Proper way to do setcap in maintscript

To: Dpkg-Maintainers <debian-dpkg@lists.debian.org>
Cc: Helmut Grohne <helmut@subdivi.de>
Subject: Proper way to do setcap in maintscript
From: Niels Thykier <niels@thykier.net>
Date: Sat, 18 Nov 2023 17:13:44 +0100
Message-id: <[🔎] bef7166f-c3ab-4ef4-ace5-1467e9d883ca@thykier.net>

Hi,

I have seen the following pattern in multiple packages, where we use`setcap` to replace a setuid (or setgid) mode with a capability. I thinkit is about time that we get proper packaging helper support for it.



```
if [ "$1" = configure ]; then
     if command -v setcap > /dev/null; then
         if setcap CAP CMD then
             chmod u-s CMD
         else
             echo "Setcap failed ..." >&2
         fi
     else
         echo "Setcap is not installed,  ..." >&2
     fi
fi
```

If I was to add support for this snippet in package helpers, is thereanything I should change in it? Such as:


 * Should the snippet use dpkg-statoverride instead of a chmod?
   (If dpkg-statoverride is used, how will this interact with the next
    bullet?)
 * Should the snippet use $DPKG_ROOT for the CMD even though setcap
   would presumably have to be run from the HOST system?

The snippet format has been used for a while, so it definitely "works".But I figured the basic template could do with a review to see if it isstill up to speed with best practices - especially if we start adding itto a package helper. :)


Best regards,
Niels

PS: I am also happy to receive suggestions for how to integrate thisbetter with dpkg. My understanding though is that it will come with thedpkg manifest format, so I assumed the package helper just had to dosome maintscript glue for now.

Reply to:

Follow-Ups:
- Re: Proper way to do setcap in maintscript
  - From: Helmut Grohne <helmut@subdivi.de>

Prev by Date: Re: Debian-dpkg
Next by Date: Re: Proper way to do setcap in maintscript
Previous by thread: Re: Debian-dpkg
Next by thread: Re: Proper way to do setcap in maintscript
Index(es):
- Date
- Thread