RemoveSETUID feature (Was: Summary/Minutes from today's FESCo meeting (2010-10-26) NEW TIME!)

Daniel J Walsh dwalsh at
Mon Nov 1 15:04:09 UTC 2010

Hash: SHA1

On 11/01/2010 09:44 AM, Paul Howarth wrote:
> On 29/10/10 04:15, Jason L Tibbitts III wrote:
>>>>>>> "JN" == Joe Nall<joe at>  writes:
>> JN>  On Oct 28, 2010, at 5:08 PM, Richard W.M. Jones wrote:
>>>> More to the point, I can easily see the setuid bit easily on a
>>>> binary.
>>>> How do I tell if these strange/hidden "capabilities" are
>>>> present on a binary?  'ls' doesn't mention anything.
>> JN>  getcap
>> Interesting.  That's in the libcap package, which is sort of oddly named
>> because it includes executables.  And of course it's multilib, but the
>> binaries are arch-specific which I believe is a multilib conflict.
>> Probably needs the executables split out into a libcap-tools packages.
>> I notice that rpm supports that %caps() directive in the %files list to
>> specify capabilities.  I don't recall seeing that before; how long ago
>> did rpm grow support for it?  It looks like it came in around rpm 4.7,
>> so all supported Fedora releases have it.  However, I'm certain it's not
>> in RHEL4 and I'm pretty sure it's not in RHEL5 either, so at least the
>> EPEL folks will need to make a note of it.
> I've just come across another issue with this. I use the "tmpfs" plugin 
> with mock usually, and it appears that tmpfs doesn't support the 
> necessary file capabilities, as I get these errors when setting up the 
> buildroot:
> DEBUG  Error unpacking rpm package 
> iputils-20101006-2.fc15.x86_64
> DEBUG  error: unpacking of archive failed on file 
> /bin/ping: cpio: cap_set_file failed - Operation not supported
> DEBUG  Error unpacking rpm package 
> policycoreutils-2.0.83-32.fc15.x86_64
> DEBUG  error: unpacking of archive failed on file 
> /usr/sbin/seunshare: cpio: cap_set_file failed - Operation not supported
> If I disable the tmpfs plugin, so mock uses the ext3 filesystem I have 
> on /var/lib/mock, the build succeeds. So at least I have a workaround 
> but I'd like to have tmpfs working as it *really* improves performance.
> Paul.
Paul is this because NOSUID is set on tmpfs?
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora -


More information about the devel mailing list