File protection mystery
Eric S. Raymond
esr at thyrsus.com
Wed Jan 3 03:58:52 UTC 2018
Hal Murray via devel <devel at ntpsec.org>:
>
> Found it. (It was right in front of my eyes.)
>
> setcap isn't doing what I expect.
>
> My install script says:
> setcap cap_ipc_lock,cap_sys_nice,cap_sys_time,cap_net_bind_service=pe \
> /usr/local/sbin/ntpd
>
> Note the =pe on the end.
>
> But getcap says:
> /usr/local/sbin/ntpd = cap_net_bind_service,cap_ipc_lock,cap_sys_nice,cap_sys_time+ep
>
> Note the +ep on the end. It's adding the caps I want to what root has rather
> than replacing them.
>
> If I start it as non-root, it can't read the keys file. If I change the
> owner, it works.
>
> Anybody understand setcap?
Alas, I've never used it.
--
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
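
As an added example, not part of the original thread or the NTPsec code: a simplified Python model of the capability text format documented in cap_from_text(3), applied to the two strings quoted above, starting from an empty capability state. The names `parse_cap_text`, `KNOWN_CAPS`, `SETCAP_ARG` and `GETCAP_OUT` are assumptions made for this illustration.

```python
import re

# The four capabilities named in the thread, plus two not named on the page
# (constructed for this example) to show that unlisted entries stay empty.
KNOWN_CAPS = [
    "cap_ipc_lock", "cap_sys_nice", "cap_sys_time", "cap_net_bind_service",
    "cap_dac_override", "cap_dac_read_search",
]

# One clause: optional comma-separated name list, then operator/flag groups.
CLAUSE = re.compile(r"([a-z_,]*)((?:[=+-][eip]*)+)")

def parse_cap_text(text, known_caps=KNOWN_CAPS):
    """Apply whitespace-separated clauses to an all-clear capability state.

    Returns {capability: flags} for every capability with a flag raised,
    where flags is a sorted string over e(ffective), i(nheritable), p(ermitted).
    """
    state = {cap: set() for cap in known_caps}
    for clause in text.split():
        m = CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"malformed clause: {clause!r}")
        names, actions = m.groups()
        targets = list(known_caps) if names in ("", "all") else names.split(",")
        for cap in targets:
            if cap not in state:
                raise ValueError(f"unknown capability: {cap!r}")
        for op, flags in re.findall(r"([=+-])([eip]*)", actions):
            for cap in targets:
                if op == "=":      # reset all three flags, then raise the listed ones
                    state[cap] = set(flags)
                elif op == "+":    # raise the listed flags, keep the others
                    state[cap] |= set(flags)
                else:              # "-": lower the listed flags
                    state[cap] -= set(flags)
    return {cap: "".join(sorted(f)) for cap, f in state.items() if f}

# The argument from the install script and the getcap output, as quoted above.
SETCAP_ARG = "cap_ipc_lock,cap_sys_nice,cap_sys_time,cap_net_bind_service=pe"
GETCAP_OUT = "cap_net_bind_service,cap_ipc_lock,cap_sys_nice,cap_sys_time+ep"

if __name__ == "__main__":
    for label, text in (("setcap arg", SETCAP_ARG), ("getcap out", GETCAP_OUT)):
        print(label, parse_cap_text(text))
```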