YQL-16964 moved yql/utils/sys

34 files changed, 2618 insertions, 0 deletions

diff --git a/.mapping.json b/.mapping.json
index fa0af57507..244ebef6e1 100644
--- a/.mapping.json
+++ b/.mapping.json
@@ -375,6 +375,9 @@
   "contrib/libs/libc_compat/CMakeLists.linux-x86_64.txt":"",
   "contrib/libs/libc_compat/CMakeLists.txt":"",
   "contrib/libs/libc_compat/CMakeLists.windows-x86_64.txt":"",
+  "contrib/libs/libcap/CMakeLists.linux-aarch64.txt":"",
+  "contrib/libs/libcap/CMakeLists.linux-x86_64.txt":"",
+  "contrib/libs/libcap/CMakeLists.txt":"",
   "contrib/libs/libevent/CMakeLists.darwin-x86_64.txt":"",
   "contrib/libs/libevent/CMakeLists.linux-aarch64.txt":"",
   "contrib/libs/libevent/CMakeLists.linux-x86_64.txt":"",
@@ -8805,6 +8808,11 @@
   "ydb/library/yql/utils/simd/ut/CMakeLists.linux-x86_64.txt":"",
   "ydb/library/yql/utils/simd/ut/CMakeLists.txt":"",
   "ydb/library/yql/utils/simd/ut/CMakeLists.windows-x86_64.txt":"",
+  "ydb/library/yql/utils/sys/CMakeLists.darwin-x86_64.txt":"",
+  "ydb/library/yql/utils/sys/CMakeLists.linux-aarch64.txt":"",
+  "ydb/library/yql/utils/sys/CMakeLists.linux-x86_64.txt":"",
+  "ydb/library/yql/utils/sys/CMakeLists.txt":"",
+  "ydb/library/yql/utils/sys/CMakeLists.windows-x86_64.txt":"",
   "ydb/library/yql/utils/test_http_server/CMakeLists.darwin-x86_64.txt":"",
   "ydb/library/yql/utils/test_http_server/CMakeLists.linux-aarch64.txt":"",
   "ydb/library/yql/utils/test_http_server/CMakeLists.linux-x86_64.txt":"",
diff --git a/contrib/libs/CMakeLists.linux-aarch64.txt b/contrib/libs/CMakeLists.linux-aarch64.txt
index 9baeaba9de..106dc8bb4a 100644
--- a/contrib/libs/CMakeLists.linux-aarch64.txt
+++ b/contrib/libs/CMakeLists.linux-aarch64.txt
@@ -32,6 +32,7 @@ add_subdirectory(jemalloc)
 add_subdirectory(jwt-cpp)
 add_subdirectory(libbz2)
 add_subdirectory(libc_compat)
+add_subdirectory(libcap)
 add_subdirectory(libevent)
 add_subdirectory(libfyaml)
 add_subdirectory(libunwind)
diff --git a/contrib/libs/CMakeLists.linux-x86_64.txt b/contrib/libs/CMakeLists.linux-x86_64.txt
index 5a5c430a16..ba2f03dac0 100644
--- a/contrib/libs/CMakeLists.linux-x86_64.txt
+++ b/contrib/libs/CMakeLists.linux-x86_64.txt
@@ -33,6 +33,7 @@ add_subdirectory(jemalloc)
 add_subdirectory(jwt-cpp)
 add_subdirectory(libbz2)
 add_subdirectory(libc_compat)
+add_subdirectory(libcap)
 add_subdirectory(libevent)
 add_subdirectory(libfyaml)
 add_subdirectory(libunwind)
diff --git a/contrib/libs/libcap/CMakeLists.linux-aarch64.txt b/contrib/libs/libcap/CMakeLists.linux-aarch64.txt
new file mode 100644
index 0000000000..454d8162b9
--- /dev/null
+++ b/contrib/libs/libcap/CMakeLists.linux-aarch64.txt
@@ -0,0 +1,28 @@
+
+# This file was generated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+
+add_library(contrib-libs-libcap)
+target_compile_options(contrib-libs-libcap PRIVATE
+  $<IF:$<CXX_COMPILER_ID:MSVC>,,-Wno-everything>
+)
+target_include_directories(contrib-libs-libcap PUBLIC
+  ${CMAKE_SOURCE_DIR}/contrib/libs/libcap/include
+)
+target_link_libraries(contrib-libs-libcap PUBLIC
+  contrib-libs-linux-headers
+  contrib-libs-cxxsupp
+)
+target_sources(contrib-libs-libcap PRIVATE
+  ${CMAKE_SOURCE_DIR}/contrib/libs/libcap/cap_alloc.c
+  ${CMAKE_SOURCE_DIR}/contrib/libs/libcap/cap_extint.c
+  ${CMAKE_SOURCE_DIR}/contrib/libs/libcap/cap_file.c
+  ${CMAKE_SOURCE_DIR}/contrib/libs/libcap/cap_flag.c
+  ${CMAKE_SOURCE_DIR}/contrib/libs/libcap/cap_proc.c
+  ${CMAKE_SOURCE_DIR}/contrib/libs/libcap/cap_text.c
+)
diff --git a/contrib/libs/libcap/CMakeLists.linux-x86_64.txt b/contrib/libs/libcap/CMakeLists.linux-x86_64.txt
new file mode 100644
index 0000000000..454d8162b9
--- /dev/null
+++ b/contrib/libs/libcap/CMakeLists.linux-x86_64.txt
@@ -0,0 +1,28 @@
+
+# This file was generated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+
+add_library(contrib-libs-libcap)
+target_compile_options(contrib-libs-libcap PRIVATE
+  $<IF:$<CXX_COMPILER_ID:MSVC>,,-Wno-everything>
+)
+target_include_directories(contrib-libs-libcap PUBLIC
+  ${CMAKE_SOURCE_DIR}/contrib/libs/libcap/include
+)
+target_link_libraries(contrib-libs-libcap PUBLIC
+  contrib-libs-linux-headers
+  contrib-libs-cxxsupp
+)
+target_sources(contrib-libs-libcap PRIVATE
+  ${CMAKE_SOURCE_DIR}/contrib/libs/libcap/cap_alloc.c
+  ${CMAKE_SOURCE_DIR}/contrib/libs/libcap/cap_extint.c
+  ${CMAKE_SOURCE_DIR}/contrib/libs/libcap/cap_file.c
+  ${CMAKE_SOURCE_DIR}/contrib/libs/libcap/cap_flag.c
+  ${CMAKE_SOURCE_DIR}/contrib/libs/libcap/cap_proc.c
+  ${CMAKE_SOURCE_DIR}/contrib/libs/libcap/cap_text.c
+)
diff --git a/contrib/libs/libcap/CMakeLists.txt b/contrib/libs/libcap/CMakeLists.txt
new file mode 100644
index 0000000000..4d48dcdee6
--- /dev/null
+++ b/contrib/libs/libcap/CMakeLists.txt
@@ -0,0 +1,13 @@
+
+# This file was generated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+if (CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64" AND NOT HAVE_CUDA)
+  include(CMakeLists.linux-aarch64.txt)
+elseif (CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND NOT HAVE_CUDA)
+  include(CMakeLists.linux-x86_64.txt)
+endif()
diff --git a/contrib/libs/libcap/License b/contrib/libs/libcap/License
new file mode 100644
index 0000000000..8a352bc5bd
--- /dev/null
+++ b/contrib/libs/libcap/License
@@ -0,0 +1,385 @@
+Unless otherwise *explicitly* stated, the following text describes the
+licensed conditions under which the contents of this libcap release
+may be used and distributed:
+
+-------------------------------------------------------------------------
+Redistribution and use in source and binary forms of libcap, with
+or without modification, are permitted provided that the following
+conditions are met:
+
+1. Redistributions of source code must retain any existing copyright
+   notice, and this entire permission notice in its entirety,
+   including the disclaimer of warranties.
+
+2. Redistributions in binary form must reproduce all prior and current
+   copyright notices, this list of conditions, and the following
+   disclaimer in the documentation and/or other materials provided
+   with the distribution.
+
+3. The name of any author may not be used to endorse or promote
+   products derived from this software without their specific prior
+   written permission.
+
+ALTERNATIVELY, this product may be distributed under the terms of the
+GNU General Public License (v2.0 - see below), in which case the
+provisions of the GNU GPL are required INSTEAD OF the above
+restrictions.  (This clause is necessary due to a potential conflict
+between the GNU GPL and the restrictions contained in a BSD-style
+copyright.)
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGE.
+-------------------------------------------------------------------------
+
+-------------------------
+Full text of gpl-2.0.txt:
+-------------------------
+
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
diff --git a/contrib/libs/libcap/cap_alloc.c b/contrib/libs/libcap/cap_alloc.c
new file mode 100644
index 0000000000..525ea90361
--- /dev/null
+++ b/contrib/libs/libcap/cap_alloc.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 1997-8 Andrew G Morgan <morgan@kernel.org>
+ *
+ * This file deals with allocation and deallocation of internal
+ * capability sets as specified by POSIX.1e (formerlly, POSIX 6).
+ */
+
+#include "libcap.h"
+
+/*
+ * Obtain a blank set of capabilities
+ */
+
+cap_t cap_init(void)
+{
+    __u32 *raw_data;
+    cap_t result;
+
+    raw_data = malloc( sizeof(__u32) + sizeof(*result) );
+
+    if (raw_data == NULL) {
+	_cap_debug("out of memory");
+	errno = ENOMEM;
+	return NULL;
+    }
+
+    *raw_data = CAP_T_MAGIC;
+    result = (cap_t) (raw_data + 1);
+    memset(result, 0, sizeof(*result));
+
+    result->head.version = _LIBCAP_CAPABILITY_VERSION;
+    capget(&result->head, NULL);      /* load the kernel-capability version */
+
+    switch (result->head.version) {
+#ifdef _LINUX_CAPABILITY_VERSION_1
+    case _LINUX_CAPABILITY_VERSION_1:
+	break;
+#endif
+#ifdef _LINUX_CAPABILITY_VERSION_2
+    case _LINUX_CAPABILITY_VERSION_2:
+	break;
+#endif
+#ifdef _LINUX_CAPABILITY_VERSION_3
+    case _LINUX_CAPABILITY_VERSION_3:
+	break;
+#endif
+    default:                          /* No idea what to do */
+	cap_free(result);
+	result = NULL;
+	break;
+    }
+
+    return result;
+}
+
+/*
+ * This is an internal library function to duplicate a string and
+ * tag the result as something cap_free can handle.
