Re: New proposed system group "scap" and setuid binary "dumpcalls"

To: Bálint Réczey <balint@balintreczey.hu>, debian-devel@lists.debian.org
Subject: Re: New proposed system group "scap" and setuid binary "dumpcalls"
From: Josh Triplett <josh@joshtriplett.org>
Date: Mon, 6 Oct 2025 08:34:34 -0700
Message-id: <[🔎] aOPhinpNcQ_8xDY3@localhost>
In-reply-to: <[🔎] 20251006151547.pfk7nozry3vxxb2v@shell.thinkmo.de>
References: <[🔎] CAK0Odpw-fV=C6RKwY1_ODxhF2p-iHUdX_QqZicqLQ9oodQHObg@mail.gmail.com> <[🔎] aOF1PXYaeZjfBGDk@localhost> <[🔎] CAK0OdpzXPiBV_A6k_n+ET0W9KdjAsGvWxEqpXG7ZarPsMAbvFA@mail.gmail.com> <[🔎] 20251006111649.fiob5k4widfrsf6d@shell.thinkmo.de> <[🔎] CAK0OdpyEZB6dbV2x1Ugnc5MkxMir+jvA_1=cVcPRJTTB0ZvSDA@mail.gmail.com> <[🔎] 20251006151547.pfk7nozry3vxxb2v@shell.thinkmo.de>

On Mon, Oct 06, 2025 at 05:15:47PM +0200, Bastian Blank wrote:
> On Mon, Oct 06, 2025 at 05:01:39PM +0200, Bálint Réczey wrote:
> > > From my view: it needs to employ the "can ptrace" check for any
> > > monitored process.
> > I think that would also be against the monitoring's usefulness. Not
> > ptrace-able processes can cause issues to be triaged, too.
> 
> In that case you need to go through the normal elevation rules.  So
> either sudo oder packagekit.

I think you may mean PolicyKit? But yes, ideally this would use
PolicyKit rather than a group-limited setuid/setcap binary.

In the absence of that, the group at least needs to be documented as
root-equivalent, since systemwide monitoring of syscalls on privileged
processes almost certainly is.

Reply to:

Follow-Ups:
- Re: New proposed system group "scap" and setuid binary "dumpcalls"
  - From: Bálint Réczey <balint@balintreczey.hu>

References:
- New proposed system group "scap" and setuid binary "dumpcalls"
  - From: Bálint Réczey <balint@balintreczey.hu>
- Re: New proposed system group "scap" and setuid binary "dumpcalls"
  - From: Josh Triplett <josh@joshtriplett.org>
- Re: New proposed system group "scap" and setuid binary "dumpcalls"
  - From: Bálint Réczey <balint@balintreczey.hu>
- Re: New proposed system group "scap" and setuid binary "dumpcalls"
  - From: Bastian Blank <waldi@debian.org>
- Re: New proposed system group "scap" and setuid binary "dumpcalls"
  - From: Bálint Réczey <balint@balintreczey.hu>
- Re: New proposed system group "scap" and setuid binary "dumpcalls"
  - From: Bastian Blank <waldi@debian.org>

Prev by Date: Re: New proposed system group "scap" and setuid binary "dumpcalls"
Next by Date: Re: CMake 4 upload to unstable
Previous by thread: Re: New proposed system group "scap" and setuid binary "dumpcalls"
Next by thread: Re: New proposed system group "scap" and setuid binary "dumpcalls"
Index(es):
- Date
- Thread