FWIW This used to be the default inside the libcap build tree, but the problems with the container defaults (eventually fixed with https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq ) changed my position on this:
https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=2b5f5635be6131d7e89b4c6244b29f32ebd163c1

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libcap2 in Ubuntu.
https://bugs.launchpad.net/bugs/1700814

Title:
  Default capability of cap_setfcap+i should be set on setcap

Status in libcap2 package in Ubuntu:
  New

Bug description:
  If I grant a user (via pam_cap) cap_setfcap+i, I would then expect them to be able to use setcap without sudo. setcap is not provided with any default file capabilities however, so either the user has to sudo, or I have to grant the setfcap capability to setcap with setcap. In my mind, it would be reasonable to grant setfcap+i to setcap by default on installation.
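
The interaction described in the bug report and the comment above, as an added example that is not part of the original thread or of libcap: a small Python model of the execve() capability rules from capabilities(7) for a non-root caller. The `ProcCaps`/`FileCaps` names and the sample processes and binaries are constructed for illustration.

```python
# Model of the execve() capability transformation (capabilities(7)),
# non-root caller, no setuid bits. Constructed example, not libcap code.
from dataclasses import dataclass

SETFCAP = frozenset({"cap_setfcap"})

@dataclass(frozen=True)
class ProcCaps:
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()
    effective: frozenset = frozenset()
    ambient: frozenset = frozenset()
    bounding: frozenset = SETFCAP

@dataclass(frozen=True)
class FileCaps:
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()
    effective_bit: bool = False

    @property
    def privileged(self) -> bool:
        # A file carrying any file capability drops the caller's ambient set.
        return bool(self.permitted or self.inheritable)

def execve(p: ProcCaps, f: FileCaps) -> ProcCaps:
    ambient = frozenset() if f.privileged else p.ambient
    permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | ambient
    effective = permitted if f.effective_bit else ambient
    # The inheritable and bounding sets pass through execve() unchanged.
    return ProcCaps(permitted, p.inheritable, effective, ambient, p.bounding)

# Constructed cases from the bug report.
user_with_pam_cap = ProcCaps(inheritable=SETFCAP)   # pam_cap granted cap_setfcap+i
ordinary_user = ProcCaps()                          # no inheritable capabilities
setcap_as_shipped = FileCaps()                      # no file capabilities
setcap_with_i = FileCaps(inheritable=SETFCAP)       # cap_setfcap=i on the binary

def permitted_after_exec(proc: ProcCaps, binary: FileCaps) -> list:
    return sorted(execve(proc, binary).permitted)

if __name__ == "__main__":
    for who, proc in (("pam_cap user", user_with_pam_cap), ("ordinary user", ordinary_user)):
        for what, binary in (("as shipped", setcap_as_shipped), ("with =i", setcap_with_i)):
            print(f"{who:14} setcap {what:11} -> permitted {permitted_after_exec(proc, binary)}")
```

The rule does not distinguish how the caller's inheritable set was populated, so a binary shipped with `=i` grants the capability to any process that arrives with `cap_setfcap` already inheritable, whether pam_cap put it there or a launcher's defaults did.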