Default to installing setcap with an inheritable capability.
For my conveneince, default to installing an inheritable
file capability on setcap when installed. This requires the
process inherit a capability for it to take effect, but that's
what pam_cap is for...
You can disable this install feature with:
make RAISE_SETFCAP=no install
Also, clean up Make files and a test, and add more comments.
The make files needed a fix (remove -lpam from pam_cap/Makefile)
and I've added a number of comments in support of various issues
folk have asked me about.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
diff --git a/Make.Rules b/Make.Rules
index c0f8b55..011aa14 100644
--- a/Make.Rules
+++ b/Make.Rules
@@ -9,6 +9,8 @@
# Autoconf-style prefixes are activated when $(prefix) is defined.
# Otherwise binaries and libraraies are installed in /{lib,sbin}/,
# header files in /usr/include/ and documentation in /usr/man/man?/.
+# These choices are motivated by the fact that getcap and setcap are
+# administrative operations that could be needed to recover a system.
ifndef lib
lib=$(shell ldd /usr/bin/ld|fgrep ld-linux|cut -d/ -f2)
@@ -68,6 +70,16 @@
DYNAMIC := $(shell if [ ! -d "$(topdir)/.git" ]; then echo yes; fi)
LIBATTR := yes
+# When installing setcap, set its inheritable bit to be able to place
+# capabilities on files. It can be used in conjunction with pam_cap
+# (associated with su and certain users say) to make it useful for
+# specially blessed users. If you wish to drop this install feature,
+# use this command when running install
+#
+# make RAISE_SETFCAP=no install
+#
+RAISE_SETFCAP := $(LIBATTR)
+
# Global cleanup stuff
LOCALCLEAN=rm -f *~ core