All files from this thread

File Name	File Size		Posted by	Date
0001-Retain-CAP_NET_BIND_SERVICE-capability-for-udp-privi.patch	3.5 KB	open | download	shankerwangmiao	02/21/2018	Read message

On Wed, Feb 21, 2018 at 10:44:00PM +0800, Wang Shanker wrote:
> Hi,
>
> I noticed that you have introduced `ngx_event_udp_accept()`, which can
> create a separate socket for receiving datagrams from a specific client.
> I understand that it is necessary for DTLS servers. However I wonder
> why it is also called for normal udp servers.

for normal udp server this is beneficial if you need to process
bidirectional stream, i.e. proxying DTLS or similar protocols without
offloading it. Probably this should be at least configurable.

> For udp servers listening on a port below 1024, such call will fail if
> the worker processes drop their privilege as a non-root user.
> The following patch solves this problem by retaining CAP_NET_BIND_SERVICE
> after worker processes change UID.

yes, there is an issue in such case, and retaining (partial) permissions
is a possible (but ugly) solution.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx