Hello,
I am running gentoo in an unpriviledged container and this is what I am getting when installing software using portage.
* ERROR: sys-libs/pam-1.3.0-r2::core-kit failed (postinst phase):
* Checking caps 'cap_dac_override=ep' on '/sbin/unix_chkpwd' failed
*
* Call stack:
* ebuild.sh, line 121: Called pkg_postinst
* environment, line 3471: Called fcaps 'cap_dac_override' 'sbin/unix_chkpwd'
* environment, line 1723: Called die
* The specific snippet of code:
* ${cmd}_verify || die "Checking caps '${caps}' on '${file}' failed";
*
* If you need support, post the output of `emerge --info '=sys-libs/pam-1.3.0-r2::core-kit'`,
* the complete build log and the output of `emerge -pqv '=sys-libs/pam-1.3.0-r2::core-kit'`.
* The complete build log is located at '/var/tmp/portage/sys-libs/pam-1.3.0-r2/temp/build.log'.
* The ebuild environment file is located at '/var/tmp/portage/sys-libs/pam-1.3.0-r2/temp/environment'.
* Working directory: '/var/tmp/portage/sys-libs/pam-1.3.0-r2/homedir'
* S: '/var/tmp/portage/sys-libs/pam-1.3.0-r2/work/Linux-PAM-1.3.0'
* FAILED postinst: 1
this is inside the same container:
fun-gnome26-test ~ # capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,"cap_setfcap",cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=
Is this expected? What capabilities are dropped in unprivileged mode?
Thank you for clarifying.
Pavol