Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
V
varnish-cache
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Commits
Open sidebar
varnishcache
varnish-cache
Commits
53bd4aeb
Commit
53bd4aeb
authored
Feb 18, 2015
by
Poul-Henning Kamp
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Move creation of workdir into jail code, and use the master HIGH/LOW
around socket operations which may be on reserved ports.
parent
ab37c418
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
50 additions
and
5 deletions
+50
-5
mgt_child.c
bin/varnishd/mgt/mgt_child.c
+2
-0
mgt_cli.c
bin/varnishd/mgt/mgt_cli.c
+2
-0
mgt_jail_unix.c
bin/varnishd/mgt/mgt_jail_unix.c
+46
-5
No files found.
bin/varnishd/mgt/mgt_child.c
View file @
53bd4aeb
...
@@ -229,6 +229,7 @@ MGT_open_sockets(void)
...
@@ -229,6 +229,7 @@ MGT_open_sockets(void)
struct
listen_sock
*
ls
;
struct
listen_sock
*
ls
;
int
good
=
0
;
int
good
=
0
;
VJ_master
(
JAIL_MASTER_HIGH
);
VTAILQ_FOREACH
(
ls
,
&
heritage
.
socks
,
list
)
{
VTAILQ_FOREACH
(
ls
,
&
heritage
.
socks
,
list
)
{
if
(
ls
->
sock
>=
0
)
{
if
(
ls
->
sock
>=
0
)
{
good
++
;
good
++
;
...
@@ -242,6 +243,7 @@ MGT_open_sockets(void)
...
@@ -242,6 +243,7 @@ MGT_open_sockets(void)
good
++
;
good
++
;
}
}
VJ_master
(
JAIL_MASTER_LOW
);
if
(
!
good
)
if
(
!
good
)
return
(
1
);
return
(
1
);
return
(
0
);
return
(
0
);
...
...
bin/varnishd/mgt/mgt_cli.c
View file @
53bd4aeb
...
@@ -535,7 +535,9 @@ mgt_cli_telnet(const char *T_arg)
...
@@ -535,7 +535,9 @@ mgt_cli_telnet(const char *T_arg)
vsb
=
VSB_new_auto
();
vsb
=
VSB_new_auto
();
XXXAN
(
vsb
);
XXXAN
(
vsb
);
for
(
i
=
0
;
i
<
n
;
++
i
)
{
for
(
i
=
0
;
i
<
n
;
++
i
)
{
VJ_master
(
JAIL_MASTER_HIGH
);
sock
=
VSS_listen
(
ta
[
i
],
10
);
sock
=
VSS_listen
(
ta
[
i
],
10
);
VJ_master
(
JAIL_MASTER_LOW
);
if
(
sock
<
0
)
if
(
sock
<
0
)
continue
;
continue
;
VTCP_myname
(
sock
,
abuf
,
sizeof
abuf
,
pbuf
,
sizeof
pbuf
);
VTCP_myname
(
sock
,
abuf
,
sizeof
abuf
,
pbuf
,
sizeof
pbuf
);
...
...
bin/varnishd/mgt/mgt_jail_unix.c
View file @
53bd4aeb
...
@@ -31,11 +31,13 @@
...
@@ -31,11 +31,13 @@
#include "config.h"
#include "config.h"
#include <pwd.h>
#include <pwd.h>
#include <fcntl.h>
#include <grp.h>
#include <grp.h>
#include <string.h>
#include <string.h>
#include <stdio.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdlib.h>
#include <unistd.h>
#include <unistd.h>
#include <sys/stat.h>
#include "mgt/mgt.h"
#include "mgt/mgt.h"
...
@@ -100,6 +102,8 @@ vju_init(char **args)
...
@@ -100,6 +102,8 @@ vju_init(char **args)
return
(
1
);
return
(
1
);
if
(
vju_getuid
(
JAIL_USER
))
if
(
vju_getuid
(
JAIL_USER
))
return
(
1
);
return
(
1
);
AZ
(
setegid
(
vju_gid
));
AZ
(
seteuid
(
vju_uid
));
return
(
0
);
return
(
0
);
}
}
...
@@ -108,17 +112,15 @@ vju_init(char **args)
...
@@ -108,17 +112,15 @@ vju_init(char **args)
for
(;
*
args
!=
NULL
;
args
++
)
{
for
(;
*
args
!=
NULL
;
args
++
)
{
if
(
!
strncmp
(
*
args
,
"user="
,
5
))
{
if
(
!
strncmp
(
*
args
,
"user="
,
5
))
{
if
(
vju_getuid
((
*
args
)
+
5
))
{
if
(
vju_getuid
((
*
args
)
+
5
))
ARGV_ERR
(
"Unix jail: %s user not found.
\n
"
,
ARGV_ERR
(
"Unix jail: %s user not found.
