Re: Proper way to do setcap in maintscript
Helmut Grohne:
Hi Niels,
thanks for reaching out.
Thanks for the quick feedback. :)
On Sat, Nov 18, 2023 at 05:13:44PM +0100, Niels Thykier wrote:
* Should the snippet use dpkg-statoverride instead of a chmod?
(If dpkg-statoverride is used, how will this interact with the next
bullet?)
I don't think dpkg-statoverride can do capabilities so we couldn't track
that anyway.
As a clarification, I meant using dpkg-statoverride for the `chmod u-s`
part, so that dpkg is aware that the mode change is deliberate.
Also note that dpkg-statoverride needs a bit of attention
when it comes to /usr-merge (DEP17 P5) while the snippet will probably
just work.
* Should the snippet use $DPKG_ROOT for the CMD even though setcap
would presumably have to be run from the HOST system?
The commands should be used from the build system (i.e. without
DPKG_ROOT). We expect that if DPKG_ROOT is being used, it is being used
for all operations on the chroot and that packages are never upgraded
(i.e. we're always in a kind of bootstrap setting).
On the flip side, the paths to be operated on would benefit from being
prefixed by DPKG_ROOT.
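Ok. Just to confirm, are we then looking at something like:
```
if [ "$1" = configure ]; then
    # setcap itself is looked up on the host (no DPKG_ROOT prefix);
    # only the path being operated on is prefixed with DPKG_ROOT.
    if command -v setcap > /dev/null; then
        if setcap CAP "${DPKG_ROOT}CMD"; then
            # Drop the setuid bit only once the capability is in place.
            chmod u-s "${DPKG_ROOT}CMD"
        else
            echo "Setcap failed ..." >&2
        fi
    else
        echo "Setcap is not installed, ..." >&2
    fi
fi
```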
PS: I am also happy to receive suggestions for how to integrate this better
with dpkg. My understanding though is that it will come with the dpkg
manifest format, so I assumed the package helper just had to do some
maintscript glue for now.
I also hope that we have more fundamental dpkg support for this before
too long.
Helmut
:)
Thanks,
~Niels