Re: Setting file capabilites of files shipped in binary packages
On 13/03/11 19:56, Sebastian Harl wrote:
> the new upstream version of one of my packages tries to set the
> CAP_NET_RAW (permission to use RAW and PACKET sockets) file capability
> during "make install" (using setcap(8)). (The affected tool sends ICMP
> ECHO_REQUESTS ("pings"), thus needs to open a RAW socket. Imho, setting
> the file capability is a nicer approach than setting the setuid bit.)
> Now, the question is: is it allowed to ship files having special
> capabilities set. I couldn't find anything neither in the policy nor in
> the devref. If the answer to that is "yes", how should the package
> handle that? Using setcap(8) requires root privileges, so it cannot be
> used in debian/rules. Would it be fine to do that in postinst?
That's exactly what gnome-keyring from experimental does (for CAP_IPC_LOCK). You
can have a look at its postinst.