Hello, my first post to the debian user list for a quite vexing issue. I'm running debian squeeze.
I'm trying to get capabilities working along the lines of blog.fpmurphy.com/2009/05/linux-security-capabilities.html. I installed libcap2 (1:2.22-1.2), libcap2-bin (1:2.22-1.2), and libpam-cap (1:2.22-1.2), and edited /etc/security/capbilities.conf in order to give the user luke the cap_net_raw capability.

Everything seems set up correctly according to this check:

luke@leda:~$ /sbin/capsh --decode=$(grep CapInh /proc/$$/status|awk '{print $2}')
0x0000000000002000=cap_net_raw

However, actually using the capability with a copy of the ping binary is impossible:

luke@leda:~$ ls -al ./ping
-rwxr-xr-x 1 luke luke 36136 Nov 9 17:18 ./ping
luke@leda:~$ /sbin/getcap ./ping
./ping = cap_net_raw+ip
luke@leda:~$ ./ping localhost
ping: icmp open socket: Operation not permitted

As one can see, cap_net_raw is the capability required, since directly putting it into the effective capabilities works:

root@leda:~# setcap cap_net_raw=pie /home/luke/ping
luke@leda:~$ ./ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_req=1 ttl=64 time=0.019 ms

My google-fu has failed to turn up anything other than an old bug report that didn't go anywhere: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633991

Any help or pointers muchly appreciated.

Best regards,
Luke.
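An added example, not part of the original post: it applies the execve() capability transformation documented in capabilities(7) (the form without ambient capabilities) to the two file-capability settings shown above, cap_net_raw+ip and cap_net_raw=pie. The function names, the sample status text and the full bounding set are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: the execve() rule from capabilities(7), pre-ambient form:
#   P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & bset)
#   P'(effective) = F(effective) ? P'(permitted) : 0
# Function names are hypothetical; sample data below is constructed.

CAP_NET_RAW_BIT=13    # 1 << 13 = 0x2000, the mask capsh decodes in the post

# Constructed /proc/<pid>/status excerpt for a shell with cap_net_raw inherited.
SAMPLE_STATUS='CapInh: 0000000000002000
CapPrm: 0000000000000000
CapEff: 0000000000000000'

# cap_field NAME: print the named Cap* mask (as 0x...) from status text on stdin.
cap_field() { awk -v k="$1:" '$1 == k { print "0x" $2 }'; }

# exec_caps P_INH F_INH F_PERM F_EFF_FLAG [BSET]
# Prints "<permitted> <effective>" of the process after execve().
# BSET defaults to an assumed bounding set with nothing dropped.
exec_caps() {
    p_inh=$(( $1 )); f_inh=$(( $2 )); f_perm=$(( $3 )); f_eff=$4
    bset=$(( ${5:-0xffffffffff} ))
    new_perm=$(( (p_inh & f_inh) | (f_perm & bset) ))
    # The file effective flag is a single bit: all of permitted, or nothing.
    if [ "$f_eff" -eq 1 ]; then new_eff=$new_perm; else new_eff=0; fi
    printf '0x%x 0x%x\n' "$new_perm" "$new_eff"
}

# has_cap MASK BIT: succeed if BIT is set in MASK.
has_cap() { [ $(( ($1 >> $2) & 1 )) -eq 1 ]; }

demo() {
    inh=$(printf '%s\n' "$SAMPLE_STATUS" | cap_field CapInh)
    raw=$(( 1 << CAP_NET_RAW_BIT ))
    for flag in 0 1; do    # 0 models "+ip", 1 models "=pie"
        set -- $(exec_caps "$inh" "$raw" "$raw" "$flag")
        if has_cap "$2" "$CAP_NET_RAW_BIT"; then verdict="raw socket allowed"
        else verdict="raw socket refused unless the program raises the cap"; fi
        echo "effective flag=$flag permitted=$1 effective=$2 -> $verdict"
    done
}
demo
```

With the effective flag clear, the new process holds cap_net_raw in its permitted set only, so a program that does not raise the capability itself fails to open a raw socket.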