[PATCH 2/2] Setting more capabilities(CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH and CAP_SETUID).
From: Kirill A. Korinskiy <catap@xxxxxxxx>
capset(CAP_CHOWN) grants the process the right to change the owner of arbitrary files.
CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH bypass file read, write and
execute permission checks.
CAP_SETUID is needed to revert back to a privileged process (whose
effective user ID is 0).
---
src/os/unix/ngx_process.c | 9 +++++++++
src/os/unix/ngx_user.c | 13 +++++++++++--
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/os/unix/ngx_process.c b/src/os/unix/ngx_process.c
index
18b2601aff17895cc250e54621651d72aee09790..9f06fdfa460ceadac032a62aae18559238fc17c6
100644
--- a/src/os/unix/ngx_process.c
+++ b/src/os/unix/ngx_process.c
@@ -247,6 +247,15 @@ ngx_execute_proc(ngx_cycle_t *cycle, void *data)
{
ngx_exec_ctx_t *ctx = data;
+#if (NGX_HAVE_CAPABILITIES)
+ if (setuid(0) == -1) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "setuid(0) failed");
+ /* fatal */
+ exit(2);
+ }
+#endif
+
if (execve(ctx->path, ctx->argv, ctx->envp) == -1) {
ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno,
"execve() failed while executing %s \"%s\"",
diff --git a/src/os/unix/ngx_user.c b/src/os/unix/ngx_user.c
index
d5ebb6c3e22b96d66a5e816dbfa860635fa7a3d8..d3f6b5bd1d7d379ff4de9418955bcc285f0696d4
100644
--- a/src/os/unix/ngx_user.c
+++ b/src/os/unix/ngx_user.c
@@ -149,14 +149,23 @@ void ngx_set_capabilities(ngx_cycle_t *cycle)
ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx, ngx_core_module);
- prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "prctl(%d) failed", ccf->user);
+ /* fatal */
+ exit(2);
+ }
ngx_switch_user(cycle);
header.version = _LINUX_CAPABILITY_VERSION;
header.pid = 0;
- cap.effective = cap.permitted = (1 << CAP_NET_BIND_SERVICE);
+ cap.effective = cap.permitted = (1 << CAP_NET_BIND_SERVICE |
+ 1 << CAP_CHOWN |
+ 1 << CAP_DAC_OVERRIDE |
+ 1 << CAP_DAC_READ_SEARCH |
+ 1 << CAP_SETUID);
if (capset(&header, &cap) == -1) {
ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
--
1.6.2