
[PATCH] use prctl(PRCTL_SET_NO_NEW_PRIVS, 1) for added security


[PATCH] use prctl(PRCTL_SET_NO_NEW_PRIVS, 1) for added security

Shawn Landden
---
 include/imapproxy.h |  3 +++
 src/becomenonroot.c | 16 +++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/include/imapproxy.h b/include/imapproxy.h
index ce0b13b..aa090c4 100644
--- a/include/imapproxy.h
+++ b/include/imapproxy.h
@@ -152,6 +152,9 @@
 #include <limits.h>
 #endif
 
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS 38
+#endif
 
 /*
  * Common definitions
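Review bot: The fallback `#define PR_SET_NO_NEW_PRIVS 38` has no comment saying where the number comes from or why the fallback exists. I would put `/* Linux prctl(2) option (kernel 3.5+); fallback for builds against older kernel headers */` above the `#ifndef`. The fallback only takes effect as intended when `<sys/prctl.h>` is included before imapproxy.h, which is the order becomenonroot.c uses in this patch. It is also defined on every platform although its only use sits under `#ifdef __linux__`, so wrapping it in the same guard would keep it out of non-Linux builds.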
diff --git a/src/becomenonroot.c b/src/becomenonroot.c
index f19a9fb..59dfb37 100644
--- a/src/becomenonroot.c
+++ b/src/becomenonroot.c
@@ -57,6 +57,9 @@
 #if HAVE_UNISTD_H
 #include <unistd.h>
 #endif
+#ifdef __linux__
+#include <sys/prctl.h>
+#endif
 
 #include "imapproxy.h"
 
@@ -185,7 +188,18 @@ extern int BecomeNonRoot( void )
        newuid, strerror(errno));
  return(-1);
     }
-    
+
+#ifdef __linux__
+    if ( prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
+    {
+        syslog( LOG_WARNING, "%s: prctl(PR_SET_NO_NEW_PRIVS, 1) failed: %s",  fn,
+               strerror(errno));
+        if ( errno == EINVAL )
+            syslog( LOG_INFO, "%s: Perhaps kernel too old", fn);
+    } else
+        syslog( LOG_INFO, "%s: prctl(PR_SET_NO_NEW_PRIVS, 1) succeeded",  fn)
+#endif
+
     return(0);
 }
 
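Review bot: The `else` branch's `syslog( LOG_INFO, "%s: prctl(PR_SET_NO_NEW_PRIVS, 1) succeeded",  fn)` is missing its terminating semicolon, so on Linux the statement runs into `return(0);` and the file will not compile; it should end `fn);`. In the failure branch, `errno` is compared with `EINVAL` only after a `syslog()` call that may itself change it, so capture it first with `int err = errno;` and use `err` in both `strerror(err)` and `if ( err == EINVAL )`. A failed prctl is only logged and BecomeNonRoot still returns 0, which looks like deliberate best-effort behaviour for older kernels; a one-line comment saying so would make that intent explicit. BecomeNonRoot's body starts above this hunk.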
--
1.8.4.rc3


-----
squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel