[Varnish] #628: Least privileges for Varnish: no privileges
Varnish
varnish-bugs at projects.linpro.no
Fri Jan 22 20:15:44 CET 2010
#628: Least privileges for Varnish: no privileges
-------------------------+--------------------------------------------------
Reporter: slink | Owner: phk
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: varnishd | Version: 2.0
Severity: normal | Keywords:
-------------------------+--------------------------------------------------
I've implemented a very simple change so Varnish "worker children" will
waive all privileges on Solaris, which can help to minimize the
hypothetical impact of attacks against Varnish as the children are
handling client connections.
I don't think a varnish worker child should need any privileges, so I have
implemented just that, but one might want to add config options to specify
the privilege sets.
Please note that I consider this patch experimental still, though I
haven't noted any negative side effects.
With this patch, running ppriv on the varnish control process and its
child looks nice:
{{{
25477: /tmp/sbin/varnishd -a 0.0.0.0:80 -T localhost:6082 -p rush_exponent=6
flags = <none>
E: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
I: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
P: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
L: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
25478: /tmp/sbin/varnishd -a 0.0.0.0:80 -T localhost:6082 -p rush_exponent=6
flags = PRIV_AWARE
E: none
I: none
P: none
L: none
}}}
The patch is for 2.0.3 but should be easily applicable to other versions
as well. Note that you need to run autoconf & autoheader to apply
configure.ac changes.
--
Ticket URL: <http://varnish.projects.linpro.no/ticket/628>
Varnish <http://varnish.projects.linpro.no/>
The Varnish HTTP Accelerator
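
A check for the ppriv output shown in the ticket, as an added example that is not part of the original ticket or of the Varnish code: it parses ppriv output and reports whether a process has empty E, I, P and L sets, accepting a set's value on the same line or wrapped onto the next. The sample text is constructed from the ticket's output with shortened command lines, and the function names are hypothetical.

```python
import re

PID_LINE = re.compile(r"^(\d+):\s+\S")
SET_LINE = re.compile(r"^([EIPL]):\s*(.*)$")
SETS = ("E", "I", "P", "L")  # effective, inheritable, permitted, limit

def _to_set(value):  # ppriv prints "none" for an empty privilege set
    return set() if value == "none" else set(value.split(","))

def parse_ppriv(text):
    """Map pid -> {set name -> privileges}; a value may wrap to the next line."""
    procs, pid, pending = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        pid_m, set_m = PID_LINE.match(line), SET_LINE.match(line)
        if pid_m:
            pid, pending = int(pid_m.group(1)), None
            procs[pid] = {}
        elif pid is None:
            continue                      # text before the first process header
        elif set_m and set_m.group(2):
            procs[pid][set_m.group(1)] = _to_set(set_m.group(2))
            pending = None
        elif set_m:
            pending = set_m.group(1)      # value follows on the next line
        elif pending and line:
            procs[pid][pending] = _to_set(line)
            pending = None
    return procs

def is_unprivileged(sets):
    """True only if all four sets were reported and every one is empty."""
    return all(name in sets and not sets[name] for name in SETS)

# Constructed sample in the shape of the ticket's ppriv output
SAMPLE = """\
25477: /tmp/sbin/varnishd
flags = <none>
E:
file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
I: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
P: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
L: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
25478: /tmp/sbin/varnishd
E: none
I: none
P: none
L: none
"""
```

A process whose output lacks any of the four sets is treated as not verified rather than as unprivileged.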