changeset 5789:4f22660ffd33 HEAD

Move POSIX capabilities dropping into separate function.
author Andrey Panin <pazke@donpac.ru>
date Wed, 20 Jun 2007 14:08:27 +0400
parents bdb16967be64
children e1347a122140
files src/master/Makefile.am src/master/capabilities-posix.c src/master/capabilities.h src/master/main.c
diffstat 4 files changed, 48 insertions(+), 26 deletions(-) [+]
--- a/src/master/Makefile.am	Sun Jun 10 12:58:06 2007 +0400
+++ b/src/master/Makefile.am	Wed Jun 20 14:08:27 2007 +0400
@@ -21,6 +21,7 @@
 dovecot_SOURCES = \
 	auth-process.c \
 	askpass.c \
+	capabilities-posix.c \
 	dict-process.c \
 	log.c \
 	login-process.c \
@@ -33,6 +34,7 @@
 noinst_HEADERS = \
 	auth-process.h \
 	askpass.h \
+	capabilities.h \
 	dict-process.h \
 	common.h \
 	log.h \
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/master/capabilities-posix.c	Wed Jun 20 14:08:27 2007 +0400
@@ -0,0 +1,30 @@
+#include "common.h"
+#include "capabilities.h"
+
+#ifdef HAVE_LIBCAP
+
+#include <sys/capability.h>
+
+void drop_capabilities(void)
+{
+	/* the capabilities that we *need* in order to operate */
+	static cap_value_t suidcaps[] = {
+		CAP_CHOWN,
+		CAP_SYS_CHROOT,
+		CAP_SETUID,
+		CAP_SETGID,
+		CAP_NET_BIND_SERVICE
+	};
+	cap_t caps;
+
+	caps = cap_init();
+	cap_clear(caps);
+	cap_set_flag(caps, CAP_PERMITTED,
+		     sizeof(suidcaps) / sizeof(cap_value_t), suidcaps, CAP_SET);
+	cap_set_flag(caps, CAP_EFFECTIVE,
+		     sizeof(suidcaps) / sizeof(cap_value_t), suidcaps, CAP_SET);
+	cap_set_proc(caps);
+	cap_free(caps);
+}
+
+#endif
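Review bot: drop_capabilities() never checks the return values of cap_init(), cap_set_flag() or cap_set_proc(), so if any of them fails (cap_init() returns NULL on allocation failure, the others return -1) the master keeps running with its full capability set and nothing is logged; the old inline block in main.c had the same gap, but now that the drop is a named security boundary it should be fatal on failure. i_fatal(), which main.c already uses for its fatal-log paths, is the natural way to abort here. cap_init() already returns a state with all flags cleared, so the cap_clear() call is harmless but redundant. The rewrite below keeps the suidcaps table and the interface unchanged.
```c
void drop_capabilities(void)
{
	/* … unchanged: suidcaps table … */
	cap_t caps;

	caps = cap_init();
	if (caps == NULL)
		i_fatal("cap_init() failed: %m");
	if (cap_set_flag(caps, CAP_PERMITTED,
			 sizeof(suidcaps) / sizeof(cap_value_t), suidcaps, CAP_SET) < 0 ||
	    cap_set_flag(caps, CAP_EFFECTIVE,
			 sizeof(suidcaps) / sizeof(cap_value_t), suidcaps, CAP_SET) < 0)
		i_fatal("cap_set_flag() failed: %m");
	/* a failed cap_set_proc() would leave us fully privileged: refuse to continue */
	if (cap_set_proc(caps) < 0)
		i_fatal("cap_set_proc() failed: %m");
	cap_free(caps);
}
```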
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/master/capabilities.h	Wed Jun 20 14:08:27 2007 +0400
@@ -0,0 +1,14 @@
+#ifndef __CAPABILITIES_H__
+#define __CAPABILITIES_H__
+
+#if defined(HAVE_LIBCAP)
+
+void drop_capabilities(void);
+
+#else
+
+static inline void drop_capabilities(void) {}
+
+#endif
+
+#endif	/* __CAPABILITIES_H__ */
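Review bot: The include guard `__CAPABILITIES_H__` uses a name beginning with a double underscore, which C reserves for the implementation (C11 7.1.3); a plain `CAPABILITIES_H` avoids the collision risk and matches what a reviewer would expect. The non-libcap stub on the `#else` branch also deserves a line saying what it means for the caller, since the call site in main.c no longer shows that the drop is conditional: `/* Without libcap the master keeps whatever capabilities it started with; nothing is dropped and nothing is reported. */` above the inline stub. A one-line comment on the real declaration stating that it restricts the process to the capabilities the master needs and that it should not return on failure would complete the contract.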
--- a/src/master/main.c	Sun Jun 10 12:58:06 2007 +0400
+++ b/src/master/main.c	Wed Jun 20 14:08:27 2007 +0400
@@ -10,6 +10,7 @@
 
 #include "askpass.h"
 #include "auth-process.h"
+#include "capabilities.h"
 #include "dict-process.h"
 #include "login-process.h"
 #include "mail-process.h"
@@ -24,9 +25,6 @@
 #include <syslog.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
-#ifdef HAVE_LIBCAP
-#include <sys/capability.h>
-#endif
 
 const char *process_names[PROCESS_TYPE_MAX] = {
 	"unknown",
@@ -39,18 +37,6 @@
 	"dict"
 };
 
-/* the capabilities that we *need* in order to operate */
-#ifdef HAVE_LIBCAP
-cap_t caps;
-cap_value_t suidcaps[] = {
-	CAP_CHOWN,
-	CAP_SYS_CHROOT,
-	CAP_SETUID,
-	CAP_SETGID,
-	CAP_NET_BIND_SERVICE
-};
-#endif
-
 static const char *configfile = SYSCONFDIR "/" PACKAGE ".conf";
 static const char *env_tz;
 
@@ -607,17 +593,7 @@
 		i_fatal("This is Dovecot's fatal log");
 	}
 
-#ifdef HAVE_LIBCAP
-	/* drop capabilities that we don't need, be very restrictive. */
-	caps = cap_init();
-	cap_clear(caps);
-	cap_set_flag(caps, CAP_PERMITTED,
-		     sizeof(suidcaps) / sizeof(cap_value_t), suidcaps, CAP_SET);
-	cap_set_flag(caps, CAP_EFFECTIVE,
-		     sizeof(suidcaps) / sizeof(cap_value_t), suidcaps, CAP_SET);
-	cap_set_proc(caps);
-	cap_free(caps);
-#endif
+	drop_capabilities();
 
 	lib_signals_init();
         lib_signals_set_handler(SIGINT, TRUE, sig_die, NULL);
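Review bot: The replacement call on the `drop_capabilities();` line lost the explanatory comment that the removed block carried, and the call now reads as unconditional even though in a build without HAVE_LIBCAP it resolves to the empty inline stub from capabilities.h. Restore the intent at the call site so a reader of main() does not have to open the header: `/* drop capabilities we don't need, be very restrictive (no-op without libcap) */`. The enclosing function starts and ends outside this hunk, so whether any privileged work precedes the drop cannot be judged from here.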