Hi.

On Thu, May 30, 2019 at 02:44:58AM +0000, Andy Smith wrote:
> So my question is, are installs done by debootstrap somehow losing
> the file capabilities? I ask because in this thread, one of the
> other people reporting a /bin/ping without the correct capabilities
> did their install through debootstrap.

Easy. You run debootstrap, set some --include options (which pull
libcap2-bin by dependency), and then you tar the whole resulting
filesystem. tar never understood file capabilities, so they are lost in
the process.

> If you've just done a debootstrap, what does getcap return for the
> /bin/ping that got installed?

I'm not Cindy (obviously), but I'm not lazy, so I just ran debootstrap a
couple of times.

debootstrap --variant=minbase does not install iputils-ping at all.
debootstrap (no --variant) does install iputils-ping, but does not
install libcap2-bin. Hence iputils-ping postinst script simply sets suid
bit on /bin/ping as postinst cannot locate setcap.

Reco
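
The two outcomes described in this message (the setuid fallback when setcap is not found, and capabilities gone after a copy that does not carry them) can be told apart with a small check on the target root. This is an added example, not part of the original e-mail; the function names `priv_mode` and `audit_ping` are made up for it.

```shell
#!/bin/sh
# Added example: report how ROOT/bin/ping gets its privilege.
# ROOT is the debootstrap target directory (defaults to /).

# priv_mode FILE -> prints capability | setuid | none | missing
priv_mode() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    # getcap ships in libcap2-bin and may be absent on the host too;
    # in that case only the setuid bit can be inspected.
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$f" 2>/dev/null) || caps=
        if [ -n "$caps" ]; then echo capability; return 0; fi
    fi
    if [ -u "$f" ]; then echo setuid; return 0; fi
    echo none
}

# audit_ping ROOT -> one-line verdict for ROOT/bin/ping
audit_ping() {
    root=${1%/}
    ping=$root/bin/ping
    case $(priv_mode "$ping") in
        capability)
            echo "$ping: file capability present" ;;
        setuid)
            echo "$ping: setuid bit, no file capability (postinst fallback when setcap is not found)" ;;
        none)
            echo "$ping: neither capability nor setuid bit (state left by a copy that dropped the capability)" ;;
        missing)
            echo "$ping: not installed (e.g. --variant=minbase)" ;;
    esac
}

audit_ping "${1:-/}"
```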