author | Alyssa Ross <hi@alyssa.is> | 2020-01-26 22:39:25 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2020-01-26 22:39:25 +0000 |
commit | bd2ad77e38991af0d7a3a5d82bd3f41a077ce401 (patch) | |
tree | d1e26d039eb5004eb7c836aafff259cc198626d4 /pkgs/servers/http | |
parent | e5d8381542a8d084371d26013fab199f52474be7 (diff) | |
parent | ad3f0d9829119b611350a9be1c226fb625f1f310 (diff) | |
Merge remote-tracking branch 'nixpkgs/master' into master
Diffstat (limited to 'pkgs/servers/http')
-rw-r--r-- | pkgs/servers/http/apache-httpd/2.4.nix | 1 | ||||
-rw-r--r-- | pkgs/servers/http/apache-modules/mod_ca/default.nix | 35 | ||||
-rw-r--r-- | pkgs/servers/http/apache-modules/mod_crl/default.nix | 24 | ||||
-rw-r--r-- | pkgs/servers/http/apache-modules/mod_csr/default.nix | 41 | ||||
-rw-r--r-- | pkgs/servers/http/apache-modules/mod_csr/openssl_setter_compat.h | 66 | ||||
-rw-r--r-- | pkgs/servers/http/apache-modules/mod_ocsp/default.nix | 24 | ||||
-rw-r--r-- | pkgs/servers/http/apache-modules/mod_pkcs12/default.nix | 24 | ||||
-rw-r--r-- | pkgs/servers/http/apache-modules/mod_scep/default.nix | 41 | ||||
-rw-r--r-- | pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h | 66 | ||||
-rw-r--r-- | pkgs/servers/http/apache-modules/mod_spkac/default.nix | 24 | ||||
-rw-r--r-- | pkgs/servers/http/apache-modules/mod_timestamp/default.nix | 24 | ||||
-rw-r--r-- | pkgs/servers/http/apache-modules/mod_wsgi/default.nix | 4 | ||||
-rw-r--r-- | pkgs/servers/http/jetty/default.nix | 4 | ||||
-rw-r--r-- | pkgs/servers/http/lwan/default.nix | 4 | ||||
-rw-r--r-- | pkgs/servers/http/unit/default.nix | 9 | ||||
-rw-r--r-- | pkgs/servers/http/unit/drop_cap.patch | 79 |
16 files changed, 462 insertions, 8 deletions
diff --git a/pkgs/servers/http/apache-httpd/2.4.nix b/pkgs/servers/http/apache-httpd/2.4.nix index d5da6df8d68..252365098dd 100644 --- a/pkgs/servers/http/apache-httpd/2.4.nix +++ b/pkgs/servers/http/apache-httpd/2.4.nix @@ -39,6 +39,7 @@ stdenv.mkDerivation rec { prePatch = '' sed -i config.layout -e "s|installbuilddir:.*|installbuilddir: $dev/share/build|" sed -i support/apachectl.in -e 's|@LYNX_PATH@|${lynx}/bin/lynx|' + sed -i support/apachectl.in -e 's|$HTTPD -t|$HTTPD -t -f /etc/httpd/httpd.conf|' ''; # Required for ‘pthread_cancel’. diff --git a/pkgs/servers/http/apache-modules/mod_ca/default.nix b/pkgs/servers/http/apache-modules/mod_ca/default.nix new file mode 100644 index 00000000000..37f2a397ae6 --- /dev/null +++ b/pkgs/servers/http/apache-modules/mod_ca/default.nix @@ -0,0 +1,35 @@ +{ stdenv, fetchurl, pkgconfig, apacheHttpd, openssl, openldap }: + +stdenv.mkDerivation rec { + pname = "mod_ca"; + version = "0.2.1"; + + src = fetchurl { + url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz"; + sha256 = "1pxapjrzdsk2s25vhgvf56fkakdqcbn9hjncwmqh0asl1pa25iic"; + }; + + nativeBuildInputs = [ pkgconfig ]; + buildInputs = [ apacheHttpd openssl openldap ]; + + # Note that configureFlags and installFlags are inherited by + # the various submodules. + # + configureFlags = [ + "--with-apxs=${apacheHttpd.dev}/bin/apxs" + ]; + + installFlags = [ + "INCLUDEDIR=${placeholder ''out''}/include" + "LIBEXECDIR=${placeholder ''out''}/modules" + ]; + + meta = with stdenv.lib; { + description = "RedWax CA service module"; + + homepage = "https://redwax.eu"; + license = licenses.asl20; + platforms = platforms.unix; + maintainers = with maintainers; [ dirkx ]; + }; +} diff --git a/pkgs/servers/http/apache-modules/mod_crl/default.nix b/pkgs/servers/http/apache-modules/mod_crl/default.nix new file mode 100644 index 00000000000..54c0de1c701 --- /dev/null +++ b/pkgs/servers/http/apache-modules/mod_crl/default.nix 
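Review bot: The new sed hard-codes `/etc/httpd/httpd.conf` into apachectl's `-t` invocation, but unlike the two substitutions above it, nothing in the derivation says what provides that file or why the built-in default is wrong; if the running server is started with its own `-f` (a store path, presumably), `apachectl configtest` ends up validating a different file than the one actually loaded. A one-line comment above the sed stating which component writes that path and why the default is not used, e.g. `# configtest must check the system config at /etc/httpd/httpd.conf, not the store default`, would keep the line from being dropped as stray on the next update.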
@@ -0,0 +1,24 @@ +{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }: + +stdenv.mkDerivation rec { + pname = "mod_crl"; + version = "0.2.1"; + + src = fetchurl { + url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz"; + sha256 = "0k6iqn5a4bqdz3yx6d53f1r75c21jnwhxmmcq071zq0361xjzzj6"; + }; + + nativeBuildInputs = [ pkgconfig ]; + buildInputs = [ mod_ca apr aprutil ]; + inherit (mod_ca) configureFlags installFlags; + + meta = with stdenv.lib; { + description = "RedWax module for Certificate Revocation Lists"; + + homepage = "https://redwax.eu"; + license = licenses.asl20; + platforms = platforms.unix; + maintainers = with maintainers; [ dirkx ]; + }; +} diff --git a/pkgs/servers/http/apache-modules/mod_csr/default.nix b/pkgs/servers/http/apache-modules/mod_csr/default.nix new file mode 100644 index 00000000000..60f97d2f361 --- /dev/null +++ b/pkgs/servers/http/apache-modules/mod_csr/default.nix 
@@ -0,0 +1,41 @@ +{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }: + +stdenv.mkDerivation rec { + pname = "mod_csr"; + version = "0.2.1"; + + src = fetchurl { + url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz"; + sha256 = "01sdvv07kchdd6ssrmd2cbhj50qh2ibp5g5h6jy1jqbzp0b3j9ja"; + }; + + nativeBuildInputs = [ pkgconfig ]; + buildInputs = [ mod_ca apr aprutil ]; + inherit (mod_ca) configureFlags installFlags; + + # After openssl-1.0.2t, starting in openssl-1.1.0l + # parts of the OpenSSL struct API was replaced by + # getters - but some setters where forgotten. + # + # It is expected that these are back/retrofitted in version + # openssl-1.1.1d -- but while fixing this it was found + # that there were quite a few other setters missing and + # that some of the memory management needed was at odds + # with the principles used sofar. + # + # See https://github.com/openssl/openssl/pull/10563 + # + # So as a stopgap - use a minimalist compat. layer + # https://source.redwax.eu/projects/RS/repos/mod_csr/browse/openssl_setter_compat.h + # + preBuild = "cp ${./openssl_setter_compat.h} openssl_setter_compat.h"; + + meta = with stdenv.lib; { + description = "RedWax CA service module to handle Certificate Signing Requests"; + + homepage = "https://redwax.eu"; + license = licenses.asl20; + platforms = platforms.unix; + maintainers = with maintainers; [ dirkx ]; + }; +} diff --git a/pkgs/servers/http/apache-modules/mod_csr/openssl_setter_compat.h b/pkgs/servers/http/apache-modules/mod_csr/openssl_setter_compat.h new file mode 100644 index 00000000000..a2a9e0f7a18 --- /dev/null +++ b/pkgs/servers/http/apache-modules/mod_csr/openssl_setter_compat.h 
@@ -0,0 +1,66 @@
+/* Licensed to Stichting The Commons Conservancy (TCC) under one or more
+ * contributor license agreements. See the AUTHORS file distributed with
+ * this work for additional information regarding copyright ownership.
+ * TCC licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// These routines are copies from OpenSSL/1.1.1 its x509/x509_req.c
+// and the private header files for that. They are needed as
+// starting with OpenSSL 1.1.0 the X509_req structure became
+// private; and got some get0 functions to access its internals.
+// But no getter's until post 1.1.1 (PR#10563). So this is a
+// stopgap for these lacking releases.
+//
+// Testest against:
+// openssl-1.0.2t 0x01000214fL (does not need it, privates still accessile)
+// openssl-1.1.0l 0x0101000cfL (needs it)
+// openssl-1.1.1d 0x01010104fL (last version that needs it)
+// openssl-1.1.1-dev (should not need it - post PR#10563).
+//
+/* #if OPENSSL_VERSION_NUMBER >= 0x010100000L && OPENSSL_VERSION_NUMBER <= 0x01010104fL */
+#if OPENSSL_VERSION_NUMBER >= 0x010100000L
+#include "openssl/x509.h"
+
+#define HAS_OPENSSL_PR10563_WORK_AROUND
+
+struct X509_req_info_st {
+ ASN1_ENCODING enc;
+ ASN1_INTEGER *version;
+ X509_NAME *subject;
+ X509_PUBKEY *pubkey;
+ STACK_OF(X509_ATTRIBUTE) *attributes;
+};
+
+typedef _Atomic int CRYPTO_REF_COUNT;
+
+struct X509_req_st {
+ X509_REQ_INFO req_info;
+ X509_ALGOR sig_alg;
+ ASN1_BIT_STRING *signature; /* signature */
+ CRYPTO_REF_COUNT references;
+ CRYPTO_RWLOCK *lock;
+# ifndef OPENSSL_NO_SM2
+ ASN1_OCTET_STRING *sm2_id;
+# endif
+};
+
+
+static void _X509_REQ_set1_signature(X509_REQ *req, X509_ALGOR *palg)
+{
+ if (req->sig_alg.algorithm)
+ ASN1_OBJECT_free(req->sig_alg.algorithm);
+ if (req->sig_alg.parameter)
+ ASN1_TYPE_free(req->sig_alg.parameter);
+ req->sig_alg = *palg;
+}
+#endif
diff --git a/pkgs/servers/http/apache-modules/mod_ocsp/default.nix b/pkgs/servers/http/apache-modules/mod_ocsp/default.nix
new file mode 100644
index 00000000000..6730ca16f10
--- /dev/null
+++ b/pkgs/servers/http/apache-modules/mod_ocsp/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }:
+
+stdenv.mkDerivation rec {
+ pname = "mod_ocsp";
+ version = "0.2.1";
+
+ src = fetchurl {
+ url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
+ sha256 = "1vwgai56krdf8knb0mgy07ni9mqxk82bcb4gibwpnxvl6qwgv2i0";
+ };
+
+ nativeBuildInputs = [ pkgconfig ];
+ buildInputs = [ mod_ca apr aprutil ];
+ inherit (mod_ca) configureFlags installFlags;
+
+ meta = with stdenv.lib; {
+ description = "RedWax CA service modules of OCSP Online Certificate Validation";
+
+ homepage = "https://redwax.eu";
+ license = licenses.asl20;
+ platforms = platforms.unix;
+ maintainers = with maintainers; [ dirkx ];
+ };
+}
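Review bot: `_X509_REQ_set1_signature` frees the old `algorithm`/`parameter` members and then shallow-copies `*palg` into `req->sig_alg`, so the ASN1_OBJECT and ASN1_TYPE owned by `palg` become reachable from `req` as well; under OpenSSL's naming a `set1` function copies or up-references, and a caller that relies on that and later frees `palg`'s members will double-free. Either document the transfer above the function, `/* Shallow copy: takes over palg->algorithm and palg->parameter; the caller must not free them afterwards (not a set1 in the OpenSSL sense). */`, or give it a `set0`-style name; the leading underscore plus capital letter is also a reserved identifier. The redefinition of `struct X509_req_st` (with `CRYPTO_REF_COUNT` as `_Atomic int` and the `OPENSSL_NO_SM2`-conditional member) only works while it matches the layout of the libcrypto actually linked, yet the upper bound of the guard is commented out, so the block is still compiled against newer 1.1.1 releases that the file's own comment says should not need it; restoring the `<= 0x01010104fL` bound, or at least a comment stating the layout must be re-checked on every openssl bump, would make that risk visible. The same file is added byte-for-byte under mod_scep (blob a2a9e0f7a18) and carries the same issues.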
diff --git a/pkgs/servers/http/apache-modules/mod_pkcs12/default.nix b/pkgs/servers/http/apache-modules/mod_pkcs12/default.nix new file mode 100644 index 00000000000..2bcf3b1d9c2 --- /dev/null +++ b/pkgs/servers/http/apache-modules/mod_pkcs12/default.nix @@ -0,0 +1,24 @@ +{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }: + +stdenv.mkDerivation rec { + pname = "mod_pkcs12"; + version = "0.2.1"; + + src = fetchurl { + url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz"; + sha256 = "0by4qfjs3a8q0amzwazfq8ii6ydv36v2mjga0jzc9i6xyl4rs6ai"; + }; + + nativeBuildInputs = [ pkgconfig ]; + buildInputs = [ mod_ca apr aprutil ]; + inherit (mod_ca) configureFlags installFlags; + + meta = with stdenv.lib; { + description = "RedWax CA service modules for PKCS#12 format files"; + + homepage = "https://redwax.eu"; + license = licenses.asl20; + platforms = platforms.unix; + maintainers = with maintainers; [ dirkx ]; + }; +} diff --git a/pkgs/servers/http/apache-modules/mod_scep/default.nix b/pkgs/servers/http/apache-modules/mod_scep/default.nix new file mode 100644 index 00000000000..98703659c35 --- /dev/null +++ b/pkgs/servers/http/apache-modules/mod_scep/default.nix 
@@ -0,0 +1,41 @@ +{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }: + +stdenv.mkDerivation rec { + pname = "mod_scep"; + version = "0.2.1"; + + src = fetchurl { + url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz"; + sha256 = "14l8v6y6kx5dg8avb5ny95qdcgrw40ss80nqrgmw615mk7zcj81f"; + }; + + nativeBuildInputs = [ pkgconfig ]; + buildInputs = [ mod_ca apr aprutil ]; + inherit (mod_ca) configureFlags installFlags; + + # After openssl-1.0.2t, starting in openssl-1.1.0l + # parts of the OpenSSL struct API was replaced by + # getters - but some setters where forgotten. + # + # It is expected that these are back/retrofitted in version + # openssl-1.1.1d -- but while fixing this it was found + # that there were quite a few other setters missing and + # that some of the memory management needed was at odds + # with the principles used sofar. + # + # See https://github.com/openssl/openssl/pull/10563 + # + # So as a stopgap - use a minimalist compat. layer + # https://source.redwax.eu/projects/RS/repos/mod_csr/browse/openssl_setter_compat.h + # + preBuild = "cp ${./openssl_setter_compat.h} openssl_setter_compat.h"; + + meta = with stdenv.lib; { + description = "RedWax CA service modules for SCEP (Automatic ceritifcate issue/renewal)"; + + homepage = "https://redwax.eu"; + license = licenses.asl20; + platforms = platforms.unix; + maintainers = with maintainers; [ dirkx ]; + }; +} diff --git a/pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h b/pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h new file mode 100644 index 00000000000..a2a9e0f7a18 --- /dev/null +++ b/pkgs/servers/http/apache-modules/mod_scep/openssl_setter_compat.h 
@@ -0,0 +1,66 @@
+/* Licensed to Stichting The Commons Conservancy (TCC) under one or more
+ * contributor license agreements. See the AUTHORS file distributed with
+ * this work for additional information regarding copyright ownership.
+ * TCC licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// These routines are copies from OpenSSL/1.1.1 its x509/x509_req.c
+// and the private header files for that. They are needed as
+// starting with OpenSSL 1.1.0 the X509_req structure became
+// private; and got some get0 functions to access its internals.
+// But no getter's until post 1.1.1 (PR#10563). So this is a
+// stopgap for these lacking releases.
+//
+// Testest against:
+// openssl-1.0.2t 0x01000214fL (does not need it, privates still accessile)
+// openssl-1.1.0l 0x0101000cfL (needs it)
+// openssl-1.1.1d 0x01010104fL (last version that needs it)
+// openssl-1.1.1-dev (should not need it - post PR#10563).
+//
+/* #if OPENSSL_VERSION_NUMBER >= 0x010100000L && OPENSSL_VERSION_NUMBER <= 0x01010104fL */
+#if OPENSSL_VERSION_NUMBER >= 0x010100000L
+#include "openssl/x509.h"
+
+#define HAS_OPENSSL_PR10563_WORK_AROUND
+
+struct X509_req_info_st {
+ ASN1_ENCODING enc;
+ ASN1_INTEGER *version;
+ X509_NAME *subject;
+ X509_PUBKEY *pubkey;
+ STACK_OF(X509_ATTRIBUTE) *attributes;
+};
+
+typedef _Atomic int CRYPTO_REF_COUNT;
+
+struct X509_req_st {
+ X509_REQ_INFO req_info;
+ X509_ALGOR sig_alg;
+ ASN1_BIT_STRING *signature; /* signature */
+ CRYPTO_REF_COUNT references;
+ CRYPTO_RWLOCK *lock;
+# ifndef OPENSSL_NO_SM2
+ ASN1_OCTET_STRING *sm2_id;
+# endif
+};
+
+
+static void _X509_REQ_set1_signature(X509_REQ *req, X509_ALGOR *palg)
+{
+ if (req->sig_alg.algorithm)
+ ASN1_OBJECT_free(req->sig_alg.algorithm);
+ if (req->sig_alg.parameter)
+ ASN1_TYPE_free(req->sig_alg.parameter);
+ req->sig_alg = *palg;
+}
+#endif
diff --git a/pkgs/servers/http/apache-modules/mod_spkac/default.nix b/pkgs/servers/http/apache-modules/mod_spkac/default.nix
new file mode 100644
index 00000000000..72e0d521e3b
--- /dev/null
+++ b/pkgs/servers/http/apache-modules/mod_spkac/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }:
+
+stdenv.mkDerivation rec {
+ pname = "mod_spkac";
+ version = "0.2.1";
+
+ src = fetchurl {
+ url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz";
+ sha256 = "0x6ia9qcr7lx2awpv9cr4ndic5f4g8yqzmp2hz66zpzkmk2b2pyz";
+ };
+
+ nativeBuildInputs = [ pkgconfig ];
+ buildInputs = [ mod_ca apr aprutil ];
+ inherit (mod_ca) configureFlags installFlags;
+
+ meta = with stdenv.lib; {
+ description = "RedWax CA service module for handling the Netscape keygen requests. ";
+
+ homepage = "https://redwax.eu";
+ license = licenses.asl20;
+ platforms = platforms.unix;
+ maintainers = with maintainers; [ dirkx ];
+ };
+}
diff --git a/pkgs/servers/http/apache-modules/mod_timestamp/default.nix b/pkgs/servers/http/apache-modules/mod_timestamp/default.nix new file mode 100644 index 00000000000..139da289078 --- /dev/null +++ b/pkgs/servers/http/apache-modules/mod_timestamp/default.nix @@ -0,0 +1,24 @@ +{ stdenv, fetchurl, pkgconfig, mod_ca, apr, aprutil }: + +stdenv.mkDerivation rec { + pname = "mod_timestamp"; + version = "0.2.1"; + + src = fetchurl { + url = "https://redwax.eu/dist/rs/${pname}-${version}.tar.gz"; + sha256 = "0j4b04dbdwn9aff3da9m0lnqi0qbw6c6hhi81skl15kyc3vzp67f"; + }; + + nativeBuildInputs = [ pkgconfig ]; + buildInputs = [ mod_ca apr aprutil ]; + inherit (mod_ca) configureFlags installFlags; + + meta = with stdenv.lib; { + description = "RedWax CA service module for issuing signed timestamps"; + + homepage = "https://redwax.eu"; + license = licenses.asl20; + platforms = platforms.unix; + maintainers = with maintainers; [ dirkx ]; + }; +} diff --git a/pkgs/servers/http/apache-modules/mod_wsgi/default.nix b/pkgs/servers/http/apache-modules/mod_wsgi/default.nix index 461ab1e297e..c0e4cefa40a 100644 --- a/pkgs/servers/http/apache-modules/mod_wsgi/default.nix +++ b/pkgs/servers/http/apache-modules/mod_wsgi/default.nix @@ -2,11 +2,11 @@ stdenv.mkDerivation rec { pname = "mod_wsgi"; - version = "4.6.8"; + version = "4.7.0"; src = fetchurl { url = "https://github.com/GrahamDumpleton/mod_wsgi/archive/${version}.tar.gz"; - sha256 = "0xym7i3iaxqi23dayacv2llhi0klxcb4ldll5cjxv6lg9v5r88x2"; + sha256 = "079f4py20jd6n3d7djak5l9j8p6hfq96lf577iir6qpfsk2p0k3n"; }; buildInputs = [ apacheHttpd python ncurses ]; diff --git a/pkgs/servers/http/jetty/default.nix b/pkgs/servers/http/jetty/default.nix index 8d2340647cb..4a3a3f2da01 100644 --- a/pkgs/servers/http/jetty/default.nix +++ b/pkgs/servers/http/jetty/default.nix 
@@ -2,11 +2,11 @@ stdenv.mkDerivation rec { pname = "jetty"; - version = "9.4.24.v20191120"; + version = "9.4.25.v20191220"; src = fetchurl { url = "https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/${version}/jetty-distribution-${version}.tar.gz"; name = "jetty-distribution-${version}.tar.gz"; - sha256 = "072vr8gfly2xdwxx1c771yymf145l8nv0j31liwqrih8zqvvhsd4"; + sha256 = "1jnx4hnvd2krsdisqwpws1qd1r0f8gm9a4sx4a8c7zqrmfd2zx1a"; }; phases = [ "unpackPhase" "installPhase" ]; diff --git a/pkgs/servers/http/lwan/default.nix b/pkgs/servers/http/lwan/default.nix index f692832e882..9cd9a6b7fec 100644 --- a/pkgs/servers/http/lwan/default.nix +++ b/pkgs/servers/http/lwan/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { pname = "lwan"; - version = "0.1"; + version = "0.2"; src = fetchFromGitHub { owner = "lpereira"; repo = pname; rev = "v${version}"; - sha256 = "1mckryzb06smky0bx2bkqwqzpnq4pb8vlgmmwsvqmwi4mmw9wmi1"; + sha256 = "1z1g6bmdsf7zj809sq6jqkpzkdnx1jch84kk67h0v2x6lxhdpv5r"; }; nativeBuildInputs = [ cmake pkgconfig ]; diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix index d210fcefc85..c3af0d55543 100644 --- a/pkgs/servers/http/unit/default.nix +++ b/pkgs/servers/http/unit/default.nix @@ -18,16 +18,21 @@ with stdenv.lib; stdenv.mkDerivation rec { - version = "1.13.0"; + version = "1.14.0"; pname = "unit"; src = fetchFromGitHub { owner = "nginx"; repo = "unit"; rev = version; - sha256 = "1b5il05isq5yvnx2qpnihsrmj0jliacvhrm58i87d48anwpv1k8q"; + sha256 = "01anczfcdwd22hb0y4zw647f86ivk5zq8lcd13xfxjvkmnsnbj9w"; }; + patches = [ + # https://github.com/nginx/unit/issues/357 + ./drop_cap.patch + ]; + nativeBuildInputs = [ which ]; buildInputs = [ ] diff --git a/pkgs/servers/http/unit/drop_cap.patch b/pkgs/servers/http/unit/drop_cap.patch new file mode 100644 index 00000000000..87caf77904e --- /dev/null +++ b/pkgs/servers/http/unit/drop_cap.patch 
@@ -0,0 +1,79 @@ +diff -r ed17ce89119f src/nxt_capability.c +--- a/src/nxt_capability.c Fri Dec 06 17:02:23 2019 +0000 ++++ b/src/nxt_capability.c Mon Dec 09 23:23:00 2019 +0000 +@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t * + return NXT_OK; + } + ++ ++nxt_int_t ++nxt_capability_drop_all(nxt_task_t *task) ++{ ++ struct __user_cap_header_struct hdr; ++ struct __user_cap_data_struct data[2]; ++ ++ hdr.version = nxt_capability_linux_get_version(); ++ hdr.pid = nxt_pid; ++ ++ nxt_memset(data, 0, sizeof(data)); ++ ++ if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) { ++ nxt_alert(task, "failed to drop capabilities %E", nxt_errno); ++ return NXT_ERROR; ++ } ++ ++ return NXT_OK; ++} ++ + #else + + static nxt_int_t +diff -r ed17ce89119f src/nxt_capability.h +--- a/src/nxt_capability.h Fri Dec 06 17:02:23 2019 +0000 ++++ b/src/nxt_capability.h Mon Dec 09 23:23:00 2019 +0000 +@@ -14,4 +14,6 @@ typedef struct { + NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task, + nxt_capabilities_t *cap); + ++NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task); ++ + #endif /* _NXT_CAPABILITY_INCLUDED_ */ +diff -r ed17ce89119f src/nxt_process.c +--- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000 ++++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000 +@@ -264,7 +264,7 @@ cleanup: + static void + nxt_process_start(nxt_task_t *task, nxt_process_t *process) + { +- nxt_int_t ret, cap_setid; ++ nxt_int_t ret, cap_setid, drop_caps; + nxt_port_t *port, *main_port; + nxt_thread_t *thread; + nxt_runtime_t *rt; +@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_ + + cap_setid = rt->capabilities.setid; + ++ drop_caps = cap_setid; ++ + #if (NXT_HAVE_CLONE_NEWUSER) +- if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) { ++ if (NXT_CLONE_USER(init->isolation.clone.flags)) { + cap_setid = 1; ++ drop_caps = 0; + } + #endif + +@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_ + if (nxt_slow_path(ret != NXT_OK)) { + goto fail; + } ++ ++#if 
(NXT_HAVE_LINUX_CAPABILITY) ++ if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) { ++ goto fail; ++ } ++#endif + } + + rt->type = init->type; \ No newline at end of file |
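Review bot: `nxt_capability_drop_all` clears the effective, permitted and inheritable sets through `capset()` with zeroed data but never touches the bounding set, and at the call site it runs only when `drop_caps` is set (`cap_setid` true and no user namespace cloned); a process that later execs a file carrying file capabilities can still gain them from the untouched bounding set, so if that is acceptable here it should be written down. A comment on the function such as `/* Drop every capability from the calling thread's effective, permitted and inheritable sets; the bounding set and securebits are left as they are. */` would fix that, and the call in `nxt_process_start` deserves a one-liner noting it must stay after the preceding `ret` check, which presumably performs the uid/gid switch that still needs CAP_SETUID/CAP_SETGID. The `#if` block in nxt_capability.c that the new function joins and the body of `nxt_process_start` both extend outside the hunk.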