abuild: Scan for binaries with extra setcap(8) capabilities
Open Sören Tempel requested to merge nmeum/abuild:setcap-scan into master Jun 19, 2022

Similar to suid binaries, abuild will now error out if the package includes binaries with setcap(8) capabilities but doesn't have setcap in $options. This eases identifying packages which ship binaries with extra capabilities.

Furthermore, if these binaries are executable by others a warning is emitted. This warning could be changed to an error in the future. The recommendation is to make such binaries only executable by owner and group, thereby requiring the system administrator to explicitly add users to a specific group in order to give them access to these capabilities.

See: tsc#45 (closed)

Discussion: This change requires abuild to depend on the libcap package for the getcap binary. It does not seem to be possible at the moment to use scanelf(1) to identify these binaries.
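The check described in this merge request, written out as an added stand-alone example rather than abuild's own code: the function names scan_setcap, options_has and others_can_exec are assumed, the package root is a placeholder, and getcap(8) from libcap is expected on PATH.

```shell
#!/bin/sh
# Added example (not abuild's code). Interface assumed here:
#   scan_setcap PKGDIR OPTIONS
# PKGDIR is the staged package root, OPTIONS the APKBUILD's space-separated
# $options string. Exit status 1 means a capability-bearing binary was found
# without "setcap" in OPTIONS; world-executable ones only produce a warning.

# options_has NAME OPTIONS: 0 when NAME appears as one whole word in OPTIONS
options_has() {
	case " $2 " in
	*" $1 "*) return 0 ;;
	*) return 1 ;;
	esac
}

# others_can_exec FILE: 0 when the "others" execute bit is set.
# Character 10 of ls -l output is the others-execute flag (x, or t with sticky).
others_can_exec() {
	case "$(ls -ld "$1" | cut -c10)" in
	x|t) return 0 ;;
	*) return 1 ;;
	esac
}

# scan_setcap PKGDIR OPTIONS: report every regular file under PKGDIR that
# carries file capabilities; error unless "setcap" is listed in OPTIONS.
scan_setcap() {
	local pkgdir="$1" options="$2" rc=0 file caps
	while IFS= read -r file; do
		[ -n "$file" ] || continue
		# getcap prints nothing for files without capabilities
		caps=$(getcap "$file" 2>/dev/null) || caps=""
		[ -n "$caps" ] || continue
		if options_has setcap "$options"; then
			echo ">>> INFO: $file has capabilities: $caps"
		else
			echo ">>> ERROR: $file has capabilities but setcap is not in \$options: $caps" >&2
			rc=1
		fi
		if others_can_exec "$file"; then
			echo ">>> WARNING: $file is executable by others; prefer mode 0750 and a dedicated group" >&2
		fi
	done <<EOF
$(find "$pkgdir" -type f)
EOF
	return $rc
}

# Usage against a staged package (placeholder path):
# scan_setcap /tmp/pkg/usr "!check setcap"
```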
