Re: [gentoo-dev] [PATCH 2/2] fcaps.eclass: make binaries readable by default

Sun, 10 Nov 2024 14:48:46 -0800 

On 11/10/24 4:54 PM, Mike Gilbert wrote:
> Removing the read bit from suid binaries has questionable security
> benefit, and may cause problems for some software.
> 
> Users may override FCAPS_CAPS_MODE and FCAPS_NOCAPS_MODE should they
> desire the old behavior.
> 
> Bug: https://bugs.gentoo.org/938164
> Signed-off-by: Mike Gilbert <flop...@gentoo.org>
> ---
>  eclass/fcaps.eclass | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/eclass/fcaps.eclass b/eclass/fcaps.eclass
> index bf05776ba760..da4a52099396 100644
> --- a/eclass/fcaps.eclass
> +++ b/eclass/fcaps.eclass
> @@ -70,13 +70,13 @@ esac
>  # @USER_VARIABLE
>  # @DESCRIPTION:
>  # Mode to use when capabilities are supported.
> -: ${FCAPS_CAPS_MODE:=0711}
> +: ${FCAPS_CAPS_MODE:=0755}


Considering the context of the linked bug, and the change offered here,
I don't really understand the proposed solution.

This is a very flexible variable. Way too flexible. There is no valid
use case for setting it to anything other than removing read
permissions, or preserving read permissions -- so why is it acceptable
to offer users the opportunity to define

FCAPS_CAPS_MODE="4123"
FCAPS_NOCAPS_MODE="0644"

Which is an error condition?

If we want a user variable at all here, let it be

: ${FCAPS_DENY_WORLD_READ:=no}

But I'm not convinced any optionality is necessary at all here. If the
expected behavior is to have read, and users are free to toggle sfperms
at the portage level, why is it necessary to make this additionally
configurable as an eclass variable?

Either way, there is also a stale comment in the function body:

# If everything goes well, we don't want the file to be readable
# by people.



>  # @ECLASS_VARIABLE: FCAPS_NOCAPS_MODE
>  # @USER_VARIABLE
>  # @DESCRIPTION:
>  # Mode to use when capabilities are not supported.
> -: ${FCAPS_NOCAPS_MODE:=4711}
> +: ${FCAPS_NOCAPS_MODE:=4755}
>  
>  # @FUNCTION: fcaps
>  # @USAGE: [-o <owner>] [-g <group>] [-m <mode>] [-M <caps mode>] 
> <capabilities> <file[s]>


-- 
Eli Schwartz

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply via email to