Hi Heinrich,

as you might know - you haven't asked to make it a setuid binary by default as most others, so I assume you do know - we do not want to make it setuid enabled by default for security concerns. We want it to be an admin's choice to change it willingly as it opens a potential risk.

But you are absolutely right that it is quite uncomfortable to lose that setting after every related package upgrade. I think there are two ways here:

- One is to create a fine mechanic in preinst to detect if setuid was set and in postinst to re-set it if it was done so. But we have all seen such things: it works fine until an edge case comes around, and then it gets messy for more users (remember that this use case is the rather uncommon one).
- The alternative is to show how a sysadmin would apply such changes to persist throughout package updates.

I think unless convinced otherwise I'm going for the latter here.

If not for permissions one would think of https://www.debian.org/doc/debian-policy/ap-pkg-diversions.html as the Debian/Ubuntu way to keep local modifications. An alternative might be to make it a conffile in the packaging, but the conffile changed prompt on no-content-but-permission change is not helpful.

Therefore I think the best approach to this is to set a DPKG hook to fix up the permission after upgrade. AFAIK it can't filter but the operation here is lightweight, so the following works for me in my experiments:

  $ cat /etc/apt/apt.conf.d/99setuid-qemu-bridge-helper.conf
  DPkg::Post-Invoke { "chmod u+s /usr/lib/qemu/qemu-bridge-helper"; };

  root@p:~# apt install --reinstall qemu-system-common
  ...
  root@p:~# ll /usr/lib/qemu/qemu-bridge-helper
  -rwsr-xr-x 1 root root 830712 Apr 9 07:59 /usr/lib/qemu/qemu-bridge-helper*

Now the bit is and stays set after an upgrade.

With sufficient argument I could be convinced to consider an in-package solution, but I do not want to make using less secure options more comfortable. For now with the workaround provided I consider this Won't Fix.

P.S. why cap_net_admin fails you I do not know and haven't seen any other report :-/ If you drill down into that let us know.

P.P.S. I've thought about adding info on this to the server guide, but we do not speak about qemu-bridge-helper at all (to not give focus to a not too recommended way). And adding a whole page saying "you best do not use it" to then say "if you do, this is the admittedly odd way to retain the setuid" felt wrong.

Sorry, you might have realized that I'm unhappy about this, I want to help more but feel if I do I'll make it worse :-/

** Changed in: qemu (Ubuntu)
       Status: New => Won't Fix

https://bugs.launchpad.net/bugs/2107611

Title:
  Keep chmod u+s /usr/lib/qemu/qemu-bridge-helper
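An added example, not part of the bug comment or of the qemu packaging: a guarded script that the Post-Invoke hook shown above could call instead of a bare chmod, so the bit is only re-applied to a regular, correctly owned, non-writable file and a removed package does not break the apt run. The script path /usr/local/sbin/reapply-setuid, the function name and the return codes are assumptions of this example, and `stat -c` / `find -perm /` assume GNU tools as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the bug comment or the qemu package.
# Assumed install path (hypothetical): /usr/local/sbin/reapply-setuid
# Assumed hook line, replacing the bare chmod in the apt.conf.d file:
#   DPkg::Post-Invoke { "/usr/local/sbin/reapply-setuid /usr/lib/qemu/qemu-bridge-helper || true"; };
# "|| true" keeps a refused check from failing the whole apt run.

# reapply_setuid PATH [OWNER_UID]
#   0  setuid bit is set on PATH (already, or newly applied)
#   1  no regular file at PATH (e.g. package removed): nothing to do
#   2  refused: symlink, unexpected owner, group/world-writable, chmod error
reapply_setuid() {
    target=$1
    want_uid=${2:-0}    # expected owner; root unless overridden

    # chmod follows symlinks, so never operate on one.
    if [ -L "$target" ]; then
        echo "reapply-setuid: $target is a symlink, refusing" >&2
        return 2
    fi
    [ -f "$target" ] || return 1

    # GNU stat assumed (Ubuntu coreutils).
    owner=$(stat -c %u "$target") || return 2
    if [ "$owner" != "$want_uid" ]; then
        echo "reapply-setuid: $target is owned by uid $owner, refusing" >&2
        return 2
    fi

    # A setuid file that group or others can rewrite must not get the bit.
    if [ -n "$(find "$target" -maxdepth 0 -perm /022)" ]; then
        echo "reapply-setuid: $target is group/world-writable, refusing" >&2
        return 2
    fi

    # Post-Invoke fires after every dpkg run; do nothing if the bit is there.
    [ -u "$target" ] && return 0
    chmod u+s "$target" || return 2
    return 0
}

# Run only when given a path, as in the hook line above.
if [ "$#" -gt 0 ]; then
    reapply_setuid "$1"
fi
```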