Hi Damien! On Fri, Dec 20, 2024 at 01:36:34PM +0000, Damien Claisse wrote: > Commit 5cbb278 introduced cap_sys_admin support, and enforced checks for > both binds and servers. However, when binding into a namespace, the bind > is done before dropping privileges. Hence, checking that we have > cap_sys_admin capability set in this case is not needed (and it would > decrease security to add it). > For users starting haproxy with other user than root and without > cap_sys_admin, bind should have already failed. > As a consequence, relax runtime check for binds into a namespace.
Interesting, thanks for reporting it! I'm Ccing Valentine so that she can have a final check before we merge it, but based on your description I think you're right. Cheers, willy > --- > src/cfgparse-tcp.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/src/cfgparse-tcp.c b/src/cfgparse-tcp.c > index 2f68daf1c..1841c66db 100644 > --- a/src/cfgparse-tcp.c > +++ b/src/cfgparse-tcp.c > @@ -169,7 +169,6 @@ static int bind_parse_namespace(char **args, int cur_arg, > struct proxy *px, stru > ha_alert("Cannot open namespace '%s'.\n", args[cur_arg + 1]); > return ERR_ALERT | ERR_FATAL; > } > - global.last_checks |= LSTCHK_SYSADM; > > return 0; > } > -- > 2.43.0 > >