* Bug: The capability CAP_WAKE_ALARM should be whitelisted.
@ 2023-08-06 22:41 Robert Woods
2023-08-14 18:39 ` [PATCH] 52027: whitelist capability CAP_WAKE_ALARM in 'privasserted' function Robert Woods
0 siblings, 1 reply; 2+ messages in thread
From: Robert Woods @ 2023-08-06 22:41 UTC (permalink / raw)
To: zsh-workers
Hello,
Since a recent update of my ArchLinux, I noticed that zsh consider my
user account as privileged and display the sharp symbol (#) instead of
the percent (%) symbol.
The issue was triggered by the systemd update v254 from July 28, 2023.
But let me explain the details first:
1) I noticed that the zsh package in ArchLinux is built with
the option '--enable-cap'[1]
2) I noticed that the function 'privasserted' that checks if the
current user is privileged or not, uses the linux capability[2]. If
there is some effective capability sets, it considers the users as
privileged.
3) I reproduced the function 'privasserted' on a toy C example to check
the issue, and I noticed that 'CAP_WAKE_ALARM' was enabled. First I
thought this issue was coming from a config error on my system, but
then I figured that this capability was directly inherited from my
"desktop manager" xlogin[3]. (It is not exactly a desktop manager
since it is very lightweight, but you get the idea).
4) Since xlogin is simply a systemctl config to start my Xorg session
I checked the last release of systemd, and sure thing, the release
note of v254 (July 28, 2023) explains the origin of this issue[4].
Section "Security Relevant Changes" of the release v254 of systemd[4]:
> pam_systemd will now by default pass the CAP_WAKE_ALARM ambient
> process capability to invoked session processes of regular users on
> local seats (as well as to systemd --user), unless configured
> otherwise [...]. This is useful in order allow desktop tools such as
> GNOME's Alarm Clock application to set a timer for
> LOCK_REALTIME_ALARM that wakes up the system when it elapses. [...].
> Note that this capability is relatively narrow in focus (in
> particular compared to other process capabilities such as
> CAP_SYS_ADMIN) and we already — by default — permit more impactful
> operations such as system suspend to local users.
This change was made by Lennart Poettering himself in a GitHub PR[5].
My thoughts on that:
* Since systemd is widely use, I expect this issue to become a real
one: users will not understand why they are considered as privileged
on zsh.
* I understand the rationale of using the capabilities to check if a
user is privileged or not, however, I think some capabilities should
be whitelisted like CAP_WAKE_ALARM since it is not very harmful.
* Even if systemd was not allowing CAP_WAKE_ALARM by default, some
desktop manager would still enable it in their systemctl config
anyway. So it doesn't change my previous point in my opinion.
I hope my bug report is clear enough. I would like to take this
opportunity to thank you for all the work you guys are doing on zsh!
Kind regards,
Footnotes:
[1]
https://gitlab.archlinux.org/archlinux/packaging/packages/zsh/-/blob/main/PKGBUILD#L74
[2] https://github.com/zsh-users/zsh/blob/zsh-5.9/Src/utils.c#L7522
[3] https://github.com/joukewitteveen/xlogin
[4] https://github.com/systemd/systemd/releases/tag/v254
[5] https://github.com/systemd/systemd/pull/26548
--
Roberts Woods
^ permalink raw reply [flat|nested] 2+ messages in thread
* [PATCH] 52027: whitelist capability CAP_WAKE_ALARM in 'privasserted' function
2023-08-06 22:41 Bug: The capability CAP_WAKE_ALARM should be whitelisted Robert Woods
@ 2023-08-14 18:39 ` Robert Woods
0 siblings, 0 replies; 2+ messages in thread
From: Robert Woods @ 2023-08-14 18:39 UTC (permalink / raw)
To: zsh-workers
This patch is a follow up of this issue: https://zsh.org/workers/52027
Since the systemd update v254 from July 28, 2023, the capability
'CAP_WAKE_ALARM' is passed by default to some user process (especially
desktop managers). Since 'CAP_WAKE_ALARM' is very narrow in focus, it
is preferable that zsh does not consider it as a 'privileged'
capability.
For context, in the release note of systemd v254 the following is
written in the Section "Security Relevant Changes"[1]:
> pam_systemd will now by default pass the CAP_WAKE_ALARM ambient
> process capability to invoked session processes of regular users on
> local seats (as well as to systemd --user), unless configured
> otherwise [...]. This is useful in order allow desktop tools such as
> GNOME's Alarm Clock application to set a timer for
> LOCK_REALTIME_ALARM that wakes up the system when it elapses. [...].
> Note that this capability is relatively narrow in focus (in
> particular compared to other process capabilities such as
> CAP_SYS_ADMIN) and we already — by default — permit more impactful
> operations such as system suspend to local users.
[1] https://github.com/systemd/systemd/releases/tag/v254
Signed-off-by: Robert Woods <141646993+RobieWoods@users.noreply.github.com>
---
Src/utils.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Src/utils.c b/Src/utils.c
index 94a33453f..7040d0954 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -7551,9 +7551,9 @@ privasserted(void)
/* POSIX doesn't define a way to test whether a capability set *
* is empty or not. Typical. I hope this is conforming... */
cap_flag_value_t val;
- cap_value_t n;
- for(n = 0; !cap_get_flag(caps, n, CAP_EFFECTIVE, &val); n++)
- if(val) {
+ cap_value_t cap;
+ for(cap = 0; !cap_get_flag(caps, cap, CAP_EFFECTIVE, &val); cap++)
+ if(val && cap != CAP_WAKE_ALARM) {
cap_free(caps);
return 1;
}
--
2.41.0
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-08-14 18:39 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-08-06 22:41 Bug: The capability CAP_WAKE_ALARM should be whitelisted Robert Woods
2023-08-14 18:39 ` [PATCH] 52027: whitelist capability CAP_WAKE_ALARM in 'privasserted' function Robert Woods
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).