File-based capabilities missing after installation
Marcus Karlsson
mk at acc.umu.se
Thu May 8 08:43:25 CEST 2014
On Tue, May 06, 2014 at 02:58:34PM +0200, Thomas Lange wrote:
> >>>>> On Tue, 6 May 2014 14:21:35 +0200, Marcus Karlsson <mk at acc.umu.se> said:
>
> > unable to use the ping program. It turns out that Ubuntu nowadays (at
> > least 14.04) doesn't use setuid for ping and relies on file-based
> > capabilities instead. But this is not preserved during the installation.
>
> > Has anyone else run into this, or has any ideas on what we can do to
> > solve it? Reinstalling the package fixes it but we would like to avoid
> > that if possible.
> Can you have a look at the postinst script of the package which you
> have reinstalled (I guess the package that contains the ping
> executable). What do they do inside this script to set the
> capabilities?
if [ "$1" = configure ]; then
    # If we have setcap is installed, try setting cap_net_raw+ep,
    # which allows us to install our binaries without the setuid
    # bit.
    if command -v setcap > /dev/null; then
        if setcap cap_net_raw+ep /bin/ping cap_net_raw+ep /bin/ping6; then
            echo "Setcap worked! Ping(6) is not suid!"
        else
            echo "Setcap failed on /bin/ping, falling back to setuid" >&2
            chmod u+s /bin/ping /bin/ping6
        fi
    else
        echo "Setcap is not installed, falling back to setuid" >&2
        chmod u+s /bin/ping /bin/ping6
    fi
fi
Looks like they simply attempt to invoke setcap and fall back to setting
the suid bit if it fails or is unavailable.
> Maybe we only need to add the libcap2 package into FAI?
I'm not sure if that will help. Iputils-ping is installed as part of
base.tar.xz so that would be where the capabilities are dropped. GNU
Tar does not support capabilities as far as I know, although Fedora is
working on local patches for it [1]. A solution could be to use a
modified version of tar when creating and extracting it.
Marcus
[1] https://bugzilla.redhat.com/show_bug.cgi?id=771927
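Added example, not code from the thread or from FAI: a check that a post-extraction hook could run to list binaries whose security.capability xattr did not survive unpacking base.tar.xz. It decodes the raw xattr using the vfs_cap_data layout from linux/capability.h rather than parsing getcap output; the expected-capability map and the demo tree are constructed for illustration.

```python
import errno
import os
import struct
import tempfile

XATTR_NAME = "security.capability"
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001   # flag in magic_etc set by '+e'
CAP_NET_RAW = 13                       # capability number, linux/capability.h


def encode_v2(permitted, inheritable, effective):
    """Build a revision-2 security.capability value (what setcap stores)."""
    magic = 0x02000000 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic, permitted & 0xFFFFFFFF,
                       inheritable & 0xFFFFFFFF, permitted >> 32, inheritable >> 32)


def decode_security_capability(blob):
    """Decode vfs_cap_data: magic_etc, then little-endian u32 pairs of
    (permitted, inheritable): one pair in v1, two in v2/v3, plus rootid in v3."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    revision, effective = magic & 0xFF000000, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)
    if revision == 0x01000000:
        permitted, inheritable = struct.unpack_from("<II", blob, 4)
        rootid = 0
    elif revision in (0x02000000, 0x03000000):
        p0, i0, p1, i1 = struct.unpack_from("<IIII", blob, 4)
        permitted, inheritable = p0 | (p1 << 32), i0 | (i1 << 32)
        rootid = struct.unpack_from("<I", blob, 20)[0] if revision == 0x03000000 else 0
    else:
        raise ValueError("unknown security.capability revision 0x%08x" % revision)
    return {"permitted": permitted, "inheritable": inheritable,
            "effective": effective, "rootid": rootid}


def has_effective_cap(blob, cap_number):
    """True when the value grants cap_number as permitted+effective ('+ep')."""
    caps = decode_security_capability(blob)
    return caps["effective"] and bool(caps["permitted"] & (1 << cap_number))


def file_caps(path):
    """Raw security.capability of path, or None if the file carries none."""
    try:
        return os.getxattr(path, XATTR_NAME)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise


def missing_caps(root, expected):
    """expected maps path -> capability number; returns the paths under root
    that no longer carry it (the list a post-extraction hook would re-setcap)."""
    lost = []
    for rel, cap in expected.items():
        blob = file_caps(os.path.join(root, rel.lstrip("/")))
        if blob is None or not has_effective_cap(blob, cap):
            lost.append(rel)
    return lost


def demo_unpacked_tree():
    """Runs without root: a constructed tree as left by a tar that ignores
    xattrs; bin/ping exists but has no capability, so it is reported."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        open(os.path.join(root, "bin", "ping"), "wb").close()
        return missing_caps(root, {"/bin/ping": CAP_NET_RAW})
```

Reading the xattr needs no privilege, so the check can run before deciding whether to re-run setcap (which does need CAP_SETFCAP) for the reported paths.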