Mercurial > hg > nginx
comparison src/os/unix/ngx_process_cycle.c @ 7174:84e53e4735a4
Retain CAP_NET_RAW capability for transparent proxying.
The capability is retained automatically in unprivileged worker processes after
changing UID if transparent proxying is enabled at least once in nginx
configuration.
The feature is only available in Linux.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Wed, 13 Dec 2017 20:40:53 +0300 |
parents | 8b84d60ef13d |
children | 56923e8e01a5 |
comparison
equal
deleted
inserted
replaced
7173:057adb2a9d23 | 7174:84e53e4735a4 |
---|---|
837 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno, | 837 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno, |
838 "initgroups(%s, %d) failed", | 838 "initgroups(%s, %d) failed", |
839 ccf->username, ccf->group); | 839 ccf->username, ccf->group); |
840 } | 840 } |
841 | 841 |
842 #if (NGX_HAVE_PR_SET_KEEPCAPS && NGX_HAVE_CAPABILITIES) | |
843 if (ccf->transparent && ccf->user) { | |
844 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) { | |
845 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno, | |
846 "prctl(PR_SET_KEEPCAPS, 1) failed"); | |
847 /* fatal */ | |
848 exit(2); | |
849 } | |
850 } | |
851 #endif | |
852 | |
842 if (setuid(ccf->user) == -1) { | 853 if (setuid(ccf->user) == -1) { |
843 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno, | 854 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno, |
844 "setuid(%d) failed", ccf->user); | 855 "setuid(%d) failed", ccf->user); |
845 /* fatal */ | 856 /* fatal */ |
846 exit(2); | 857 exit(2); |
847 } | 858 } |
859 | |
860 #if (NGX_HAVE_CAPABILITIES) | |
861 if (ccf->transparent && ccf->user) { | |
862 struct __user_cap_data_struct data; | |
863 struct __user_cap_header_struct header; | |
864 | |
865 ngx_memzero(&header, sizeof(struct __user_cap_header_struct)); | |
866 ngx_memzero(&data, sizeof(struct __user_cap_data_struct)); | |
867 | |
868 header.version = _LINUX_CAPABILITY_VERSION_3; | |
869 data.effective = CAP_TO_MASK(CAP_NET_RAW); | |
870 data.permitted = data.effective; | |
871 | |
872 if (capset(&header, &data) == -1) { | |
873 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno, | |
874 "capset() failed"); | |
875 /* fatal */ | |
876 exit(2); | |
877 } | |
878 } | |
879 #endif | |
848 } | 880 } |
849 | 881 |
850 if (worker >= 0) { | 882 if (worker >= 0) { |
851 cpu_affinity = ngx_get_cpu_affinity(worker); | 883 cpu_affinity = ngx_get_cpu_affinity(worker); |
852 | 884 |