Commit 5cbb278 introduced cap_sys_admin support, and enforced checks for
both binds and servers. However, when binding into a namespace, the bind
is done before dropping privileges. Hence, checking that we have
cap_sys_admin capability set in this case is not needed (and it would
decrease security to add it).
For users starting haproxy with other user than root and without
cap_sys_admin, bind should have already failed.
As a consequence, relax runtime check for binds into a namespace.
---
src/cfgparse-tcp.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/cfgparse-tcp.c b/src/cfgparse-tcp.c
index 2f68daf1c..1841c66db 100644
--- a/src/cfgparse-tcp.c
+++ b/src/cfgparse-tcp.c
@@ -169,7 +169,6 @@ static int bind_parse_namespace(char **args, int cur_arg,
struct proxy *px, stru
ha_alert("Cannot open namespace '%s'.\n", args[cur_arg + 1]);
return ERR_ALERT | ERR_FATAL;
}
- global.last_checks |= LSTCHK_SYSADM;
return 0;
}
--
2.43.0
