Changeset f837fb


Timestamp:
2011-09-30 14:30:43 (3 years ago)
Author:
Poul-Henning Kamp <phk@…>
Branches:
master, 4.0, experimental-ims
Children:
009eb1
Parents:
5fc5c4
git-author:
Poul-Henning Kamp <phk@…> (2011-09-30 14:30:43)
git-committer:
Poul-Henning Kamp <phk@…> (2011-09-30 14:30:43)
Message:

Split Solaris sandboxing out to a separate source file, and apply
patch received from Nils Goroll <nils.goroll@…>

  • If available, keep sys_resource in the permitted/limited set to allow cache_waiter_ports to raise the process.max-port-events resource control (feature to be added later).
  • When starting varnish with euid 0 on Solaris, privilege separation prohibited preserving additional privileges (in excess of the basic set) in the child, because, for a non privilege aware process, setuid() resets the effective, inheritable and permitted sets to the basic set.

To achieve interoperability between Solaris privileges and
setuid()/setgid(), we now make the varnish child privilege aware
before calling setuid() by trying to add all privileges we will need
plus proc_setid.

  • On Solaris, check for proc_setid rather than checking the euid as a prerequisite for changing the uid/gid and only change the uid/gid if we need to (for a privilege aware process, [ers]uid 0 lose their magic powers).

Note that setuid() will always set SNOCD on Solaris, which will
prevent core dumps from being written, unless setuid core dumps are
explicitly enabled using coreadm(1M).

To avoid setuid() (and the SNOCD flag, consequently), start varnish
as the user you intend to run the child as, but with additional
privileges, e.g. using

ppriv -e -s A=basic,net_privaddr,sys_resource varnishd ...

  • setppriv(PRIV_SET, ...) failed when the privileges to be applied were not available in the permitted set.

We change the logic to only clear the privileges which are not
needed by inverting the sets and removing all unneeded privileges
using setppriv(PRIV_OFF, ...).

So the child might end up with fewer privileges than given initially,
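The last two bullets of the message turn on the difference between replacing a privilege set (PRIV_SET fails as soon as the requested set contains anything the process does not already hold) and switching off the complement (PRIV_OFF only removes, so it cannot fail that way, and the child simply keeps the intersection of what it had and what it needs). The following is an added example, not code from this patch or from Varnish: it models that behaviour with bitmasks so it runs on any platform. `sim_setppriv()` stands in for setppriv(2) with two of the Solaris rules (no set may gain a privilege missing from P; E is kept a subset of P), the privilege names are the ones in the message, and the bit values and the starting sets (a child launched as `ppriv -e -s A=basic,net_privaddr,sys_resource`, deliberately without file_read) are constructed for the model.

```c
/*
 * Added example (not from the Varnish patch): a simplified, portable
 * model of why the sandbox moved from setppriv(PRIV_SET, ...) to
 * setppriv(PRIV_OFF, ...). Privileges are bits in a mask instead of a
 * priv_set_t, and sim_setppriv() plays the role of setppriv(2).
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t priv_mask_t;

/* Constructed bit values; the names follow the commit message. */
enum {
	PRIV_BASIC        = 1u << 0,	/* stands in for the whole basic set */
	PRIV_NET_ACCESS   = 1u << 1,
	PRIV_FILE_READ    = 1u << 2,
	PRIV_NET_PRIVADDR = 1u << 3,
	PRIV_SYS_RESOURCE = 1u << 4,
	PRIV_PROC_SETID   = 1u << 5,
	PRIV_ALL          = (1u << 6) - 1
};

enum sim_which { SIM_PERMITTED, SIM_EFFECTIVE, SIM_INHERITABLE, SIM_LIMIT };
enum sim_op { SIM_SET, SIM_OFF };

struct proc_privs {
	priv_mask_t p, e, i, l;		/* permitted, effective, inheritable, limit */
};

/* What the sandbox wants the child to keep (the "minimal" set of the old code). */
static const priv_mask_t MINIMAL =
    PRIV_NET_ACCESS | PRIV_FILE_READ | PRIV_SYS_RESOURCE;

/* Constructed starting point: all four sets equal, file_read absent. */
struct proc_privs
start_privs(void)
{
	struct proc_privs pp;

	pp.p = pp.e = pp.i = pp.l =
	    PRIV_BASIC | PRIV_NET_ACCESS | PRIV_NET_PRIVADDR | PRIV_SYS_RESOURCE;
	return (pp);
}

static priv_mask_t *
set_ptr(struct proc_privs *pp, enum sim_which w)
{
	switch (w) {
	case SIM_PERMITTED:   return (&pp->p);
	case SIM_EFFECTIVE:   return (&pp->e);
	case SIM_INHERITABLE: return (&pp->i);
	default:              return (&pp->l);
	}
}

/* Stand-in for setppriv(2): 0 on success, -1 with errno = EPERM otherwise. */
int
sim_setppriv(struct proc_privs *pp, enum sim_op op, enum sim_which w,
    priv_mask_t set)
{
	priv_mask_t *target = set_ptr(pp, w);

	if (op == SIM_SET) {
		if (set & ~pp->p) {	/* requesting a privilege we do not hold */
			errno = EPERM;
			return (-1);
		}
		*target = set;
	} else {
		*target &= ~set;	/* PRIV_OFF only ever removes */
	}
	pp->e &= pp->p;			/* E can never exceed P */
	return (0);
}

/* The logic the patch removes: replace each set wholesale with MINIMAL. */
int
waive_with_set(struct proc_privs *pp)
{
	if (sim_setppriv(pp, SIM_SET, SIM_LIMIT, MINIMAL) ||
	    sim_setppriv(pp, SIM_SET, SIM_PERMITTED, MINIMAL) ||
	    sim_setppriv(pp, SIM_SET, SIM_INHERITABLE, 0))
		return (-1);
	return (0);
}

/* The logic the patch introduces: invert MINIMAL and switch off the rest. */
int
waive_with_off(struct proc_privs *pp)
{
	priv_mask_t unneeded = PRIV_ALL & ~MINIMAL;

	if (sim_setppriv(pp, SIM_OFF, SIM_LIMIT, unneeded) ||
	    sim_setppriv(pp, SIM_OFF, SIM_PERMITTED, unneeded) ||
	    sim_setppriv(pp, SIM_OFF, SIM_INHERITABLE, PRIV_ALL) ||
	    sim_setppriv(pp, SIM_OFF, SIM_EFFECTIVE, unneeded))
		return (-1);
	return (0);
}

int
main(void)
{
	struct proc_privs a = start_privs(), b = start_privs();

	if (waive_with_set(&a) == -1)
		perror("PRIV_SET with a set we do not fully hold");
	if (waive_with_off(&b) == 0)
		printf("PRIV_OFF: P=%#x E=%#x I=%#x L=%#x\n", (unsigned)b.p,
		    (unsigned)b.e, (unsigned)b.i, (unsigned)b.l);
	return (0);
}
```

In the modelled run the old path fails at the very first call, because `file_read` is requested but not held, and the child would have carried on with its full starting privileges; the new path succeeds and leaves P, E and L at exactly the subset of MINIMAL the child actually had, which is the "fewer privileges than given initially" outcome the message describes.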

Location:
bin/varnishd
Files:
1 added
3 edited

  • bin/varnishd/Makefile.am

    r761d0c rf837fb  
    6161        mgt_pool.c \ 
    6262        mgt_sandbox.c \ 
     63        mgt_sandbox_solaris.c \ 
    6364        mgt_shmem.c \ 
    6465        mgt_vcc.c \ 
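Review bot: mgt_sandbox_solaris.c is added to the source list unconditionally, so it is compiled on every platform; since the prototypes in mgt.h are wrapped in `#ifdef HAVE_SETPPRIV`, the whole body of the new file must be guarded the same way (or the file added through an Automake conditional), otherwise non-Solaris builds break on the missing <priv.h>.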
  • bin/varnishd/mgt.h

    r69e5bd5 rf837fb  
    7272void mgt_sandbox(void); 
    7373 
     74/* mgt_sandbox_solaris.c */ 
     75#ifdef HAVE_SETPPRIV 
     76void mgt_sandbox_solaris_init(void) 
     77void mgt_sandbox_solaris_fini(void) 
     78#endif 
     79 
    7480/* mgt_shmem.c */ 
    7581void mgt_SHM_Init(const char *arg); 
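Review bot: the two added prototypes are missing their trailing semicolons, `void mgt_sandbox_solaris_init(void)` and `void mgt_sandbox_solaris_fini(void)`, so any build with HAVE_SETPPRIV defined fails to compile the header; add `;` to both.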
  • bin/varnishd/mgt_sandbox.c

    re0ee2a rf837fb  
    4949#include <unistd.h> 
    5050 
    51 #ifdef HAVE_PRIV_H 
    52 #include <priv.h> 
    53 #endif 
    54  
    5551#ifdef __linux__ 
    5652#include <sys/prctl.h> 
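Review bot: dropping the `HAVE_PRIV_H` guarded `#include <priv.h>` is fine only because the rest of this patch removes every priv_set_t/priv_* use from this file, but note the replacement calls are guarded by `HAVE_SETPPRIV`, not `HAVE_PRIV_H`; make sure configure only defines HAVE_SETPPRIV where <priv.h> is also found, or the new file needs both checks.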
     
    6763mgt_sandbox(void) 
    6864{ 
     65 
     66#ifdef HAVE_SETPPRIV 
     67        mgt_sandbox_solaris_init(); 
     68#endif 
    6969 
    7070        if (geteuid() == 0) { 
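Review bot: mgt_sandbox_solaris_init() is called ahead of the unchanged `if (geteuid() == 0) {` block, yet the message says Solaris should key the uid/gid switch on proc_setid rather than on euid; state (in mgt.h or the new file) that init must run before that block and that it is responsible for the privilege-aware setuid() path, and since the function returns void, a failure to obtain proc_setid cannot be reported back here, so consider returning an int or at least logging it.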
     
    8585 
    8686#ifdef HAVE_SETPPRIV 
    87         priv_set_t *empty, *minimal; 
    88  
    89         if (!(empty = priv_allocset()) || 
    90             !(minimal = priv_allocset())) { 
    91                 REPORT0(LOG_ERR, "priv_allocset_failed"); 
    92         } else { 
    93                 priv_emptyset(empty); 
    94                 priv_emptyset(minimal); 
    95  
    96                 /* 
    97                  * new privilege, 
    98                  * silently ignore any errors if it doesn't exist 
    99                  */ 
    100                 priv_addset(minimal, "net_access"); 
    101                 priv_addset(minimal, "file_read"); 
    102  
    103 #define SETPPRIV(which, set)                                            \ 
    104                 if (setppriv(PRIV_SET, which, set))                     \ 
    105                         REPORT0(LOG_ERR,                                \ 
    106                             "Waiving privileges failed on " #which) 
    107  
    108                 /* need to set I after P to avoid SNOCD being set */ 
    109                 SETPPRIV(PRIV_LIMIT, minimal); 
    110                 SETPPRIV(PRIV_PERMITTED, minimal); /* implies PRIV_EFFECTIVE */ 
    111                 SETPPRIV(PRIV_INHERITABLE, empty); 
    112  
    113                 priv_freeset(empty); 
    114                 priv_freeset(minimal); 
    115         } 
     87        mgt_sandbox_solaris_fini(); 
    11688#endif 
    11789 
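Review bot: two semantic notes in the removed block should survive in mgt_sandbox_solaris_fini(), namely `/* need to set I after P to avoid SNOCD being set */` and `/* implies PRIV_EFFECTIVE */`; the new file is not shown in this changeset, so confirm the PRIV_OFF ordering preserves them. Also, the old code leaked `empty` when only the second priv_allocset() failed (`!(empty = priv_allocset()) || !(minimal = priv_allocset())`), so check that the replacement frees both sets on every path.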