nfqws,tpws: separate droproot from dropcaps

docs/changes.txt

@@ -464,3 +464,4 @@ v70.4
 nfqws,tpws: ^ prefix in hostlist to disable subdomain matches
 nfqws,tpws: optional systemd notify support. compile using 'make systemd'
 nfqws,tpws: systemd instance templates for nfqws and tpws
+nfqws,tpws: separate droproot from dropcaps

nfq/nfqws.c

@@ -293,7 +293,7 @@ static int nfq_main(void)
 	ssize_t rd;
 
 	sec_harden();
-	if (params.droproot && !droproot(params.uid, params.gid))
+	if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps())
 		return 1;
 	print_id();
 	if (params.droproot && !test_list_files())

nfq/sec.c

@@ -287,7 +287,7 @@ bool can_drop_root(void)
 {
 #ifdef __linux__
 	// has some caps
-	return checkpcap((1<<CAP_SETUID)|(1<<CAP_SETGID)|(1<<CAP_SETPCAP));
+	return checkpcap((1<<CAP_SETUID)|(1<<CAP_SETGID));
 #else
 	// effective root
 	return !geteuid();
@@ -319,11 +319,7 @@ bool droproot(uid_t uid, gid_t gid)
 		DLOG_PERROR("setuid");
 		return false;
 	}
-#ifdef __linux__
-	return dropcaps();
-#else
 	return true;
-#endif
 }
 
 void print_id(void)

tpws/sec.c

@@ -263,7 +263,7 @@ bool can_drop_root(void)
 {
 #ifdef __linux__
 	// has some caps
-	return checkpcap((1<<CAP_SETUID)|(1<<CAP_SETGID)|(1<<CAP_SETPCAP));
+	return checkpcap((1<<CAP_SETUID)|(1<<CAP_SETGID));
 #else
 	// effective root
 	return !geteuid();
@@ -295,11 +295,7 @@ bool droproot(uid_t uid, gid_t gid)
 		DLOG_PERROR("setuid");
 		return false;
 	}
-#ifdef __linux__
-	return dropcaps();
-#else
 	return true;
-#endif
 }
 
 void print_id(void)

tpws/tpws.c

@@ -1947,6 +1947,10 @@ int main(int argc, char *argv[])
 	sec_harden();
 	if (params.droproot && !droproot(params.uid,params.gid))
 		goto exiterr;
+#ifdef __linux__
+	if (!dropcaps())
+		goto exiterr;
+#endif
 	print_id();
 	if (params.droproot && !test_list_files())
 		goto exiterr;