> If you want to fix it, simply remove "LSTCHK_NETADM" in proto_tcp.c,
> function bind_parse_interface().

Awesome, thanks a lot! This fix works :) I would like to contribute this back, but like you mentioned there might be other places where a similar change is needed, in which case someone else will be better skilled to fix this in a more generic manner.

> I suspect that most people don't get this simply because the setups where
> they bind to multiple interfaces are the same where they also bind to
> interfaces for outgoing connections or they're running in transparent
> mode, both of which require runtime privileges as well.

Is it common to run HAProxy as root (with a chroot jail)? I was unsure, because I don't fully understand the worst-case scenario that could be exploited in case of a future CVE when running as root.

Thanks,
Ankit

On Sun, Mar 26, 2017 at 11:28 PM, Willy Tarreau <[email protected]> wrote:
> On Sun, Mar 26, 2017 at 07:12:33PM -0700, Ankit Malp wrote:
> > Thanks for the suggestions. Adding more details - so if I just bind on port
> > 80 (without interface awareness), dropping of privileges works exactly as
> > documented.
> >
> > More details
> > HAProxy versions tried: 1.6.11 and 1.7.2
> > OS: Amazon Linux
> >
> > *#Works:*
> > global
> >     user haproxy
> > frontend frontend_tcp
> >     mode tcp
> >     bind 0.0.0.0:80
> >
> > *#Does not work*
> > global
> >     user haproxy
> > frontend frontend_tcp_eth1
> >     mode tcp
> >     bind 0.0.0.0:80 interface eth1
> > [ALERT] 084/185646 (13289) : [<>/bin/haproxy.main()] Some configuration
> > options require full privileges, so global.uid cannot be changed
> >
> > Removing the "user haproxy" part in the above config works (but now HAProxy
> > is running as root)
>
> Thank you. I understand the problem. In the permissions check, there's no
> difference between "need to run as root" and "need to start as root". The
> interface binding is an example of such an incorrect check. I'll see if
> it's easy to change this or not. But probably we could simply remove the
> check since it will automatically fail if it cannot bind (the check is
> in fact here to avoid runtime issues).
>
> If you want to fix it, simply remove "LSTCHK_NETADM" in proto_tcp.c,
> function bind_parse_interface().
>
> I suspect that most people don't get this simply because the setups where
> they bind to multiple interfaces are the same where they also bind to
> interfaces for outgoing connections or they're running in transparent
> mode, both of which require runtime privileges as well. But in my opinion
> you're clearly facing a bug that we have to fix.
>
> Thanks,
> Willy
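A check worth running after either outcome of the thread above (HAProxy started with "user haproxy" once the LSTCHK_NETADM check is relaxed, or left running as root with only a chroot): confirm from the kernel's own view, /proc/<pid>/status, that every HAProxy process really dropped root. This is an added shell example, not code from the thread or from the HAProxy project; it assumes a Linux /proc, a pidof binary, and that HAProxy drops privileges with setuid() without retaining capabilities, so a correctly started instance shows a non-zero effective UID and an all-zero CapEff mask.

```shell
#!/bin/sh
# Added example (not from the HAProxy project): verify that running haproxy
# processes have dropped root, using the Uid and CapEff lines of
# /proc/<pid>/status. Assumes Linux /proc and pidof.

# Print the effective UID from a /proc/<pid>/status text read on stdin.
# The line looks like "Uid:<tab>real<tab>effective<tab>saved<tab>fs",
# so the effective UID is the third field.
effective_uid() {
    awk '/^Uid:/ { print $3; exit }'
}

# Print the effective capability mask (CapEff, hex) from status text on stdin.
effective_caps() {
    awk '/^CapEff:/ { print $2; exit }'
}

# Return 0 only if the status text on stdin describes a process that is
# neither running as root nor holding any effective capability.
# Assumption: privileges were dropped with setuid() and capabilities were
# not kept, so a clean drop shows CapEff made up entirely of zeros.
is_unprivileged() {
    status=$(cat)
    uid=$(printf '%s\n' "$status" | effective_uid)
    caps=$(printf '%s\n' "$status" | effective_caps)
    [ -n "$uid" ] && [ "$uid" != 0 ] &&
        [ -n "$caps" ] && [ "$(printf '%s' "$caps" | tr -d 0)" = "" ]
}

# Inspect every process named haproxy on this host. Prints one line per
# process and returns non-zero if any of them still holds root or
# capabilities (the state the ALERT in the thread forces you into when
# you remove "user haproxy").
check_haproxy_privileges() {
    rc=0
    for pid in $(pidof haproxy 2>/dev/null); do
        if is_unprivileged < "/proc/$pid/status"; then
            echo "haproxy pid $pid: privileges dropped"
        else
            echo "haproxy pid $pid: STILL PRIVILEGED" \
                "(uid $(effective_uid < "/proc/$pid/status")," \
                "CapEff $(effective_caps < "/proc/$pid/status"))"
            rc=1
        fi
    done
    return $rc
}

# Run the live check only when invoked as "script.sh --check", so the
# functions can also be sourced from another script.
if [ "${1:-}" = "--check" ]; then
    check_haproxy_privileges
fi
```

Run it as `sh check.sh --check` on the host after HAProxy has started. A process reported as uid 0 is the case to worry about: a chroot restricts the filesystem view, not what root can do, so that result means the interface binding has not bought the privilege separation the "user haproxy" line was meant to provide.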

