authorAlyssa Ross <hi@alyssa.is>2020-01-26 22:39:25 +0000
committerAlyssa Ross <hi@alyssa.is>2020-01-26 22:39:25 +0000
commitbd2ad77e38991af0d7a3a5d82bd3f41a077ce401 (patch)
treed1e26d039eb5004eb7c836aafff259cc198626d4 /pkgs/servers/http
parente5d8381542a8d084371d26013fab199f52474be7 (diff)
parentad3f0d9829119b611350a9be1c226fb625f1f310 (diff)
Merge remote-tracking branch 'nixpkgs/master' into master
Diffstat (limited to 'pkgs/servers/http')
-rw-r--r--pkgs/servers/http/apache-httpd/2.4.nix1
-rw-r--r--pkgs/servers/http/apache-modules/mod_ca/default.nix35
-rw-r--r--pkgs/servers/http/apache-modules/mod_crl/default.nix24
-rw-r--r--pkgs/servers/http/apache-modules/mod_csr/default.nix41
-rw-r--r--pkgs/servers/http/apache-modules/mod_csr/openssl_setter_compat.h66
-rw-r--r--pkgs/servers/http/apache-modules/mod_ocsp/default.nix24
-rw-r--r--pkgs/servers/http/apache-modules/mod_pkcs12/default.nix24
-rw-r--r--pkgs/servers/http/apache-modules/mod_scep/default.nix41
-rw-r--r--pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h66
-rw-r--r--pkgs/servers/http/apache-modules/mod_spkac/default.nix24
-rw-r--r--pkgs/servers/http/apache-modules/mod_timestamp/default.nix24
-rw-r--r--pkgs/servers/http/apache-modules/mod_wsgi/default.nix4
-rw-r--r--pkgs/servers/http/jetty/default.nix4
-rw-r--r--pkgs/servers/http/lwan/default.nix4
-rw-r--r--pkgs/servers/http/unit/default.nix9
-rw-r--r--pkgs/servers/http/unit/drop_cap.patch79
16 files changed, 462 insertions, 8 deletions
diff --git a/pkgs/servers/http/apache-httpd/2.4.nix b/pkgs/servers/http/apache-httpd/2.4.nix
index d5da6df8d68..252365098dd 100644
--- a/pkgs/servers/http/apache-httpd/2.4.nix
+++ b/pkgs/servers/http/apache-httpd/2.4.nix
@@ -39,6 +39,7 @@ stdenv.mkDerivation rec {
   prePatch = ''
     sed -i config.layout -e "s|installbuilddir:.*|installbuilddir: $dev/share/build|"
     sed -i support/apachectl.in -e 's|@LYNX_PATH@|${lynx}/bin/lynx|'
+    sed -i support/apachectl.in -e 's|$HTTPD -t|$HTTPD -t -f /etc/httpd/httpd.conf|'
   '';
 
   # Required for ‘pthread_cancel’.
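Review bot: The added sed hard-codes `/etc/httpd/httpd.conf` into apachectl's `$HTTPD -t` invocation with no comment saying why, so a later reader cannot tell whether the path is an assumption about the NixOS httpd module or an upstream default; and because an `s|...|...|` substitution silently matches nothing if apachectl.in changes, the rewrite can quietly stop applying on the next upstream update. Suggest a comment above the line such as `# apachectl's configtest/graceful paths run $HTTPD -t; point them at the config the NixOS module writes (presumably /etc/httpd/httpd.conf — confirm)` and, if the rewrite is essential, a `grep -q '$HTTPD -t' support/apachectl.in` guard so the build fails when the pattern disappears. The enclosing derivation starts outside the hunk.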
diff --git a/pkgs/servers/http/apache-modules/mod_ca/default.nix b/pkgs/servers/http/apache-modules/mod_ca/default.nix
new file mode 100644
index 00000000000..37f2a397ae6
--- /dev/null
+++ b/pkgs/servers/http/apache-modules/mod_ca/default.nix
@@ -0,0 +1,35 @@
+{ stdenv, fetchurl, pkgconfig, apacheHttpd, openssl, openldap }:
+
+stdenv.mkDerivation rec {
+  pname = "mod_ca";
+  version = "0.2.1";
+
+  src = fetchurl {
+    url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
+    sha256 = "1pxapjrzdsk2s25vhgvf56fkakdqcbn9hjncwmqh0asl1pa25iic";
+  };
+
+  nativeBuildInputs = [ pkgconfig ];
+  buildInputs = [ apacheHttpd openssl openldap ];
+
+  # Note that configureFlags and installFlags are inherited by
+  # the various submodules.
+  #
+  configureFlags = [
+    "--with-apxs=${apacheHttpd.dev}/bin/apxs"
+  ];
+
+  installFlags = [
+    "INCLUDEDIR=${placeholder ''out''}/include"
+    "LIBEXECDIR=${placeholder ''out''}/modules"
+  ];
+
+  meta = with stdenv.lib; {
+    description = "RedWax CA service module";
+
+    homepage = "https://redwax.eu";
+    license = licenses.asl20;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ dirkx ];
+  };
+}
diff --git a/pkgs/servers/http/apache-modules/mod_crl/default.nix b/pkgs/servers/http/apache-modules/mod_crl/default.nix
new file mode 100644
index 00000000000..54c0de1c701
--- /dev/null
+++ b/pkgs/servers/http/apache-modules/mod_crl/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }:
+
+stdenv.mkDerivation rec {
+  pname = "mod_crl";
+  version = "0.2.1";
+
+  src = fetchurl {
+    url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
+    sha256 = "0k6iqn5a4bqdz3yx6d53f1r75c21jnwhxmmcq071zq0361xjzzj6";
+  };
+
+  nativeBuildInputs = [ pkgconfig ];
+  buildInputs = [ mod_ca apr aprutil ];
+  inherit (mod_ca) configureFlags installFlags;
+
+  meta = with stdenv.lib; {
+    description = "RedWax module for Certificate Revocation Lists";
+
+    homepage = "https://redwax.eu";
+    license = licenses.asl20;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ dirkx ];
+  };
+}
diff --git a/pkgs/servers/http/apache-modules/mod_csr/default.nix b/pkgs/servers/http/apache-modules/mod_csr/default.nix
new file mode 100644
index 00000000000..60f97d2f361
--- /dev/null
+++ b/pkgs/servers/http/apache-modules/mod_csr/default.nix
@@ -0,0 +1,41 @@
+{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }:
+
+stdenv.mkDerivation rec {
+  pname = "mod_csr";
+  version = "0.2.1";
+
+  src = fetchurl {
+    url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
+    sha256 = "01sdvv07kchdd6ssrmd2cbhj50qh2ibp5g5h6jy1jqbzp0b3j9ja";
+  };
+
+  nativeBuildInputs = [ pkgconfig ];
+  buildInputs = [ mod_ca apr aprutil ];
+  inherit (mod_ca) configureFlags installFlags;
+
+  # After openssl-1.0.2t, starting in  openssl-1.1.0l
+  # parts of the OpenSSL struct API was replaced by
+  # getters - but some setters where forgotten.
+  #
+  # It is expected that these are back/retrofitted in version
+  # openssl-1.1.1d -- but while fixing this it was found
+  # that there were quite a few other setters missing and
+  # that some of the memory management needed was at odds
+  # with the principles used sofar.
+  #
+  # See https://github.com/openssl/openssl/pull/10563
+  #
+  # So as a stopgap - use a minimalist compat. layer
+  # https://source.redwax.eu/projects/RS/repos/mod_csr/browse/openssl_setter_compat.h
+  #
+  preBuild = "cp ${./openssl_setter_compat.h} openssl_setter_compat.h";
+
+  meta = with stdenv.lib; {
+    description = "RedWax CA service module to handle Certificate Signing Requests";
+
+    homepage = "https://redwax.eu";
+    license = licenses.asl20;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ dirkx ];
+  };
+}
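Review bot: `preBuild` overwrites the upstream `openssl_setter_compat.h` with a copy vendored in nixpkgs, and that 66-line file is duplicated byte-for-byte under mod_scep (both new blobs have index a2a9e0f7a18), so any future fix to the compat layer has to be applied in two places; keeping one copy (e.g. beside mod_ca, which both modules already depend on) and referencing it from both derivations avoids drift. The comment block explains the history but not the exit condition, so add a line like `# Remove this stopgap once the OpenSSL in nixpkgs ships the setters from openssl/openssl#10563`. `where forgotten` and `sofar` in the comment read as typos for `were forgotten` and `so far`. The same comment and `preBuild` appear in mod_scep/default.nix and the remarks apply there too.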
diff --git a/pkgs/servers/http/apache-modules/mod_csr/openssl_setter_compat.h b/pkgs/servers/http/apache-modules/mod_csr/openssl_setter_compat.h
new file mode 100644
index 00000000000..a2a9e0f7a18
--- /dev/null
+++ b/pkgs/servers/http/apache-modules/mod_csr/openssl_setter_compat.h
@@ -0,0 +1,66 @@
+/* Licensed to Stichting The Commons Conservancy (TCC) under one or more
+ * contributor license agreements.  See the AUTHORS file distributed with
+ * this work for additional information regarding copyright ownership.
+ * TCC licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// These routines are copies from OpenSSL/1.1.1 its x509/x509_req.c
+// and the private header files for that. They are needed as
+// starting with OpenSSL 1.1.0 the X509_req structure became
+// private; and got some get0 functions to access its internals.
+// But no getter's until post 1.1.1 (PR#10563). So this is a
+// stopgap for these lacking releases.
+//
+// Testest against: 
+//   openssl-1.0.2t 0x01000214fL (does not need it, privates still accessile)
+//   openssl-1.1.0l 0x0101000cfL (needs it)
+//   openssl-1.1.1d 0x01010104fL (last version that needs it)
+//   openssl-1.1.1-dev		 (should not need it - post PR#10563).
+//
+/* #if OPENSSL_VERSION_NUMBER >= 0x010100000L &&  OPENSSL_VERSION_NUMBER  <= 0x01010104fL */
+#if OPENSSL_VERSION_NUMBER >= 0x010100000L 
+#include "openssl/x509.h"
+
+#define HAS_OPENSSL_PR10563_WORK_AROUND
+
+struct X509_req_info_st {
+    ASN1_ENCODING enc;          
+    ASN1_INTEGER *version;     
+    X509_NAME *subject;       
+    X509_PUBKEY *pubkey;     
+    STACK_OF(X509_ATTRIBUTE) *attributes;
+};
+
+typedef _Atomic int CRYPTO_REF_COUNT;
+
+struct X509_req_st {
+    X509_REQ_INFO req_info; 
+    X509_ALGOR sig_alg;       
+    ASN1_BIT_STRING *signature; /* signature */
+    CRYPTO_REF_COUNT references;
+    CRYPTO_RWLOCK *lock;
+# ifndef OPENSSL_NO_SM2
+    ASN1_OCTET_STRING *sm2_id;
+# endif
+};
+
+
+static void _X509_REQ_set1_signature(X509_REQ *req, X509_ALGOR *palg)
+{
+    if (req->sig_alg.algorithm)
+        ASN1_OBJECT_free(req->sig_alg.algorithm);
+    if (req->sig_alg.parameter)
+        ASN1_TYPE_free(req->sig_alg.parameter);
+    req->sig_alg = *palg;
+}
+#endif
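Review bot: The guard `#if OPENSSL_VERSION_NUMBER >= 0x010100000L` is evaluated before any OpenSSL header is included (the only include, `openssl/x509.h`, sits inside the guarded block), so if this header is the first OpenSSL-related include in a translation unit the macro is undefined, the preprocessor treats it as 0, and the whole workaround silently compiles out; add `#include <openssl/opensslv.h>` above the `#if`. The guard also has no upper bound (the bounded form is left commented out on the line above) while `struct X509_req_info_st` and `struct X509_req_st` are verbatim copies of private layouts, so on any OpenSSL release whose layout differs `_X509_REQ_set1_signature` writes through a mismatched struct — memory corruption rather than a compile error — and either the `<= 0x01010104fL` bound should be restored or the block gated on a configure-time test for the missing setter. Despite the `set1` name the function frees the previous `algorithm`/`parameter` and then takes ownership of `*palg`'s members by shallow copy, so the caller must not free `palg`'s contents afterwards; say so, e.g. `/* Frees req's current sig_alg members and takes over palg's by value; the caller must not free palg's algorithm/parameter after this. palg must be non-NULL. */`, and note that `_X509...` (underscore followed by an uppercase letter) is an identifier reserved for the implementation in C. The identical copy at mod_scep/openssl_setter_compat.h has the same issues.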
diff --git a/pkgs/servers/http/apache-modules/mod_ocsp/default.nix b/pkgs/servers/http/apache-modules/mod_ocsp/default.nix
new file mode 100644
index 00000000000..6730ca16f10
--- /dev/null
+++ b/pkgs/servers/http/apache-modules/mod_ocsp/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }:
+
+stdenv.mkDerivation rec {
+  pname = "mod_ocsp";
+  version = "0.2.1";
+
+  src = fetchurl {
+    url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
+    sha256 = "1vwgai56krdf8knb0mgy07ni9mqxk82bcb4gibwpnxvl6qwgv2i0";
+  };
+
+  nativeBuildInputs = [ pkgconfig ];
+  buildInputs = [ mod_ca apr aprutil ];
+  inherit (mod_ca) configureFlags installFlags;
+
+  meta = with stdenv.lib; {
+    description = "RedWax CA service modules of OCSP Online Certificate Validation";
+
+    homepage = "https://redwax.eu";
+    license = licenses.asl20;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ dirkx ];
+  };
+}
diff --git a/pkgs/servers/http/apache-modules/mod_pkcs12/default.nix b/pkgs/servers/http/apache-modules/mod_pkcs12/default.nix
new file mode 100644
index 00000000000..2bcf3b1d9c2
--- /dev/null
+++ b/pkgs/servers/http/apache-modules/mod_pkcs12/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }:
+
+stdenv.mkDerivation rec {
+  pname = "mod_pkcs12";
+  version = "0.2.1";
+
+  src = fetchurl {
+    url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
+    sha256 = "0by4qfjs3a8q0amzwazfq8ii6ydv36v2mjga0jzc9i6xyl4rs6ai";
+  };
+
+  nativeBuildInputs = [ pkgconfig ];
+  buildInputs = [ mod_ca apr aprutil ];
+  inherit (mod_ca) configureFlags installFlags;
+
+  meta = with stdenv.lib; {
+    description = "RedWax CA service modules for PKCS#12 format files";
+
+    homepage = "https://redwax.eu";
+    license = licenses.asl20;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ dirkx ];
+  };
+}
diff --git a/pkgs/servers/http/apache-modules/mod_scep/default.nix b/pkgs/servers/http/apache-modules/mod_scep/default.nix
new file mode 100644
index 00000000000..98703659c35
--- /dev/null
+++ b/pkgs/servers/http/apache-modules/mod_scep/default.nix
@@ -0,0 +1,41 @@
+{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }:
+
+stdenv.mkDerivation rec {
+  pname = "mod_scep";
+  version = "0.2.1";
+
+  src = fetchurl {
+    url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
+    sha256 = "14l8v6y6kx5dg8avb5ny95qdcgrw40ss80nqrgmw615mk7zcj81f";
+  };
+
+  nativeBuildInputs = [ pkgconfig ];
+  buildInputs = [ mod_ca apr aprutil ];
+  inherit (mod_ca) configureFlags installFlags;
+
+  # After openssl-1.0.2t, starting in  openssl-1.1.0l
+  # parts of the OpenSSL struct API was replaced by
+  # getters - but some setters where forgotten.
+  #
+  # It is expected that these are back/retrofitted in version
+  # openssl-1.1.1d -- but while fixing this it was found
+  # that there were quite a few other setters missing and
+  # that some of the memory management needed was at odds
+  # with the principles used sofar.
+  #
+  # See https://github.com/openssl/openssl/pull/10563
+  #
+  # So as a stopgap - use a minimalist compat. layer
+  # https://source.redwax.eu/projects/RS/repos/mod_csr/browse/openssl_setter_compat.h
+  #
+  preBuild = "cp ${./openssl_setter_compat.h} openssl_setter_compat.h";
+
+  meta = with stdenv.lib; {
+    description = "RedWax CA service modules for SCEP (Automatic ceritifcate issue/renewal)";
+
+    homepage = "https://redwax.eu";
+    license = licenses.asl20;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ dirkx ];
+  };
+}
diff --git a/pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h b/pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h
new file mode 100644
index 00000000000..a2a9e0f7a18
--- /dev/null
+++ b/pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h
@@ -0,0 +1,66 @@
+/* Licensed to Stichting The Commons Conservancy (TCC) under one or more
+ * contributor license agreements.  See the AUTHORS file distributed with
+ * this work for additional information regarding copyright ownership.
+ * TCC licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// These routines are copies from OpenSSL/1.1.1 its x509/x509_req.c
+// and the private header files for that. They are needed as
+// starting with OpenSSL 1.1.0 the X509_req structure became
+// private; and got some get0 functions to access its internals.
+// But no getter's until post 1.1.1 (PR#10563). So this is a
+// stopgap for these lacking releases.
+//
+// Testest against: 
+//   openssl-1.0.2t 0x01000214fL (does not need it, privates still accessile)
+//   openssl-1.1.0l 0x0101000cfL (needs it)
+//   openssl-1.1.1d 0x01010104fL (last version that needs it)
+//   openssl-1.1.1-dev		 (should not need it - post PR#10563).
+//
+/* #if OPENSSL_VERSION_NUMBER >= 0x010100000L &&  OPENSSL_VERSION_NUMBER  <= 0x01010104fL */
+#if OPENSSL_VERSION_NUMBER >= 0x010100000L 
+#include "openssl/x509.h"
+
+#define HAS_OPENSSL_PR10563_WORK_AROUND
+
+struct X509_req_info_st {
+    ASN1_ENCODING enc;          
+    ASN1_INTEGER *version;     
+    X509_NAME *subject;       
+    X509_PUBKEY *pubkey;     
+    STACK_OF(X509_ATTRIBUTE) *attributes;
+};
+
+typedef _Atomic int CRYPTO_REF_COUNT;
+
+struct X509_req_st {
+    X509_REQ_INFO req_info; 
+    X509_ALGOR sig_alg;       
+    ASN1_BIT_STRING *signature; /* signature */
+    CRYPTO_REF_COUNT references;
+    CRYPTO_RWLOCK *lock;
+# ifndef OPENSSL_NO_SM2
+    ASN1_OCTET_STRING *sm2_id;
+# endif
+};
+
+
+static void _X509_REQ_set1_signature(X509_REQ *req, X509_ALGOR *palg)
+{
+    if (req->sig_alg.algorithm)
+        ASN1_OBJECT_free(req->sig_alg.algorithm);
+    if (req->sig_alg.parameter)
+        ASN1_TYPE_free(req->sig_alg.parameter);
+    req->sig_alg = *palg;
+}
+#endif
diff --git a/pkgs/servers/http/apache-modules/mod_spkac/default.nix b/pkgs/servers/http/apache-modules/mod_spkac/default.nix
new file mode 100644
index 00000000000..72e0d521e3b
--- /dev/null
+++ b/pkgs/servers/http/apache-modules/mod_spkac/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }:
+
+stdenv.mkDerivation rec {
+  pname = "mod_spkac";
+  version = "0.2.1";
+
+  src = fetchurl {
+    url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
+    sha256 = "0x6ia9qcr7lx2awpv9cr4ndic5f4g8yqzmp2hz66zpzkmk2b2pyz";
+  };
+
+  nativeBuildInputs = [ pkgconfig ];
+  buildInputs = [ mod_ca apr aprutil ];
+  inherit (mod_ca) configureFlags installFlags;
+
+  meta = with stdenv.lib; {
+    description = "RedWax CA service module for handling the Netscape keygen requests. ";
+
+    homepage = "https://redwax.eu";
+    license = licenses.asl20;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ dirkx ];
+  };
+}
diff --git a/pkgs/servers/http/apache-modules/mod_timestamp/default.nix b/pkgs/servers/http/apache-modules/mod_timestamp/default.nix
new file mode 100644
index 00000000000..139da289078
--- /dev/null
+++ b/pkgs/servers/http/apache-modules/mod_timestamp/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }:
+
+stdenv.mkDerivation rec {
+  pname = "mod_timestamp";
+  version = "0.2.1";
+
+  src = fetchurl {
+    url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
+    sha256 = "0j4b04dbdwn9aff3da9m0lnqi0qbw6c6hhi81skl15kyc3vzp67f";
+  };
+
+  nativeBuildInputs = [ pkgconfig ];
+  buildInputs = [ mod_ca apr aprutil ];
+  inherit (mod_ca) configureFlags installFlags;
+
+  meta = with stdenv.lib; {
+    description = "RedWax CA service module for issuing signed timestamps";
+
+    homepage = "https://redwax.eu";
+    license = licenses.asl20;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ dirkx ];
+  };
+}
diff --git a/pkgs/servers/http/apache-modules/mod_wsgi/default.nix b/pkgs/servers/http/apache-modules/mod_wsgi/default.nix
index 461ab1e297e..c0e4cefa40a 100644
--- a/pkgs/servers/http/apache-modules/mod_wsgi/default.nix
+++ b/pkgs/servers/http/apache-modules/mod_wsgi/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "mod_wsgi";
-  version = "4.6.8";
+  version = "4.7.0";
 
   src = fetchurl {
     url = "https://github.com/GrahamDumpleton/mod_wsgi/archive/${version}.tar.gz";
-    sha256 = "0xym7i3iaxqi23dayacv2llhi0klxcb4ldll5cjxv6lg9v5r88x2";
+    sha256 = "079f4py20jd6n3d7djak5l9j8p6hfq96lf577iir6qpfsk2p0k3n";
   };
 
   buildInputs = [ apacheHttpd python ncurses ];
diff --git a/pkgs/servers/http/jetty/default.nix b/pkgs/servers/http/jetty/default.nix
index 8d2340647cb..4a3a3f2da01 100644
--- a/pkgs/servers/http/jetty/default.nix
+++ b/pkgs/servers/http/jetty/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "jetty";
-  version = "9.4.24.v20191120";
+  version = "9.4.25.v20191220";
   src = fetchurl {
     url = "https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/${version}/jetty-distribution-${version}.tar.gz";
     name = "jetty-distribution-${version}.tar.gz";
-    sha256 = "072vr8gfly2xdwxx1c771yymf145l8nv0j31liwqrih8zqvvhsd4";
+    sha256 = "1jnx4hnvd2krsdisqwpws1qd1r0f8gm9a4sx4a8c7zqrmfd2zx1a";
   };
 
   phases = [ "unpackPhase" "installPhase" ];
diff --git a/pkgs/servers/http/lwan/default.nix b/pkgs/servers/http/lwan/default.nix
index f692832e882..9cd9a6b7fec 100644
--- a/pkgs/servers/http/lwan/default.nix
+++ b/pkgs/servers/http/lwan/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "lwan";
-  version = "0.1";
+  version = "0.2";
 
   src = fetchFromGitHub {
     owner = "lpereira";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1mckryzb06smky0bx2bkqwqzpnq4pb8vlgmmwsvqmwi4mmw9wmi1";
+    sha256 = "1z1g6bmdsf7zj809sq6jqkpzkdnx1jch84kk67h0v2x6lxhdpv5r";
   };
 
   nativeBuildInputs = [ cmake pkgconfig ];
diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix
index d210fcefc85..c3af0d55543 100644
--- a/pkgs/servers/http/unit/default.nix
+++ b/pkgs/servers/http/unit/default.nix
@@ -18,16 +18,21 @@
 with stdenv.lib;
 
 stdenv.mkDerivation rec {
-  version = "1.13.0";
+  version = "1.14.0";
   pname = "unit";
 
   src = fetchFromGitHub {
     owner = "nginx";
     repo = "unit";
     rev = version;
-    sha256 = "1b5il05isq5yvnx2qpnihsrmj0jliacvhrm58i87d48anwpv1k8q";
+    sha256 = "01anczfcdwd22hb0y4zw647f86ivk5zq8lcd13xfxjvkmnsnbj9w";
   };
 
+  patches = [
+    # https://github.com/nginx/unit/issues/357
+    ./drop_cap.patch
+  ];
+
   nativeBuildInputs = [ which ];
 
   buildInputs = [ ]
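Review bot: The new `patches` entry is explained only by an issue URL, so a reader of this file has to open GitHub to learn what the patch changes in a security-relevant code path; prefix it with a one-line description, e.g. `# Drop all Linux capabilities once the process has switched uid/gid (nginx/unit#357)`. If upstream addresses the issue in a later release, that comment is also the place to record which version to check before removing the patch. The enclosing derivation starts outside the hunk.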
diff --git a/pkgs/servers/http/unit/drop_cap.patch b/pkgs/servers/http/unit/drop_cap.patch
new file mode 100644
index 00000000000..87caf77904e
--- /dev/null
+++ b/pkgs/servers/http/unit/drop_cap.patch
@@ -0,0 +1,79 @@
+diff -r ed17ce89119f src/nxt_capability.c
+--- a/src/nxt_capability.c      Fri Dec 06 17:02:23 2019 +0000
++++ b/src/nxt_capability.c      Mon Dec 09 23:23:00 2019 +0000
+@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t *
+     return NXT_OK;
+ }
+ 
++
++nxt_int_t
++nxt_capability_drop_all(nxt_task_t *task)
++{
++    struct __user_cap_header_struct hdr;
++    struct __user_cap_data_struct data[2];
++
++    hdr.version = nxt_capability_linux_get_version();
++    hdr.pid = nxt_pid;
++
++    nxt_memset(data, 0, sizeof(data));
++
++    if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) {
++        nxt_alert(task, "failed to drop capabilities %E", nxt_errno);
++        return NXT_ERROR;
++    }
++
++    return NXT_OK;
++}
++
+ #else
+ 
+ static nxt_int_t
+diff -r ed17ce89119f src/nxt_capability.h
+--- a/src/nxt_capability.h      Fri Dec 06 17:02:23 2019 +0000
++++ b/src/nxt_capability.h      Mon Dec 09 23:23:00 2019 +0000
+@@ -14,4 +14,6 @@ typedef struct {
+ NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task,
+     nxt_capabilities_t *cap);
+ 
++NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task);
++
+ #endif /* _NXT_CAPABILITY_INCLUDED_ */
+diff -r ed17ce89119f src/nxt_process.c
+--- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000
++++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000
+@@ -264,7 +264,7 @@ cleanup:
+ static void
+ nxt_process_start(nxt_task_t *task, nxt_process_t *process)
+ {
+-    nxt_int_t                    ret, cap_setid;
++    nxt_int_t                    ret, cap_setid, drop_caps;
+     nxt_port_t                   *port, *main_port;
+     nxt_thread_t                 *thread;
+     nxt_runtime_t                *rt;
+@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_
+ 
+     cap_setid = rt->capabilities.setid;
+ 
++    drop_caps = cap_setid;
++
+ #if (NXT_HAVE_CLONE_NEWUSER)
+-    if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) {
++    if (NXT_CLONE_USER(init->isolation.clone.flags)) {
+         cap_setid = 1;
++        drop_caps = 0;
+     }
+ #endif
+ 
+@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_
+         if (nxt_slow_path(ret != NXT_OK)) {
+             goto fail;
+         }
++
++#if (NXT_HAVE_LINUX_CAPABILITY)
++        if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) {
++            goto fail;
++        }
++#endif
+     }
+ 
+     rt->type = init->type;
\ No newline at end of file
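Review bot: In `nxt_process_start`, removing `!cap_setid &&` from the `NXT_HAVE_CLONE_NEWUSER` condition means a user-namespace clone now forces `drop_caps = 0` even when `rt->capabilities.setid` was already set, so a configuration that both enters a new user namespace and switches uid keeps its capabilities; that looks deliberate (the namespace presumably needs them) but is stated nowhere, and deserves a comment such as `/* in a new user namespace the capabilities are needed; only drop them when we setuid in the parent namespace */`, to be confirmed against the isolation code, which is outside the hunk. `nxt_capability_drop_all` zeroes the effective, permitted and inheritable sets through capset(2), which does not touch the bounding set; if that is intended, a comment above the function should say so, so nobody later assumes the process is fully unprivileged across an execve. The failure branch correctly fails closed via `goto fail`, and the `if` block that contains the new call opens outside the hunk. The `#else` branch of nxt_capability.c (starting at `#else` in the first hunk) provides no `nxt_capability_drop_all`, which is fine only because the caller is also under `#if (NXT_HAVE_LINUX_CAPABILITY)` — worth a one-line comment at the declaration in nxt_capability.h.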