Polish "Security first" rst

01908a71 · Nils Goroll · 051aa94f · 01908a71
Unverified Commit 01908a71 authored Oct 13, 2023 by Nils Goroll
Hide whitespace changes
Inline Side-by-side

Showing with 63 additions and 60 deletions

run_security.rst doc/sphinx/users-guide/run_security.rst +63 -60

No files found.
--- a/doc/sphinx/users-guide/run_security.rst
+++ b/doc/sphinx/users-guide/run_security.rst
@@ -52,52 +52,52 @@ CLI interface access
 The command line interface can be accessed in three ways.
-`varnishd` can be told to listen and offer CLI connections
+:ref:`varnishd(1)` can be told to listen and offer CLI connections on
-on a TCP socket. You can bind the socket to pretty
+a TCP socket. You can bind the socket to pretty much anything the
-much anything the kernel will accept::
+kernel will accept::
 	-T 127.0.0.1:631
 	-T localhost:9999
 	-T 192.168.1.1:34
 	-T '[fe80::1]:8082'
-The default is ``-T localhost:0`` which will pick a random
+The default is ``-T localhost:0`` which will pick a random port
-port number, which `varnishadm(8)` can learn from the shared
+number, which :ref:`varnishadm(1)` can learn from the shared memory.
-memory.
-By using a "localhost" address, you restrict CLI access
+By using a ``localhost`` address, you restrict CLI access to the local
-to the local machine.
+machine.
 You can also bind the CLI port to an IP address reachable across
 the net, and let other machines connect directly.
-This gives you no secrecy, i.e. the CLI commands will
+This gives you no secrecy, i.e. the CLI commands will go across the
-go across the network as ASCII text with no encryption, but
+network as ASCII text with no encryption, but the ``-S`` / pre shared
-the -S/PSK authentication requires the remote end to know
+key (`PSK`_) authentication requires the remote end to know the shared
-the shared secret.
+secret.
-Alternatively you can bind the CLI port to a 'localhost' address,
+Alternatively you can bind the CLI port to a ``localhost`` address,
 and give remote users access via a secure connection to the local
 machine, using ssh/VPN or similar.
-If you use `ssh` you can restrict which commands each user can execute
+If you use `ssh(1)` you can restrict which commands each user can
-to just `varnishadm`, or even use a wrapper scripts around `varnishadm`
+execute to just :ref:`varnishadm(1)`, or even use a wrapper scripts
-to allow specific CLI commands.
+around :ref:`varnishadm(1)` to allow specific CLI commands.
-It is also possible to configure `varnishd` for "reverse mode", using
+It is also possible to configure :ref:`varnishd(1)` for "reverse
-the '-M' argument.  In that case `varnishd` will attempt to open a
+mode", using the ``-M`` argument.  In that case :ref:`varnishd(1)`
-TCP connection to the specified address, and initiate a CLI connection
+will attempt to open a TCP connection to the specified address, and
-to your central Varnish management facility.
+initiate a CLI connection to your central Varnish management facility.
 .. XXX:Maybe a sample command here with a brief explanation? benc
 The connection in this case is also without encryption, but
-the remote end must still authenticate using -S/PSK.
+the remote end must still authenticate using ``-S``\ /`PSK`_.
-Finally, if you run varnishd with the '-d' option, you get a CLI
+Finally, if you run varnishd with the ``-d`` option, you get a CLI
-command on stdin/stdout, but since you started the process, it
+command on stdin/stdout, but since you started the process, it would
-would be hard to prevent you getting CLI access, wouldn't it ?
+be hard to prevent you getting CLI access, wouldn't it ?
+.. _PSK:
 CLI interface authentication
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -106,37 +106,38 @@ By default the CLI interface is protected with a simple, yet powerful
 "Pre Shared Key" authentication method, which do not provide secrecy
 (ie: The CLI commands and responses are not encrypted).
-The way -S/PSK works is really simple:  During startup a file is
+The way ``-S``\ /PSK works is really simple: During startup a file is
-created with a random content and the file is only accessible to
+created with a random content and the file is only accessible to the
-the user who started `varnishd` (or the superuser).
+user who started :ref:`varnishd(1)` (or the superuser).
 To authenticate and use a CLI connection, you need to know the
-contents of that file, in order to answer the cryptographic
+contents of that file, in order to answer the cryptographic challenge
-challenge `varnishd` issues, see :ref:`ref_psk_auth`.
+:ref:`varnishd(1)` issues, see :ref:`ref_psk_auth`.
-`varnishadm` uses all of this to restrict access, it will only function,
+:ref:`varnishadm(1)` uses all of this to restrict access, it will only
-provided it can read the secret file.
+function, provided it can read the secret file.
-If you want to allow other users, local or remote, to be able to access
