Re: Adding CAP_NET_RAW to binaries

On 10/11/17 17:38, nicolas.mail...@laposte.net wrote: Full details are in cap_from_text(3) by the looks of it. Unfortunately, no. None of the fine manuals I located explain the difference between ep and just p flags :( Everyone seems to use +ep blindly, but the Fedora spec only adds p? The

Re: Adding CAP_NET_RAW to binaries

> Full details are in cap_from_text(3) by the looks of it. Unfortunately, no. None of the fine manuals I located explain the difference between ep and just p flags :( Everyone seems to use +ep blindly, but the Fedora spec only adds p? Regards, -- Nicolas mailhot __

Re: Re: Adding CAP_NET_RAW to binaries

- Mail original - De: "Jeffrey Ollie" > Instead of setting CAP_NET_RAW on the binary, why not have systemd give the > service the capability at runtime? The blackbox exporter isn't something > that you run from the CLI much anyway is it? Yes that's another solution, I hadn't thought so f

Re: Adding CAP_NET_RAW to binaries

On 10/11/17 16:47, nicolas.mail...@laposte.net wrote: Thanks a lot, I should have thought of it myself, I must be tired today. Is there a difference between setcap cap_net_raw+ep and %caps(cap_net_raw=p) I can't seem to locate a correct setcap or %caps() reference I imagine you want =ep to

Re: Adding CAP_NET_RAW to binaries

Instead of setting CAP_NET_RAW on the binary, why not have systemd give the service the capability at runtime? The blackbox exporter isn't something that you run from the CLI much anyway is it? Here's what part of my service file looks like: [Service] User=blackbox_exporter Group=blackbox_exporte

Re: Adding CAP_NET_RAW to binaries

Hi Tom Thanks a lot, I should have thought of it myself, I must be tired today. Is there a difference between setcap cap_net_raw+ep and %caps(cap_net_raw=p) I can't seem to locate a correct setcap or %caps() reference Regards, -- Nicolas Mailhot _

Re: Adding CAP_NET_RAW to binaries

Hi, There is a RPM macro for it. You may find a good example in the spec file of wireshark On November 10, 2017 5:07:28 PM GMT+01:00, nicolas.mail...@laposte.net wrote: >Hi, > >I'm building the prometheus blackbox exporter that needs the >CAP_NET_RAW capability to conduct ICMP probes (I don't w

Re: Adding CAP_NET_RAW to binaries

On 10/11/17 16:07, nicolas.mail...@laposte.net wrote: I'm building the prometheus blackbox exporter that needs the CAP_NET_RAW capability to conduct ICMP probes (I don't want to run it as root) I've done the naïve setcap cap_net_raw+ep /builddir/build/BUILDROOT/prometheus-blackbox-exporter-0.