Hi Damien!

On Fri, Dec 20, 2024 at 01:36:34PM +0000, Damien Claisse wrote:
> Commit 5cbb278 introduced cap_sys_admin support, and enforced checks for
> both binds and servers. However, when binding into a namespace, the bind
> is done before dropping privileges. Hence, checking that we have
> cap_sys_admin capability set in this case is not needed (and it would
> decrease security to add it).
> For users starting haproxy with a user other than root and without
> cap_sys_admin, bind should have already failed.
> As a consequence, relax runtime check for binds into a namespace.

Interesting, thanks for reporting it! I'm Ccing Valentine so that she
can have a final check before we merge it, but based on your description
I think you're right.

Cheers,
willy

> ---
>  src/cfgparse-tcp.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/src/cfgparse-tcp.c b/src/cfgparse-tcp.c
> index 2f68daf1c..1841c66db 100644
> --- a/src/cfgparse-tcp.c
> +++ b/src/cfgparse-tcp.c
> @@ -169,7 +169,6 @@ static int bind_parse_namespace(char **args, int cur_arg, 
> struct proxy *px, stru
>               ha_alert("Cannot open namespace '%s'.\n", args[cur_arg + 1]);
>               return ERR_ALERT | ERR_FATAL;
>       }
> -     global.last_checks |= LSTCHK_SYSADM;
>  
>       return 0;
>  }
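
Review bot: Removing `global.last_checks |= LSTCHK_SYSADM;` at the end of bind_parse_namespace() leaves nothing in the code that records why the bind path skips a check that, per the commit message, commit 5cbb278 enforced for both binds and servers. A short comment before `return 0;` stating that binds into a namespace are done before privileges are dropped, so cap_sys_admin is not needed at runtime here, would keep the flag from being re-added later. The commit message also relies on the bind having already failed for a start without root and without cap_sys_admin; the only failure visible in this hunk is the parse-time "Cannot open namespace" alert, so it is worth confirming that the bind-time failure gives an equally clear error.
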
> -- 
> 2.43.0
> 
> 

