
Bug#409657: marked as done (libcap-bin, linux-2.6: setting capabilities does not work with Debian kernels)



Your message dated Sun, 4 Feb 2007 17:37:22 +0100
with message-id <20070204163722.GA10803@wavehammer.waldi.eu.org>
and subject line Bug#409657: libcap-bin, linux-2.6: setting capabilities does not work with Debian kernels
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libcap-bin,linux-2.6
Severity: grave
Justification: renders package unusable

The Debian kernels do not give the CAP_SETPCAP capability to the root
user, so the utilities in libcap-bin are not usable.

In my case this is a problem since the 2.6.18 kernel has added 
/dev/net/tun to the CAP_SYS_ADMIN list. This means only the root user can
access this file, whatever the permissions of this file are. setpcaps or 
sucap can't change that. This is a regression from the 2.6.17 kernel.


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-amd64
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)


--- End Message ---
--- Begin Message ---
On Sun, Feb 04, 2007 at 04:55:51PM +0100, Aurelien Jarno wrote:
> The Debian kernels do not give the CAP_SETPCAP capability to the root
> user, so the utilities in libcap-bin are not usable.

It was never available.

> In my case this is a problem since the 2.6.18 kernel has added 
> /dev/net/tun to the CAP_SYS_ADMIN list. This means only the root user can
> access this file, whatever the permissions of this file are. setpcaps or 
> sucap can't change that. This is a regression from the 2.6.17 kernel.

Incorrect. There was a security fix. Now only CAP_SYS_ADMIN is allowed to
create new devices.

Anyway. Nothing here is a bug. CAP_SETPCAP was never available and
the proposed permissions for this device were 700 before this change (now
they are 666), so no regression.

Bastian

-- 
There is an order of things in this universe.
		-- Apollo, "Who Mourns for Adonais?" stardate 3468.1

--- End Message ---
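
To check which capabilities a process actually holds, the following added example (not part of the original messages or of libcap) decodes the Cap* bitmasks from /proc/<pid>/status and tests for the two capabilities discussed in this thread. The sample status text is constructed, with bit 8 (CAP_SETPCAP) cleared in the permitted and effective sets; the function names are illustrative.

```python
import re

# Bit numbers as defined in <linux/capability.h>.
CAP_BITS = {
    "CAP_SETGID": 6,
    "CAP_SETUID": 7,
    "CAP_SETPCAP": 8,
    "CAP_NET_ADMIN": 12,
    "CAP_SYS_ADMIN": 21,
}

# Matches lines such as "CapEff:\t00000000fffffeff".
CAP_LINE = re.compile(r"^(Cap[A-Za-z]+):[ \t]*([0-9a-fA-F]+)[ \t]*$", re.M)

# Constructed sample of the relevant /proc/<pid>/status lines for a root
# process whose permitted/effective masks lack CAP_SETPCAP (bit 8).
SAMPLE_STATUS = (
    "Name:\tbash\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000fffffeff\n"
    "CapEff:\t00000000fffffeff\n"
)

def parse_cap_sets(status_text):
    """Return {set name: integer mask} for every Cap* line in the text."""
    return {name: int(value, 16) for name, value in CAP_LINE.findall(status_text)}

def has_cap(mask, cap_name):
    """True if the capability's bit is set in the mask."""
    return bool((mask >> CAP_BITS[cap_name]) & 1)

def report(status_text, wanted=("CAP_SETPCAP", "CAP_SYS_ADMIN")):
    """Map each capability set to the presence of the wanted capabilities."""
    return {
        set_name: {cap: has_cap(mask, cap) for cap in wanted}
        for set_name, mask in parse_cap_sets(status_text).items()
    }

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:   # live data on Linux
            text = fh.read()
    except OSError:
        text = SAMPLE_STATUS                    # fall back to the constructed sample
    for set_name, caps in report(text).items():
        print(set_name, caps)
```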
