GNU bug report logs - #55683
Support binaries that need "setcap" similar to "setuid-programs"

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 55683 in the body.
You can then email your comments to 55683 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Vagrant Cascadian <vagrant <at> debian.org>
To: bug-guix <at> gnu.org
Subject: Support binaries that need "setcap" similar to "setuid-programs"
Date: Fri, 27 May 2022 12:51:51 -0700

[Message part 1 (text/plain, inline)]

I've been working on a package called lcsync:

  https://issues.guix.gnu.org/55682

But lcsync needs CAP_NET_RAW... Normally, this is accomplished by
running:

  setcap cap_net_raw=eip /path/to/bin/lcsync

You could add lcsync to setuid-programs, but this would be a terrible
idea, as it's a file syncing tool and you would have root access to
writing any file in the filesystem...

Upstream lcsync is considering how to rewrite it to drop privledges so
that it would not be *terrible* to run setuid root, but ... ideally it
could just use setcap to provide the very limited root privledges that
it needs.

It seems like something very similar to setuid-programs could work for
programs that need particular capabilities... e.g. copy a binary from
the store, set the appropriate capabilities with "setcap", add this
special directory to PATH.

But maybe there's a better way to do this already? :)


live well,
  vagrant

[signature.asc (application/pgp-signature, inline)]

Message #8 received at 55683 <at> debbugs.gnu.org (full text, mbox):

From: Vagrant Cascadian <vagrant <at> debian.org>
To: 55683 <at> debbugs.gnu.org
Subject: Re: Support binaries that need "setcap" similar to "setuid-programs"
Date: Fri, 27 May 2022 13:07:00 -0700

[Message part 1 (text/plain, inline)]

On 2022-05-27, Vagrant Cascadian wrote:
> I've been working on a package called lcsync:
>
>   https://issues.guix.gnu.org/55682
>
> But lcsync needs CAP_NET_RAW... Normally, this is accomplished by
> running:
>
>   setcap cap_net_raw=eip /path/to/bin/lcsync

Similar issues seem to have come up for other packages:

  https://issues.guix.gnu.org/27415
  https://issues.guix.gnu.org/39136
  https://issues.guix.gnu.org/39136

And possibly:

  https://issues.guix.gnu.org/search?query=setcap


Some programs *might* be able to handle this sort of thing in a service
definition, but lcsync at least should be callable by the user from the
commandline (sort of like rsync); it doesn't normally have a daemon
component that would make sense to run as a service.


live well,
  vagrant

[signature.asc (application/pgp-signature, inline)]

Message #11 received at 55683 <at> debbugs.gnu.org (full text, mbox):

From: Vagrant Cascadian <vagrant <at> debian.org>
To: 55683 <at> debbugs.gnu.org
Subject: Re: Support binaries that need "setcap" similar to "setuid-programs"
Date: Mon, 13 Feb 2023 11:52:06 -0800

[Message part 1 (text/plain, inline)]

On 2022-05-27, Vagrant Cascadian wrote:
> On 2022-05-27, Vagrant Cascadian wrote:
>> I've been working on a package called lcsync:
>>
>>   https://issues.guix.gnu.org/55682
>>
>> But lcsync needs CAP_NET_RAW... Normally, this is accomplished by
>> running:
>>
>>   setcap cap_net_raw=eip /path/to/bin/lcsync
>
> Similar issues seem to have come up for other packages:
>
>   https://issues.guix.gnu.org/27415
>   https://issues.guix.gnu.org/39136
>   https://issues.guix.gnu.org/39136
>
> And possibly:
>
>   https://issues.guix.gnu.org/search?query=setcap

Patches working towards implementing the required functionality at:

  https://issues.guix.gnu.org/61462

live well,
  vagrant

[signature.asc (application/pgp-signature, inline)]

Message #16 received at 55683-done <at> debbugs.gnu.org (full text, mbox):

From: Vagrant Cascadian <vagrant <at> debian.org>
To: 55683-done <at> debbugs.gnu.org
Subject: Re: Support binaries that need "setcap" similar to "setuid-programs"
Date: Mon, 10 Mar 2025 20:55:56 -0700

[Message part 1 (text/plain, inline)]

On 2023-02-13, Vagrant Cascadian wrote:
> On 2022-05-27, Vagrant Cascadian wrote:
>> On 2022-05-27, Vagrant Cascadian wrote:
>>> I've been working on a package called lcsync:
>>>
>>>   https://issues.guix.gnu.org/55682
>>>
>>> But lcsync needs CAP_NET_RAW... Normally, this is accomplished by
>>> running:
>>>
>>>   setcap cap_net_raw=eip /path/to/bin/lcsync
...
> Patches working towards implementing the required functionality at:
>
>   https://issues.guix.gnu.org/61462

This was fixed in commit:

  71f0676a295841e2cc662eec0d3e9b7e69726035 privilege: Add POSIX capabilities(7) support.

live well,
  vagrant

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.