Re: [SM-imapproxy] [PATCH] use prctl(PRCTL_SET_NO_NEW_PRIVS, 1) for added security

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Shawn,

Sorry for the delay.  This has been added.

Thank you!

On 2013年08月24日 19:56, Shawn Landden wrote:
> from prctl(2):
> 
> With  no_new_privs  set  to  1,  execve(2) promises not to grant
> privileges to do anything that could not have been done  without
> the  execve(2)  call (for example, rendering the set-user-ID and
> set-group-ID permission bits, and  file  capabilities  non-func‐
> tional).   Once  set,  this bit cannot be unset.  The setting of
> this bit  is  inherited  by  children  created  by  fork(2)  and
> clone(2), and preserved across execve(2).
> ---
>  include/imapproxy.h |  3 +++
>  src/becomenonroot.c | 16 +++++++++++++++-
>  2 files changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/include/imapproxy.h b/include/imapproxy.h
> index ce0b13b..aa090c4 100644
> --- a/include/imapproxy.h
> +++ b/include/imapproxy.h
> @@ -152,6 +152,9 @@
>  #include <limits.h>
>  #endif
>  
> +#ifndef PR_SET_NO_NEW_PRIVS
> +#define PR_SET_NO_NEW_PRIVS	38
> +#endif
>  
>  /* 
>   * Common definitions 
> diff --git a/src/becomenonroot.c b/src/becomenonroot.c
> index f19a9fb..7399ba8 100644
> --- a/src/becomenonroot.c
> +++ b/src/becomenonroot.c
> @@ -57,6 +57,9 @@
>  #if HAVE_UNISTD_H
>  #include <unistd.h>
>  #endif
> +#ifdef __linux__
> +#include <sys/prctl.h>
> +#endif
>  
>  #include "imapproxy.h"
>  
> @@ -185,7 +188,18 @@ extern int BecomeNonRoot( void )
>  	       newuid, strerror(errno));
>  	return(-1);
>      }
> -    
> +
> +#ifdef __linux__
> +    if ( prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
> +    {
> +        syslog( LOG_WARNING, "%s: prctl(PR_SET_NO_NEW_PRIVS, 1) failed: %s",  fn,
> +               strerror(errno));
> +        if ( errno == EINVAL )
> +            syslog( LOG_INFO, "%s: Perhaps kernel too old (<3.5)", fn);
> +    } else
> +        syslog( LOG_INFO, "%s: enabled no_new_privs",  fn)
> +#endif
> +
>      return(0);
>  }
>  
> 

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php