1.0.0 — remove setuid bit from Makefile install #189
Merged
End of the rootless track. The Makefile install target now installs crate(1) at mode 0755 instead of 04755; the binary can no longer self-elevate. Every privileged operation is delegated to crated(8) via the libnv privops socket (local clients, getpeereid-authenticated) or the HTTPS API with bearer tokens (remote clients). This is a one-line build change. The preceding 31 mini-PRs (0.9.0 → 0.9.30) staged the verb taxonomy, libnv listener, per-user namespacing, CLI call-site wiring, and default flip, so the setuid removal here is a security gate, not a code rewrite. Wire-format unchanged. 1.0.0 clients interop with 0.9.30 daemons and vice versa. Suite stays at 1303.
## Summary

- `Makefile` install target: `install -s -m 04755 crate` → `install -s -m 0755 crate` (setuid bit removed)
- `cli/args.cpp` version string bumped to `crate 1.0.0`
- `docs/rootless-migration.md` status updated to "1.0.0, setuid removed"; 1.0.0 entry in release-log filled in
- `CHANGELOG.md` 1.0.0 entry covering upgrade matrix, rollback procedure, and the 1.x backlog (per-user path leaks not yet wired — see audit findings)

This is a one-line build change. Every other piece of the rootless track shipped in 0.9.0–0.9.30:

rootless_per_user: true)

## Behaviour change

`crate(1)` runs as the operator's uid and talks to `crated(8)` over the libnv privops socket (`/var/run/crate/privops.sock` by default). `crated` MUST be running for `crate(1)` to function in 1.0.0; the daemon was already required for the 0.9.x track, so this is not a new dependency.

## Wire compatibility

No wire changes since 0.9.29. 1.0.0 clients interop with 0.9.30 daemons; bearer tokens, JSON privops, libnv schemas, control sockets, HTTPS API, Prometheus metrics all unchanged.

## Rollback

Patch `Makefile` back to `-m 04755` and rebuild, OR pin to 0.9.30. The setuid bit is the only thing that changed between the two; 0.9.30 → 1.0.0 → 0.9.30 is reversible without daemon side-effects.

## 1.x backlog (not blocking 1.0.0)

From the pre-1.0 audit:

- `lib/network_lease6.cpp` IPv6 lease path still hardcoded (IPv4 sibling done 0.9.27)
- `lib/lifecycle.cpp` `.crate` file path hardcoded
- `lib/pfctl_ops.cpp` pf lock not per-user
- `lib/stack.cpp` DNS dirs hardcoded
- `lib/vm_run.cpp` VM + cloud-init paths hardcoded
- `lib/run_net.cpp:446` direct `ifconfig -vnet` (should use existing `SetIfaceUp` privops verb)

These are latent multi-tenant bugs but don't block setuid removal — single-tenant workflows are unaffected.

## Test plan

- `make install DESTDIR=/tmp/stage && ls -l /tmp/stage/usr/local/bin/crate` shows mode 0755 (no `s` bit)
- `crate --version` prints `crate 1.0.0`
- `crate list` (as non-root operator with `crated` running) succeeds
- `crate list` (with `crated` stopped) fails with a clear "daemon not running" error

Generated by Claude Code
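The first test-plan item verifies the staged binary's mode by reading `ls -l` output by eye. The shell script below is an added example, not code from the crate project or from this PR: it turns that check into a gate that fails when the installed file carries a setuid or setgid bit, so a release pipeline cannot ship a 04755 `crate` again by accident. It reads the mode string from `ls -l` rather than `stat(1)`, whose flags differ between GNU and BSD, so it runs unchanged on FreeBSD and Linux. The staged path `usr/local/bin/crate` under `DESTDIR` is taken from the test plan; the files the demo creates are constructed stand-ins, not a real build.

```shell
#!/bin/sh
# Added example (not part of the crate project): reject a staged install
# whose binary still has the setuid or setgid bit set.

# check_no_setuid FILE
#   returns 0 if FILE has neither the setuid nor the setgid bit,
#   1 if either bit is set, 2 if FILE does not exist.
# In the ls -l mode string (e.g. -rwsr-xr-x) the 4th character is the
# setuid slot and the 7th the setgid slot: 's' with the exec bit set,
# 'S' without it. cut -c1-10 drops any trailing ACL/SELinux marker.
check_no_setuid() {
  f=$1
  [ -f "$f" ] || { echo "check_no_setuid: no such file: $f" >&2; return 2; }
  mode=$(ls -ld "$f" | cut -c1-10)
  case "$mode" in
    ???[sS]*)    echo "FAIL: $f is setuid ($mode)" >&2; return 1 ;;
  esac
  case "$mode" in
    ??????[sS]*) echo "FAIL: $f is setgid ($mode)" >&2; return 1 ;;
  esac
  echo "OK: $f is $mode"
  return 0
}

# verify_stage STAGEDIR
#   the gate from the test plan: after `make install DESTDIR=STAGEDIR`
#   the installed crate binary must be 0755, never 04755.
verify_stage() {
  check_no_setuid "$1/usr/local/bin/crate"
}

# Demo on constructed files (no build needed): a 04755 stand-in for the
# pre-1.0.0 install must be rejected, the 0755 replacement must pass.
demo() {
  d=$(mktemp -d) || return 2
  mkdir -p "$d/usr/local/bin"
  : > "$d/usr/local/bin/crate"
  chmod 04755 "$d/usr/local/bin/crate"   # old install -s -m 04755
  if verify_stage "$d"; then
    echo "demo: setuid file wrongly accepted" >&2; rm -rf "$d"; return 1
  fi
  chmod 0755 "$d/usr/local/bin/crate"    # new install -s -m 0755
  if ! verify_stage "$d"; then
    echo "demo: 0755 file wrongly rejected" >&2; rm -rf "$d"; return 1
  fi
  rm -rf "$d"
  echo "demo: both checks behaved as expected"
}

demo
```

To use it against a real staging tree, run `verify_stage /tmp/stage` after `make install DESTDIR=/tmp/stage`; a non-zero exit is the signal to stop the release. Note that this only proves the file mode on disk: whether the host honours it at all (a `nosuid` mount, for instance) is a separate question the check does not answer.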