On Fri, May 11, 2018 at 1:02 PM Luca Boccassi <bl...@debian.org> wrote:
> Hi,
>
> I've added a check to see if CAP_NET_ADMIN is set to INHERITABLE, which
> is what happens when a program with ambient caps forks and execs ip,
> but it is not set by the iproute2 package (for the vrf exec case).
>
> Before I send that upstream for comments, would you be up to test it
> and see if it fixes your problems? I've tried with a simple program
> that uses the ambient caps, but I don't use zerotier-one nor virtual
> box so I'd like to be sure.
>
> Here's a built amd64 package for buster/sid:
>
> https://download.opensuse.org/repositories/home:/bluca/Debian_Next/amd64/iproute2_4.16.0-3~git1_amd64.deb
>
> Thanks!
>
> --
> Kind regards,
> Luca Boccassi

Your patch seems to work, but there's also another problem: /sbin/ip has an empty (but present) security.capability xattr, which gets ANDed with effective capabilities on exec. In other words, ip starts with inheritable=NET_ADMIN but effective=0. (When debconf asked me about making ip setuid, I chose "No".)

This is a bug in Debian's postinst – if $CAPS is empty, it should call `setcap -r /bin/ip` to remove the xattr, instead of setting it to an empty value.

After installing your patched version *and* clearing the empty caps xattr, I verified that zerotier-one finally works correctly.

--
Mantas Mikulėnas
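The exec-time behaviour described in the reply above, as an added model written for this thread (not code from Debian, iproute2 or the kernel): it applies the capability transformation rules from capabilities(7) to a constructed daemon that holds CAP_NET_ADMIN in its ambient set and execs ip, once with no security.capability xattr and once with an empty-but-present one. The bit number of CAP_NET_ADMIN and the daemon's sets are assumptions for the illustration.

```python
# Model of the Linux execve capability transformation (capabilities(7) rules).
# Written for this thread; not Debian, iproute2 or kernel code.
CAP_NET_ADMIN = 1 << 12  # bit number from <linux/capability.h>


def caps_after_exec(proc, fcaps):
    """Return the process capability sets after execve of a non-setuid file.

    proc : dict of bitmasks 'permitted', 'inheritable', 'effective',
           'ambient', 'bounding' for the calling process
    fcaps: None when the file has no security.capability xattr, otherwise a
           dict with 'permitted' and 'inheritable' bitmasks and an
           'effective' flag (what the xattr encodes)
    """
    # Any parseable xattr counts as "file has capabilities", even an all-zero one.
    has_fcap = fcaps is not None
    f_perm = fcaps['permitted'] if has_fcap else 0
    f_inh = fcaps['inheritable'] if has_fcap else 0
    f_eff = fcaps['effective'] if has_fcap else False

    ambient = 0 if has_fcap else proc['ambient']        # file caps cancel ambient
    permitted = ((proc['inheritable'] & f_inh)
                 | (f_perm & proc['bounding'])
                 | ambient)
    effective = permitted if f_eff else ambient
    return {'permitted': permitted, 'effective': effective, 'ambient': ambient,
            'inheritable': proc['inheritable'],         # unchanged by exec
            'bounding': proc['bounding']}               # unchanged by exec


# Constructed caller: ambient caps must also be permitted and inheritable.
DAEMON = {'permitted': CAP_NET_ADMIN, 'inheritable': CAP_NET_ADMIN,
          'effective': CAP_NET_ADMIN, 'ambient': CAP_NET_ADMIN,
          'bounding': (1 << 41) - 1}                    # all caps, constructed

NO_XATTR = None                                          # ip without file caps
EMPTY_XATTR = {'permitted': 0, 'inheritable': 0, 'effective': False}  # empty set


def ip_has_net_admin(fcaps):
    """(effective NET_ADMIN?, inheritable NET_ADMIN?) for ip after exec."""
    new = caps_after_exec(DAEMON, fcaps)
    return (bool(new['effective'] & CAP_NET_ADMIN),
            bool(new['inheritable'] & CAP_NET_ADMIN))


if __name__ == '__main__':
    for label, fc in (('no xattr', NO_XATTR), ('empty xattr', EMPTY_XATTR)):
        eff, inh = ip_has_net_admin(fc)
        print(f'{label:12} effective={eff} inheritable={inh}')
```

With no xattr the ambient CAP_NET_ADMIN survives into the effective set; with the empty xattr present, ambient is cleared and ip ends up with inheritable=NET_ADMIN but effective=0, which is why an inheritable-only check passes while the operation still fails.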