Fixed capabilities version.

Previously, capset(2) was called with the 64-bit capabilities version
_LINUX_CAPABILITY_VERSION_3.  With this version Linux kernel expected two
copies of struct __user_cap_data_struct, while only one was submitted.  As a
result, random stack memory was accessed and random capabilities were requested
by the worker.  This sometimes caused capset() errors.  Now the 32-bit version
_LINUX_CAPABILITY_VERSION_1 is used instead.  This is OK since CAP_NET_RAW is
a 32-bit capability (CAP_NET_RAW = 13).

1 files changed, 1 insertions, 1 deletions

diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
index 9b0e0421e..5817a2c23 100644
--- a/src/os/unix/ngx_process_cycle.c
+++ b/src/os/unix/ngx_process_cycle.c
@@ -865,7 +865,7 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
             ngx_memzero(&header, sizeof(struct __user_cap_header_struct));
             ngx_memzero(&data, sizeof(struct __user_cap_data_struct));
 
-            header.version = _LINUX_CAPABILITY_VERSION_3;
+            header.version = _LINUX_CAPABILITY_VERSION_1;
             data.effective = CAP_TO_MASK(CAP_NET_RAW);
             data.permitted = data.effective;