capset failed: Operation not permitted

Question

capset failed: Operation not permitted

vrutkovs opened this issue 10 years ago · 6 comments

Running on Continuous VM image:

qemux86-64:~$ xdg-app --user install-app test-repo org.gnome.GEdit

Receiving objects: 99% (2102/2103) 237.1 kB/s 11.6 MB          

** (xdg-app install-app:1950): WARNING **: Non-prefixed filename org.gnome.gedit.desktop in app org.gnome.GEdit, ignoring.


** (xdg-app install-app:1950): WARNING **: Non-prefixed filename org.gnome.gedit.service in app org.gnome.GEdit, ignoring.

capset failed: Operation not permitted
capset failed: Operation not permitted
capset failed: Operation not permitted
qemux86-64:~$ xdg-app run org.gnome.GEdit
capset failed: Operation not permitted

Answer 1 · 2015-03-02T10:24:22.000Z

That seems to indicate that the xdg-app-helper binary is not setuid. Can you verify?

Answer 2 · 2015-03-02T10:34:04.000Z

Indeed, its not:
-rwxrwxr-x 3 root root 25408 Jan 1 1970 /usr/bin/xdg-app-helper,
https://git.gnome.org/browse/gnome-continuous/commit/?id=72cb863f5743401164463b1ac2d0696b25efbd31 should fix it

Answer 3 · 2015-03-02T10:40:36.000Z

There is no need for xdg-app itself to be setuid.

Answer 4 · 2015-03-02T11:43:28.000Z

I've realized xdg-app is built with "--with-priv-mode=none". Will try this with '--with-priv-mode=setuid'

Answer 5 · 2015-03-02T12:29:57.000Z

No, that is fine. That is how its meant to work. That does nothing to set priv mode at install time and lets you make it setuid or file-caps on your own.

Answer 6 · 2015-03-02T12:34:22.000Z

Rebuilt xdg-app with correct setuid path and "--with-priv-mode=none" - works now