[PATCH 2/2] Setting more capabilities(CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH and CAP_SETUID).

Kirill A. Korinskiy catap+nginx at catap.ru
Wed Mar 18 18:45:42 MSK 2009


From: Kirill A. Korinskiy <catap at catap.ru>

capset(CAP_CHOWN) grand the proccess rule to change arbitrary to file.

CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH bypass file read, write and
execute permission checks.

CAP_SETUID need for rewert back to privileged processes (whose
effective user ID is 0).
---
 src/os/unix/ngx_process.c |    9 +++++++++
 src/os/unix/ngx_user.c    |   13 +++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/os/unix/ngx_process.c b/src/os/unix/ngx_process.c
index 18b2601aff17895cc250e54621651d72aee09790..9f06fdfa460ceadac032a62aae18559238fc17c6 100644
--- a/src/os/unix/ngx_process.c
+++ b/src/os/unix/ngx_process.c
@@ -247,6 +247,15 @@ ngx_execute_proc(ngx_cycle_t *cycle, void *data)
 {
     ngx_exec_ctx_t  *ctx = data;
 
+#if (NGX_HAVE_CAPABILITIES)
+    if (setuid(0) == -1) {
+        ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+                      "setuid(0) failed");
+        /* fatal */
+        exit(2);
+    }
+#endif
+
     if (execve(ctx->path, ctx->argv, ctx->envp) == -1) {
         ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno,
                       "execve() failed while executing %s \"%s\"",
diff --git a/src/os/unix/ngx_user.c b/src/os/unix/ngx_user.c
index d5ebb6c3e22b96d66a5e816dbfa860635fa7a3d8..d3f6b5bd1d7d379ff4de9418955bcc285f0696d4 100644
--- a/src/os/unix/ngx_user.c
+++ b/src/os/unix/ngx_user.c
@@ -149,14 +149,23 @@ void ngx_set_capabilities(ngx_cycle_t *cycle)
 
     ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx, ngx_core_module);
 
-    prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
+    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
+        ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+                      "prctl(%d) failed", ccf->user);
+        /* fatal */
+        exit(2);
+    }
 
     ngx_switch_user(cycle);
 
     header.version = _LINUX_CAPABILITY_VERSION;
     header.pid = 0;
 
-    cap.effective = cap.permitted = (1 << CAP_NET_BIND_SERVICE);
+    cap.effective = cap.permitted = (1 << CAP_NET_BIND_SERVICE |
+				     1 << CAP_CHOWN |
+				     1 << CAP_DAC_OVERRIDE |
+				     1 << CAP_DAC_READ_SEARCH |
+				     1 << CAP_SETUID);
 
     if (capset(&header, &cap) == -1) {
         ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-- 
1.6.2






More information about the nginx-ru mailing list