From bd8decddc5932ad1d6a6b4bcfacf0f3299d1a947 Mon Sep 17 00:00:00 2001
From: bol-van <none@none.none>
Date: Thu, 13 Mar 2025 21:54:28 +0300
Subject: [PATCH] nfqws,tpws: separate droproot from dropcaps

---
 docs/changes.txt | 1 +
 nfq/nfqws.c      | 2 +-
 nfq/sec.c        | 6 +-----
 tpws/sec.c       | 6 +-----
 tpws/tpws.c      | 4 ++++
 5 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/docs/changes.txt b/docs/changes.txt
index 7ab30ade..d8d88200 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -464,3 +464,4 @@ v70.4
 nfqws,tpws: ^ prefix in hostlist to disable subdomain matches
 nfqws,tpws: optional systemd notify support. compile using 'make systemd'
 nfqws,tpws: systemd instance templates for nfqws and tpws
+nfqws,tpws: separate droproot from dropcaps
diff --git a/nfq/nfqws.c b/nfq/nfqws.c
index bd6e8b9d..b469fe11 100644
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@@ -293,7 +293,7 @@ static int nfq_main(void)
 	ssize_t rd;
 
 	sec_harden();
-	if (params.droproot && !droproot(params.uid, params.gid))
+	if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps())
 		return 1;
 	print_id();
 	if (params.droproot && !test_list_files())
diff --git a/nfq/sec.c b/nfq/sec.c
index 71ba1c75..4fabd16a 100644
--- a/nfq/sec.c
+++ b/nfq/sec.c
@@ -287,7 +287,7 @@ bool can_drop_root(void)
 {
 #ifdef __linux__
 	// has some caps
-	return checkpcap((1<<CAP_SETUID)|(1<<CAP_SETGID)|(1<<CAP_SETPCAP));
+	return checkpcap((1<<CAP_SETUID)|(1<<CAP_SETGID));
 #else
 	// effective root
 	return !geteuid();
@@ -319,11 +319,7 @@ bool droproot(uid_t uid, gid_t gid)
 		DLOG_PERROR("setuid");
 		return false;
 	}
-#ifdef __linux__
-	return dropcaps();
-#else
 	return true;
-#endif
 }
 
 void print_id(void)
diff --git a/tpws/sec.c b/tpws/sec.c
index 873c8752..ca48c59e 100644
--- a/tpws/sec.c
+++ b/tpws/sec.c
@@ -263,7 +263,7 @@ bool can_drop_root(void)
 {
 #ifdef __linux__
 	// has some caps
-	return checkpcap((1<<CAP_SETUID)|(1<<CAP_SETGID)|(1<<CAP_SETPCAP));
+	return checkpcap((1<<CAP_SETUID)|(1<<CAP_SETGID));
 #else
 	// effective root
 	return !geteuid();
@@ -295,11 +295,7 @@ bool droproot(uid_t uid, gid_t gid)
 		DLOG_PERROR("setuid");
 		return false;
 	}
-#ifdef __linux__
-	return dropcaps();
-#else
 	return true;
-#endif
 }
 
 void print_id(void)
diff --git a/tpws/tpws.c b/tpws/tpws.c
index b3c68014..ff6bfc86 100644
--- a/tpws/tpws.c
+++ b/tpws/tpws.c
@@ -1947,6 +1947,10 @@ int main(int argc, char *argv[])
 	sec_harden();
 	if (params.droproot && !droproot(params.uid,params.gid))
 		goto exiterr;
+#ifdef __linux__
+	if (!dropcaps())
+		goto exiterr;
+#endif
 	print_id();
 	if (params.droproot && !test_list_files())
 		goto exiterr;