use CAP_NET_RAW instead of global setuid bit

All of the binaries call desuid() as soon as they've created an AF_PACKET socket, which is fine for security, but there's no reason to give them root in the first place.
author: Mantas Mikulėnas 2022-02-23 16:02:06 +0200
committer: Mantas Mikulėnas 2022-02-23 16:02:06 +0200
commit: 99f0175601e0b1e05cdce910463ed410ad1be4b1 (patch)
tree: 5c4218fa3205ec77a2974ef1eb57857fadcf900c /PKGBUILD
parent: 3291045d7fb27b88c66e4bf8be6bd525fa605686 (diff)
download: aur-99f0175601e0b1e05cdce910463ed410ad1be4b1.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/PKGBUILD b/PKGBUILD
index 5b255e4d14d1..3af33d1a4202 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Mantas Mikulėnas <grawity@gmail.com>
 pkgname=open-plc-utils
 pkgver=r524.gbb50f635
-pkgrel=2
+pkgrel=3
 pkgdesc="Qualcomm Atheros Open Powerline Toolkit for HomePlug AV"
 arch=(i686 x86_64)
 url=https://github.com/qca/open-plc-utils
@@ -29,6 +29,11 @@ package() {
   install -D -m 644 LICENSE "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
   mkdir -p "$pkgdir"/usr/share/doc/$pkgname
   cp -av docbook "$pkgdir"/usr/share/doc/$pkgname/docbook
+
+  # Make the binaries look less scary in `ls`
+  find "$pkgdir"/usr/bin -type f -perm /u+s,g+s \
+    -exec chmod -c u-s {} \; \
+    -exec setcap cap_net_raw=ep {} \;
 }
 
 # vim: ts=2:sw=2:et:
author	Mantas Mikulėnas	2022-02-23 16:02:06 +0200
committer	Mantas Mikulėnas	2022-02-23 16:02:06 +0200
commit	99f0175601e0b1e05cdce910463ed410ad1be4b1 (patch)
tree	5c4218fa3205ec77a2974ef1eb57857fadcf900c /PKGBUILD
parent	3291045d7fb27b88c66e4bf8be6bd525fa605686 (diff)
download	aur-99f0175601e0b1e05cdce910463ed410ad1be4b1.tar.gz