Ignoring EPERM error when changing application process uid/gid.

This closes issue #228 on GitHub.
Max Romanov
2019-03-22 15:32:58 +03:00
parent 1b7514dca3
commit 6c694d4b47


@@ -136,9 +136,11 @@ nxt_process_start(nxt_task_t *task, nxt_process_t *process)
nxt_random_init(&thread->random); nxt_random_init(&thread->random);
if (init->user_cred != NULL && getuid() == 0) { if (init->user_cred != NULL) {
/* Super-user. */ /*
* Changing user credentials requires either root privileges
* or CAP_SETUID and CAP_SETGID capabilities on Linux.
*/
ret = nxt_user_cred_set(task, init->user_cred); ret = nxt_user_cred_set(task, init->user_cred);
if (ret != NXT_OK) { if (ret != NXT_OK) {
goto fail; goto fail;
@@ -434,13 +436,9 @@ nxt_user_cred_get(nxt_task_t *task, nxt_user_cred_t *uc, const char *group)
uc->base_gid = grp->gr_gid; uc->base_gid = grp->gr_gid;
} }
if (getuid() == 0) {
return nxt_user_groups_get(task, uc); return nxt_user_groups_get(task, uc);
} }
return NXT_OK;
}
/* /*
* nxt_user_groups_get() stores an array of groups IDs which should be * nxt_user_groups_get() stores an array of groups IDs which should be
@@ -505,15 +503,27 @@ nxt_user_groups_get(nxt_task_t *task, nxt_user_cred_t *uc)
if (nsaved == -1) { if (nsaved == -1) {
nxt_alert(task, "getgroups(%d) failed %E", nsaved, nxt_errno); nxt_alert(task, "getgroups(%d) failed %E", nsaved, nxt_errno);
goto fail; goto free;
} }
nxt_debug(task, "getgroups(): %d", nsaved); nxt_debug(task, "getgroups(): %d", nsaved);
if (initgroups(uc->user, uc->base_gid) != 0) { if (initgroups(uc->user, uc->base_gid) != 0) {
nxt_alert(task, "initgroups(%s, %d) failed", uc->user, uc->base_gid); if (nxt_errno == NXT_EPERM) {
nxt_log(task, NXT_LOG_NOTICE,
"initgroups(%s, %d) failed %E, ignored",
uc->user, uc->base_gid, nxt_errno);
ret = NXT_OK;
goto free;
} else {
nxt_alert(task, "initgroups(%s, %d) failed %E",
uc->user, uc->base_gid, nxt_errno);
goto restore; goto restore;
} }
}
ngroups = getgroups(0, NULL); ngroups = getgroups(0, NULL);
@@ -567,7 +577,7 @@ restore:
ret = NXT_ERROR; ret = NXT_ERROR;
} }
fail: free:
nxt_free(saved); nxt_free(saved);
@@ -582,9 +592,16 @@ nxt_user_cred_set(nxt_task_t *task, nxt_user_cred_t *uc)
uc->user, (uint64_t) uc->uid, (uint64_t) uc->base_gid); uc->user, (uint64_t) uc->uid, (uint64_t) uc->base_gid);
if (setgid(uc->base_gid) != 0) { if (setgid(uc->base_gid) != 0) {
if (nxt_errno == NXT_EPERM) {
nxt_log(task, NXT_LOG_NOTICE, "setgid(%d) failed %E, ignored",
uc->base_gid, nxt_errno);
return NXT_OK;
} else {
nxt_alert(task, "setgid(%d) failed %E", uc->base_gid, nxt_errno); nxt_alert(task, "setgid(%d) failed %E", uc->base_gid, nxt_errno);
return NXT_ERROR; return NXT_ERROR;
} }
}
if (uc->gids != NULL) { if (uc->gids != NULL) {
if (setgroups(uc->ngroups, uc->gids) != 0) { if (setgroups(uc->ngroups, uc->gids) != 0) {
@@ -595,8 +612,8 @@ nxt_user_cred_set(nxt_task_t *task, nxt_user_cred_t *uc)
} else { } else {
/* MacOSX fallback. */ /* MacOSX fallback. */
if (initgroups(uc->user, uc->base_gid) != 0) { if (initgroups(uc->user, uc->base_gid) != 0) {
nxt_alert(task, "initgroups(%s, %d) failed", nxt_alert(task, "initgroups(%s, %d) failed %E",
uc->user, uc->base_gid); uc->user, uc->base_gid, nxt_errno);
return NXT_ERROR; return NXT_ERROR;
} }
} }
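Review bot: Returning `NXT_OK` on `EPERM` from `setgid()` in nxt_user_cred_set leaves the application process running with the credentials it started with, and because the `getuid() == 0` guard is removed in nxt_process_start this also covers a root process that lacks CAP_SETGID (for example in a container with dropped capabilities), which would then keep running as root behind only a NOTICE-level message. The early return also skips the `setgroups()`/`initgroups()` branch and any uid change that follows; the rest of the function is outside the hunk, so that part is inferred. I would ignore `EPERM` only when the process is already unprivileged, `if (nxt_errno == NXT_EPERM && geteuid() != 0) {`, and keep the `nxt_alert` plus `NXT_ERROR` path for the root case; the same condition applies to the `initgroups()` branch in nxt_user_groups_get.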