From: Kirill A. Korinskiy <catap@catap.ru>

capset(CAP_CHOWN) grand the proccess rule to change arbitrary to file.

CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH bypass file read, write and
execute permission checks.

CAP_SETUID need for rewert back to privileged processes (whose
effective user ID is 0).
---
src/os/unix/ngx_process.c | 9 +++++++++
src/os/unix/ngx_user.c | 13 +++++++++++--
2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/os/unix/ngx_process.c b/src/os/unix/ngx_process.c
index 18b2601aff17895cc250e54621651d72aee09790..9f06fdfa460ceadac032a62aae18559238fc17c6 100644
--- a/src/os/unix/ngx_process.c
+++ b/src/os/unix/ngx_process.c
@@ -247,6 +247,15 @@ ngx_execute_proc(ngx_cycle_t *cycle, void *data)
{
ngx_exec_ctx_t *ctx = data;

+#if (NGX_HAVE_CAPABILITIES)
+ if (setuid(0) == -1) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "setuid(0) failed");
+ /* fatal */
+ exit(2);
+ }
+#endif
+
if (execve(ctx->path, ctx->argv, ctx->envp) == -1) {
ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno,
"execve() failed while executing %s \"%s\"",
diff --git a/src/os/unix/ngx_user.c b/src/os/unix/ngx_user.c
index d5ebb6c3e22b96d66a5e816dbfa860635fa7a3d8..d3f6b5bd1d7d379ff4de9418955bcc285f0696d4 100644
--- a/src/os/unix/ngx_user.c
+++ b/src/os/unix/ngx_user.c
@@ -149,14 +149,23 @@ void ngx_set_capabilities(ngx_cycle_t *cycle)

ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx, ngx_core_module);

- prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "prctl(%d) failed", ccf->user);
+ /* fatal */
+ exit(2);
+ }

ngx_switch_user(cycle);

header.version = _LINUX_CAPABILITY_VERSION;
header.pid = 0;

- cap.effective = cap.permitted = (1 << CAP_NET_BIND_SERVICE);
+ cap.effective = cap.permitted = (1 << CAP_NET_BIND_SERVICE |
+ 1 << CAP_CHOWN |
+ 1 << CAP_DAC_OVERRIDE |
+ 1 << CAP_DAC_READ_SEARCH |
+ 1 << CAP_SETUID);

if (capset(&header, &cap) == -1) {
ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
--
1.6.2