GNU bug report logs -
#55683
Support binaries that need "setcap" similar to "setuid-programs"
Previous Next
To reply to this bug, email your comments to 55683 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#55683; Package
guix.
(Fri, 27 May 2022 19:53:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Vagrant Cascadian <vagrant <at> debian.org>:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Fri, 27 May 2022 19:53:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
I've been working on a package called lcsync:
https://issues.guix.gnu.org/55682
But lcsync needs CAP_NET_RAW... Normally, this is accomplished by
running:
setcap cap_net_raw=eip /path/to/bin/lcsync
You could add lcsync to setuid-programs, but this would be a terrible
idea, as it's a file syncing tool and you would have root access to
writing any file in the filesystem...
Upstream lcsync is considering how to rewrite it to drop privledges so
that it would not be *terrible* to run setuid root, but ... ideally it
could just use setcap to provide the very limited root privledges that
it needs.
It seems like something very similar to setuid-programs could work for
programs that need particular capabilities... e.g. copy a binary from
the store, set the appropriate capabilities with "setcap", add this
special directory to PATH.
But maybe there's a better way to do this already? :)
live well,
vagrant
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#55683; Package
guix.
(Fri, 27 May 2022 20:08:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 55683 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 2022-05-27, Vagrant Cascadian wrote:
> I've been working on a package called lcsync:
>
> https://issues.guix.gnu.org/55682
>
> But lcsync needs CAP_NET_RAW... Normally, this is accomplished by
> running:
>
> setcap cap_net_raw=eip /path/to/bin/lcsync
Similar issues seem to have come up for other packages:
https://issues.guix.gnu.org/27415
https://issues.guix.gnu.org/39136
https://issues.guix.gnu.org/39136
And possibly:
https://issues.guix.gnu.org/search?query=setcap
Some programs *might* be able to handle this sort of thing in a service
definition, but lcsync at least should be callable by the user from the
commandline (sort of like rsync); it doesn't normally have a daemon
component that would make sense to run as a service.
live well,
vagrant
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#55683; Package
guix.
(Mon, 13 Feb 2023 19:53:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 55683 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 2022-05-27, Vagrant Cascadian wrote:
> On 2022-05-27, Vagrant Cascadian wrote:
>> I've been working on a package called lcsync:
>>
>> https://issues.guix.gnu.org/55682
>>
>> But lcsync needs CAP_NET_RAW... Normally, this is accomplished by
>> running:
>>
>> setcap cap_net_raw=eip /path/to/bin/lcsync
>
> Similar issues seem to have come up for other packages:
>
> https://issues.guix.gnu.org/27415
> https://issues.guix.gnu.org/39136
> https://issues.guix.gnu.org/39136
>
> And possibly:
>
> https://issues.guix.gnu.org/search?query=setcap
Patches working towards implementing the required functionality at:
https://issues.guix.gnu.org/61462
live well,
vagrant
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 1 year and 290 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.