1berry/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BUG/MINOR: cfgparse-tcp: relax namespace bind check

Browse Source 
Commit 5cbb278 introduced cap_sys_admin support, and enforced checks for
both binds and servers. However, when binding into a namespace, the bind
is done before dropping privileges. Hence, checking that we have
cap_sys_admin capability set in this case is not needed (and it would
decrease security to add it).
For users starting haproxy with other user than root and without
cap_sys_admin, bind should have already failed.
As a consequence, relax runtime check for binds into a namespace.
This commit is contained in:
Damien Claisse 2024-12-20 13:36:34 +00:00 committed by Willy Tarreau
parent dc7913d814
commit f0a07f834c
1 changed files with 0 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/cfgparse-tcp.c
View File

@ -173,7 +173,6 @@ static int bind_parse_namespace(char **args, int cur_arg, struct proxy *px, stru
ha_alert("Cannot open namespace '%s'.\n", args[cur_arg + 1]);
return ERR_ALERT | ERR_FATAL;
}
global.last_checks |= LSTCHK_SYSADM;
return 0;
}