\n
"
,
(
*
args
)
+
5
);
(
*
args
)
+
5
);
}
continue
;
continue
;
}
}
if
(
!
strncmp
(
*
args
,
"ccgroup="
,
8
))
{
if
(
!
strncmp
(
*
args
,
"ccgroup="
,
8
))
{
if
(
vju_getccgid
((
*
args
)
+
8
))
{
if
(
vju_getccgid
((
*
args
)
+
8
))
ARGV_ERR
(
"Unix jail: %s group not found.
\n
"
,
ARGV_ERR
(
"Unix jail: %s group not found.
\n
"
,
(
*
args
)
+
8
);
(
*
args
)
+
8
);
}
continue
;
continue
;
}
}
ARGV_ERR
(
"Unix jail: unknown sub-argument '%s'
\n
"
,
*
args
);
ARGV_ERR
(
"Unix jail: unknown sub-argument '%s'
\n
"
,
*
args
);
...
@@ -127,13 +129,19 @@ vju_init(char **args)
...
@@ -127,13 +129,19 @@ vju_init(char **args)
if
(
vju_user
==
NULL
&&
vju_getuid
(
JAIL_USER
))
if
(
vju_user
==
NULL
&&
vju_getuid
(
JAIL_USER
))
ARGV_ERR
(
"Unix jail: %s user not found.
\n
"
,
JAIL_USER
);
ARGV_ERR
(
"Unix jail: %s user not found.
\n
"
,
JAIL_USER
);
/* Do an explicit JAIL_MASTER_LOW */
AZ
(
setegid
(
vju_gid
));
AZ
(
seteuid
(
vju_uid
));
return
(
0
);
return
(
0
);
}
}
static
void
__match_proto__
(
jail_master_f
)
static
void
__match_proto__
(
jail_master_f
)
vju_master
(
enum
jail_master_e
jme
)
vju_master
(
enum
jail_master_e
jme
)
{
{
(
void
)
jme
;
if
(
jme
==
JAIL_MASTER_HIGH
)
AZ
(
seteuid
(
0
));
else
AZ
(
seteuid
(
vju_uid
));
}
}
static
void
__match_proto__
(
jail_subproc_f
)
static
void
__match_proto__
(
jail_subproc_f
)
...
@@ -142,6 +150,7 @@ vju_subproc(enum jail_subproc_e jse)
...
@@ -142,6 +150,7 @@ vju_subproc(enum jail_subproc_e jse)
int
i
;
int
i
;
gid_t
gid_list
[
NGID
];
gid_t
gid_list
[
NGID
];
AZ
(
seteuid
(
0
));
AZ
(
setgid
(
vju_gid
));
AZ
(
setgid
(
vju_gid
));
AZ
(
initgroups
(
vju_user
,
vju_gid
));
AZ
(
initgroups
(
vju_user
,
vju_gid
));
...
@@ -166,10 +175,42 @@ vju_subproc(enum jail_subproc_e jse)
...
@@ -166,10 +175,42 @@ vju_subproc(enum jail_subproc_e jse)
#endif
#endif
}
}
static
void
vju_make_workdir
(
const
char
*
dname
)
{
int
fd
;
AZ
(
seteuid
(
0
));
if
(
mkdir
(
dname
,
0755
)
<
0
&&
errno
!=
EEXIST
)
ARGV_ERR
(
"Cannot create working directory '%s': %s
\n
"
,
dname
,
strerror
(
errno
));
if
(
chown
(
dname
,
vju_uid
,
vju_gid
)
<
0
)
ARGV_ERR
(
"Cannot set owner/group on working directory '%s': %s
\n
"
,
dname
,
strerror
(
errno
));
if
(
chdir
(
dname
)
<
0
)
ARGV_ERR
(
"Cannot change to working directory '%s': %s
\n
"
,
dname
,
strerror
(
errno
));
AZ
(
seteuid
(
vju_uid
));
fd
=
open
(
"_.testfile"
,
O_RDWR
|
O_CREAT
|
O_EXCL
,
0600
);
if
(
fd
<
0
)
ARGV_ERR
(
"Error: Cannot create test-file in %s (%s)
\n
"
"Check permissions (or delete old directory)
\n
"
,
dname
,
strerror
(
errno
));
AZ
(
close
(
fd
));
AZ
(
unlink
(
"_.testfile"
));
}
const
struct
jail_tech
jail_tech_unix
=
{
const
struct
jail_tech
jail_tech_unix
=
{
.
magic
=
JAIL_TECH_MAGIC
,
.
magic
=
JAIL_TECH_MAGIC
,
.
name
=
"unix"
,
.
name
=
"unix"
,
.
init
=
vju_init
,
.
init
=
vju_init
,
.
master
=
vju_master
,
.
master
=
vju_master
,
.
make_workdir
=
vju_make_workdir
,
.
subproc
=
vju_subproc
,
.
subproc
=
vju_subproc
,
};
};
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment