Post date: Oct 25, 2008 11:07:11 PM
capsh now has a --decode=XXX option (use this to make sense of the capability sets you can see in /proc/<PID>/status)
$ grep Cap /proc/$$/status
CapInh: 0000000080000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
$ capsh --decode=0000000080000000
0x0000000080000000=cap_setfcap
$
setcap binary now has a -v option (use this to verify that the capabilities on a file match what you would expect)
$ getcap setcap
setcap = cap_setfcap+i
$ setcap -v cap_setfcap=i setcap
setcap: OK
$
("= cap_setfcap+i" is equivalent to "cap_setfcap=i", read more about this with, man 3 cap_from_text .)
Following a suggestion from the Slackware folk (Thanks Robby Workman for pointing out Pat's change). For non-development build trees (with no .git directory), link the progs/ files dynamically - they will work after they are installed. To override this behavior, you can be explicit on the make command line as follows:
to build the programs statically (they can be used stand alone):
$ make distclean ; make DYNAMIC=no
to build the programs dynamically (they will only work correctly when installed):
$ make distclean ; make DYNAMIC=yes
Documentation fix in cap_clear(3) for CAP_DIFFERS(), namely a non-zero value implies a difference exists.