meson: prevent use of suid fallback without explicit consent

This caused a surprise since the package providing setcap changed on
alpine linux, and the binary stopped being present in the environment,
causing bst to be setuid root instead of using file capabilities.

.github/workflows/build.yaml

@@ -24,6 +24,6 @@ jobs:
           command -v apk && apk add --no-cache linux-headers scdoc
           command -v apt && apt-get update && apt-get install -y scdoc
           command -v dnf && dnf install -y glibc-static scdoc
-          CPPFLAGS='-Wconversion -pedantic-errors' meson build
+          CPPFLAGS='-Wconversion -pedantic-errors' meson build -Dsuid-fallback=true
           ninja -C build
 

meson.build

@@ -137,6 +137,9 @@ if not get_option('no-setcap-or-suid')
 			meson.add_install_script(sh.path(), '-c', '@0@ @1@ ${MESON_INSTALL_DESTDIR_PREFIX}/bin/@2@'.format(setcap.path(), ','.join(caps) + '=p', bin))
 		endforeach
 	else
+		if not get_option('suid-fallback')
+			error('no setcap program available, and suid-fallback=true was not set')
+		endif
 		chmod = find_program('chmod')
 		foreach bin, _ : capabilities
 			meson.add_install_script(sh.path(), '-c', '@0@ u+s ${MESON_INSTALL_DESTDIR_PREFIX}/bin/@1@'.format(chmod.path(), bin))

meson_options.txt

@@ -2,3 +2,4 @@ option('version', type: 'string', value: '')
 option('tests', type: 'boolean', value: true)
 option('man-pages', type: 'feature', value: 'auto')
 option('no-setcap-or-suid', type: 'boolean', value: false)
+option('suid-fallback', type: 'boolean', value: false)