Re: Proper way to do setcap in maintscript

[Niels Thykier <niels@thykier.net>]

Niels Thykier:
> Hi,
>
> I have seen the following pattern in multiple packages, where we use 
> `setcap` to replace a setuid (or setgid) mode with a capability. I think 
> it is about time that we get proper packaging helper support for it.
>
> [...]
>
> Best regards,
> Niels
>
> [...]

Hi

Thanks for the feedback so far. :)

I have ended up with the snippet below, which includes:

 1) Use of `dpkg-divert --truename` to make the code work the same even
    if the command has been diverted (seen in iputils-ping's setcap
    script).
 2) Use of `${DPKG_ROOT}` as suggested by Helmut.

> # Snippet source: debputy (translate-capabilities)
> if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ]; then
>   if command -v setcap > /dev/null; then
>       # Triggered by: packages.dh-debputy.transformations[0].path-metadata <Search for: /usr/bin/dh_debputy>
>       _TPATH=$(dpkg-divert --truename /usr/bin/dh_debputy)
>       if setcap cap_net_raw+ep "${DPKG_ROOT}${_TPATH}"; then
>           chmod a-s "${DPKG_ROOT}${_TPATH}"
>           echo "Successfully applied capabilities cap_net_raw+ep on ${_TPATH}"
>       else
>           echo "The setcap failed to processes cap_net_raw+ep on ${_TPATH}; falling back to no capability support" >&2
>       fi
>       unset _TPATH
>   else
>       echo "The setcap utility is not installed available; falling back to no capability support" >&2
>   fi
> fi


The use of `/usr/bin/dh_debputy` and related capability was just a value 
for the sake of testing the code.

Best regards,
Niels