Bug 1550745 - Running `rpm --setugids iputils` removes the capabilities flags from ping, arping and clockdiff
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rpm
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Pavlina Moravcova Varekova
QA Contact: Eva Mrakova
Marie Hornickova
Depends On:
Blocks: 1630909 1630918
Reported: 2018-03-02 00:01 UTC by Trevor Hemsley
Modified: 2019-08-06 13:11 UTC

Fixed In Version: rpm-4.11.3-36.el7
Doc Type: Bug Fix
Doc Text:
The `rpm` command now supports the `--setcaps` and `--restore` options

This update introduces the `--setcaps` and `--restore` options for the `rpm` command. The `--setcaps` option sets the file capabilities of the files in the specified package. The syntax is as follows:

rpm --setcaps _PACKAGE_NAME_

The `--restore` option restores the owner, group, permissions, and capabilities of the files in the specified package. The syntax is as follows:

rpm --restore _PACKAGE_NAME_
Clone Of:
Last Closed: 2019-08-06 13:11:23 UTC
Target Upstream Version:


Related errata:
Red Hat Product Errata RHEA-2019:2259, last updated 2019-08-06 13:11:37 UTC

Description Trevor Hemsley 2018-03-02 00:01:37 UTC
Description of problem:
rpm --setugids removes capabilities from files defined in the rpm spec file

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. rpm -V iputils
2. rpm --setugids iputils
3. rpm -V iputils

Actual results:
[root@centos7 ~]# rpm -V iputils
[root@centos7 ~]# rpm --setugids iputils
[root@centos7 ~]# rpm -V iputils
........P    /usr/bin/ping
........P    /usr/sbin/arping
........P    /usr/sbin/clockdiff
[root@centos7 ~]# 

Expected results:
Capabilities flags as defined in the rpm spec file should be preserved by rpm when resetting user/group ownership of files in the given package. Using rpm --setperms is fine but --setugids appears broken. Removing these capabilities from those executables means they no longer function correctly.

Additional info:

Comment 2 Panu Matilainen 2018-03-02 07:54:58 UTC
Yes, --setugids strips suid/sgid bits and capabilities, just like chown/chgrp do, because that's all --setugids does. Because of that, you need to run --setperms afterwards, but that's not capability-aware and there's no --setcaps at all.
So this is actually expected behavior from the implementation POV; user expectations may differ...

--setugids and --setperms seemed like nifty tricks with popt back at the turn of the millennium; these days people expect more, and there's a growing list of bugs and RFEs, all of which require reimplementing the simplistic popt hack with an actual C implementation. Very unlikely to happen in RHEL 7, though; --setcaps or such might be doable.

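A check and workaround for the behaviour described in Comment 2, written for this page as an added example; it is not code from rpm or from any participant in the bug. It pulls the capabilities recorded in the rpm database with the real `FILENAMES` and `FILECAPS` query tags and re-applies them with `setcap` after `--setugids` and `--setperms`. The order matters: `--setugids` is a chown/chgrp, and the kernel clears `security.capability` (and the suid/sgid bits) when a file's ownership changes, so capabilities have to be restored last. It also filters `rpm -V` output for the `P` flag (ninth column, capabilities differ), which is what the reporter saw. The function names, the `RESTORE_CAPS_PKG` variable and the sample lines in the comments are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this bug, not code from rpm or from the bug's participants.
# Workaround for rpm builds without --setcaps/--restore: re-apply the file
# capabilities stored in the rpm database after `rpm --setugids` stripped them.
# Real rpm pieces used: the FILENAMES/FILECAPS query tags and the `rpm -V` P flag.
# Assumed for the example: the function names and the RESTORE_CAPS_PKG variable.
set -eu

# Emit "path<TAB>caps" for every file in the package; caps is empty for files
# the spec did not mark with %caps(...).
query_caps() {
    rpm -q --queryformat '[%{FILENAMES}\t%{FILECAPS}\n]' "$1"
}

# Turn "path<TAB>caps" lines into one setcap command per capability-bearing file.
# Pure text transform, so the commands can be reviewed before they are run.
# Constructed input line:  /usr/bin/ping<TAB>cap_net_admin,cap_net_raw+p
# produces:                setcap "cap_net_admin,cap_net_raw+p" "/usr/bin/ping"
caps_to_setcap_cmds() {
    awk -F '\t' '$2 != "" { printf "setcap \"%s\" \"%s\"\n", $2, $1 }'
}

# From `rpm -V` output, print the files whose capabilities differ from the
# package's: the ninth flag column is P in that case, the path is the last field.
verify_caps_drift() {
    awk 'substr($1, 9, 1) == "P" { print $NF }'
}

# Re-apply the recorded capabilities for one package.
restore_caps() {
    query_caps "$1" | caps_to_setcap_cmds | sh -e
}

# Full reset of a package's file ownership, modes and capabilities, in the order
# that matters: chown (what --setugids does) drops security.capability and the
# suid/sgid bits, so modes and caps must be restored after it, caps last.
reset_package_file_attrs() {
    pkg=$1
    rpm --setugids "$pkg"
    rpm --setperms "$pkg"
    restore_caps "$pkg"
    # Any path printed here still has a capability mismatch.
    rpm -V "$pkg" | verify_caps_drift
}

# Example invocation: RESTORE_CAPS_PKG=iputils sh restore_caps.sh
if [ -n "${RESTORE_CAPS_PKG:-}" ]; then
    reset_package_file_attrs "$RESTORE_CAPS_PKG"
fi
```

On rpm-4.11.3-36.el7 and later (the Fixed In Version above), `rpm --restore iputils` does the same owner/group/mode/capability reset in one step, and `rpm --setcaps iputils` covers just the capability part; the script is for hosts still on older rpm builds.
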
Comment 3 Pavlina Moravcova Varekova 2018-04-30 08:05:38 UTC
Upstream commit here:

Comment 4 Pavlina Moravcova Varekova 2018-11-05 11:28:02 UTC
Fix of the upstream commit:

Comment 18 errata-xmlrpc 2019-08-06 13:11:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

