Hi,

On Sat, Feb 05, 2022 at 02:02:23PM +0100, Guillem Jover wrote:
> On Fri, 2022-02-04 at 19:35:10 -0800, Noah Meyerhans wrote:
> > > root@debian:~# ls -l `which ping`
> > > -rwxr-xr-x 1 root root 77432 Aug 23 19:08 /usr/bin/ping
> > > root@debian:~# getcap `which ping`
> > > /usr/bin/ping cap_net_raw=ep
> > >
> > > This looks like a limitation that would only be possible to solve by
> > > dpkg and extending tar / cpio probably.
> > >
> > > From what I found it is possible to do this with tar and
> > > --xattrs-include='security.capability' when packing and unpacking.
> >
> > Ping requires elevated privileges in order to open its ICMP network
> > sockets. The postinst script attempts to set a file-based cap_net_raw
> > capability on the binary after installation, and falls back to setuid in
> > case that fails (usually due to missing filesystem support for file
> > capabilities). This workflow is racy, however, as there's a period of
> > time when the file exists on disk but has not had any privilege
> > acquisition mechanism applied to it. During this period of time,
> > unprivileged users cannot run this program, when otherwise they could.
> > Elimination of this race situation would likely require the ability for
> > dpkg to initially create files with additional file-based capabilities.
>
> So, implementing this in dpkg would require at least the upcoming
> metadata tracking support
> <https://wiki.debian.org/Teams/Dpkg/Spec/MetadataTracking>, which is
> currently blocked. Another approach to get similar results would be
> just having support in dpkg-statoverride (tracked in #502580).

I've blocked 827479 and 1098773 on this bug; they request file
capabilities (instead of setuid root) on newgrp and newuidmap, newgidmap.
I don't really want to play postinst games in their respective packages,
except if really necessary.

> But a way to implement this more reliably already in iputils would be
> to ship the file in the .deb as set-UID-root (so that it always can
> work), and apply the POSIX capabilities and remove the set-UID-root
> bit in the maintscript if the system supports the former.

(I've seen this, but still. Would be a lot better without a postinst.)

Chris
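The race Noah describes and the race-free ordering Guillem proposes, as an added example that is not part of the thread and not the iputils or dpkg maintscript: the binary is assumed to be shipped in the .deb already set-UID-root, so it is never on disk without a privilege mechanism; postinst then tries to switch to file capabilities and drops the setuid bit only after setcap has succeeded. The function name apply_privilege and the SETCAP override variable are this example's own (SETCAP exists so the logic can be exercised without root or libcap); the capability string cap_net_raw+ep matches the getcap output quoted above.

```sh
#!/bin/sh
# Added example: postinst fragment for a binary shipped set-UID-root.
# Not the actual iputils/dpkg code; SETCAP is an example-only override
# (defaults to the real setcap) so the ordering can be tested unprivileged.
set -e

SETCAP="${SETCAP:-setcap}"

# apply_privilege BINARY CAPS
# Leaves BINARY with either file capabilities or setuid root, never with
# neither, and prints which mechanism ended up in place: "caps" or "setuid".
apply_privilege() {
    bin="$1"
    caps="$2"

    # The .deb already ships the file setuid root; re-asserting it first keeps
    # the script idempotent and guarantees a fallback is in place before we
    # touch anything else. Contrast: "setcap first, chmod u+s on failure"
    # leaves a window where the file is executable but unprivileged.
    chmod u+s "$bin"

    # Try to store the capability set in the security.capability xattr.
    # Fails on filesystems without xattr support or when setcap is absent.
    if command -v "$SETCAP" >/dev/null 2>&1 && "$SETCAP" "$caps" "$bin" 2>/dev/null; then
        # Capabilities are now on the file, so setuid root is no longer needed.
        chmod u-s "$bin"
        echo caps
    else
        # No file-capability support: keep the setuid bit the package shipped.
        echo setuid
    fi
}

# Usage (as root): sh postinst-example.sh /usr/bin/ping cap_net_raw+ep
if [ "$#" -eq 2 ]; then
    apply_privilege "$1" "$2"
fi
```

With the real setcap this must run as root; the test below drives the same function with `SETCAP=false` (simulating a filesystem without xattr support) and `SETCAP=:` (simulating success) on a temporary file and checks the resulting mode bits.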