[TUNING] Make the 'dropping CAP_SETUID' feature configurable, default…

… to off.
litespeedtech · Feb 18, 2021 · 878b2d9 · 878b2d9
1 parent 1837cfa
commit 878b2d9
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 1 deletion.
diff --git a/src/extensions/extworkerconfig.cpp b/src/extensions/extworkerconfig.cpp
@@ -50,6 +50,7 @@ ExtWorkerConfig::ExtWorkerConfig(const char *pName)
  , m_gid(-1)
  , m_pServerAddr(new GSockAddr())
  , m_pOrgEnv(NULL)
+ , m_iDropCaps(0)
 {
 }
 
@@ -72,6 +73,7 @@ ExtWorkerConfig::ExtWorkerConfig()
  , m_gid(-1)
  , m_pServerAddr(new GSockAddr())
  , m_pOrgEnv(NULL)
+ , m_iDropCaps(0)
 {}
 
 
@@ -102,6 +104,7 @@ ExtWorkerConfig::ExtWorkerConfig(const ExtWorkerConfig &rhs)
  m_iDaemonSuEXEC = rhs.m_iDaemonSuEXEC;
  m_uid = rhs.m_uid;
  m_gid = rhs.m_gid;
+ m_iDropCaps = rhs.m_iDropCaps;
  if (m_iRefAddr)
  m_pServerAddr = rhs.m_pServerAddr;
  else

diff --git a/src/extensions/localworkerconfig.cpp b/src/extensions/localworkerconfig.cpp
@@ -407,5 +407,6 @@ void LocalWorkerConfig::configExtAppUserGroup(const XmlNode *pNode,
  lstrncpy(sHomeDir, "/home/nobody", szHomeDir); //If failed, use default as
  }
  setUGid(uid, gid);
- setDropCaps(1);
+ if (!HttpServerConfig::getInstance().getAllowExtAppSetuid())
+ setDropCaps(1);
 }
diff --git a/src/http/httpserverconfig.cpp b/src/http/httpserverconfig.cpp
@@ -65,6 +65,7 @@ HttpServerConfig::HttpServerConfig()
  , m_pGlobalVHost(NULL)
  , m_bwrap(BWRAP_DISABLED)
  , m_pBwrapCmdLine(NULL)
+ , m_iAllowExtAppSetuid(1)
 {
  m_pDeniedDir = new DeniedDir();
 }

diff --git a/src/http/httpserverconfig.h b/src/http/httpserverconfig.h
@@ -78,6 +78,7 @@ class HttpServerConfig : public TSingleton<HttpServerConfig>
  int m_iEnableH2c;
  int m_iProcNo;
  int m_iChildren;
+ int m_iAllowExtAppSetuid;
 
  const char *m_pAdminSock;
  DeniedDir *m_pDeniedDir;
@@ -223,6 +224,9 @@ class HttpServerConfig : public TSingleton<HttpServerConfig>
 
  void setBwrapCmdLine(const char *c) { m_pBwrapCmdLine = c; }
  const char *getBwrapCmdLine() const { return m_pBwrapCmdLine; }
+
+ void setAllowExtAppSetuid(int val) { m_iAllowExtAppSetuid = val; }
+ int getAllowExtAppSetuid() const { return m_iAllowExtAppSetuid; }
 };
 
 LS_SINGLETON_DECL(HttpServerConfig);

diff --git a/src/main/httpserver.cpp b/src/main/httpserver.cpp
@@ -2596,6 +2596,12 @@ int HttpServerImpl::configSecurity(const XmlNode *pRoot)
  "banPeriod", 1, INT_MAX, 60));
  }
 
+ const int iAllowExtAppSetuid = currentCtx.getLongValue(pNode,
+ "allowExtAppSetuid", 0, 1, 1);
+ LS_INFO("setuid %s allowed in Ext Apps",
+ iAllowExtAppSetuid ? "is" : "is not");
+ config.setAllowExtAppSetuid(iAllowExtAppSetuid);
+
  // CGI
  CgidWorker *pWorker = (CgidWorker *) ExtAppRegistry::addApp(
  EA_CGID, LSCGID_NAME);

diff --git a/src/main/plainconf.cpp b/src/main/plainconf.cpp
@@ -435,6 +435,8 @@ plainconfKeywords plainconf::sKeywords[] =
  {"quicidletimeout", NULL},
  {"quicpush", NULL},
  {"quiccongestionctrl", NULL},
+
+ {"allowextappsetuid", NULL},
 };
 
 static HashStringMap<plainconfKeywords *> allKeyword(29, GHash::hfCiString,