MINOR: startup: only worker gets capabilities from bin

Due to moving the master-worker fork in init(), we need to protect the
prepare_caps_from_permitted_set() call, which is executed after init(). This
call makes sense only for worker, daemon and for foreground mono process modes.

prepare_caps_from_permitted_set() allows reading Linux capabilities from the
haproxy binary and moving some of them into the process Effective set, if the
'setcap' keyword lists the needed capabilities in the global section.
Valentine Krasnobaeva 2024-07-04 17:19:18 +02:00 committed by Willy Tarreau
parent fe04c2ad37
commit cb0f1f42e1

@ -3412,7 +3412,8 @@ int main(int argc, char **argv)
* is started and run under the same non-root user, this allows
* binding to privileged ports.
*/
prepare_caps_from_permitted_set(geteuid(), global.uid, argv[0]);
if (!(global.mode & MODE_MWORKER))
prepare_caps_from_permitted_set(geteuid(), global.uid, argv[0]);
#endif
/* Try to get the listeners FD from the previous process using
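Review bot: The new guard `if (!(global.mode & MODE_MWORKER))` reads, on its own, as skipping the capability setup for every process started in master-worker mode, while the commit message says the worker must still get its capabilities. Nothing in this hunk shows that the worker no longer carries MODE_MWORKER once it reaches this point, so the correctness of the check depends on a flag change made elsewhere after the fork. Please extend the comment block above the call to state that only the master is skipped here and why the worker passes the test, or use an explicit master-process check if one is available. If that assumption ever stops holding, the worker silently keeps an empty Effective set and binding to privileged ports under a non-root user fails, so a short note on how this path is tested in master-worker mode with 'setcap' configured would also help.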