
abuild: Scan for binaries with extra setcap(8) capabilities

Sören Tempel requested to merge nmeum/abuild:setcap-scan into master

Similar to suid binaries, abuild will now error out if the package includes binaries with setcap(8) capabilities but doesn't have setcap in $options. This eases identifying packages which ship binaries with extra capabilities.

Furthermore, if these binaries are executable by others, a warning is emitted. This warning could be changed to an error in the future. The recommendation is to make such binaries only executable by owner and group, thereby requiring the system administrator to explicitly add users to a specific group in order to give them access to these capabilities.

See: tsc#45 (closed)

Discussion: This change requires abuild to depend on the libcap package for the getcap binary. It does not seem to be possible at the moment to use scanelf(1) to identify these binaries.
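
The check described above, sketched as an added example (not the code from this merge request or from abuild): it reads `getcap -r` output, counts an error for each capability-carrying file when `setcap` is missing from the options string, and counts a warning when the file is executable by others. The function names `scan_caps` and `other_exec`, the message wording and the summary line are assumptions, and each getcap line is assumed to carry a single capability clause.

```shell
#!/bin/sh
# Added example; not abuild's implementation. Names and messages are hypothetical.

# Succeed if the file has the "others" execute bit (o+x) set.
other_exec() {
	# -prune keeps find from descending; -perm -001 matches when o+x is set
	[ -n "$(find "$1" -prune -perm -001 2>/dev/null)" ]
}

# Read `getcap -r <dir>` output on stdin; $1 is the package's options string.
# Prints a summary line on stdout and returns non-zero if any error was counted.
scan_caps() {
	opts=" $1 "
	errors=0
	warnings=0
	while IFS= read -r line; do
		[ -n "$line" ] || continue
		# getcap prints "path caps" (newer libcap) or "path = caps" (older):
		# drop the last field, then a trailing " =" if one is left over.
		path=${line% *}
		path=${path% =}
		case "$opts" in
			*" setcap "*) ;;
			*)
				echo "ERROR: $path has capabilities but setcap is not in \$options" >&2
				errors=$((errors + 1))
				;;
		esac
		if other_exec "$path"; then
			echo "WARNING: $path has capabilities and is executable by others" >&2
			warnings=$((warnings + 1))
		fi
	done
	echo "errors=$errors warnings=$warnings"
	[ "$errors" -eq 0 ]
}

# Typical call, assuming $pkgdir and $options are set by the build:
#   getcap -r "$pkgdir" | scan_caps "$options"
```

A file installed with mode 0750 and a dedicated group passes without a warning, which matches the recommendation above.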
