Mercurial > hg > nginx
comparison src/os/unix/ngx_process_cycle.c @ 7176:7f28b61c92f0
Fixed capabilities version.
Previously, capset(2) was called with the 64-bit capabilities version
_LINUX_CAPABILITY_VERSION_3. With this version Linux kernel expected two
copies of struct __user_cap_data_struct, while only one was submitted. As a
result, random stack memory was accessed and random capabilities were requested
by the worker. This sometimes caused capset() errors. Now the 32-bit version
_LINUX_CAPABILITY_VERSION_1 is used instead. This is OK since CAP_NET_RAW is
a 32-bit capability (CAP_NET_RAW = 13).
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Tue, 19 Dec 2017 19:00:27 +0300 |
parents | 56923e8e01a5 |
children | 7cbf6389194b |
comparison
equal
deleted
inserted
replaced
7175:56923e8e01a5 | 7176:7f28b61c92f0 |
---|---|
863 struct __user_cap_header_struct header; | 863 struct __user_cap_header_struct header; |
864 | 864 |
865 ngx_memzero(&header, sizeof(struct __user_cap_header_struct)); | 865 ngx_memzero(&header, sizeof(struct __user_cap_header_struct)); |
866 ngx_memzero(&data, sizeof(struct __user_cap_data_struct)); | 866 ngx_memzero(&data, sizeof(struct __user_cap_data_struct)); |
867 | 867 |
868 header.version = _LINUX_CAPABILITY_VERSION_3; | 868 header.version = _LINUX_CAPABILITY_VERSION_1; |
869 data.effective = CAP_TO_MASK(CAP_NET_RAW); | 869 data.effective = CAP_TO_MASK(CAP_NET_RAW); |
870 data.permitted = data.effective; | 870 data.permitted = data.effective; |
871 | 871 |
872 if (syscall(SYS_capset, &header, &data) == -1) { | 872 if (syscall(SYS_capset, &header, &data) == -1) { |
873 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno, | 873 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno, |