Bug#898015: marked as done (iproute2: 'ip addr add' drops capabilities, breaking ZeroTier)

Debian Bug Tracking System Tue, 15 May 2018 02:34:09 -0700

Your message dated Tue, 15 May 2018 09:29:41 +0000
with message-id <[email protected]>
and subject line Bug#898015: fixed in iproute2 4.16.0-3
has caused the Debian Bug report #898015,
regarding iproute2: 'ip addr add' drops capabilities, breaking ZeroTier
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
898015: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898015
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: iproute2
Version: 4.16.0-2
Severity: normal

zerotier-one (a mesh-VPN program) calls `ip addr add` as non-root, but
with the necessary capabilities present (ambient, inheritable, and
effective).

However, the latest iproute2 version made `ip` drop all capabilities
unconditionally (except for `ip vrf exec`), so this no longer works --
ip receives "Operation not permitted" and ZeroTier becomes unable to
configure its tunnel interface, making the VPN completely unusable.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iproute2 depends on:
ii  debconf [debconf-2.0]  1.5.66
ii  libc6                  2.27-3
ii  libcap2                1:2.25-1.2
ii  libcap2-bin            1:2.25-1.2
ii  libdb5.3               5.3.28-13.1+b1
ii  libelf1                0.170-0.4
ii  libmnl0                1.0.4-2
ii  libselinux1            2.7-2+b2

Versions of packages iproute2 recommends:
pn  libatm1       <none>
ii  libxtables12  1.6.2-1

Versions of packages iproute2 suggests:
pn  iproute2-doc  <none>

-- Configuration Files:
/etc/iproute2/rt_tables changed [not included]

-- debconf information excluded

--- End Message ---

--- Begin Message ---

Source: iproute2
Source-Version: 4.16.0-3

We believe that the bug you reported is fixed in the latest version of
iproute2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luca Boccassi <[email protected]> (supplier of updated iproute2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 15 May 2018 09:46:01 +0100
Source: iproute2
Binary: iproute2 iproute2-doc
Architecture: source
Version: 4.16.0-3
Distribution: unstable
Urgency: medium
Maintainer: Alexander Wirt <[email protected]>
Changed-By: Luca Boccassi <[email protected]>
Description:
 iproute2   - networking and traffic control tools
 iproute2-doc - networking and traffic control tools - documentation
Closes: 898015 898164 898292
Changes:
 iproute2 (4.16.0-3) unstable; urgency=medium
 .
   * Add Russian translation for Debconf template. Thanks Lev Lamberov!
     (Closes: #898164)
   * Add Portuguese translation for Debconf template. Thanks Portuguese
     Translation Team!
     (Closes: #898292)
   * iproute2.postinst: use setcap -r instead of empty set.
     Thanks Mantas Mikulėnas!
   * Backport patch to avoid dropping caps if NET_ADMIN is inherited to
     avoid breaking applications that set ambient capabilities and then
     fork and exec ip.
     (Closes: #898015)
   * Re-enable pristine-tar (note: needs v1.43).
Checksums-Sha1:
 c93608d637fd493ce4d941717a7fe8d48285f580 1882 iproute2_4.16.0-3.dsc
 2af5becdecc356780a36c7abf57b61f66fb27c30 141424 iproute2_4.16.0-3.debian.tar.xz
 b1643e00b302ef59660ed25a53d043631c26f773 7031 
iproute2_4.16.0-3_source.buildinfo
Checksums-Sha256:
 767adaae58b549400452a69d1df80bcf0d218cde07a9924aba6f524d5043ed00 1882 
iproute2_4.16.0-3.dsc
 7f2295d4eb915225beae69cbbb96393fc9b861e8e12468d51025efcf0573f6ca 141424 
iproute2_4.16.0-3.debian.tar.xz
 f29959eac3354401c7d123454d1ac8c76dd65faae4bd611837603b9fff955eb9 7031 
iproute2_4.16.0-3_source.buildinfo
Files:
 67a04cbda1f91bed4ee5567ce1ab2a2a 1882 net optional iproute2_4.16.0-3.dsc
 a4a418a7b6d8d405f79c2bc80a04433c 141424 net optional 
iproute2_4.16.0-3.debian.tar.xz
 adbf80ef59bd123d85de2d3da7ed2d05 7031 net optional 
iproute2_4.16.0-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFFBAEBCgAvFiEE6g0RLAGYhL9yp9G8SylmgFB4UWIFAlr6n9YRHGJsdWNhQGRl
Ymlhbi5vcmcACgkQSylmgFB4UWJtNAf+N9RKF67NScf9/NIuan+Rj0nsVLPFySYe
UoZy8HSkH/TQscV5+BYRXfD24dGnmwkQwKJFnNUwYvd+KqUWprmArBttURE4Oy9v
rzWm3HIHTpAkV2+KQCoNK2UyJwu8WLG++2Cn2ZU5l8pYXtP84+Bc0hPY9zGrRgEP
LmbRMhhJovT6Vm7E9sUbTR4AcEuTZ/nZl77Skpsod+khppV8WYfYF8Qn+OALOfLg
9Y/T+hFmg/1cFgfHXvtkil6jIo/iL2uMimFYmBX0Ed0tWmQwsFB7UpvmRGQ4WW1M
E1kao9loBNjt/wb5wQyDQDxL0CU5V99CUp2pXNady88z2ktGnZNrHg==
=BfhK
-----END PGP SIGNATURE-----

--- End Message ---

Bug#898015: marked as done (iproute2: 'ip addr add' drops capabilities, breaking ZeroTier)

Reply via email to