On 12.02.26 02:51, Otto Kekäläinen wrote:
The linked issue recommends running `sudo setcap cap_perfmon=ep
/usr/bin/btop` to set the capability for the binary.
I am not aware of how to set capabilities in Debian packaging. There
are no signs of any automated way to do it:
https://manpages.debian.org/unstable/debhelper/dh_installdeb.1.en.html
https://manpages.debian.org/unstable/manpages/capabilities.7.en.html
https://manpages.debian.org/unstable/libcap2-bin/setcap.8.en.html
I would rather not introduce custom mainters scripts to run misc shell
commands with security implications during install. Maybe we need to
wait for Debian to introduce some general capability management
facility in Debian packaging, like a debian/btop.setcap file etc.
I do agree that a generalized capability management would be nice
instead of needing to add shell code to the postinst, but unfortunately
this is how this is done currently, when you look at other packages.
My locally created package has this in the postinst:
#
if [ "$1" = configure ]; then
if command -v setcap > /dev/null; then
setcap cap_sys_admin=+ep /usr/bin/btop ||:
fi
fi
#
If you look at codesearch, you will find man examples of exactly this
kind of code.
For btop there is a tradeoff to be discussed: Some stats, most
prominently the GPU stats, are only available when running as root (or
with sys_admin privileges), so running btop via sudo or people getting
advise to make it setuid could be seen as the worse alternative to
setting the capabilities.
Grüße,
Sven.
