snap-keystone/patches/drop-nginx-setgroups.patch

Description: Drop code where nginx drops privileges for worker
  processes. While setuid is covered by the browser-support plug,
  setgroups isn't covered by any plugs. This code isn't required
  because in strict mode we run worker processes as root:root.
  The seccomp violation follows:
  = Seccomp =
  Time: Jun 16 01:13:15
  Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=6087 comm="nginx"
       exe="/snap/keystone/x1/usr/sbin/nginx" sig=31 arch=c000003e
       116(setgroups) compat=0 ip=0x7f40e288af09 code=0x0
  Syscall: setgroups
  Suggestion:
  * adjust program to not use 'setgroups' until per-snap user/groups
    are supported (https://launchpad.net/bugs/1446748)
Author: Corey Bryant <corey.bryant@canonical.com>
Forwarded: no

---
 src/os/unix/ngx_process_cycle.c | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
index 1710ea8..c428673 100644
--- a/src/os/unix/ngx_process_cycle.c
+++ b/src/os/unix/ngx_process_cycle.c
@@ -824,28 +824,6 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
         }
     }
 
-    if (geteuid() == 0) {
-        if (setgid(ccf->group) == -1) {
-            ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-                          "setgid(%d) failed", ccf->group);
-            /* fatal */
-            exit(2);
-        }
-
-        if (initgroups(ccf->username, ccf->group) == -1) {
-            ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-                          "initgroups(%s, %d) failed",
-                          ccf->username, ccf->group);
-        }
-
-        if (setuid(ccf->user) == -1) {
-            ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
-                          "setuid(%d) failed", ccf->user);
-            /* fatal */
-            exit(2);
-        }
-    }
-
     if (worker >= 0) {
         cpu_affinity = ngx_get_cpu_affinity(worker);
 
-- 
2.7.4