From: Martti Rannanjärvi Date: Mon, 18 Dec 2017 09:35:27 +0000 (+0200) Subject: lib: Flip drop_setuid_root in restrict_access_settings X-Git-Tag: 2.3.9~2324 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=de0034cc6bb52585bc82289801435418a7ee7298;p=thirdparty%2Fdovecot%2Fcore.git lib: Flip drop_setuid_root in restrict_access_settings --- diff --git a/src/lib-storage/mail-storage-service.c b/src/lib-storage/mail-storage-service.c index f4b73f9f98..1d0467c98a 100644 --- a/src/lib-storage/mail-storage-service.c +++ b/src/lib-storage/mail-storage-service.c @@ -568,6 +568,7 @@ service_drop_privileges(struct mail_storage_service_user *user, current_euid = geteuid(); restrict_access_init(&rset); restrict_access_get_env(&rset); + rset.allow_setuid_root = keep_setuid_root; if (priv->uid != (uid_t)-1) { rset.uid = priv->uid; rset.uid_source = priv->uid_source; diff --git a/src/lib/restrict-access.c b/src/lib/restrict-access.c index c189ad3808..72768f184f 100644 --- a/src/lib/restrict-access.c +++ b/src/lib/restrict-access.c @@ -265,7 +265,7 @@ void restrict_access(const struct restrict_access_settings *set, is_root = geteuid() == 0; if (!is_root && - set->drop_setuid_root && + !set->allow_setuid_root && getuid() == 0) { /* recover current effective UID */ if (target_uid == (uid_t)-1) diff --git a/src/lib/restrict-access.h b/src/lib/restrict-access.h index 8ca2c9d784..de26a48ff4 100644 --- a/src/lib/restrict-access.h +++ b/src/lib/restrict-access.h @@ -26,9 +26,10 @@ struct restrict_access_settings { /* Chroot directory */ const char *chroot_dir; - /* Set TRUE to attempt to drop any root privileges - FIXME: Reverse logic on v2.3 */ - bool drop_setuid_root; + /* Allow running in setuid-root mode, where real UID is root and + * effective UID is non-root. By default the real UID is changed + * to be the same as the effective UID. */ + bool allow_setuid_root; }; /* Initialize settings with values that don't change anything. */