On Mon, Mar 14, 2011 at 01:17:02PM +, Ben Hutchings wrote:
> No, I don't think there's a way to do that programmatically. You would
> just have to try capset and then chmod u+s.
instead of chmod, you would actually want something that checked/respected
dpkg-statoverride, rather than hard-codi
On Mon, Mar 14, 2011 at 2:17 PM, Ben Hutchings wrote:
> On Mon, 2011-03-14 at 09:17 +0100, Sebastian Harl wrote:
> [...]
>> > > Would it be fine to do that in postinst?
>> >
>> > It must be done in postinst, and you may need to fall back to setuid if
>> > the filesystem does not support setcap.
>>
Sebastian Harl writes:
> Imho, setting the file capability is a nicer approach than setting the
> setuid bit.
Do you know about any lurking bugs (in udev, dbus, etc?) that could
allow one to escalate CAP_NET_RAW to full root privileges in regular
squeeze installations?
On Mon, 2011-03-14 at 09:17 +0100, Sebastian Harl wrote:
[...]
> > > Would it be fine to do that in postinst?
> >
> > It must be done in postinst, and you may need to fall back to setuid if
> > the filesystem does not support setcap.
>
> Do you know of a way to find out if the filesystem supports
Hi,
On Sun, Mar 13, 2011 at 08:37:53PM +, Ben Hutchings wrote:
> On Sun, 2011-03-13 at 20:56 +0100, Sebastian Harl wrote:
> > the new upstream version of one of my packages tries to set the
> > CAP_NET_RAW (permission to use RAW and PACKET sockets) file capability
> > during "make install" (us
On Sun, Mar 13, 2011 at 08:24:16PM +, Emilio Pozuelo Monfort wrote:
> That's exactly what gnome-keyring from experimental does (for CAP_IPC_LOCK).
> You can have a look at its postinst.
wireshark-common also does that since 2010.
--
WBR, wRAR
On 13/03/11 19:56, Sebastian Harl wrote:
> Hi,
>
> the new upstream version of one of my packages tries to set the
> CAP_NET_RAW (permission to use RAW and PACKET sockets) file capability
> during "make install" (using setcap(8)). (The affected tool sends ICMP
> ECHO_REQUESTS ("pings"), thus needs
On Sun, 2011-03-13 at 20:56 +0100, Sebastian Harl wrote:
> Hi,
>
> the new upstream version of one of my packages tries to set the
> CAP_NET_RAW (permission to use RAW and PACKET sockets) file capability
> during "make install" (using setcap(8)). (The affected tool sends ICMP
> ECHO_REQUESTS ("pin
Hi,
the new upstream version of one of my packages tries to set the
CAP_NET_RAW (permission to use RAW and PACKET sockets) file capability
during "make install" (using setcap(8)). (The affected tool sends ICMP
ECHO_REQUESTS ("pings"), thus needs to open a RAW socket. Imho, setting
the file capabil