Andrey Panin
2008-Nov-21 12:30 UTC
[Dovecot] [PATCH] drop root privileges on solaris, request for testing
Hello all, this patch allows master process to drop more root privileges under Solaris. My limited testing shows that code works, but I'm not sure that defined privilege set is permissive enough for dovecot. Unfortunately I have no root access to our Solaris servers to really test it. So if someone is ready to test this patch please do it :) Best regards.
diff -r 8f41c9f3f392 configure.in --- a/configure.in Wed Nov 19 16:11:01 2008 +0200 +++ b/configure.in Wed Nov 19 14:31:56 2008 +0000 @@ -461,7 +461,8 @@ AC_CHECK_FUNCS(fcntl flock lockf inet_at setrlimit setproctitle seteuid setreuid setegid setresgid \ strtoull strtoll strtouq strtoq \ setpriority quotactl getmntent kqueue kevent backtrace_symbols \ - walkcontext dirfd clearenv malloc_usable_size clock_gettime) + walkcontext dirfd clearenv malloc_usable_size clock_gettime \ + setppriv) dnl strtoimax and strtoumax are macros in HP-UX, so inttypes.h must be included AC_MSG_CHECKING([for strtoimax]) diff -r 8f41c9f3f392 src/master/Makefile.am --- a/src/master/Makefile.am Wed Nov 19 16:11:01 2008 +0200 +++ b/src/master/Makefile.am Wed Nov 19 14:18:36 2008 +0000 @@ -22,6 +22,7 @@ dovecot_SOURCES = \ auth-process.c \ askpass.c \ capabilities-posix.c \ + capabilities-solaris.c \ child-process.c \ dict-process.c \ dup2-array.c \ diff -r 8f41c9f3f392 src/master/capabilities.h --- a/src/master/capabilities.h Wed Nov 19 16:11:01 2008 +0200 +++ b/src/master/capabilities.h Wed Nov 19 14:18:38 2008 +0000 @@ -1,7 +1,7 @@ #ifndef CAPABILITIES_H #define CAPABILITIES_H -#if defined(HAVE_LIBCAP) +#if defined(HAVE_LIBCAP) || defined(HAVE_SETPPRIV) void drop_capabilities(void); diff -r 8f41c9f3f392 src/master/capabilities-solaris.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/master/capabilities-solaris.c Wed Nov 19 14:18:39 2008 +0000 
@@ -0,0 +1,54 @@ +/* Copyright (c) 2008 Dovecot authors, see the included COPYING file */ + +#include "common.h" +#include "capabilities.h" + +#ifdef HAVE_SETPPRIV + +#include <priv.h> + +void drop_capabilities(void) +{ + static const char* privs[] = { + "PRIV_PROC_FORK", + "PRIV_PROC_EXEC", + "PRIV_FILE_CHOWN", + "PRIV_PROC_SETID", + "PRIV_PROC_CHROOT", + "PRIV_NET_PRIVADDR", + "PRIV_FILE_DAC_READ", + "PRIV_FILE_DAC_WRITE", + NULL + }, **p; + priv_set_t *priv_set; + int ret; + + priv_set = priv_allocset(); + if (priv_set == NULL) { + i_warning("Can't allocate memory for privilege set: %m"); + return; + } + + priv_emptyset(priv_set); + + for (p = privs; *p != NULL; p++) { + ret = priv_addset(priv_set, *p); + if (ret != 0) { + i_warning("Can't drop %s from privilege set: %m", *p); + } + } + + ret = setppriv(PRIV_SET, PRIV_PERMITTED, priv_set); + if (ret) { + i_warning("Can't set %s privelege set: %m", "PERMITTED"); + } + + ret = setppriv(PRIV_SET, PRIV_EFFECTIVE, priv_set); + if (ret) { + i_warning("Can't set %s privelege set: %m", "EFFECTIVE"); + } + + priv_freeset(priv_set); +} + +#endif
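Review bot: in the configure.in hunk, AC_CHECK_FUNCS only probes for the setppriv symbol, while the new capabilities-solaris.c also includes <priv.h>; adding an AC_CHECK_HEADERS(priv.h) check (or making the function test depend on it) would keep the build from breaking on a platform that has the function but not the header.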
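Review bot: in the capabilities.h hunk, widening the guard to `#if defined(HAVE_LIBCAP) || defined(HAVE_SETPPRIV)` means a build where configure finds both libcap and setppriv would compile drop_capabilities() from both capabilities-posix.c and capabilities-solaris.c and fail to link with a duplicate symbol, unless capabilities-posix.c already excludes the HAVE_SETPPRIV case; either make the two file guards mutually exclusive (e.g. `#if defined(HAVE_LIBCAP) && !defined(HAVE_SETPPRIV)` in the posix file) or have configure prefer one mechanism.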
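Review bot: in the capabilities-solaris.c hunk, the privs[] entries in drop_capabilities() are quoted strings ("PRIV_PROC_FORK", "PRIV_PROC_EXEC", ...), but priv_addset() expects the privilege name itself ("proc_fork", "proc_exec" and so on); PRIV_PROC_FORK and the other PRIV_* names are macros from <priv.h> that expand to exactly those strings, so each entry should be written unquoted, e.g. `PRIV_PROC_FORK,` and `PRIV_PROC_EXEC,`. As posted, every priv_addset() call fails with an unknown name, the loop only warns and continues, and the still-empty set is then passed to setppriv(PRIV_SET, PRIV_PERMITTED, ...), which would strip the master of all privileges rather than reduce them; a priv_addset() failure should abort (i_fatal, or return before the setppriv calls) instead of falling through. Smaller points in the same function: the warning "Can't drop %s from privilege set" is backwards, since the loop is adding to the set; "privelege" in the two setppriv warnings is misspelled; and since the master forks and execs child processes, a comment should say whether leaving the inheritable and limit sets untouched is intentional.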
Timo Sirainen
2008-Dec-14 06:03 UTC
[Dovecot] [PATCH] drop root privileges on solaris, request for testing
On Fri, 2008-11-21 at 15:30 +0300, Andrey Panin wrote:
> Hello all,
>
> this patch allows master process to drop more root privileges under
> Solaris. My limited testing shows that code works, but I'm not sure
> that defined privilege set is permissive enough for dovecot.
>
> Unfortunately I have no root access to our Solaris servers to really
> test it. So if someone is ready to test this patch please do it :)

Since no-one's offered to test perhaps I'll just put this into v1.2 and see if anyone complains? :)
Andrey Panin
2008-Dec-16 06:52 UTC
[Dovecot] [PATCH] drop root privileges on solaris, request for testing
On Sun, Dec 14, 2008 at 08:03:25AM +0200, Timo Sirainen wrote:
> On Fri, 2008-11-21 at 15:30 +0300, Andrey Panin wrote:
> > Hello all,
> >
> > this patch allows master process to drop more root privileges under
> > Solaris. My limited testing shows that code works, but I'm not sure
> > that defined privilege set is permissive enough for dovecot.
> >
> > Unfortunately I have no root access to our Solaris servers to really
> > test it. So if someone is ready to test this patch please do it :)
>
> Since no-one's offered to test perhaps I'll just put this into v1.2 and
> see if anyone complains? :)

I have no objections to this plan :)