check_icmp/check_dhcp: Implementing setcap

debian/README.Debian

@@ -65,14 +65,20 @@ example if you're installing nrpe or nsca on a remote host), try the
 monitoring-plugins-basic package.
 
 ================================================================================
-plugins needing root privilege
+plugins needing root privilege or capabilities(7) set
 ================================================================================
 
-the check_dhcp, check_icmp and maybe others plugins require root privileges to
-run, because of the low-level packet mangling that they perform.
-but, in the interest of the "safe default", these plugins will not
-be installed with the suid bit set.  there are two recommended ways
-about overriding this on your system:
+the check_dhcp, check_icmp and maybe others plugins require root privileges or
+capabilities(7) to run, because of the low-level packet mangling that they
+perform. but, in the interest of the "safe default", these plugins will not
+be installed with the suid bit set.
+if setcap is able set the necessary capabilities, you are fine. if the setcap
+binary is not installed or not able to set the capabilities, you need to
+eighter set the capabilities (cap_net_raw+ep) for your own or provide root
+privileges.
+
+there are two recommended ways about providing root privilegethis on your
+system:
 
 - set the suid bit with dpkg-statoverride:
 

debian/control

@@ -38,6 +38,7 @@ Description: Common files for plugins for nagios compatible monitoring
 Package: monitoring-plugins-basic
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}, monitoring-plugins-common, procps, iputils-ping [linux-any], inetutils-ping (>= 2:1.9-1~) [kfreebsd-any hurd-any], ucf
+Recommends: libcap2-bin [linux-any]
 Replaces: nagios-plugins-basic (<< 1.6-1~)
 Breaks: nagios-plugins-basic (<< 1.6-1~)
 Suggests: nagios3 | icinga

debian/monitoring-plugins-basic.postinst

@@ -4,9 +4,26 @@ set -e
 
 templdir=/usr/share/monitoring-plugins/templates-basic
 . /usr/share/monitoring-plugins/dpkg/functions
+plugindir=/usr/lib/nagios/plugins/
 
 if [ "$1" = "configure" ]; then
 	register_cfgs $2
+
+	# If we have setcap is installed, try setting cap_net_raw+ep,
+	# which allows us to make our binaries working without the
+        # setuid bit
+	if command -v setcap > /dev/null; then
+		if setcap cap_net_raw+ep ${plugindir}/check_icmp cap_net_raw+ep ${plugindir}/check_dhcp; then
+			echo "Setcap for check_icmp and check_dhcp worked!"
+		else
+			echo "Setcap for check_icmp and check_dhcp failed." >&2
+			echo "Please refer README.Debian.gz for using plugins needing" >&2
+			echo "higher privileges!" >&2
+		fi
+	else
+		echo "Setcap is not installed, please refer README.Debian.gz for using" >&2
+		echo "plugins needing higher privileges!" >&2
+	fi
 fi
 
 #DEBHELPER#