--- /dev/null
+Please check http://www.friedhoff.org/posixfilecaps.html to get more
+information on POSIX File Capabilities.
+
+
+Example: how to remove the SUID root bit from /bin/ping?
+--------------------------------------------------------
+
+Make sure you have kernel 2.6.24 or newer you have
+CONFIG_SECURITY_CAPABILITIES and CONFIG_SECURITY_FILE_CAPABILITIES
+enabled. The Debian kernels are fine.
+
+ $ ls -l /bin/ping
+ -rwsr-xr-x 1 root root 30736 2007-01-31 00:10 /bin/ping
+ ^
+That is not good.
+
+ $ sudo chmod 755 /bin/ping
+
+Or use dpkg-statoverride.
+
+ $ ls -l /bin/ping
+ -rwxr-xr-x 1 root root 30736 2007-01-31 00:10 /bin/ping
+
+That is better but ping fails.
+
+ $ ping -c1 localhost
+ ping: icmp open socket: Operation not permitted
+
+Now set the missing capability:
+
+ $ sudo setcap cap_net_raw+ep /bin/ping
+
+... and ping will work again.
+
+ $ ping -c1 localhost
+ PING localhost (127.0.0.1) 56(84) bytes of data.
+ 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.026 ms
+
+ --- localhost ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 0.026/0.026/0.026/0.000 ms
+
+
+
+Torsten Werner
+
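Review bot: The prerequisite sentence "Make sure you have kernel 2.6.24 or newer you have CONFIG_SECURITY_CAPABILITIES ..." has lost its "and", so it reads as one requirement instead of two. The walkthrough also goes straight from "setcap cap_net_raw+ep /bin/ping" to running ping; a "getcap /bin/ping" step in between would let the reader confirm that only cap_net_raw was granted. Since the README presents "chmod 755" first and dpkg-statoverride only as an aside, say which of the two is the recommended way to drop the SUID bit.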
--- /dev/null
+This package uses quilt to modify upstream source code. Please check
+/usr/share/doc/quilt/README.source for more information.
+
+ -- Torsten Werner <twerner@debian.org> Wed, 30 Sep 2009 21:58:13 +0200
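Review bot: "This package uses quilt to modify upstream source code" is out of date for this tree: the changelog entry for 1:2.19-1 converts the package to source format 3.0 and removes quilt from Build-Depends, and the only series entry is commented out. Update the text to describe the 3.0 (quilt) layout, or drop the file.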
--- /dev/null
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.36.
+.TH CAPSH "8" "September 2009" "capsh 2.17" "System Administration Utilities"
+.SH NAME
+capsh \- 'bash' wrapper to raise and lower the bset and pI capabilities
+.SH DESCRIPTION
+\fB/sbin/capsh\fR [args ...]
+.TP
+\fB\-\-help\fR
+this message
+.TP
+\fB\-\-print\fR
+display capability relevant state
+.TP
+\fB\-\-decode\fR=\fIxxx\fR
+decode a hex string to a list of caps
+.TP
+\fB\-\-drop\fR=\fIxxx\fR
+remove xxx,.. capabilities from bset
+.TP
+\fB\-\-caps\fR=\fIxxx\fR
+set caps as per cap_from_text()
+.TP
+\fB\-\-inh\fR=\fIxxx\fR
+set xxx,.. inheritiable set
+.TP
+\fB\-\-secbits=\fR<n>
+write a new value for securebits
+.TP
+\fB\-\-keep=\fR<n>
+set keep\-capabability bit to <n>
+.TP
+\fB\-\-uid=\fR<n>
+set uid to <n> (hint: id <username>)
+.TP
+\fB\-\-chroot\fR=\fIpath\fR
+chroot(2) to this path to invoke bash
+.TP
+\fB\-\-killit=\fR<n>
+send signal(n) to child
+.TP
+\fB\-\-forkfor=\fR<n>
+fork and make child sleep for <n> sec
+.TP
+\fB==\fR
+re\-exec(capsh) with args as for \fB\-\-\fR
+.TP
+\fB\-\-\fR
+remaing arguments are for /bin/bash
+(without \fB\-\-\fR [/sbin/capsh] will simply exit(0))
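Review bot: The option descriptions carry three typos, "inheritiable" (--inh), "capabability" (--keep) and "remaing" (--), and the .TH line says "capsh 2.17" while this package is 2.21. The header says the file was generated by help2man, so correct the wording in capsh's own --help text and regenerate against the 2.21 binary instead of editing this file by hand.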
--- /dev/null
+libcap2 (1:2.21-1slp2+s3) unstable; urgency=low
+
+ * Revert to version with dependency on indent
+
+ -- Mike McCormack <mj.mccormack@samsung.com> Thu, 16 Jun 2011 10:34:19 +0900
+
+libcap2 (1:2.21-1slp2+s1) unstable; urgency=low
+
+ * Disable dependencies on pam.
+ * Set SLP package maintainers.
+
+ -- Rafal Krypa <r.krypa@samsung.com> Tue, 24 May 2011 12:48:39 +0200
+
+libcap2 (1:2.21-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/patches/0001-fix-Makefiles.patch: link pam_cap against -lpam.
+ (Closes: #591410) (LP: #582769)
+
+ -- Serge Hallyn <serge.hallyn@ubuntu.com> Fri, 20 May 2011 08:28:55 -0500
+
+libcap2 (1:2.20-1) unstable; urgency=low
+
+ * New upstream release.
+ * Remove all patches because they have been included upstream.
+
+ -- Torsten Werner <twerner@debian.org> Fri, 11 Feb 2011 20:31:45 +0100
+
+libcap2 (1:2.19-3) unstable; urgency=high
+
+ * Add a versioned dependency on libpam-runtime to libcap2-bin because
+ pam-auth-update is needed in postinst. (Closes: #593250)
+ * Set urgency to high because we are fixing a RC bug.
+
+ -- Torsten Werner <twerner@debian.org> Mon, 16 Aug 2010 23:13:50 +0200
+
+libcap2 (1:2.19-2) unstable; urgency=medium
+
+ * Add -lpam to LDLIBS. Thanks to Sebastian Ramacher for suggesting the patch!
+ (Closes: 591410)
+ * Set urgency to medium.
+ * Improve patch description.
+
+ -- Torsten Werner <twerner@debian.org> Wed, 04 Aug 2010 05:22:23 +0200
+
+libcap2 (1:2.19-1) unstable; urgency=low
+
+ [ Kees Cook ]
+ * Add pam_cap.so to the default PAM auth stack. (Closes: #573089)
+
+ [ Torsten Werner ]
+ * New upstream release.
+ * Convert package to source format 3.0.
+ * Remove quilt from Build-Depends.
+ * Add static library to -dev package. Thanks to Stephan Sürken. (Closes:
+ #589840)
+ * Fix typo in Description. Thanks to Pascal De Vuyst. (Closes: #557496)
+ * Add a patch to fix the man page cap_from_text(3). Thanks to Roland
+ Koebler. (Closes: #567350)
+ * Update Standards-Version: 3.9.0 (no changes).
+
+ -- Torsten Werner <twerner@debian.org> Thu, 22 Jul 2010 23:50:25 +0200
+
+libcap2 (1:2.17-2) unstable; urgency=low
+
+ * Explain in the long description of the -bin package that the manpage
+ cap_from_text(3) is part of -dev package. (Closes: #548080)
+
+ -- Torsten Werner <twerner@debian.org> Sun, 18 Oct 2009 19:55:39 +0200
+
+libcap2 (1:2.17-1) unstable; urgency=low
+
+ * new upstream release
+ * Switch from cdbs to dh.
+ * Update Standards-Version: 3.8.3 (no changes).
+ * Use gbp-pq to edit quilt patch.
+ * Change Build-Depends: debhelper (>= 7.0.50~).
+ * Add README.source.
+ * Add man page capsh.8.
+
+ -- Torsten Werner <twerner@debian.org> Wed, 30 Sep 2009 22:26:51 +0200
+
+libcap2 (1:2.16-5) unstable; urgency=low
+
+ * Remove reference to kernel version 2.2 in debian/control. (Closes:
+ #260005)
+ * Add Suggests: libcap-dev to binary package libcap2-bin. (Closes: #433782)
+
+ -- Torsten Werner <twerner@debian.org> Wed, 01 Apr 2009 23:32:37 +0200
+
+libcap2 (1:2.16-4) unstable; urgency=low
+
+ * Add Conflicts: and Replaces: libcap2-dev to binary package libcap-dev.
+ * Add epoch to version number because the old package had an epoch.
+ * Add missing files to package libcap-dev which got lost in the previous
+ version.
+
+ -- Torsten Werner <twerner@debian.org> Sun, 22 Mar 2009 21:23:50 +0100
+
+libcap2 (2.16-3) unstable; urgency=low
+
+ * Rename binary package libcap2-dev to libcap-dev as requested by the
+ release team to continue the transition from libcap1. (Closes: #520553)
+ * Add Provides: libcap2-dev to binary package libcap-dev to ease transition
+ from older versions of libcap2.
+ * Remove Conflicts: libcap-dev.
+
+ -- Torsten Werner <twerner@debian.org> Sat, 21 Mar 2009 21:22:24 +0100
+
+libcap2 (2.16-2) unstable; urgency=low
+
+ * upload to unstable
+
+ -- Torsten Werner <twerner@debian.org> Sun, 15 Feb 2009 22:09:04 +0100
+
+libcap2 (2.16-1) experimental; urgency=low
+
+ * new upstream release
+ * Always install libraries into /lib (never /lib64).
+ (Closes: #508315)
+
+ -- Torsten Werner <twerner@debian.org> Sun, 14 Dec 2008 12:24:50 +0100
+
+libcap2 (2.15-3) experimental; urgency=low
+
+ * Set Priority: standard for binary package libcap2. (Closes: #507781)
+
+ -- Torsten Werner <twerner@debian.org> Thu, 04 Dec 2008 14:15:48 +0100
+
+libcap2 (2.15-2) experimental; urgency=low
+
+ * Update shlibs file libcap2 (>= 2.10). (Closes: #464712)
+
+ -- Torsten Werner <twerner@debian.org> Wed, 03 Dec 2008 23:42:19 +0100
+
+libcap2 (2.15-1) experimental; urgency=low
+
+ * new upstream release
+ * Add Homepage header.
+ * Bump Up Standards-Version: 3.8.0.
+ * Update patch build.diff.
+
+ -- Torsten Werner <twerner@debian.org> Mon, 01 Dec 2008 00:26:09 +0100
+
+libcap2 (2.11-2) unstable; urgency=low
+
+ * Call dh_makeshlibs with -V. (Closes: #492467)
+ * Reformat debian/copyright.
+ * Add Build-Depends: libpam0g-dev to build the pam module.
+ * Ship the pam module in the package libcap2-bin.
+
+ -- Torsten Werner <twerner@debian.org> Sat, 26 Jul 2008 15:40:42 +0200
+
+libcap2 (2.11-1) unstable; urgency=low
+
+ * new upstream release
+ * Remove patch bug487223.diff because it is not needed anymore.
+ * Refresh patch build.diff.
+
+ -- Torsten Werner <twerner@debian.org> Thu, 24 Jul 2008 20:42:41 +0200
+
+libcap2 (2.10-3) unstable; urgency=low
+
+ * Add patch from upstream author to fix 'cap_copy_int() always returns NULL
+ (EINVAL)'. (Closes: #487223)
+
+ -- Torsten Werner <twerner@debian.org> Mon, 07 Jul 2008 23:03:52 +0200
+
+libcap2 (2.10-2) unstable; urgency=medium
+
+ * Add Build-Depends: indent because it is needed on alpha. (Closes: #489477)
+ * Set urgency to medium because we are fixing a FTBFS bug.
+
+ -- Torsten Werner <twerner@debian.org> Sun, 06 Jul 2008 11:34:15 +0200
+
+libcap2 (2.10-1) unstable; urgency=low
+
+ * new upstream release
+
+ -- Torsten Werner <twerner@debian.org> Wed, 11 Jun 2008 23:37:06 +0200
+
+libcap2 (2.09-1) unstable; urgency=low
+
+ * new upstream release
+ * Change Priority: optional of package libcap2.
+
+ -- Torsten Werner <twerner@debian.org> Sat, 10 May 2008 11:48:53 +0200
+
+libcap2 (2.08-2) unstable; urgency=low
+
+ * Do not install the old manpages capget(2) and capset(2) because the
+ package manpages-dev ships more recent ones.
+ * Replace Conflicts: manpages-dev by Suggests: manpages-dev.
+ (Closes: #473072)
+
+ -- Torsten Werner <twerner@debian.org> Sat, 29 Mar 2008 10:19:58 +0100
+
+libcap2 (2.08-1) unstable; urgency=low
+
+ * Initial Release. (Closes: #464727)
+
+ -- Torsten Werner <twerner@debian.org> Fri, 21 Mar 2008 16:26:04 +0100
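Review bot: The top entries go from 1:2.21-1slp2+s1 to 1:2.21-1slp2+s3 with no +s2 entry, and +s3 says only "Revert to version with dependency on indent". Add the missing +s2 entry, or state in +s3 what is being reverted, so the history shows what changed between the two uploads.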
--- /dev/null
+Source: libcap2
+Section: libs
+Priority: optional
+Maintainer: Rafal Krypa <r.krypa@samsung.com>, Karol Lewandowski <k.lewandowsk@samsung.com>
+X-Original-Maintainer: Torsten Werner <twerner@debian.org>
+Standards-Version: 3.9.0
+Build-Depends: debhelper (>= 7.0.50~), indent, libattr1-dev
+Homepage: http://sites.google.com/site/fullycapable/
+Vcs-Svn: https://bollin.googlecode.com/svn/libcap2/
+Vcs-Browser: http://bollin.googlecode.com/svn/libcap2/
+
+Package: libcap2-bin
+Section: utils
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Suggests: libcap-dev
+Conflicts: libcap-bin
+Description: basic utility programs for using capabilities
+ This package contains the programs sucap, execap, getpcaps, setpcaps for
+ manipulation of capabilities. The manpages of this package reference the
+ manpage cap_from_text(3) from the libcap-dev package. Please install the
+ libcap-dev package if you need its documentation.
+
+Package: libcap2
+Priority: standard
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: support for getting/setting POSIX.1e capabilities
+ This library implements the user-space interfaces to the POSIX
+ 1003.1e capabilities available in Linux kernels. These capabilities are
+ a partitioning of the all powerful root privilege into a set of distinct
+ privileges.
+
+Package: libcap-dev
+Section: libdevel
+Architecture: any
+Depends: libcap2 (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends}
+Provides: libcap2-dev
+Conflicts: libcap2-dev
+Replaces: libcap2-dev
+Suggests: manpages-dev
+Description: development libraries and header files for libcap2
+ Contains the necessary support for building applications that use
+ capabilities.
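Review bot: In the libcap2-bin stanza, Depends is only "${shlibs:Depends}, ${misc:Depends}", but the changelog entry for 1:2.19-3 records that a versioned libpam-runtime dependency was added because postinst needs pam-auth-update, and postinst still calls it. Either restore that dependency or remove the call together with the PAM pieces. Also check the second Maintainer address, "k.lewandowsk@samsung.com", which looks truncated, and the Description, which lists sucap, execap, getpcaps and setpcaps but not capsh, whose man page this package ships.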
--- /dev/null
+This package was debianized by Torsten Werner <twerner@debian.org> on
+Fri Mar 21 16:35:46 CET 2008 based on the package 'libcap' that is
+maintained by Michael Vogt.
+
+It was downloaded from
+http://www.eu.kernel.org/pub/linux/libs/security/linux-privs/libcap2/
+
+Upstream Author: Andrew G. Morgan <morgan@linux.kernel.org>
+
+Copyright: (c) 1999-2008 Andrew G. Morgan <morgan@linux.kernel.org>
+
+Unless otherwise *explicitly* stated, the following text describes the
+licensed conditions under which the contents of this libcap release
+may be used and distributed:
+
+-------------------------------------------------------------------------
+Redistribution and use in source and binary forms of libcap, with
+or without modification, are permitted provided that the following
+conditions are met:
+
+1. Redistributions of source code must retain any existing copyright
+ notice, and this entire permission notice in its entirety,
+ including the disclaimer of warranties.
+
+2. Redistributions in binary form must reproduce all prior and current
+ copyright notices, this list of conditions, and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+3. The name of any author may not be used to endorse or promote
+ products derived from this software without their specific prior
+ written permission.
+
+ALTERNATIVELY, this product may be distributed under the terms of the
+GNU General Public License, in which case the provisions of the GNU
+GPL are required INSTEAD OF the above restrictions. (This clause is
+necessary due to a potential conflict between the GNU GPL and the
+restrictions contained in a BSD-style copyright.)
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGE.
+-------------------------------------------------------------------------
+
+You can find the GPL in /usr/share/common-licenses/GPL
--- /dev/null
+debian/tmp/usr/include/*
+debian/tmp/lib/lib*.so
+debian/tmp/lib/lib*.a
--- /dev/null
+debian/tmp/usr/share/man/man3/*
--- /dev/null
+#usr/share/pam-configs
+#etc/security
--- /dev/null
+#debian/tmp/lib/security/*
+debian/tmp/sbin/*
+#debian/pam-configs/* usr/share/pam-configs/
+#pam_cap/capability.conf etc/security/
--- /dev/null
+debian/tmp/usr/share/man/man8/*
+debian/capsh.8
--- /dev/null
+#!/bin/sh
+# postinst script for libcap2-bin
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <postinst> `abort-remove'
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ configure|abort-upgrade|abort-remove|abort-deconfigure)
+ pam-auth-update --package
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
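Review bot: "pam-auth-update --package" in the configure branch runs under "set -e", so the whole postinst fails if that command is missing or returns non-zero, yet this package no longer installs a PAM profile (the pam-configs line in the install file is commented out). Drop the call, or guard it with a check that pam-auth-update exists, so a PAM-less image can still configure libcap2-bin.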
--- /dev/null
+#!/bin/sh
+# prerm script for libcap2-bin
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <prerm> `remove'
+# * <old-prerm> `upgrade' <new-version>
+# * <new-prerm> `failed-upgrade' <old-version>
+# * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+# * <deconfigured's-prerm> `deconfigure' `in-favour'
+# <package-being-installed> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ remove)
+ pam-auth-update --package --remove capability
+ ;;
+
+ upgrade|deconfigure|failed-upgrade)
+ ;;
+
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
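Review bot: In the remove branch, "pam-auth-update --package --remove capability" refers to a profile this package does not install, and under "set -e" a failure here aborts prerm and blocks removal of the package. Remove the call along with the rest of the PAM integration, or make it conditional on the profile being present.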
--- /dev/null
+debian/tmp/lib/lib*.so.*
--- /dev/null
+#!/bin/sh -e
+
+# called by uscan with '--upstream-version' <version> <file>
+
+# move to directory 'tarballs'
+if [ -r .svn/deb-layout ]; then
+ . .svn/deb-layout
+ mv $3 $origDir
+ echo "moved $3 to $origDir"
+fi
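Review bot: "mv $3 $origDir" expands both variables unquoted, and origDir is only defined if .svn/deb-layout sets it; an empty origDir makes mv fail (the script runs with sh -e), and a path containing spaces is split into several arguments. Quote both ("$3" and "$origDir") and check that origDir is non-empty before moving the tarball.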
--- /dev/null
+Name: Inheritable Capabilities Management
+Default: yes
+Priority: 0
+Auth-Type: Additional
+Auth-Final:
+ optional pam_cap.so
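Review bot: This profile enables "optional pam_cap.so" with "Default: yes", but the install file leaves both the profile ("#debian/pam-configs/* usr/share/pam-configs/") and the module ("#debian/tmp/lib/security/*") commented out, so the file is never shipped. Delete it from the packaging, or re-enable it only together with the module, since a profile that names a module the package does not install leaves the auth stack pointing at a missing pam_cap.so.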
--- /dev/null
+Description: compile pam_cap with -lpam
+ A similar fix was in Debian but appears to have been accidentally
+ dropped. Drop this one if or when debian gets it back so we can
+ directly sync.
+Author: Andrew Straw <strawman@astraw.com>
+Forwarded: no
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libcap2/+bug/582769
+Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=591410
+
+Index: libcap2-2.20/pam_cap/Makefile
+===================================================================
+--- libcap2-2.20.orig/pam_cap/Makefile 2011-05-10 10:15:02.540359338 -0500
++++ libcap2-2.20/pam_cap/Makefile 2011-05-10 10:15:07.600359338 -0500
+@@ -7,7 +7,7 @@
+ # that this next line does *not* require -lpam on it.) If you think it
+ # does, *verify that it does*, and if you observe that it fails as
+ # written (and you know why it fails), email me and explain why. Thanks!
+-LDLIBS += -L../libcap -lcap
++LDLIBS += -L../libcap -lcap -lpam
+
+ all: pam_cap.so
+ $(MAKE) testcompile
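Review bot: The added "-lpam" on LDLIBS sits directly under an upstream comment saying this line does *not* require -lpam and asking to be emailed if it does, while the header says "Forwarded: no". Forward the failure case upstream as the comment asks and update the Forwarded field. The Index and file paths also still name libcap2-2.20 although the package is 2.21, so refresh the patch if it is meant to apply.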
--- /dev/null
+#0001-fix-Makefiles.patch
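Review bot: The only series entry is commented out ("#0001-fix-Makefiles.patch"), so the patch file added in this change is shipped but never applied. If pam_cap is intentionally not built, remove the patch file too; if it is, enable the entry.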
--- /dev/null
+#!/usr/bin/make -f
+
+%:
+ dh $@
+
+override_dh_auto_install:
+ dh_auto_install -- lib=lib RAISE_SETFCAP=no
+
+override_dh_makeshlibs:
+ dh_makeshlibs -V 'libcap2 (>= 2.10)'
+
+get-orig-source:
+ -uscan --upstream-version 0
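Review bot: Nothing in rules stops the upstream build from entering pam_cap, yet control's Build-Depends does not list libpam0g-dev, which the 2.11-2 changelog entry added specifically to build the PAM module. Confirm the build cannot reach pam_cap without the PAM headers, or skip that directory explicitly in an override. Separately, the leading "-" on "uscan --upstream-version 0" hides a failed download in get-orig-source.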
--- /dev/null
+3.0 (quilt)
--- /dev/null
+version=3
+http://www.eu.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-(.*)\.tar\.gz \
+ debian debian/orig-tar.sh
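Review bot: The upstream URL is plain http and the watch line only hands the tarball to debian/orig-tar.sh, so nothing checks the integrity of what uscan fetches. Use an https location and verify the upstream signature or a pinned checksum before the tarball is moved into place.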
Name: libcap
Version: 2.21
-Release: 2
-VCS: external/libcap#submit/trunk/20121022.071522-2-g987e044673c6ec4df12d1862a80b9a4650499a9b
+Release: 1
Summary: Library for getting and setting POSIX
Source: http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.gz
Url: http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
Group: System/Libraries
BuildRequires: libattr-devel
-Patch0: libcap_aslr_20150407.patch
%description
libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
%prep
%setup -q
-%patch0 -p1 -b .aslr
%build
# libcap can not be build with _smp_mflags:
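Review bot: Release drops from 2 to 1 while Version stays 2.21, so the resulting package sorts older than the one already published and will not be picked up as an upgrade. Keep Release at 2 or bump it, unless a downgrade is intended and handled in the repository.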
+++ /dev/null
-diff -Nur libcap/progs/Makefile libcap_patch/progs/Makefile
---- libcap/progs/Makefile 2015-03-12 09:30:15.313213680 +0900
-+++ libcap_patch/progs/Makefile 2015-04-07 16:28:24.510784418 +0900
-@@ -19,7 +19,7 @@
- all: $(BUILD)
-
- $(BUILD): %: %.o
-- $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LDLIBS)
-+ $(CC) $(CFLAGS) $(LDFLAGS) -pie -o $@ $< $(LDLIBS)
-
- %.o: %.c $(INCS)
- $(CC) $(IPATH) $(CFLAGS) -c $< -o $@
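Review bot: Deleting this file, together with the Patch0 and %patch0 lines in the spec, removes "-pie" from the link line of the progs binaries, and nothing in this change adds it back through CFLAGS or LDFLAGS. If position-independent executables are still wanted for ASLR, carry the option in the build flags (with -fPIE at compile time as well) before dropping the patch; otherwise state in the commit message that the hardening is being removed on purpose.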