It turns out that setting +i on the wrapper does not add the capability to the CAP_INHERITABLE set for the wrapper process, thus it is not passed through exec. I therefore had to manually add CAP_DAC_OVERRIDE to CAP_INHERITABLE before calling execl:
#include <sys/capability.h>
#include <stdio.h>
#include <unistd.h>

/* Build with: gcc -o registerdns registerdns.c -lcap */
int main(int argc, char **argv) {
    (void)argc; (void)argv;
    cap_t caps = cap_get_proc();                 /* current process capability sets */
    char *txt = cap_to_text(caps, NULL);
    printf("Capabilities: %s\n", txt);
    cap_free(txt);
    /* Raise CAP_DAC_OVERRIDE in the inheritable set; it must already be in the permitted set */
    cap_value_t newcaps[1] = { CAP_DAC_OVERRIDE };
    cap_set_flag(caps, CAP_INHERITABLE, 1, newcaps, CAP_SET);
    if (cap_set_proc(caps) != 0) {
        perror("cap_set_proc");
        return 1;
    }
    txt = cap_to_text(caps, NULL);
    printf("Capabilities: %s\n", txt);
    cap_free(txt);
    cap_free(caps);
    /* The inheritable set survives exec, so net can pick the capability up via its file +i */
    return execl("/usr/bin/net", "net", "ads", "dns", "register", "-P", (char *)NULL);
}
In addition, I had to add cap_dac_override to the permitted file capabilities set on /usr/bin/net and set the effective bit:
~ $ sudo setcap cap_dac_override=p ./registerdns
~ $ sudo setcap cap_dac_override=ei /usr/bin/net
~ $ ./registerdns
Capabilities = cap_dac_override+p
Capabilities = cap_dac_override+ip
Successfully registered hostname with DNS
I think I now fully understand what's happening:
- The wrapper needs CAP_DAC_OVERRIDE in its permitted set so it can add it to its inheritable set.
- The wrapper's process inheritable set is different from its file inheritable set, so setting +i on the file is useless; the wrapper must explicitly add CAP_DAC_OVERRIDE to CAP_INHERITABLE using cap_set_flag/cap_set_proc.
- The net file needs to have CAP_DAC_OVERRIDE in its inheritable set so that it can in fact inherit the capability from the wrapper into its CAP_PERMITTED set. It also needs the effective bit to be set so that it will be automatically promoted to CAP_EFFECTIVE.
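As an added illustration (not part of the post above), the following C model applies the execve() capability transformation rules from capabilities(7) to the chain shell -> ./registerdns -> /usr/bin/net, and shows why +i on the wrapper file alone leaves net with nothing while raising the wrapper's process inheritable set works. The struct and function names are my own, and the model assumes an empty ambient set.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* CAP_DAC_OVERRIDE is capability number 1 in <linux/capability.h>. */
#define CAP_BIT(n)           ((uint64_t)1 << (n))
#define CAP_DAC_OVERRIDE_BIT CAP_BIT(1)
#define ALL_CAPS             (~(uint64_t)0)

struct thread_caps { uint64_t inheritable, permitted, effective, bounding; };
struct file_caps   { uint64_t inheritable, permitted; bool effective; };

/* execve() rules from capabilities(7), assuming an empty ambient set
 * (assumption: the scenario above never uses ambient capabilities). */
static struct thread_caps exec_transform(struct thread_caps p, struct file_caps f)
{
    struct thread_caps n;
    n.bounding    = p.bounding;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding);
    n.effective   = f.effective ? n.permitted : 0;
    n.inheritable = p.inheritable;   /* exec never changes it; only the process can raise it */
    return n;
}

/* Model: unprivileged shell -> ./registerdns -> /usr/bin/net (setcap cap_dac_override=ei).
 * wrapper_file_inh:   the wrapper file was given +i (cap_dac_override=ip).
 * wrapper_raises_inh: the wrapper calls cap_set_flag(CAP_INHERITABLE)/cap_set_proc. */
uint64_t net_effective_caps(bool wrapper_file_inh, bool wrapper_raises_inh)
{
    struct thread_caps shell = { 0, 0, 0, ALL_CAPS };         /* ordinary user: no caps */
    struct file_caps registerdns = { wrapper_file_inh ? CAP_DAC_OVERRIDE_BIT : 0,
                                     CAP_DAC_OVERRIDE_BIT, false };
    struct thread_caps wrapper = exec_transform(shell, registerdns);
    /* The wrapper gets the cap permitted only; its inheritable set is still empty. */
    if (wrapper_raises_inh && (wrapper.permitted & CAP_DAC_OVERRIDE_BIT))
        wrapper.inheritable |= CAP_DAC_OVERRIDE_BIT;  /* allowed because it is permitted */
    struct file_caps net = { CAP_DAC_OVERRIDE_BIT, 0, true };
    return exec_transform(wrapper, net).effective;
}

int main(void)
{
    printf("+i on wrapper file only:    %#llx\n", (unsigned long long)net_effective_caps(true, false));
    printf("wrapper raises inheritable: %#llx\n", (unsigned long long)net_effective_caps(false, true));
    return 0;
}
```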
If you want to build specific packages according to your own liking, you could use the Gentoo prefix project. It allows you to compile and install packages to a specific directory, as a regular user. This way you can enjoy the flexibility and repositories of Gentoo, without breaking or changing your system.
Best Answer
Sadly, no. There isn't a way to make dpkg use file capabilities, and apparently nobody has ever asked, though the library itself is available. I skimmed through the Debian Policy Manual, and there isn't a single entry that references this feature. That said, you can use dh_override_install (if you use debhelper), pre/post maintainer scripts, or modify the debian/rules file to reproduce this behavior, but I don't see any obviously easy way to implement it.