Post Ad1t4l64bIHEfsUHA0 by siosm@floss.social
 (DIR) Post #Ad1t4jDnZbGgrG5PvM by siosm@floss.social
       2023-12-19T15:01:57Z
       
       0 likes, 0 repeats
       
       sudo without a setuid binary or SSH over a UNIX socket: https://tim.siosm.fr/blog/2023/12/19/ssh-over-unix-socket/ I have been working on this setup as part of my investigation to reduce our reliance on setuid binaries and trying to figure out alternatives for common use cases. #Fedora #ConfinedUsers #UnixLegacy
       
 (DIR) Post #Ad1t4kBhyrBrr47GIy by pid_eins@mastodon.social
       2023-12-19T18:26:38Z
       
       0 likes, 0 repeats
       
       @siosm btw, the nicest way to disable the suid binaries is by dropping in a config snippet for systemd that sets NoNewPrivileges=yes, system-wide. In that case suid is a thing of the past. (I mean, ideally we'd have an option to compile it out of the kernel, but this is the next best thing)
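
As an added illustration of what that setting does at the kernel level (this is not code from the thread or from systemd): NoNewPrivileges= makes systemd set the process's no_new_privs bit via prctl(2), after which execve() of a setuid or file-capability binary no longer grants any extra privilege. The program below sets the same bit on itself and reads it back from /proc/self/status, the field an auditor would check on a running service. Linux only.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Parse the "NoNewPrivs:\t<0|1>" line out of /proc/<pid>/status text.
 * Returns 0 or 1, or -1 if the field is absent or malformed. */
int parse_nnp_status(const char *status_text) {
    const char *p = strstr(status_text, "NoNewPrivs:");
    if (!p) return -1;
    p += strlen("NoNewPrivs:");
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '0' || *p == '1') return *p - '0';
    return -1;
}

/* Read this process's own flag from procfs; the same check works for any PID. */
int nnp_from_proc(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_nnp_status(buf);
}

/* Set the bit exactly as systemd does for NoNewPrivileges=yes. The flag is
 * inherited across fork() and execve() and can never be cleared again.
 * Returns 1 once set, -1 on failure. */
int set_no_new_privs(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

int main(void) {
    printf("before: prctl=%d /proc=%d\n",
           prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0), nnp_from_proc());
    set_no_new_privs();
    printf("after:  prctl=%d /proc=%d\n",
           prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0), nnp_from_proc());
    /* From here on, exec'ing sudo, pkexec or newuidmap runs them with the
     * caller's own uid and capability set: the setuid bit is simply ignored. */
    return 0;
}
```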
       
 (DIR) Post #Ad1t4l64bIHEfsUHA0 by siosm@floss.social
       2023-12-19T23:07:44Z
       
       0 likes, 0 repeats
       
       @pid_eins Indeed, this is definitely the most effective way. Unfortunately I still need some setuid binaries right now for various features. The main one is newuidmap for rootless podman, but pkexec comes soon after as a number of desktop apps still require it. They would need to be converted to daemon-only polkit.
       
 (DIR) Post #Ad1t4liiHdBYbiZ8O8 by pid_eins@mastodon.social
       2023-12-20T16:20:16Z
       
       0 likes, 0 repeats
       
       @siosm Every time somebody says "rootless podman" something in me dies. The thing is very much root-full, given the setuid binary it calls. (ok, fcaps, but CAP_SETUID, which it asks for, is one of those caps which are effectively fully equivalent to setuid root). I wish the people involved would stop throwing around this misleading slogan, it's utter bullshit. I mean, yes, they reduced the amount of privileged code running from user context, but it's not gone.
       
 (DIR) Post #Ad1t4mOBnQMWgLyG2K by pid_eins@mastodon.social
       2023-12-20T16:22:30Z
       
       0 likes, 1 repeats
       
       @siosm On a more positive note: we'll soon have fully rootless nspawn. Without setuid mess. See this: https://github.com/systemd/systemd/pull/26826
       
 (DIR) Post #Ad1t4mry0iBKAhu2S0 by siosm@floss.social
       2023-12-19T23:11:08Z
       
       0 likes, 0 repeats
       
       @pid_eins At one point I also had a seccomp filter for my entire user session banning obsolete syscalls as defined by systemd. This broke the xdg-desktop-portal service which relies on fusermount if I remember correctly (will have to double check).