GNU bug report logs - #73750
[PATCH] gnu: system: %default-privileged-programs: Set ping capabilities

Previous Next

Package: guix-patches;

Reported by: Rutherther <rutherther <at> ditigal.xyz>

Date: Fri, 11 Oct 2024 19:51:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Rutherther <rutherther <at> ditigal.xyz>
To: guix-patches <at> gnu.org
Cc: Rutherther <rutherther <at> protonmail.com>
Subject: [PATCH] gnu: system: %default-privileged-programs: Set ping
 capabilities
Date: Fri, 11 Oct 2024 21:49:10 +0200

Ping and ping6 don't need setuid, they can work with
cap_net_raw capability only. This means that even if
ping or ping6 had a vulnerability that could be
used for execution as root, it can't anymore if
the program is not setuid.

* gnu/system.scm (%default-privileged-programs): Remove ping, ping6 setuid
programs, add ping, ping6 programs with cap_net_raw=ep capabilities

Change-Id: Ie409b477f548dbff3318eec33d0d2ca16a1b3209
---
 gnu/system.scm | 43 ++++++++++++++++++++++++-------------------
 1 file changed, 24 insertions(+), 19 deletions(-)

diff --git a/gnu/system.scm b/gnu/system.scm
index 44f93f91d1..c0cda6baa4 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -1249,25 +1249,30 @@ (define (operating-system-environment-variables os)
 
 (define %default-privileged-programs
   (let ((shadow (@ (gnu packages admin) shadow)))
-    (map file-like->setuid-program
-         (list (file-append shadow "/bin/passwd")
-               (file-append shadow "/bin/chfn")
-               (file-append shadow "/bin/sg")
-               (file-append shadow "/bin/su")
-               (file-append shadow "/bin/newgrp")
-               (file-append shadow "/bin/newuidmap")
-               (file-append shadow "/bin/newgidmap")
-               (file-append inetutils "/bin/ping")
-               (file-append inetutils "/bin/ping6")
-               (file-append sudo "/bin/sudo")
-               (file-append sudo "/bin/sudoedit")
-               (file-append fuse-2 "/bin/fusermount")
-               (file-append fuse "/bin/fusermount3")
-
-               ;; To allow mounts with the "user" option, "mount" and "umount" must
-               ;; be setuid-root.
-               (file-append util-linux "/bin/mount")
-               (file-append util-linux "/bin/umount")))))
+    (cons*
+     (privileged-program
+      (program (file-append inetutils "/bin/ping"))
+      (capabilities "cap_net_raw=ep"))
+     (privileged-program
+      (program (file-append inetutils "/bin/ping6"))
+      (capabilities "cap_net_raw=ep"))
+     (map file-like->setuid-program
+          (list (file-append shadow "/bin/passwd")
+                (file-append shadow "/bin/chfn")
+                (file-append shadow "/bin/sg")
+                (file-append shadow "/bin/su")
+                (file-append shadow "/bin/newgrp")
+                (file-append shadow "/bin/newuidmap")
+                (file-append shadow "/bin/newgidmap")
+                (file-append sudo "/bin/sudo")
+                (file-append sudo "/bin/sudoedit")
+                (file-append fuse-2 "/bin/fusermount")
+                (file-append fuse "/bin/fusermount3")
+
+                ;; To allow mounts with the "user" option, "mount" and "umount" must
+                ;; be setuid-root.
+                (file-append util-linux "/bin/mount")
+                (file-append util-linux "/bin/umount"))))))
 
 (define %setuid-programs
   ;; Do not add to this list or use it in new code!  It's defined only to ease

base-commit: b8fd792ea267cb920da0651074a533d8abf00488
-- 
2.46.0
This bug report was last modified 201 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.