+ */
+
+char *_libcap_strdup(const char *old)
+{
+    __u32 *raw_data;
+
+    if (old == NULL) {
+	errno = EINVAL;
+	return NULL;
+    }
+
+    raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
+    if (raw_data == NULL) {
+	errno = ENOMEM;
+	return NULL;
+    }
+
+    *(raw_data++) = CAP_S_MAGIC;
+    strcpy((char *) raw_data, old);
+
+    return ((char *) raw_data);
+}
+
+/*
+ * This function duplicates an internal capability set with
+ * malloc()'d memory. It is the responsibility of the user to call
+ * cap_free() to liberate it.
+ */
+
+cap_t cap_dup(cap_t cap_d)
+{
+    cap_t result;
+
+    if (!good_cap_t(cap_d)) {
+	_cap_debug("bad argument");
+	errno = EINVAL;
+	return NULL;
+    }
+
+    result = cap_init();
+    if (result == NULL) {
+	_cap_debug("out of memory");
+	return NULL;
+    }
+
+    memcpy(result, cap_d, sizeof(*cap_d));
+
+    return result;
+}
+
+
+/*
+ * Scrub and then liberate an internal capability set.
+ */
+
+int cap_free(void *data_p)
+{
+    if ( !data_p )
+	return 0;
+
+    if ( good_cap_t(data_p) ) {
+	data_p = -1 + (__u32 *) data_p;
+	memset(data_p, 0, sizeof(__u32) + sizeof(struct _cap_struct));
+	free(data_p);
+	data_p = NULL;
+	return 0;
+    }
+
+    if ( good_cap_string(data_p) ) {
+	size_t length = strlen(data_p) + sizeof(__u32);
+     	data_p = -1 + (__u32 *) data_p;
+     	memset(data_p, 0, length);
+     	free(data_p);
+     	data_p = NULL;
+     	return 0;
+    }
+
+    _cap_debug("don't recognize what we're supposed to liberate");
+    errno = EINVAL;
+    return -1;
+}
diff --git a/contrib/libs/libcap/cap_extint.c b/contrib/libs/libcap/cap_extint.c
new file mode 100644
index 0000000000..7d6e7ade05
--- /dev/null
+++ b/contrib/libs/libcap/cap_extint.c
@@ -0,0 +1,123 @@
+/*
+ * Copyright (c) 1997-8 Andrew G Morgan <morgan@kernel.org>
+ *
+ * This file deals with exchanging internal and external
+ * representations of capability sets.
+ */
+
+#include "libcap.h"
+
+/*
+ * External representation for capabilities. (exported as a fixed
+ * length)
+ */
+#define CAP_EXT_MAGIC "\220\302\001\121"
+#define CAP_EXT_MAGIC_SIZE 4
+const static __u8 external_magic[CAP_EXT_MAGIC_SIZE+1] = CAP_EXT_MAGIC;
+
+struct cap_ext_struct {
+    __u8 magic[CAP_EXT_MAGIC_SIZE];
+    __u8 length_of_capset;
+    /*
+     * note, we arrange these so the caps are stacked with byte-size
+     * resolution
+     */
+    __u8 bytes[CAP_SET_SIZE][NUMBER_OF_CAP_SETS];
+};
+
+/*
+ * return size of external capability set
+ */
+
+ssize_t cap_size(cap_t caps)
+{
+    return ssizeof(struct cap_ext_struct);
+}
+
+/*
+ * Copy the internal (cap_d) capability set into an external
+ * representation.  The external representation is portable to other
+ * Linux architectures.
+ */
+
+ssize_t cap_copy_ext(void *cap_ext, cap_t cap_d, ssize_t length)
+{
+    struct cap_ext_struct *result = (struct cap_ext_struct *) cap_ext;
+    int i;
+
+    /* valid arguments? */
+    if (!good_cap_t(cap_d) || length < ssizeof(struct cap_ext_struct)
+	|| cap_ext == NULL) {
+	errno = EINVAL;
+	return -1;
+    }
+
+    /* fill external capability set */
+    memcpy(&result->magic, external_magic, CAP_EXT_MAGIC_SIZE);
+    result->length_of_capset = CAP_SET_SIZE;
+
+    for (i=0; i<NUMBER_OF_CAP_SETS; ++i) {
+	size_t j;
+	for (j=0; j<CAP_SET_SIZE; ) {
+	    __u32 val;
+
+	    val = cap_d->u[j/sizeof(__u32)].flat[i];
+
+	    result->bytes[j++][i] =  val        & 0xFF;
+	    result->bytes[j++][i] = (val >>= 8) & 0xFF;
+	    result->bytes[j++][i] = (val >>= 8) & 0xFF;
+	    result->bytes[j++][i] = (val >> 8)  & 0xFF;
+	}
+    }
+
+    /* All done: return length of external representation */
+    return (ssizeof(struct cap_ext_struct));
+}
+
+/*
+ * Import an external representation to produce an internal rep.
+ * the internal rep should be liberated with cap_free().
+ */
+
+cap_t cap_copy_int(const void *cap_ext)
+{
+    const struct cap_ext_struct *export =
+	(const struct cap_ext_struct *) cap_ext;
+    cap_t cap_d;
+    int set, blen;
+
+    /* Does the external representation make sense? */
+    if ((export == NULL)
+	|| memcmp(export->magic, external_magic, CAP_EXT_MAGIC_SIZE)) {
+	errno = EINVAL;
+	return NULL;
+    }
+
+    /* Obtain a new internal capability set */
+    if (!(cap_d = cap_init()))
+       return NULL;
+
+    blen = export->length_of_capset;
+    for (set=0; set<NUMBER_OF_CAP_SETS; ++set) {
+	unsigned blk;
+	int bno = 0;
+	for (blk=0; blk<(CAP_SET_SIZE/sizeof(__u32)); ++blk) {
+	    __u32 val = 0;
+
+	    if (bno != blen)
+		val  = export->bytes[bno++][set];
+	    if (bno != blen)
+		val |= export->bytes[bno++][set] << 8;
+	    if (bno != blen)
+		val |= export->bytes[bno++][set] << 16;
+	    if (bno != blen)
+		val |= export->bytes[bno++][set] << 24;
+
+	    cap_d->u[blk].flat[set] = val;
+	}
+    }
+
+    /* all done */
+    return cap_d;
+}
+
diff --git a/contrib/libs/libcap/cap_file.c b/contrib/libs/libcap/cap_file.c
new file mode 100644
index 0000000000..40756ea46a
--- /dev/null
+++ b/contrib/libs/libcap/cap_file.c
@@ -0,0 +1,332 @@
+/*
+ * Copyright (c) 1997,2007,2016 Andrew G Morgan <morgan@kernel.org>
+ *
+ * This file deals with setting capabilities on files.
+ */
+
+#include <sys/types.h>
+#include <byteswap.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <linux/xattr.h>
+
+/*
+ * We hardcode the prototypes for the Linux system calls here since
+ * there are no libcap library APIs that expose the user to these
+ * details, and that way we don't need to foce clients to link any
+ * other libraries to access them.
+ */
+extern ssize_t getxattr(const char *, const char *, void *, size_t);
+extern ssize_t fgetxattr(int, const char *, void *, size_t);
+extern int setxattr(const char *, const char *, const void *, size_t, int);
+extern int fsetxattr(int, const char *, const void *, size_t, int);
+extern int removexattr(const char *, const char *);
+extern int fremovexattr(int, const char *);
+
+#include "libcap.h"
+
+#ifdef VFS_CAP_U32
+
+#if VFS_CAP_U32 != __CAP_BLKS
+# error VFS representation of capabilities is not the same size as kernel
+#endif
+
+#if __BYTE_ORDER == __BIG_ENDIAN
+#define FIXUP_32BITS(x) bswap_32(x)
+#else
+#define FIXUP_32BITS(x) (x)
+#endif
+
+static cap_t _fcaps_load(struct vfs_cap_data *rawvfscap, cap_t result,
+			 int bytes)
+{
+    __u32 magic_etc;
+    unsigned tocopy, i;
+
+    magic_etc = FIXUP_32BITS(rawvfscap->magic_etc);
+    switch (magic_etc & VFS_CAP_REVISION_MASK) {
+#ifdef VFS_CAP_REVISION_1
+    case VFS_CAP_REVISION_1:
+	tocopy = VFS_CAP_U32_1;
+	bytes -= XATTR_CAPS_SZ_1;
+	break;
+#endif
+
+#ifdef VFS_CAP_REVISION_2
+    case VFS_CAP_REVISION_2:
+	tocopy = VFS_CAP_U32_2;
+	bytes -= XATTR_CAPS_SZ_2;
+	break;
+#endif
+
+    default:
+	cap_free(result);
+	result = NULL;
+	return result;
+    }
+
+    /*
+     * Verify that we loaded exactly the right number of bytes
+     */
+    if (bytes != 0) {
+	cap_free(result);
+	result = NULL;
+	return result;
+    }
+
+    for (i=0; i < tocopy; i++) {
+	result->u[i].flat[CAP_INHERITABLE]
+	    = FIXUP_32BITS(rawvfscap->data[i].inheritable);
+	result->u[i].flat[CAP_PERMITTED]
+	    = FIXUP_32BITS(rawvfscap->data[i].permitted);
+	if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) {
+	    result->u[i].flat[CAP_EFFECTIVE]
+		= result->u[i].flat[CAP_INHERITABLE]
+		| result->u[i].flat[CAP_PERMITTED];
+	}
+    }
+    while (i < __CAP_BLKS) {
+	result->u[i].flat[CAP_INHERITABLE]
+	    = result->u[i].flat[CAP_PERMITTED]
+	    = result->u[i].flat[CAP_EFFECTIVE] = 0;
+	i++;
+    }
+
+    return result;
+}
+
+static int _fcaps_save(struct vfs_cap_data *rawvfscap, cap_t cap_d,
+		       int *bytes_p)
+{
+    __u32 eff_not_zero, magic;
+    unsigned tocopy, i;
+
+    if (!good_cap_t(cap_d)) {
+	errno = EINVAL;
+	return -1;
+    }
+
+    switch (cap_d->head.version) {
+#ifdef _LINUX_CAPABILITY_VERSION_1
+    case _LINUX_CAPABILITY_VERSION_1:
+	magic = VFS_CAP_REVISION_1;
+	tocopy = VFS_CAP_U32_1;
+	*bytes_p = XATTR_CAPS_SZ_1;
+	break;
+#endif
+
+#ifdef _LINUX_CAPABILITY_VERSION_2
+    case _LINUX_CAPABILITY_VERSION_2:
+	magic = VFS_CAP_REVISION_2;
+	tocopy = VFS_CAP_U32_2;
+	*bytes_p = XATTR_CAPS_SZ_2;
+	break;
+#endif
+
+#ifdef _LINUX_CAPABILITY_VERSION_3
+    case _LINUX_CAPABILITY_VERSION_3:
+	magic = VFS_CAP_REVISION_2;
+	tocopy = VFS_CAP_U32_2;
+	*bytes_p = XATTR_CAPS_SZ_2;
+	break;
+#endif
+
+    default:
+	errno = EINVAL;
+	return -1;
+    }
+
+    _cap_debug("setting named file capabilities");
+
+    for (eff_not_zero = 0, i = 0; i < tocopy; i++) {
+	eff_not_zero |= cap_d->u[i].flat[CAP_EFFECTIVE];
+    }
+    while (i < __CAP_BLKS) {
+	if ((cap_d->u[i].flat[CAP_EFFECTIVE]
+	     || cap_d->u[i].flat[CAP_INHERITABLE]
+	     || cap_d->u[i].flat[CAP_PERMITTED])) {
+	    /*
+	     * System does not support these capabilities
+	     */
+	    errno = EINVAL;
+	    return -1;
+	}
+	i++;
+    }
+
+    for (i=0; i < tocopy; i++) {
+	rawvfscap->data[i].permitted
+	    = FIXUP_32BITS(cap_d->u[i].flat[CAP_PERMITTED]);
+	rawvfscap->data[i].inheritable
+	    = FIXUP_32BITS(cap_d->u[i].flat[CAP_INHERITABLE]);
+
+	if (eff_not_zero
+	    && ((~(cap_d->u[i].flat[CAP_EFFECTIVE]))
+		& (cap_d->u[i].flat[CAP_PERMITTED]
+		   | cap_d->u[i].flat[CAP_INHERITABLE]))) {
+	    errno = EINVAL;
+	    return -1;
+	}
+    }
+
+    if (eff_not_zero == 0) {
+	rawvfscap->magic_etc = FIXUP_32BITS(magic);
+    } else {
+	rawvfscap->magic_etc = FIXUP_32BITS(magic|VFS_CAP_FLAGS_EFFECTIVE);
+    }
+
+    return 0;      /* success */
+}
+
+/*
+ * Get the capabilities of an open file, as specified by its file
+ * descriptor.
