Hi,

Sven-Haegar Koch wrote:
> On Fri, 21 Mar 2014, Axel Beckert wrote:
> > Sven-Haegar Koch wrote:
> > > On Fri, 21 Mar 2014, Axel Beckert wrote:
> > > > Am I right that you are installing this on a machine with an
> > > > individual kernel which doesn't support POSIX capabilities?
> > >
> > > Correct.

So setcap is installed but fails... We definitely need to catch that case.

> > Thanks. I wonder how to handle this case. I've looked into other
> > packages which should have the same problem to solve and how they
> > solved it.
>
> This is what iputils-ping uses in postinst:

Wireshark actually does more or less the same.

> if [ "$1" = configure ]; then
>     # If setcap is installed, try setting cap_net_raw+ep,
>     # which allows us to install our binaries without the setuid
>     # bit.
>     if command -v setcap > /dev/null; then
>         if setcap cap_net_raw+ep /bin/ping cap_net_raw+ep /bin/ping6; then
>             echo "Setcap worked! Ping(6) is not suid!"
>         else
>             echo "Setcap failed on /bin/ping, falling back to setuid" >&2
>             chmod u+s /bin/ping /bin/ping6
>         fi
>     else
>         echo "Setcap is not installed, falling back to setuid" >&2
>         chmod u+s /bin/ping /bin/ping6
>     fi
> fi

The main reason why I haven't copied this way yet is that it would
ignore and overwrite any statoverride set by a local admin.

Petter Reinholdtsen wrote:
> This issue also affects the autopkgtest check for debian-edu, where
> fping fails to install because the file system does not support
> capabilities. I am not sure what the file system used is, but jwilk on
> #debian-qa believes it is aufs, which when tested exposes this bug.

Thanks for the heads up.

> Any hope to have the issue fixed in unstable soon?

Would any of the following potential solutions be ok for you two:
* Check if capabilities are supported by first querying them. If
  querying fails, ignore any error happening when trying to set them.
  Bail out (installation fails) if querying worked, but setting
  failed.

* Check if capabilities are supported by first querying them. If
  querying fails, don't try to set them at all and emit a warning.

* Don't bail out if setcap fails, just emit a warning. (Easiest, but
  may trigger further, possibly invalid bug reports. Will likely add a
  bug-script checking the capabilities states in that case.)

Regards, Axel
--
,''`. | Axel Beckert <[email protected]>, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
`- | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
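
Added example, not part of the original message and not code from any Debian package: a postinst helper sketching the "query first" approach discussed above, which skips setting when querying fails, bails out only when querying worked but setting failed, and leaves a local admin's statoverride untouched. The function name, the result words, and the assumption that an unsupported kernel or file system shows up as a non-zero exit or stderr output from the query are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): postinst helper that grants
# cap_net_raw+ep only when file capabilities can actually be queried.
# Tool names are variables so the logic can be exercised with stubs.
: "${GETCAP:=getcap}" "${SETCAP:=setcap}" "${STATOVERRIDE:=dpkg-statoverride}"

# set_net_raw FILE
# Prints one word: override | unsupported | setcap | failed
# Returns non-zero only for "failed" (query worked, setting did not).
set_net_raw() {
    file=$1

    # A statoverride set by the local admin wins: change nothing.
    if $STATOVERRIDE --list "$file" >/dev/null 2>&1; then
        echo override
        return 0
    fi

    # Query first. Assumption: an unsupported kernel or file system
    # shows up as a missing tool, a non-zero exit, or text on stderr.
    err=missing
    if command -v "$SETCAP" >/dev/null 2>&1; then
        err=$($GETCAP "$file" 2>&1 >/dev/null) || err=${err:-failed}
    fi
    if [ -n "$err" ]; then
        echo "warning: cannot query capabilities of $file, not setting them" >&2
        echo unsupported
        return 0
    fi

    # Querying worked, so a failure here is a real error.
    if $SETCAP cap_net_raw+ep "$file"; then
        echo setcap
        return 0
    fi
    echo "error: setcap failed on $file although querying worked" >&2
    echo failed
    return 1
}
```

Called from a postinst running under `set -e`, a "failed" result aborts the installation, while "override" and "unsupported" let it continue.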