On 13/03/11 19:56, Sebastian Harl wrote:
> Hi,
>
> the new upstream version of one of my packages tries to set the
> CAP_NET_RAW (permission to use RAW and PACKET sockets) file capability
> during "make install" (using setcap(8)). (The affected tool sends ICMP
> ECHO_REQUESTS ("pings"), thus needs to open a RAW socket. Imho, setting
> the file capability is a nicer approach than setting the setuid bit.)
>
> Now, the question is: is it allowed to ship files having special
> capabilities set. I couldn't find anything neither in the policy nor in
> the devref. If the answer to that is "yes", how should the package
> handle that? Using setcap(8) requires root privileges, so it cannot be
> used in debian/rules. Would it be fine to do that in postinst?
That's exactly what gnome-keyring from experimental does (for CAP_IPC_LOCK). You
can have a look at its postinst.
Cheers,
Emilio
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4d7d27f0.7090...@debian.org
