On Tue, May 06, 2014 at 02:58:34PM +0200, Thomas Lange wrote:
> >>>>> On Tue, 6 May 2014 14:21:35 +0200, Marcus Karlsson <m...@acc.umu.se> said:
>
> > unable to use the ping program. It turns out that Ubuntu nowadays (at
> > least 14.04) doesn't use setuid for ping and relies on file-based
> > capabilities instead. But this is not preserved during the installation.
>
> > Has anyone else run into this, or has any ideas on what we can do to
> > solve it? Reinstalling the package fixes it but we would like to avoid
> > that if possible.
>
> Can you have a look at the postinst script of the package which you
> have reinstalled (I guess the package that contains the ping
> executable). What do they do inside this script to set the
> capabilities?
    if [ "$1" = configure ]; then
        # If we have setcap is installed, try setting cap_net_raw+ep,
        # which allows us to install our binaries without the setuid
        # bit.
        if command -v setcap > /dev/null; then
            if setcap cap_net_raw+ep /bin/ping cap_net_raw+ep /bin/ping6; then
                echo "Setcap worked! Ping(6) is not suid!"
            else
                echo "Setcap failed on /bin/ping, falling back to setuid" >&2
                chmod u+s /bin/ping /bin/ping6
            fi
        else
            echo "Setcap is not installed, falling back to setuid" >&2
            chmod u+s /bin/ping /bin/ping6
        fi
    fi

Looks like they simply attempt to invoke setcap and fall back to setting
the suid bit if it fails or is unavailable.

> Maybe we only need to add the libcap2 package into FAI?

I'm not sure if that will help. iputils-ping is installed as part of
base.tar.xz so that would be where the capabilities are dropped. GNU Tar
does not support capabilities as far as I know, although Fedora is
working on local patches for it [1]. A solution could be to use a
modified version of tar when creating and extracting it.

Marcus

[1] https://bugzilla.redhat.com/show_bug.cgi?id=771927
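The following script is an added example for readers of this thread; it is not part of the FAI project, of the iputils-ping postinst quoted above, or of anything Marcus or Thomas wrote. It shows how to verify after extracting base.tar.xz whether the cap_net_raw+ep file capability actually survived, and how to reapply it using the same setcap-then-setuid fallback order as the postinst. It assumes the getcap/setcap tools from libcap are installed and, for the repair step, that it runs as root; the getcap output lines in the comments are constructed samples of the two formats libcap has used, not output captured from any particular system.

```sh
#!/bin/sh
# check-ping-caps.sh: verify that ping's file capability survived extraction
# and reapply it if not. Usage: sh check-ping-caps.sh /bin/ping /bin/ping6
# (Example code for the FAI ping discussion, not from FAI or iputils.)

# Report (exit 0) whether one line of getcap output grants the wanted
# capability in both the effective and permitted sets. Both formats that
# libcap has printed are accepted (constructed samples):
#   old:   "/bin/ping = cap_net_raw+ep"        (libcap before 2.41)
#   new:   "/bin/ping cap_net_raw=ep"          (libcap 2.41 and later)
# A single capability clause is assumed, which is all ping ever carries;
# paths containing blanks are not handled.
cap_line_has() {
    line=$1
    want=$2
    # Drop the path (everything up to the first blank), then the " = "
    # separator that only the old format prints.
    clause=${line#* }
    clause=${clause#= }
    # The comma-separated capability list precedes the first '+' or '=';
    # the flag letters (e, i, p) follow it.
    caps=$(printf '%s' "$clause" | sed 's/[+=].*//')
    flags=$(printf '%s' "$clause" | sed 's/^[^+=]*[+=]//')
    case ",$caps," in
        *",$want,"*) ;;
        *) return 1 ;;
    esac
    # Without 'e' the kernel never raises the capability at exec time;
    # without 'p' ping could not keep it. Both are required for a raw socket.
    case $flags in *e*) ;; *) return 1 ;; esac
    case $flags in *p*) ;; *) return 1 ;; esac
    return 0
}

# Check one binary and repair it in the same order the iputils-ping postinst
# uses: prefer a file capability, fall back to the setuid bit.
ensure_ping_cap() {
    bin=$1
    if cap_line_has "$(getcap "$bin" 2>/dev/null)" cap_net_raw; then
        echo "$bin: cap_net_raw+ep present"
        return 0
    fi
    if command -v setcap >/dev/null 2>&1 && setcap cap_net_raw+ep "$bin"; then
        echo "$bin: cap_net_raw+ep reapplied"
    else
        echo "$bin: setcap unavailable or failed, falling back to setuid" >&2
        chmod u+s "$bin"
    fi
}

# Only act when binaries are named on the command line, so the file can also
# be sourced for its functions without touching the system.
if [ $# -gt 0 ]; then
    for bin; do
        ensure_ping_cap "$bin"
    done
fi
```

Run it as root after the base archive has been unpacked, for example with `sh check-ping-caps.sh /bin/ping /bin/ping6`. Note, outside what the thread itself states: the capability lives in the `security.capability` extended attribute, and GNU tar from 1.27 onwards (released after the Fedora bug referenced above) can carry it if both `tar -c` and `tar -x` are given `--xattrs --xattrs-include=security.capability`; a tar built without that support, or invoked without those options, silently drops the attribute and leaves a ping that is neither setuid nor capable.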