abuild: Scan for binaries with extra setcap(8) capabilities
Similar to suid binaries, abuild will now error out if the package
includes binaries with setcap(8) capabilities but doesn't have setcap
in $options. This eases identifying packages which ship binaries
with extra capabilities.
Furthermore, if these binaries are executable by others, a warning is emitted. This warning could be changed to an error in the future. The recommendation is to make such binaries only executable by owner and group, thereby requiring the system administrator to explicitly add users to a specific group in order to give them access to these capabilities.
See: tsc#45 (closed)
Discussion: This change requires abuild to depend on the libcap
package for the getcap binary. It does not seem to be possible
at the moment to use scanelf(1) to identify these binaries.
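
The check described above, sketched as an added example; this is not abuild's code and not part of the merge request. The names check_caps, CAPS_FOUND and CAPS_WARNINGS are hypothetical, and the input is assumed to be `getcap -r` output with one path and a single capability clause per line (with or without the " = " separator that some getcap versions print).

```shell
#!/bin/sh
# Added example, not abuild's code. check_caps and the CAPS_* variables are
# hypothetical names. stdin is assumed to be `getcap -r "$pkgdir"` output:
# "<path> <caps>" or "<path> = <caps>", one file per line, single clause.

check_caps() {
	options=$1
	CAPS_FOUND=0
	CAPS_WARNINGS=0
	while IFS= read -r line; do
		[ -n "$line" ] || continue
		path=${line% *}   # drop the trailing capability clause
		path=${path% =}   # drop the " =" separator if present
		CAPS_FOUND=$((CAPS_FOUND + 1))
		echo "capabilities: $line" >&2
		# Mode bit 0001 is execute-for-others: warn, do not fail.
		if [ -n "$(find "$path" -prune -perm -0001 2>/dev/null)" ]; then
			echo "WARNING: $path is executable by others" >&2
			CAPS_WARNINGS=$((CAPS_WARNINGS + 1))
		fi
	done
	[ "$CAPS_FOUND" -gt 0 ] || return 0
	# Capabilities are only accepted when the package opts in.
	case " $options " in
		*" setcap "*) return 0 ;;
	esac
	echo "ERROR: binaries with capabilities found, add setcap to options" >&2
	return 1
}

# Constructed sample: two empty files standing in for packaged binaries.
demo=$(mktemp -d)
touch "$demo/ping" "$demo/dumpcap"
chmod 755 "$demo/ping"      # executable by others: warning
chmod 750 "$demo/dumpcap"   # owner and group only: no warning
printf '%s cap_net_raw=ep\n%s = cap_net_raw+ep\n' \
	"$demo/ping" "$demo/dumpcap" > "$demo/getcap.out"

check_caps "!check" < "$demo/getcap.out" || echo "build would stop here"
check_caps "!check setcap" < "$demo/getcap.out" && echo "build continues"
rm -rf "$demo"
```
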