[Pkg-cacti-maint] Bug#904332: Enable Linux capabilities support

Sven Hartge sven at svenhartge.de
Tue Jul 24 16:14:44 BST 2018


At 14:32 on 24.07.18, Paul Gevers wrote:
> On 23-07-18 13:31, Sven Hartge wrote:

>> This is useful so one can use the "ICMP Ping" uptime checker in spine
>> without needing to set spine setuid-root, just cap_net_raw is enough to
>> get this working.
 
> Sounds cool. I have zero knowledge of Linux capabilities though. Could
> you provide a link to some good (for the noob) documentation on this?

As "usual" with core concepts in Linux, the documentation is a bit sparse.
A good starting point is capabilities(7).

TL;DR: capabilities allow non-privileged programs to do stuff normally only
root is allowed to do, for example use raw sockets or bind to ports <1024,
etc.

>> Currently this is not enabled because libcap-dev is missing as
>> build-dependency.
> 
> Is that all that's needed?

For spine? Yes. When libcap-dev is present and "--enable-lcap" is passed
to configure, it will enable it.

Beware: libcap is a Linux-only thing, kFreeBSD/Hurd would need special handling, like:

ifeq ($(DEB_HOST_ARCH_OS),linux)
CONF_LCAP        += --enable-lcap
endif

override_dh_auto_configure::
        ./configure --host=$(DEB_HOST_GNU_TYPE) \
                       --build=$(DEB_BUILD_GNU_TYPE) \
                       --prefix=/usr \
                       --bindir=/usr/sbin \
                       $(CONF_LCAP) \
                       $(shell dpkg-buildflags --export=configure)

>> An additional dependency on libcap2-bin is necessary to allow "setcap
>> cap_net_raw+ep /usr/sbin/spine" to work in postinst.
> 
> Can you elaborate? I guess you mean the binary package needs that
> dependency manually added by me. And I guess that I should add some code
> to the postinst. Where should it go (or doesn't it matter)? Any
> drawbacks of doing this for all systems?

"libcap2-bin [linux-any]" has to be added manually, either as a hard Depends: or
Recommends:, there is no fancy debhelper automatism doing this.

iputils-ping does the latter and then checks in its postinst if setcap is
available:

,----
| if [ "$1" = configure ]; then
|     # If we have setcap is installed, try setting cap_net_raw+ep,
|     # which allows us to install our binaries without the setuid
|     # bit.
|     if command -v setcap > /dev/null; then
|         if setcap cap_net_raw+ep /bin/ping; then
|             chmod u-s /bin/ping
|         else
|             echo "Setcap failed on /bin/ping, falling back to setuid" >&2
|             chmod u+s /bin/ping
|         fi
|     else
|         echo "Setcap is not installed, falling back to setuid" >&2
|         chmod u+s /bin/ping
|     fi
| fi
`----

This approach would also work without changes for the !Linux archs out
there, if you decide to use a hard "Depends:".

You can of course skip the "chmod u+s" part, then without setcap present
spine would behave just like it does today.

I have built a local test-package without the postinst code to test if the
capabilities support for spine works as designed and confirm it working
correctly after manually setting cap_net_raw+ep.

Regards,
Sven.
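
As an added example (not part of the message above or of the cacti-spine packaging): a small shell audit for the end state the thread is after, /usr/sbin/spine carrying cap_net_raw+ep and no setuid bit. The function names and result strings are invented for this example; the two getcap line formats are the ones printed by older and newer libcap releases.

```shell
#!/bin/sh
# Added example: report how a binary obtains its raw-socket privilege.
# /usr/sbin/spine is the path named in the thread; all other names are hypothetical.

# caps_from_getcap LINE FILE -> capability string with the file name stripped.
# Accepts both getcap output styles: "FILE = caps" and "FILE caps".
caps_from_getcap() {
    rest=${1#"$2"}      # drop the leading file name
    rest=${rest# }      # drop the separating space
    rest=${rest#= }     # drop the "= " printed by older libcap
    printf '%s\n' "$rest"
}

# only_net_raw CAPS -> succeeds only if CAPS is cap_net_raw (effective+permitted)
# and nothing else, i.e. the least privilege needed for ICMP ping.
only_net_raw() {
    case $1 in
        cap_net_raw+ep|cap_net_raw=ep) return 0 ;;
        *) return 1 ;;
    esac
}

# priv_mode FILE -> missing | setuid | unknown | none | filecap-ok | filecap-other:<caps>
priv_mode() {
    [ -e "$1" ] || { echo missing; return 0; }
    # A setuid bit means the binary still runs with the owner's full privileges.
    [ -u "$1" ] && { echo setuid; return 0; }
    # Without libcap2-bin (or with /sbin missing from PATH) we cannot tell.
    command -v getcap >/dev/null 2>&1 || { echo unknown; return 0; }
    line=$(getcap "$1" 2>/dev/null) || line=
    [ -n "$line" ] || { echo none; return 0; }
    caps=$(caps_from_getcap "$line" "$1")
    if only_net_raw "$caps"; then
        echo filecap-ok
    else
        echo "filecap-other:$caps"
    fi
}

priv_mode "${1:-/usr/sbin/spine}"
```
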
