Diffstat (limited to 'pkgs/servers/http')
-rw-r--r--pkgs/servers/http/apache-httpd/2.4.nix1
-rw-r--r--pkgs/servers/http/jetty/default.nix4
-rw-r--r--pkgs/servers/http/lwan/default.nix4
-rw-r--r--pkgs/servers/http/unit/default.nix9
-rw-r--r--pkgs/servers/http/unit/drop_cap.patch79
5 files changed, 91 insertions, 6 deletions
diff --git a/pkgs/servers/http/apache-httpd/2.4.nix b/pkgs/servers/http/apache-httpd/2.4.nix
index d5da6df8d68..252365098dd 100644
--- a/pkgs/servers/http/apache-httpd/2.4.nix
+++ b/pkgs/servers/http/apache-httpd/2.4.nix
@@ -39,6 +39,7 @@ stdenv.mkDerivation rec {
   prePatch = ''
     sed -i config.layout -e "s|installbuilddir:.*|installbuilddir: $dev/share/build|"
     sed -i support/apachectl.in -e 's|@LYNX_PATH@|${lynx}/bin/lynx|'
+    sed -i support/apachectl.in -e 's|$HTTPD -t|$HTTPD -t -f /etc/httpd/httpd.conf|'
   '';
 
   # Required for ‘pthread_cancel’.
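Review bot: The added `sed` hard-codes `/etc/httpd/httpd.conf` into the `$HTTPD -t` call, so `apachectl configtest` always validates that one file. If the service is started with a different `-f` path (not visible in this hunk), the syntax check passes or fails on a file the server is not using. The substitution also does nothing, without an error, if upstream ever rewords `$HTTPD -t` in `support/apachectl.in`. A comment above the line would record why the path is pinned, e.g. `# make 'apachectl configtest' check the system config rather than the compiled-in default path`.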
diff --git a/pkgs/servers/http/jetty/default.nix b/pkgs/servers/http/jetty/default.nix
index 8d2340647cb..4a3a3f2da01 100644
--- a/pkgs/servers/http/jetty/default.nix
+++ b/pkgs/servers/http/jetty/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "jetty";
-  version = "9.4.24.v20191120";
+  version = "9.4.25.v20191220";
   src = fetchurl {
     url = "https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/${version}/jetty-distribution-${version}.tar.gz";
     name = "jetty-distribution-${version}.tar.gz";
-    sha256 = "072vr8gfly2xdwxx1c771yymf145l8nv0j31liwqrih8zqvvhsd4";
+    sha256 = "1jnx4hnvd2krsdisqwpws1qd1r0f8gm9a4sx4a8c7zqrmfd2zx1a";
   };
 
   phases = [ "unpackPhase" "installPhase" ];
diff --git a/pkgs/servers/http/lwan/default.nix b/pkgs/servers/http/lwan/default.nix
index f692832e882..9cd9a6b7fec 100644
--- a/pkgs/servers/http/lwan/default.nix
+++ b/pkgs/servers/http/lwan/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "lwan";
-  version = "0.1";
+  version = "0.2";
 
   src = fetchFromGitHub {
     owner = "lpereira";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1mckryzb06smky0bx2bkqwqzpnq4pb8vlgmmwsvqmwi4mmw9wmi1";
+    sha256 = "1z1g6bmdsf7zj809sq6jqkpzkdnx1jch84kk67h0v2x6lxhdpv5r";
   };
 
   nativeBuildInputs = [ cmake pkgconfig ];
diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix
index d210fcefc85..c3af0d55543 100644
--- a/pkgs/servers/http/unit/default.nix
+++ b/pkgs/servers/http/unit/default.nix
@@ -18,16 +18,21 @@
 with stdenv.lib;
 
 stdenv.mkDerivation rec {
-  version = "1.13.0";
+  version = "1.14.0";
   pname = "unit";
 
   src = fetchFromGitHub {
     owner = "nginx";
     repo = "unit";
     rev = version;
-    sha256 = "1b5il05isq5yvnx2qpnihsrmj0jliacvhrm58i87d48anwpv1k8q";
+    sha256 = "01anczfcdwd22hb0y4zw647f86ivk5zq8lcd13xfxjvkmnsnbj9w";
   };
 
+  patches = [
+    # https://github.com/nginx/unit/issues/357
+    ./drop_cap.patch
+  ];
+
   nativeBuildInputs = [ which ];
 
   buildInputs = [ ]
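Review bot: The comment on `./drop_cap.patch` gives only an issue URL, although the patch changes how child processes shed privileges. It should say what the patch does and when it can go, e.g. `# drop all Linux capabilities after the credential change; remove once a release contains the fix for https://github.com/nginx/unit/issues/357`. Because the patch is carried as a local file, also naming the upstream changeset it was taken from would let a later reviewer check it against upstream.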
diff --git a/pkgs/servers/http/unit/drop_cap.patch b/pkgs/servers/http/unit/drop_cap.patch
new file mode 100644
index 00000000000..87caf77904e
--- /dev/null
+++ b/pkgs/servers/http/unit/drop_cap.patch
@@ -0,0 +1,79 @@
+diff -r ed17ce89119f src/nxt_capability.c
+--- a/src/nxt_capability.c      Fri Dec 06 17:02:23 2019 +0000
++++ b/src/nxt_capability.c      Mon Dec 09 23:23:00 2019 +0000
+@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t *
+     return NXT_OK;
+ }
+ 
++
++nxt_int_t
++nxt_capability_drop_all(nxt_task_t *task)
++{
++    struct __user_cap_header_struct hdr;
++    struct __user_cap_data_struct data[2];
++
++    hdr.version = nxt_capability_linux_get_version();
++    hdr.pid = nxt_pid;
++
++    nxt_memset(data, 0, sizeof(data));
++
++    if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) {
++        nxt_alert(task, "failed to drop capabilities %E", nxt_errno);
++        return NXT_ERROR;
++    }
++
++    return NXT_OK;
++}
++
+ #else
+ 
+ static nxt_int_t
+diff -r ed17ce89119f src/nxt_capability.h
+--- a/src/nxt_capability.h      Fri Dec 06 17:02:23 2019 +0000
++++ b/src/nxt_capability.h      Mon Dec 09 23:23:00 2019 +0000
+@@ -14,4 +14,6 @@ typedef struct {
+ NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task,
+     nxt_capabilities_t *cap);
+ 
++NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task);
++
+ #endif /* _NXT_CAPABILITY_INCLUDED_ */
+diff -r ed17ce89119f src/nxt_process.c
+--- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000
++++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000
+@@ -264,7 +264,7 @@ cleanup:
+ static void
+ nxt_process_start(nxt_task_t *task, nxt_process_t *process)
+ {
+-    nxt_int_t                    ret, cap_setid;
++    nxt_int_t                    ret, cap_setid, drop_caps;
+     nxt_port_t                   *port, *main_port;
+     nxt_thread_t                 *thread;
+     nxt_runtime_t                *rt;
+@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_
+ 
+     cap_setid = rt->capabilities.setid;
+ 
++    drop_caps = cap_setid;
++
+ #if (NXT_HAVE_CLONE_NEWUSER)
+-    if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) {
++    if (NXT_CLONE_USER(init->isolation.clone.flags)) {
+         cap_setid = 1;
++        drop_caps = 0;
+     }
+ #endif
+ 
+@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_
+         if (nxt_slow_path(ret != NXT_OK)) {
+             goto fail;
+         }
++
++#if (NXT_HAVE_LINUX_CAPABILITY)
++        if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) {
++            goto fail;
++        }
++#endif
+     }
+ 
+     rt->type = init->type;
\ No newline at end of file
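Review bot: In `nxt_capability_drop_all`, `hdr.pid = nxt_pid;` makes the drop depend on a cached global that is set outside this patch. capset(2) accepts 0 for the calling thread, so `hdr.pid = 0;` would remove the chance of the call failing on a stale pid after fork/clone. In the `nxt_process_start` hunk the `NXT_CLONE_USER` branch sets `drop_caps = 0` without explanation, so a process started in a new user namespace keeps whatever capabilities survive the credential change. If that is deliberate, a comment such as `/* capabilities are scoped to the new user namespace; do not drop them here */` should say so. The drop call also sits inside a block whose condition lies outside the hunk, so it cannot be judged from here whether a process without the setid capability can keep other capabilities.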