[Varnish] #628: Least privileges for Varnish: no privileges

Varnish varnish-bugs at projects.linpro.no
Fri Jan 22 20:15:44 CET 2010


#628: Least privileges for Varnish: no privileges
-------------------------+--------------------------------------------------
 Reporter:  slink        |       Owner:  phk
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:     
Component:  varnishd     |     Version:  2.0
 Severity:  normal       |    Keywords:     
-------------------------+--------------------------------------------------
 I've implemented a very simple change so Varnish "worker children" will
 waive all privileges on Solaris, which can help to minimize the
 hypothetical impact of attacks against Varnish as the children are
 handling client connections.

 I don't think a varnish worker child should need any privileges, so I have
 implemented just that, but one might want to add config options to specify
 the privilege sets.

 Please note that I consider this patch experimental still, though I
 haven't noted any negative side effects.

 With this patch, running ppriv on the varnish control process and its
 child looks nice:

 {{{
 25477:    /tmp/sbin/varnishd -a 0.0.0.0:80 -T localhost:6082 -p
 rush_exponent=6
 flags = <none>
     E:
 file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
     I:
 file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
     P:
 file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
     L:
 file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
 25478:    /tmp/sbin/varnishd -a 0.0.0.0:80 -T localhost:6082 -p
 rush_exponent=6
 flags = PRIV_AWARE
     E: none
     I: none
     P: none
     L: none
 }}}

 The patch is for 2.0.3 but should be easily applicable to other versions
 as well. Note that you need to run autoconf & autoheader to apply the
 configure.ac changes.

-- 
Ticket URL: <http://varnish.projects.linpro.no/ticket/628>
Varnish <http://varnish.projects.linpro.no/>
The Varnish HTTP Accelerator
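Added example, not code from the ticket or from Varnish: a small Python checker that parses ppriv output of the shape shown above and reports a worker child that still holds any privilege in its E/I/P/L sets or lacks PRIV_AWARE, plus a manager whose permitted set exceeds an expected allow-list. SAMPLE is the ticket's listing embedded as a constructed sample (e-mail line wrapping included); the manager allow-list passed to check_pair is an assumption.

```python
import re

# ppriv(1) output as pasted in the ticket (constructed sample; the e-mail line wrapping is kept
SAMPLE = """\
25477:    /tmp/sbin/varnishd -a 0.0.0.0:80 -T localhost:6082 -p
rush_exponent=6
flags = <none>
    E:
file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
    I:
file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
    P:
file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
    L:
file_link_any,net_privaddr,proc_exec,proc_fork,proc_lock_memory,proc_setid
25478:    /tmp/sbin/varnishd -a 0.0.0.0:80 -T localhost:6082 -p
rush_exponent=6
flags = PRIV_AWARE
    E: none
    I: none
    P: none
    L: none
"""
SETS = ("E", "I", "P", "L")
_privs = lambda s: set() if s in ("none", "<none>", "") else set(s.split(","))

def parse_ppriv(text):
    """Map pid -> {"flags", "E", "I", "P", "L"} sets, tolerating set lists wrapped to the next line."""
    procs, cur, pending = {}, {}, None  # cur starts as a throwaway dict until the first pid line
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"^(\d+):\s", line):
            cur, pending = procs.setdefault(int(m.group(1)), {k: set() for k in ("flags", *SETS)}), None
        elif line.startswith("flags ="):
            cur["flags"] = _privs(line.split("=", 1)[1].strip())
        elif m := re.match(r"^([EIPL]):\s*(.*)$", line):
            pending = None if m.group(2) else m.group(1)  # empty: the list is on the next line
            cur[m.group(1)] = _privs(m.group(2))
        elif pending:
            cur[pending], pending = _privs(line), None
    return procs

def check_pair(procs, manager_pid, child_pid, manager_allowed):
    """Findings for a manager/worker pair; an empty list means least privilege holds."""
    mgr, child = procs[manager_pid], procs[child_pid]
    findings = [f"child {s} set not empty: {sorted(child[s])}" for s in SETS if child[s]]
    if "PRIV_AWARE" not in child["flags"]:
        findings.append("child is not PRIV_AWARE")
    if mgr["P"] - set(manager_allowed):
        findings.append(f"manager holds unexpected privileges: {sorted(mgr['P'] - set(manager_allowed))}")
    return findings
```

On a live Solaris host the same functions can be fed `ppriv -v <pid>` output captured from the varnishd manager and its child.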