4a2a0337d0
Similar to suid binaries, abuild will now error out if the package includes binaries with setcap(8) capabilities but doesn't have `setcap` in `$options`. This eases identifying packages which ship binaries with extra capabilities.

Furthermore, if these binaries are executable by others, a warning is emitted. This warning could be changed to an error in the future. The recommendation is to make such binaries only executable by owner and group, thereby requiring the system administrator to explicitly add users to a specific group in order to give them access to these capabilities.

See: https://gitlab.alpinelinux.org/alpine/tsc/-/issues/45

Discussion: This change requires abuild to depend on the `libcap` package for the `getcap` binary. It does not seem to be possible at the moment to use scanelf(1) to identify these binaries.
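The policy described in the commit message, sketched as an added example (this is not abuild's own code). The function name `check_caps`, its argument standing in for `$options`, and the sample files are assumptions made for illustration; the function reads `getcap -r` style output on stdin.

```shell
#!/bin/sh
# Added example, not taken from abuild.
# Usage (hypothetical): getcap -r "$pkgdir" | check_caps "$options"
# Prints one finding per line; returns 1 if any file carries capabilities
# while "setcap" is missing from the options string, otherwise 0.
check_caps() {
    opts=" $1 "
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # getcap prints "<path> <caps>" or, in older libcap, "<path> = <caps>".
        file=${line% *}
        file=${file% =}
        case "$opts" in
            *" setcap "*) ;;
            *)
                echo "ERROR: $file has capabilities but setcap is not in options"
                rc=1
                ;;
        esac
        # -perm -0001 matches when the execute bit for "others" is set.
        if [ -n "$(find "$file" -perm -0001 -print 2>/dev/null)" ]; then
            echo "WARNING: $file has capabilities and is executable by others"
        fi
    done
    return "$rc"
}

# Constructed demo: two empty files stand in for packaged binaries, and the
# getcap output lines are written by hand, so no privileges are needed.
d=$(mktemp -d)
touch "$d/ping" "$d/helper"
chmod 0755 "$d/ping"     # executable by others: triggers the warning
chmod 0750 "$d/helper"   # owner and group only: the recommended mode
printf '%s\n' "$d/ping cap_net_raw=ep" "$d/helper = cap_net_admin+ep" |
    check_caps "setcap"
rm -rf "$d"
```
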