Ubuntu
libcap2 package

Default capability of cap_setfcap+i should be set on setcap

Bug #1700814 reported by Matthew Walker
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libcap2 (Ubuntu)
Expired
Undecided
Unassigned

Bug Description

If I grant a user (via pam_cap) cap_setfcap+i, I would then expect them to be able to use setcap without sudo. setcap is not provided with any default file capabilities however, so either the user has to sudo, or I have to grant the setfcap capability to setcap with setcap.

In my mind, it would be reasonable to grant setfcap+i to setcap by default on installation.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Indeed it should be reasonable to do so. Note that there are cases, including unprivileged containers, where file capabilities cannot be set, so the packaging would have to gracefully handle (i.e. ignore) that failure rather than fail the package install.

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Even unprivileged containers are now usable in containers with the right kernel, so this would be a good thing to add to the packaging.

I'm not sure when I'll have time, but assigning to myself so that I can more easily find it when I do.

Changed in libcap2 (Ubuntu):
assignee: nobody → Serge Hallyn (serge-hallyn)
Serge Hallyn (serge-hallyn)
Changed in libcap2 (Ubuntu):
assignee: Serge Hallyn (serge-hallyn) → Balint Reczey (rbalint)
Revision history for this message
Balint Reczey (rbalint) wrote :

@serge-hallyn I'm not sure why I got this bug assigned. :-)

Revision history for this message
Andrew G. Morgan (morganlibcap) wrote :

FWIW This used to be the default inside the libcap build tree, but the problems with the container defaults (eventually fixed with https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq
 ) changed my position on this:

https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=2b5f5635be6131d7e89b4c6244b29f32ebd163c1

Balint Reczey (rbalint)
Changed in libcap2 (Ubuntu):
assignee: Balint Reczey (rbalint) → nobody
Dan Bungert (dbungert)
tags: added: foundations-triage-discuss
Revision history for this message
Dan Bungert (dbungert) wrote :

Yes, this appears to be deliberate upstream behavior and I'm not sure we should revert that. Marking incomplete, if there is further info please share.

tags: removed: foundations-triage-discuss
Changed in libcap2 (Ubuntu):
status: New → Incomplete
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

> FWIW This used to be the default inside the libcap build tree, but the
> problems with the container defaults (eventually fixed with
> https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq

Thanks for the links. For a moment I was worried that there was an
issue with containers in general, but I see, this is an implementation
issue with one container engine implementation.

And... they rated the importance low?

> ) changed my position on this:

> https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=2b5f5635be6131d7e89b4c6244b29f32ebd163c1

Hm. Maybe this is the wrong place to discuss this. I started this
comment intending to propose the opposite, but indeed if admins are
expected to use pam to set pI per username, then perhaps it is best if
they also have to set fI on each program they intend it to exist on,
since otherwise they may not *really* be sure what they are handing
the user...

Andrew, is it your intention to leave libcap's install without the fI?
If so then we should either (1) deliverately override Andrew's decision
during ubuntu packaging's postinst (which I don't think we should do),
or (2) mark this bug Invalid rather than Incomplete.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for libcap2 (Ubuntu) because there has been no activity for 60 days.]

Changed in libcap2 (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.