From: Eli Schwartz
Date: Sun, 10 Nov 2024 17:38:22 -0500
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH 2/2] fcaps.eclass: make binaries readable by default
In-Reply-To: <20241110215401.128418-2-floppym@gentoo.org>
References: <20241110215401.128418-1-floppym@gentoo.org> <20241110215401.128418-2-floppym@gentoo.org>

On 11/10/24 4:54 PM, Mike Gilbert wrote:
> Removing the read bit from suid binaries has questionable security
> benefit, and may cause problems for some software.
> 
> Users may override FCAPS_CAPS_MODE and FCAPS_NOCAPS_MODE should they
> desire the old behavior.
> 
> Bug: https://bugs.gentoo.org/938164
> Signed-off-by: Mike Gilbert
> ---
>  eclass/fcaps.eclass | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/eclass/fcaps.eclass b/eclass/fcaps.eclass
> index bf05776ba760..da4a52099396 100644
> --- a/eclass/fcaps.eclass
> +++ b/eclass/fcaps.eclass
> @@ -70,13 +70,13 @@ esac
>  # @USER_VARIABLE
>  # @DESCRIPTION:
>  # Mode to use when capabilities are supported.
> -: ${FCAPS_CAPS_MODE:=0711}
> +: ${FCAPS_CAPS_MODE:=0755}

Considering the context of the linked bug, and the change offered here, I
don't really understand the proposed solution. This is a very flexible
variable. Way too flexible. There is no valid use case for setting it to
anything other than removing read permissions, or preserving read
permissions -- so why is it acceptable to offer users the opportunity to
define

FCAPS_CAPS_MODE="4123"
FCAPS_NOCAPS_MODE="0644"

Which is an error condition?

If we want a user variable at all here, let it be

: ${FCAPS_DENY_WORLD_READ:=no}

But I'm not convinced any optionality is necessary at all here. If the
expected behavior is to have read, and users are free to toggle sfperms
at the portage level, why is it necessary to make this additionally
configurable as an eclass variable?

Either way, there is also a stale comment in the function body:

# If everything goes well, we don't want the file to be readable
# by people.

>  # @ECLASS_VARIABLE: FCAPS_NOCAPS_MODE
>  # @USER_VARIABLE
>  # @DESCRIPTION:
>  # Mode to use when capabilities are not supported.
> -: ${FCAPS_NOCAPS_MODE:=4711}
> +: ${FCAPS_NOCAPS_MODE:=4755}
> 
>  # @FUNCTION: fcaps
>  # @USAGE: [-o ] [-g ] [-m ] [-M ]

-- 
Eli Schwartz
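Review bot: the new 0755/4755 defaults in this hunk are contradicted by the comment Eli quotes from the function body ("# If everything goes well, we don't want the file to be readable / # by people."), which the patch leaves untouched; update or drop that comment in the same change so the eclass describes what it actually does. The @DESCRIPTION lines for FCAPS_CAPS_MODE and FCAPS_NOCAPS_MODE also still read only "Mode to use when capabilities are (not) supported", yet the commit message points users at these variables to restore the old behaviour; either document there that 0711/4711 is the previous read-less setting, or, as the reply suggests, replace the free-form modes with a single boolean so that values such as 4123 or 0644 cannot be configured at all.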
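The check Eli argues for (only the read bits should ever vary from the eclass default, so values like 4123 or 0644 are error conditions) and his FCAPS_DENY_WORLD_READ alternative, written out as an added POSIX sh example; this is not code from fcaps.eclass or from the thread, and the function names and the 0044 mask (group and other read) are my assumptions.

```shell
#!/bin/sh
# Added example, not part of fcaps.eclass or this thread.
# Defaults as changed by the patch (capabilities supported / setuid fallback).
FCAPS_CAPS_DEFAULT=0755
FCAPS_NOCAPS_DEFAULT=4755

# Assumed mask: the only bits a user may legitimately toggle are group and
# other read (the old 0711/4711 defaults kept owner read).
FCAPS_READ_MASK=0044

# fcaps_mode_ok <mode> <default>
# Succeeds only if <mode> is octal and equals <default> once the read bits
# are masked off, i.e. the user changed nothing but world readability.
fcaps_mode_ok() {
    mode=$1 default=$2
    case $mode in
        ''|*[!0-7]*) return 1 ;;   # empty or not an octal digit string
    esac
    # A leading 0 makes the shell read the value as octal.
    [ $(( 0$mode & ~0$FCAPS_READ_MASK )) -eq $(( 0$default & ~0$FCAPS_READ_MASK )) ]
}

# fcaps_mode_from_bool <yes|no> <default>
# The boolean alternative from the reply: derive the mode from a single
# FCAPS_DENY_WORLD_READ-style switch instead of a free-form mode string.
fcaps_mode_from_bool() {
    case $1 in
        yes) printf '%04o\n' $(( 0$2 & ~0$FCAPS_READ_MASK )) ;;
        no)  printf '%04o\n' $(( 0$2 )) ;;
        *)   return 1 ;;           # anything else is a configuration error
    esac
}

# Demonstration with the values quoted in the reply (constructed input).
for m in 0711 0755 4123 0644; do
    if fcaps_mode_ok "$m" "$FCAPS_CAPS_DEFAULT"; then
        echo "FCAPS_CAPS_MODE=$m: ok"
    else
        echo "FCAPS_CAPS_MODE=$m: error, only read bits may differ from $FCAPS_CAPS_DEFAULT"
    fi
done
echo "FCAPS_DENY_WORLD_READ=yes -> $(fcaps_mode_from_bool yes "$FCAPS_NOCAPS_DEFAULT")"
```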