+ */
+
+cap_t cap_get_fd(int fildes)
+{
+    cap_t result;
+
+    /* allocate a new capability set */
+    result = cap_init();
+    if (result) {
+	struct vfs_cap_data rawvfscap;
+	int sizeofcaps;
+
+	_cap_debug("getting fildes capabilities");
+
+	/* fill the capability sets via a system call */
+	sizeofcaps = fgetxattr(fildes, XATTR_NAME_CAPS,
+			       &rawvfscap, sizeof(rawvfscap));
+	if (sizeofcaps < ssizeof(rawvfscap.magic_etc)) {
+	    cap_free(result);
+	    result = NULL;
+	} else {
+	    result = _fcaps_load(&rawvfscap, result, sizeofcaps);
+	}
+    }
+
+    return result;
+}
+
+/*
+ * Get the capabilities from a named file.
+ */
+
+cap_t cap_get_file(const char *filename)
+{
+    cap_t result;
+
+    /* allocate a new capability set */
+    result = cap_init();
+    if (result) {
+	struct vfs_cap_data rawvfscap;
+	int sizeofcaps;
+
+	_cap_debug("getting filename capabilities");
+
+	/* fill the capability sets via a system call */
+	sizeofcaps = getxattr(filename, XATTR_NAME_CAPS,
+			      &rawvfscap, sizeof(rawvfscap));
+	if (sizeofcaps < ssizeof(rawvfscap.magic_etc)) {
+	    cap_free(result);
+	    result = NULL;
+	} else {
+	    result = _fcaps_load(&rawvfscap, result, sizeofcaps);
+	}
+    }
+
+    return result;
+}
+
+/*
+ * Set the capabilities of an open file, as specified by its file
+ * descriptor.
+ */
+
+int cap_set_fd(int fildes, cap_t cap_d)
+{
+    struct vfs_cap_data rawvfscap;
+    int sizeofcaps;
+    struct stat buf;
+
+    if (fstat(fildes, &buf) != 0) {
+	_cap_debug("unable to stat file descriptor %d", fildes);
+	return -1;
+    }
+    if (S_ISLNK(buf.st_mode) || !S_ISREG(buf.st_mode)) {
+	_cap_debug("file descriptor %d for non-regular file", fildes);
+	errno = EINVAL;
+	return -1;
+    }
+
+    if (cap_d == NULL) {
+	_cap_debug("deleting fildes capabilities");
+	return fremovexattr(fildes, XATTR_NAME_CAPS);
+    } else if (_fcaps_save(&rawvfscap, cap_d, &sizeofcaps) != 0) {
+	return -1;
+    }
+
+    _cap_debug("setting fildes capabilities");
+
+    return fsetxattr(fildes, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0);
+}
+
+/*
+ * Set the capabilities of a named file.
+ */
+
+int cap_set_file(const char *filename, cap_t cap_d)
+{
+    struct vfs_cap_data rawvfscap;
+    int sizeofcaps;
+    struct stat buf;
+
+    if (lstat(filename, &buf) != 0) {
+	_cap_debug("unable to stat file [%s]", filename);
+	return -1;
+    }
+    if (S_ISLNK(buf.st_mode) || !S_ISREG(buf.st_mode)) {
+	_cap_debug("file [%s] is not a regular file", filename);
+	errno = EINVAL;
+	return -1;
+    }
+
+    if (cap_d == NULL) {
+	_cap_debug("removing filename capabilities");
+	return removexattr(filename, XATTR_NAME_CAPS);
+    } else if (_fcaps_save(&rawvfscap, cap_d, &sizeofcaps) != 0) {
+	return -1;
+    }
+
+    _cap_debug("setting filename capabilities");
+    return setxattr(filename, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0);
+}
+
+#else /* ie. ndef VFS_CAP_U32 */
+
+cap_t cap_get_fd(int fildes)
+{
+    errno = EINVAL;
+    return NULL;
+}
+
+cap_t cap_get_file(const char *filename)
+{
+    errno = EINVAL;
+    return NULL;
+}
+
+int cap_set_fd(int fildes, cap_t cap_d)
+{
+    errno = EINVAL;
+    return -1;
+}
+
+int cap_set_file(const char *filename, cap_t cap_d)
+{
+    errno = EINVAL;
+    return -1;
+}
+
+#endif /* def VFS_CAP_U32 */
diff --git a/contrib/libs/libcap/cap_flag.c b/contrib/libs/libcap/cap_flag.c
new file mode 100644
index 0000000000..52ec3b32e0
--- /dev/null
+++ b/contrib/libs/libcap/cap_flag.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (c) 1997-8,2008 Andrew G. Morgan <morgan@kernel.org>
+ *
+ * This file deals with flipping of capabilities on internal
+ * capability sets as specified by POSIX.1e (formerlly, POSIX 6).
+ */
+
+#include "libcap.h"
+
+/*
+ * Return the state of a specified capability flag.  The state is
+ * returned as the contents of *raised.  The capability is from one of
+ * the sets stored in cap_d as specified by set and value
+ */
+
+int cap_get_flag(cap_t cap_d, cap_value_t value, cap_flag_t set,
+		 cap_flag_value_t *raised)
+{
+    /*
+     * Do we have a set and a place to store its value?
+     * Is it a known capability?
+     */
+
+    if (raised && good_cap_t(cap_d) && value >= 0 && value < __CAP_BITS
+	&& set >= 0 && set < NUMBER_OF_CAP_SETS) {
+	*raised = isset_cap(cap_d,value,set) ? CAP_SET:CAP_CLEAR;
+	return 0;
+    } else {
+	_cap_debug("invalid arguments");
+	errno = EINVAL;
+	return -1;
+    }
+}
+
+/*
+ * raise/lower a selection of capabilities
+ */
+
+int cap_set_flag(cap_t cap_d, cap_flag_t set,
+		 int no_values, const cap_value_t *array_values,
+		 cap_flag_value_t raise)
+{
+    /*
+     * Do we have a set and a place to store its value?
+     * Is it a known capability?
