
Re: Setting file capabilities of files shipped in binary packages



On 13/03/11 19:56, Sebastian Harl wrote:
> Hi,
> 
> the new upstream version of one of my packages tries to set the
> CAP_NET_RAW (permission to use RAW and PACKET sockets) file capability
> during "make install" (using setcap(8)). (The affected tool sends ICMP
> ECHO_REQUESTS ("pings"), thus needs to open a RAW socket. Imho, setting
> the file capability is a nicer approach than setting the setuid bit.)
> 
> Now, the question is: is it allowed to ship files having special
> capabilities set? I couldn't find anything either in the policy or in
> the devref. If the answer to that is "yes", how should the package
> handle that? Using setcap(8) requires root privileges, so it cannot be
> used in debian/rules. Would it be fine to do that in postinst?

That's exactly what gnome-keyring from experimental does (for CAP_IPC_LOCK). You
can have a look at its postinst.

Cheers,
Emilio
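
A sketch of the postinst approach discussed above, as an added example that is not part of the original thread and is not gnome-keyring's actual script. The binary path `/usr/bin/example-pinger`, the `grant_net_raw` helper, the overridable `SETCAP` variable and the setuid fallback are all assumptions made for illustration.

```shell
#!/bin/sh
# Illustrative postinst: grant CAP_NET_RAW at configure time, because
# setcap(8) needs root and so cannot run from debian/rules.
set -e

# Hypothetical path of the packaged ping-like tool (assumption).
BIN="${BIN:-/usr/bin/example-pinger}"
# setcap(8) binary; overridable so the logic can be exercised unprivileged.
SETCAP="${SETCAP:-setcap}"

# Try the file capability first. If setcap is not installed or the
# filesystem cannot store the capability, fall back to the setuid bit
# (the packaged file is root-owned, so this means setuid root).
# Prints the mechanism that ended up in effect.
grant_net_raw() {
    bin="$1"
    [ -f "$bin" ] || { echo "missing"; return 1; }
    # Start from a known state so both mechanisms are never active together.
    chmod u-s "$bin"
    if command -v "$SETCAP" >/dev/null 2>&1 &&
       "$SETCAP" cap_net_raw+ep "$bin" 2>/dev/null; then
        echo "capability"
    else
        chmod u+s "$bin"
        echo "setuid"
    fi
}

case "${1:-}" in
    configure)
        grant_net_raw "$BIN" >/dev/null
        ;;
esac
```

After installation, `getcap` on the binary shows whether the capability was applied, and `ls -l` shows whether the setuid fallback was taken instead.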

