summaryrefslogtreecommitdiffhomepage
path: root/src/nxt_runtime.c
diff options
context:
space:
mode:
authorTiago de Bem Natel de Moura <t.nateldemoura@f5.com>2019-09-19 15:25:23 +0300
committerTiago de Bem Natel de Moura <t.nateldemoura@f5.com>2019-09-19 15:25:23 +0300
commitc554941b4f826d83d92d5ca8d7713bea4167896e (patch)
tree86afb0a5efc790e1852124426acb73d8164341af /src/nxt_runtime.c
parent6346e641eef4aacf92e81e0f1ea4f42ed1e62834 (diff)
downloadunit-c554941b4f826d83d92d5ca8d7713bea4167896e.tar.gz
unit-c554941b4f826d83d92d5ca8d7713bea4167896e.tar.bz2
Initial applications isolation support using Linux namespaces.
Diffstat (limited to 'src/nxt_runtime.c')
-rw-r--r--src/nxt_runtime.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/src/nxt_runtime.c b/src/nxt_runtime.c
index 06478f72..de41ba4d 100644
--- a/src/nxt_runtime.c
+++ b/src/nxt_runtime.c
@@ -692,14 +692,26 @@ nxt_runtime_conf_init(nxt_task_t *task, nxt_runtime_t *rt)
rt->state = NXT_STATE;
rt->control = NXT_CONTROL_SOCK;
+ nxt_memzero(&rt->capabilities, sizeof(nxt_capabilities_t));
+
if (nxt_runtime_conf_read_cmd(task, rt) != NXT_OK) {
return NXT_ERROR;
}
- if (nxt_user_cred_get(task, &rt->user_cred, rt->group) != NXT_OK) {
+ if (nxt_capability_set(task, &rt->capabilities) != NXT_OK) {
return NXT_ERROR;
}
+ if (rt->capabilities.setid) {
+ if (nxt_user_cred_get(task, &rt->user_cred, rt->group) != NXT_OK) {
+ return NXT_ERROR;
+ }
+
+ } else {
+ nxt_log(task, NXT_LOG_WARN, "Unit is running unprivileged, then it "
+ "cannot use arbitrary user and group.");
+ }
+
/* An engine's parameters. */
interface = nxt_service_get(rt->services, "engine", rt->engine);
generated by cgit (git 2.34.1) at 2024-11-17 02:46:57 +0000