+     */
+
+    if (good_cap_t(cap_d) && no_values > 0 && no_values <= __CAP_BITS
+	&& (set >= 0) && (set < NUMBER_OF_CAP_SETS)
+	&& (raise == CAP_SET || raise == CAP_CLEAR) ) {
+	int i;
+	for (i=0; i<no_values; ++i) {
+	    if (array_values[i] < 0 || array_values[i] >= __CAP_BITS) {
+		_cap_debug("weird capability (%d) - skipped", array_values[i]);
+	    } else {
+		int value = array_values[i];
+
+		if (raise == CAP_SET) {
+		    cap_d->raise_cap(value,set);
+		} else {
+		    cap_d->lower_cap(value,set);
+		}
+	    }
+	}
+	return 0;
+
+    } else {
+
+	_cap_debug("invalid arguments");
+	errno = EINVAL;
+	return -1;
+
+    }
+}
+
+/*
+ *  Reset the capability to be empty (nothing raised)
+ */
+
+int cap_clear(cap_t cap_d)
+{
+    if (good_cap_t(cap_d)) {
+
+	memset(&(cap_d->u), 0, sizeof(cap_d->u));
+	return 0;
+
+    } else {
+
+	_cap_debug("invalid pointer");
+	errno = EINVAL;
+	return -1;
+
+    }
+}
+
+/*
+ *  Reset the all of the capability bits for one of the flag sets
+ */
+
+int cap_clear_flag(cap_t cap_d, cap_flag_t flag)
+{
+    switch (flag) {
+    case CAP_EFFECTIVE:
+    case CAP_PERMITTED:
+    case CAP_INHERITABLE:
+	if (good_cap_t(cap_d)) {
+	    unsigned i;
+
+	    for (i=0; i<_LIBCAP_CAPABILITY_U32S; i++) {
+		cap_d->u[i].flat[flag] = 0;
+	    }
+	    return 0;
+	}
+	/*
+	 * fall through
+	 */
+
+    default:
+	_cap_debug("invalid pointer");
+	errno = EINVAL;
+	return -1;
+    }
+}
+
+/*
+ * Compare two capability sets
+ */
+
+int cap_compare(cap_t a, cap_t b)
+{
+    unsigned i;
+    int result;
+
+    if (!(good_cap_t(a) && good_cap_t(b))) {
+	_cap_debug("invalid arguments");
+	errno = EINVAL;
+	return -1;
+    }
+
+    for (i=0, result=0; i<_LIBCAP_CAPABILITY_U32S; i++) {
+	result |=
+	    ((a->u[i].flat[CAP_EFFECTIVE] != b->u[i].flat[CAP_EFFECTIVE])
+	     ? LIBCAP_EFF : 0)
+	    | ((a->u[i].flat[CAP_INHERITABLE] != b->u[i].flat[CAP_INHERITABLE])
+	       ? LIBCAP_INH : 0)
+	    | ((a->u[i].flat[CAP_PERMITTED] != b->u[i].flat[CAP_PERMITTED])
+	       ? LIBCAP_PER : 0);
+    }
+    return result;
+}
diff --git a/contrib/libs/libcap/cap_names.h b/contrib/libs/libcap/cap_names.h
new file mode 100644
index 0000000000..b97c3363a5
--- /dev/null
+++ b/contrib/libs/libcap/cap_names.h
@@ -0,0 +1,51 @@
+/*
+ * DO NOT EDIT: this file is generated automatically from
+ *
+ *     <linux/capability.h>
+ */
+#define __CAP_BITS   38
+
+#ifdef LIBCAP_PLEASE_INCLUDE_ARRAY
+  char const *_cap_names[__CAP_BITS] = {
+      /* 0 */	"cap_chown",
+      /* 1 */	"cap_dac_override",
+      /* 2 */	"cap_dac_read_search",
+      /* 3 */	"cap_fowner",
+      /* 4 */	"cap_fsetid",
+      /* 5 */	"cap_kill",
+      /* 6 */	"cap_setgid",
+      /* 7 */	"cap_setuid",
+      /* 8 */	"cap_setpcap",
+      /* 9 */	"cap_linux_immutable",
+      /* 10 */	"cap_net_bind_service",
+      /* 11 */	"cap_net_broadcast",
+      /* 12 */	"cap_net_admin",
+      /* 13 */	"cap_net_raw",
+      /* 14 */	"cap_ipc_lock",
+      /* 15 */	"cap_ipc_owner",
+      /* 16 */	"cap_sys_module",
+      /* 17 */	"cap_sys_rawio",
+      /* 18 */	"cap_sys_chroot",
+      /* 19 */	"cap_sys_ptrace",
+      /* 20 */	"cap_sys_pacct",
+      /* 21 */	"cap_sys_admin",
+      /* 22 */	"cap_sys_boot",
+      /* 23 */	"cap_sys_nice",
+      /* 24 */	"cap_sys_resource",
+      /* 25 */	"cap_sys_time",
+      /* 26 */	"cap_sys_tty_config",
+      /* 27 */	"cap_mknod",
+      /* 28 */	"cap_lease",
+      /* 29 */	"cap_audit_write",
+      /* 30 */	"cap_audit_control",
+      /* 31 */	"cap_setfcap",
+      /* 32 */	"cap_mac_override",
+      /* 33 */	"cap_mac_admin",
+      /* 34 */	"cap_syslog",
+      /* 35 */	"cap_wake_alarm",
+      /* 36 */	"cap_block_suspend",
+      /* 37 */	"cap_audit_read",
+  };
+#endif /* LIBCAP_PLEASE_INCLUDE_ARRAY */
+
+/* END OF FILE */
diff --git a/contrib/libs/libcap/cap_proc.c b/contrib/libs/libcap/cap_proc.c
new file mode 100644
index 0000000000..8ecb57ae90
--- /dev/null
+++ b/contrib/libs/libcap/cap_proc.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 1997-8,2007,2011 Andrew G Morgan <morgan@kernel.org>
+ *
+ * This file deals with getting and setting capabilities on processes.
+ */
+
+#include <sys/prctl.h>
+
+#include "libcap.h"
+
+cap_t cap_get_proc(void)
+{
+    cap_t result;
+
+    /* allocate a new capability set */
+    result = cap_init();
+    if (result) {
+	_cap_debug("getting current process' capabilities");
+
+	/* fill the capability sets via a system call */
+	if (capget(&result->head, &result->u[0].set)) {
+	    cap_free(result);
+	    result = NULL;
+	}
+    }
+
+    return result;
+}
+
+int cap_set_proc(cap_t cap_d)
+{
+    int retval;
+
+    if (!good_cap_t(cap_d)) {
+	errno = EINVAL;
+	return -1;
+    }
+
+    _cap_debug("setting process capabilities");
+    retval = capset(&cap_d->head, &cap_d->u[0].set);
+
+    return retval;
+}
+
+/* the following two functions are not required by POSIX */
+
+/* read the caps on a specific process */
+
+int capgetp(pid_t pid, cap_t cap_d)
+{
+    int error;
+
+    if (!good_cap_t(cap_d)) {
+	errno = EINVAL;
+	return -1;
+    }
+
+    _cap_debug("getting process capabilities for proc %d", pid);
+
+    cap_d->head.pid = pid;
+    error = capget(&cap_d->head, &cap_d->u[0].set);
+    cap_d->head.pid = 0;
+
+    return error;
+}
+
+/* allocate space for and return capabilities of target process */
+
+cap_t cap_get_pid(pid_t pid)
+{
+    cap_t result;
+
+    result = cap_init();
+    if (result) {
+	if (capgetp(pid, result) != 0) {
+	    int my_errno;
+
+	    my_errno = errno;
+	    cap_free(result);
+	    errno = my_errno;
+	    result = NULL;
+	}
+    }
+
+    return result;
+}
+
+/* set the caps on a specific process/pg etc.. */
+
+int capsetp(pid_t pid, cap_t cap_d)
+{
+    int error;
+
+    if (!good_cap_t(cap_d)) {
+	errno = EINVAL;
+	return -1;
+    }
+
+    _cap_debug("setting process capabilities for proc %d", pid);
+    cap_d->head.pid = pid;
+    error = capset(&cap_d->head, &cap_d->u[0].set);
+    cap_d->head.version = _LIBCAP_CAPABILITY_VERSION;
+    cap_d->head.pid = 0;
+
+    return error;
+}
+
+/* get a capability from the bounding set */
+
+int cap_get_bound(cap_value_t cap)
+{
+    int result;
+
+    result = prctl(PR_CAPBSET_READ, cap);
+    return result;
+}
+
+/* drop a capability from the bounding set */
+
+int cap_drop_bound(cap_value_t cap)
+{
+    int result;
+
+    result = prctl(PR_CAPBSET_DROP, cap);
+    return result;
+}
diff --git a/contrib/libs/libcap/cap_text.c b/contrib/libs/libcap/cap_text.c
new file mode 100644
index 0000000000..42fb685221
--- /dev/null
+++ b/contrib/libs/libcap/cap_text.c
@@ -0,0 +1,429 @@
+/*
+ * Copyright (c) 1997-8,2007-8 Andrew G Morgan <morgan@kernel.org>
+ * Copyright (c) 1997 Andrew Main <zefram@dcs.warwick.ac.uk>
+ *
+ * This file deals with exchanging internal and textual
+ * representations of capability sets.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+
+#define LIBCAP_PLEASE_INCLUDE_ARRAY
+#include "libcap.h"
+
+#include <ctype.h>
+#include <limits.h>
+
+/* Maximum output text length (16 per cap) */
+#define CAP_TEXT_SIZE    (16*__CAP_MAXBITS)
+
+/*
+ * Parse a textual representation of capabilities, returning an internal
+ * representation.
+ */
+
+#define raise_cap_mask(flat, c)  (flat)[CAP_TO_INDEX(c)] |= CAP_TO_MASK(c)
+
+static void setbits(cap_t a, const __u32 *b, cap_flag_t set, unsigned blks)
+{
+    int n;
+    for (n = blks; n--; ) {
+	a->u[n].flat[set] |= b[n];
+    }
+}
+
+static void clrbits(cap_t a, const __u32 *b, cap_flag_t set, unsigned blks)
+{
+    int n;
+    for (n = blks; n--; )
+	a->u[n].flat[set] &= ~b[n];
+}
+
+static char const *namcmp(char const *str, char const *nam)
+{
+    while (*nam && tolower((unsigned char)*str) == *nam) {
+	str++;
+	nam++;
+    }
+    if (*nam || isalnum((unsigned char)*str) || *str == '_')
+	return NULL;
+    return str;
+}
+
+static void forceall(__u32 *flat, __u32 value, unsigned blks)
+{
+    unsigned n;
+
+    for (n = blks; n--; flat[n] = value);
+
+    return;
+}
+
+static int lookupname(char const **strp)
+{
+    union {
+	char const *constp;
+	char *p;
+    } str;
+
+    str.constp = *strp;
+    if (isdigit(*str.constp)) {
+	unsigned long n = strtoul(str.constp, &str.p, 0);
+	if (n >= __CAP_MAXBITS)
+	    return -1;
+	*strp = str.constp;
+	return n;
+    } else {
+	int c;
+	unsigned len;
+
+	for (len=0; (c = str.constp[len]); ++len) {
+	    if (!(isalpha(c) || (c == '_'))) {
+		break;
+	    }
+	}
+
+#ifdef GPERF_DOWNCASE
+	const struct __cap_token_s *token_info;
+
+	token_info = __cap_lookup_name(str.constp, len);
+	if (token_info != NULL) {
+	    *strp = str.constp + len;
+	    return token_info->index;
+	}
+#else /* ie., ndef GPERF_DOWNCASE */
+	char const *s;
+	unsigned n;
+
+	for (n = __CAP_BITS; n--; )
