On Wed, 2020-11-18 at 14:32 -0500, Steve Grubb wrote:
> On Thursday, November 12, 2020 2:45:41 PM EST Steve Grubb wrote:
> > A new version of libcap-ng is going to be released next week. Normally this
> > isn't newsworthy, nor is this a soname version bump. But it is important
> > to let the broader community know something about it. The behaviour of
> > capng_apply is changing slightly.
> >
> > In the past, capng_apply would silently eat errors when the bounding set
> > could not be changed. In order to change the bounding set, you have to have
> > CAP_SETPCAP. A developer reported an issue in github where their project
> > needed to know that capng_apply was completely successful changing the
> > bounding set. Meaning that they need an error returned. I didn't think too
> > much of it and made the change.
> >
> > Then one day I noticed that I could not update a package against Fedora's
> > git or push a change. Looking into this, I found gnome-keyring was not
> > working. [1] I dug into the source code and found that it was trying to
> > change the bounding set when it had partial capabilities. The fix is to
> > simply verify that you have CAP_SETPCAP before attempting this.
> >
> > I don't know of any other software that is affected. But I wanted to give
> > everyone a heads up before I push it out. I always dogfood libraries I
> > work on, so maybe this is the only issue.
> >
> > Eventually libcap-ng needs to get pushed over to F33 because there is a
> > problem with ambient capabilities that the new release fixes. And speaking
> > of ambient capabilities, the new version of libcap-ng contains a new
> > library libdrop_ambient.so. You can use it with LD_PRELOAD to force an app
> > to drop ambient capabilities leaving the other capabilities intact. All
> > the work is done in the constructor, so no function calls are needed.
>
> Hello,
>
> The new libcap-ng has been built into rawhide.

...and it does break gnome-keyring, and it also breaks cifs-utils (so
you can't mount CIFS/SMB shares), as per this upstream bug report:
https://github.com/stevegrubb/libcap-ng/issues/21
whose reporter also noted what looks like a valid problem in your
gnome-keyring fix.
Was it really necessary to build this when you *knew* a major package
did not work with it? Did you talk to the Workstation folks about
getting the patch applied to gnome-keyring?
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
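The pre-check Steve describes above (confirm CAP_SETPCAP is effective before asking capng_apply to touch the bounding set, now that a failed bounding-set change is reported as an error), as an added C example that is not code from this thread, from gnome-keyring or from libcap-ng. It reads the effective set from /proc/self/status with plain libc instead of libcap-ng's capng_have_capability() so it builds without cap-ng.h; the APPLY_* enum and the function names are stand-ins introduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CAP_SETPCAP is capability number 8 in <linux/capability.h>. */
#define CAP_SETPCAP_BIT 8

/* Local stand-ins (not libcap-ng names) for the capng_select_t value to
 * pass to capng_apply(): CAPNG_SELECT_CAPS vs. CAPNG_SELECT_BOTH. */
enum apply_set { APPLY_CAPS_ONLY, APPLY_CAPS_AND_BOUNDS };

/* Return 1 if capability `cap` is set in the CapEff line of a
 * /proc/<pid>/status text, 0 if it is clear, -1 if no CapEff line exists. */
int effective_has_cap(const char *status_text, int cap)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            /* strtoull skips the tab after the colon; the mask is hex. */
            unsigned long long eff = strtoull(line + 7, NULL, 16);
            return (int)((eff >> cap) & 1ULL);
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Only ask capng_apply() to change the bounding set when CAP_SETPCAP is
 * effective; otherwise the new libcap-ng reports the failed change as an error. */
enum apply_set select_for_apply(const char *status_text)
{
    return effective_has_cap(status_text, CAP_SETPCAP_BIT) == 1
               ? APPLY_CAPS_AND_BOUNDS
               : APPLY_CAPS_ONLY;
}

int main(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");   /* Linux only */
    if (!f) return 1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    puts(select_for_apply(buf) == APPLY_CAPS_AND_BOUNDS
             ? "CAP_SETPCAP effective: CAPNG_SELECT_BOTH is safe"
             : "no CAP_SETPCAP: use CAPNG_SELECT_CAPS and leave the bounding set");
    return 0;
}
```

Run as an unprivileged user it reports the CAPNG_SELECT_CAPS branch; under a capability set that includes CAP_SETPCAP it reports the other.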