On Thu, Dec 18, 2008 at 2:34 AM, Graham Leggett <[email protected]> wrote:
> Pranav Desai wrote:
>
>> Yeah, the application changes are restricted to a few lines. I believe
>> you mean the connect_backend() and not the proxy_connect module for
>> the CONNECT method ?
>
> I did yes, sorry.
>
> If this can be made available to all the proxy modules in one go, it would
> be ideal.
>
There are more changes than I thought there would be. Tproxy needs the
CAP_NET_ADMIN capability for setting the setsockopt(). So it seems like I
have to preserve the capabilities using prctl and then, after the effective
user changes to non-privileged, set the CAP_NET_ADMIN capability for that
process.

What I am not sure of is:

* What's the best place to keep the capabilities, since it would have to be
  done before it drops the privilege?
* Would I have to add the capability for all processes that are created for
  handling requests? Is there a better way to set the capabilities of all
  the spawned processes?

Thanks
-- Pranav

> Regards,
> Graham
> --
>
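
The sequence described in this message (keep capabilities with prctl before the UID change, then re-enable CAP_NET_ADMIN afterwards), as an added example that is not part of the original thread or of httpd's code. The function names and the uid/gid 65534 are assumptions for illustration; it calls the raw capset(2) syscall instead of libcap.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Build a v3 capability set holding exactly one capability (hypothetical helper). */
static void single_cap(struct __user_cap_data_struct d[2], int cap)
{
    memset(d, 0, 2 * sizeof(d[0]));
    d[cap >> 5].permitted = 1u << (cap & 31);
    d[cap >> 5].effective = 1u << (cap & 31);
    /* inheritable stays 0, so nothing is passed across execve() */
}

/* Drop from root to uid/gid, keeping only `cap`. Returns 0, or -1 with errno set. */
static int drop_root_keep_cap(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];

    if (geteuid() != 0) { errno = EPERM; return -1; }
    /* Must happen before setuid(): keeps the permitted set across the UID change. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* setuid() cleared the effective set; raise `cap` again and drop all others. */
    single_cap(d, cap);
    if (syscall(SYS_capset, &h, d) != 0) return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}

int main(void)
{
    /* 65534 is an assumed unprivileged uid/gid ("nobody" on many systems). */
    if (drop_root_keep_cap(65534, 65534, CAP_NET_ADMIN) != 0) {
        perror("drop_root_keep_cap");
        return 1;
    }
    /* Processes fork()ed from here inherit copies of these capability sets. */
    printf("uid=%d, only CAP_NET_ADMIN retained\n", (int)getuid());
    return 0;
}
```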
