From b5ea00158d6a0437919d08604660af4dd6acfe7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Mon, 2 Jul 2018 08:47:32 +0200
Subject: [PATCH] Improve documentation and error messages when libcap is not
 available

---
 CHANGES           |  4 +++-
 configure         |  6 ++++--
 configure.in      |  6 ++++--
 doc/arm/notes.xml | 11 +++++++++++
 4 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 8e40250b07..63f92e5ea9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,6 @@
-4986.	[func]		Linux capabilities now require libcap library.
+4986.	[func]		When built on Linux, BIND now requires the libcap library
+			to set process privileges, unless capability support is
+			explicitly overridden with "configure --disable-linux-caps".
 			[GL #321]
 
 4985.	[func]		Add a new slave zone option, "mirror", to enable
diff --git a/configure b/configure
index 516c59017b..f5c42c90dc 100755
--- a/configure
+++ b/configure
@@ -19825,7 +19825,8 @@ if test "x$ac_cv_header_sys_capability_h" = xyes; then :
 _ACEOF
 
 else
-  as_fn_error $? "sys/capability.h header is required for Linux capabilities support" "$LINENO" 5
+  as_fn_error $? "sys/capability.h header is required for Linux capabilities support.
+Either install libcap or use --disable-linux-caps." "$LINENO" 5
 fi
 
 done
@@ -19886,7 +19887,8 @@ if test "$ac_res" != no; then :
   test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
   LIBCAP_LIBS="$ac_cv_search_cap_set_proc"
 else
-  as_fn_error $? "libcap is required for Linux capabilities support" "$LINENO" 5
+  as_fn_error $? "libcap is required for Linux capabilities support.
+Either install libcap or use --disable-linux-caps." "$LINENO" 5
 fi
 
        LIBS="$save_LIBS"
diff --git a/configure.in b/configure.in
index 60168f5f48..464febe0ce 100644
--- a/configure.in
+++ b/configure.in
@@ -3585,11 +3585,13 @@ AS_IF([test "$enable_linux_caps" = "yes"],
       [AC_MSG_RESULT([yes])
        AC_CHECK_HEADERS([sys/capability.h],
 			[],
-			[AC_MSG_ERROR([sys/capability.h header is required for Linux capabilities support])])
+			[AC_MSG_ERROR([sys/capability.h header is required for Linux capabilities support.
+Either install libcap or use --disable-linux-caps.])])
        save_LIBS="$LIBS"
        AC_SEARCH_LIBS([cap_set_proc], [cap],
 		      [LIBCAP_LIBS="$ac_cv_search_cap_set_proc"],
-		      [AC_MSG_ERROR([libcap is required for Linux capabilities support])])
+		      [AC_MSG_ERROR([libcap is required for Linux capabilities support.
+Either install libcap or use --disable-linux-caps.])])
        LIBS="$save_LIBS"],
       [AC_MSG_RESULT([no])])
 AC_SUBST([LIBCAP_LIBS])
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index bf7406144d..336d51ca03 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -119,6 +119,17 @@
 	  setting might change to <command>strict</command> in the future.
 	</para>
       </listitem>
+      <listitem>
+	<para>
+	  When built on Linux, BIND now requires the <command>libcap</command>
+	  library to set process privileges.  The adds a new compile-time
+	  dependency, which can be met on most Linux platforms by installing the
+	  <command>libcap-dev</command> or <command>libcap-devel</command>
+	  package. BIND can also be built without capability support by using
+	  <command>configure --disable-linux-caps</command>, at the cost of some
+	  loss of security.
+	</para>
+      </listitem>
     </itemizedlist>
   </section>