Bug 1550745

Summary: Running `rpm --setugids iputils` removes the capabilities flags from ping, arping and clockdiff
Product: Red Hat Enterprise Linux 7
Component: rpm
Version: 7.4
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Keywords: Triaged
Reporter: Trevor Hemsley <trevor.hemsley>
Assignee: Pavlina Moravcova Varekova <pmoravco>
QA Contact: Eva Mrakova <emrakova>
Docs Contact: Marie Hornickova <mdolezel>
CC: dmach, emrakova, mdolezel, mdomonko, pasik, pmatilai, pmoravco
Fixed In Version: rpm-4.11.3-36.el7
Doc Type: Bug Fix
Last Closed: 2019-08-06 13:11:23 UTC
Type: Bug
Bug Blocks: 1630909, 1630918

Doc Text:
The `rpm` command now supports the `--setcaps` and `--restore` options

This update introduces the `--setcaps` and `--restore` options for the `rpm` command.

The `--setcaps` option sets capabilities of files in a required package. The syntax is as follows:

    rpm --setcaps _PACKAGE_NAME_

The `--restore` option restores owner, group, permissions, and capabilities of files in a required package. The syntax is as follows:

    rpm --restore _PACKAGE_NAME_

Description Trevor Hemsley 2018-03-02 00:01:37 UTC
Description of problem:
rpm --setugids removes capabilities from files defined in the rpm spec file

Version-Release number of selected component (if applicable):
rpm-4.11.3-25.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. rpm -V iputils
2. rpm --setugids iputils
3. rpm -V iputils

Actual results:
[root@centos7 ~]# rpm -V iputils
[root@centos7 ~]# rpm --setugids iputils
[root@centos7 ~]# rpm -V iputils
........P    /usr/bin/ping
........P    /usr/sbin/arping
........P    /usr/sbin/clockdiff
[root@centos7 ~]# 
 

Expected results:
Capabilities flags as defined in the rpm spec file should be preserved by rpm when resetting user/group ownership of files in the given package. Using rpm --setperms is fine but --setugids appears broken. Removing these capabilities from those executables means they no longer function correctly.

Additional info:

Comment 2 Panu Matilainen 2018-03-02 07:54:58 UTC
Yes, --setugids strips suid/sgid bits and capabilities, just like chown/chgrp do because that's all --setugids does. Because of that, you need to run --setperms afterwards, but that's not capability-aware and there's no --setcaps at all. 
So this is actually expected behavior from the implementation POV, user expectations may differ...

--setugids and --setperms seemed like nifty tricks with popt back in the turn of millennium, these days people expect more and there's a growing list of bugs and RFEs all of which require reimplementing the simplistic popt-hack with an actual C implementation. Very unlikely to happen in RHEL 7 though, --setcaps or such might be doable.
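
The condition described above (an ownership reset leaving package files without the capabilities the package declares) can be detected by comparing the capabilities recorded in the package header with what `getcap` reports. The script below is an added example, not part of this bug report or of rpm; the function names and sample data are constructed, and it assumes the `%{FILECAPS}` query tag and `getcap` output that starts each line with the file path.

```shell
#!/bin/sh
# Added example: list package files whose declared capabilities are missing on disk.

# find_stripped_caps EXPECTED ACTUAL
#   EXPECTED: "path<TAB>caps" lines (caps empty or "(none)" when none declared)
#   ACTUAL:   getcap output, one line per file that currently has capabilities
# Prints every path that should carry capabilities but has none.
# Limitation: paths containing whitespace are not matched in ACTUAL.
find_stripped_caps() {
    printf '%s\n' "$1" | ACTUAL="$2" awk -F '\t' '
        BEGIN {
            n = split(ENVIRON["ACTUAL"], line, "\n")
            for (i = 1; i <= n; i++) {
                split(line[i], f, " ")        # first field is the path
                if (f[1] != "") has[f[1]] = 1
            }
        }
        $2 != "" && $2 != "(none)" && !($1 in has) { print $1 }
    '
}

# Live check on an RPM-based host (needs rpm, getcap and GNU xargs).
check_package() {
    expected=$(rpm -q --qf '[%{FILENAMES}\t%{FILECAPS}\n]' "$1") || return 2
    actual=$(rpm -ql "$1" | xargs -d '\n' getcap 2>/dev/null) || true
    find_stripped_caps "$expected" "$actual"
}

# Constructed sample: what the package declares for four files ...
SAMPLE_EXPECTED=$(printf '%s\t%s\n' \
    /usr/bin/ping '= cap_net_admin,cap_net_raw+p' \
    /usr/sbin/arping '= cap_net_raw+p' \
    /usr/sbin/clockdiff '= cap_net_raw+p' \
    /usr/bin/tracepath '')
# ... and a constructed getcap result where only arping still has its capability.
SAMPLE_ACTUAL='/usr/sbin/arping = cap_net_raw+p'

echo "Files missing declared capabilities (constructed data):"
find_stripped_caps "$SAMPLE_EXPECTED" "$SAMPLE_ACTUAL"
```

On a system with the fixed rpm, any path this reports can be repaired with `rpm --setcaps PACKAGE_NAME` or `rpm --restore PACKAGE_NAME`, as described in the Doc Text.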

Comment 3 Pavlina Moravcova Varekova 2018-04-30 08:05:38 UTC
Upstream commit here:
https://github.com/rpm-software-management/rpm/commit/af1fcf0b0a7c093e3d926680fe73fcf2077fd57c

Comment 4 Pavlina Moravcova Varekova 2018-11-05 11:28:02 UTC
Fix of the upstream commit:
https://github.com/rpm-software-management/rpm/commit/b4178c979fff344a1c5142a305f274dd9aff8f45

Comment 18 errata-xmlrpc 2019-08-06 13:11:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2259