81868df7
Commit
81868df7
authored
Apr 15, 2015
by
Poul-Henning Kamp
Adopt Dridi's suggestion to call the worker process uid "vcache".
Also look for it automatically.
parent
a693b444
Changes
3
Showing
3 changed files
with
50 additions
and
38 deletions
+50
-38
mgt_jail_unix.c
bin/varnishd/mgt/mgt_jail_unix.c
+46
-34
j00001.vtc
bin/varnishtest/tests/j00001.vtc
+2
-2
vtc.c
bin/varnishtest/vtc.c
+2
-2
bin/varnishd/mgt/mgt_jail_unix.c
...
@@ -59,8 +59,12 @@ static const char *vju_wrkuser;
...
@@ -59,8 +59,12 @@ static const char *vju_wrkuser;
static
gid_t
vju_cc_gid
;
static
gid_t
vju_cc_gid
;
static
int
vju_cc_gid_set
;
static
int
vju_cc_gid_set
;
#ifndef JAIL_USER
#ifndef VARNISH_USER
#define JAIL_USER "varnish"
#define VARNISH_USER "varnish"
#endif
#ifndef VCACHE_USER
#define VCACHE_USER "vcache"
#endif
#endif
#ifndef NGID
#ifndef NGID
...
@@ -123,46 +127,54 @@ vju_init(char **args)
...
@@ -123,46 +127,54 @@ vju_init(char **args)
/* Autoconfig */
/* Autoconfig */
if
(
geteuid
()
!=
0
)
if
(
geteuid
()
!=
0
)
return
(
1
);
return
(
1
);
if
(
vju_getuid
(
JAIL
_USER
))
if
(
vju_getuid
(
VARNISH
_USER
))
return
(
1
);
return
(
1
);
AZ
(
setegid
(
vju_gid
));
}
else
{
AZ
(
seteuid
(
vju_uid
));
return
(
0
);
if
(
geteuid
()
!=
0
)
ARGV_ERR
(
"Unix Jail: Must be root.
\n
"
);
for
(;
*
args
!=
NULL
;
args
++
)
{
if
(
!
strncmp
(
*
args
,
"user="
,
5
))
{
if
(
vju_getuid
((
*
args
)
+
5
))
ARGV_ERR
(
"Unix jail: %s user not found.
\n
"
,
(
*
args
)
+
5
);
continue
;
}
if
(
!
strncmp
(
*
args
,
"workuser="
,
9
))
{
if
(
vju_getwrkuid
((
*
args
)
+
9
))
ARGV_ERR
(
"Unix jail: %s user not found.
\n
"
,
(
*
args
)
+
9
);
continue
;
}
if
(
!
strncmp
(
*
args
,
"ccgroup="
,
8
))
{
if
(
vju_getccgid
((
*
args
)
+
8
))
ARGV_ERR
(
"Unix jail: %s group not found.
\n
"
,
(
*
args
)
+
8
);
continue
;
}
ARGV_ERR
(
"Unix jail: unknown sub-argument '%s'
\n
"
,
*
args
);
}
if
(
vju_user
==
NULL
&&
vju_getuid
(
VARNISH_USER
))
ARGV_ERR
(
"Unix jail: %s user not found.
\n
"
,
VARNISH_USER
);
}
}
if
(
geteuid
()
!=
0
)
AN
(
vju_user
);
ARGV_ERR
(
"Unix Jail: Must be root.
\n
"
);
vju_mgr_gid
=
getgid
();
vju_mgr_gid
=
getgid
();
for
(;
*
args
!=
NULL
;
args
++
)
{
if
(
vju_wrkuser
==
NULL
)
if
(
!
strncmp
(
*
args
,
"user="
,
5
))
{
(
void
)
vju_getwrkuid
(
VCACHE_USER
);
if
(
vju_getuid
((
*
args
)
+
5
))
ARGV_ERR
(
"Unix jail: %s user not found.
\n
"
,
(
*
args
)
+
5
);
continue
;
}
if
(
!
strncmp
(
*
args
,
"workuser="
,
9
))
{
if
(
vju_getwrkuid
((
*
args
)
+
9
))
ARGV_ERR
(
"Unix jail: %s user not found.
\n
"
,
(
*
args
)
+
5
);
continue
;
}
if
(
!
strncmp
(
*
args
,
"ccgroup="
,
8
))
{
if
(
vju_getccgid
((
*
args
)
+
8
))
ARGV_ERR
(
"Unix jail: %s group not found.
\n
"
,
(
*
args
)
+
8
);
continue
;
}
ARGV_ERR
(
"Unix jail: unknown sub-argument '%s'
\n
"
,
*
args
);
}
if
(
vju_user
==
NULL
&&
vju_getuid
(
JAIL_USER
))
ARGV_ERR
(
"Unix jail: %s user not found.
\n
"
,
JAIL_USER
);
if
(
vju_wrkuser
!=
NULL
&&
vju_wrkgid
!=
vju_gid
)
if
(
vju_wrkuser
!=
NULL
&&
vju_wrkgid
!=
vju_gid
)
ARGV_ERR
(
"Unix jail:
%s and %s have different login groups
\n
"
,
ARGV_ERR
(
"Unix jail:
user %s and %s have "
vju_user
,
vju_wrkuser
);
"different login groups
\n
"
,
vju_user
,
vju_wrkuser
);
/* Do an explicit JAIL_MASTER_LOW */
/* Do an explicit JAIL_MASTER_LOW */
AZ
(
setegid
(
vju_gid
));
AZ
(
setegid
(
vju_gid
));
...
...
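Review bot: The new `(void)vju_getwrkuid(VCACHE_USER);` discards the lookup result, so a host without a `vcache` account gets no indication that the worker process was not given a uid separate from `varnish`. The fallback looks deliberate, but it silently weakens the jail and deserves at least a comment at the call, e.g. `/* Optional: if VCACHE_USER does not exist the worker keeps vju_user's uid */` (to be confirmed against vju_getwrkuid and the code that consumes vju_wrkuser, both outside this hunk), and ideally a startup notice. The automatic lookup also feeds the login-group check that follows, so an existing `vcache` account with a different login group now appears to abort startup even when no `workuser=` was given; as far as the rendering shows, this includes the autoconfig path, which no longer returns early on success. That behaviour is worth stating in the same comment. vju_init starts and ends outside the hunk.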
bin/varnishtest/tests/j00001.vtc
...
@@ -3,7 +3,7 @@ varnishtest "Run worker with different uid in UNIX jail"
...
@@ -3,7 +3,7 @@ varnishtest "Run worker with different uid in UNIX jail"
# The "vrun" user must have login group "varnish"
# The "vrun" user must have login group "varnish"
feature user_varnish
feature user_varnish
feature user_v
run
feature user_v
cache
feature group_varnish
feature group_varnish
feature root
feature root
...
@@ -13,7 +13,7 @@ server s1 {
...
@@ -13,7 +13,7 @@ server s1 {
} -start
} -start
varnish v1 \
varnish v1 \
-jail "-junix,user=varnish,ccgroup=varnish,workuser=v
run
" \
-jail "-junix,user=varnish,ccgroup=varnish,workuser=v
cache
" \
-vcl+backend {
-vcl+backend {
} -start
} -start
...
...
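Review bot: The comment at the top of the test still reads `# The "vrun" user must have login group "varnish"`, while the feature check and the `workuser=` value in this file now name `vcache`. Updating it to `# The "vcache" user must have login group "varnish"` keeps the stated precondition in line with what the test actually requires.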
bin/varnishtest/vtc.c
...
@@ -573,8 +573,8 @@ cmd_feature(CMD_ARGS)
...
@@ -573,8 +573,8 @@ cmd_feature(CMD_ARGS)
getpwnam
(
"varnish"
)
!=
NULL
)
getpwnam
(
"varnish"
)
!=
NULL
)
continue
;
continue
;
if
(
!
strcmp
(
av
[
i
],
"user_v
run
"
)
&&
if
(
!
strcmp
(
av
[
i
],
"user_v
cache
"
)
&&
getpwnam
(
"v
run
"
)
!=
NULL
)
getpwnam
(
"v
cache
"
)
!=
NULL
)
continue
;
continue
;
if
(
!
strcmp
(
av
[
i
],
"group_varnish"
)
&&
if
(
!
strcmp
(
av
[
i
],
"group_varnish"
)
&&
...
...