Niels Thykier:
Hi,
I have seen the following pattern in multiple packages, where we use
`setcap` to replace a setuid (or setgid) mode with a capability. I think
it is about time that we get proper packaging helper support for it.
[...]
Best regards,
Niels
[...]
Hi
Thanks for the feedback so far. :)
I have ended up with the snippet below, which includes:
1) Use of `dpkg-divert --truename` to make the code work the same even
if the command has been diverted (seen in iputils-ping's setcap
script).
2) Use of `${DPKG_ROOT}` as suggested by Helmut.
    # Snippet source: debputy (translate-capabilities)
    if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ]; then
        if command -v setcap > /dev/null; then
            # Triggered by: packages.dh-debputy.transformations[0].path-metadata <Search for: /usr/bin/dh_debputy>
            _TPATH=$(dpkg-divert --truename /usr/bin/dh_debputy)
            if setcap cap_net_raw+ep "${DPKG_ROOT}${_TPATH}"; then
                chmod a-s "${DPKG_ROOT}${_TPATH}"
                echo "Successfully applied capabilities cap_net_raw+ep on ${_TPATH}"
            else
                echo "The setcap failed to processes cap_net_raw+ep on ${_TPATH}; falling back to no capability support" >&2
            fi
            unset _TPATH
        else
            echo "The setcap utility is not installed available; falling back to no capability support" >&2
        fi
    fi
The use of `/usr/bin/dh_debputy` and related capability was just a value
for the sake of testing the code.
Best regards,
Niels
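
A post-install check for the outcome of the snippet above, as an added example that is not part of the original mail or of debputy: it reports whether a binary ended up with the file capability, with the setuid/setgid fallback, with both, or with neither. The function name `priv_state` and the overridable `GETCAP` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not debputy code): classify which privilege mechanism a
# binary carries after a setcap-or-fallback postinst has run.
# GETCAP is an assumption of this example: it lets the check be exercised
# on a system where getcap (libcap2-bin) is not installed.
: "${GETCAP:=getcap}"

# Usage: priv_state PATH CAPNAME
# Prints exactly one of: capability | setid-fallback | both | none
priv_state() {
    _path=$1
    _want=$2    # capability name to look for, e.g. cap_net_raw
    _setid=no
    _cap=no
    # -u / -g test the setuid / setgid bits that "chmod a-s" clears.
    if [ -u "$_path" ] || [ -g "$_path" ]; then
        _setid=yes
    fi
    # getcap prints nothing for a file without file capabilities; matching
    # on the name alone covers both the "=ep" and "+ep" output styles.
    if command -v "$GETCAP" > /dev/null 2>&1 &&
       "$GETCAP" "$_path" 2> /dev/null | grep -q "$_want"; then
        _cap=yes
    fi
    case "$_cap/$_setid" in
        yes/no)  echo capability ;;       # setcap worked, set-id bit dropped
        no/yes)  echo setid-fallback ;;   # setcap missing or failed
        yes/yes) echo both ;;             # chmod a-s did not take effect
        *)       echo none ;;             # no elevated privilege at all
    esac
    unset _path _want _setid _cap
}
```

To match the snippet's path handling, pass `"${DPKG_ROOT}$(dpkg-divert --truename /path/to/binary)"` as PATH. A result of `both` or `none` is the state worth flagging.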