Drop capabilities
Explicitly drop capabilities. This functionality is enabled if compiled with -DLIBCAP=1 and linked with -lcap. It uses the libcap library.
It secures xtrlock more against exploits in case it's running with elevated capabilities, which is safer than running it setuid/setgid.
Set it up by enabling the CAP_DAC_READ_SEARCH capability, which allows reading the shadow password record for a regular user:
# setcap cap_dac_read_search+ep ./xtrlock
With this patch it drops the CAP_DAC_READ_SEARCH capability (and all others) as soon as it is not required.
Of course it would be better to use PAM instead of shadow passwords, but it would be a more complex change.
Signed-off-by: Jaroslav Škarvada jskarvad@redhat.com
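The ordering the patch enforces, read the shadow record while CAP_DAC_READ_SEARCH is still effective and then drop every capability, as an added example that is not xtrlock's code. The patch uses the libcap API; this example swaps in the raw capget/capset syscalls so it builds without -lcap and can be run unprivileged to verify that nothing survives the drop (the user lookup via getpwuid/getspnam is an assumed stand-in for xtrlock's own lookup).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <shadow.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* capget/capset have no glibc wrappers, so they are invoked via syscall(2).
 * Version 3 of the capability ABI uses two 32-bit words per set. */

/* Returns 1 if `cap` is in the effective set, 0 if not, -1 on error. */
int process_has_cap(int cap)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (int)((data[cap / 32].effective >> (cap % 32)) & 1u);
}

/* Clears the effective, permitted and inheritable sets. Lowering the sets is
 * always allowed, so this succeeds whether or not the process held anything.
 * Returns 0 on success, -1 if capset failed or CAP_DAC_READ_SEARCH survived. */
int drop_all_capabilities(void)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof data);   /* all-zero words: empty sets */
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;
    return process_has_cap(CAP_DAC_READ_SEARCH) == 0 ? 0 : -1;
}

int main(void)
{
    /* Privileged step first: the shadow record needs CAP_DAC_READ_SEARCH (or root). */
    struct passwd *pw = getpwuid(getuid());
    struct spwd *sp = pw ? getspnam(pw->pw_name) : NULL;

    /* Then drop everything before any further work (e.g. the X11 lock loop). */
    if (drop_all_capabilities() != 0) {
        perror("capset");
        return 1;
    }
    printf("shadow record %s; CAP_DAC_READ_SEARCH effective now: %d\n",
           sp ? "read" : "not readable (no privilege)",
           process_has_cap(CAP_DAC_READ_SEARCH));
    return 0;
}
```

Run it as a regular user and the shadow read fails while the drop still succeeds; with `setcap cap_dac_read_search+ep` applied to the binary, the record is read first and the capability is gone immediately afterwards.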