From c18dd1f65b9eba988bb621a4b540fb6c7bda36c8 Mon Sep 17 00:00:00 2001
From: Andrew Clayton
Date: Thu, 16 Mar 2023 21:35:01 +0000
Subject: Default PR_SET_NO_NEW_PRIVS to off.
This prctl(2) option was enabled in commit 0277d8f1 ("Isolation: Fix the enablement of PR_SET_NO_NEW_PRIVS.") and this was being set by default. This prctl(2) when enabled renders (amongst other things) the set-UID and set-GID bits on executables ineffective after an execve(2). This causes an issue for applications that want to execute the sendmail(8) binary, this includes the PHP mail() function, which is usually set-GID. After some internal discussion it was decided to disable this option by default.
Closes:
Fixes: 0277d8f1 ("Isolation: Fix the enablement of PR_SET_NO_NEW_PRIVS.")
Fixes: e2b53e16 ("Added "rootfs" feature.")
Signed-off-by: Andrew Clayton
---
 src/nxt_isolation.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/nxt_isolation.c b/src/nxt_isolation.c
index 614d6bb5..cfa494a8 100644
--- a/src/nxt_isolation.c
+++ b/src/nxt_isolation.c
@@ -80,6 +80,10 @@ nxt_isolation_main_prefork(nxt_task_t *task, nxt_process_t *process,
 app_conf = process->data.app;
 cap_setid = rt->capabilities.setid;
+#if (NXT_HAVE_PR_SET_NO_NEW_PRIVS)
+ process->isolation.new_privs = 1;
+#endif
+
 if (app_conf->isolation != NULL) {
 ret = nxt_isolation_set(task, app_conf->isolation, process);
 if (nxt_slow_path(ret != NXT_OK)) {
-- cgit
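Review bot: The added `process->isolation.new_privs = 1;` changes a security-relevant default without a comment at the assignment, so a later reader cannot tell that it is a deliberate relaxation. Going by the commit message, application processes no longer get PR_SET_NO_NEW_PRIVS by default, so set-UID and set-GID bits on executables take effect again after execve(2). I would add above the `#if`: `/* Default: new privileges allowed, so set-UID/set-GID binaries (e.g. sendmail) work; the isolation config must opt in to PR_SET_NO_NEW_PRIVS. */`. The assignment sits before the `nxt_isolation_set()` call, which presumably lets the configuration override it, but that function and the rest of `nxt_isolation_main_prefork` are outside the hunk, so confirm the explicit setting still wins. Deployments that relied on the old implicit hardening, possibly including the rootfs case named in the second Fixes: trailer, would need a changelog or documentation note telling them to enable it explicitly.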