On Fri, May 11, 2018 at 1:50 PM Mantas Mikulėnas <graw...@nullroute.eu.org> wrote:
> On Fri, May 11, 2018 at 1:02 PM Luca Boccassi <bl...@debian.org> wrote:
>
>> Hi,
>>
>> I've added a check to see if CAP_NET_ADMIN is set to INHERITABLE, which
>> is what happens when a program with ambient caps forks and execs ip,
>> but it is not set by the iproute2 package (for the vrf exec case).
>>
>> Before I send that upstream for comments, would you be up to test it
>> and see if it fixes your problems? I've tried with a simple program
>> that uses the ambient caps, but I don't use zerotier-one nor VirtualBox
>> so I'd like to be sure.
>>
>> Here's a built amd64 package for buster/sid:
>>
>> https://download.opensuse.org/repositories/home:/bluca/Debian_Next/amd64/iproute2_4.16.0-3~git1_amd64.deb
>>
>> Thanks!
>>
>> --
>> Kind regards,
>> Luca Boccassi
>
>
> Your patch seems to work, but there's also another problem: /sbin/ip has
> an empty (but present) security.capability xattr, which gets ANDed with
> effective capabilities on exec. In other words, ip starts with
> inheritable=NET_ADMIN but effective=0. (When debconf asked me about making
> ip setuid, I chose "No".)
>
> This is a bug in Debian's postinst – if $CAPS is empty, it should call
> `setcap -r /bin/ip` to remove the xattr, instead of setting it to an empty
> value.
>
> After installing your patched version *and* clearing the empty caps xattr,
> I verified that zerotier-one finally works correctly.
>

(For the record, it still works correctly if I choose "yes" and /sbin/ip has the file capabilities added.)

--
Mantas Mikulėnas
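The three observations in this thread (ambient caps survive an exec of an `ip` binary with no `security.capability` xattr, an empty but present xattr leaves `ip` with inheritable=NET_ADMIN but effective=0, and a real `+ep` file capability works too) all fall out of the transition rules that capabilities(7) documents for execve(). The following is an added example written for this page, not code from the thread, from iproute2 or from the Debian packaging: it models those rules in Python, parses the `Cap*` lines of a constructed `/proc/<pid>/status` snapshot of an ambient-capable parent, and replays the three situations. The class and function names, the sample status text and the scenario labels are all assumptions made here.

```python
"""Model of the capability sets a process has after execve(), following
the rules in capabilities(7). Constructed example; not iproute2 code."""
from dataclasses import dataclass
from typing import Dict, Optional

CAP_NET_ADMIN = 12                 # capability number from <linux/capability.h>
FULL_BOUNDING = (1 << 38) - 1      # CAP_LAST_CAP was 37 on 4.16-era kernels


@dataclass(frozen=True)
class ProcCaps:
    """One process's five capability sets, as bitmasks."""
    inheritable: int
    permitted: int
    effective: int
    bounding: int
    ambient: int


@dataclass(frozen=True)
class FileCaps:
    """What a security.capability xattr carries. Pass None for 'no xattr'.
    An xattr that exists with all-zero sets is the 'empty but present' case."""
    permitted: int = 0
    inheritable: int = 0
    effective_flag: bool = False   # VFS_CAP_FLAGS_EFFECTIVE


def caps_after_exec(p: ProcCaps, f: Optional[FileCaps], setuid: bool = False) -> ProcCaps:
    """Apply the capabilities(7) execve() transition.

    A file is 'privileged' if it has a security.capability xattr (even an
    empty one) or is set-UID/set-GID; executing a privileged file clears the
    ambient set. The remaining sets are computed from the documented formulas."""
    privileged = f is not None or setuid
    ambient = 0 if privileged else p.ambient
    f_inh = f.inheritable if f else 0
    f_perm = f.permitted if f else 0
    f_eff = f.effective_flag if f else False
    permitted = (p.inheritable & f_inh) | (f_perm & p.bounding) | ambient
    effective = permitted if f_eff else ambient
    return ProcCaps(inheritable=p.inheritable, permitted=permitted,
                    effective=effective, bounding=p.bounding, ambient=ambient)


def has_cap(mask: int, cap: int) -> bool:
    """True if capability number `cap` is set in the bitmask."""
    return bool((mask >> cap) & 1)


def parse_proc_status(text: str) -> ProcCaps:
    """Read the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of /proc/<pid>/status."""
    vals: Dict[str, int] = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            key, _, hexval = line.partition(":")
            vals[key.strip()] = int(hexval.strip(), 16)
    return ProcCaps(inheritable=vals["CapInh"], permitted=vals["CapPrm"],
                    effective=vals["CapEff"], bounding=vals["CapBnd"],
                    ambient=vals.get("CapAmb", 0))   # CapAmb absent on old kernels


# Constructed snapshot of a parent that raised CAP_NET_ADMIN (bit 12, 0x1000)
# into its ambient set, the way a daemon does before it forks and execs `ip`.
SAMPLE_STATUS = """\
CapInh:\t0000000000001000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000001000
"""


def scenarios() -> Dict[str, ProcCaps]:
    """The three states of /sbin/ip discussed in the thread, replayed."""
    parent = parse_proc_status(SAMPLE_STATUS)
    return {
        # `setcap -r`: no xattr at all, so the ambient set survives the exec.
        "no xattr": caps_after_exec(parent, None),
        # Empty but present xattr: file counts as privileged, ambient is
        # cleared, nothing else grants the cap, so effective ends up 0.
        "empty xattr": caps_after_exec(parent, FileCaps()),
        # The debconf "yes" choice: cap_net_admin+ep on the binary.
        "cap_net_admin+ep": caps_after_exec(
            parent, FileCaps(permitted=1 << CAP_NET_ADMIN, effective_flag=True)),
    }


if __name__ == "__main__":
    for name, caps in scenarios().items():
        print(f"{name:18} inheritable NET_ADMIN={has_cap(caps.inheritable, CAP_NET_ADMIN)} "
              f"effective NET_ADMIN={has_cap(caps.effective, CAP_NET_ADMIN)}")
```

Running it prints one line per scenario; only the "empty xattr" case ends with NET_ADMIN inheritable but not effective, which is the state the reply describes and why a postinst that sets an empty value instead of calling `setcap -r` breaks ambient-capability callers. The same `parse_proc_status` can be pointed at a real `/proc/<pid>/status` to check what a running `ip` actually received.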