From: Paul L. <pa...@sq...> - 2016-09-14 02:02:41
|
Shawn, Sorry for the delay. This has been added. Thank you! On 2013年08月24日 19:56, Shawn Landden wrote:
> from prctl(2):
>
> With no_new_privs set to 1, execve(2) promises not to grant
> privileges to do anything that could not have been done without
> the execve(2) call (for example, rendering the set-user-ID and
> set-group-ID permission bits, and file capabilities non-func‐
> tional). Once set, this bit cannot be unset. The setting of
> this bit is inherited by children created by fork(2) and
> clone(2), and preserved across execve(2).
> ---
> include/imapproxy.h | 3 +++
> src/becomenonroot.c | 16 +++++++++++++++-
> 2 files changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/include/imapproxy.h b/include/imapproxy.h
> index ce0b13b..aa090c4 100644
> --- a/include/imapproxy.h
> +++ b/include/imapproxy.h
> @@ -152,6 +152,9 @@
> #include <limits.h>
> #endif
>
> +#ifndef PR_SET_NO_NEW_PRIVS
> +#define PR_SET_NO_NEW_PRIVS 38
> +#endif
>
> /*
> * Common definitions
> diff --git a/src/becomenonroot.c b/src/becomenonroot.c
> index f19a9fb..7399ba8 100644
> --- a/src/becomenonroot.c
> +++ b/src/becomenonroot.c
> @@ -57,6 +57,9 @@
> #if HAVE_UNISTD_H
> #include <unistd.h>
> #endif
> +#ifdef __linux__
> +#include <sys/prctl.h>
> +#endif
>
> #include "imapproxy.h"
>
> @@ -185,7 +188,18 @@ extern int BecomeNonRoot( void )
> newuid, strerror(errno));
> return(-1);
> }
> -
> +
> +#ifdef __linux__
> + if ( prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
> + {
> + syslog( LOG_WARNING, "%s: prctl(PR_SET_NO_NEW_PRIVS, 1) failed: %s", fn,
> + strerror(errno));
> + if ( errno == EINVAL )
> + syslog( LOG_INFO, "%s: Perhaps kernel too old (<3.5)", fn);
> + } else
> + syslog( LOG_INFO, "%s: enabled no_new_privs", fn)
> +#endif
> +
> return(0);
> }
>
> -- Paul Lesniewski SquirrelMail Team Please support Open Source Software by donating to SquirrelMail! http://squirrelmail.org/donate_paul_lesniewski.php |
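Review bot: In the last hunk (src/becomenonroot.c, BecomeNonRoot), the added `else` branch as quoted ends with `syslog( LOG_INFO, "%s: enabled no_new_privs", fn)` and has no terminating semicolon, so the `#ifdef __linux__` block would not compile on Linux; it should read `syslog( LOG_INFO, "%s: enabled no_new_privs", fn);`. In the failure branch, `errno` is compared with `EINVAL` only after `syslog()` and `strerror()` have run, and either call may overwrite it; capturing it first with `int err = errno;` and using `err` for both the message and the comparison keeps the old-kernel hint reliable. The failure path only logs and the function still returns 0, so the process keeps running without no_new_privs; that looks intentional for kernels older than 3.5, and a short comment such as `/* best effort: older kernels lack PR_SET_NO_NEW_PRIVS, continue without it */` would record the decision. BecomeNonRoot's body begins outside the hunk, so the earlier setuid/setgid handling is not visible here.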