30 Sep, 2011 1 commit
      Split solaris sandboxing out to a separate source file, and apply · f837fbca
      Poul-Henning Kamp authored
      patch received from Nils Goroll <nils.goroll@uplex.de>
      
      - [e0ee2a2e] adds the file_read
        privilege needed for onnv_140 and newer (see #912), but we also need
        the file_write privilege for stevedore access.
      
      - If available, keep sys_resource in the permitted/limited set to
        allow cache_waiter_ports to raise the process.max-port-events
        resource control (feature to be added later).
      
      - When starting varnish with euid 0 on Solaris, privilege separation
        prohibited preserving additional privileges (in excess of the basic
        set) in the child, because, for a non privilege aware process,
        setuid() resets the effective, inheritable and permitted sets to the
        basic set.
      
        To achieve interoperability between solaris privileges and
        setuid()/setgid(), we now make the varnish child privilege aware
        before calling setuid() by trying to add all privileges we will need
        plus proc_setid.
      
      - On solaris, check for proc_setid rather than checking the euid as a
        prerequisite for changing the uid/gid and only change the uid/gid if
        we need to (for a privilege aware process, [ers]uid 0 lose their
        magic powers).
      
        Note that setuid() will always set SNOCD on Solaris, which will
        prevent core dumps from being written, unless setuid core dumps are
        explicitly enabled using coreadm(1M).
      
        To avoid setuid() (and the SNOCD flag, consequently), start varnish
        as the user you intend to run the child as, but with additional
        privileges, e.g. using
      
        ppriv -e -s A=basic,net_privaddr,sys_resource varnishd ...
      
      - setppriv(PRIV_SET, ...) failed when the privileges to be applied
        were not available in the permitted set.
      
        We change the logic to only clear the privileges which are not
        needed by inverting the sets and removing all unneeded privileges
        using setppriv(PRIV_OFF, ...).
      
        So the child might end up with less privileges than given initially,
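The privilege-set logic the commit message describes, as an added illustration that is not Varnish's own code: a small C model in which a bitmask stands in for Solaris' priv_set_t (the privilege names and the "basic" set are assumptions made for the model, not values from priv_names.h). It shows why setppriv(PRIV_SET, ...) fails when a needed privilege is absent from the permitted set, how inverting the needed set and using PRIV_OFF always succeeds while possibly leaving the child with less than it asked for, and why a child that is not privilege aware loses its extra privileges at setuid() unless it is made privilege aware first.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of Solaris privilege handling (assumption: a bitmask
 * stands in for priv_set_t; names and the basic set are made up). Two rules
 * from the commit are reproduced:
 *   1. setppriv() never lets E or I exceed P and never lets P grow, so
 *      PRIV_SET with a set that is not a subset of P fails with EPERM;
 *   2. setuid() collapses E, P and I to the basic set unless the process is
 *      privilege aware, which an earlier setppriv() call makes it.
 */
enum {
    P_FILE_READ    = 1u << 0,
    P_FILE_WRITE   = 1u << 1,
    P_NET_PRIVADDR = 1u << 2,
    P_SYS_RESOURCE = 1u << 3,
    P_PROC_SETID   = 1u << 4,
    P_PROC_FORK    = 1u << 5,
    P_PROC_EXEC    = 1u << 6,
    P_SYS_ADMIN    = 1u << 7,
};
#define P_ALL    0xffu
#define P_BASIC  (P_FILE_READ | P_FILE_WRITE | P_PROC_FORK | P_PROC_EXEC)
/* What the varnish child needs according to the commit message. */
#define P_NEEDED (P_FILE_READ | P_FILE_WRITE | P_NET_PRIVADDR | P_SYS_RESOURCE)

typedef struct {
    uint32_t effective, permitted, inheritable, limit;
    bool priv_aware;
} privs_t;

enum priv_op    { OP_SET, OP_ON, OP_OFF };
enum priv_which { WHICH_EFFECTIVE, WHICH_PERMITTED, WHICH_INHERITABLE };

/* Model of setppriv(): returns -1 with EPERM when the result would exceed P. */
static int model_setppriv(privs_t *pr, enum priv_op op, enum priv_which which, uint32_t set)
{
    uint32_t *target = which == WHICH_EFFECTIVE ? &pr->effective
                     : which == WHICH_PERMITTED ? &pr->permitted
                     :                            &pr->inheritable;
    uint32_t result = op == OP_SET ? set
                    : op == OP_ON  ? (*target | set)
                    :                (*target & ~set);
    if (result & ~pr->permitted) {
        errno = EPERM;
        return -1;
    }
    *target = result;
    if (which == WHICH_PERMITTED) {     /* E and I can never exceed P */
        pr->effective   &= result;
        pr->inheritable &= result;
    }
    pr->priv_aware = true;              /* any setppriv() makes the process privilege aware */
    return 0;
}

/* Model of setuid(): needs proc_setid; a non-privilege-aware process drops to basic. */
static int model_setuid(privs_t *pr)
{
    if (!(pr->effective & P_PROC_SETID)) {
        errno = EPERM;
        return -1;
    }
    if (!pr->priv_aware)
        pr->effective = pr->permitted = pr->inheritable = P_BASIC & pr->limit;
    return 0;
}

/* Old logic: PRIV_SET with the needed set; fails if any needed privilege is not in P. */
static int drop_privs_old(privs_t *pr)
{
    return model_setppriv(pr, OP_SET, WHICH_EFFECTIVE, P_NEEDED);
}

/* New logic: invert the needed set (priv_inverse) and PRIV_OFF it from E, I and P.
 * Cannot fail; the child keeps P_NEEDED & P, which may be less than requested. */
static int drop_privs_new(privs_t *pr)
{
    uint32_t off = ~P_NEEDED & P_ALL;
    if (model_setppriv(pr, OP_OFF, WHICH_EFFECTIVE, off) != 0)   return -1;
    if (model_setppriv(pr, OP_OFF, WHICH_INHERITABLE, off) != 0) return -1;
    return model_setppriv(pr, OP_OFF, WHICH_PERMITTED, off);
}

/* Child started with euid 0 (all sets full). Optionally become privilege aware by
 * adding the needed privileges plus proc_setid, then setuid() and drop the rest.
 * Returns the resulting effective set, or 0 on failure. */
static uint32_t child_effective_after_setuid(bool become_aware_first)
{
    privs_t pr = { P_ALL, P_ALL, P_ALL, P_ALL, false };
    if (become_aware_first &&
        model_setppriv(&pr, OP_ON, WHICH_EFFECTIVE, P_NEEDED | P_PROC_SETID) != 0)
        return 0;
    if (model_setuid(&pr) != 0 || drop_privs_new(&pr) != 0)
        return 0;
    return pr.effective;
}

int main(void)
{
    /* Constructed host whose permitted set lacks sys_resource. */
    uint32_t have = P_BASIC | P_NET_PRIVADDR;
    privs_t a = { have, have, have, P_ALL, false }, b = a;
    printf("old PRIV_SET: %d (errno %d)\n", drop_privs_old(&a), errno);
    printf("new PRIV_OFF: %d, effective 0x%02x\n", drop_privs_new(&b), b.effective);
    printf("setuid() while not aware: effective 0x%02x\n", child_effective_after_setuid(false));
    printf("aware, then setuid():     effective 0x%02x\n", child_effective_after_setuid(true));
    return 0;
}
```

In the model, as in the commit, the new path never refuses to start: on a host without sys_resource the child simply runs with file_read, file_write and net_privaddr, and the privilege-aware ordering is what keeps those through setuid().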