summaryrefslogtreecommitdiffstats
path: root/src/haproxy.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:20:30 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:20:30 +0000
commitddfc40eabdbc59a607b568e946fb116dcd3439fd (patch)
treeb3253de65399448dbbf12e5b65d2da56c53d3af6 /src/haproxy.c
parentAdding upstream version 2.9.6. (diff)
downloadhaproxy-ddfc40eabdbc59a607b568e946fb116dcd3439fd.tar.xz
haproxy-ddfc40eabdbc59a607b568e946fb116dcd3439fd.zip
Adding upstream version 2.9.7.upstream/2.9.7
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--src/haproxy.c43
1 files changed, 28 insertions, 15 deletions
diff --git a/src/haproxy.c b/src/haproxy.c
index 4c739f4..1659d3d 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -3571,21 +3571,6 @@ int main(int argc, char **argv)
}
}
- if ((global.last_checks & LSTCHK_NETADM) && global.uid) {
- ha_alert("[%s.main()] Some configuration options require full privileges, so global.uid cannot be changed.\n"
- "", argv[0]);
- protocol_unbind_all();
- exit(1);
- }
-
- /* If the user is not root, we'll still let them try the configuration
- * but we inform them that unexpected behaviour may occur.
- */
- if ((global.last_checks & LSTCHK_NETADM) && getuid())
- ha_warning("[%s.main()] Some options which require full privileges"
- " might not work well.\n"
- "", argv[0]);
-
if ((global.mode & (MODE_MWORKER|MODE_DAEMON)) == 0) {
/* chroot if needed */
@@ -3614,6 +3599,34 @@ int main(int argc, char **argv)
if ((global.mode & (MODE_MWORKER | MODE_DAEMON)) == 0)
set_identity(argv[0]);
+ /* set_identity() above might have dropped LSTCHK_NETADM if
+ * it changed to a new UID while preserving enough permissions
+ * to honnor LSTCHK_NETADM.
+ */
+ if ((global.last_checks & LSTCHK_NETADM) && getuid()) {
+ /* If global.uid is present in config, it is already set as euid
+ * and ruid by set_identity() call just above, so it's better to
+ * remind the user to fix uncoherent settings.
+ */
+ if (global.uid) {
+ ha_alert("[%s.main()] Some configuration options require full "
+ "privileges, so global.uid cannot be changed.\n", argv[0]);
+#if defined(USE_LINUX_CAP)
+ ha_alert("[%s.main()] Alternately, if your system supports "
+ "Linux capabilities, you may also consider using "
+ "'setcap cap_net_raw' or 'setcap cap_net_admin' in the "
+ "'global' section.\n", argv[0]);
+#endif
+ protocol_unbind_all();
+ exit(1);
+ }
+ /* If the user is not root, we'll still let them try the configuration
+ * but we inform them that unexpected behaviour may occur.
+ */
+ ha_warning("[%s.main()] Some options which require full privileges"
+ " might not work well.\n", argv[0]);
+ }
+
/* check ulimits */
limit.rlim_cur = limit.rlim_max = 0;
getrlimit(RLIMIT_NOFILE, &limit);