1. Forum
  2. DOVE-Net
  3. Synchronet Sysops

  • Linux setcap not working on non-symlink install

    From Daniel Clough@VERT to GitLab issue in main/sbbs on Tue Jan 16 05:45:11 2024
    open https://gitlab.synchro.net/main/sbbs/-/issues/699

    I'm going to paste in the text from a message I posted on DoveNet regarding this:

    I've been off-and-on fighting with using 'setcap' to allow binding to ñ
    low ports as a non-root user, and today found (I think) what might be ñ
    causing my difficulties. ñ
    ñ
    I've been doing my updates with an automated script, and the setcap ø
    option on the make line didn't seem to work. So, I was trying to use it ø
    in the update script as a command (sudo setcap ...<blah>). That didn't ø
    work either, and I think it's because there are weird/complicated things ø
    with 'setuid' and 'inherited' permissions type things in a bash script. ø
    With both of those issues not working, I just manually did the setcap ø
    command after the build was complete, and that works as expected. ø
    ø
    So today I once again used the command on the make line, thus: ø
    ø
    cd /sbbs/repo/src/sbbs3; make RELEASE=1 setcap install ø
    ø
    That *appears* to work, as the relevant make output is this:
    ø
    Linking gcc.linux.x64.exe.release/umonitor ø
    make[1]: Leaving directory '/sbbs/repo/src/sbbs3/umonitor' ø
    sudo `whereis -b setcap | cut -d" " -f2` 'cap_net_bind_service=+ep' ø
    gcc.linux.x64.exe.release/sbbs ø
    install gcc.linux.x64.exe.release/* /sbbs/exec ñ
    install gcc.linux.x64.lib.release/* /sbbs/exec ñ
    install */gcc.linux.x64.exe.release/* /sbbs/exec ñ
    ñ
    (side note: it doesn't prompt me for user password because I have my ø
    user allowed to run all sudo commands without a password). ø
    ø
    The problem is that it.... still doesn't work, 'sbbs' fails to bind to a ø
    low port number. So I started looking closer. In a Linux terminal ø
    window, my files appear in different colors depending on file ø
    extensions, when using the 'ls' command. The executable files in ø
    /sbbs/exec are green, for example. The 'sbbs' executable is green after running the build. If I manually use setcap to give it binding ø
    capabilities, it now shows as black text on a red background, which I'm ø
    sure means it is now considered some kind of "special" file. ø
    However.... the 'sbbs' executable in ø
    /sbbs/repo/src/sbbs3/gcc.linux.x64.exe.release/ is.... RED, even when ø
    the 'sbbs' executable in /sbbs/exec is green (not capable). What's ø
    happening is that the install commands there above that copy the newly ø
    compiled executables to /sbbs/exec remove the special capabilities. ø
    ø
    This problem isn't noticed by those that use 'symlinks' on their make ñ
    line, only when a person uses 'install', because that copies the file ñ
    somewhere else, which apparently breaks the capabilites that it's been ñ
    given.

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net