MINOR: startup: only worker gets capabilities from bin

Due to moving the master-worker fork in init(), we need to protect
prepare_caps_from_permitted_set() call, which is executed after init(). This
call makes sense only for worker, daemon and for foreground mono process modes.

prepare_caps_from_permitted_set() allows to read Linux capabilities from
haproxy binary and to move some of them in process Effective set, if 'setcap'
keyword lists needed capabilities in the global section.

diff --git a/src/haproxy.c b/src/haproxy.c
index 296769def0b9f55eb9a9d523ddfb522f9cfad2b0..411562e396f4a9740935c92248c5884f34c5cada 100644 (file)
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -3412,7 +3412,8 @@ int main(int argc, char **argv)
         * is started and run under the same non-root user, this allows
         * binding to privileged ports.
         */
-       prepare_caps_from_permitted_set(geteuid(), global.uid, argv[0]);
+       if (!(global.mode & MODE_MWORKER))
+           prepare_caps_from_permitted_set(geteuid(), global.uid, argv[0]);
 #endif
 
        /* Try to get the listeners FD from the previous process using