Solaris sandbox changes.

Submitted by: Nils Goroll

Solaris sandbox changes.
Submitted by: Nils Goroll
1a80a019 · Poul-Henning Kamp · 3b73cf0e · 1a80a019 · 1a80a019 · 1a80a019
Commit 1a80a019 authored Oct 12, 2011 by Poul-Henning Kamp
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 3 deletions

mgt.h bin/varnishd/mgt.h +1 -0

mgt_sandbox.c bin/varnishd/mgt_sandbox.c +3 -3

mgt_sandbox_solaris.c bin/varnishd/mgt_sandbox_solaris.c +15 -0

No files found.
--- a/bin/varnishd/mgt.h
+++ b/bin/varnishd/mgt.h
@@ -70,6 +70,7 @@ void mgt_sandbox(void);
 #ifdef HAVE_SETPPRIV
 void mgt_sandbox_solaris_init(void);
 void mgt_sandbox_solaris_fini(void);
+void mgt_sandbox_solaris_privsep(void);
 #endif

 /* mgt_shmem.c */

--- a/bin/varnishd/mgt_sandbox.c
+++ b/bin/varnishd/mgt_sandbox.c
@@ -63,17 +63,17 @@
 void
 mgt_sandbox(void)
 {
-
 #ifdef HAVE_SETPPRIV
 	mgt_sandbox_solaris_init();
-#endif
-
+	mgt_sandbox_solaris_privsep();
+#else
 	if (geteuid() == 0) {
 		XXXAZ(setgid(params->gid));
 		XXXAZ(setuid(params->uid));
 	} else {
 		REPORT0(LOG_INFO, "Not running as root, no priv-sep");
 	}
+#endif

 	/* On Linux >= 2.4, you need to set the dumpable flag
 	   to get core dumps after you have done a setuid. */

--- a/bin/varnishd/mgt_sandbox_solaris.c
+++ b/bin/varnishd/mgt_sandbox_solaris.c
@@ -40,6 +40,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <syslog.h>
+#include <unistd.h>

 #include "mgt.h"

@@ -153,6 +154,20 @@ mgt_sandbox_solaris_init(void)
 	priv_freeset(priv_all);
 }

+void
+mgt_sandbox_solaris_privsep(void)
+{
+	if (priv_ineffect(PRIV_PROC_SETID)) {
+                if (getgid() != params->gid)
+                        XXXAZ(setgid(params->gid));
+                if (getuid() != params->uid)
+                        XXXAZ(setuid(params->uid));
+        } else {
+                REPORT(LOG_INFO, "Privilege %s missing, will not change uid/gid",
+		    PRIV_PROC_SETID);
+        }
+}
+
 /* 
 * Waive most privileges in the child
 *