RFC: init-d-script add optional setpriv wrapper for s-s-d.

Wed Sep 4 09:28:22 BST 2024

Thorsten,

Thanks.

On Tue, Sep 03, 2024 at 11:49:18PM +0000, Thorsten Glaser wrote:
> Dixi quod…
> 
> >Otherwise lgtm though I never heard of setpriv before.
> 
> Does this work though? I’d think that the injection of
> setpriv would need to be between s-s-d and the dæmon to
> run, otherwise s-s-d might not have enough privilegues.

In the cases I have tested so far it works. But I have no particular expertise
in capabilities and I know this doesn't quite answer your question in the
general sense.

I am exploring if there can be a general solution to the issue of disappearing
LSB/cron/etc scripts that would scale better than orphan-sysvinit-scripts and
have focused on the cases where that has already happened.

So, using network-manager as an example, the current LSB intiscript that
unit-translator generates from /lib/systemd/system/NetworkManager.service is:-

#! /bin/sh
# Generated by ./unit-translator/utrans from:
#  0d96ab7fdbde8be2dec1cf85ec83ac9ca544752eefa0bd9136817bd24b8c4c22  /lib/systemd/system/NetworkManager.service

# kFreeBSD does not accept scripts as interpreters, using #!/bin/sh and sourcing.
if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then
   set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script
fi
### BEGIN INIT INFO
# Provides: NetworkManager
# Required-Start: dbus $remote_fs
# Required-Stop: dbus $remote_fs
# Should-Start: $network $local_fs
# Should-Stop: $network $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: Network Manager
### END INIT INFO
DESC="Network Manager"
DAEMON="/usr/sbin/NetworkManager"
DAEMON_ARGS="--no-daemon"
SETPRIV_ARGS="--bounding-set -all,+NET_ADMIN,+DAC_OVERRIDE,+NET_RAW,+NET_BIND_SERVICE,+SETGID,+SETUID,+SYS_MODULE,+AUDIT_WRITE,+KILL,+SYS_CHROOT"
PIDFILE="/run/NetworkManager.pid"
START_ARGS="--background --make-pidfile"
ulimit -n 65536
do_reload() {
  /usr/bin/busctl call org.freedesktop.NetworkManager /org/freedesktop/NetworkManager org.freedesktop.NetworkManager Reload u 0
}

Then, with the init-d-script patch to support SETPRIV_ARGS, /proc/$(pidof NetworkManager)/status contains

Name:	NetworkManager
Umask:	0022
State:	S (sleeping)
[..]
SigPnd:	0000000000000000
ShdPnd:	0000000000000000
SigBlk:	0000000000000000
SigIgn:	0000000000001000
SigCgt:	0000000100004a03
CapInh:	0000000800000000
CapPrm:	00000008200534e2
CapEff:	00000008200534e2
CapBnd:	00000000200534e2
CapAmb:	0000000000000000

$ /sbin/capsh '--decode=00000000200534e2'
0x00000000200534e2=cap_dac_override,cap_kill,cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_audit_write

So, it certainly *can* work. I will experiment more to see if you can drop
sufficient capabilities to break s-s-d.

Mark