
Re: New proposed system group "scap" and setuid binary "dumpcalls"



Hi All,

Josh Triplett <josh@joshtriplett.org> wrote (on Mon, Oct 6, 2025,
17:34):
>
> On Mon, Oct 06, 2025 at 05:15:47PM +0200, Bastian Blank wrote:
> > On Mon, Oct 06, 2025 at 05:01:39PM +0200, Bálint Réczey wrote:
> > > > From my view: it needs to employ the "can ptrace" check for any
> > > > monitored process.
> > > I think that would also be against the monitoring's usefulness. Not
> > > ptrace-able processes can cause issues to be triaged, too.
> >
> > In that case you need to go through the normal elevation rules.  So
> > either sudo or packagekit.
>
> I think you may mean PolicyKit? But yes, ideally this would use
> PolicyKit rather than a group-limited setuid/setcap binary.
>
> In the absence of that, the group at least needs to be documented as
> root-equivalent, since systemwide monitoring of syscalls on privileged
> processes almost certainly is.

Thank you for all the input.

I've switched upstream to use the "_scap" group name as Guillem
suggested and also proposed using polkit:
https://gitlab.com/wireshark/wireshark/-/issues/20805

Cheers,
Balint

