Package: iproute2
Version: 4.16.0-2
Severity: normal

zerotier-one (a mesh-VPN program) calls `ip addr add` as non-root, but with the necessary capabilities present (ambient, inheritable, and effective).

However, the latest iproute2 version made `ip` drop all capabilities unconditionally (except for `ip vrf exec`), so this no longer works -- ip receives "Operation not permitted" and ZeroTier becomes unable to configure its tunnel interface, making the VPN completely unusable.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iproute2 depends on:
ii  debconf [debconf-2.0]  1.5.66
ii  libc6                  2.27-3
ii  libcap2                1:2.25-1.2
ii  libcap2-bin            1:2.25-1.2
ii  libdb5.3               5.3.28-13.1+b1
ii  libelf1                0.170-0.4
ii  libmnl0                1.0.4-2
ii  libselinux1            2.7-2+b2

Versions of packages iproute2 recommends:
pn  libatm1       <none>
ii  libxtables12  1.6.2-1

Versions of packages iproute2 suggests:
pn  iproute2-doc  <none>

-- Configuration Files:
/etc/iproute2/rt_tables changed [not included]

-- debconf information excluded
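
Added example, not part of the original report and not code from iproute2 or ZeroTier: a diagnostic that decodes the capability sets in /proc/<pid>/status to confirm the calling process really holds CAP_NET_ADMIN as ambient, which separates a caller misconfiguration from `ip` dropping the capability itself. The function names and both status excerpts are constructed for illustration, and the check assumes the `ip` binary has no setuid bit and no file capabilities.

```python
CAP_NET_ADMIN = 12  # bit number of CAP_NET_ADMIN in linux/capability.h

# Constructed /proc/<pid>/status excerpts (not taken from the report).
# Caller as the report describes it: non-root, cap in Inh/Prm/Eff/Amb.
STATUS_AMBIENT = """\
Uid:\t998\t998\t998\t998
CapInh:\t0000000000001000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000001000
"""
# Contrast case: cap held by the caller itself but not ambient.
STATUS_NO_AMBIENT = STATUS_AMBIENT.replace(
    "CapAmb:\t0000000000001000", "CapAmb:\t0000000000000000")


def parse_cap_sets(status_text):
    """Map 'CapInh', 'CapPrm', 'CapEff', 'CapBnd', 'CapAmb' to integer masks."""
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("Cap"):
            sets[key] = int(value.strip(), 16)
    return sets


def holds(sets, set_name, cap=CAP_NET_ADMIN):
    return bool((sets.get(set_name, 0) >> cap) & 1)


def child_starts_with_cap(sets, cap=CAP_NET_ADMIN):
    """For a non-root caller exec'ing a binary with no setuid bit and no file
    capabilities, the child's permitted and effective sets equal the caller's
    ambient set, so the cap reaches the child only if it is ambient."""
    return holds(sets, "CapAmb", cap)


def report(status_text):
    sets = parse_cap_sets(status_text)
    held = [n for n in ("CapInh", "CapPrm", "CapEff", "CapAmb") if holds(sets, n)]
    return {"held_in": held, "child_starts_with_cap": child_starts_with_cap(sets)}


if __name__ == "__main__":
    with open("/proc/self/status") as fh:  # inspect the current process
        print(report(fh.read()))
```

If `child_starts_with_cap` is true for the caller and `ip` still returns "Operation not permitted", the capability was lost after exec rather than before it.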