r5226 - trunk/varnish-cache/bin/varnishd
phk at varnish-cache.org
phk at varnish-cache.org
Tue Sep 21 19:04:24 CEST 2010
Author: phk
Date: 2010-09-21 19:04:23 +0200 (Tue, 21 Sep 2010)
New Revision: 5226
Modified:
trunk/varnish-cache/bin/varnishd/mgt_child.c
Log:
Fix/Update for Solaris priv_set().
Fixes #670
Fixes #671
Modified: trunk/varnish-cache/bin/varnishd/mgt_child.c
===================================================================
--- trunk/varnish-cache/bin/varnishd/mgt_child.c 2010-09-21 16:58:30 UTC (rev 5225)
+++ trunk/varnish-cache/bin/varnishd/mgt_child.c 2010-09-21 17:04:23 UTC (rev 5226)
@@ -287,23 +287,30 @@
{
#ifdef HAVE_SETPPRIV
- priv_set_t *empty;
+ priv_set_t *empty, *minimal;
- if (!(empty = priv_allocset())) {
+ if (!(empty = priv_allocset()) ||
+ !(minimal = priv_allocset())) {
perror("priv_allocset_failed");
return;
}
priv_emptyset(empty);
+ priv_emptyset(minimal);
+ /* new privilege, silently ignore any errors if it doesn't exist */
+ priv_addset(minimal, "net_access");
+
#define SETPPRIV(which, set) \
if (setppriv(PRIV_SET, which, set)) \
perror("Waiving privileges failed on " #which)
- SETPPRIV(PRIV_LIMIT, empty);
+ /* need to set I after P to avoid SNOCD being set */
+ SETPPRIV(PRIV_LIMIT, minimal);
+ SETPPRIV(PRIV_PERMITTED, minimal); /* implies PRIV_EFFECTIVE */
SETPPRIV(PRIV_INHERITABLE, empty);
- SETPPRIV(PRIV_PERMITTED, empty); /* implies PRIV_EFFECTIVE */
priv_freeset(empty);
+ priv_freeset(minimal);
#else
return;
#endif
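Review bot: In the combined allocation check, a failure of the second `priv_allocset()` returns without releasing `empty`, and on either failure the function returns with no privileges waived, so the child keeps its full privilege set after only a `perror`. Splitting the two allocations and calling `priv_freeset(empty);` before the `return` in the second branch closes the leak. The `SETPPRIV` calls for `PRIV_LIMIT` and `PRIV_PERMITTED` have the same log-and-continue behaviour. If this drop is meant as a hard sandbox boundary, consider whether a failed `setppriv` should stop the child rather than let it run unconfined; that depends on callers not visible here. The function's opening and closing lines are outside the hunk.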