> FWIW This used to be the default inside the libcap build tree, but the
> problems with the container defaults (eventually fixed with
> https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq

Thanks for the links. For a moment I was worried that there was an issue with containers in general, but I see, this is an implementation issue with one container engine implementation. And... they rated the importance low?

> ) changed my position on this:
> https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=2b5f5635be6131d7e89b4c6244b29f32ebd163c1

Hm. Maybe this is the wrong place to discuss this. I started this comment intending to propose the opposite, but indeed if admins are expected to use pam to set pI per username, then perhaps it is best if they also have to set fI on each program they intend it to exist on, since otherwise they may not *really* be sure what they are handing the user...

Andrew, is it your intention to leave libcap's install without the fI? If so then we should either (1) deliberately override Andrew's decision during ubuntu packaging's postinst (which I don't think we should do), or (2) mark this bug Invalid rather than Incomplete.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libcap2 in Ubuntu.
https://bugs.launchpad.net/bugs/1700814

Title:
  Default capability of cap_setfcap+i should be set on setcap

Status in libcap2 package in Ubuntu:
  Incomplete

Bug description:
  If I grant a user (via pam_cap) cap_setfcap+i, I would then expect them to be able to use setcap without sudo. setcap is not provided with any default file capabilities however, so either the user has to sudo, or I have to grant the setfcap capability to setcap with setcap. In my mind, it would be reasonable to grant setfcap+i to setcap by default on installation.
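To make the capability arithmetic behind this report concrete, here is an added Python model (not libcap, pam_cap or Ubuntu code) of the execve() transformation rules from capabilities(7), run over the three situations the thread discusses: pam_cap alone, pam_cap plus fI on setcap, and fI on setcap for a user without pI. The toy bounding set, the scenario names, and the note that setcap raises its own effective bit are assumptions.

```python
from dataclasses import dataclass

CAP_SETFCAP = "cap_setfcap"
CAP_NET_BIND_SERVICE = "cap_net_bind_service"
# Toy stand-in for an unrestricted capability bounding set (constructed).
FULL_BOUNDING = frozenset({CAP_SETFCAP, CAP_NET_BIND_SERVICE})


@dataclass(frozen=True)
class ProcCaps:
    """Thread capability sets; ambient is left empty, as after a pam_cap login."""
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()
    effective: frozenset = frozenset()


@dataclass(frozen=True)
class FileCaps:
    """File capabilities as written by setcap: fP, fI and the single fE bit."""
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()
    effective: bool = False


def exec_caps(proc: ProcCaps, fcaps: FileCaps, bounding: frozenset = FULL_BOUNDING) -> ProcCaps:
    """Capability sets of the new program image after execve(), per capabilities(7):
    P'(perm) = (P(inh) & F(inh)) | (F(perm) & bounding); P'(eff) = F(eff) ? P'(perm) : 0.
    Set-user-ID-root and ambient handling are omitted; they do not apply here."""
    new_p = (proc.inheritable & fcaps.inheritable) | (fcaps.permitted & bounding)
    new_e = new_p if fcaps.effective else frozenset()
    return ProcCaps(permitted=new_p, inheritable=proc.inheritable, effective=new_e)


def setfcap_after_exec(user_pI: frozenset, setcap_file: FileCaps) -> bool:
    """True if CAP_SETFCAP lands in the permitted set of the exec'd setcap binary.
    Assumption: setcap is capability-aware and raises the effective bit itself via
    libcap, so the permitted set decides whether it can work without sudo."""
    login_shell = ProcCaps(inheritable=user_pI)  # pam_cap only populates pI
    return CAP_SETFCAP in exec_caps(login_shell, setcap_file).permitted


# The three situations discussed in the thread (constructed scenario values):
PAM_CAP_USER = frozenset({CAP_SETFCAP})                   # pam_cap: cap_setfcap+i
SETCAP_AS_SHIPPED = FileCaps()                            # no file caps on setcap
SETCAP_WITH_FI = FileCaps(inheritable=frozenset({CAP_SETFCAP}))  # setcap cap_setfcap+i setcap

if __name__ == "__main__":
    print("pam_cap only, setcap unmodified:", setfcap_after_exec(PAM_CAP_USER, SETCAP_AS_SHIPPED))
    print("pam_cap + fI on setcap         :", setfcap_after_exec(PAM_CAP_USER, SETCAP_WITH_FI))
    print("fI on setcap, user without pI  :", setfcap_after_exec(frozenset(), SETCAP_WITH_FI))
```

The third row is the point made in the reply above: fI on a binary hands out nothing by itself, so setting it per program makes explicit what a pam_cap pI grant actually reaches.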