* Should the snippet use dpkg-statoverride instead of a chmod?
(If dpkg-statoverride is used, how will this interact with the next
bullet?)
* Should the snippet use $DPKG_ROOT for the CMD even though setcap
would presumably have to be run from the HOST system?
PS: I am also happy to receive suggestions for how to integrate this better with dpkg. My understanding though is that it will come with the dpkg manifest format, so I assumed the package helper just had to do some maintscript glue for now.
Hi Niels,
thanks for reaching out.
On Sat, Nov 18, 2023 at 05:13:44PM +0100, Niels Thykier wrote:
* Should the snippet use dpkg-statoverride instead of a chmod?
(If dpkg-statoverride is used, how will this interact with the next
bullet?)
I don't think dpkg-statoverride can do capabilities so we couldn't track
that anyway.
Also note that dpkg-statoverride needs a bit of attention
when it comes to /usr-merge (DEP17 P5) while the snippet will probably
just work.
* Should the snippet use $DPKG_ROOT for the CMD even though setcap
would presumably have to be run from the HOST system?
The commands should be used from the build system (i.e. without
DPKG_ROOT). We expect that if DPKG_ROOT is being used, it is being used
for all operations on the chroot and that packages are never upgraded
(i.e. we're always in a kind of bootstrap setting).
On the flip side, the paths to be operated on would benefit from being prefixed by DPKG_ROOT.
PS: I am also happy to receive suggestions for how to integrate this better >> with dpkg. My understanding though is that it will come with the dpkg
manifest format, so I assumed the package helper just had to do some
maintscript glue for now.
I also hope that we have more fundamental dpkg support for this before
too long.
Helmut
Hi,
I have seen the following pattern in multiple packages, where we use
`setcap` to replace a setuid (or setgid) mode with a capability. I think
it is about time that we get proper packaging helper support for it.
[...]
Best regards,
Niels
[...]
# Snippet source: debputy (translate-capabilities)
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ]; then
if command -v setcap > /dev/null; then
# Triggered by: packages.dh-debputy.transformations[0].path-metadata <Search for: /usr/bin/dh_debputy>
_TPATH=$(dpkg-divert --truename /usr/bin/dh_debputy)
if setcap cap_net_raw+ep "${DPKG_ROOT}${_TPATH}"; then
chmod a-s "${DPKG_ROOT}${_TPATH}"
echo "Successfully applied capabilities cap_net_raw+ep on ${_TPATH}"
else
echo "The setcap failed to processes cap_net_raw+ep on ${_TPATH}; falling back to no capability support" >&2
fi
unset _TPATH
else
echo "The setcap utility is not installed available; falling back to no capability support" >&2
fi
fi
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 300 |
Nodes: | 16 (2 / 14) |
Uptime: | 51:52:53 |
Calls: | 6,712 |
Calls today: | 5 |
Files: | 12,243 |
Messages: | 5,355,044 |
Posted today: | 1 |