fix capability removal error handling

https://forums.whonix.org/t/disable-suid-binaries/7706/45
This commit is contained in:
Patrick Schleizer 2019-12-23 00:47:49 -05:00
parent b631e2ecd8
commit 17a8c29470
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48

View File

@ -386,10 +386,17 @@ set_file_perms() {
fi fi
if [ "$capability_from_config" = "none" ]; then if [ "$capability_from_config" = "none" ]; then
# sudo setcap -r /usr/bin/ping ## https://forums.whonix.org/t/disable-suid-binaries/7706/45
# sudo setcap -r /usr/bin/ping 2>/dev/null
# Failed to set capabilities on file `/usr/bin/ping' (No data available) # Failed to set capabilities on file `/usr/bin/ping' (No data available)
# The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file # The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
echo_wrapper_audit setcap -r "$fso" ## Therefore use echo_wrapper_ignore.
echo_wrapper_ignore setcap -r "$fso"
getcap_output="$(getcap "$fso")"
if [ ! "$getcap_output" = "" ]; then
echo "ERROR: removing capabilities for fso '$fso' failed!" >&2
continue
fi
else else
if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then
echo "ERROR: capability_from_config '$capability_from_config' does not exist!" >&2 echo "ERROR: capability_from_config '$capability_from_config' does not exist!" >&2