From a8df30a8a837c223945a13fe4cd9418084d8ed21 Mon Sep 17 00:00:00 2001
From: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
Date: Wed, 10 Jun 2020 20:14:32 +0000
Subject: [PATCH] drop setuid/setgid/initgroups

---
 src/os/unix/ngx_process_cycle.c | 54 ---------------------------------
 1 file changed, 54 deletions(-)

diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
index 5817a2c2..305c6823 100644
--- a/src/os/unix/ngx_process_cycle.c
+++ b/src/os/unix/ngx_process_cycle.c
@@ -825,60 +825,6 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
         }
     }

-    if (geteuid() == 0) {
-        if (setgid(ccf->group) == -1) {
-            ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-                          "setgid(%d) failed", ccf->group);
-            /* fatal */
-            exit(2);
-        }
-
-        if (initgroups(ccf->username, ccf->group) == -1) {
-            ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-                          "initgroups(%s, %d) failed",
-                          ccf->username, ccf->group);
-        }
-
-#if (NGX_HAVE_PR_SET_KEEPCAPS && NGX_HAVE_CAPABILITIES)
-        if (ccf->transparent && ccf->user) {
-            if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
-                ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-                              "prctl(PR_SET_KEEPCAPS, 1) failed");
-                /* fatal */
-                exit(2);
-            }
-        }
-#endif
-
-        if (setuid(ccf->user) == -1) {
-            ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-                          "setuid(%d) failed", ccf->user);
-            /* fatal */
-            exit(2);
-        }
-
-#if (NGX_HAVE_CAPABILITIES)
-        if (ccf->transparent && ccf->user) {
-            struct __user_cap_data_struct    data;
-            struct __user_cap_header_struct  header;
-
-            ngx_memzero(&header, sizeof(struct __user_cap_header_struct));
-            ngx_memzero(&data, sizeof(struct __user_cap_data_struct));
-
-            header.version = _LINUX_CAPABILITY_VERSION_1;
-            data.effective = CAP_TO_MASK(CAP_NET_RAW);
-            data.permitted = data.effective;
-
-            if (syscall(SYS_capset, &header, &data) == -1) {
-                ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-                              "capset() failed");
-                /* fatal */
-                exit(2);
-            }
-        }
-#endif
-    }
-
     if (worker >= 0) {
         cpu_affinity = ngx_get_cpu_affinity(worker);

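Review bot: With the `if (geteuid() == 0)` block removed, a worker forked from a root master never calls `setgid`, `initgroups` or `setuid`, so it keeps uid 0 with the master's group and supplementary groups, and `ccf->user`, `ccf->group` and `ccf->username` are no longer applied here, with nothing logged. The removed `capset()` branch also narrowed a `ccf->transparent` worker to `CAP_NET_RAW` only, and nothing in the hunk replaces that bound. If these calls are unavailable in the target environment (presumably the motivation, since the commit message has no body), I would keep a guard that makes the state visible, e.g. `if (geteuid() == 0) { ngx_log_error(NGX_LOG_WARN, cycle->log, 0, "worker process keeps root privileges, configured user/group not applied"); }`. The commit description should also say which external confinement replaces the privilege drop, so that the patch is not carried into a build that lacks it. The body of `ngx_worker_process_init` starts and ends outside the hunk.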
--
2.17.1