileged-programs: Set ping capabilities
Date: Sun, 03 Nov 2024 23:02:49 +0100
Message-ID: <87ldy0kmba.fsf@gnu.org>

Rutherther wrote:

> Ping and ping6 don't need setuid, they can work with
> cap_net_raw capability only. This means that even if
> ping or ping6 had a vulnerability that could be
> used for execution as root, it can't anymore if
> the program is not setuid.
>
> * gnu/system.scm (%default-privileged-programs): Remove ping, ping6 setuid
> programs, add ping, ping6 programs with cap_net_raw=ep capabilities
>
> Change-Id: Ie409b477f548dbff3318eec33d0d2ca16a1b3209

Applied, thanks!

Indeed, that was the whole point of the work on privileged programs carried out by Tobias. Nice to see it in action!

Ludo’.