
List:       linux-fai
Subject:    Re: File-based capabilities missing after installation
From:       Marcus Karlsson <mk () acc ! umu ! se>
Date:       2014-05-08 6:43:25
Message-ID: 20140508064325.GL14341 () hirohito ! acc ! umu ! se

On Tue, May 06, 2014 at 02:58:34PM +0200, Thomas Lange wrote:
> >>>>> On Tue, 6 May 2014 14:21:35 +0200, Marcus Karlsson <mk@acc.umu.se> said:
> 
>     > unable to use the ping program. It turns out that Ubuntu nowadays (at
>     > least 14.04) doesn't use setuid for ping and relies on file-based
>     > capabilities instead. But this is not preserved during the installation.
> 
>     > Has anyone else run into this, or has any ideas on what we can do to
>     > solve it? Reinstalling the package fixes it but we would like to avoid
>     > that if possible.
> Can you have a look at the postinst script of the package which you
> have reinstalled (I guess the package that contains the ping
> executable). What do they do inside this script to set the
> capabilities?

if [ "$1" = configure ]; then
    # If setcap is installed, try setting cap_net_raw+ep, which
    # allows us to install our binaries without the setuid bit.
    if command -v setcap > /dev/null; then
        if setcap cap_net_raw+ep /bin/ping cap_net_raw+ep /bin/ping6; then
            echo "Setcap worked! Ping(6) is not suid!"
        else
            echo "Setcap failed on /bin/ping, falling back to setuid" >&2
            chmod u+s /bin/ping /bin/ping6
        fi
    else
        echo "Setcap is not installed, falling back to setuid" >&2
        chmod u+s /bin/ping /bin/ping6
    fi
fi

Looks like they simply attempt to invoke setcap and fall back to setting
the suid bit if it fails or is unavailable.

> Maybe we only need to add the libcap2 package into FAI?

I'm not sure if that will help. Iputils-ping is installed as part of
base.tar.xz so that would be where the capabilities are dropped. GNU
Tar does not support capabilities as far as I know, although Fedora is
working on local patches for it [1]. A solution could be to use a
modified version of tar when creating and extracting it.

		Marcus

[1] https://bugzilla.redhat.com/show_bug.cgi?id=771927
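
An added check for exactly this failure mode (example code written for this
thread, not part of FAI, iputils-ping or GNU tar): it decodes the
security.capability extended attribute in the struct vfs_cap_data layout the
kernel stores (constants from linux/capability.h), renders it the way getcap
prints it, and audits an unpacked tree for binaries that should carry
cap_net_raw+ep but lost it on the way through the tarball. The sample xattr
value, the bin/ping and bin/ping6 paths and the short table of capability
names are constructed for the example; on a real target you would point
audit_tree at the extracted base directory.

```python
"""Decode Linux security.capability xattrs and audit an extracted tree for
file capabilities that did not survive packing/unpacking.
Added example for the FAI thread; not FAI, iputils or GNU tar code."""
import base64
import errno
import os
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# struct vfs_cap_data (linux/capability.h), all little-endian u32:
#   magic_etc = revision | flags, then (permitted, inheritable) pairs,
#   and for revision 3 a trailing rootid for user namespaces.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000     # one pair  (32-bit capability sets)
VFS_CAP_REVISION_2 = 0x02000000     # two pairs (64-bit capability sets)
VFS_CAP_REVISION_3 = 0x03000000     # two pairs plus rootid
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # "e": permitted caps are also effective
CAP_NET_RAW = 13                    # what ping needs for raw ICMP sockets

# Small constructed subset of capability numbers, enough for this audit.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 10: "cap_net_bind_service",
             12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}

# Constructed sample: what `getfattr -n security.capability /bin/ping` prints
# on a host where the postinst's setcap succeeded (v2 xattr, cap_net_raw+ep).
SAMPLE_PING_XATTR = "0sAQAAAgAgAAAAAAAAAAAAAAAAAAA="


@dataclass
class FileCaps:
    revision: int
    permitted: int
    inheritable: int
    effective: bool
    rootid: Optional[int] = None


def parse_getfattr_value(text: str) -> bytes:
    """Turn a getfattr value ("0s<base64>" or "0x<hex>") into raw bytes."""
    if text.startswith("0s"):
        return base64.b64decode(text[2:])
    if text.startswith("0x"):
        return bytes.fromhex(text[2:])
    raise ValueError("unrecognised getfattr encoding: %r" % text)


def decode_vfs_cap(raw: bytes) -> FileCaps:
    """Parse a security.capability value; rejects unknown revisions and bad sizes."""
    if len(raw) < 4:
        raise ValueError("vfs_cap_data too short")
    magic_etc, = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    pairs = {VFS_CAP_REVISION_1: 1, VFS_CAP_REVISION_2: 2, VFS_CAP_REVISION_3: 2}.get(revision)
    if pairs is None:
        raise ValueError("unknown vfs_cap_data revision 0x%08x" % revision)
    expected = 4 + 8 * pairs + (4 if revision == VFS_CAP_REVISION_3 else 0)
    if len(raw) != expected:
        raise ValueError("vfs_cap_data is %d bytes, expected %d" % (len(raw), expected))
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)      # second pair holds the high 32 bits
        inheritable |= inh << (32 * i)
    rootid = (struct.unpack_from("<I", raw, 4 + 8 * pairs)[0]
              if revision == VFS_CAP_REVISION_3 else None)
    return FileCaps(revision >> 24, permitted, inheritable,
                    bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE), rootid)


def cap_text(caps: FileCaps) -> str:
    """Render like getcap, e.g. "cap_net_raw+ep" (flag letters in e, i, p order)."""
    parts = []
    for bit in range(64):
        p = bool(caps.permitted & (1 << bit))
        i = bool(caps.inheritable & (1 << bit))
        if not (p or i):
            continue
        flags = ("e" if p and caps.effective else "") + ("i" if i else "") + ("p" if p else "")
        parts.append("%s+%s" % (CAP_NAMES.get(bit, str(bit)), flags))
    return ",".join(parts)


def has_effective_cap(caps: Optional[FileCaps], cap: int) -> bool:
    return caps is not None and caps.effective and bool(caps.permitted & (1 << cap))


def read_file_caps(path: str) -> Optional[FileCaps]:
    """None when the file is absent, has no security.capability xattr, or the
    filesystem/platform does not support xattrs; any of those means 'no caps'."""
    if not hasattr(os, "getxattr"):      # os.getxattr exists only on Linux
        return None
    try:
        raw = os.getxattr(path, "security.capability", follow_symlinks=False)
    except OSError as e:
        if e.errno in (errno.ENOENT, errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return decode_vfs_cap(raw)


def audit_tree(root: str, expected: Dict[str, int]) -> List[str]:
    """expected maps a path relative to root to the capability number it must
    hold as permitted+effective; returns the paths that fail that check."""
    return [rel for rel, cap in expected.items()
            if not has_effective_cap(read_file_caps(os.path.join(root, rel)), cap)]


if __name__ == "__main__":
    print("sample /bin/ping xattr decodes to:",
          cap_text(decode_vfs_cap(parse_getfattr_value(SAMPLE_PING_XATTR))))
    # Point this at the directory base.tar.xz was unpacked into.
    print("lost caps:", audit_tree("/", {"bin/ping": CAP_NET_RAW, "bin/ping6": CAP_NET_RAW}))
```

Run it against the unpacked base directory after creating and extracting the
tarball; an empty "lost caps" list means the xattr made it through. GNU tar
1.27 and later can carry it if both the create and the extract step are given
--xattrs --xattrs-include='security.capability' (assumed here to be the tar in
use; older releases silently drop the attribute, which is the symptom in this
thread).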