From: Kirill A. Korinskiy <cat...@catap.ru>

capset(CAP_CHOWN) grand the proccess rule to change arbitrary to file.

CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH bypass file read, write and execute permission checks.

CAP_SETUID need for rewert back to privileged processes (whose effective user ID is 0).

--- src/os/unix/ngx_process.c | 9 +++++++++ src/os/unix/ngx_user.c | 13 +++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/os/unix/ngx_process.c b/src/os/unix/ngx_process.c index
18b2601aff17895cc250e54621651d72aee09790..9f06fdfa460ceadac032a62aae18559238fc17c6
100644 --- a/src/os/unix/ngx_process.c +++ b/src/os/unix/ngx_process.c @@ -247,6 +247,15 @@ ngx_execute_proc(ngx_cycle_t *cycle, void *data) { ngx_exec_ctx_t *ctx = data;

+#if (NGX_HAVE_CAPABILITIES) + if (setuid(0) == -1) { + ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno, + "setuid(0) failed"); + /* fatal */ + exit(2); + } +#endif + if (execve(ctx->path, ctx->argv, ctx->envp) == -1) { ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno, "execve() failed while executing %s \"%s\"", diff --git a/src/os/unix/ngx_user.c b/src/os/unix/ngx_user.c index
d5ebb6c3e22b96d66a5e816dbfa860635fa7a3d8..d3f6b5bd1d7d379ff4de9418955bcc285f0696d4
100644 --- a/src/os/unix/ngx_user.c +++ b/src/os/unix/ngx_user.c @@ -149,14 +149,23 @@ void ngx_set_capabilities(ngx_cycle_t *cycle)

ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx, ngx_core_module);

- prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0); + if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) { + ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno, + "prctl(%d) failed", ccf->user); + /* fatal */ + exit(2); + }

ngx_switch_user(cycle);

header.version = _LINUX_CAPABILITY_VERSION; header.pid = 0;

- cap.effective = cap.permitted = (1 << CAP_NET_BIND_SERVICE); + cap.effective = cap.permitted = (1 << CAP_NET_BIND_SERVICE | + 1 << CAP_CHOWN | + 1 << CAP_DAC_OVERRIDE | + 1 << CAP_DAC_READ_SEARCH | + 1 << CAP_SETUID);

if (capset(&header, &cap) == -1) { ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,