graphene-os-server-infrastructure

Git-Mirrors/graphene-os-server-infrastructure

mirror of https://github.com/GrapheneOS/infrastructure.git synced 2024-07-06 19:12:47 +00:00

History

Daniel Micay 8ac489c9aa allow nginx master process to use CAP_CHOWN This is required for it to create the /var directories it uses when the master process is running as root. It would be possible to run the nginx master process as non-root but it doesn't drop ambient capabilities when it spawns the workers so running the master process as non-root will end up giving the workers higher privileges due to them ending up getting the CAP_NET_BIND_SERVICE capability passed through.	2023-07-06 05:30:35 -04:00
..
local.conf	allow nginx master process to use CAP_CHOWN	2023-07-06 05:30:35 -04:00

Daniel Micay 8ac489c9aa allow nginx master process to use CAP_CHOWN

This is required for it to create the /var directories it uses when the
master process is running as root. It would be possible to run the nginx
master process as non-root but it doesn't drop ambient capabilities when
it spawns the workers so running the master process as non-root will end
up giving the workers higher privileges due to them ending up getting
the CAP_NET_BIND_SERVICE capability passed through.

2023-07-06 05:30:35 -04:00

local.conf

allow nginx master process to use CAP_CHOWN

2023-07-06 05:30:35 -04:00