+	    if (_cap_names[n] && (s = namcmp(str.constp, _cap_names[n]))) {
+		*strp = s;
+		return n;
+	    }
+#endif /* def GPERF_DOWNCASE */
+
+	return -1;   	/* No definition available */
+    }
+}
+
+cap_t cap_from_text(const char *str)
+{
+    cap_t res;
+    int n;
+    unsigned cap_blks;
+
+    if (str == NULL) {
+	_cap_debug("bad argument");
+	errno = EINVAL;
+	return NULL;
+    }
+
+    if (!(res = cap_init()))
+	return NULL;
+
+    switch (res->head.version) {
+    case _LINUX_CAPABILITY_VERSION_1:
+	cap_blks = _LINUX_CAPABILITY_U32S_1;
+	break;
+    case _LINUX_CAPABILITY_VERSION_2:
+	cap_blks = _LINUX_CAPABILITY_U32S_2;
+	break;
+    case _LINUX_CAPABILITY_VERSION_3:
+	cap_blks = _LINUX_CAPABILITY_U32S_3;
+	break;
+    default:
+	errno = EINVAL;
+	return NULL;
+    }
+    
+    _cap_debug("%s", str);
+
+    for (;;) {
+	__u32 list[__CAP_BLKS];
+	char op;
+	int flags = 0, listed=0;
+
+	forceall(list, 0, __CAP_BLKS);
+
+	/* skip leading spaces */
+	while (isspace((unsigned char)*str))
+	    str++;
+	if (!*str) {
+	    _cap_debugcap("e = ", *res, CAP_EFFECTIVE);
+	    _cap_debugcap("i = ", *res, CAP_INHERITABLE);
+	    _cap_debugcap("p = ", *res, CAP_PERMITTED);
+
+	    return res;
+	}
+
+	/* identify caps specified by this clause */
+	if (isalnum((unsigned char)*str) || *str == '_') {
+	    for (;;) {
+		if (namcmp(str, "all")) {
+		    str += 3;
+		    forceall(list, ~0, cap_blks);
+		} else {
+		    n = lookupname(&str);
+		    if (n == -1)
+			goto bad;
+		    raise_cap_mask(list, n);
+		}
+		if (*str != ',')
+		    break;
+		if (!isalnum((unsigned char)*++str) && *str != '_')
+		    goto bad;
+	    }
+	    listed = 1;
+	} else if (*str == '+' || *str == '-') {
+	    goto bad;                    /* require a list of capabilities */
+	} else {
+	    forceall(list, ~0, cap_blks);
+	}
+
+	/* identify first operation on list of capabilities */
+	op = *str++;
+	if (op == '=' && (*str == '+' || *str == '-')) {
+	    if (!listed)
+		goto bad;
+	    op = (*str++ == '+' ? 'P':'M'); /* skip '=' and take next op */
+	} else if (op != '+' && op != '-' && op != '=')
+	    goto bad;
+
+	/* cycle through list of actions */
+	do {
+	    _cap_debug("next char = `%c'", *str);
+	    if (*str && !isspace(*str)) {
+		switch (*str++) {    /* Effective, Inheritable, Permitted */
+		case 'e':
+		    flags |= LIBCAP_EFF;
+		    break;
+		case 'i':
+		    flags |= LIBCAP_INH;
+		    break;
+		case 'p':
+		    flags |= LIBCAP_PER;
+		    break;
+		default:
+		    goto bad;
+		}
+	    } else if (op != '=') {
+		_cap_debug("only '=' can be followed by space");
+		goto bad;
+	    }
+
+	    _cap_debug("how to read?");
+	    switch (op) {               /* how do we interpret the caps? */
+	    case '=':
+	    case 'P':                                              /* =+ */
+	    case 'M':                                              /* =- */
+		clrbits(res, list, CAP_EFFECTIVE, cap_blks);
+		clrbits(res, list, CAP_PERMITTED, cap_blks);
+		clrbits(res, list, CAP_INHERITABLE, cap_blks);
+		if (op == 'M')
+		    goto minus;
+		/* fall through */
+	    case '+':
+		if (flags & LIBCAP_EFF)
+		    setbits(res, list, CAP_EFFECTIVE, cap_blks);
+		if (flags & LIBCAP_PER)
+		    setbits(res, list, CAP_PERMITTED, cap_blks);
+		if (flags & LIBCAP_INH)
+		    setbits(res, list, CAP_INHERITABLE, cap_blks);
+		break;
+	    case '-':
+	    minus:
+		if (flags & LIBCAP_EFF)
+		    clrbits(res, list, CAP_EFFECTIVE, cap_blks);
+		if (flags & LIBCAP_PER)
+		    clrbits(res, list, CAP_PERMITTED, cap_blks);
+		if (flags & LIBCAP_INH)
+		    clrbits(res, list, CAP_INHERITABLE, cap_blks);
+		break;
+	    }
+
+	    /* new directive? */
+	    if (*str == '+' || *str == '-') {
+		if (!listed) {
+		    _cap_debug("for + & - must list capabilities");
+		    goto bad;
+		}
+		flags = 0;                       /* reset the flags */
+		op = *str++;
+		if (!isalpha(*str))
+		    goto bad;
+	    }
+	} while (*str && !isspace(*str));
+	_cap_debug("next clause");
+    }
+
+bad:
+    cap_free(res);
+    res = NULL;
+    errno = EINVAL;
+    return res;
+}
+
+/*
+ * lookup a capability name and return its numerical value
+ */
+int cap_from_name(const char *name, cap_value_t *value_p)
+{
+    int n;
+
+    if (((n = lookupname(&name)) >= 0) && (value_p != NULL)) {
+	*value_p = (unsigned) n;
+    }
+    return -(n < 0);
+}
+
+/*
+ * Convert a single capability index number into a string representation
+ */
+char *cap_to_name(cap_value_t cap)
+{
+    if ((cap < 0) || (cap >= __CAP_BITS)) {
+#if UINT_MAX != 4294967295U
+# error Recompile with correctly sized numeric array
+#endif
+	char *tmp, *result;
+
+	asprintf(&tmp, "%u", cap);
+	result = _libcap_strdup(tmp);
+	free(tmp);
+
+	return result;
+    } else {
+	return _libcap_strdup(_cap_names[cap]);
+    }
+}
+
+/*
+ * Convert an internal representation to a textual one. The textual
+ * representation is stored in static memory. It will be overwritten
+ * on the next occasion that this function is called.
+ */
+
+static int getstateflags(cap_t caps, int capno)
+{
+    int f = 0;
+
+    if (isset_cap(caps, capno, CAP_EFFECTIVE)) {
+	f |= LIBCAP_EFF;
+    }
+    if (isset_cap(caps, capno, CAP_PERMITTED)) {
+	f |= LIBCAP_PER;
+    }
+    if (isset_cap(caps, capno, CAP_INHERITABLE)) {
+	f |= LIBCAP_INH;
+    }
+
+    return f;
+}
+
+#define CAP_TEXT_BUFFER_ZONE 100
+
+char *cap_to_text(cap_t caps, ssize_t *length_p)
+{
+    char buf[CAP_TEXT_SIZE+CAP_TEXT_BUFFER_ZONE];
+    char *p;
+    int histo[8];
+    int m, t;
+    unsigned n;
+    unsigned cap_maxbits, cap_blks;
+
+    /* Check arguments */
+    if (!good_cap_t(caps)) {
+	errno = EINVAL;
+	return NULL;
+    }
+
+    switch (caps->head.version) {
+    case _LINUX_CAPABILITY_VERSION_1:
+	cap_blks = _LINUX_CAPABILITY_U32S_1;
+	break;
+    case _LINUX_CAPABILITY_VERSION_2:
+	cap_blks = _LINUX_CAPABILITY_U32S_2;
+	break;
+    case _LINUX_CAPABILITY_VERSION_3:
+	cap_blks = _LINUX_CAPABILITY_U32S_3;
+	break;
+    default:
+	errno = EINVAL;
+	return NULL;
+    }
+
+    cap_maxbits = 32 * cap_blks;
+
+    _cap_debugcap("e = ", *caps, CAP_EFFECTIVE);
+    _cap_debugcap("i = ", *caps, CAP_INHERITABLE);
+    _cap_debugcap("p = ", *caps, CAP_PERMITTED);
+
+    memset(histo, 0, sizeof(histo));
+
+    /* default prevailing state to the upper - unnamed bits */
+    for (n = cap_maxbits-1; n > __CAP_BITS; n--)
+	histo[getstateflags(caps, n)]++;
+
+    /* find which combination of capability sets shares the most bits
+       we bias to preferring non-set (m=0) with the >= 0 test. Failing
+       to do this causes strange things to happen with older systems
+       that don't know about bits 32+. */
+    for (m=t=7; t--; )
+	if (histo[t] >= histo[m])
+	    m = t;
+
+    /* capture remaining bits - selecting m from only the unnamed bits,
+       we maximize the likelihood that we won't see numeric capability
+       values in the text output. */
+    while (n--)
+	histo[getstateflags(caps, n)]++;
+
+    /* blank is not a valid capability set */
+    p = sprintf(buf, "=%s%s%s",
+		(m & LIBCAP_EFF) ? "e" : "",
+		(m & LIBCAP_INH) ? "i" : "",
+		(m & LIBCAP_PER) ? "p" : "" ) + buf;
+
+    for (t = 8; t--; )
+	if (t != m && histo[t]) {
+	    *p++ = ' ';
+	    for (n = 0; n < cap_maxbits; n++)
+		if (getstateflags(caps, n) == t) {
+		    char *this_cap_name;
+
+		    this_cap_name = cap_to_name(n);
+		    if ((strlen(this_cap_name) + (p - buf)) > CAP_TEXT_SIZE) {
+			cap_free(this_cap_name);
+			errno = ERANGE;
+			return NULL;
+		    }
+		    p += sprintf(p, "%s,", this_cap_name);
+		    cap_free(this_cap_name);
+		}
+	    p--;
+	    n = t & ~m;
+	    if (n)
+		p += sprintf(p, "+%s%s%s",
+			     (n & LIBCAP_EFF) ? "e" : "",
+			     (n & LIBCAP_INH) ? "i" : "",
+			     (n & LIBCAP_PER) ? "p" : "");
+	    n = ~t & m;
+	    if (n)
+		p += sprintf(p, "-%s%s%s",
+			     (n & LIBCAP_EFF) ? "e" : "",
+			     (n & LIBCAP_INH) ? "i" : "",
+			     (n & LIBCAP_PER) ? "p" : "");
+	    if (p - buf > CAP_TEXT_SIZE) {
+		errno = ERANGE;
+		return NULL;
+	    }
+	}
+
+    _cap_debug("%s", buf);
+    if (length_p) {
+	*length_p = p - buf;
+    }
+
+    return (_libcap_strdup(buf));
+}
diff --git a/contrib/libs/libcap/include/sys/capability.h b/contrib/libs/libcap/include/sys/capability.h
new file mode 100644
index 0000000000..4d3b7bfe23
--- /dev/null
+++ b/contrib/libs/libcap/include/sys/capability.h
@@ -0,0 +1,126 @@
+/*
+ * <sys/capability.h>
+ *
+ * Copyright (C) 1997   Aleph One
+ * Copyright (C) 1997-8,2008 Andrew G. Morgan <morgan@kernel.org>
+ *
+ * defunct POSIX.1e Standard: 25.2 Capabilities           <sys/capability.h>
+ */
+
+#ifndef _SYS_CAPABILITY_H
+#define _SYS_CAPABILITY_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * This file complements the kernel file by providing prototype
+ * information for the user library.
+ */
+
+#include <sys/types.h>
+#include <stdint.h>
+#include <linux/types.h>
+
+#ifndef __user
+#define __user
+#endif
+#include <linux/capability.h>
+
+/*
+ * POSIX capability types
+ */
+
+/*
+ * Opaque capability handle (defined internally by libcap)
+ * internal capability representation
+ */
+typedef struct _cap_struct *cap_t;
+
+/* "external" capability representation is a (void *) */
+
+/*
+ * This is the type used to identify capabilities
+ */
+
+typedef int cap_value_t;
+
+/*
+ * Set identifiers
+ */
+typedef enum {
+    CAP_EFFECTIVE=0,                        /* Specifies the effective flag */
+    CAP_PERMITTED=1,                        /* Specifies the permitted flag */
+    CAP_INHERITABLE=2                     /* Specifies the inheritable flag */
+} cap_flag_t;
+
+/*
+ * These are the states available to each capability
+ */
+typedef enum {
+    CAP_CLEAR=0,                            /* The flag is cleared/disabled */
+    CAP_SET=1                                    /* The flag is set/enabled */
+} cap_flag_value_t;
+
+/*
+ * User-space capability manipulation routines
+ */
+
+/* libcap/cap_alloc.c */
+extern cap_t   cap_dup(cap_t);
+extern int     cap_free(void *);
+extern cap_t   cap_init(void);
+
+/* libcap/cap_flag.c */
+extern int     cap_get_flag(cap_t, cap_value_t, cap_flag_t, cap_flag_value_t *);
+extern int     cap_set_flag(cap_t, cap_flag_t, int, const cap_value_t *,
+			    cap_flag_value_t);
+extern int     cap_clear(cap_t);
+extern int     cap_clear_flag(cap_t, cap_flag_t);
+
+/* libcap/cap_file.c */
+extern cap_t   cap_get_fd(int);
+extern cap_t   cap_get_file(const char *);
+extern int     cap_set_fd(int, cap_t);
+extern int     cap_set_file(const char *, cap_t);
+
+/* libcap/cap_proc.c */
+extern cap_t   cap_get_proc(void);
+extern cap_t   cap_get_pid(pid_t);
+extern int     cap_set_proc(cap_t);
+
+extern int     cap_get_bound(cap_value_t);
+extern int     cap_drop_bound(cap_value_t);
+
+#define CAP_IS_SUPPORTED(cap)  (cap_get_bound(cap) >= 0)
+
+/* libcap/cap_extint.c */
+extern ssize_t cap_size(cap_t);
+extern ssize_t cap_copy_ext(void *, cap_t, ssize_t);
+extern cap_t   cap_copy_int(const void *);
+
+/* libcap/cap_text.c */
+extern cap_t   cap_from_text(const char *);
+extern char *  cap_to_text(cap_t, ssize_t *);
+extern int     cap_from_name(const char *, cap_value_t *);
+extern char *  cap_to_name(cap_value_t);
+
+#define CAP_DIFFERS(result, flag)  (((result) & (1 << (flag))) != 0)
+extern int     cap_compare(cap_t, cap_t);
+
+/* system calls - look to libc for function to system call mapping */
+extern int capget(cap_user_header_t header, cap_user_data_t data);
+extern int capset(cap_user_header_t header, const cap_user_data_t data);
+
+/* deprecated - use cap_get_pid() */
+extern int capgetp(pid_t pid, cap_t cap_d);
+
+/* not valid with filesystem capability support - use cap_set_proc() */
+extern int capsetp(pid_t pid, cap_t cap_d);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _SYS_CAPABILITY_H */
diff --git a/contrib/libs/libcap/include/sys/securebits.h b/contrib/libs/libcap/include/sys/securebits.h
new file mode 100644
index 0000000000..14cf3c5a49
--- /dev/null
+++ b/contrib/libs/libcap/include/sys/securebits.h
@@ -0,0 +1,22 @@
+/*
+ * <sys/securebits.h>
+ * Copyright (C) 2010	Serge Hallyn <serue@us.ibm.com>
+ */
+
+#ifndef _SYS_SECUREBITS_H
+#define _SYS_SECUREBITS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef __user
+#define __user
+#endif
+#include <linux/securebits.h>
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _SYS_SECUREBITS_H */
diff --git a/contrib/libs/libcap/libcap.h b/contrib/libs/libcap/libcap.h
new file mode 100644
index 0000000000..eabf8d3cdb
--- /dev/null
+++ b/contrib/libs/libcap/libcap.h
@@ -0,0 +1,209 @@
+/*
+ * Copyright (c) 1997 Andrew G Morgan <morgan@kernel.org>
+ *
+ * This file contains internal definitions for the various functions in
+ * this small capability library.
+ */
+
+#ifndef LIBCAP_H
+#define LIBCAP_H
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <sys/capability.h>
+
+#ifndef __u8
+#define __u8    uint8_t
+#endif /* __8 */
+
+#ifndef __u32
+#define __u32   uint32_t
+#endif /* __u32 */
+
+/* include the names for the caps and a definition of __CAP_BITS */
+#include "cap_names.h"
+
+#ifndef _LINUX_CAPABILITY_U32S_1
+# define _LINUX_CAPABILITY_U32S_1          1
+#endif /* ndef _LINUX_CAPABILITY_U32S */
+
+/*
+ * Do we match the local kernel?
+ */
+
+#if !defined(_LINUX_CAPABILITY_VERSION)
+
+# error Kernel <linux/capability.h> does not support library
+# error file "libcap.h" --> fix and recompile libcap
+
+#elif !defined(_LINUX_CAPABILITY_VERSION_2)
+
+# warning Kernel <linux/capability.h> does not support 64-bit capabilities
+# warning and libcap is being built with no support for 64-bit capabilities
+
+# ifndef _LINUX_CAPABILITY_VERSION_1
+#  define _LINUX_CAPABILITY_VERSION_1 0x19980330
+# endif
+
+# _LIBCAP_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_1
+# _LIBCAP_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_1
+
+#elif defined(_LINUX_CAPABILITY_VERSION_3)
+
+# if (_LINUX_CAPABILITY_VERSION_3 != 0x20080522)
+#  error Kernel <linux/capability.h> v3 does not match library
+#  error file "libcap.h" --> fix and recompile libcap
+# else
+#  define _LIBCAP_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_3
+#  define _LIBCAP_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_3
+# endif
+
+#elif (_LINUX_CAPABILITY_VERSION_2 != 0x20071026)
+
+# error Kernel <linux/capability.h> does not match library
+# error file "libcap.h" --> fix and recompile libcap
+
+#else
+
+# define _LIBCAP_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_2
+# define _LIBCAP_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_2
+
+#endif
+
+#undef _LINUX_CAPABILITY_VERSION
+#undef _LINUX_CAPABILITY_U32S
+
+/*
+ * This is a pointer to a struct containing three consecutive
+ * capability sets in the order of the cap_flag_t type: the are
+ * effective,inheritable and permitted.  This is the type that the
+ * user-space routines think of as 'internal' capabilities - this is
+ * the type that is passed to the kernel with the system calls related
+ * to processes.
+ */
+
+#if defined(VFS_CAP_REVISION_MASK) && !defined(VFS_CAP_U32)
+# define VFS_CAP_U32_1                   1
+# define XATTR_CAPS_SZ_1                 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
+# define VFS_CAP_U32                     VFS_CAP_U32_1
+struct _cap_vfs_cap_data {
+    __le32 magic_etc;
+    struct {
+	__le32 permitted;
+	__le32 inheritable;
+    } data[VFS_CAP_U32_1];
+};
+# define vfs_cap_data                    _cap_vfs_cap_data
+#endif
+
+#ifndef CAP_TO_INDEX
+# define CAP_TO_INDEX(x)     ((x) >> 5)  /* 1 << 5 == bits in __u32 */
+#endif /* ndef CAP_TO_INDEX */
+
+#ifndef CAP_TO_MASK
+# define CAP_TO_MASK(x)      (1 << ((x) & 31))
+#endif /* ndef CAP_TO_MASK */
+
+#define NUMBER_OF_CAP_SETS      3   /* effective, inheritable, permitted */
+#define __CAP_BLKS   (_LIBCAP_CAPABILITY_U32S)
+#define CAP_SET_SIZE (__CAP_BLKS * sizeof(__u32))
+
+#define CAP_T_MAGIC 0xCA90D0
+struct _cap_struct {
+    struct __user_cap_header_struct head;
+    union {
+	struct __user_cap_data_struct set;
+	__u32 flat[NUMBER_OF_CAP_SETS];
+    } u[_LIBCAP_CAPABILITY_U32S];
+};
+
+/* the maximum bits supportable */
+#define __CAP_MAXBITS (__CAP_BLKS * 32)
+
+/* string magic for cap_free */
+#define CAP_S_MAGIC 0xCA95D0
+
+/*
+ * kernel API cap set abstraction
+ */
+
+#define raise_cap(x,set)   u[(x)>>5].flat[set]       |=  (1<<((x)&31))
+#define lower_cap(x,set)   u[(x)>>5].flat[set]       &= ~(1<<((x)&31))
+#define isset_cap(y,x,set) ((y)->u[(x)>>5].flat[set] &   (1<<((x)&31)))
+
+/*
+ * Private definitions for internal use by the library.
+ */
+
+#define __libcap_check_magic(c,magic) ((c) && *(-1+(__u32 *)(c)) == (magic))
+#define good_cap_t(c)        __libcap_check_magic(c, CAP_T_MAGIC)
+#define good_cap_string(c)   __libcap_check_magic(c, CAP_S_MAGIC)
+
+/*
+ * These match CAP_DIFFERS() expectations
+ */
+#define LIBCAP_EFF   (1 << CAP_EFFECTIVE)
+#define LIBCAP_INH   (1 << CAP_INHERITABLE)
+#define LIBCAP_PER   (1 << CAP_PERMITTED)
+
+/*
+ * library debugging
+ */
+#ifdef DEBUG
+
+#include <stdio.h>
+# define _cap_debug(f, x...)  do { \
+    fprintf(stderr, "%s(%s:%d): ", __FUNCTION__, __FILE__, __LINE__); \
+    fprintf(stderr, f, ## x); \
+    fprintf(stderr, "\n"); \
+} while (0)
+
+# define _cap_debugcap(s, c, set) do { \
+    unsigned _cap_index; \
+    fprintf(stderr, "%s(%s:%d): %s", __FUNCTION__, __FILE__, __LINE__, s); \
+    for (_cap_index=_LIBCAP_CAPABILITY_U32S; _cap_index-- > 0; ) { \
+       fprintf(stderr, "%08x", (c).u[_cap_index].flat[set]); \
+    } \
+    fprintf(stderr, "\n"); \
+} while (0)
+
+#else /* !DEBUG */
+
+# define _cap_debug(f, x...)
+# define _cap_debugcap(s, c, set)
+
+#endif /* DEBUG */
+
+extern char *_libcap_strdup(const char *text);
+
+/*
+ * These are semi-public prototypes, they will only be defined in
+ * <sys/capability.h> if _POSIX_SOURCE is not #define'd, so we
+ * place them here too.
+ */
+
+extern int capget(cap_user_header_t header, cap_user_data_t data);
+extern int capset(cap_user_header_t header, const cap_user_data_t data);
+extern int capgetp(pid_t pid, cap_t cap_d);
+extern int capsetp(pid_t pid, cap_t cap_d);
+
+/* prctl based API for altering character of current process */
+#define PR_GET_KEEPCAPS    7
+#define PR_SET_KEEPCAPS    8
+#define PR_CAPBSET_READ   23
+#define PR_CAPBSET_DROP   24
+#define PR_GET_SECUREBITS 27
+#define PR_SET_SECUREBITS 28
+
+/*
+ * The library compares sizeof() with integer return values. To avoid
+ * signed/unsigned comparisons, leading to unfortunate
+ * misinterpretations of -1, we provide a convenient cast-to-signed-integer
+ * version of sizeof().
+ */
+#define ssizeof(x) ((ssize_t) sizeof(x))
+
+#endif /* LIBCAP_H */
diff --git a/contrib/libs/libcap/ya.make b/contrib/libs/libcap/ya.make
new file mode 100644
index 0000000000..428acb5304
--- /dev/null
+++ b/contrib/libs/libcap/ya.make
@@ -0,0 +1,28 @@
+LIBRARY()
+
+LICENSE("(BSD-3-Clause OR GPL-2.0-only)")
+
+LICENSE_TEXTS(.yandex_meta/licenses.list.txt)
+
+VERSION(2.25)
+
+ORIGINAL_SOURCE(https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/)
+
+ADDINCL(
+    GLOBAL contrib/libs/libcap/include
+)
+
+NO_COMPILER_WARNINGS()
+
+NO_UTIL()
+
+SRCS(
+    cap_alloc.c
+    cap_extint.c
+    cap_file.c
+    cap_flag.c
+    cap_proc.c
+    cap_text.c
+)
+
+END()
diff --git a/ydb/library/yql/utils/CMakeLists.darwin-x86_64.txt b/ydb/library/yql/utils/CMakeLists.darwin-x86_64.txt
index edaa00c8e7..9b7905a1a9 100644
--- a/ydb/library/yql/utils/CMakeLists.darwin-x86_64.txt
+++ b/ydb/library/yql/utils/CMakeLists.darwin-x86_64.txt
@@ -15,6 +15,7 @@ add_subdirectory(failure_injector)
 add_subdirectory(fetch)
 add_subdirectory(log)
 add_subdirectory(simd)
+add_subdirectory(sys)
 add_subdirectory(test_http_server)
 add_subdirectory(threading)
 add_subdirectory(ut)
diff --git a/ydb/library/yql/utils/CMakeLists.linux-aarch64.txt b/ydb/library/yql/utils/CMakeLists.linux-aarch64.txt
index 4c3b746969..f5a8cdd94b 100644
--- a/ydb/library/yql/utils/CMakeLists.linux-aarch64.txt
+++ b/ydb/library/yql/utils/CMakeLists.linux-aarch64.txt
@@ -15,6 +15,7 @@ add_subdirectory(failure_injector)
 add_subdirectory(fetch)
 add_subdirectory(log)
 add_subdirectory(simd)
+add_subdirectory(sys)
 add_subdirectory(test_http_server)
 add_subdirectory(threading)
 add_subdirectory(ut)
diff --git a/ydb/library/yql/utils/CMakeLists.linux-x86_64.txt b/ydb/library/yql/utils/CMakeLists.linux-x86_64.txt
index 4c3b746969..f5a8cdd94b 100644
--- a/ydb/library/yql/utils/CMakeLists.linux-x86_64.txt
+++ b/ydb/library/yql/utils/CMakeLists.linux-x86_64.txt
@@ -15,6 +15,7 @@ add_subdirectory(failure_injector)
 add_subdirectory(fetch)
 add_subdirectory(log)
 add_subdirectory(simd)
+add_subdirectory(sys)
 add_subdirectory(test_http_server)
 add_subdirectory(threading)
 add_subdirectory(ut)
diff --git a/ydb/library/yql/utils/CMakeLists.windows-x86_64.txt b/ydb/library/yql/utils/CMakeLists.windows-x86_64.txt
index edaa00c8e7..9b7905a1a9 100644
--- a/ydb/library/yql/utils/CMakeLists.windows-x86_64.txt
+++ b/ydb/library/yql/utils/CMakeLists.windows-x86_64.txt
@@ -15,6 +15,7 @@ add_subdirectory(failure_injector)
 add_subdirectory(fetch)
 add_subdirectory(log)
 add_subdirectory(simd)
+add_subdirectory(sys)
 add_subdirectory(test_http_server)
 add_subdirectory(threading)
 add_subdirectory(ut)
diff --git a/ydb/library/yql/utils/sys/CMakeLists.darwin-x86_64.txt b/ydb/library/yql/utils/sys/CMakeLists.darwin-x86_64.txt
new file mode 100644
index 0000000000..2a8129ae24
--- /dev/null
+++ b/ydb/library/yql/utils/sys/CMakeLists.darwin-x86_64.txt
@@ -0,0 +1,18 @@
+
+# This file was generated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+
+add_library(yql-utils-sys)
+target_link_libraries(yql-utils-sys PUBLIC
+  contrib-libs-cxxsupp
+  yutil
+)
+target_sources(yql-utils-sys PRIVATE
+  ${CMAKE_SOURCE_DIR}/ydb/library/yql/utils/sys/become_user_dummy.cpp
+  ${CMAKE_SOURCE_DIR}/ydb/library/yql/utils/sys/linux_version.cpp
+)
diff --git a/ydb/library/yql/utils/sys/CMakeLists.linux-aarch64.txt b/ydb/library/yql/utils/sys/CMakeLists.linux-aarch64.txt
new file mode 100644
index 0000000000..98acee73f5
--- /dev/null
+++ b/ydb/library/yql/utils/sys/CMakeLists.linux-aarch64.txt
@@ -0,0 +1,21 @@
+
+# This file was generated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+
+add_library(yql-utils-sys)
+target_link_libraries(yql-utils-sys PUBLIC
+  contrib-libs-linux-headers
+  contrib-libs-cxxsupp
+  yutil
+  contrib-libs-libcap
+)
+target_sources(yql-utils-sys PRIVATE
+  ${CMAKE_SOURCE_DIR}/ydb/library/yql/utils/sys/become_user_dummy.cpp
+  ${CMAKE_SOURCE_DIR}/ydb/library/yql/utils/sys/linux_version.cpp
+  ${CMAKE_SOURCE_DIR}/ydb/library/yql/utils/sys/become_user.cpp
+)
diff --git a/ydb/library/yql/utils/sys/CMakeLists.linux-x86_64.txt b/ydb/library/yql/utils/sys/CMakeLists.linux-x86_64.txt
new file mode 100644
index 0000000000..98acee73f5
--- /dev/null
+++ b/ydb/library/yql/utils/sys/CMakeLists.linux-x86_64.txt
@@ -0,0 +1,21 @@
+
+# This file was generated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+
+add_library(yql-utils-sys)
+target_link_libraries(yql-utils-sys PUBLIC
+  contrib-libs-linux-headers
+  contrib-libs-cxxsupp
+  yutil
+  contrib-libs-libcap
+)
+target_sources(yql-utils-sys PRIVATE
+  ${CMAKE_SOURCE_DIR}/ydb/library/yql/utils/sys/become_user_dummy.cpp
+  ${CMAKE_SOURCE_DIR}/ydb/library/yql/utils/sys/linux_version.cpp
+  ${CMAKE_SOURCE_DIR}/ydb/library/yql/utils/sys/become_user.cpp
+)
diff --git a/ydb/library/yql/utils/sys/CMakeLists.txt b/ydb/library/yql/utils/sys/CMakeLists.txt
new file mode 100644
index 0000000000..f8b31df0c1
--- /dev/null
+++ b/ydb/library/yql/utils/sys/CMakeLists.txt
@@ -0,0 +1,17 @@
+
+# This file was generated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+if (CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64" AND NOT HAVE_CUDA)
+  include(CMakeLists.linux-aarch64.txt)
+elseif (CMAKE_SYSTEM_NAME STREQUAL "Darwin" AND CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64")
+  include(CMakeLists.darwin-x86_64.txt)
+elseif (WIN32 AND CMAKE_SYSTEM_PROCESSOR STREQUAL "AMD64" AND NOT HAVE_CUDA)
+  include(CMakeLists.windows-x86_64.txt)
+elseif (CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND NOT HAVE_CUDA)
+  include(CMakeLists.linux-x86_64.txt)
+endif()
diff --git a/ydb/library/yql/utils/sys/CMakeLists.windows-x86_64.txt b/ydb/library/yql/utils/sys/CMakeLists.windows-x86_64.txt
new file mode 100644
index 0000000000..2a8129ae24
--- /dev/null
+++ b/ydb/library/yql/utils/sys/CMakeLists.windows-x86_64.txt
@@ -0,0 +1,18 @@
+
+# This file was generated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+
+add_library(yql-utils-sys)
+target_link_libraries(yql-utils-sys PUBLIC
+  contrib-libs-cxxsupp
+  yutil
+)
+target_sources(yql-utils-sys PRIVATE
+  ${CMAKE_SOURCE_DIR}/ydb/library/yql/utils/sys/become_user_dummy.cpp
+  ${CMAKE_SOURCE_DIR}/ydb/library/yql/utils/sys/linux_version.cpp
+)
diff --git a/ydb/library/yql/utils/sys/become_user.cpp b/ydb/library/yql/utils/sys/become_user.cpp
new file mode 100644
index 0000000000..bfeb28bf63
--- /dev/null
+++ b/ydb/library/yql/utils/sys/become_user.cpp
@@ -0,0 +1,188 @@
+#include "become_user.h"
+
+#ifdef _linux_
+#include <ydb/library/yql/utils/sys/linux_version.h>
+
+#include <util/generic/yexception.h>
+#include <util/system/user.h>
+
+#include <memory>
+#include <vector>
+#include <errno.h>
+
+#include <grp.h>
+#include <pwd.h>
+#include <unistd.h>
+
+#include <sys/prctl.h>
+#include <contrib/libs/libcap/include/sys/capability.h>
+#include <contrib/libs/libcap/include/sys/securebits.h>
+
+// strange, but sometimes we have to specify values manually
+#define PR_CAP_AMBIENT 47
+#define PR_CAP_AMBIENT_IS_SET 1
+#define PR_CAP_AMBIENT_RAISE 2
+#define PR_CAP_AMBIENT_LOWER 3
+#define PR_CAP_AMBIENT_CLEAR_ALL 4
+
+namespace NYql {
+
+namespace {
+
+void SetCapFlag(cap_t caps, cap_flag_t flag, cap_value_t value) {
+    if (cap_set_flag(caps, flag, 1, &value, CAP_SET) < 0) {
+        throw TSystemError() << "cap_set_flag() failed, flag = " << static_cast<int>(flag) << ", value = " << value;
+    }
+}
+
+void SetCapFlags(cap_t caps, cap_value_t value) {
+    SetCapFlag(caps, CAP_EFFECTIVE, value);
+    SetCapFlag(caps, CAP_PERMITTED, value);
+    SetCapFlag(caps, CAP_INHERITABLE, value);
+}
+
+void ClearAmbientCapFlags() {
+    // from man: PR_CAP_AMBIENT (since Linux 4.3)
+    if (IsLinuxKernelBelow4_3()) {
+        return;
+    }
+
+    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) < 0) {
+        throw TSystemError() << "prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, ....) failed";
+    }
+}
+
+void SetAmbientCapFlag(cap_value_t value) {
+    if (IsLinuxKernelBelow4_3()) {
+        return;
+    }
+
+    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, value, 0, 0) < 0) {
+        throw TSystemError() << "prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, ....) failed, value = " << value;
+    }
+}
+
+void SetCapFlagsVector(const std::vector<cap_value_t>& flags) {
+    cap_t caps = cap_init();
+    std::unique_ptr<std::remove_reference_t<decltype(*caps)>, decltype(&cap_free)> capsHolder(caps, &cap_free);
+
+    if (!caps) {
+        throw TSystemError() << "cap_init() failed";
+    }
+
+    cap_clear(caps);
+
+    for (auto f : flags) {
+        SetCapFlags(caps, f);
+    }
+
+    if (cap_set_proc(caps) < 0) {
+        throw TSystemError() << "cap_set_proc() failed";
+    }
+
+    ClearAmbientCapFlags();
+    for (auto f : flags) {
+        SetAmbientCapFlag(f);
+    }
+}
+
+void EnsureCapFlagsVectorCannotBeRaised(const std::vector<cap_value_t>& flags) {
+    for (auto f : flags) {
+        try {
+            // one-by-one
+            SetCapFlagsVector({ f });
+        } catch (const TSystemError&) {
+            continue;
+        }
+
+        throw yexception() << "Cap flag " << f << " raised unexpectedly";
+    }
+}
+
+void DoBecomeUser(const char* username, const char* groupname) {
+    errno = 0;
+    passwd* pw = getpwnam(username);
+    if (pw == nullptr) {
+        if (errno == 0) {
+            ythrow yexception() << "unknown user: " << username;
+        } else {
+            ythrow TSystemError() << "can't get user info";
+        }
+    }
+
+    if (groupname == nullptr || strlen(groupname) == 0) {
+        groupname = username;
+    }
+
+    errno = 0;
+    group* gr = getgrnam(groupname);
+    if (gr == nullptr) {
+        if (errno == 0) {
+            ythrow yexception() << "unknown group: " << groupname;
+        } else {
+            ythrow TSystemError() << "can't get group info";
+        }
+    }
+
+    if (setgid(gr->gr_gid) == -1) {
+        ythrow TSystemError() << "can't change process group";
+    }
+
+    if (initgroups(username, gr->gr_gid) == -1) {
+        ythrow TSystemError() << "can't initgroups";
+    }
+
+    if (setuid(pw->pw_uid) == -1) {
+        ythrow TSystemError() << "can't change process user";
+    }
+
+    if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) == -1) {
+        ythrow TSystemError() << "can't set dumpable flag for a process";
+    }
+}
+
+}
+
+void BecomeUser(const TString& username, const TString& groupname) {
+    DoBecomeUser(username.data(), groupname.data());
+}
+
+void TurnOnBecomeUserAmbientCaps() {
+    SetCapFlagsVector({ CAP_SETUID, CAP_SETGID, CAP_SETPCAP, CAP_KILL });
+    if (prctl(PR_SET_SECUREBITS, SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED, 0, 0, 0) == -1) {
+        ythrow TSystemError() << "can't set secure bits for a process";
+    }
+}
+
+void TurnOffBecomeUserAbility() {
+    ClearAmbientCapFlags();
+    SetCapFlagsVector({});
+    EnsureCapFlagsVectorCannotBeRaised({ CAP_SETUID, CAP_SETGID, CAP_SETPCAP, CAP_KILL });
+
+    // ensure we cannot get root access back
+    if (setuid(0) != -1) {
+        ythrow TSystemError() << "unexpected switch to root in TurnOffBecomeUserAbility";
+    }
+}
+
+void DumpCaps(const TString& title) {
+    cap_t caps = cap_get_proc();
+    std::unique_ptr<std::remove_reference_t<decltype(*caps)>, decltype(&cap_free)> capsHolder(caps, &cap_free);
+
+    ssize_t size;
+    char* capsText = cap_to_text(caps, &size);
+    Cerr << title << ": current user: " << GetUsername() << ", proc caps: " << capsText << Endl;
+
+    cap_free(capsText);
+}
+
+void SendSignalOnParentThreadExit(int signo)
+{
+    if (::prctl(PR_SET_PDEATHSIG, signo) == -1) {
+        ythrow TSystemError() << "Cannot set signal " << strsignal(signo) << " for parent death using prctl";
+    }
+}
+
+}
+
+#endif
diff --git a/ydb/library/yql/utils/sys/become_user.h b/ydb/library/yql/utils/sys/become_user.h
new file mode 100644
index 0000000000..c5c2025d8b
--- /dev/null
+++ b/ydb/library/yql/utils/sys/become_user.h
@@ -0,0 +1,26 @@
+#pragma once
+
+#include <util/generic/string.h>
+
+namespace NYql {
+
+// works on Linux only
+
+// assume we have enough capabilities to do so: CAP_SETUID, CAP_SETGID
+void BecomeUser(const TString& username, const TString& groupname);
+
+// should be called by root (more specifically caps required: CAP_SETPCAP)
+// special ambient capabilities will be set up: CAP_SETUID, CAP_SETGID, CAP_KILL
+// they will be preserved by fork and exec*
+void TurnOnBecomeUserAmbientCaps();
+
+// forget ambient capabilities and ensure we cannot setuid to root
+void TurnOffBecomeUserAbility();
+
+// dump to stderr current secirity context incluing uid/guid/caps
+void DumpCaps(const TString& title);
+
+// subscribe child process on receiving signal on parent process death (particularly on parent thread exit)
+void SendSignalOnParentThreadExit(int signo);
+
+}
diff --git a/ydb/library/yql/utils/sys/become_user_dummy.cpp b/ydb/library/yql/utils/sys/become_user_dummy.cpp
new file mode 100644
index 0000000000..897d9c3977
--- /dev/null
+++ b/ydb/library/yql/utils/sys/become_user_dummy.cpp
@@ -0,0 +1,26 @@
+#include "become_user.h"
+#ifndef _linux_
+namespace NYql {
+
+void BecomeUser(const TString& username, const TString& groupname) {
+    Y_UNUSED(username);
+    Y_UNUSED(groupname);
+}
+
+void TurnOnBecomeUserAmbientCaps() {
+}
+
+void TurnOffBecomeUserAbility() {
+}
+
+void DumpCaps(const TString& title) {
+    Y_UNUSED(title);
+}
+
+void SendSignalOnParentThreadExit(int signo)
+{
+    Y_UNUSED(signo);
+}
+
+}
+#endif
diff --git a/ydb/library/yql/utils/sys/linux_version.cpp b/ydb/library/yql/utils/sys/linux_version.cpp
new file mode 100644
index 0000000000..5d10af8294
--- /dev/null
+++ b/ydb/library/yql/utils/sys/linux_version.cpp
@@ -0,0 +1,46 @@
+#include "linux_version.h"
+
+#include <util/generic/yexception.h>
+#include <util/system/platform.h>
+
+#ifdef _linux_
+#   include <sys/utsname.h>
+#endif
+
+namespace NYql {
+    std::tuple<int, int, int> DetectLinuxKernelVersion3() {
+#ifdef _linux_
+        // see https://github.com/torvalds/linux/blob/master/Makefile
+        // version is composed as follows:
+        // VERSION = 4
+        // PATCHLEVEL = 18
+        // SUBLEVEL = 0
+        // EXTRAVERSION = -rc4
+        // KERNELVERSION = $(VERSION)$(if $(PATCHLEVEL),.$(PATCHLEVEL)$(if $(SUBLEVEL),.$(SUBLEVEL)))$(EXTRAVERSION)
+
+        utsname buf = {};
+        if (uname(&buf)) {
+            ythrow TSystemError() << "uname call failed";
+        }
+
+        int v = 0;
+        int p = 0;
+        int s = 0;
+        if (sscanf(buf.release, "%d.%d.%d", &v, &p, &s) != 3) {
+            ythrow yexception() << "Failed to parse linux kernel version " << buf.release;
+        }
+        return std::make_tuple(v, p, s);
+#else
+        return {};
+#endif
+    }
+
+    std::pair<int, int> DetectLinuxKernelVersion2() {
+        auto v = DetectLinuxKernelVersion3();
+        return std::make_pair(std::get<0>(v), std::get<1>(v));
+    }
+
+    bool IsLinuxKernelBelow4_3() {
+        return DetectLinuxKernelVersion2() < std::make_pair(4, 3);
+    }
+}
diff --git a/ydb/library/yql/utils/sys/linux_version.h b/ydb/library/yql/utils/sys/linux_version.h
new file mode 100644
index 0000000000..c8c32da125
--- /dev/null
+++ b/ydb/library/yql/utils/sys/linux_version.h
@@ -0,0 +1,13 @@
+#pragma once
+
+#include <tuple>
+
+namespace NYql {
+    // returns version, patch level, sublevel, e.g. (4, 4, 114) for `uname -r` == "4.4.114-50"
+    std::tuple<int, int, int> DetectLinuxKernelVersion3();
+
+    // returns version, patch level
+    std::pair<int, int> DetectLinuxKernelVersion2();
+
+    bool IsLinuxKernelBelow4_3();
+}
diff --git a/ydb/library/yql/utils/sys/ya.make b/ydb/library/yql/utils/sys/ya.make
new file mode 100644
index 0000000000..698aeb8ba8
--- /dev/null
+++ b/ydb/library/yql/utils/sys/ya.make
@@ -0,0 +1,20 @@
+LIBRARY()
+
+SRCS(
+    become_user.h
+    become_user_dummy.cpp
+    linux_version.cpp
+    linux_version.h
+)
+
+IF (OS_LINUX)
+    PEERDIR(
+        contrib/libs/libcap
+    )
+
+    SRCS(
+        become_user.cpp
+    )
+ENDIF()
+
+END()
diff --git a/ydb/library/yql/utils/ya.make b/ydb/library/yql/utils/ya.make
index bfe8005099..196b85b2cf 100644
--- a/ydb/library/yql/utils/ya.make
+++ b/ydb/library/yql/utils/ya.make
@@ -61,6 +61,7 @@ RECURSE(
     fetch
     log
     simd
+    sys
     test_http_server
     threading
 )