implement --enable-fcaps=yes

autogen.sh

@@ -9,4 +9,5 @@ autoreconf -v -f --install || exit 1
 	--disable-shared \
 	--without-libpam \
 	--with-selinux \
+        --enable-fcaps=auto \
 	"$@"

configure.ac

@@ -357,6 +357,24 @@ if test "$enable_subids" != "no"; then
 fi
 AM_CONDITIONAL(ENABLE_SUBIDS, test "x$enable_subids" != "xno")
 
+AC_ARG_ENABLE(fcaps,
+	[AC_HELP_STRING([--enable-fcaps],
+		[use file capabilities for newuidmap@<:@default=yes@:>@])],
+	[enable_fcaps="${enableval}"],
+	[enable_fcaps="maybe"]
+)
+
+if test "$enable_fcaps" != "no"; then
+	AC_CHECK_PROGS(capcmd, "setcap")
+	if test "x$capcmd" = "x" ; then
+		if test "x$enable_fcaps" = "xyes" ; then
+			AC_MSG_ERROR([setcap command not available])
+		fi
+		enable_fcaps="no"
+	fi
+fi
+AM_CONDITIONAL(ENABLE_FCAPS, test "x$enable_fcaps" != "xno")
+
 AC_SUBST(LIBCRYPT)
 AC_CHECK_LIB(crypt, crypt, [LIBCRYPT=-lcrypt],
 	[AC_MSG_ERROR([crypt() not found])])

src/Makefile.am

@@ -52,6 +52,7 @@ usbin_PROGRAMS = \
 # id and groups are from gnu, sulogin from sysvinit
 noinst_PROGRAMS = id sulogin
 
+fcapubins      =
 suidbins       = su
 suidubins      = chage chfn chsh expiry gpasswd newgrp
 if !WITH_TCB
@@ -61,8 +62,12 @@ if ACCT_TOOLS_SETUID
 suidubins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
 endif
 if ENABLE_SUBIDS
+if ENABLE_FCAPS
+fcapubins += newgidmap newuidmap
+else
 suidubins += newgidmap newuidmap
 endif
+endif
 
 if WITH_TCB
 shadowsgidubins = passwd
@@ -129,6 +134,9 @@ install-am: all-am
 	for i in $(suidbins); do \
 		chmod $(suidperms) $(DESTDIR)$(bindir)/$$i; \
 	done
+	for i in $(fcapubins); do \
+		setcap cap_setuid,cap_setgid=pe $(DESTDIR)$(ubindir)/$$i; \
+	done
 	for i in $(suidubins); do \
 		chmod $(suidperms) $(DESTDIR)$(ubindir)/$$i; \
 	done