+If you want to allow other users, local or remote, to be able to
-CLI connections, you must create your own secret file and make it possible
+access CLI connections, you must create your own secret file and make
-for (only!) these users to read it.
+it possible for (only!) these users to read it.
 A good way to create the secret file is::
 	dd if=/dev/random of=/etc/varnish_secret count=1
-When you start `varnishd`, you specify the filename with '-S', and
+When you start :ref:`varnishd(1)`, you specify the filename with '-S',
-it goes without saying that the `varnishd` master process needs
+and it goes without saying that the :ref:`varnishd(1)` master process
-to be able to read the file too.
+needs to be able to read the file too.
-You can change the contents of the secret file while `varnishd`
+You can change the contents of the secret file while
-runs, it is read every time a CLI connection is authenticated.
+:ref:`varnishd(1)` runs, it is read every time a CLI connection is
+authenticated.
-On the local system, `varnishadm` can retrieve the filename from
+On the local system, :ref:`varnishadm(1)` can retrieve the filename
-shared memory, but on remote systems, you need to give `varnishadm`
+from shared memory, but on remote systems, you need to give
-a copy of the secret file, with the -S argument.
+:ref:`varnishadm(1)` a copy of the secret file, with the -S argument.
-If you want to disable -S/PSK authentication, use an ``-S none``
+If you want to disable ``-S``\ /PSK authentication, use an ``-S none``
 argument to varnishd::
 	varnishd [...] -S none [...]
@@ -155,7 +156,8 @@ HTTP service, but a few can do more damage than others:
 	Execute arbitrary programs
 :ref:`ref_param_vcc_allow_inline_c`
-        Allow inline C in VCL, which would allow any C code from VCL to be executed by Varnish.
+	Allow inline C in VCL, which would allow any C code from VCL
+	to be executed by Varnish.
 Furthermore you may want to look at and lock down:
@@ -163,12 +165,13 @@ Furthermore you may want to look at and lock down:
 	Log all CLI commands to `syslog(8)`, so you know what goes on.
 :ref:`ref_param_vcc_unsafe_path`
-	Restrict VCL/VMODs to :ref:`ref_param_vcl_path` and :ref:`ref_param_vmod_path`
+	Restrict VCL/VMODs to :ref:`ref_param_vcl_path` and
+	:ref:`ref_param_vmod_path`
 :ref:`ref_param_vmod_path`
-        The directory (or colon separated list of directories) where
+	The directory (or colon separated list of directories) where
-        Varnish will look for modules. This could potentially be
+	Varnish will look for modules. This could potentially be
-        used to load rogue modules into Varnish.
+	used to load rogue modules into Varnish.
 The CLI interface
 -----------------
@@ -181,12 +184,11 @@ As described above, some of the damage can be limited by restricting
 certain parameters, but that will only protect the local filesystem,
 and operating system, it will not protect your HTTP service.
-We do not currently have a way to restrict specific CLI commands
+We do not currently have a way to restrict specific CLI commands to
-to specific CLI connections. One way to get such an effect is to
+specific CLI connections. One way to get such an effect is to "wrap"
-"wrap" all CLI access in pre-approved scripts which use `varnishadm(1)`
+all CLI access in pre-approved scripts which use :ref:`varnishadm(1)`
+to submit the sanitized CLI commands, and restrict a remote user to
-to submit the sanitized CLI commands, and restrict a remote user
+only those scripts, for instance using sshd(8)'s configuration.
-to only those scripts, for instance using sshd(8)'s configuration.
 VCL programs
 ------------
@@ -198,11 +200,13 @@ Both of these mechanisms allow execution of arbitrary code and will
 thus allow a person to get access to the machine, with the
 privileges of the child process.
-If `varnishd` is started as root/superuser, we sandbox the child
+If :ref:`varnishd(1)` is started as root/superuser, we sandbox the
-process, using whatever facilities are available on the operating
+child process, using whatever facilities are available on the
-system, but if `varnishd` is not started as root/superuser, this is
+operating system, but if :ref:`varnishd(1)` is not started as
-not possible. No, don't ask me why you have to be superuser to
+root/superuser, this is not possible. No, don't ask me why you have to
-lower the privilege of a child process...
+be superuser to lower the privilege of a child process...
+.. XXX the above is not correct for the solaris jail
 Inline-C is disabled by default since Varnish version 4, so unless
 you enable it, you don't have to worry about it.
@@ -229,4 +233,3 @@ to various kinds of attacks and subversive activities.
 If you have "administrative" HTTP requests, for instance PURGE
 requests, we strongly recommend that you restrict them to trusted
 IP numbers/nets using VCL's :ref:`vcl_syntax_acl`.