From a8df30a8a837c223945a13fe4cd9418084d8ed21 Mon Sep 17 00:00:00 2001
From: Dmitrii Shcherbakov
Date: Wed, 10 Jun 2020 20:14:32 +0000
Subject: [PATCH] drop setuid/setgid/initgroups
---
 src/os/unix/ngx_process_cycle.c | 54 ---------------------------------
 1 file changed, 54 deletions(-)
diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
index 5817a2c2..305c6823 100644
--- a/src/os/unix/ngx_process_cycle.c
+++ b/src/os/unix/ngx_process_cycle.c
@@ -825,60 +825,6 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
 }
 }
- if (geteuid() == 0) {
- if (setgid(ccf->group) == -1) {
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
- "setgid(%d) failed", ccf->group);
- /* fatal */
- exit(2);
- }
-
- if (initgroups(ccf->username, ccf->group) == -1) {
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
- "initgroups(%s, %d) failed",
- ccf->username, ccf->group);
- }
-
-#if (NGX_HAVE_PR_SET_KEEPCAPS && NGX_HAVE_CAPABILITIES)
- if (ccf->transparent && ccf->user) {
- if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
- "prctl(PR_SET_KEEPCAPS, 1) failed");
- /* fatal */
- exit(2);
- }
- }
-#endif
-
- if (setuid(ccf->user) == -1) {
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
- "setuid(%d) failed", ccf->user);
- /* fatal */
- exit(2);
- }
-
-#if (NGX_HAVE_CAPABILITIES)
- if (ccf->transparent && ccf->user) {
- struct __user_cap_data_struct data;
- struct __user_cap_header_struct header;
-
- ngx_memzero(&header, sizeof(struct __user_cap_header_struct));
- ngx_memzero(&data, sizeof(struct __user_cap_data_struct));
-
- header.version = _LINUX_CAPABILITY_VERSION_1;
- data.effective = CAP_TO_MASK(CAP_NET_RAW);
- data.permitted = data.effective;
-
- if (syscall(SYS_capset, &header, &data) == -1) {
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
- "capset() failed");
- /* fatal */
- exit(2);
- }
- }
-#endif
- }
-
 if (worker >= 0) {
 cpu_affinity = ngx_get_cpu_affinity(worker);
-- 
2.17.1
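Review bot: With the whole `if (geteuid() == 0)` block removed, ngx_worker_process_init no longer calls setgid/initgroups/setuid, so a worker started by a root master keeps euid 0 while it handles client traffic, and nothing in the hunk replaces the drop or reports that it was skipped. The same removal takes out the capset() step that narrowed a transparent-proxy worker to CAP_NET_RAW, so that worker would keep whatever capability set it inherited. The configured `ccf->user` and `ccf->group` appear to be left unapplied, at least on this path. The commit message gives no reason for the removal; if the target environment blocks these calls, state that there and make the retained privilege visible at the point of removal, e.g. `if (geteuid() == 0) { ngx_log_error(NGX_LOG_WARN, cycle->log, 0, "worker process keeps euid 0, privileges are not dropped"); }`. The function body starts and ends outside the hunk, so a drop performed elsewhere cannot be ruled out from here.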