void-linux / void-packages

The Void source packages collection
https://voidlinux.org

[RFC] explicitly allow setuid and setgid permissions in templates #32156

Open paper42 opened 3 years ago

paper42 commented 3 years ago

There are no checks for setuid and setgid permissions right now which could potentially be a security risk.

a) setugid=yes allows both setuid and setgid permissions in all files in the package
b) setugid="usr/bin/su" per-file rules

split setuid and setgid rules:
c) setuid=yes; setgid=yes
d) setuid="usr/bin/su"; setgid=""

I will prepare a post-install hook when it's decided which method is preferred. I like c) the most, because there are some packages providing just setgid binaries without needing setuid (mlocate). b) and d) sound too verbose to me and if a package provides a set{u,g}id binary, the whole package is trusted.

I would also like to ask someone with access to the binary repository to post here which packages have set{u,g}id binaries.

cc @ericonr

ericonr commented 3 years ago

> a) setugid=yes allows both setuid and setgid permissions in all files in the package

I don't think we need/should ship something with a gazillion s[ug]id binaries, so I think we should always list them explicitly. And what this allows us to do is also statically check that the permission bits are correct: if something like sudo's make install regresses for cross targets (wild example), it will be caught at package build time.

Statically checking setgid in Void is not really possible (it has to happen in INSTALL), because of how we (at least currently) manage groups. Most of the group usage is chown root:<group> then set perms to 4750. However, again because it happens in INSTALL, this breaks static checking.

fosslinux commented 3 years ago

> I would also like to ask someone with access to the binary repository to post here which packages have set{u,g}id binaries.

Not sure how this is easily possible - that would require an extraction of all packages lol. Probably better to update the templates incrementally as they are touched (I think that's the normal procedure for these kinds of changes).

paper42 commented 3 years ago

> > I would also like to ask someone with access to the binary repository to post here which packages have set{u,g}id binaries.
>
> Not sure how this is easily possible - that would require an extraction of all packages lol. Probably better to update the templates incrementally as they are touched (I think that's the normal procedure for these kinds of changes).

@fosslinux Permissions are in tar headers, so tar tvf pkg.xbps shows them.

Duncaen commented 3 years ago

For x86_64-glibc:

-rwsr-xr-x 0/0           14576 2016-10-18 01:52 ./usr/bin/9mount
-rwsr-xr-x 0/0            6192 2016-10-18 01:52 ./usr/bin/9bind
-rwsr-xr-x 0/0           10288 2016-10-18 01:52 ./usr/bin/9umount
-rwxr-sr-x 0/0          285408 2019-07-02 09:26 ./usr/bin/powermanga
-rwsr-xr-x 0/0         1223160 2020-12-16 11:10 ./usr/bin/arcan
-rwsr-sr-x 0/0           59696 2021-04-27 09:46 ./usr/bin/at
-rwsr-sr-x 0/0           43856 2021-06-30 02:17 ./usr/bin/mount.cifs
-rwsr-xr-x 0/0           22576 2019-01-20 13:27 ./usr/bin/pseudo
-rwsr-xr-x 0/0           30768 2019-01-20 13:27 ./usr/bin/contain
-rwsr-xr-x 0/0           55984 2021-03-30 14:49 ./usr/bin/cronie-crontab
-rwsr-xr-x 0/0          481648 2020-11-10 15:19 ./usr/bin/dar
-rwsr-xr-x 0/0          129184 2020-11-21 19:30 ./usr/bin/mount.davfs
-rwsr-xr-x 0/0           22600 2021-02-24 16:14 ./usr/bin/dcrontab
-rwsr-xr-- 0/0           14400 2021-03-05 18:04 ./usr/lib/dma-mbox-create
-rwxr-sr-x 0/0           67848 2021-03-05 18:04 ./usr/bin/dma
-rwsr-sr-x 0/0           22600 2021-03-30 18:11 ./usr/bin/mount.ecryptfs_private
-rwsr-xr-x 0/0           22592 2021-05-25 07:25 ./usr/lib/electron10/chrome-sandbox
-rwsr-xr-x 0/0           22592 2021-07-11 15:30 ./usr/lib/electron12/chrome-sandbox
-rwsr-xr-x 0/0           22512 2020-09-06 11:43 ./usr/lib/electron7/chrome-sandbox
-rwsr-xr-x 0/0           22408 2021-01-22 10:00 ./usr/lib/electron9/chrome-sandbox
-rwsr-xr-x 0/0           51280 2020-12-26 19:36 ./usr/lib/enlightenment/utils/enlightenment_system
-rwsr-xr-x 0/0           22592 2020-12-26 19:36 ./usr/lib/enlightenment/utils/enlightenment_sys
-rwsr-xr-x 0/0           26704 2020-12-26 19:36 ./usr/lib/enlightenment/utils/enlightenment_ckpasswd
-rwsr-sr-x 0/0           80248 2021-04-04 23:14 ./usr/bin/fcrontab
-rwsr-xr-x 0/0           34904 2021-04-04 23:14 ./usr/bin/fcronsighup
-rwsr-sr-x 0/0           43984 2021-04-04 23:14 ./usr/bin/fcrondyn
-rwsr-xr-x 0/0          470472 2021-07-01 11:36 ./usr/bin/firejail
-rwsr-xr-x 0/0           34952 2019-01-05 05:42 ./usr/bin/fusermount
-rwsr-xr-x 0/0           34960 2021-06-15 15:29 ./usr/bin/fusermount3
-rwsr-xr-x 0/0           34968 2021-04-05 12:35 ./usr/bin/fusermount-glusterfs
-rwsr-xr-x 0/0           39048 2021-04-10 20:00 ./usr/bin/cgi-wrapper
-rwsr-xr-x 0/0           14400 2021-07-23 01:21 ./usr/bin/hikari-unlocker
-rwsr-xr-x 0/0          104688 2021-03-24 03:10 ./usr/bin/incrontab
-rwsr-xr-x 0/0           14408 2020-05-05 11:43 ./usr/bin/kbdlight
-rwsr-xr-x 0/0         3202528 2021-07-12 06:12 ./usr/bin/keybase-redirector
-rwsr-x--- 0/0          146216 2021-06-04 19:02 ./usr/bin/kismet_cap_rz_killerbee
-rwsr-xr-x 0/0           14496 2018-10-16 16:09 ./usr/bin/cgexec
-rwsr-xr-x 0/0           22608 2018-07-14 08:18 ./usr/bin/pam-escalate-helper
-rwx--s--x 0/0           14408 2020-07-31 12:32 ./usr/lib/utempter/utempter
-rwsr-xr-x 0/0          737656 2021-03-06 00:01 ./usr/libexec/lxc/lxc-user-nic
-rwsr-xr-x 0/0           14400 2021-05-29 19:17 ./usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
-rwsr-xr-x 0/0           55352 2021-03-05 11:40 ./usr/bin/ksu
-rws--x--x 0/0          133976 2021-06-15 15:38 ./usr/bin/mount.nfs
-rwsr-xr-x 0/0           43168 2021-01-28 22:10 ./usr/bin/doas
-rwsr-xr-x 0/0           18496 2021-05-24 19:28 ./usr/libexec/opensmtpd/lockspool
-rwxr-sr-x 0/0          232264 2021-05-24 19:28 ./usr/bin/smtpctl
-rws--x--x 0/0          510344 2021-04-21 16:47 ./usr/libexec/ssh-keysign
-rwsr-xr-x 0/0           38968 2021-01-04 02:32 ./usr/bin/unix_chkpwd
-rwsr-xr-x 0/0           22608 2019-01-30 01:14 ./usr/bin/physlock
-rwxr-sr-x 0/0          301376 2021-06-14 14:57 ./usr/bin/plocate
-rwsr-xr-x 0/0           39296 2021-01-12 15:33 ./usr/bin/pumount
-rwsr-xr-x 0/0           52928 2021-01-12 15:33 ./usr/bin/pmount
-rwsr-xr-x 0/0           18504 2021-06-11 03:22 ./usr/lib/polkit-1/polkit-agent-helper-1
-rwsr-xr-x 0/0           30776 2021-06-11 03:22 ./usr/bin/pkexec
-rwsr-xr-x 0/0          238824 2021-06-25 16:01 ./usr/libexec/qemu-bridge-helper
-rwsr-xr-x 0/0           14400 2021-03-06 00:01 ./usr/libexec/s-nail-dotlock
-rwsr-xr-x 0/0         1113432 2020-01-25 20:03 ./usr/bin/schroot-sbuild
-rwsr-xr-x 0/0         1113424 2020-01-25 20:03 ./usr/bin/schroot
-rwsr-xr-x 0/0         1117520 2020-01-25 20:03 ./usr/bin/dchroot
-rwsr-xr-x 0/0           40488 2020-02-14 08:54 ./usr/bin/sg
-rwsr-xr-x 0/0           59760 2020-02-14 08:54 ./usr/bin/passwd
-rwsr-xr-x 0/0           37208 2020-02-14 08:54 ./usr/bin/newuidmap
-rwsr-xr-x 0/0           37208 2020-02-14 08:54 ./usr/bin/newgidmap
-rwsr-xr-x 0/0           67704 2020-02-14 08:54 ./usr/bin/gpasswd
-rwsr-xr-x 0/0           26984 2020-02-14 08:54 ./usr/bin/expiry
-rwsr-xr-x 0/0           71960 2020-02-14 08:54 ./usr/bin/chage
-rwsr-xr-x 0/0           14456 2016-11-22 01:24 ./usr/bin/slock
-rwsr-xr-x 0/0           18520 2021-05-14 13:17 ./usr/libexec/spice-client-glib-usb-acl-helper
-rwsr-xr-x 0/0           80600 2021-06-15 19:53 ./usr/libexec/squid/pinger
-rwsr-xr-x 0/0           22608 2021-06-15 19:53 ./usr/libexec/squid/basic_pam_auth
-rwsr-xr-x 0/0           26776 2021-06-15 19:53 ./usr/libexec/squid/basic_ncsa_auth
-rwsr-xr-x 0/0          174536 2021-05-24 22:21 ./usr/bin/sudo
-rwxr-sr-x 0/0           14400 2020-04-30 22:51 ./usr/bin/makeweb
-rwsr-xr-x 0/0          116888 2021-01-12 14:07 ./usr/bin/udevil
-rwsr-xr-x 0/0           34952 2021-07-25 04:23 ./usr/bin/umount
-rwsr-xr-x 0/0           71816 2021-07-25 04:23 ./usr/bin/su
-rwsr-xr-x 0/0           18568 2021-07-25 04:23 ./usr/bin/newgrp
-rwsr-xr-x 0/0           59528 2021-07-25 04:23 ./usr/bin/mount
-rwsr-xr-x 0/0           34952 2021-07-25 04:23 ./usr/bin/chsh
-rwsr-xr-x 0/0           39048 2021-07-25 04:23 ./usr/bin/chfn
-rwsr-xr-x 0/0          166536 2021-04-30 15:24 ./usr/lib/virtualbox/VirtualBoxVM
-rwsr-xr-x 0/0          166528 2021-04-30 15:24 ./usr/lib/virtualbox/VBoxSDL
-rwsr-xr-x 0/0          166536 2021-04-30 15:24 ./usr/lib/virtualbox/VBoxNetNAT
-rwsr-xr-x 0/0          166536 2021-04-30 15:24 ./usr/lib/virtualbox/VBoxNetDHCP
-rwsr-xr-x 0/0           31368 2021-04-30 15:24 ./usr/lib/virtualbox/VBoxNetAdpCtl
-rwsr-xr-x 0/0          166536 2021-04-30 15:24 ./usr/lib/virtualbox/VBoxHeadless
-rwsr-xr-x 0/0           16167 2019-01-22 12:35 ./usr/bin/vpsm
-rwsr-xr-x 0/0           22592 2021-01-29 03:52 ./usr/bin/weston-launch
-rwxr-sr-x 0/0           14424 2021-05-31 23:14 ./usr/lib/x2go/libx2go-server-db-sqlite3-wrapper
-rws--x--x 0/0           14392 2018-11-24 17:59 ./usr/lib/xcdroast/bin/xcdrwrap
-rwsr-xr-x 0/0         1895824 2020-10-29 14:15 ./usr/bin/xlock
-rwsr-xr-x 0/0           14672 2021-07-10 16:19 ./usr/libexec/Xorg.wrap
-rwsr-xr-x 0/0          308000 2021-07-23 12:50 ./usr/libexec/xscreensaver/xscreensaver-auth
-rwsr-xr-x 0/0          160400 2021-07-23 12:50 ./usr/libexec/xscreensaver/sonar

ericonr commented 3 years ago

-rwsr-xr-x 0/0           22592 2021-05-25 07:25 ./usr/lib/electron10/chrome-sandbox
-rwsr-xr-x 0/0           22592 2021-07-11 15:30 ./usr/lib/electron12/chrome-sandbox
-rwsr-xr-x 0/0           22512 2020-09-06 11:43 ./usr/lib/electron7/chrome-sandbox
-rwsr-xr-x 0/0           22408 2021-01-22 10:00 ./usr/lib/electron9/chrome-sandbox

can probably be removed from the package, we should be using the user namespace sandbox by now.

I wonder if the mount utilities need suid? Shouldn't mount itself being suid be enough?

Curious what cgi-wrapper from hiawatha needs suid for...

As discussed over IRC, vpsm being suid doesn't make a difference, since it's a shell script, but it needs to be fixed.

github-actions[bot] commented 2 years ago

Issues become stale 90 days after last activity and are closed 14 days after that. If this issue is still relevant bump it or assign it.

CameronNemo commented 2 years ago

I am a little unsure of the scope here. Will this help avoid setting the suid bit in INSTALL files? If so, don't we need to list each suid binary explicitly? Or is that something that should be done in do_install or post_install and then just say setuid=yes?

ericonr commented 2 years ago

> Will this help avoid setting the suid bit in INSTALL files?

No, it's mostly unrelated. The INSTALL files are needed in case a file has owners other than root:root and needs the permissions. This PR can't really touch those, at least as it stands.

> If so, don't we need to list each suid binary explicitly?

We still need to do so. The idea is to have a lint that checks that the files have the permission expected of them; setuid=yes is a blanket option that wouldn't help in catching small issues that passed by accidentally.
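The two mechanical pieces discussed in this thread are (1) Duncaen's way of spotting set{u,g}id files from `tar tvf` output and (2) the per-file lint ericonr describes, which compares the bits actually present in a package's destdir against what the template declares. The script below is an added example written for this page; it is not void-packages code and not an xbps-src hook. It assumes option d) semantics (`setuid=` and `setgid=` hold space-separated paths relative to the destdir), the function names are made up, and the sample tree and listing lines are constructed for the demo. It reports both directions of mismatch: an undeclared file carrying a bit, and a declared file that lost its bit (the cross-target `make install` regression case).

```shell
#!/bin/sh
# Added example, not void-packages code. Function names, argument layout
# and the sample data are assumptions made for this demonstration.

# Piece 1: scan `tar tvf` style listing lines on stdin (like the ones posted
# in this issue) and print "setuid <path>" / "setgid <path>" for each bit.
# Owner execute is column 4 of the mode string, group execute is column 7;
# 's' or 'S' there means the corresponding bit is set.
filter_setugid_listing() {
    awk '{ m = $1 }
         substr(m, 4, 1) ~ /[sS]/ { print "setuid", $NF }
         substr(m, 7, 1) ~ /[sS]/ { print "setgid", $NF }'
}

# Piece 2: the destdir lint.
# list_bits DESTDIR u|g  -> sorted paths (relative to DESTDIR) of regular
# files carrying the setuid (u) or setgid (g) bit.
list_bits() {
    case $2 in u) perm=4000 ;; g) perm=2000 ;; *) return 2 ;; esac
    (cd "$1" && find . -type f -perm -"$perm" | sed 's|^\./||' | sort)
}

# check_setugid DESTDIR "declared setuid paths" "declared setgid paths"
# Returns 0 when the bits found under DESTDIR match the declaration exactly,
# prints every mismatch and returns 1 otherwise. Paths are whitespace-split,
# so this assumes package paths without spaces.
check_setugid() {
    rc=0
    for kind in u g; do
        if [ "$kind" = u ]; then declared=$2; label=setuid
        else declared=$3; label=setgid; fi
        found=$(list_bits "$1" "$kind") || return 2
        # bit present in the tree but the template never declared it
        for f in $found; do
            printf '%s\n' $declared | grep -qxF "$f" ||
                { echo "error: undeclared $label file: $f"; rc=1; }
        done
        # template declares it but the installed file lacks the bit
        for d in $declared; do
            printf '%s\n' "$found" | grep -qxF "$d" ||
                { echo "error: declared $label file lacks the bit: $d"; rc=1; }
        done
    done
    return $rc
}

# Constructed sample destdir: two setuid files, one setgid file, one plain.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/usr/bin"
    for f in su mount plocate ls; do : > "$dir/usr/bin/$f"; done
    chmod 4755 "$dir/usr/bin/su" "$dir/usr/bin/mount"
    chmod 2755 "$dir/usr/bin/plocate"
    chmod 0755 "$dir/usr/bin/ls"
    printf '%s\n' "$dir"
}

# Demo run (constructed input, mirrors the thread's listing format).
printf '%s\n' '-rwsr-xr-x 0/0 71816 2021-07-25 04:23 ./usr/bin/su' \
              '-rwxr-sr-x 0/0 301376 2021-06-14 14:57 ./usr/bin/plocate' \
    | filter_setugid_listing
tree=$(make_sample_tree)
echo "== matching declaration =="
check_setugid "$tree" "usr/bin/su usr/bin/mount" "usr/bin/plocate" && echo "lint ok"
echo "== template forgot plocate and claims ls is setuid =="
check_setugid "$tree" "usr/bin/su usr/bin/mount usr/bin/ls" "" || echo "lint failed as expected"
rm -rf "$tree"
```

A hook like this only covers files owned by root:root at build time; as ericonr notes, files chowned to a dedicated group in INSTALL and given 4750 there cannot be checked statically, so those would need to be excluded from, or separately declared to, the lint.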