summaryrefslogtreecommitdiffstats
path: root/src/master/capabilities-posix.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/master/capabilities-posix.c35
1 files changed, 35 insertions, 0 deletions
diff --git a/src/master/capabilities-posix.c b/src/master/capabilities-posix.c
new file mode 100644
index 0000000..666b072
--- /dev/null
+++ b/src/master/capabilities-posix.c
@@ -0,0 +1,35 @@
+/* Copyright (c) 2013-2018 Dovecot authors, see the included COPYING file */
+
+#include "common.h"
+#include "capabilities.h"
+
+#ifdef HAVE_LIBCAP
+
+#include <sys/capability.h>
+
+void drop_capabilities(void)
+{
+ /* the capabilities that we *need* in order to operate */
+ static cap_value_t suidcaps[] = {
+ CAP_CHOWN,
+ CAP_KILL,
+ CAP_SYS_CHROOT,
+ CAP_SETUID,
+ CAP_SETGID,
+ CAP_NET_BIND_SERVICE,
+ /* we may want to open any config/log files */
+ CAP_DAC_OVERRIDE
+ };
+ cap_t caps;
+
+ caps = cap_init();
+ cap_clear(caps);
+ cap_set_flag(caps, CAP_PERMITTED,
+ N_ELEMENTS(suidcaps), suidcaps, CAP_SET);
+ cap_set_flag(caps, CAP_EFFECTIVE,
+ N_ELEMENTS(suidcaps), suidcaps, CAP_SET);
+ cap_set_proc(caps);
+ cap_free(caps);
+}
+
+#endif