author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:20:30 +0000 |
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:20:30 +0000 |
commit | ddfc40eabdbc59a607b568e946fb116dcd3439fd (patch) | |
tree | b3253de65399448dbbf12e5b65d2da56c53d3af6 /src/linuxcap.c | |
parent | Adding upstream version 2.9.6. (diff) | |
Adding upstream version 2.9.7.upstream/2.9.7
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | src/linuxcap.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/linuxcap.c b/src/linuxcap.c
index 919086c..4a2a3ab 100644
--- a/src/linuxcap.c
+++ b/src/linuxcap.c
@@ -23,6 +23,7 @@
 #include <haproxy/api.h>
 #include <haproxy/cfgparse.h>
 #include <haproxy/errors.h>
+#include <haproxy/global.h>
 #include <haproxy/tools.h>
 
 /* supported names, zero-terminated */
@@ -59,9 +60,10 @@ static uint32_t caplist;
  * - switch euid to non-zero
  * - set the effective and permitted caps again
  * - then the caller can safely call setuid()
+ * On success LSTCHK_NETADM is unset from global.last_checks, if CAP_NET_ADMIN
+ * or CAP_NET_RAW was found in the caplist from config.
  * We don't do this if the current euid is not zero or if the target uid
- * is zero. Returns >=0 on success, negative on failure. Alerts or warnings
- * may be emitted.
+ * is zero. Returns 0 on success, negative on failure. Alerts may be emitted.
  */
 int prepare_caps_for_setuid(int from_uid, int to_uid)
 {
@@ -101,6 +103,10 @@ int prepare_caps_for_setuid(int from_uid, int to_uid)
 		ha_alert("Failed to set the final capabilities using capset(): %s\n", strerror(errno));
 		return -1;
 	}
+
+	if (caplist & ((1 << CAP_NET_ADMIN)|(1 << CAP_NET_RAW)))
+		global.last_checks &= ~LSTCHK_NETADM;
+
 	/* all's good */
 	return 0;
 } |
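Review bot: The new condition at the end of prepare_caps_for_setuid keys off the configured `caplist` bitmask rather than the capability set that capset() actually installed, and it clears LSTCHK_NETADM when only CAP_NET_RAW is configured, which assumes every feature that sets that flag is satisfied by CAP_NET_RAW alone; neither assumption is recorded in the hunk. Because the check sits directly after the final capset() succeeded, the first assumption is presumably safe, but a comment above the `if` should state both, e.g. `/* caps were applied by capset() above; CAP_NET_RAW is assumed sufficient for every feature that sets LSTCHK_NETADM -- keep in sync with its setters */`. A minor style point: `1 << CAP_NET_ADMIN` shifts a signed int into the uint32_t mask; `1U << CAP_NET_ADMIN` matches the type of caplist. The earlier body of the function, where caplist is validated and applied, lies outside the hunk, so I cannot confirm from here that the configured bits always equal the retained ones.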