[Pkg-cacti-maint] Bug#904332: Enable Linux capabilities support
Sven Hartge
sven at svenhartge.de
Tue Jul 24 16:14:44 BST 2018
At 14:32 on 24.07.18, Paul Gevers wrote:
> On 23-07-18 13:31, Sven Hartge wrote:
>> This is useful so one can use the "ICMP Ping" uptime checker in spine
>> without needing to set spine setuid-root, just cap_net_raw is enough to
>> get this working.
> Sounds cool. I have zero knowledge of Linux capabilities though. Could
> you provide a link to some good (for the noob) documentation on this?
As "usual" with core concepts in Linux, the documentation is a bit sparse.
A good starting point is capabilities(7).
TL;DR: capabilities allow non-privileged programs to do stuff normally only
root is allowed to do, for example use raw sockets or bind to ports <1024,
etc.
>> Currently this is not enabled because libcap-dev is missing as
>> build-dependency.
>
> Is that all that's needed?
For spine? Yes. When libcap-dev is present and "--enable-lcap" is passed
to configure, it will enable it.
Beware: libcap is a Linux-only thing, kFreeBSD/Hurd would need special handling, like:
ifeq ($(DEB_HOST_ARCH_OS),linux)
  CONF_LCAP += --enable-lcap
endif

override_dh_auto_configure::
	./configure --host=$(DEB_HOST_GNU_TYPE) \
	    --build=$(DEB_BUILD_GNU_TYPE) \
	    --prefix=/usr \
	    --bindir=/usr/sbin \
	    $(CONF_LCAP) \
	    $(shell dpkg-buildflags --export=configure)
>> An additional dependency on libcap2-bin is necessary to allow "setcap
>> cap_net_raw+ep /usr/sbin/spine" to work in postinst.
>
> Can you elaborate? I guess you mean the binary package needs that
> dependency manually added by me. And I guess that I should add some code
> to the postinst. Where should it go (or doesn't it matter)? Any
> drawbacks of doing this for all systems?
"libcap2-bin [linux-any]" has to be added manually, either as a hard Depends: or
Recommends:; there is no fancy debhelper automatism doing this.
iputils-ping does the latter and then checks in its postinst if setcap is
available:
,----
| if [ "$1" = configure ]; then
|     # If we have setcap is installed, try setting cap_net_raw+ep,
|     # which allows us to install our binaries without the setuid
|     # bit.
|     if command -v setcap > /dev/null; then
|         if setcap cap_net_raw+ep /bin/ping; then
|             chmod u-s /bin/ping
|         else
|             echo "Setcap failed on /bin/ping, falling back to setuid" >&2
|             chmod u+s /bin/ping
|         fi
|     else
|         echo "Setcap is not installed, falling back to setuid" >&2
|         chmod u+s /bin/ping
|     fi
| fi
`----
This approach would also work without changes for the !Linux archs out
there, if you decide to use a hard "Depends:".
You can of course skip the "chmod u+s" part, then without setcap present
spine would behave just like it does today.
I have built a local test-package without the postinst code to test if the
capabilities support for spine works as designed and confirmed it working
correctly after manually setting cap_net_raw+ep.
Regards,
Sven.
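As an added example (not the iputils-ping postinst quoted above and not cacti's or spine's own maintainer script), the script below generalises the cap-or-setuid decision into a policy function that can be exercised without root, applies it to a binary, and adds the verification step a maintainer would want afterwards: confirming via getcap and the mode bits that the binary ended up with the capability and not with a leftover setuid bit. The function names, the optional "fallback to setuid" switch and the reported modes ("cap", "setuid", "both", "none") are assumptions of this example.

```shell
#!/bin/sh
# Added example: cap_net_raw+ep with an optional setuid fallback, plus a check
# of the resulting state. Function names and the fallback switch are assumptions.

# Pure decision function, so the policy can be tested as a non-root user.
#   $1: "yes"/"no"  setcap is installed
#   $2: exit status of setcap (ignored when $1 = no)
#   $3: "yes"/"no"  fall back to setuid when the capability cannot be set
privilege_mode() {
    if [ "$1" = yes ] && [ "$2" -eq 0 ]; then
        echo cap
    elif [ "$3" = yes ]; then
        echo setuid
    else
        echo none
    fi
}

# Apply the decided mode to binary $1 ($2 = "yes" enables the setuid fallback).
# This part needs root and a real filesystem with xattr support.
apply_privilege() {
    bin=$1
    fallback=${2:-no}
    if command -v setcap >/dev/null 2>&1; then
        have=yes
        if setcap cap_net_raw+ep "$bin" 2>/dev/null; then rc=0; else rc=1; fi
    else
        have=no
        rc=1
    fi
    mode=$(privilege_mode "$have" "$rc" "$fallback")
    case $mode in
        cap)
            chmod u-s "$bin" ;;            # the capability makes setuid redundant
        setuid)
            echo "setcap unavailable or failed on $bin, falling back to setuid" >&2
            chmod u+s "$bin" ;;
        none)
            echo "setcap unavailable or failed on $bin, no extra privilege granted" >&2
            chmod u-s "$bin" ;;
    esac
    echo "$mode"
}

# Report what binary $1 currently carries: "cap", "setuid", "both" or "none".
# "both" is the state to avoid: setuid-root alongside a sufficient capability.
# getcap output differs between libcap versions ("= cap_net_raw+ep" vs
# "cap_net_raw=ep"), so only the capability name is matched.
current_privilege() {
    bin=$1
    caps=$(getcap "$bin" 2>/dev/null || true)
    case $caps in
        *cap_net_raw*) hascap=yes ;;
        *)             hascap=no ;;
    esac
    # 4th character of the mode string is 's' or 'S' when setuid is set.
    case $(ls -ld "$bin" 2>/dev/null | cut -c4) in
        s|S) suid=yes ;;
        *)   suid=no ;;
    esac
    if [ "$hascap" = yes ] && [ "$suid" = yes ]; then echo both
    elif [ "$hascap" = yes ]; then echo cap
    elif [ "$suid" = yes ]; then echo setuid
    else echo none
    fi
}

# Usage as root, e.g. from a maintainer script (placeholder path):
#   apply_privilege /usr/sbin/spine no
#   current_privilege /usr/sbin/spine
```

Calling apply_privilege with the fallback switched off reproduces the behaviour suggested in the mail for spine: without setcap the binary simply keeps running unprivileged, as it does today. current_privilege is the post-install sanity check; a "both" result means an earlier setuid install was never cleaned up and the capability is not actually what grants the raw socket.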