From 59cae244d055a7b5ba9de460d3ebbb5700d6ab17 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Mon, 26 Apr 2010 14:55:46 -0700
Subject: Set capabilities on standard utilities

This sets extended capablities on some common utilities
---
 debian/control | 1 +
 debian/vyatta-cfg-system.postinst.in | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/debian/control b/debian/control
index c1d19a95..57fdb2c7 100644
--- a/debian/control
+++ b/debian/control
@@ -28,6 +28,7 @@ Depends: acpid,
 vyatta-keepalived (>= 1.1.15-1-vyatta-5),
 bridge-utils,
 ethtool,
+ libcap2-bin,
 ssh (>= 1:5.1p1-5),
 openssh-server (>= 1:5.1p1-5),
 ed,
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index b2719bc5..288ea7c5 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -154,6 +154,17 @@ dpkg-reconfigure -f noninteractive openssh-server
 rm -f /etc/ssh/*.broken
 update-rc.d -f ssh remove >/dev/null
 
+#
+# Set extended capabilities on some files
+setcap cap_net_admin+e /usr/sbin/ethtool
+setcap cap_sys_admin+e /sbin/sysctl
+setcap cap_audit_write+e /bin/vbash
+setcap cap_net_admin+e /sbin/ip
+setcap cap_net_admin+e /sbin/tc cap_net_admin+e /sbin/ip
+setcap cap_net_admin+e /usr/sbin/arp
+setcap cap_net_admin+e /sbin/iptables cap_net_admin+e /sbin/ip6tables
+setcap cap_net_admin+e /usr/sbin/conntrack
+
 # Fix up PAM configuration for login so that invalid users are prompted
 # for password
 sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
-- 
cgit v1.2.3
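Review bot: The added setcap lines in the postinst hunk attach capabilities to binaries that are normally world-executable, so wherever the grants take effect every local account, not only configuration users, runs `ip`, `tc`, `iptables`, `ip6tables`, `arp`, `ethtool` and `conntrack` with CAP_NET_ADMIN and `sysctl` with the very broad CAP_SYS_ADMIN. Consider restricting execute permission on these files to the administrative group (placeholder `<ADMIN_GROUP>`, mode 0750) before granting, or using the inheritable set, e.g. `setcap cap_net_admin+ei /sbin/ip`, with pam_cap handing the capability only to the intended users. As written, `+e` raises the effective flag with an empty permitted set, which as far as I know confers nothing at exec time and may be rejected by newer setcap, so the flag choice needs checking either way. The grants are stored in extended attributes, so they are lost when the owning package replaces the binary and fail on a filesystem without xattr support, and nothing here checks setcap's exit status or logs a failure. `/sbin/ip` is also set twice, once on its own line and again after `/sbin/tc`.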