Introduce a "workuser" subargument to -junix, which makes it possible

to run the varnishd worker process as a different user than the VCC
and CC subprocesses.

It is mandatory that the workuser has the same login group as the user
subparamter.

Recommended values for packaging:

	-junix,user=varnish	"varnish" user has login group "varnish"
	-junix,workuser=vrun	"vrun" user has login group "varnish"

bin/varnishd/mgt/mgt_jail_unix.c

@@ -51,6 +51,11 @@ static gid_t vju_mgr_gid;
 static uid_t vju_uid;
 static gid_t vju_gid;
 static const char *vju_user;
+
+static uid_t vju_wrkuid;
+static gid_t vju_wrkgid;
+static const char *vju_wrkuser;
+
 static gid_t vju_cc_gid;
 static int vju_cc_gid_set;
 
@@ -78,6 +83,22 @@ vju_getuid(const char *arg)
 	return (pw == NULL ? -1 : 0);
 }
 
+static int
+vju_getwrkuid(const char *arg)
+{
+	struct passwd *pw;
+
+	pw = getpwnam(arg);
+	if (pw != NULL) {
+		vju_wrkuser = strdup(arg);
+		AN(vju_wrkuser);
+		vju_wrkuid = pw->pw_uid;
+		vju_wrkgid = pw->pw_gid;
+	}
+	endpwent();
+	return (pw == NULL ? -1 : 0);
+}
+
 static int
 vju_getccgid(const char *arg)
 {
@@ -121,6 +142,12 @@ vju_init(char **args)
 				    (*args) + 5);
 			continue;
 		}
+		if (!strncmp(*args, "workuser=", 9)) {
+			if (vju_getwrkuid((*args) + 9))
+				ARGV_ERR("Unix jail: %s user not found.\n",
+				    (*args) + 5);
+			continue;
+		}
 		if (!strncmp(*args, "ccgroup=", 8)) {
 			if (vju_getccgid((*args) + 8))
 				ARGV_ERR("Unix jail: %s group not found.\n",
@@ -158,8 +185,14 @@ vju_subproc(enum jail_subproc_e jse)
 	gid_t gid_list[NGID];
 
 	AZ(seteuid(0));
-	AZ(setgid(vju_gid));
-	AZ(initgroups(vju_user, vju_gid));
+	if (vju_wrkuser != NULL &&
+	    (jse == JAIL_SUBPROC_VCLLOAD || jse == JAIL_SUBPROC_WORKER)) {
+		AZ(setgid(vju_wrkgid));
+		AZ(initgroups(vju_wrkuser, vju_wrkgid));
+	} else {
+		AZ(setgid(vju_gid));
+		AZ(initgroups(vju_user, vju_gid));
+	}
 
 	if (jse == JAIL_SUBPROC_CC && vju_cc_gid_set) {
 		/* Add the optional extra group for the C-compiler access */
@@ -169,7 +202,12 @@ vju_subproc(enum jail_subproc_e jse)
 		AZ(setgroups(i, gid_list));
 	}
 
-	AZ(setuid(vju_uid));
+	if (vju_wrkuser != NULL &&
+	    (jse == JAIL_SUBPROC_VCLLOAD || jse == JAIL_SUBPROC_WORKER)) {
+		AZ(setuid(vju_wrkuid));
+	} else {
+		AZ(setuid(vju_uid));
+	}
 
 #ifdef __linux__
 	/*

bin/varnishd/mgt/mgt_vcc.c

@@ -172,7 +172,7 @@ run_cc(void *priv)
 		VSB_putc(sb, '%');
 	AZ(VSB_finish(sb));
 
-	(void)umask(077);
+	(void)umask(027);
 	(void)execl("/bin/sh", "/bin/sh", "-c", VSB_data(sb), (char*)0);
 	VSB_delete(sb);				// For flexelint
 }
@@ -227,7 +227,7 @@ mgt_vcc_touchfile(const char *fn, struct vsb *sb)
 {
 	int i;
 
-	i = open(fn, O_WRONLY|O_CREAT|O_TRUNC, 0600);
+	i = open(fn, O_WRONLY|O_CREAT|O_TRUNC, 0640);
 	if (i < 0) {
 		VSB_printf(sb, "Failed to create %s: %s", fn, strerror(errno));
 		return (2);

bin/varnishtest/tests/j00001.vtc

+varnishtest "Run worker with different uid in UNIX jail"
+
+# The "vrun" user must have login group "varnish"
+
+feature user_varnish
+feature user_vrun
+feature group_varnish
+feature root
+
+server s1 {
+	rxreq
+	txresp
+} -start
+
+varnish v1 \
+	-jail "-junix,user=varnish,ccgroup=varnish,workuser=vrun" \
+	-vcl+backend {
+} -start
+
+client c1 {
+	txreq
+	rxresp
+	expect resp.status == 200
+} -run

bin/varnishtest/tests/j00002.vtc

+varnishtest "-junix bad subarg handling"
+
+feature root
+
+err_shell "unknown sub-argument" "${varnishd} -junix,bla=foo 2>&1"
+err_shell "user not found" "${varnishd} -junix,user=/// 2>&1"
+err_shell "user not found" "${varnishd} -junix,workuser=/// 2>&1"
+err_shell "group not found" "${varnishd} -junix,ccgroup=/// 2>&1"

bin/varnishtest/vtc.c

@@ -573,6 +573,10 @@ cmd_feature(CMD_ARGS)
 		    getpwnam("varnish") != NULL)
 			continue;
 
+		if (!strcmp(av[i], "user_vrun") &&
+		    getpwnam("vrun") != NULL)
+			continue;
+
 		if (!strcmp(av[i], "group_varnish") &&
 		    getgrnam("varnish") != NULL)
 			continue;