From: Shawn L. <sh...@ch...> - 2013-08-25 17:37:38
From: "Paul Lesniewski" On Sat, Aug 24, 2013 at 7:56 PM, Shawn Landden wrote: This is a great idea, and we really appreciate you providing the patch ready to go. Is this version any different than what you sent to the squirrelmail-devel list yesterday? I changed the error message to say which version the feature appeared in (Linux 3.5)
---
 include/imapproxy.h | 3 +++
 src/becomenonroot.c | 16 +++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/include/imapproxy.h b/include/imapproxy.h
index ce0b13b..aa090c4 100644
--- a/include/imapproxy.h
+++ b/include/imapproxy.h
@@ -152,6 +152,9 @@
 #include
 #endif
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS 38
+#endif
 /*
 * Common definitions
diff --git a/src/becomenonroot.c b/src/becomenonroot.c
index f19a9fb..7399ba8 100644
--- a/src/becomenonroot.c
+++ b/src/becomenonroot.c
@@ -57,6 +57,9 @@
 #if HAVE_UNISTD_H
 #include
 #endif
+#ifdef __linux__
+#include
+#endif
 #include "imapproxy.h"
@@ -185,7 +188,18 @@ extern int BecomeNonRoot( void )
 newuid, strerror(errno));
 return(-1);
 }
-
+
+#ifdef __linux__
+ if ( prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
+ {
+ syslog( LOG_WARNING, "%s: prctl(PR_SET_NO_NEW_PRIVS, 1) failed: %s", fn,
+ strerror(errno));
+ if ( errno == EINVAL )
+ syslog( LOG_INFO, "%s: Perhaps kernel too old ( |
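Review bot: The fallback `PR_SET_NO_NEW_PRIVS` definition added to include/imapproxy.h has no comment and is not limited to Linux builds, so a reader cannot tell where 38 comes from or why it is defined by hand. A one-line comment above the `#ifndef`, for example `/* Fallback for kernel headers older than Linux 3.5; value as in <linux/prctl.h> */`, would record that. The only use shown is inside `#ifdef __linux__` in src/becomenonroot.c, so wrapping the fallback in the same guard would keep the constant out of builds on other systems.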
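Review bot: The new include in src/becomenonroot.c (hunk at line 57) is gated on `__linux__`, while the context line directly above it uses a configure-style test, `#if HAVE_UNISTD_H`. Following that convention, e.g. `#if HAVE_SYS_PRCTL_H` backed by a header check in the configure script, would stop the build depending on the compiler's platform macro. The header name is missing from this rendering, so I am assuming it is the one that declares prctl(). The call site in the later hunk would then need a matching guard.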