Adding upstream version 1:2.3.19.1+dfsg1.upstream/1%2.3.19.1+dfsg1upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 35 insertions, 0 deletions

diff --git a/src/master/capabilities-posix.c b/src/master/capabilities-posix.c
new file mode 100644
index 0000000..666b072
--- /dev/null
+++ b/src/master/capabilities-posix.c
@@ -0,0 +1,35 @@
+/* Copyright (c) 2013-2018 Dovecot authors, see the included COPYING file */
+
+#include "common.h"
+#include "capabilities.h"
+
+#ifdef HAVE_LIBCAP
+
+#include <sys/capability.h>
+
+void drop_capabilities(void)
+{
+	/* the capabilities that we *need* in order to operate */
+	static cap_value_t suidcaps[] = {
+		CAP_CHOWN,
+		CAP_KILL,
+		CAP_SYS_CHROOT,
+		CAP_SETUID,
+		CAP_SETGID,
+		CAP_NET_BIND_SERVICE,
+		/* we may want to open any config/log files */
+		CAP_DAC_OVERRIDE
+	};
+	cap_t caps;
+
+	caps = cap_init();
+	cap_clear(caps);
+	cap_set_flag(caps, CAP_PERMITTED,
+		     N_ELEMENTS(suidcaps), suidcaps, CAP_SET);
+	cap_set_flag(caps, CAP_EFFECTIVE,
+		     N_ELEMENTS(suidcaps), suidcaps, CAP_SET);
+	cap_set_proc(caps);
+	cap_free(caps);
+}
+
+#endif