[Bug 1700814] Re: Default capability of cap_setfcap+i should be set on setcap
Serge Hallyn
1700814 at bugs.launchpad.net
Tue Oct 18 15:40:13 UTC 2022
> FWIW This used to be the default inside the libcap build tree, but the
> problems with the container defaults (eventually fixed with
> https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq
Thanks for the links. For a moment I was worried that there was an
issue with containers in general, but I see, this is an implementation
issue with one container engine implementation.
And... they rated the importance low?
> ) changed my position on this:
>
> https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=2b5f5635be6131d7e89b4c6244b29f32ebd163c1
Hm. Maybe this is the wrong place to discuss this. I started this
comment intending to propose the opposite, but indeed if admins are
expected to use pam to set pI per username, then perhaps it is best if
they also have to set fI on each program they intend it to exist on,
since otherwise they may not *really* be sure what they are handing
the user...
Andrew, is it your intention to leave libcap's install without the fI?
If so then we should either (1) deliberately override Andrew's decision
during ubuntu packaging's postinst (which I don't think we should do),
or (2) mark this bug Invalid rather than Incomplete.
https://bugs.launchpad.net/bugs/1700814
Title:
Default capability of cap_setfcap+i should be set on setcap
Status in libcap2 package in Ubuntu:
Incomplete
Bug description:
If I grant a user (via pam_cap) cap_setfcap+i, I would then expect
them to be able to use setcap without sudo. setcap is not provided
with any default file capabilities however, so either the user has to
sudo, or I have to grant the setfcap capability to setcap with setcap.
In my mind, it would be reasonable to grant setfcap+i to setcap by
default on installation.
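The mechanism the report and the reply both turn on is the execve(2) capability transformation from capabilities(7): a capability in a user's inheritable set (what pam_cap hands out via /etc/security/capability.conf) only lands in a program's permitted set if that same capability is also in the program's file inheritable set (fI). The model below, an added illustration that is not code from libcap, pam_cap or the Ubuntu package, applies those documented rules to a few constructed cases: setcap as shipped (no file capabilities), setcap after `setcap cap_setfcap+i /usr/sbin/setcap`, and the alternative of `cap_setfcap+ep`, which would hand the capability to every caller rather than only to users the admin granted it to. The capability.conf text, user names and small capability universe are all constructed for the example; the conf parser follows pam_cap's documented first-matching-line rule but is a simplification of the real module.

```python
"""Model of the capabilities(7) execve transformation, added here as an
illustration for this bug; it is not code from libcap, pam_cap or Ubuntu.

Capability sets are frozensets of capability names.  The transformation
rules are the ones documented in capabilities(7); the sample processes,
file capabilities and capability.conf text are constructed for the example.
"""
from dataclasses import dataclass

Caps = frozenset
EMPTY = Caps()
SETFCAP = Caps({"cap_setfcap"})
# Small stand-in for the full bounding set of an ordinary login shell.
ALL_CAPS = Caps({"cap_setfcap", "cap_net_bind_service", "cap_sys_admin"})


@dataclass(frozen=True)
class ProcCaps:
    """The per-thread sets P(permitted), P(inheritable), P(effective),
    P(ambient) and P(bounding)."""
    permitted: Caps = EMPTY
    inheritable: Caps = EMPTY
    effective: Caps = EMPTY
    ambient: Caps = EMPTY
    bounding: Caps = ALL_CAPS


@dataclass(frozen=True)
class FileCaps:
    """File capabilities: F(permitted) and F(inheritable) are sets,
    F(effective) is a single bit (the 'e' in setcap's +ep)."""
    permitted: Caps = EMPTY
    inheritable: Caps = EMPTY
    effective: bool = False


def login_from_capability_conf(conf: str, user: str) -> ProcCaps:
    """Simplified pam_cap: the user's inheritable set comes from the first
    capability.conf line ("cap_a,cap_b  user1 user2" or "*") that names
    them, clipped to the bounding set.  The login shell starts with no
    permitted or effective capabilities, so pI alone grants no privilege."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        caps, *users = line.split()
        if user in users or "*" in users:
            granted = EMPTY if caps == "none" else Caps(caps.split(","))
            return ProcCaps(inheritable=granted & ALL_CAPS)
    return ProcCaps()  # no matching line: nothing granted


def execve_caps(proc: ProcCaps, f: FileCaps) -> ProcCaps:
    """Apply the capabilities(7) rules for executing a non-setuid binary."""
    privileged = bool(f.permitted or f.inheritable)   # file carries caps
    ambient = EMPTY if privileged else proc.ambient     # caps clear ambient
    permitted = ((proc.inheritable & f.inheritable)     # pI & fI
                 | (f.permitted & proc.bounding)        # fP & bounding
                 | ambient)
    effective = permitted if f.effective else ambient   # fE is one bit
    return ProcCaps(permitted, proc.inheritable, effective, ambient,
                    proc.bounding)


# Constructed /etc/security/capability.conf: only alice gets cap_setfcap+i.
CAPABILITY_CONF = """\
# constructed example; format: <caps>  <user> [<user> ...]
cap_setfcap        alice
"""

SETCAP_AS_SHIPPED = FileCaps()                                # no xattr set
SETCAP_WITH_FI = FileCaps(inheritable=SETFCAP)                # cap_setfcap+i
SETCAP_WITH_EP = FileCaps(permitted=SETFCAP, effective=True)  # cap_setfcap+ep


def scenarios() -> dict:
    """Permitted/effective sets setcap would start with in each case."""
    alice = login_from_capability_conf(CAPABILITY_CONF, "alice")
    bob = login_from_capability_conf(CAPABILITY_CONF, "bob")  # no grant
    return {
        "alice, setcap as shipped": execve_caps(alice, SETCAP_AS_SHIPPED),
        "alice, setcap +i":         execve_caps(alice, SETCAP_WITH_FI),
        "bob, setcap +i":           execve_caps(bob, SETCAP_WITH_FI),
        "bob, setcap +ep":          execve_caps(bob, SETCAP_WITH_EP),
    }


if __name__ == "__main__":
    for name, caps in scenarios().items():
        print(f"{name}: permitted={set(caps.permitted)} "
              f"effective={set(caps.effective)}")
```

With fI set, alice's setcap starts with cap_setfcap permitted but not effective; that is enough for setcap, because libcap-aware programs raise their own effective bit from the permitted set when they need it, and it is why the report asks for +i rather than +ep. The bob cases show the two sides of the trade-off in the reply: +i gives nothing to a user the admin did not grant pI to, while +ep would give the capability to anyone who can run the binary. On a real system the equivalent checks are `getcap /usr/sbin/setcap` and, as the user, `capsh --print` (or `grep Cap /proc/self/status`) for the inheritable set.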