Package: slim
Severity: wishlist
Version: 1.4.1-2

A recent version of slim installs a systemd.service with a limited
capability bounding set:

    CapabilityBoundingSet=~CAP_SYS_PTRACE

In other words, it removes the CAP_SYS_PTRACE capability, which as a
result breaks some root operations when a user runs su in a terminal
emulator, e.g. I was not able to run lxc-ls -f or lxc-info to get the
(autostarted) containers' IPs. Another example is the hidepid option for
proc, which was applied to root (via su) too. And it doesn't matter
whether su is run with or without the -l option.

It is not a big problem to override that, but it took a long time until I
found what caused these problems...

I am not sure if that is good or wrong, nor if it is an expected or
unexpected setting, but I am sure that it is unexpected behavior, thus
IMO it is at least worth mentioning in NEWS, to inform admins on upgrade.

BTW, to restore the full bounding set, one can add to an override:

    CapabilityBoundingSet=~

regards

-- 
Slavko
https://www.slavino.sk
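
Added example, not part of the original report: a process inherits its capability bounding set from its parent, so a root shell started with su under the display manager carries the unit's restriction, and the `CapBnd` line in `/proc/PID/status` shows it. The sketch below decodes that mask and names the capabilities it lacks; the function names `missing_caps` and `capbnd_of` are hypothetical, and the bit order is the one in `linux/capability.h`.

```shell
#!/bin/sh
# Capability names by bit number, in the order of linux/capability.h (bits 0..40).
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON
BPF CHECKPOINT_RESTORE"

# missing_caps HEXMASK [LAST_CAP]
# Print the capabilities (bits 0..LAST_CAP) that are NOT set in HEXMASK.
# LAST_CAP defaults to 40; pass the kernel's cap_last_cap on older kernels.
missing_caps() {
    mask=$((0x$1)); last=${2:-40}; bit=0; out=""
    for name in $CAP_NAMES; do
        if [ "$bit" -gt "$last" ]; then break; fi
        if [ $(( (mask >> bit) & 1 )) -eq 0 ]; then
            out="${out:+$out }CAP_$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# capbnd_of PID: print the CapBnd hex mask from /proc/PID/status.
capbnd_of() {
    awk '/^CapBnd:/ { print $2 }' "/proc/$1/status"
}

# With PIDs as arguments, report what each process's bounding set lacks.
for pid in "$@"; do
    last=$(cat /proc/sys/kernel/cap_last_cap)
    printf '%s: missing %s\n' "$pid" "$(missing_caps "$(capbnd_of "$pid")" "$last")"
done
```

Saved under a name such as `capcheck.sh` (hypothetical), running `sh capcheck.sh $$` in the su shell lists what that shell's bounding set is missing.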
