
Should simple setcap/setuid modules be kept in NixOS? #50480

Open
matthewbauer opened this issue Nov 16, 2018 · 3 comments
Labels: 2.status: stale (https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md), 6.topic: policy discussion, 9.needs: community feedback

Comments

@matthewbauer
Member

Issue description

There are quite a few NixOS modules that do nothing more than set up a "security.wrappers" configuration for a single binary. This seems like a bad idea to me. My concern is that it obscures what is going on behind the scenes from the user. When you enable these modules, it is not exactly clear what they are doing. Having users explicitly make these programs setuid via the security.wrappers interface seems like the best policy. Given the very serious security concerns, I want users to know very clearly what they are making setuid/setgid. Almost all of these programs will work just fine via sudo invocations.

From just a maintenance perspective, this also feels like it could lead to potentially buggy or insecure modules. Here is a full list of some of the modules I am talking about:

  • security.pam.usb
  • security.chromiumSuidSandbox
  • programs.mtr
  • programs.iftop
  • programs.slock
  • programs.firejail
  • programs.udevil
  • programs.wireshark
  • programs.kbdlight
  • programs.wavemon
  • services.mail
@7c6f434c
Member

7c6f434c commented Nov 17, 2018 via email

@imuli
Contributor

imuli commented Jun 2, 2019

  • programs.wireshark
    A good example, I guess, especially given that best practice is probably tcpdump for straightforward privileged capture and wireshark (maybe even sandboxed) for dissection of packets without fear of One More Wireshark Dissector Bug leading to something bad done as root…

That's actually a sort of terrible example. Basically because what you just described is how many people would go about it - either sudo tcpdump or adding dumpcap as setuid root. What the module actually does is:

security.wrappers.dumpcap = {
  source = "${wireshark}/bin/dumpcap";
  capabilities = "cap_net_raw+p";
  owner = "root";
  group = "wireshark";
  permissions = "u+rx,g+x";
};

Wireshark does not run as root; the program dumpcap, which has about the same attack surface as tcpdump -w, runs with the raw network access capability. This is way, way safer than running as root.

Speaking more generally: I would say keep the setcap wrappers as they are better than sudo or setuid and slightly more difficult for users to add. Dropping setuid wrappers seems fine though, especially if there's a configuration error that tells you how to add them yourself for the transition.
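The distinction drawn above (a capability-only wrapper versus a setuid-root one) is easy to check on a running system. The helper below is added here as an example and is not part of nixpkgs or this thread; it lists, for every file in a directory, the owner, the setuid/setgid bits and any file capabilities. It assumes a Linux host with `getcap` from libcap available, and defaults to `/run/wrappers/bin`, assumed here to be the NixOS wrapper directory (pass another directory as the first argument).

```shell
# audit_wrappers DIR: print one line per file in DIR with its owner, whether
# the setuid / setgid bits are set, and any file capabilities reported by
# getcap. Default directory is /run/wrappers/bin (assumed NixOS wrapper dir).
audit_wrappers() {
  dir="${1:-/run/wrappers/bin}"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    owner=$(ls -ld "$f" | awk '{print $3}')
    suid="-"; sgid="-"
    [ -u "$f" ] && suid="setuid"
    [ -g "$f" ] && sgid="setgid"
    if command -v getcap >/dev/null 2>&1; then
      # getcap prints "<path> cap_x=p" (or "<path> = cap_x+p" on older
      # libcap); strip the leading path and keep only the capability text.
      caps=$(getcap "$f" 2>/dev/null | sed 's/^[^ ]* //')
      [ -n "$caps" ] || caps="(none)"
    else
      caps="(getcap not installed)"
    fi
    printf '%-20s owner=%-8s %-6s %-6s caps=%s\n' \
      "$(basename "$f")" "$owner" "$suid" "$sgid" "$caps"
  done
}

# count_setuid DIR: number of files in DIR carrying the setuid bit. These are
# the wrappers to review first: a capability-only wrapper such as the dumpcap
# one above grants a single capability, while a setuid-root wrapper grants the
# whole of root to any bug in the program.
count_setuid() {
  n=0
  for f in "${1:-/run/wrappers/bin}"/*; do
    [ -f "$f" ] && [ -u "$f" ] && n=$((n + 1))
  done
  echo "$n"
}
```

Running `audit_wrappers` on a host that enables the wireshark module should show dumpcap with no setuid bit and a cap_net_raw entry in the caps column.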

@stale

stale bot commented Jun 2, 2020

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 2, 2020