This is in preparation for running the master outside of the chroot,
thus allowing children to chroot themselves shortly
after being forked.
This removes the motivation for using capabilities and that code
has been removed in this changeset. As such it is in essence a
reversal of d5ea2ef3 ("Use CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE").
Signed-off-by: Simon Horman <[email protected]>
---
Makefile | 8 ------
src/haproxy.c | 75 +++++++-------------------------------------------------
2 files changed, 10 insertions(+), 73 deletions(-)
diff --git a/Makefile b/Makefile
index c532f3f..6d3f156 100644
--- a/Makefile
+++ b/Makefile
@@ -23,7 +23,6 @@
# USE_LIBCRYPT : enable crypted passwords using -lcrypt
# USE_CRYPT_H : set it if your system requires including crypt.h
# USE_VSYSCALL : enable vsyscall on Linux x86, bypassing libc
-# USE_LIBCAP : enable non-root processes to bind to privileged ports
#
# Options can be forced by specifying "USE_xxx=1" or can be disabled by using
# "USE_xxx=" (empty string).
@@ -213,7 +212,6 @@ ifeq ($(TARGET),linux26)
USE_SEPOLL = implicit
USE_TPROXY = implicit
USE_LIBCRYPT = implicit
- USE_LIBCAP = implicit
else
ifeq ($(TARGET),solaris)
# This is for Solaris 8
@@ -391,12 +389,6 @@ OPTIONS_CFLAGS += -DCONFIG_HAP_LINUX_VSYSCALL
BUILD_OPTIONS += $(call ignore_implicit,USE_VSYSCALL)
endif
-ifneq ($(USE_LIBCAP),)
-OPTIONS_CFLAGS += -DCONFIG_HAP_CAP
-BUILD_OPTIONS += $(call ignore_implicit,USE_LIBCAP)
-OPTIONS_LDFLAGS += -lcap
-endif
-
ifneq ($(USE_NETFILTER),)
OPTIONS_CFLAGS += -DNETFILTER
BUILD_OPTIONS += $(call ignore_implicit,USE_NETFILTER)
diff --git a/src/haproxy.c b/src/haproxy.c
index 4ae8920..26a3dc5 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -44,10 +44,6 @@
#include <sys/resource.h>
#include <time.h>
#include <syslog.h>
-#ifdef CONFIG_HAP_CAP
-#include <sys/prctl.h>
-#include <sys/capability.h>
-#endif
#include <sys/wait.h>
#ifdef DEBUG_FULL
@@ -421,7 +417,11 @@ pid_t ppid;
struct task *task_ping_master(struct task *t)
{
- if (unlikely(kill(ppid, 0))) {
+ /* Ignore EPERM as this will occur when running in master/worker
+ * mode if setid() has run successfully on worker processes -
+ * the master will still be privileged
+ */
+ if (kill(ppid, 0) && errno != EPERM) {
send_log(NULL, LOG_INFO, "Parent disappeared, exiting.\n");
sig_soft_stop(NULL);
t->expire = TICK_ETERNITY;
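Review bot: Treating EPERM as "parent alive" in `task_ping_master` leaves the probe blind to pid reuse: if the master exits and its pid is later taken by a process owned by another user, `kill(ppid, 0)` keeps failing with EPERM and the worker never soft-stops. Assuming `ppid` holds the pid of the worker's parent, comparing it with the current parent avoids the signal-permission question altogether, e.g. `if (unlikely(getppid() != ppid)) {`, because an orphaned worker is reparented. If the `kill()` form is kept, testing `errno == ESRCH` states the intent more directly than excluding one error, and the dropped `unlikely()` hint could stay. Whether `<errno.h>` is already included is not visible here, and the function body continues past the end of the hunk.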
@@ -1097,31 +1097,10 @@ static void setid(const char *name)
}
}
- if (global.uid) {
-#ifdef CONFIG_HAP_CAP
- cap_t caps;
-
- if (prctl(PR_SET_KEEPCAPS, 1)) {
- Alert("[%s.setid()] Cannot set prctl
PR_SET_KEEPCAPS.\n",
- name);
- goto err;
- }
-#endif
- if (setuid(global.uid) == -1) {
- Alert("[%s.setid()] Cannot set uid %d.\n",
- name, global.uid);
- goto err;
- }
-#ifdef CONFIG_HAP_CAP
- caps = cap_from_text("cap_net_bind_service=+eip "
- "cap_sys_resource=+eip");
- if (!caps || cap_set_proc(caps)) {
- Alert("[%s.setid()] Cannot set CAP_NET_BIND_SERVICE "
- "and CAP_SYS_RESOURCE capabilities.\n", name);
- protocol_unbind_all();
- exit(1);
- }
-#endif
+ if (global.uid && setuid(global.uid) == -1) {
+ Alert("[%s.setid()] Cannot set uid %d.\n",
+ name, global.uid);
+ goto err;
}
return;
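Review bot: With the capability code removed, the `setuid(global.uid)` call in `setid()` is the only privilege drop left for a worker, and only its return value is checked. A follow-up check that the drop cannot be undone would make a silent failure impossible, for example `if (global.uid && setuid(0) != -1)` followed by the same `Alert`/`goto err` path. The group handling that precedes this block is outside the hunk, so it is worth confirming that the gid and supplementary groups are dropped before the uid, since they can no longer be changed afterwards. A short comment above the `if` stating that a `global.uid` of 0 means the process keeps its current uid would also help readers.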
@@ -1130,36 +1109,6 @@ err:
exit(1);
}
-static void drop_capabilities(void)
-{
-#ifdef CONFIG_HAP_CAP
- cap_t cap;
- /* Drop all capabilities */
- cap = cap_from_text("");
- if (!cap || cap_set_proc(cap)) {
- send_log(NULL, LOG_ERR, "Cannot drop capabilities.\n");
- protocol_unbind_all();
- exit(1);
- }
-#endif
-}
-
-static void setid_early(const char *name)
-{
-#ifdef CONFIG_HAP_CAP
- Warning("[%s.setsid_early()] enter.\n", name);
- setid(name);
-#endif
-}
-
-static void setid_late(const char *name)
-{
-#ifndef CONFIG_HAP_CAP
- Warning("[%s.setsid_late()] enter.\n", name);
- setid(name);
-#endif
-}
-
static FILE *prepare(int argc, char **argv)
{
int err, retry;
@@ -1255,8 +1204,6 @@ static FILE *prepare(int argc, char **argv)
}
free(global.chroot); global.chroot = NULL;
- setid_early(argv[0]);
-
/* ulimits */
if (!global.rlimit_nofile)
global.rlimit_nofile = global.maxsock;
@@ -1365,8 +1312,6 @@ static FILE *prepare(int argc, char **argv)
* be able to restart the old pids.
*/
- setid_late(argv[0]);
-
/* check ulimits */
limit.rlim_cur = limit.rlim_max = 0;
getrlimit(RLIMIT_NOFILE, &limit);
@@ -1548,7 +1493,7 @@ int main(int argc, char **argv)
create_processes(argc, argv, pidfile);
if (!is_master)
- drop_capabilities();
+ setid(argv[0]);
protocol_enable_all();
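Review bot: The `if (!is_master) setid(argv[0]);` line is now the single place where a worker gives up its privileges, but nothing at the call site says so or records that the master deliberately stays privileged. A comment such as `/* workers drop privileges here via setid(), which exits on failure; the master keeps its uid */` would document the ordering relative to `protocol_enable_all()` for whoever next reorders this code. Bracing the single-statement `if` would also keep a later addition from landing outside the condition. `main()` begins and ends outside this hunk, so the code a worker runs between `create_processes()` and this line is not visible here and presumably still runs with the master's uid.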
--
1.7.2.3