On 13/03/11 19:56, Sebastian Harl wrote: > Hi, > > the new upstream version of one of my packages tries to set the > CAP_NET_RAW (permission to use RAW and PACKET sockets) file capability > during "make install" (using setcap(8)). (The affected tool sends ICMP > ECHO_REQUESTS ("pings"), thus needs to open a RAW socket. Imho, setting > the file capability is a nicer approach than setting the setuid bit.) > > Now, the question is: is it allowed to ship files having special > capabilities set. I couldn't find anything neither in the policy nor in > the devref. If the answer to that is "yes", how should the package > handle that? Using setcap(8) requires root privileges, so it cannot be > used in debian/rules. Would it be fine to do that in postinst?
That's exactly what gnome-keyring from experimental does (for CAP_IPC_LOCK). You can have a look at its postinst. Cheers, Emilio -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4d7d27f0.7090...@debian.org