microstack/patches/nginx/0001-drop-setuid-setgid-initgroups.patch

From a8df30a8a837c223945a13fe4cd9418084d8ed21 Mon Sep 17 00:00:00 2001
From: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
Date: Wed, 10 Jun 2020 20:14:32 +0000
Subject: [PATCH] drop setuid/setgid/initgroups

---
 src/os/unix/ngx_process_cycle.c | 54 ---------------------------------
 1 file changed, 54 deletions(-)

diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
index 5817a2c2..305c6823 100644
--- a/src/os/unix/ngx_process_cycle.c
+++ b/src/os/unix/ngx_process_cycle.c
@@ -825,60 +825,6 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
         }
     }

-    if (geteuid() == 0) {
-        if (setgid(ccf->group) == -1) {
-            ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-                          "setgid(%d) failed", ccf->group);
-            /* fatal */
-            exit(2);
-        }
-
-        if (initgroups(ccf->username, ccf->group) == -1) {
-            ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-                          "initgroups(%s, %d) failed",
-                          ccf->username, ccf->group);
-        }
-
-#if (NGX_HAVE_PR_SET_KEEPCAPS && NGX_HAVE_CAPABILITIES)
-        if (ccf->transparent && ccf->user) {
-            if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
-                ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-                              "prctl(PR_SET_KEEPCAPS, 1) failed");
-                /* fatal */
-                exit(2);
-            }
-        }
-#endif
-
-        if (setuid(ccf->user) == -1) {
-            ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-                          "setuid(%d) failed", ccf->user);
-            /* fatal */
-            exit(2);
-        }
-
-#if (NGX_HAVE_CAPABILITIES)
-        if (ccf->transparent && ccf->user) {
-            struct __user_cap_data_struct    data;
-            struct __user_cap_header_struct  header;
-
-            ngx_memzero(&header, sizeof(struct __user_cap_header_struct));
-            ngx_memzero(&data, sizeof(struct __user_cap_data_struct));
-
-            header.version = _LINUX_CAPABILITY_VERSION_1;
-            data.effective = CAP_TO_MASK(CAP_NET_RAW);
-            data.permitted = data.effective;
-
-            if (syscall(SYS_capset, &header, &data) == -1) {
-                ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-                              "capset() failed");
-                /* fatal */
-                exit(2);
-            }
-        }
-#endif
-    }
-
     if (worker >= 0) {
         cpu_affinity = ngx_get_cpu_affinity(worker);

--
2.17.1