[bug#61462] Add support for file capabilities(7)
From: Ludovic Courtès
Subject: [bug#61462] Add support for file capabilities(7)
Date: Sat, 04 Mar 2023 17:55:59 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
Hi!
Tobias Geerinckx-Rice <me@tobias.gr> writes:
> I need to offload some of my eternally rebased local patches. Here's
> one that makes it easy to assign capabilities(7) — currently through
> setcap(8) — to programmes like we can set{u,g}id.
>
> There are many packages that benefit from this. Mine are:
>
> (privileged-programs
>  (cons* (privileged-program
>          (file-append mtr "/sbin/mtr")
>          (capabilities "cap_net_raw+ep"))
>         (privileged-program
>          (file-append nethogs "/sbin/nethogs")
>          (capabilities "cap_net_admin,cap_net_raw+ep"))
>         (privileged-program
>          (file-append light "/bin/light")
>          (setuid? #t))
>         %default-privileged-programs))
Neat!
> The set's over a year old and needs a bit of love. Some details might
> have bitrot, I probably forgot a to-do or two in that year, and
> there's something unguixy about calling setcap(8) instead of writing a
> completely new Guile binding/module :-)
>
> I'm quite opinionated about the setuid-programs unification: there
> should not be multiple confusing and masking layers of privilege, and
> it should be possible to setgid a capable executable.
So you mean that ‘privileged-programs’ should entirely replace
‘setuid-programs’, right?
I’m a bit unsure about using file capabilities:
1. File capabilities are persistent and less visible than setuid bits
(you won’t see them with “ls -l”), so easily overlooked. Could
there be a risk of lingering file capabilities when reconfiguring a
system?
2. How ’bout portability to different file systems and to GNU/Hurd?
3. What’s the complexity/benefit ratio? :-)
Then there’s the compatibility story with moving from
/run/setuid-programs to /run/privileged-programs etc. that’ll have to be
handled with care.
I’m very much sold on the principle of least authority, but I feel like
POSIX capabilities (not to be confused with “actual” capabilities) are a
bit of a hack.
Thoughts?
Ludo’.
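Ludo's first concern, that file capabilities do not show up in "ls -l" and can be left behind when a system is reconfigured, can be checked mechanically: capabilities are stored in the security.capability extended attribute, and "getcap -r" is what reveals them. What follows is an added example, not code from the patch or from either participant: a POSIX shell audit that compares getcap -r output with the list a configuration declares and reports entries that linger, drift, or are missing. The paths under /run/privileged-programs, the "path capset" format of the declared list, and the getcap output are constructed assumptions so the script runs offline; on a real system you would feed it "getcap -r /run/privileged-programs" (root, Linux, xattr-capable filesystem).

```shell
#!/bin/sh
# Added example, not code from the Guix patch or this thread.
# Audits the file capabilities actually present against the set a
# configuration declares. Caps live in the security.capability xattr,
# so "ls -l" never shows them; only "getcap -r" (or getfattr) does.
#
# Real use (root, Linux, xattr-capable filesystem):
#   getcap -r /run/privileged-programs 2>/dev/null > actual.txt
#   audit_caps "$(cat declared.txt)" "$(cat actual.txt)"
# Below, both inputs are constructed sample text so the script runs offline.

# audit_caps DECLARED ACTUAL
#   DECLARED: "path capset" lines, capset in setcap syntax (cap_net_raw+ep)
#   ACTUAL:   getcap -r output; both the modern "path cap=ep" and the
#             older "path = cap+ep" spellings are accepted.
#   Prints one LINGERING / DRIFT / MISSING finding per line; returns 1
#   if there was any finding, 0 if the system matches the declaration.
audit_caps() {
    printf '%s\n' "$1" | awk -v actual="$2" '
        BEGIN { bad = 0 }
        NF >= 2 {
            caps = $2; sub(/[+]ep$/, "=ep", caps)   # setcap "+ep" -> getcap "=ep"
            declared[$1] = caps
        }
        END {
            n = split(actual, lines, "\n")
            for (i = 1; i <= n; i++) {
                line = lines[i]
                if (line == "") continue
                sub(/ = /, " ", line)                 # old libcap: "path = cap+ep"
                sub(/[+]ep$/, "=ep", line)
                split(line, f, " ")
                path = f[1]; caps = f[2]
                seen[path] = 1
                if (!(path in declared)) {
                    print "LINGERING " path " " caps; bad = 1
                } else if (declared[path] != caps) {
                    print "DRIFT " path " declared " declared[path] " found " caps; bad = 1
                }
            }
            for (p in declared)
                if (!(p in seen)) { print "MISSING " p; bad = 1 }
            exit bad
        }'
}

# Constructed sample: what the configuration quoted in this thread declares
# (the /run/privileged-programs paths are an assumption).
DECLARED='/run/privileged-programs/mtr cap_net_raw+ep
/run/privileged-programs/nethogs cap_net_admin,cap_net_raw+ep'

# Constructed sample of "getcap -r" output after a reconfigure that dropped
# old-tool from the declaration and never cleaned a hand-installed binary:
# two entries that nobody declares any more.
GETCAP_SAMPLE='/run/privileged-programs/mtr cap_net_raw=ep
/run/privileged-programs/nethogs cap_net_admin,cap_net_raw=ep
/run/privileged-programs/old-tool cap_sys_admin=ep
/usr/local/bin/stale-ping = cap_net_raw+ep'

if audit_caps "$DECLARED" "$GETCAP_SAMPLE"; then
    echo "ok: file capabilities match the declared set"
else
    echo "reconcile the findings above, e.g. strip with: setcap -r PATH"
fi
```

Run against the sample it prints two LINGERING lines and exits 1; "setcap -r PATH" removes the attribute from a file you decide should not carry it. The same check run over "getcap -r /" rather than a single directory is the way to find capabilities set outside the managed tree.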