RFC: baseline requirements for Ubuntu rootfs: xattrs and fscaps
Dimitri John Ledkov
xnox at ubuntu.com
Thu Aug 2 23:24:35 UTC 2018
On 2 August 2018 at 01:58, Steve Langasek <steve.langasek at ubuntu.com> wrote:
> A recent customer bug report revealed that we have packages in the standard
> Ubuntu system (mtr-tiny) which are making use of filesystem capabilities, to
> reduce the need for suid binaries on the system:
>
> $ getcap /usr/bin/mtr-packet
> /usr/bin/mtr-packet = cap_net_raw+ep
> $
>
> The customer bug report arose because today, we are not handling all Ubuntu
> images in an xattr-safe manner. E.g., on a freshly-launched cosmic lxd
> container here:
>
> $ lxc exec caring-calf -- getcap /usr/bin/mtr-packet
> $
>
> This prevents the software from working as intended by the Debian
> maintainer; the command will only succeed as root in such an environment,
> where it is intended to be runnable as a non-root user.
>
> We have previously dealt with such an incompatibility in the iputils package
> by introducing an Ubuntu delta
> (https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1302192), restoring
> use of suid in place of fscaps. This is suboptimal because:
>
> - It violates the principle of least privilege; why give processes full
> root privs if cap_net_raw is all they need?
> - It's a game of whack-a-mole. We fixed iputils in response to bug
> reports, but the wrong privileges on mtr-packet went unnoticed. There
> may be other bugs in the future again caused by failing to preserve
> xattrs.
>
> I am therefore proposing that we explicitly raise the requirements for
> Ubuntu root filesystems to always be transported in an xattr-preserving
> manner.
>
For the cases when one forgets to unpack with extended attributes, the
packages in question imho should ship a tmpfiles.d snippet such that
these extended attributes are restored on boot (if that given
filesystem is ever booted).
Example:
t /run/cups - - - - security.SMACK64=printing user.attr-with-spaces="foo bar"
For more details see
http://manpages.ubuntu.com/manpages/bionic/en/man5/tmpfiles.d.5.html
It would even be useful imho to add a lintian check for this.
--
Regards,
Dimitri.
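Added example, not code from this thread or from Ubuntu/Debian packaging: a Python script that audits a root filesystem tarball for file capabilities, which is the check the thread is asking for (did the fscaps survive transport?). It assumes GNU tar's `--xattrs` convention of storing each xattr as a PAX record named `SCHILY.xattr.<name>`, and the kernel's `security.capability` layout (`struct vfs_cap_data`, revisions 1 to 3: a little-endian magic word whose low bit is the effective flag, followed by permitted/inheritable u32 pairs). The two tarballs it builds are constructed in memory, with a shell stub standing in for `/usr/bin/mtr-packet`; one keeps the xattr, the other models a transport that dropped it. The decoded text is in `setcap` syntax, so the diff between a reference image and the image under test can be turned straight into restore commands.

```python
"""Audit a rootfs tarball for fscaps (security.capability xattrs).

Added example: builds two constructed tarballs, one with the xattr kept
(as 'tar --xattrs' would) and one with it dropped, then reports which
files carry capabilities and what setcap commands would restore them.
"""
import io
import struct
import tarfile

# Capability numbers -> names, from include/uapi/linux/capability.h.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# Assumption: GNU tar --xattrs stores xattrs as PAX records SCHILY.xattr.<name>.
XATTR_KEY = "SCHILY.xattr.security.capability"


def encode_vfs_cap_v2(permitted, inheritable=(), effective=True):
    """Build the 20-byte VFS_CAP_REVISION_2 blob for names like 'net_raw'."""
    magic = 0x02000000 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    p = sum(1 << CAP_NAMES.index(c) for c in permitted)
    i = sum(1 << CAP_NAMES.index(c) for c in inheritable)
    # Layout: magic, then {permitted, inheritable} for the low and high words.
    return struct.pack("<IIIII", magic, p & 0xFFFFFFFF, i & 0xFFFFFFFF,
                       p >> 32, i >> 32)


def decode_vfs_cap(blob):
    """Decode a security.capability value (rev 1, 2 or 3) into setcap text,
    e.g. the blob for cap_net_raw with the effective bit -> 'cap_net_raw+ep'."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    effective = bool(magic & VFS_CAP_FLAGS_EFFECTIVE)
    if rev == 0x01000000:
        words = 1          # one u32 pair
    elif rev in (0x02000000, 0x03000000):
        words = 2          # two u32 pairs (rev 3 appends a rootid we ignore)
    else:
        raise ValueError("unknown VFS cap revision 0x%08x" % rev)
    permitted = inheritable = 0
    for n in range(words):
        p, i = struct.unpack_from("<II", blob, 4 + 8 * n)
        permitted |= p << (32 * n)
        inheritable |= i << (32 * n)
    # The effective flag is a single bit that applies to every permitted cap.
    clauses = {}
    for num, name in enumerate(CAP_NAMES):
        in_p = (permitted >> num) & 1
        in_i = (inheritable >> num) & 1
        flags = ("e" if effective and in_p else "") + ("i" if in_i else "") + ("p" if in_p else "")
        if flags:
            clauses.setdefault(flags, []).append("cap_" + name)
    return " ".join(",".join(caps) + "+" + flags for flags, caps in sorted(clauses.items()))


def build_rootfs_tar(with_xattrs):
    """Constructed sample rootfs tarball with a stand-in usr/bin/mtr-packet.
    with_xattrs=True mimics 'tar --xattrs'; False mimics a transport that dropped them."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        payload = b"#!/bin/sh\necho constructed stand-in for mtr-packet\n"
        info = tarfile.TarInfo("usr/bin/mtr-packet")
        info.size = len(payload)
        info.mode = 0o755
        if with_xattrs:
            raw = encode_vfs_cap_v2(["net_raw"])
            # PAX values are str; surrogateescape carries arbitrary bytes through.
            info.pax_headers[XATTR_KEY] = raw.decode("utf-8", "surrogateescape")
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def audit_fscaps(tar_bytes):
    """Return {path: setcap_text} for every member carrying security.capability."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar:
            value = member.pax_headers.get(XATTR_KEY)
            if value is not None:
                found[member.name] = decode_vfs_cap(value.encode("utf-8", "surrogateescape"))
    return found


def setcap_commands(expected, actual):
    """setcap lines restoring caps present in the reference image but not the tested one."""
    return ["setcap %s /%s" % (text, path)
            for path, text in sorted(expected.items()) if actual.get(path) != text]


if __name__ == "__main__":
    reference = audit_fscaps(build_rootfs_tar(with_xattrs=True))
    tested = audit_fscaps(build_rootfs_tar(with_xattrs=False))
    print("reference:", reference)   # {'usr/bin/mtr-packet': 'cap_net_raw+ep'}
    print("tested:   ", tested)      # {} : the fscap was lost in transport
    print("\n".join(setcap_commands(reference, tested)))
```

Run it against a real image with `tar --xattrs -cf rootfs.tar -C /path/to/rootfs .` on the build host and `audit_fscaps(open("rootfs.tar", "rb").read())` here; an empty result for a rootfs known to contain `mtr-packet` is the symptom described above. The `setcap` output is a stop-gap for a filesystem that has already been shipped without xattrs; the fix the thread proposes is to preserve them in transport in the first place.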