Diffstat (limited to '')
-rw-r--r-- | src/master/capabilities-posix.c | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/src/master/capabilities-posix.c b/src/master/capabilities-posix.c
new file mode 100644
index 0000000..666b072
--- /dev/null
+++ b/src/master/capabilities-posix.c
@@ -0,0 +1,35 @@
+/* Copyright (c) 2013-2018 Dovecot authors, see the included COPYING file */
+
+#include "common.h"
+#include "capabilities.h"
+
+#ifdef HAVE_LIBCAP
+
+#include <sys/capability.h>
+
+void drop_capabilities(void)
+{
+ /* the capabilities that we *need* in order to operate */
+ static cap_value_t suidcaps[] = {
+ CAP_CHOWN,
+ CAP_KILL,
+ CAP_SYS_CHROOT,
+ CAP_SETUID,
+ CAP_SETGID,
+ CAP_NET_BIND_SERVICE,
+ /* we may want to open any config/log files */
+ CAP_DAC_OVERRIDE
+ };
+ cap_t caps;
+
+ caps = cap_init();
+ cap_clear(caps);
+ cap_set_flag(caps, CAP_PERMITTED,
+ N_ELEMENTS(suidcaps), suidcaps, CAP_SET);
+ cap_set_flag(caps, CAP_EFFECTIVE,
+ N_ELEMENTS(suidcaps), suidcaps, CAP_SET);
+ cap_set_proc(caps);
+ cap_free(caps);
+}
+
+#endif |
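Review bot: Every libcap call in drop_capabilities() has its return value ignored, so if cap_init() returns NULL or cap_set_proc() fails, the master keeps whatever capability set it started with and nothing is logged. A privilege drop that can fail silently is hard to audit, so each call should be checked and the failure reported. The sketch below fails closed with i_fatal(); if starting under an already-reduced permitted set (where cap_set_proc() would presumably return EPERM) must keep working, log with i_error() instead. cap_clear() is omitted there because cap_init() already returns a state with all flags cleared. The header comment could also say that CAP_DAC_OVERRIDE bypasses file permission checks for all files, not only config and log files.

```c
void drop_capabilities(void)
{
	/* … unchanged: suidcaps[] list … */
	cap_t caps;

	caps = cap_init();
	if (caps == NULL)
		i_fatal("cap_init() failed: %m");
	if (cap_set_flag(caps, CAP_PERMITTED,
			 N_ELEMENTS(suidcaps), suidcaps, CAP_SET) < 0 ||
	    cap_set_flag(caps, CAP_EFFECTIVE,
			 N_ELEMENTS(suidcaps), suidcaps, CAP_SET) < 0)
		i_fatal("cap_set_flag() failed: %m");
	if (cap_set_proc(caps) < 0)
		i_fatal("cap_set_proc() failed: %m");
	cap_free(caps);
}
```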