Default capability of cap_setfcap+i should be set on setcap
Bug #1700814 reported by Matthew Walker
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libcap2 (Ubuntu) | Expired | Undecided | Unassigned | |
Bug Description
If I grant a user (via pam_cap) cap_setfcap+i, I would then expect them to be able to use setcap without sudo. setcap is not provided with any default file capabilities however, so either the user has to sudo, or I have to grant the setfcap capability to setcap with setcap.
In my mind, it would be reasonable to grant setfcap+i to setcap by default on installation.
Changed in libcap2 (Ubuntu):
assignee: Serge Hallyn (serge-hallyn) → Balint Reczey (rbalint)
Changed in libcap2 (Ubuntu):
assignee: Balint Reczey (rbalint) → nobody
tags: added: foundations-triage-discuss
Indeed it should be reasonable to do so. Note that there are cases, including unprivileged containers, where file capabilities cannot be set, so the packaging would have to gracefully handle (i.e. ignore) that failure rather than fail the package install.
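A sketch of the graceful handling described in the comment above, added here as an example and not taken from the libcap2 packaging. The function name `try_grant_setfcap` and its two arguments are hypothetical; the setcap command is passed in as an argument so the failure path can be exercised with a stub.

```shell
#!/bin/sh
# Added illustration (not libcap2's maintainer script).
# try_grant_setfcap SETCAP_CMD TARGET   (hypothetical helper)
#
# Tries to add cap_setfcap to TARGET's inheritable file capability set.
# Setting file capabilities can fail, for example in an unprivileged
# container, so every outcome returns 0: the caller (a package install
# step) must not abort because the grant was refused.
# Prints one status line: "granted", "ignored: <reason>" or "skipped: <reason>".
try_grant_setfcap() {
    setcap_cmd=$1
    target=$2

    # No setcap available at all: nothing to do.
    if ! command -v "$setcap_cmd" >/dev/null 2>&1; then
        echo "skipped: $setcap_cmd not found"
        return 0
    fi

    # Capture the error text so it can be logged instead of aborting.
    if err=$("$setcap_cmd" cap_setfcap+i "$target" 2>&1); then
        echo "granted"
    else
        echo "ignored: ${err:-setcap failed}"
    fi
    return 0
}

# Assumed call site in a post-install step, granting the capability to the
# setcap binary itself as the bug report proposes:
#   setcap_path=$(command -v setcap) && try_grant_setfcap "$setcap_path" "$setcap_path"
```

The grant only places cap_setfcap in the file's inheritable set, so it has effect only for users who already hold cap_setfcap in their own inheritable set (for example via pam_cap, as in the report).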