Buildroot Archive on lore.kernel.org
From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [RFC PATCH v4 2/2] iputils: add capability for clockdiff, ping, traceroute6
Date: Wed, 31 Jul 2019 18:00:59 +0200
Message-ID: <20190731160059.GJ3194@scaer>
In-Reply-To: <20190730213846.7488-2-petr.vorel@gmail.com>

Petr, All,

On 2019-07-30 23:38 +0200, Petr Vorel spake thusly:
> Not setting for arping as it can be used for ARP Poisoning.
> 
> Use cap_net_raw+p (drop +e) as upstream sets that via
> cap_set_flag(), see https://github.com/iputils/iputils/issues/194

So, now we set the capabilities to those executables, do they still need
to be setuid?

But then, if one really does not want xattr, setuid is still required.

So, we have no way to express that a file should have either setuid or
xattrs, except as a big if-block like:

    ifeq ($(BR2_ROOTFS_DEVICE_TABLE_SUPPORTS_EXTENDED_ATTRIBUTES),y)
    define IPUTILS_PERMISSIONS
        /usr/bin/clockdiff    f 0755 0 0 - - - - -
        |xattr cap_net_raw+p
    endef
    else
    define IPUTILS_PERMISSIONS
        /usr/bin/clockdiff    f 4755 0 0 - - - - -
    endef
    endif

... which is what we were trying to avoid in the first place...

We could write something like:

    /usr/bin/clockdiff    f $(MAYBE_SUID)755 0 0 - - - - -
    |xattr cap_net_raw+p

Where MAYBE_SUID would be set as:

    MAYBE_SUID = $(if $(BR2_ROOTFS_DEVICE_TABLE_SUPPORTS_EXTENDED_ATTRIBUTES),0,4)

But it is starting to be a bit more complex than what you initially
envisioned, I guess.

Regards,
Yann E. MORIN.

> Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
> ---
>  package/iputils/iputils.mk | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/package/iputils/iputils.mk b/package/iputils/iputils.mk
> index 8e6a3e2fc5..f1d3e1fc6a 100644
> --- a/package/iputils/iputils.mk
> +++ b/package/iputils/iputils.mk
> @@ -76,8 +76,11 @@ IPUTILS_CONF_OPTS += -DNO_SETCAP_OR_SUID=true
>  define IPUTILS_PERMISSIONS
>  	/usr/sbin/arping      f 4755 0 0 - - - - -
>  	/usr/bin/clockdiff    f 4755 0 0 - - - - -
> +	|xattr cap_net_raw+p
>  	/bin/ping             f 4755 0 0 - - - - -
> +	|xattr cap_net_raw+p
>  	/usr/bin/traceroute6  f 4755 0 0 - - - - -
> +	|xattr cap_net_raw+p
>  endef
>  
>  $(eval $(meson-package))
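Review bot: the three entries that gain `|xattr cap_net_raw+p` in this hunk keep mode `4755`, so clockdiff, ping and traceroute6 remain setuid root even when the xattr is applied, and a permitted cap_net_raw grants nothing on top of full root. If the capability is meant to replace setuid, the mode needs to drop to `0755` whenever the xattr can be applied, e.g. `/bin/ping f 0755 0 0 - - - - -` followed by the `|xattr cap_net_raw+p` line, with `4755` only as the fallback for builds without xattr support. The arping entry is left at `4755` with no xattr at all, so the "not setting for arping" rationale leaves it running as full root, which is strictly more than cap_net_raw; if the aim is to restrict arping, it is the setuid bit that has to go. Since the context line shows `-DNO_SETCAP_OR_SUID=true`, this table is the only place these binaries get any privilege, so the intended setuid/xattr split should be spelled out in the commit message.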
> -- 
> 2.22.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
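To make the "either setuid or xattr, never both" question above checkable on a generated table, here is an added example (not code from the mail, from Petr's patch, or from Buildroot itself). It parses the makedevs-style permission table used by IPUTILS_PERMISSIONS (ten fields per entry, with `|xattr <capability>` lines applying to the preceding entry), classifies each file by how it would end up privileged, and renders an entry the way Yann's MAYBE_SUID trick would. The TABLE string is constructed from the patch in this thread; the function names, the "cap-dropped" verdict, and the assumption that makedevs only warns and skips the xattr when support is disabled (patch 1/2 of this series) are this example's own.

```python
"""Lint a Buildroot makedevs permission table for setuid-vs-capability overlap.

Added example, not part of the mail or of Buildroot. Format assumed (as in
IPUTILS_PERMISSIONS): name type mode uid gid major minor start inc count,
optionally followed by "|xattr <capability>" lines for the preceding entry.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SETUID_BIT = 0o4000


@dataclass
class Entry:
    path: str
    ftype: str
    mode: int
    uid: str
    gid: str
    xattrs: list[str] = field(default_factory=list)

    @property
    def setuid_root(self) -> bool:
        # Only setuid *root* matters for the privilege question here.
        return bool(self.mode & SETUID_BIT) and self.uid == "0"


def parse_table(text: str) -> list[Entry]:
    """Parse device-table text into entries; |xattr lines attach to the last entry."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("|xattr"):
            parts = line.split(None, 1)
            if len(parts) != 2 or not entries:
                raise ValueError(f"malformed or orphan |xattr line: {raw!r}")
            entries[-1].xattrs.append(parts[1].strip())
            continue
        fields = line.split()
        if len(fields) != 10:
            raise ValueError(f"expected 10 fields, got {len(fields)}: {raw!r}")
        path, ftype, mode, uid, gid = fields[:5]
        entries.append(Entry(path, ftype, int(mode, 8), uid, gid))
    return entries


def classify(entry: Entry, xattr_supported: bool) -> str:
    """How the file ends up privileged once makedevs has run.

    Assumption (from patch 1/2 of the series): without xattr support makedevs
    only warns, so the capability is not applied and only mode bits count.
    """
    caps = [x for x in entry.xattrs if x.startswith("cap_")]
    cap_applied = bool(caps) and xattr_supported
    if entry.setuid_root and cap_applied:
        return "both"         # capability is redundant next to setuid root
    if entry.setuid_root:
        return "setuid"
    if cap_applied:
        return "cap"
    if caps:
        return "cap-dropped"  # table asks for a capability the image cannot carry
    return "none"


def classify_table(text: str, xattr_supported: bool) -> dict[str, str]:
    """Map each regular-file entry to its verdict for the given build config."""
    return {e.path: classify(e, xattr_supported)
            for e in parse_table(text) if e.ftype == "f"}


def render_entry(path: str, cap: str, xattr_supported: bool) -> str:
    """Emit an entry the way the MAYBE_SUID trick would: setuid bit only
    when the capability cannot be stored as an xattr; the |xattr line is
    always emitted, relying on makedevs merely warning when unsupported."""
    mode = 0o755 if xattr_supported else 0o755 | SETUID_BIT
    return f"{path} f {mode:04o} 0 0 - - - - -\n|xattr {cap}"


# Constructed from the patch under review (v4 2/2).
TABLE = """\
/usr/sbin/arping      f 4755 0 0 - - - - -
/usr/bin/clockdiff    f 4755 0 0 - - - - -
|xattr cap_net_raw+p
/bin/ping             f 4755 0 0 - - - - -
|xattr cap_net_raw+p
/usr/bin/traceroute6  f 4755 0 0 - - - - -
|xattr cap_net_raw+p
"""

if __name__ == "__main__":
    for supported in (True, False):
        print(f"xattr support: {supported}")
        for path, verdict in classify_table(TABLE, supported).items():
            print(f"  {path:22s} {verdict}")
    print(render_entry("/bin/ping", "cap_net_raw+p", True))
```

Run against the patch as posted, the three binaries with an `|xattr` line come out as "both" when xattrs are supported (setuid root plus a capability that adds nothing), and arping is "setuid" in either configuration; the same entries rendered through render_entry come out as "cap" with xattr support and "setuid" without, which is the either/or the mail is after.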


Thread overview: 8+ messages
2019-07-30 21:38 [Buildroot] [RFC PATCH v4 1/2] makedevs: only warn when xattr support disabled Petr Vorel
2019-07-30 21:38 ` [Buildroot] [RFC PATCH v4 2/2] iputils: add capability for clockdiff, ping, traceroute6 Petr Vorel
2019-07-31 16:00   ` Yann E. MORIN [this message]
2019-07-31 20:11     ` Petr Vorel
2019-07-31 22:13     ` Thomas Petazzoni
2019-07-31 22:24       ` Petr Vorel
2019-08-01  7:29         ` Yann E. MORIN
2019-08-01  7:33           ` Petr Vorel
