Commits (4)
iproute2 (4.16.0-3) unstable; urgency=medium
* Add Russian translation for Debconf template. Thanks Lev Lamberov!
(Closes: #898164)
* Add Portuguese translation for Debconf template. Thanks Portuguese
Translation Team!
(Closes: #898292)
* iproute2.postinst: use setcap -r instead of empty set.
Thanks Mantas Mikulėnas!
* Backport patch to avoid dropping caps if NET_ADMIN is inherited to
avoid breaking applications that set ambient capabilities and then
fork and exec ip.
(Closes: #898015)
* Re-enable pristine-tar (note: needs v1.43).
-- Luca Boccassi <bluca@debian.org> Tue, 15 May 2018 09:46:01 +0100
iproute2 (4.16.0-2) unstable; urgency=medium
* Restrict iproute2 to linux-any
debian-branch = master
upstream-branch = upstream
pristine-tar = False
pristine-tar = True
compression = xz
sign-tags = True
......@@ -14,13 +14,16 @@ case "$1" in
# Allow dpkg-reconfigure to remove caps
if test "$RET" = "true"; then
if ! setcap "cap_dac_override,cap_sys_admin,cap_net_admin=ep" /bin/ip; then
echo "Setcap failed on /bin/ip, ip vrf exec will not be runnable by non-root" >&2
if ! setcap "$CAPS" /bin/ip; then
echo "Setcap failed on /bin/ip, ip vrf exec will not be runnable by non-root" >&2
# setcap -r fails if the xattr is not present
if getcap /bin/ip | grep -qs "/bin/ip"; then
if ! setcap "-r" /bin/ip; then
echo "Setcap -r failed on /bin/ip, could not remove capabilities" >&2
Description: ip: do not drop capabilities if net_admin=i is set
Users have reported a regression due to ip now dropping capabilities
zerotier-one VPN and VirtualBox use ambient capabilities in their
binary and then fork out to ip to set routes and links, and this
does not work anymore.
As a workaround, do not drop caps if CAP_NET_ADMIN (the most common
capability used by ip) is set with the INHERITABLE flag.
Users that want ip vrf exec to work do not need to set INHERITABLE,
which will then only set when the calling program had privileges to
give itself the ambient capability.
Bug: https://bugs.debian.og/898015
Forwarded: https://patchwork.ozlabs.org/patch/911981/
Applied-Upstream: commit: 9b13cc98f5952f62b825461727c8170d37a4037d
Author: Luca Boccassi <bluca@debian.org>
Last-Update: 2018-05-15
--- a/lib/utils.c
+++ b/lib/utils.c
@@ -1492,14 +1492,23 @@ void drop_cap(void)
/* don't harmstring root/sudo */
if (getuid() != 0 && geteuid() != 0) {
cap_t capabilities;
+ cap_value_t net_admin = CAP_NET_ADMIN;
+ cap_flag_t inheritable = CAP_INHERITABLE;
+ cap_flag_value_t is_set;
capabilities = cap_get_proc();
if (!capabilities)
- if (cap_clear(capabilities) != 0)
- if (cap_set_proc(capabilities) != 0)
+ if (cap_get_flag(capabilities, net_admin, inheritable,
+ &is_set) != 0)
+ /* apps with ambient caps can fork and call ip */
+ if (is_set == CAP_CLEAR) {
+ if (cap_clear(capabilities) != 0)
+ if (cap_set_proc(capabilities) != 0)
+ }
--- a/man/man8/ip-vrf.8
+++ b/man/man8/ip-vrf.8
@@ -70,6 +70,10 @@ This command also requires to be ran as
CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities. If built with libcap and if
capabilities are added to the ip binary program via setcap, the program will
drop them as the first thing when invoked, unless the command is vrf exec.
+NOTE: capabilities will NOT be dropped if CAP_NET_ADMIN is set to INHERITABLE
+to avoid breaking programs with ambient capabilities that call ip.
+Do not set the INHERITABLE flag on the ip binary itself.
.B ip vrf identify [PID] - Report VRF association for process