Hi,
the new upstream version of one of my packages tries to set the
CAP_NET_RAW (permission to use RAW and PACKET sockets) file capability
during "make install" (using setcap(8)). (The affected tool sends ICMP
ECHO_REQUESTS ("pings"), thus needs to open a RAW socket. Imho, setting
the file capability is a nicer approach than setting the setuid bit.)
Now, the question is: is it allowed to ship files having special
capabilities set. I couldn't find anything neither in the policy nor in
the devref. If the answer to that is "yes", how should the package
handle that? Using setcap(8) requires root privileges, so it cannot be
used in debian/rules. Would it be fine to do that in postinst?
TIA for any comments or pointers!
Cheers,
Sebastian
--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/
Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin
Attachment:
signature.asc
Description: Digital signature