Description: Drop code where dnsmasq drops privileges from root.
  This code isn't required because in strict mode we run worker
  processes as root:root and setuid is not allowed by the current
  plugs.
Author: Corey Bryant <corey.bryant@canonical.com>
Forwarded: no

---
 src/dnsmasq.c | 88 -----------------------------------------------------------
 1 file changed, 88 deletions(-)

diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 045ec53..4fe5531 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -578,94 +578,6 @@ int main (int argc, char **argv)
       daemon->helperfd = create_helper(pipewrite, err_pipe[1], script_uid, script_gid, max_fd);
 #endif
 
-  if (!option_bool(OPT_DEBUG) && getuid() == 0)   
-    {
-      int bad_capabilities = 0;
-      gid_t dummy;
-      
-      /* remove all supplimentary groups */
-      if (gp && 
-	  (setgroups(0, &dummy) == -1 ||
-	   setgid(gp->gr_gid) == -1))
-	{
-	  send_event(err_pipe[1], EVENT_GROUP_ERR, errno, daemon->groupname);
-	  _exit(0);
-	}
-  
-      if (ent_pw && ent_pw->pw_uid != 0)
-	{     
-#if defined(HAVE_LINUX_NETWORK)	  
-	  /* On linux, we keep CAP_NETADMIN (for ARP-injection) and
-	     CAP_NET_RAW (for icmp) if we're doing dhcp. If we have yet to bind 
-	     ports because of DAD, or we're doing it dynamically,
-	     we need CAP_NET_BIND_SERVICE too. */
-	  if (is_dad_listeners() || option_bool(OPT_CLEVERBIND))
-	    data->effective = data->permitted = data->inheritable =
-	      (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW) | 
-	      (1 << CAP_SETUID) | (1 << CAP_NET_BIND_SERVICE);
-	  else
-	    data->effective = data->permitted = data->inheritable =
-	      (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW) | (1 << CAP_SETUID);
-	  
-	  /* Tell kernel to not clear capabilities when dropping root */
-	  if (capset(hdr, data) == -1 || prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1)
-	    bad_capabilities = errno;
-			  
-#elif defined(HAVE_SOLARIS_NETWORK)
-	  /* http://developers.sun.com/solaris/articles/program_privileges.html */
-	  priv_set_t *priv_set;
-	  
-	  if (!(priv_set = priv_str_to_set("basic", ",", NULL)) ||
-	      priv_addset(priv_set, PRIV_NET_ICMPACCESS) == -1 ||
-	      priv_addset(priv_set, PRIV_SYS_NET_CONFIG) == -1)
-	    bad_capabilities = errno;
-
-	  if (priv_set && bad_capabilities == 0)
-	    {
-	      priv_inverse(priv_set);
-	  
-	      if (setppriv(PRIV_OFF, PRIV_LIMIT, priv_set) == -1)
-		bad_capabilities = errno;
-	    }
-
-	  if (priv_set)
-	    priv_freeset(priv_set);
-
-#endif    
-
-	  if (bad_capabilities != 0)
-	    {
-	      send_event(err_pipe[1], EVENT_CAP_ERR, bad_capabilities, NULL);
-	      _exit(0);
-	    }
-	  
-	  /* finally drop root */
-	  if (setuid(ent_pw->pw_uid) == -1)
-	    {
-	      send_event(err_pipe[1], EVENT_USER_ERR, errno, daemon->username);
-	      _exit(0);
-	    }     
-
-#ifdef HAVE_LINUX_NETWORK
-	  if (is_dad_listeners() || option_bool(OPT_CLEVERBIND))
-	   data->effective = data->permitted =
-	     (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW) | (1 << CAP_NET_BIND_SERVICE);
-	 else
-	   data->effective = data->permitted = 
-	     (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW);
-	  data->inheritable = 0;
-	  
-	  /* lose the setuid and setgid capbilities */
-	  if (capset(hdr, data) == -1)
-	    {
-	      send_event(err_pipe[1], EVENT_CAP_ERR, errno, NULL);
-	      _exit(0);
-	    }
-#endif
-	  
-	}
-    }
-  
 #ifdef HAVE_LINUX_NETWORK
   free(hdr);
   free(data);
-- 
2.11.0