Package: iputils-clockdiff
Version: 3:20240905-2
Severity: normal

Dear Maintainer,

Since 3:20240905-1, CAP_SYS_NICE is set on the clockdiff executable via `setcap cap_net_raw+ep $PROGRAM && setcap cap_sys_nice+ep $PROGRAM` in postinst. However, the latter overrides the former, making clockdiff lose the capability to create SOCK_RAW sockets.

    $ clockdiff 127.0.0.1
    clockdiff: socket: Operation not permitted
    $ sudo getcap /usr/bin/clockdiff
    /usr/bin/clockdiff cap_sys_nice=ep

This can be easily fixed by setting two capabilities at once in postinst:

    setcap 'cap_net_raw+ep cap_sys_nice+ep' $PROGRAM

Meanwhile, the NEWS entry of 3:20240905-2 said:

    [...] clockdiff are no longer installed with access to the CAP_NET_RAW linux capability, but instead use ICMP_PROTO datagram sockets for network communication. Access to these sockets is controlled by GID based on the net.ipv4.ping_group_range sysctl. [...] In normal installations, the linux-sysctl-defaults package [...] allowing unprivileged users to use these commands as expected.

This is not true. net.ipv4.ping_group_range has nothing to do with clockdiff, which always creates SOCK_RAW sockets, making CAP_NET_RAW mandatory for unprivileged users. Thus, the NEWS entry may also need to be corrected.

Thanks,
Rong
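The report above shows how a second setcap call silently replaces the first. As an added example (not code from the bug report or the iputils package), here is a small check that parses getcap(8) output and reports which required capabilities are missing, so a packaging test or post-install audit can catch this class of regression. The sample lines are constructed, modelled on the output quoted in the report; the older "path = caps+flags" getcap layout is handled too.

```python
#!/usr/bin/env python3
"""Verify that a binary's file capabilities contain every required capability.

Parses the text form printed by getcap(8), in both the newer
"/path cap_a,cap_b=ep" layout and the older "/path = cap_a,cap_b+ep" layout,
then reports required capabilities that are not both effective and permitted.
"""
import re

# Constructed sample lines, modelled on the bug report's getcap output.
BROKEN = "/usr/bin/clockdiff cap_sys_nice=ep"              # second setcap replaced the first
FIXED = "/usr/bin/clockdiff cap_net_raw,cap_sys_nice=ep"   # both caps set in one setcap call
OLD_STYLE = "/usr/bin/clockdiff = cap_net_raw,cap_sys_nice+ep"  # older getcap layout

# What clockdiff needs: raw sockets plus the nice/priority capability.
REQUIRED = {"cap_net_raw", "cap_sys_nice"}

def parse_getcap(line):
    """Return (path, {capability: set of flag letters}) for one getcap line."""
    path, _, caps = line.partition(" ")
    caps = caps.strip().lstrip("=").strip()
    result = {}
    # Clauses are space separated, e.g. "cap_net_raw,cap_sys_nice=ep cap_chown=p".
    for clause in caps.split():
        m = re.fullmatch(r"([a-z0-9_,]+)([=+-])([eip]*)", clause)
        if not m:
            raise ValueError(f"unrecognised capability clause: {clause!r}")
        names, op, flags = m.groups()
        for name in names.split(","):
            current = result.setdefault(name, set())
            if op == "=":          # '=' replaces the flag set for these caps
                current.clear()
                current.update(flags)
            elif op == "+":        # '+' adds flags
                current.update(flags)
            else:                  # '-' removes flags
                current.difference_update(flags)
    return path, result

def missing_caps(line, required=REQUIRED):
    """Names from `required` that are not both effective (e) and permitted (p)."""
    _, caps = parse_getcap(line)
    return sorted(c for c in required if not {"e", "p"} <= caps.get(c, set()))

if __name__ == "__main__":
    for sample in (BROKEN, FIXED, OLD_STYLE):
        print(sample, "->", "missing:", missing_caps(sample) or "none")
```

Feeding the real `getcap /usr/bin/clockdiff` line into `missing_caps` turns the report's symptom into an explicit "missing: ['cap_net_raw']" instead of a bare "Operation not permitted" at run time.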