
Re: Proper way to do setcap in maintscript



Helmut Grohne:
Hi Niels,

thanks for reaching out.


Thanks for the quick feedback. :)

On Sat, Nov 18, 2023 at 05:13:44PM +0100, Niels Thykier wrote:
  * Should the snippet use dpkg-statoverride instead of a chmod?
    (If dpkg-statoverride is used, how will this interact with the next
     bullet?)

I don't think dpkg-statoverride can do capabilities so we couldn't track
that anyway.

As a clarification, I meant using dpkg-statoverride for the `chmod u-s` part, so that dpkg is aware that the mode change is deliberate.

Also note that dpkg-statoverride needs a bit of attention
when it comes to /usr-merge (DEP17 P5) while the snippet will probably
just work.

  * Should the snippet use $DPKG_ROOT for the CMD even though setcap
    would presumably have to be run from the HOST system?

The commands should be used from the build system (i.e. without
DPKG_ROOT). We expect that if DPKG_ROOT is being used, it is being used
for all operations on the chroot and that packages are never upgraded
(i.e. we're always in a kind of bootstrap setting).

On the flip side, the paths to be operated on would benefit from being
prefixed by DPKG_ROOT.


Ok. Just to confirm, are we then looking at something like:

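```
if [ "$1" = configure ]; then
     # CAP and CMD are placeholders for the capability and the binary path.
     # setcap itself is run from the host; only the path gets the
     # DPKG_ROOT prefix.
     if command -v setcap > /dev/null; then
         # Drop the setuid bit only after the capability was applied.
         if setcap CAP "${DPKG_ROOT}CMD"; then
             chmod u-s "${DPKG_ROOT}CMD"
         else
             echo "Setcap failed ..." >&2
         fi
     else
         echo "Setcap is not installed,  ..." >&2
     fi
fi
```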

PS: I am also happy to receive suggestions for how to integrate this better
with dpkg. My understanding though is that it will come with the dpkg
manifest format, so I assumed the package helper just had to do some
maintscript glue for now.

I also hope that we have more fundamental dpkg support for this before
too long.

Helmut


:)

Thanks,
~Niels

