Since the introduction of mworker, the setuid/setgid code was duplicated in two places; improve that by moving it into a dedicated function. This patch does not introduce any functional change.
Signed-off-by: William Dauchy <w.dau...@criteo.com>
---
src/haproxy.c | 63 ++++++++++++++++++++-------------------------------
1 file changed, 24 insertions(+), 39 deletions(-)
diff --git a/src/haproxy.c b/src/haproxy.c
index 44375f6d..4f9761e2 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -2776,6 +2776,27 @@ static struct task *manage_global_listener_queue(struct task *t, void *context,
 return t;
 }
 
+/* set uid/gid depending on global settings */
+static void set_identity(const char *program_name) {
+ if (global.gid) {
+ if (getgroups(0, NULL) > 0 && setgroups(0, NULL) == -1)
+ ha_warning("[%s.main()] Failed to drop supplementary groups. Using 'gid'/'group'"
+ " without 'uid'/'user' is generally useless.\n", program_name);
+
+ if (setgid(global.gid) == -1) {
+ ha_alert("[%s.main()] Cannot set gid %d.\n", program_name, global.gid);
+ protocol_unbind_all();
+ exit(1);
+ }
+ }
+
+ if (global.uid && setuid(global.uid) == -1) {
+ ha_alert("[%s.main()] Cannot set uid %d.\n", program_name, global.uid);
+ protocol_unbind_all();
+ exit(1);
+ }
+}
+
 int main(int argc, char **argv)
 {
 int err, retry;
@@ -3045,26 +3066,8 @@ int main(int argc, char **argv)
 * be able to restart the old pids.
 */
 
- if ((global.mode & (MODE_MWORKER|MODE_DAEMON)) == 0) {
- /* setgid / setuid */
- if (global.gid) {
- if (getgroups(0, NULL) > 0 && setgroups(0, NULL) == -1)
- ha_warning("[%s.main()] Failed to drop supplementary groups. Using 'gid'/'group'"
- " without 'uid'/'user' is generally useless.\n", argv[0]);
-
- if (setgid(global.gid) == -1) {
- ha_alert("[%s.main()] Cannot set gid %d.\n", argv[0], global.gid);
- protocol_unbind_all();
- exit(1);
- }
- }
-
- if (global.uid && setuid(global.uid) == -1) {
- ha_alert("[%s.main()] Cannot set uid %d.\n", argv[0], global.uid);
- protocol_unbind_all();
- exit(1);
- }
- }
+ if ((global.mode & (MODE_MWORKER | MODE_DAEMON)) == 0)
+ set_identity(argv[0]);
 
 /* check ulimits */
 limit.rlim_cur = limit.rlim_max = 0;
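Review bot: The supplementary-group drop in set_identity() happens only inside the `if (global.gid)` branch, so a configuration that sets `uid` but not `gid` calls setuid() while keeping the starting user's primary and supplementary groups; the old code behaved the same way and the commit promises no functional change, but the new function's one-line header should state this contract. Suggested replacement for `/* set uid/gid depending on global settings */`: `/* Drop privileges to global.gid (clearing supplementary groups first) and global.uid when they are set; with no gid the caller's groups are kept. On failure the listeners are unbound and the process exits, so it only returns on success. */`. As rendered here the opening brace of set_identity() sits on the signature line, unlike `int main(int argc, char **argv)` / `{` a few lines below in the same hunk, which follows the file's own-line brace style. The `[%s.main()]` prefix in the alerts now names main() for messages emitted from set_identity(), presumably kept on purpose so log output stays identical.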
@@ -3269,25 +3272,7 @@ int main(int argc, char **argv)
 
 free(global.chroot);
 global.chroot = NULL;
-
- /* setgid / setuid */
- if (global.gid) {
- if (getgroups(0, NULL) > 0 && setgroups(0, NULL) == -1)
- ha_warning("[%s.main()] Failed to drop supplementary groups. Using 'gid'/'group'"
- " without 'uid'/'user' is generally useless.\n", argv[0]);
-
- if (setgid(global.gid) == -1) {
- ha_alert("[%s.main()] Cannot set gid %d.\n", argv[0], global.gid);
- protocol_unbind_all();
- exit(1);
- }
- }
-
- if (global.uid && setuid(global.uid) == -1) {
- ha_alert("[%s.main()] Cannot set uid %d.\n", argv[0], global.uid);
- protocol_unbind_all();
- exit(1);
- }
+ set_identity(argv[0]);
 
 /* pass through every cli socket, and check if it's bound to
 * the current process and if it exposes listeners sockets.
--
2.24.0