From c28c2cde43cee41d560b18defe8aed9b06ede254 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Tue, 15 Sep 2020 12:02:49 +0200
Subject: [PATCH] sys_linux: don't keep NET_BIND_SERVICE for unprivileged port

Don't keep the NET_BIND_SERVICE capability if the configured NTP port is not privileged (i.e. not smaller than 1024).
---
 sys_linux.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sys_linux.c b/sys_linux.c
index 411ceec..456a332 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -437,12 +437,14 @@ SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control)
 UTI_DropRoot(uid, gid);
- /* Keep CAP_NET_BIND_SERVICE if the NTP server sockets may need to be bound.
+ /* Keep CAP_NET_BIND_SERVICE if the NTP server sockets may need to be bound
+ to a privileged port.
 Keep CAP_NET_RAW if an NTP socket may need to be bound to a device on kernels before 5.7. Keep CAP_SYS_TIME if the clock control is enabled. */
 if (snprintf(cap_text, sizeof (cap_text), "%s %s %s",
- CNF_GetNTPPort() ? "cap_net_bind_service=ep" : "",
+ (CNF_GetNTPPort() > 0 && CNF_GetNTPPort() < 1024) ?
+ "cap_net_bind_service=ep" : "",
 (CNF_GetBindNtpInterface() || CNF_GetBindAcquisitionInterface()) && !SYS_Linux_CheckKernelVersion(5, 7) ? "cap_net_raw=ep" : "", clock_control ? "cap_sys_time=ep" : "") >= sizeof (cap_text))
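Review bot: The new condition `CNF_GetNTPPort() < 1024` hard-codes the privileged-port boundary, but on Linux that boundary is the `net.ipv4.ip_unprivileged_port_start` sysctl, which an administrator can change from its default of 1024. If it has been raised above the configured NTP port, CAP_NET_BIND_SERVICE is dropped here and, assuming the server sockets are bound after this point as the comment implies, a later bind would fail; if it has been lowered, the capability is retained without need. At minimum the comment should state the assumption, e.g. `to a privileged port (assumes the default ip_unprivileged_port_start of 1024).`, and reading the port once into a local (`int port = CNF_GetNTPPort();`) would avoid calling the getter twice in one expression. The body of SYS_Linux_DropRoot starts and ends outside this hunk, so how the resulting capability text is applied is not visible here.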