
[master] 109201227 Solaris jail: Allow to pass a privilege specification for the worker
commit 10920122713844aa2df46fac1d71900cb7574ad5
Author: Nils Goroll <nils.goroll@uplex.de>
Date: Tue Jun 2 15:26:43 2020 +0200

Solaris jail: Allow to pass a privilege specification for the worker

diff --git a/bin/varnishd/mgt/mgt_jail_solaris.c b/bin/varnishd/mgt/mgt_jail_solaris.c
index 3a50b572e..fb118cfd6 100644
--- a/bin/varnishd/mgt/mgt_jail_solaris.c
+++ b/bin/varnishd/mgt/mgt_jail_solaris.c
@@ -323,12 +323,24 @@ vjs_alloc(void)
static int v_matchproto_(jail_init_f)
vjs_init(char **args)
{
- priv_set_t **sets, *permitted, *inheritable;
+ priv_set_t **sets, *permitted, *inheritable, *user = NULL;
+ const char *e;
int vj, vs;

if (args != NULL && *args != NULL) {
- ARGV_ERR("-jsolaris takes no arguments.\n");
- return (0);
+ for (;*args != NULL; args++) {
+ if (!strncmp(*args, "worker=", 7)) {
+ user = priv_str_to_set((*args) + 7, ",", &e);
+ if (user == NULL)
+ ARGV_ERR(
+ "-jsolaris: parsing worker= "
+ "argument failed near %s.\n",
+ e);
+ continue;
+ }
+ ARGV_ERR("-jsolrais: unknown sub-argument '%s'\n",
+ *args);
+ }
}

permitted = vjs_alloc();
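Review bot: The error string for an unknown sub-argument misspells the jail name, `"-jsolrais: unknown sub-argument '%s'\n"`; it should read `"-jsolaris: unknown sub-argument '%s'\n"` so the message matches the option the user typed and the sibling message two lines above. The `continue` after the `priv_str_to_set` failure is only meaningful if ARGV_ERR returns; the removed lines followed ARGV_ERR with an explicit `return (0)`, so if the macro does not terminate, a failed parse leaves `user == NULL` and the loop silently keeps going instead of aborting. Giving `worker=` more than once overwrites `user` without releasing the previous set; a `priv_freeset(user)` before the reassignment, or rejecting the repeated argument, would avoid that. If `priv_str_to_set` can fail for a reason other than a parse error, `e` may not point into the input, so it is worth confirming it is non-NULL before printing it with `%s`. vjs_init continues outside this hunk.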
@@ -372,6 +384,9 @@ vjs_init(char **args)
#define PRIV(name, mask, priv) vjs_add(vjs_sets[JAIL_ ## name], mask, priv);
#include "mgt_jail_solaris_tbl.h"

+ if (user != NULL)
+ priv_union(user, vjs_sets[JAIL_SUBPROC_WORKER][VJS_EFFECTIVE]);
+
/* mask by available privs */
for (vj = 0; vj < JAIL_LIMIT; vj++) {
sets = vjs_sets[vj];
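Review bot: The set returned by `priv_str_to_set` is allocated and is never released after the `priv_union`; add `priv_freeset(user);` (and `user = NULL;`) once the union is done. Extending only the worker's effective set also looks incomplete: on Solaris the effective set must be a subset of the permitted set, so unless the permitted set is derived from the effective one later in vjs_init (outside this hunk), the privileges added here would be dropped by the "mask by available privs" step or rejected at setppriv time; if that is the case, the same `priv_union` should be applied to the worker's permitted set as well. Wrapping the two statements in braces would keep the block readable once a second line is added. The enclosing function continues beyond this hunk.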
diff --git a/doc/sphinx/reference/varnishd.rst b/doc/sphinx/reference/varnishd.rst
index dd01fbeba..3c4a1d931 100644
--- a/doc/sphinx/reference/varnishd.rst
+++ b/doc/sphinx/reference/varnishd.rst
@@ -392,11 +392,21 @@ Varnish jails are a generalization over various platform specific
methods to reduce the privileges of varnish processes. They may have
specific options. Available jails are:

--j solaris
+-j <solaris[,worker=`privspec`]>

- Reduce privileges(5) for `varnishd` and sub-process to the minimally
- required set. Only available on platforms which have the setppriv(2)
- call.
+ Reduce `privileges(5)` for `varnishd` and sub-process to the
+ minimally required set. Only available on platforms which have the
+ `setppriv(2)` call.
+
+ The optional `worker` argument can be used to pass a
+ privilege-specification (see `ppriv(1)`) by which to extend the
+ effective set of the varnish worker process. While extended
+ privileges may be required by custom vmods, it is always the more
+ secure to *not* use the `worker` option.
+
+ Example to grant basic privileges to the worker process::
+
+ -j solaris,worker=basic

-j <unix[,user=`user`][,ccgroup=`group`][,workuser=`user`]>
