diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:20:30 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:20:30 +0000 |
| commit | ddfc40eabdbc59a607b568e946fb116dcd3439fd (patch) | |
| tree | b3253de65399448dbbf12e5b65d2da56c53d3af6 /src/haproxy.c | |
| parent | Adding upstream version 2.9.6. (diff) | |
| download | haproxy-ddfc40eabdbc59a607b568e946fb116dcd3439fd.tar.xz haproxy-ddfc40eabdbc59a607b568e946fb116dcd3439fd.zip | |
Adding upstream version 2.9.7.upstream/2.9.7
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
| -rw-r--r-- | src/haproxy.c | 43 |
1 files changed, 28 insertions, 15 deletions
diff --git a/src/haproxy.c b/src/haproxy.c index 4c739f4..1659d3d 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -3571,21 +3571,6 @@ int main(int argc, char **argv) } } - if ((global.last_checks & LSTCHK_NETADM) && global.uid) { - ha_alert("[%s.main()] Some configuration options require full privileges, so global.uid cannot be changed.\n" - "", argv[0]); - protocol_unbind_all(); - exit(1); - } - - /* If the user is not root, we'll still let them try the configuration - * but we inform them that unexpected behaviour may occur. - */ - if ((global.last_checks & LSTCHK_NETADM) && getuid()) - ha_warning("[%s.main()] Some options which require full privileges" - " might not work well.\n" - "", argv[0]); - if ((global.mode & (MODE_MWORKER|MODE_DAEMON)) == 0) { /* chroot if needed */ @@ -3614,6 +3599,34 @@ int main(int argc, char **argv) if ((global.mode & (MODE_MWORKER | MODE_DAEMON)) == 0) set_identity(argv[0]); + /* set_identity() above might have dropped LSTCHK_NETADM if + * it changed to a new UID while preserving enough permissions + * to honnor LSTCHK_NETADM. + */ + if ((global.last_checks & LSTCHK_NETADM) && getuid()) { + /* If global.uid is present in config, it is already set as euid + * and ruid by set_identity() call just above, so it's better to + * remind the user to fix uncoherent settings. + */ + if (global.uid) { + ha_alert("[%s.main()] Some configuration options require full " + "privileges, so global.uid cannot be changed.\n", argv[0]); +#if defined(USE_LINUX_CAP) + ha_alert("[%s.main()] Alternately, if your system supports " + "Linux capabilities, you may also consider using " + "'setcap cap_net_raw' or 'setcap cap_net_admin' in the " + "'global' section.\n", argv[0]); +#endif + protocol_unbind_all(); + exit(1); + } + /* If the user is not root, we'll still let them try the configuration + * but we inform them that unexpected behaviour may occur. + */ + ha_warning("[%s.main()] Some options which require full privileges" + " might not work well.\n", argv[0]); + } + /* check ulimits */ limit.rlim_cur = limit.rlim_max = 0; getrlimit(RLIMIT_NOFILE, &limit); |