summaryrefslogtreecommitdiffhomepage
path: root/src/nxt_credential.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/nxt_credential.c66
1 files changed, 37 insertions, 29 deletions
diff --git a/src/nxt_credential.c b/src/nxt_credential.c
index 9f275b7d..168db9cf 100644
--- a/src/nxt_credential.c
+++ b/src/nxt_credential.c
@@ -280,61 +280,69 @@ free:
nxt_int_t
-nxt_credential_set(nxt_task_t *task, nxt_credential_t *uc)
+nxt_credential_setuid(nxt_task_t *task, nxt_credential_t *uc)
{
- nxt_debug(task, "user cred set: \"%s\" uid:%d base gid:%d",
- uc->user, uc->uid, uc->base_gid);
+ nxt_debug(task, "user cred set: \"%s\" uid:%d", uc->user, uc->uid);
- if (setgid(uc->base_gid) != 0) {
+ if (setuid(uc->uid) != 0) {
#if (NXT_HAVE_CLONE)
if (nxt_errno == EINVAL) {
- nxt_log(task, NXT_LOG_ERR, "The gid %d isn't valid in the "
- "application namespace.", uc->base_gid);
+ nxt_log(task, NXT_LOG_ERR, "The uid %d (user \"%s\") isn't "
+ "valid in the application namespace.", uc->uid, uc->user);
return NXT_ERROR;
}
#endif
- nxt_alert(task, "setgid(%d) failed %E", uc->base_gid, nxt_errno);
+ nxt_alert(task, "setuid(%d) failed %E", uc->uid, nxt_errno);
return NXT_ERROR;
}
- if (uc->gids != NULL) {
- if (setgroups(uc->ngroups, uc->gids) != 0) {
+ return NXT_OK;
+}
-#if (NXT_HAVE_CLONE)
- if (nxt_errno == EINVAL) {
- nxt_log(task, NXT_LOG_ERR, "The user \"%s\" (uid: %d) has "
- "supplementary group ids not valid in the application "
- "namespace.", uc->user, uc->uid);
- return NXT_ERROR;
- }
-#endif
- nxt_alert(task, "setgroups(%i) failed %E", uc->ngroups, nxt_errno);
- return NXT_ERROR;
- }
+nxt_int_t
+nxt_credential_setgids(nxt_task_t *task, nxt_credential_t *uc)
+{
+ nxt_runtime_t *rt;
- } else {
- /* MacOSX fallback. */
- if (initgroups(uc->user, uc->base_gid) != 0) {
- nxt_alert(task, "initgroups(%s, %d) failed %E",
- uc->user, uc->base_gid, nxt_errno);
+ nxt_debug(task, "user cred set gids: base gid:%d, ngroups: %d",
+ uc->base_gid, uc->ngroups);
+
+ rt = task->thread->runtime;
+
+ if (setgid(uc->base_gid) != 0) {
+
+#if (NXT_HAVE_CLONE)
+ if (nxt_errno == EINVAL) {
+ nxt_log(task, NXT_LOG_ERR, "The gid %d isn't valid in the "
+ "application namespace.", uc->base_gid);
return NXT_ERROR;
}
+#endif
+
+ nxt_alert(task, "setgid(%d) failed %E", uc->base_gid, nxt_errno);
+ return NXT_ERROR;
}
- if (setuid(uc->uid) != 0) {
+ if (!rt->capabilities.setid) {
+ return NXT_OK;
+ }
+
+ if (nxt_slow_path(uc->ngroups > 0
+ && setgroups(uc->ngroups, uc->gids) != 0)) {
#if (NXT_HAVE_CLONE)
if (nxt_errno == EINVAL) {
- nxt_log(task, NXT_LOG_ERR, "The uid %d (user \"%s\") isn't "
- "valid in the application namespace.", uc->uid, uc->user);
+ nxt_log(task, NXT_LOG_ERR, "The user \"%s\" (uid: %d) has "
+ "supplementary group ids not valid in the application "
+ "namespace.", uc->user, uc->uid);
return NXT_ERROR;
}
#endif
- nxt_alert(task, "setuid(%d) failed %E", uc->uid, nxt_errno);
+ nxt_alert(task, "setgroups(%i) failed %E", uc->ngroups, nxt_errno);
return NXT_ERROR;
}