Commit 10920122 authored Jun 02, 2020 by Nils Goroll
Solaris jail: Allow to pass a privilege specification for the worker
parent 72a92760

Showing 2 changed files with 32 additions and 7 deletions:
bin/varnishd/mgt/mgt_jail_solaris.c (+18 -3)
doc/sphinx/reference/varnishd.rst (+14 -4)
bin/varnishd/mgt/mgt_jail_solaris.c
...
...
@@ -323,12 +323,24 @@ vjs_alloc(void)
static
int
v_matchproto_
(
jail_init_f
)
vjs_init
(
char
**
args
)
{
priv_set_t
**
sets
,
*
permitted
,
*
inheritable
;
priv_set_t
**
sets
,
*
permitted
,
*
inheritable
,
*
user
=
NULL
;
const
char
*
e
;
int
vj
,
vs
;
if
(
args
!=
NULL
&&
*
args
!=
NULL
)
{
ARGV_ERR
(
"-jsolaris takes no arguments.
\n
"
);
return
(
0
);
for
(;
*
args
!=
NULL
;
args
++
)
{
if
(
!
strncmp
(
*
args
,
"worker="
,
7
))
{
user
=
priv_str_to_set
((
*
args
)
+
7
,
","
,
&
e
);
if
(
user
==
NULL
)
ARGV_ERR
(
"-jsolaris: parsing worker= "
"argument failed near %s.
\n
"
,
e
);
continue
;
}
ARGV_ERR
(
"-jsolrais: unknown sub-argument '%s'
\n
"
,
*
args
);
}
}
permitted
=
vjs_alloc
();
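Review bot: The error string for an unknown sub-argument at the end of the loop reads "-jsolrais", a typo for "-jsolaris"; it should match the prefix used in the worker= parse error just above so operators see one consistent option name. In the same loop, a second worker= sub-argument overwrites `user` with a new priv_str_to_set() result, so the earlier set is dropped without priv_freeset() and silently ignored; either reject a repeated worker= or merge it into the existing set. Because this string widens the privileges of the worker process, a comment stating that the value is taken verbatim from the command line would also help.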
...
...
@@ -372,6 +384,9 @@ vjs_init(char **args)
#define PRIV(name, mask, priv) vjs_add(vjs_sets[JAIL_ ## name], mask, priv);
#include "mgt_jail_solaris_tbl.h"
if
(
user
!=
NULL
)
priv_union
(
user
,
vjs_sets
[
JAIL_SUBPROC_WORKER
][
VJS_EFFECTIVE
]);
/* mask by available privs */
for
(
vj
=
0
;
vj
<
JAIL_LIMIT
;
vj
++
)
{
sets
=
vjs_sets
[
vj
];
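Review bot: The set allocated by priv_str_to_set() is merged with priv_union(user, vjs_sets[JAIL_SUBPROC_WORKER][VJS_EFFECTIVE]) but nothing in the visible lines releases it afterwards; add priv_freeset(user) once the union is done. The new block also lacks a comment: please note that only the worker's effective set is extended here and say whether the "mask by available privs" loop that follows is meant to constrain the user-supplied privileges as well, since that decides what a worker= value can actually grant.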
...
...
doc/sphinx/reference/varnishd.rst
...
...
@@ -392,11 +392,21 @@ Varnish jails are a generalization over various platform specific
methods to reduce the privileges of varnish processes. They may have
specific options. Available jails are:
-j
solaris
-j
<solaris[,worker=`privspec`]>
Reduce privileges(5) for `varnishd` and sub-process to the minimally
required set. Only available on platforms which have the setppriv(2)
call.
Reduce `privileges(5)` for `varnishd` and sub-process to the
minimally required set. Only available on platforms which have the
`setppriv(2)` call.
The optional `worker` argument can be used to pass a
privilege-specification (see `ppriv(1)`) by which to extend the
effective set of the varnish worker process. While extended
privileges may be required by custom vmods, it is always the more
secure to *not* use the `worker` option.
Example to grant basic privileges to the worker process::
-j solaris,worker=basic
-j <unix[,user=`user`][,ccgroup=`group`][,workuser=`user`]>
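Review bot: The new `worker` paragraph does not say how to write a privilege specification that names more than one privilege, and this matters because the synopsis uses a comma to separate -j sub-arguments while the code passes "," as the separator to priv_str_to_set(). Please document the supported form, or state that only a single set name such as `basic` can be given. The text should also mention that an unparsable specification is reported as an argument error, and "it is always the more secure" reads better as "it is always more secure".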
...
...