From: Valentine Krasnobaeva
Date: Thu, 4 Jul 2024 15:19:18 +0000 (+0200)
Subject: MINOR: startup: only worker gets capabilities from bin
X-Git-Tag: v3.1-dev10~48
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cb0f1f42e134bb64bda3a6032654158e7160d5a1;p=thirdparty%2Fhaproxy.git

MINOR: startup: only worker gets capabilities from bin

Due to moving the master-worker fork in init(), we need to protect the prepare_caps_from_permitted_set() call, which is executed after init(). This call makes sense only for the worker, daemon and foreground mono-process modes.

prepare_caps_from_permitted_set() allows reading Linux capabilities from the haproxy binary and moving some of them into the process Effective set, if the 'setcap' keyword lists the needed capabilities in the global section.

---
diff --git a/src/haproxy.c b/src/haproxy.c
index 296769def0..411562e396 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -3412,7 +3412,8 @@ int main(int argc, char **argv) * is started and run under the same non-root user, this allows * binding to privileged ports. */ - prepare_caps_from_permitted_set(geteuid(), global.uid, argv[0]); + if (!(global.mode & MODE_MWORKER)) + prepare_caps_from_permitted_set(geteuid(), global.uid, argv[0]); #endif /* Try to get the listeners FD from the previous process using
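Review bot: the new guard `if (!(global.mode & MODE_MWORKER))` expresses "only the worker" only indirectly, since it relies on the worker process having dropped MODE_MWORKER from global.mode after the fork in init(), and that invariant is not visible in this hunk; a one-line comment above the `if` stating that the master keeps MODE_MWORKER and therefore intentionally never raises capabilities from the binary would make the intent checkable by the next reader. The existing comment that precedes the call ("this allows binding to privileged ports") should also be extended to say that in master-worker mode only the worker, not the master, gets these capabilities moved into its Effective set, matching what the commit message describes.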