[lxc-users] setcap capabilities
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Feb 29 20:24:44 UTC 2016
Quoting Mark Constable (markc at renta.net):
> FWIW another package that requires setcap. This is the first one I've seen
> that falls back to setuid OOTB.
>
> Setting up mtr-tiny (0.86-1) ...
> Failed to set capabilities on file `/usr/bin/mtr' (Invalid argument)
> The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
> Setcap failed on /usr/bin/mtr, falling back to setuid
Nice. Although, looking at the package, in the setuid-root case
it pre-opens network then setuids to the caller's uid. But in
the file capabilities case it does the same thing - but setuid
in that case won't do anything (because it's not switching gid
or uid to/from root) and so won't drop the cap_net_raw capability.
Ideally it would drop those by hand when it knows how to.
More information about the lxc-users
mailing list