From cb0f1f42e134bb64bda3a6032654158e7160d5a1 Mon Sep 17 00:00:00 2001
From: Valentine Krasnobaeva
Date: Thu, 4 Jul 2024 17:19:18 +0200
Subject: [PATCH] MINOR: startup: only worker gets capabilities from bin

Due to moving the master-worker fork in init(), we need to protect prepare_caps_from_permitted_set() call, which is executed after init(). This call makes sense only for worker, daemon and for foreground mono process modes. prepare_caps_from_permitted_set() allows to read Linux capabilities from haproxy binary and to move some of them in process Effective set, if 'setcap' keyword lists needed capabilities in the global section.

---
 src/haproxy.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/haproxy.c b/src/haproxy.c
index 296769def0..411562e396 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -3412,7 +3412,8 @@ int main(int argc, char **argv)
 * is started and run under the same non-root user, this allows
 * binding to privileged ports.
 */
-prepare_caps_from_permitted_set(geteuid(), global.uid, argv[0]);
+if (!(global.mode & MODE_MWORKER))
+prepare_caps_from_permitted_set(geteuid(), global.uid, argv[0]);
 #endif
 
 /* Try to get the listeners FD from the previous process using
-- 
2.47.3
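Review bot: The added guard `if (!(global.mode & MODE_MWORKER))` admits the worker only if the child clears MODE_MWORKER after the fork in init(), which this hunk does not show; if the flag were still set in the worker, the capabilities requested through 'setcap' would silently not be raised into the Effective set and binding privileged ports would fail later with a less obvious error, so the invariant the guard depends on should be stated at the call site. The comment block above the call (which begins outside the hunk) still describes the unconditional behaviour, so I would extend it with `/* Skipped in the master: only the worker, daemon and foreground modes need the binary's capabilities (see 'setcap'). */`. main() starts and ends outside the hunk.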