system: %default-privileged-programs: Set ping capabilities

Ping and ping6 don't need setuid, they can work with cap_net_raw capability only. This means that even if ping or ping6 had a vulnerability that could be used for execution as root, it can't anymore if the program is not setuid. * gnu/system.scm (%default-privileged-programs): Remove ping, ping6 setuid programs, add ping, ping6 programs with cap_net_raw=ep capabilities Change-Id: Ie409b477f548dbff3318eec33d0d2ca16a1b3209 Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2025-07-10 16:50:43 +02:00 · 2024-10-11 21:49:10 +02:00 · 2024-10-11 21:49:10 +02:00 · e5d64e87d4
commit e5d64e87d4
parent e7a445571d
1 changed files with 23 additions and 18 deletions
--- a/gnu/system.scm
+++ b/gnu/system.scm
@ -1253,25 +1253,30 @@ use 'plain-file' instead~%")

 (define %default-privileged-programs
  (let ((shadow (@ (gnu packages admin) shadow)))
-    (map file-like->setuid-program
-         (list (file-append shadow "/bin/passwd")
-               (file-append shadow "/bin/chfn")
-               (file-append shadow "/bin/sg")
-               (file-append shadow "/bin/su")
-               (file-append shadow "/bin/newgrp")
-               (file-append shadow "/bin/newuidmap")
-               (file-append shadow "/bin/newgidmap")
-               (file-append inetutils "/bin/ping")
-               (file-append inetutils "/bin/ping6")
-               (file-append sudo "/bin/sudo")
-               (file-append sudo "/bin/sudoedit")
-               (file-append fuse-2 "/bin/fusermount")
-               (file-append fuse "/bin/fusermount3")
+    (cons*
+     (privileged-program
+      (program (file-append inetutils "/bin/ping"))
+      (capabilities "cap_net_raw=ep"))
+     (privileged-program
+      (program (file-append inetutils "/bin/ping6"))
+      (capabilities "cap_net_raw=ep"))
+     (map file-like->setuid-program
+          (list (file-append shadow "/bin/passwd")
+                (file-append shadow "/bin/chfn")
+                (file-append shadow "/bin/sg")
+                (file-append shadow "/bin/su")
+                (file-append shadow "/bin/newgrp")
+                (file-append shadow "/bin/newuidmap")
+                (file-append shadow "/bin/newgidmap")
+                (file-append sudo "/bin/sudo")
+                (file-append sudo "/bin/sudoedit")
+                (file-append fuse-2 "/bin/fusermount")
+                (file-append fuse "/bin/fusermount3")

-               ;; To allow mounts with the "user" option, "mount" and "umount" must
-               ;; be setuid-root.
-               (file-append util-linux "/bin/mount")
-               (file-append util-linux "/bin/umount")))))
+                ;; To allow mounts with the "user" option, "mount" and "umount" must
+                ;; be setuid-root.
+                (file-append util-linux "/bin/mount")
+                (file-append util-linux "/bin/umount"))))))

 (define %setuid-programs
  ;; Do not add to this list or use it in new code!  It's defined only to ease