Ticket #628 (closed enhancement: fixed)
Least privileges for Varnish: no privileges
| Reported by: | slink | Owned by: | phk |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | varnishd | Version: | 2.0 |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
I've implemented a very simple change so Varnish "worker children" will waive all privileges on Solaris, which can help to minimize the hypothetical impact of attacks against Varnish, as the children are handling client connections.
I don't think a varnish worker child should need any privileges, so I have implemented just that, but one might want to add config options to specify the privilege sets.
Please note that I consider this patch experimental still, though I haven't noted any negative side effects.
With this patch, running ppriv on the varnish control process and its child looks nice:
```
25477: /tmp/sbin/varnishd -a 0.0.0.0:80 -T localhost:6082 -p rush_exponent=6
flags = <none>
E: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
I: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
P: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
L: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
25478: /tmp/sbin/varnishd -a 0.0.0.0:80 -T localhost:6082 -p rush_exponent=6
flags = PRIV_AWARE
E: none
I: none
P: none
L: none
```
The patch is for 2.0.3 but should be easily applicable to other versions as well. Note that you need to run autoconf & autoheader to apply the configure.ac changes.
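An added check, not part of slink's patch or of Varnish: a small Python parser for the `ppriv` listing quoted in the ticket, so the privilege drop can be confirmed by a test rather than by eye. It reports any pid that still holds a privilege in any of the four sets (E, I, P, L); the sample text below is the ticket's own output, embedded as a constant.

```python
import re
# Constructed sample: the two ppriv listings quoted in the ticket above.
SAMPLE = """\
25477: /tmp/sbin/varnishd -a 0.0.0.0:80 -T localhost:6082 -p rush_exponent=6
flags = <none>
        E: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
        I: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
        P: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
        L: file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
25478: /tmp/sbin/varnishd -a 0.0.0.0:80 -T localhost:6082 -p rush_exponent=6
flags = PRIV_AWARE
        E: none
        I: none
        P: none
        L: none
"""
HEADER_RE = re.compile(r"^(\d+):\s+(.*)$")          # "pid: command line"
FLAGS_RE = re.compile(r"^\s*flags\s*=\s*(.*)$")     # "flags = <none>" or e.g. PRIV_AWARE
SET_RE = re.compile(r"^\s*([EIPL]):\s*(.*)$")        # Effective/Inheritable/Permitted/Limit

def _names(value, empty_marker):
    value = value.strip()
    return set() if value == empty_marker else set(value.split(","))

def parse_ppriv(text):
    """Map pid -> {'cmd', 'flags', 'E', 'I', 'P', 'L'} (sets of privilege names)."""
    procs, cur = {}, None
    for line in filter(str.strip, text.splitlines()):
        if m := HEADER_RE.match(line):
            cur = {"cmd": m.group(2), "flags": set(), "E": set(), "I": set(), "P": set(), "L": set()}
            procs[int(m.group(1))] = cur
        elif cur is None:
            raise ValueError("privilege line before any pid header: %r" % line)
        elif m := FLAGS_RE.match(line):
            cur["flags"] = _names(m.group(1), "<none>")
        elif m := SET_RE.match(line):
            cur[m.group(1)] = _names(m.group(2), "none")
        else:
            raise ValueError("unrecognised ppriv line: %r" % line)
    return procs

def is_unprivileged(proc):
    """All four sets empty: with L (limit) empty the process can never regain a privilege."""
    return not any(proc[s] for s in "EIPL")

def residual_privileges(procs):
    """pid -> union of privileges still held, for every process not fully stripped."""
    return {pid: set().union(*(p[s] for s in "EIPL"))
            for pid, p in procs.items() if not is_unprivileged(p)}
```

On a real host, feed it the output of `ppriv` for the varnishd control process and each worker child and expect only the control process in `residual_privileges`.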