1. Forum
  2. Usenet
  3. LINUX.DEBIAN.MAINT.DPKG

  • Re: Bug#1038789: Enable capabilities feature

    From Guillem Jover@21:1/5 to Mark Hindley on Wed Jun 28 02:00:01 2023
    Hi!

    On Wed, 2023-06-21 at 17:20:35 +0100, Mark Hindley wrote:
    Many thanks for this suggestion. I appreciate the advantages of
    capabilities support.

    Openrc also has optional capabilities support in supervise-daemon which might be
    an advantage to users, but isn't used by default in Debian.

    It might be worth exploring adding capabilities support to src:dpkg start-stop-daemon. Maybe the src:openrc code would be a starting point. I haven't looked how much the two codebases have diverged.

    Guillem,

    What do you think?

    Some time ago I asked on d-d whether anyone would have an issue with
    dpkg.deb in Debian linking against libcap [D]. And where I had worked
    on the following branch:

    https://git.hadrons.org/git/debian/dpkg/dpkg.git/log/?h=next/s-s-d-posix-caps

    Which I need to go over again before merging. But otherwise support
    for this in that or some other similar form should be coming soon to
    s-s-d.

    Thanks,
    Guillem

    [D] https://lists.debian.org/debian-devel/2022/07/msg00045.html

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Guillem Jover@21:1/5 to Dennis Camera on Tue Jul 4 00:10:01 2023
    Hi!

    On Wed, 2023-06-28 at 10:02:55 +0200, Dennis Camera wrote:
    On Wed, 28 Jun 2023 01:57:27 +0200
    Guillem Jover <[email protected]> wrote:
    Some time ago I asked on d-d whether anyone would have an issue with dpkg.deb in Debian linking against libcap [D]. And where I had worked
    on the following branch:

    https://git.hadrons.org/git/debian/dpkg/dpkg.git/log/?h=next/s-s-d-posix-caps

    Which I need to go over again before merging. But otherwise support
    for this in that or some other similar form should be coming soon to
    s-s-d.

    I had a quick look at the branch you posted and I'm not sure it
    overlaps with the feature requested with this bug.

    If I understand --dropcap correctly it is meant to remove capabilities
    from the daemon started by s-s-d, correct?

    Yes.

    What I am looking for is quite the opposite, however. I'm looking for a
    way to add new capabilities to the ambient set of the started daemon.
    The ambient set is important for daemons written in interpreted
    languages where capabilities cannot be set on the executable file and
    where the language may not provide a means to manipulate capabilities
    itself.
    In such cases, s-s-d would need to set up the capabilities for the
    daemon prior to it being exec'ed.

    Ah, right! Sure, will add something to cover this case too.

    Also I would favour if OpenRC's and dpkg's start-stop-daemon could try
    to share a common interface. This would make life easier for init
    script writers.

    I'll check whether those interfaces make sense, but then AFAIR the
    OpenRC s-s-d reimplementation never provided a complete interface and
    already diverged from the start on the options supported and their
    semantics, :/ so I'm not sure being constrained by it makes much sense
    here.

    Thanks,
    Guillem

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)