Package: mmdebstrap
Version: 0.7.5-2
Severity: important

Hi,

/bin/ping (from iputils-ping) uses the security capabilities to allow users to use the program:

```
$ getcap /bin/ping
/bin/ping cap_net_raw=ep
```

When generating a squashfs image with mmdebstrap, these security capabilities are lost. Example for a minimal chroot on Debian unstable:

```
$ apt install -y bdebstrap mmdebstrap squashfs-tools-ng
$ mkdir -p ~/.ssh
$ touch ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ bdebstrap -c /usr/share/doc/bdebstrap/examples/Debian-buster-live.yaml --packages iputils-ping -n example2
[...]
W: tar2sqfs does not support extended attributes
[...]
$ rdsquashfs -x /bin/ping example2/root.squashfs
$
```

Adding `push @taropts, '--xattrs';` after the tar2sqfs warning line 5355 will produce a squashfs image that contains the security capabilities:

```
$ rdsquashfs -x /bin/ping example2/root.squashfs
security.capability=0x0100000200200000000000000000000000000000
```

This test was done on Debian unstable and Debian bullseye with mmdebstrap 0.7.5-2 and squashfs-tools-ng 1.0.4-1.

--
Benjamin Drung
Senior DevOps Engineer and Debian & Ubuntu Developer
Compute Platform Operations

1&1 IONOS SE | Greifswalder Str. 207 | 10405 Berlin | Germany
E-Mail: benjamin.dr...@ionos.com | Web: www.ionos.de

Head office: Montabaur, District Court Montabaur, HRB 24498
Management Board: Hüseyin Dogan, Dr. Martin Endreß, Claudia Frese, Henning Kettler, Arthur Mai, Matthias Steinberg, Achim Weiß
Chairman of the Supervisory Board: Markus Kadelke
Member of United Internet
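
Added example, not part of the original report and not mmdebstrap or squashfs-tools-ng code: a decoder for the `security.capability` value that `rdsquashfs -x` prints above, following the kernel's `struct vfs_cap_data` layout, so an image build can be checked for `cap_net_raw=ep` on /bin/ping. The function names `decode_file_caps` and `caps_from_rdsquashfs` are hypothetical, and the sample strings are the two outputs quoted in the report.

```python
import re
import struct

# Capability names from linux/capability.h; list index = capability number.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

EFFECTIVE_FLAG = 0x000001          # VFS_CAP_FLAGS_EFFECTIVE
# VFS_CAP_REVISION_n -> (number of 32-bit word pairs, total xattr size)
REVISIONS = {0x01000000: (1, 12), 0x02000000: (2, 20), 0x03000000: (2, 24)}


def _names(mask):
    return ["cap_" + (CAP_NAMES[b] if b < len(CAP_NAMES) else str(b))
            for b in range(mask.bit_length()) if mask >> b & 1]


def decode_file_caps(hex_value):
    """Decode a security.capability xattr (struct vfs_cap_data) given as hex."""
    text = hex_value.strip()
    raw = bytes.fromhex(text[2:] if text.lower().startswith("0x") else text)
    if len(raw) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", raw)  # little-endian magic_etc
    pairs, size = REVISIONS.get(magic & 0xFF000000, (0, 0))
    if not pairs or len(raw) != size:
        raise ValueError("unknown revision or wrong length")
    # Words alternate permitted/inheritable; the second pair holds bits 32-63.
    words = struct.unpack_from("<%dI" % (2 * pairs), raw, 4)
    permitted = sum(words[2 * i] << 32 * i for i in range(pairs))
    inheritable = sum(words[2 * i + 1] << 32 * i for i in range(pairs))
    return {"revision": magic >> 24, "effective": bool(magic & EFFECTIVE_FLAG),
            "permitted": _names(permitted), "inheritable": _names(inheritable)}


def caps_from_rdsquashfs(output):
    """Return decoded caps from `rdsquashfs -x` output, or None if absent."""
    m = re.search(r"^security\.capability=(0x[0-9a-fA-F]+)$", output, re.M)
    return decode_file_caps(m.group(1)) if m else None


# Values quoted in the report: fixed image, then the image without xattrs.
FIXED = "security.capability=0x0100000200200000000000000000000000000000\n"
print(caps_from_rdsquashfs(FIXED))
print(caps_from_rdsquashfs(""))
```

A `None` result corresponds to the empty `rdsquashfs -x` output of the image built without `--xattrs`, where a non-root user can no longer run ping.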