yggdrasil: setpriv: libcap-ng is too old for "all" caps #26188

Closed
whoizit opened this issue Nov 6, 2020 · 7 comments

Comments

@whoizit
Contributor

whoizit commented Nov 6, 2020

System

  • xuname:
    output of xuname (part of xtools)
~ $ xuname 
Do you want to import this public key? [Y/n] Y
Void 5.8.18_1 x86_64 AuthenticAMD notuptodate rF
  • package:
    affected package(s) including the version: xbps-query -p pkgver <pkgname>
    yggdrasil-0.3.14_2

Expected behavior

Actual behavior

Steps to reproduce the behavior

~ $ doas /etc/sv/yggdrasil/run 
setpriv: libcap-ng is too old for "all" caps
~ $ xrs libcap
[*] libcap-2.45_1           POSIX.1e capabilities suite
[-] libcap-devel-2.45_1     POSIX.1e capabilities suite - development files
[*] libcap-ng-0.8_2         Alternate POSIX capabilities library
[-] libcap-ng-devel-0.8_2   Alternate POSIX capabilities library - development files
[-] libcap-ng-progs-0.8_2   Alternate POSIX capabilities library - utilities
[-] libcap-ng-python-0.8_2  Alternate POSIX capabilities library - transitional dummy pkg
[-] libcap-ng-python3-0.8_2 Alternate POSIX capabilities library - Python3 bindings
[-] libcap-pam-2.34_1       POSIX.1e capabilities suite - PAM module
[*] libcap-progs-2.45_1     POSIX.1e capabilities suite - utilities
@Piraty
Member

Piraty commented Nov 7, 2020

@jcgruenhage

@jcgruenhage
Contributor

The bug is not in yggdrasil or our package. It needs to be fixed by rebuilding some lib with newer kernel headers, but tbh, I don't know enough about that.

The 0.3.15 update PR disables the dropping of all privileges, which works around this, but it's not merged yet.

@ericonr
Member

ericonr commented Nov 7, 2020

The plan was to wait on the 5.10 release for a new kernel-libc-headers package. We could queue a libcap rebuild then.

@ericonr
Member

ericonr commented Nov 7, 2020

> The bug is not in yggdrasil or our package.

It is our package, more specifically the yggdrasil service.

@jcgruenhage
Contributor

@ericonr Isn't this a bug in util-linux which causes things to break in our service?

@ericonr
Member

ericonr commented Nov 8, 2020

Kinda? I'm not sure if it's a bug or intended, so I reached out to upstream util-linux, which might end up with me reaching out to upstream libcap-ng as well.

But still, we were the ones who added setpriv to the service.

@ericonr
Member

ericonr commented Dec 30, 2020

This has been temporarily fixed; I will see about backporting the util-linux changes so we can re-enable dropping capabilities in the service.
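
One way to check for the condition jcgruenhage's comment points at (a library built against kernel headers older than the running kernel), as an added example that is not part of the issue thread: it assumes the mismatch shows up as the kernel reporting a higher last capability number than `CAP_LAST_CAP` in the headers. The header excerpt and the kernel value 39 are constructed sample inputs, and `header_last_cap`, `unknown_caps` and `demo` are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not from the issue thread.

# Resolve CAP_LAST_CAP in a linux/capability.h-style file to its number.
header_last_cap() {
    awk '
        $1 == "#define" && $2 ~ /^CAP_/ { def[$2] = $3 }
        END {
            v = def["CAP_LAST_CAP"]
            # CAP_LAST_CAP names another CAP_* macro; follow it to a number.
            while ((v in def) && n++ < 8) v = def[v]
            if (v ~ /^[0-9]+$/) print v; else exit 1
        }' "$1"
}

# List capability numbers the kernel has that the headers do not name.
# $1 = kernel's last capability, $2 = headers' CAP_LAST_CAP
unknown_caps() {
    i=$(( $2 + 1 ))
    out=""
    while [ "$i" -le "$1" ]; do
        out="$out${out:+ }$i"
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

demo() {
    hdr=$(mktemp)
    # Constructed header excerpt that predates the capabilities added in Linux 5.8.
    cat > "$hdr" <<'EOF'
#define CAP_BLOCK_SUSPEND    36
#define CAP_AUDIT_READ       37
#define CAP_LAST_CAP         CAP_AUDIT_READ
EOF
    # Constructed value; on a live system read /proc/sys/kernel/cap_last_cap.
    kernel_last=39
    header_last=$(header_last_cap "$hdr")
    rm -f "$hdr"
    missing=$(unknown_caps "$kernel_last" "$header_last")
    if [ -n "$missing" ]; then
        echo "kernel caps unknown to headers: $missing"
    else
        echo "headers cover all kernel caps"
    fi
}

demo
```

On a real system, pass `/usr/include/linux/capability.h` to `header_last_cap` and the content of `/proc/sys/kernel/cap_last_cap` as the first argument of `unknown_caps`.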
