diff options
| author | Andrei Belov <defan@nginx.com> | 2019-05-30 17:44:29 +0300 |
|---|---|---|
| committer | Andrei Belov <defan@nginx.com> | 2019-05-30 17:44:29 +0300 |
| commit | 4921df052be8437d912f3c60faa9a667890e4498 (patch) | |
| tree | 3678c551f148a0d177721597de978c090237f205 /src/nxt_process.c | |
| parent | 3b7a7ff2aa5840d4238584410ee1ebc6860fb9c5 (diff) | |
| parent | 7da320a93af07765e79c929287704936c431f3cd (diff) | |
| download | unit-1.9.0-1.tar.gz unit-1.9.0-1.tar.bz2 | |
Merged with the default branch.1.9.0-1
Diffstat (limited to 'src/nxt_process.c')
| -rw-r--r-- | src/nxt_process.c | 49 |
1 files changed, 33 insertions, 16 deletions
diff --git a/src/nxt_process.c b/src/nxt_process.c index 59520297..c4aef21c 100644 --- a/src/nxt_process.c +++ b/src/nxt_process.c @@ -136,9 +136,11 @@ nxt_process_start(nxt_task_t *task, nxt_process_t *process) nxt_random_init(&thread->random); - if (init->user_cred != NULL && getuid() == 0) { - /* Super-user. */ - + if (init->user_cred != NULL) { + /* + * Changing user credentials requires either root privileges + * or CAP_SETUID and CAP_SETGID capabilities on Linux. + */ ret = nxt_user_cred_set(task, init->user_cred); if (ret != NXT_OK) { goto fail; @@ -434,11 +436,7 @@ nxt_user_cred_get(nxt_task_t *task, nxt_user_cred_t *uc, const char *group) uc->base_gid = grp->gr_gid; } - if (getuid() == 0) { - return nxt_user_groups_get(task, uc); - } - - return NXT_OK; + return nxt_user_groups_get(task, uc); } @@ -505,14 +503,26 @@ nxt_user_groups_get(nxt_task_t *task, nxt_user_cred_t *uc) if (nsaved == -1) { nxt_alert(task, "getgroups(%d) failed %E", nsaved, nxt_errno); - goto fail; + goto free; } nxt_debug(task, "getgroups(): %d", nsaved); if (initgroups(uc->user, uc->base_gid) != 0) { - nxt_alert(task, "initgroups(%s, %d) failed", uc->user, uc->base_gid); - goto restore; + if (nxt_errno == NXT_EPERM) { + nxt_log(task, NXT_LOG_NOTICE, + "initgroups(%s, %d) failed %E, ignored", + uc->user, uc->base_gid, nxt_errno); + + ret = NXT_OK; + + goto free; + + } else { + nxt_alert(task, "initgroups(%s, %d) failed %E", + uc->user, uc->base_gid, nxt_errno); + goto restore; + } } ngroups = getgroups(0, NULL); @@ -567,7 +577,7 @@ restore: ret = NXT_ERROR; } -fail: +free: nxt_free(saved); @@ -582,8 +592,15 @@ nxt_user_cred_set(nxt_task_t *task, nxt_user_cred_t *uc) uc->user, (uint64_t) uc->uid, (uint64_t) uc->base_gid); if (setgid(uc->base_gid) != 0) { - nxt_alert(task, "setgid(%d) failed %E", uc->base_gid, nxt_errno); - return NXT_ERROR; + if (nxt_errno == NXT_EPERM) { + nxt_log(task, NXT_LOG_NOTICE, "setgid(%d) failed %E, ignored", + uc->base_gid, nxt_errno); + return NXT_OK; + + } else { + nxt_alert(task, "setgid(%d) failed %E", uc->base_gid, nxt_errno); + return NXT_ERROR; + } } if (uc->gids != NULL) { @@ -595,8 +612,8 @@ nxt_user_cred_set(nxt_task_t *task, nxt_user_cred_t *uc) } else { /* MacOSX fallback. */ if (initgroups(uc->user, uc->base_gid) != 0) { - nxt_alert(task, "initgroups(%s, %d) failed", - uc->user, uc->base_gid); + nxt_alert(task, "initgroups(%s, %d) failed %E", + uc->user, uc->base_gid, nxt_errno); return NXT_ERROR; } } |