From be693024d7e49173f7ff37566232238fc5ea1887 Mon Sep 17 00:00:00 2001
From: David CARLIER <devnexen@gmail.com>
Date: Fri, 4 Nov 2022 19:24:03 +0000
Subject: [PATCH] BUILD: insecure-setuid-wanted support on FreeBSD.

using the procctl API to have the suid/sgid bits ignored.
---
 src/haproxy.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/haproxy.c b/src/haproxy.c
index 806497062..94b9bde4e 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -3003,7 +3003,7 @@ static void *run_thread_poll_loop(void *data)
 	pthread_mutex_unlock(&init_mutex);
 #endif
 
-#if defined(PR_SET_NO_NEW_PRIVS) && defined(USE_PRCTL)
+#if (defined(PR_SET_NO_NEW_PRIVS) && defined(USE_PRCTL)) || (defined(PROC_NO_NEW_PRIVS_CTL) && defined(USE_PROCCTL))
 	/* Let's refrain from using setuid executables. This way the impact of
 	 * an eventual vulnerability in a library remains limited. It may
 	 * impact external checks but who cares about them anyway ? In the
@@ -3014,7 +3014,14 @@ static void *run_thread_poll_loop(void *data)
 	 */
 	if (!(global.tune.options & GTUNE_INSECURE_SETUID) && !master) {
 		static int warn_fail;
-		if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 && !_HA_ATOMIC_FETCH_ADD(&warn_fail, 1)) {
+#if defined(USE_PRCTL)
+		if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1
+#else
+		int refrain_setuid = PROC_NO_NEW_PRIVS_ENABLE;
+		/* we can save one syscall once freebsd 14 becomes the minimum version, removing getpid */
+		if (procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_CTL, &refrain_setuid) == -1
+#endif
+			&& !_HA_ATOMIC_FETCH_ADD(&warn_fail, 1)) {
 			ha_warning("Failed to disable setuid, please report to developers with detailed "
 				   "information about your operating system. You can silence this warning "
 				   "by adding 'insecure-setuid-wanted' in the 'global' section.\n");
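Review bot: The inner test `#if defined(USE_PRCTL)` picks the prctl() branch on USE_PRCTL alone, whereas the enclosing guard (first hunk) admits the block when either (PR_SET_NO_NEW_PRIVS && USE_PRCTL) or (PROC_NO_NEW_PRIVS_CTL && USE_PROCCTL) holds, so a build with USE_PRCTL defined but PR_SET_NO_NEW_PRIVS absent that enters via the procctl pair would compile the prctl() call against an undefined constant. Mirroring the outer condition, `#if defined(PR_SET_NO_NEW_PRIVS) && defined(USE_PRCTL)`, keeps the two in step. The patch adds no include for procctl() or getpid() and the diffstat shows only this file changed, so `<sys/procctl.h>` and `<unistd.h>` are presumably already reached through the existing USE_PROCCTL plumbing — worth confirming on a FreeBSD build. The enclosing function run_thread_poll_loop begins before the hunk and the if-body ends after it.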
-- 
2.38.1

