Hi,

the new upstream version of one of my packages tries to set the CAP_NET_RAW (permission to use RAW and PACKET sockets) file capability during "make install" (using setcap(8)). (The affected tool sends ICMP ECHO_REQUESTS ("pings"), thus needs to open a RAW socket. Imho, setting the file capability is a nicer approach than setting the setuid bit.)

Now, the question is: is it allowed to ship files having special capabilities set? I couldn't find anything in either the policy or the devref.

If the answer to that is "yes", how should the package handle that? Using setcap(8) requires root privileges, so it cannot be used in debian/rules. Would it be fine to do that in postinst?

TIA for any comments or pointers!

Cheers,
Sebastian

--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little
Temporary Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin