nginx: src/os/unix/ngx_process

comparison src/os/unix/ngx_process_cycle.c @ 7174:84e53e4735a4

Retain CAP_NET_RAW capability for transparent proxying. The capability is retained automatically in unprivileged worker processes after changing UID if transparent proxying is enabled at least once in nginx configuration. The feature is only available in Linux.

author	Roman Arutyunyan <arut@nginx.com>
date	Wed, 13 Dec 2017 20:40:53 +0300
parents	8b84d60ef13d
children	56923e8e01a5

comparison

equal deleted inserted replaced

-:057adb2a9d23
+:84e53e4735a4
 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
 "initgroups(%s, %d) failed",
 ccf->username, ccf->group);
 }
+#if (NGX_HAVE_PR_SET_KEEPCAPS && NGX_HAVE_CAPABILITIES)
+if (ccf->transparent && ccf->user) {
+if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
+ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+"prctl(PR_SET_KEEPCAPS, 1) failed");
+/* fatal */
+exit(2);
+}
+}
+#endif
 if (setuid(ccf->user) == -1) {
 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
 "setuid(%d) failed", ccf->user);
 /* fatal */
 exit(2);
 }
+#if (NGX_HAVE_CAPABILITIES)
+if (ccf->transparent && ccf->user) {
+struct __user_cap_data_struct    data;
+struct __user_cap_header_struct  header;
+ngx_memzero(&header, sizeof(struct __user_cap_header_struct));
+ngx_memzero(&data, sizeof(struct __user_cap_data_struct));
+header.version = _LINUX_CAPABILITY_VERSION_3;
+data.effective = CAP_TO_MASK(CAP_NET_RAW);
+data.permitted = data.effective;
+if (capset(&header, &data) == -1) {
+ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+"capset() failed");
+/* fatal */
+exit(2);
+}
+}
+#endif
 }
 if (worker >= 0) {
 cpu_affinity = ngx_get_cpu_affinity(worker);

Mercurial > hg > nginx

comparison src/os/unix/ngx_process_cycle.c @ 7174:84e53e4735a4