RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-17 00:44:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
a45a8b5171
haproxy/doc
History
Willy Tarreau a45a8b5171 MEDIUM: init: set NO_NEW_PRIVS by default when supported 
HAProxy doesn't need to call executables at run time (except when using
external checks which are strongly recommended against), and is even expected
to isolate itself into an empty chroot. As such, there basically is no valid
reason to allow a setuid executable to be called without the user being fully
aware of the risks. In a situation where haproxy would need to call external
checks and/or disable chroot, exploiting a vulnerability in a library or in
haproxy itself could lead to the execution of an external program. On Linux
it is possible to lock the process so that any setuid bit present on such an
executable is ignored. This significantly reduces the risk of privilege
escalation in such a situation. This is what haproxy does by default. In case
this causes a problem to an external check (for example one which would need
the "ping" command), then it is possible to disable this protection by
explicitly adding this directive in the global section. If enabled, it is
possible to turn it back off by prefixing it with the "no" keyword.

Before the option:

  $ socat - /tmp/sock1 <<< "expert-mode on; debug dev exec sudo /bin/id"
  uid=0(root) gid=0(root) groups=0(root

After the option:
  $ socat - /tmp/sock1 <<< "expert-mode on; debug dev exec sudo /bin/id"
  sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the
        'nosuid' option set or an NFS file system without root privileges?
2019-12-06 17:20:26 +01:00
..
design-thoughts DOC: Fix typos in different subsections of the documentation 2018-11-18 22:23:15 +01:00
internals DOC: internal: document the init calls 2019-11-20 16:52:56 +01:00
lua-api DOC: Fix typos in different subsections of the documentation 2018-11-18 22:23:15 +01:00
51Degrees-device-detection.txt CLEANUP: 51d: move the 51d dummy lib to contrib/51d/src to match the real lib 2019-06-13 15:56:10 +02:00
acl.fig [DOC] add diagrams of queuing and future ACL design 2009-02-22 16:46:38 +01:00
architecture.txt DOC: fix a few typos in the documentation 2018-11-18 22:23:15 +01:00
close-options.txt DOC: fix a few typos in the documentation 2018-11-18 22:23:15 +01:00
coding-style.txt DOC: fix typos 2019-05-25 07:34:24 +02:00
configuration.txt MEDIUM: init: set NO_NEW_PRIVS by default when supported 2019-12-06 17:20:26 +01:00
cookie-options.txt DOC: fix a few typos in the documentation 2018-11-18 22:23:15 +01:00
DeviceAtlas-device-detection.txt DOC: fix typos 2019-05-25 07:34:24 +02:00
gpl.txt
haproxy.1 MINOR: doc: update the manpage and usage message about -S 2019-06-13 17:09:27 +02:00
intro.txt [RELEASE] Released version 2.2-dev0 2019-11-25 20:36:16 +01:00
lgpl.txt
linux-syn-cookies.txt DOC: add doc/linux-syn-cookies.txt 2015-08-11 12:17:41 +02:00
lua.txt DOC: update few references to the linux* targets and change them to linux-glibc 2019-06-15 18:03:48 +02:00
management.txt DOC: ssl/cli: set/commit/abort ssl cert 2019-11-29 16:53:08 +01:00
netscaler-client-ip-insertion-protocol.txt DOC: fix typos 2019-05-25 07:34:24 +02:00
network-namespaces.txt MAJOR: namespace: add Linux network namespace support 2014-11-21 07:51:57 +01:00
peers-v2.0.txt DOC: fix typos 2019-05-25 07:34:24 +02:00
peers.txt DOC: peers: Update for dictionary cache entries for peers protocol. 2019-06-07 15:47:54 +02:00
proxy-protocol.txt DOC: fix typos 2019-05-25 07:34:24 +02:00
queuing.fig [DOC] add diagrams of queuing and future ACL design 2009-02-22 16:46:38 +01:00
regression-testing.txt DOC: fix typos 2019-05-25 07:34:24 +02:00
seamless_reload.txt CLEANUP: removed obsolete examples an move a few to better places 2019-06-15 21:25:06 +02:00
SOCKS4.protocol.txt MEDIUM: connection: Upstream SOCKS4 proxy support 2019-05-31 17:24:06 +02:00
SPOE.txt DOC: fix typos 2019-05-25 07:34:24 +02:00
WURFL-device-detection.txt DOC: fix typos 2019-05-25 07:34:24 +02:00