I intend to take a look later at setting capabilities directly from the IDE. I'm unsure of the exact incantation, but in principle it should be possible to bless the IDE with the capability of running setcap which could then assign capabilities to a newly-built program without a password prompt. An IDE extension could obviously do it more cleanly.
https://unix.stackexchange.com/questions/106336/unable-to-set-capability-cap-setfcap-by-user
https://unix.stackexchange.com/questions/128394/passing-capabilities-through-exec
(Later)
If a copy of setcap is blessed with CAP_SETFCAP, then any user that can run it (e.g. controlled by group membership) can set arbitrary privileges on other binaries:
$ sudo setcap CAP_SETFCAP=p+e ./setcap2
$ rm scratch
$ cp -p Watch-x86_64-linux-gtk2 scratch
$ /usr/sbin/getcap scratch
$ ./setcap2 CAP_DAC_OVERRIDE,CAP_NET_BIND_SERVICE=p+e scratch
$ /usr/sbin/getcap scratch
scratch = cap_dac_override,cap_net_bind_service+ep
The two capabilities that I've assigned to the scratch binary will allow it to create a unix domain socket in /var/run, and to create a low-numbered UDP socket.
I think that it should be possible to fudge something like blessing both the Lazarus IDE and setcap with an inheritable CAP_SETFCAP, but I haven't worked the detail out yet. To be honest I think I'm more comfortable with the idea that there should be a blessed copy of setcap runnable by only development users than I am with the idea of having the main copy semi-blessed and at risk of compromising the system if run by anybody who can himself gain a bit of extra privilege by subterfuge.
But the best solution might still be running under kdesudo/gksu provided that it's available, since prompting the developer occasionally for confirmation that this is actually what he wants is probably no bad thing.
MarkMLl
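As an added example (not part of the original post), this is a check that reads `getcap` output, picks out binaries blessed with CAP_SETFCAP, and reports whether the execute restriction the post relies on is actually in force. The function name `flag_setfcap_holders` is made up for illustration, and the live-system invocation in the final comment assumes libcap's `getcap -r`.

```shell
#!/bin/sh
# Added example: flag binaries holding cap_setfcap that anyone may execute.
# Reads `getcap` output on stdin; both output styles are accepted:
#   older libcap:  /path = cap_setfcap+ep
#   newer libcap:  /path cap_setfcap=ep
flag_setfcap_holders() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        caps=${line##* }          # last field: the capability string
        path=${line% *}           # everything before it (may contain spaces)
        path=${path% =}           # drop the " =" separator of older getcap
        case "$caps" in
            *cap_setfcap*) ;;     # holder of CAP_SETFCAP: inspect it
            *) continue ;;        # other capabilities are out of scope here
        esac
        # -perm -001: the "other" execute bit is set, so group membership
        # does not gate who can run this binary.
        if [ -n "$(find "$path" -prune -perm -001 2>/dev/null)" ]; then
            echo "WORLD-EXEC $path"
        else
            echo "RESTRICTED $path"
        fi
    done
}

# Typical use on a live system (needs read access to the scanned tree):
#   getcap -r / 2>/dev/null | flag_setfcap_holders
```

A WORLD-EXEC line means the blessed copy can be run by every local account; the usual correction is to give it a dedicated group and mode 750 so that only development users can execute it.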