All files from this thread

File Name	File Size		Posted by	Date
0001-Retain-CAP_NET_BIND_SERVICE-capability-for-udp-privi.patch	3.5 KB	open | download	shankerwangmiao	02/21/2018	Read message

> 在 2018年2月21日，23:34，Vladimir Homutov <vl@nginx.com> 写道：
>
>> On Wed, Feb 21, 2018 at 10:44:00PM +0800, Wang Shanker wrote:
>> Hi,
>>
>> I noticed that you have introduced `ngx_event_udp_accept()`, which can
>> create a separate socket for receiving datagrams from a specific client.
>> I understand that it is necessary for DTLS servers. However I wonder
>> why it is also called for normal udp servers.
>
> for normal udp server this is beneficial if you need to process
> bidirectional stream, i.e. proxying DTLS or similar protocols without
> offloading it. Probably this should be at least configurable.
>
>> For udp servers listening on a port below 1024, such call will fail if
>> the worker processes drop their privilege as a non-root user.
>> The following patch solves this problem by retaining CAP_NET_BIND_SERVICE
>> after worker processes change UID.
>
> yes, there is an issue in such case, and retaining (partial) permissions
> is a possible (but ugly) solution.

You can see from the code that it is not the first time to use that solution. I wonder if there is better solution for this issue.

Cheers,

Miao Wang

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx