
system: %default-privileged-programs: Set ping capabilities

Ping and ping6 don't need to be setuid-root; they work with the
cap_net_raw capability alone. This means that even if ping or
ping6 had a vulnerability that could be used for code execution
as root, it can no longer be exploited that way once the program
is not setuid.

* gnu/system.scm (%default-privileged-programs): Remove ping, ping6 setuid
programs, add ping, ping6 programs with cap_net_raw=ep capabilities

Change-Id: Ie409b477f548dbff3318eec33d0d2ca16a1b3209
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Rutherther 2024-10-11 21:49:10 +02:00 committed by Ludovic Courtès
parent e7a445571d
commit e5d64e87d4
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5


@ -1253,25 +1253,30 @@ use 'plain-file' instead~%")
(define %default-privileged-programs
(let ((shadow (@ (gnu packages admin) shadow)))
(map file-like->setuid-program
(list (file-append shadow "/bin/passwd")
(file-append shadow "/bin/chfn")
(file-append shadow "/bin/sg")
(file-append shadow "/bin/su")
(file-append shadow "/bin/newgrp")
(file-append shadow "/bin/newuidmap")
(file-append shadow "/bin/newgidmap")
(file-append inetutils "/bin/ping")
(file-append inetutils "/bin/ping6")
(file-append sudo "/bin/sudo")
(file-append sudo "/bin/sudoedit")
(file-append fuse-2 "/bin/fusermount")
(file-append fuse "/bin/fusermount3")
(cons*
(privileged-program
(program (file-append inetutils "/bin/ping"))
(capabilities "cap_net_raw=ep"))
(privileged-program
(program (file-append inetutils "/bin/ping6"))
(capabilities "cap_net_raw=ep"))
(map file-like->setuid-program
(list (file-append shadow "/bin/passwd")
(file-append shadow "/bin/chfn")
(file-append shadow "/bin/sg")
(file-append shadow "/bin/su")
(file-append shadow "/bin/newgrp")
(file-append shadow "/bin/newuidmap")
(file-append shadow "/bin/newgidmap")
(file-append sudo "/bin/sudo")
(file-append sudo "/bin/sudoedit")
(file-append fuse-2 "/bin/fusermount")
(file-append fuse "/bin/fusermount3")
;; To allow mounts with the "user" option, "mount" and "umount" must
;; be setuid-root.
(file-append util-linux "/bin/mount")
(file-append util-linux "/bin/umount")))))
;; To allow mounts with the "user" option, "mount" and "umount" must
;; be setuid-root.
(file-append util-linux "/bin/mount")
(file-append util-linux "/bin/umount"))))))
(define %setuid-programs
;; Do not add to this list or use it in new code! It's defined only to ease
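Review bot: The two `privileged-program` entries for ping and ping6 set only `program` and `capabilities` and rely on the record's defaults for its setuid/setgid fields; the hardening described in the commit message holds only if that default is "not setuid", and if it is not, the binaries would end up setuid-root with cap_net_raw layered on top, silently defeating the change. It would be worth making the intent explicit at the entry, either by setting the record's setuid field to #f if it has one or with a comment such as `;; Capabilities only: ping must not be setuid-root, otherwise a bug in it still yields root.` Note also that cap_net_raw still lets a compromised ping sniff and forge packets on any interface, so this shrinks rather than eliminates the blast radius, and file capabilities are stored as security xattrs, which presumably requires the filesystem holding the privileged wrappers to support them; a one-line comment near the entries noting both caveats would help operators. The `(define %setuid-programs` that follows continues past the end of the hunk.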