master: Allow child processes to setgroups()

Grant master process capabilities to children, so the children
can drop root privileges. This is enforced more strictly
by some kernels than others.

diff --git a/src/master/capabilities-posix.c b/src/master/capabilities-posix.c
index 666b07214e37d6c2855cedd828f7d10c9eead719..7763f1ae195cf4c3c4921bdf39c13194930363c6 100644 (file)
--- a/src/master/capabilities-posix.c
+++ b/src/master/capabilities-posix.c
@@ -28,6 +28,8 @@ void drop_capabilities(void)
                     N_ELEMENTS(suidcaps), suidcaps, CAP_SET);
        cap_set_flag(caps, CAP_EFFECTIVE,
                     N_ELEMENTS(suidcaps), suidcaps, CAP_SET);
+       cap_set_flag(caps, CAP_INHERITABLE,
+                    N_ELEMENTS(suidcaps), suidcaps, CAP_SET);
        cap_set_proc(caps);
        cap_free(caps);
 }