Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Varnish>
  3. Misc
chroot or/and none root user
benny.kjellgren at trig
Oct 4, 2006, 7:39 AM
Post #1 of 7 (1240 views)
Permalink
Hi,

I have started to test Varnish on Debian (and Archlinux) and the
first thing I was looking for is to how to run Varnish as a none
root user (eg www-data) and/or put it in a jail (chroot).

Is it possible to do that ?

--
Benny Kjellgren
chroot or/and none root user [ In reply to ]
phk at phk
Oct 4, 2006, 1:20 PM
Post #2 of 7 (1207 views)
Permalink
In message <20061004143906.GA11126 at trig.com>, "Benny Kjellgren (TRIG/adocca)" write
s:
>Hi,
>
>I have started to test Varnish on Debian (and Archlinux) and the
>first thing I was looking for is to how to run Varnish as a none
>root user (eg www-data) and/or put it in a jail (chroot).
>
>Is it possible to do that ?

If you don't use a priviledged listen port, it should just work.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
chroot or/and none root user [ In reply to ]
ingvar at linpro
Oct 5, 2006, 12:27 AM
Post #3 of 7 (1210 views)
Permalink
* Benny Kjellgren
>> I have started to test Varnish on Debian (and Archlinux) and the
>> first thing I was looking for is to how to run Varnish as a none
>> root user (eg www-data) and/or put it in a jail (chroot).
>>
>> Is it possible to do that ?

* Poul-Henning Kamp
> If you don't use a priviledged listen port, it should just work.

Any plans to use the model used by eg apache or squid, with a
dispatching process running in priviledged mode, and process children
running with a non privilegded user?

One might think that this model makes privilege escalation harder, or at
least, less intrusive, in case there should be any exploitable bugs in
varnish (but of course, there would never be any such thing 8-) .

Ingvar

--
When everything else fails: Symlink
chroot or/and none root user [ In reply to ]
benny.kjellgren at trig
Oct 5, 2006, 12:53 AM
Post #4 of 7 (1213 views)
Permalink
> Any plans to use the model used by eg apache or squid, with a
> dispatching process running in priviledged mode, and process children
> running with a non privilegded user?

An other example is Pound
http://www.apsis.ch/pound/
In Pound you can set "User", "Group" and "RootJail".

--
Benny Kjellgren
chroot or/and none root user [ In reply to ]
benny.kjellgren at trig
Oct 5, 2006, 2:18 AM
Post #5 of 7 (1213 views)
Permalink
> If you don't use a priviledged listen port, it should just work.

FYI
I solved it by running varnishd as user="varnish" and listen
on port 8080 and added a iptables NAT rule that redirect
port 80 to port 8080. Works fine. (Debian)

--
Benny Kjellgren
chroot or/and none root user [ In reply to ]
phk at phk
Oct 5, 2006, 2:38 AM
Post #6 of 7 (1212 views)
Permalink
In message <4524B3EE.3060505 at linpro.no>, Ingvar Hagelund writes:
>* Benny Kjellgren
>>> I have started to test Varnish on Debian (and Archlinux) and the
>>> first thing I was looking for is to how to run Varnish as a none
>>> root user (eg www-data) and/or put it in a jail (chroot).
>>>
>>> Is it possible to do that ?
>
>* Poul-Henning Kamp
>> If you don't use a priviledged listen port, it should just work.
>
>Any plans to use the model used by eg apache or squid, with a
>dispatching process running in priviledged mode, and process children
>running with a non privilegded user?

We could do that, having the management process run as root and
he child as some other user.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
SV: chroot or/and none root user [ In reply to ]
Anders.Berg at vg
Oct 5, 2006, 2:40 AM
Post #7 of 7 (1215 views)
Permalink
If you feel it makes sense Poul-Henning, I certainly do.

Anders Berg

> -----Opprinnelig melding-----
> Fra: varnish-misc-bounces at projects.linpro.no
> [mailto:varnish-misc-bounces at projects.linpro.no] P? vegne av
> Poul-Henning Kamp
> Sendt: 5. oktober 2006 11:38
> Til: varnish-misc at projects.linpro.no
> Emne: Re: chroot or/and none root user
>
> In message <4524B3EE.3060505 at linpro.no>, Ingvar Hagelund writes:
> >* Benny Kjellgren
> >>> I have started to test Varnish on Debian (and Archlinux) and the
> >>> first thing I was looking for is to how to run Varnish as a none
> >>> root user (eg www-data) and/or put it in a jail (chroot).
> >>>
> >>> Is it possible to do that ?
> >
> >* Poul-Henning Kamp
> >> If you don't use a priviledged listen port, it should just work.
> >
> >Any plans to use the model used by eg apache or squid, with a
> >dispatching process running in priviledged mode, and process
> children
> >running with a non privilegded user?
>
> We could do that, having the management process run as root
> and he child as some other user.
>
> --
> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
> phk at FreeBSD.ORG | TCP/IP since RFC 956
> FreeBSD committer | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by
> incompetence.
> _______________________________________________
> varnish-misc mailing list
> varnish-misc at projects.linpro.no
> http://projects.linpro.no/mailman/listinfo/varnish-misc
>

*****************************************************************
Denne fotnoten bekrefter at denne e-postmeldingen ble
skannet av MailSweeper og funnet fri for virus.
*****************************************************************
This footnote confirms that this email message has been swept by
MailSweeper for the presence of computer viruses.
*****************************************************************

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal