[SM-imapproxy] [PATCH] use prctl(PRCTL_SET_NO_NEW_PRIVS, 1) for added security

Sat, 24 Aug 2013 19:58:30 -0700 

from prctl(2):

With  no_new_privs  set  to  1,  execve(2) promises not to grant
privileges to do anything that could not have been done  without
the  execve(2)  call (for example, rendering the set-user-ID and
set-group-ID permission bits, and  file  capabilities  non-func‐
tional).   Once  set,  this bit cannot be unset.  The setting of
this bit  is  inherited  by  children  created  by  fork(2)  and
clone(2), and preserved across execve(2).
---
 include/imapproxy.h |  3 +++
 src/becomenonroot.c | 16 +++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/include/imapproxy.h b/include/imapproxy.h
index ce0b13b..aa090c4 100644
--- a/include/imapproxy.h
+++ b/include/imapproxy.h
@@ -152,6 +152,9 @@
 #include <limits.h>
 #endif
 
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS    38
+#endif
 
 /* 
  * Common definitions 
diff --git a/src/becomenonroot.c b/src/becomenonroot.c
index f19a9fb..7399ba8 100644
--- a/src/becomenonroot.c
+++ b/src/becomenonroot.c
@@ -57,6 +57,9 @@
 #if HAVE_UNISTD_H
 #include <unistd.h>
 #endif
+#ifdef __linux__
+#include <sys/prctl.h>
+#endif
 
 #include "imapproxy.h"
 
@@ -185,7 +188,18 @@ extern int BecomeNonRoot( void )
               newuid, strerror(errno));
        return(-1);
     }
-    
+
+#ifdef __linux__
+    if ( prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
+    {
+        syslog( LOG_WARNING, "%s: prctl(PR_SET_NO_NEW_PRIVS, 1) failed: %s",  
fn,
+               strerror(errno));
+        if ( errno == EINVAL )
+            syslog( LOG_INFO, "%s: Perhaps kernel too old (<3.5)", fn);
+    } else
+        syslog( LOG_INFO, "%s: enabled no_new_privs",  fn)
+#endif
+
     return(0);
 }
 
-- 
1.8.4.rc3


------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and 
AppDynamics. Performance Central is your source for news, insights, 
analysis and resources for efficient Application Performance Management. 
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
-----
squirrelmail-imapproxy mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [email protected]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.imapproxy
List info (subscribe/unsubscribe/change options): 
https://lists.sourceforge.net/lists/listinfo/squirrelmail-imapproxy

Reply via email to