Different CapBnd with libcap-ng

[mruprich]

Probably not a bug, I just wanted to ask this question. Having libcap-ng when building tcpdump means that when privileges are dropped, CapBnd are different than when libcap-ng is not in the system. Basically when using just initgroups and setgid and setuid, CapBnd are 000001ffffffffff, with libcap-ng are all zeroed out.

I am not sure whether I should expect both cases to have the same CapBnd or is it just that without libcap-ng it is much more complicated to drop the Bnd?

Thanks,
Michal

[infrastation]

At a glance this difference does not immediately look out of place: if it was practicable to drop as many privileges without the library, it would likely be already done without the library. Of course, it would take a longer look into the documentation to tell with confidence.

[mruprich]

@infrastation Hi, thanks, so do I understand this correctly, that the situation with libcap-ng is actually better because more privileges are dropped and that is desirable?

[infrastation]

That's my understanding, although I cannot recall a use case that would require me to flex or to verify individual capabilities. @msekletar added support for libcap-ng 10 years ago in commit 19bb00a, it was refined a number of times since then.