FS#67781 - [util-linux] Reports libcap-ng being too old to drop all capabilities

Attached to Project: Arch Linux
Opened by Nico Wellpott (mightyBroccoli) - Monday, 31 August 2020, 14:37 GMT
Last edited by Christian Hesse (eworm) - Wednesday, 02 September 2020, 09:10 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Dave Reisner (falconindy), Christian Hesse (eworm)
Architecture: x86_64
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
The setpriv binary installed from util-linux utilizing libcap-ng reports it being too old to drop all capabilities.

# setpriv --clear-groups --inh-caps=-all /bin/bash
setpriv: libcap-ng is too old for "all" caps


Additional info:
* util-linux: 2.36-2
* libcap-ng: 0.7.11-1

Steps to reproduce:
Have util-linux and libcap-ng installed and call it as seen above.

Closed by Christian Hesse (eworm)
Wednesday, 02 September 2020, 09:10 GMT
Reason for closing: Fixed
Additional comments about closing: libcap-ng 0.7.11-2, util-linux 2.36-3

Comment by Levente Polyak (anthraxx) - Monday, 31 August 2020, 15:06 GMT
What's the output of the following?

# cat /proc/sys/kernel/cap_last_cap
# pacman -Qi linux|grep Version
# uname -a
Comment by Nico Wellpott (mightyBroccoli) - Monday, 31 August 2020, 15:09 GMT
# cat /proc/sys/kernel/cap_last_cap
36

# pacman -Qi linux|grep Version
5.8.5.arch1-1

# uname -a
Linux dashwood.domain.tld 5.8.5-arch1-1 #1 SMP PREEMPT Thu, 27 Aug 2020 18:53:02 +0000 x86_64 GNU/Linux
Comment by Christian Hesse (eworm) - Monday, 31 August 2020, 15:09 GMT
Has it always been this way or is there a regression?
Comment by Levente Polyak (anthraxx) - Monday, 31 August 2020, 15:12 GMT
The error is a safeguard in setpriv to exit if it wouldn't drop all caps because of an inconsistency in what "all" means.
It checks /proc/sys/kernel/cap_last_cap against CAP_LAST_CAP from /usr/include/linux/capability.h.
Comment by Nico Wellpott (mightyBroccoli) - Monday, 31 August 2020, 15:12 GMT
I noticed it just recently due to various containers not finishing their entrypoints due to this error.
Comment by Levente Polyak (anthraxx) - Monday, 31 August 2020, 15:14 GMT
The buildinfo says linux-api-headers-5.7-1-any was used when discovering CAP_LAST_CAP.
I guess it may just need a rebuild.
Comment by Nico Wellpott (mightyBroccoli) - Monday, 31 August 2020, 15:14 GMT
The curious thing is that on a different Debian system it works perfectly.
Comment by Levente Polyak (anthraxx) - Monday, 31 August 2020, 15:18 GMT
Oh, linux-api-headers is outdated.
Comment by Christian Hesse (eworm) - Monday, 31 August 2020, 15:19 GMT
But linux-api-headers has not been updated since, no? So what do you think needs a rebuild?
Comment by Levente Polyak (anthraxx) - Monday, 31 August 2020, 15:24 GMT
linux-api-headers needs a bump to 5.8.x, the toolchain rebuilt against it, and then util-linux as well (potentially also libcap-ng).
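
The check described in the comments above, sketched in C as an added example (not util-linux's own code and not part of the original thread): it compares the running kernel's /proc/sys/kernel/cap_last_cap with the CAP_LAST_CAP the program was compiled against, and fails closed when the kernel knows capabilities the build-time headers do not. The function and enum names are hypothetical, and treating "kernel value greater than header value" as the unsafe case is an assumption.

```c
/* Added illustration, not util-linux source; names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/capability.h>   /* compile-time CAP_LAST_CAP */

enum cap_view { CAP_VIEW_OK, CAP_VIEW_KERNEL_NEWER, CAP_VIEW_UNKNOWN };

/* Parse the text of cap_last_cap (e.g. "39\n"); -1 on malformed input. */
int parse_cap_last_cap(const char *text)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno || end == text || v < 0 || v > 1023)  /* 1023: constructed sanity bound */
        return -1;
    while (*end == '\n' || *end == ' ')
        end++;
    return *end ? -1 : (int)v;
}

/* Read the running kernel's highest capability number; -1 if unreadable. */
int read_runtime_last_cap(const char *path)
{
    char buf[32];
    size_t n;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_last_cap(buf);
}

/* Assumption: a kernel value above the build-time value means 0..built_last misses caps. */
enum cap_view compare_cap_view(int runtime_last, int built_last)
{
    if (runtime_last < 0 || built_last < 0)
        return CAP_VIEW_UNKNOWN;    /* fail closed */
    return runtime_last > built_last ? CAP_VIEW_KERNEL_NEWER : CAP_VIEW_OK;
}

int main(void)
{
    int rt = read_runtime_last_cap("/proc/sys/kernel/cap_last_cap");
    enum cap_view v = compare_cap_view(rt, CAP_LAST_CAP);
    printf("kernel=%d headers=%d all_is_complete=%s\n", rt, CAP_LAST_CAP,
           v == CAP_VIEW_OK ? "yes" : "no");
    return v == CAP_VIEW_OK ? 0 : 1;
}
```

A non-zero exit means a loop over 0..CAP_LAST_CAP in a binary built with these headers would not reach every capability the running kernel defines, so the binary needs rebuilding against newer headers.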
