r5281 - in branches/2.1: . varnish-cache/bin/varnishd varnish-cache/bin/varnishtest/tests varnish-cache/doc/sphinx/phk varnish-cache/include varnish-cache/lib/libvarnish varnish-cache/lib/libvcl
tfheen at varnish-cache.org
Mon Sep 27 14:17:14 CEST 2010
Author: tfheen
Date: 2010-09-27 14:17:13 +0200 (Mon, 27 Sep 2010)
New Revision: 5281
Added:
branches/2.1/varnish-cache/doc/sphinx/phk/barriers.rst
Modified:
branches/2.1/
branches/2.1/varnish-cache/bin/varnishd/cache_backend.h
branches/2.1/varnish-cache/bin/varnishd/cache_backend_cfg.c
branches/2.1/varnish-cache/bin/varnishd/vparam.h
branches/2.1/varnish-cache/bin/varnishtest/tests/c00019.vtc
branches/2.1/varnish-cache/bin/varnishtest/tests/r00325.vtc
branches/2.1/varnish-cache/bin/varnishtest/tests/r00416.vtc
branches/2.1/varnish-cache/bin/varnishtest/tests/v00011.vtc
branches/2.1/varnish-cache/doc/sphinx/phk/index.rst
branches/2.1/varnish-cache/include/vct.h
branches/2.1/varnish-cache/include/vev.h
branches/2.1/varnish-cache/lib/libvarnish/tcp.c
branches/2.1/varnish-cache/lib/libvarnish/vev.c
branches/2.1/varnish-cache/lib/libvcl/vcc_dir_random.c
Log:
Merge r4987: Explain the security-barriers influence on Varnish' design.
Property changes on: branches/2.1
___________________________________________________________________
Modified: svn:mergeinfo
- /trunk:4637,4640,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986,4989,5016,5048,5162,5170
+ /trunk:4637,4640,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986-4987,4989,5016,5048,5162,5170
Property changes on: branches/2.1/varnish-cache/bin/varnishd/cache_backend.h
___________________________________________________________________
Modified: svn:mergeinfo
- /trunk/varnish-cache/bin/varnishd/cache_backend.h:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986,4989,5016,5048,5162,5170
+ /trunk/varnish-cache/bin/varnishd/cache_backend.h:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986-4987,4989,5016,5048,5162,5170
Property changes on: branches/2.1/varnish-cache/bin/varnishd/cache_backend_cfg.c
___________________________________________________________________
Modified: svn:mergeinfo
- /trunk/varnish-cache/bin/varnishd/cache_backend_cfg.c:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986,4989,5016,5048,5162,5170
+ /trunk/varnish-cache/bin/varnishd/cache_backend_cfg.c:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986-4987,4989,5016,5048,5162,5170
Property changes on: branches/2.1/varnish-cache/bin/varnishd/vparam.h
___________________________________________________________________
Modified: svn:mergeinfo
- /trunk/varnish-cache/bin/varnishd/vparam.h:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986,4989,5016,5048,5162,5170
+ /trunk/varnish-cache/bin/varnishd/vparam.h:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986-4987,4989,5016,5048,5162,5170
Property changes on: branches/2.1/varnish-cache/bin/varnishtest/tests/c00019.vtc
___________________________________________________________________
Modified: svn:mergeinfo
- /trunk/varnish-cache/bin/varnishtest/tests/c00019.vtc:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986,4989,5016,5048,5162,5170
+ /trunk/varnish-cache/bin/varnishtest/tests/c00019.vtc:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986-4987,4989,5016,5048,5162,5170
Property changes on: branches/2.1/varnish-cache/bin/varnishtest/tests/r00325.vtc
___________________________________________________________________
Modified: svn:mergeinfo
- /trunk/varnish-cache/bin/varnishtest/tests/r00325.vtc:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986,4989,5016,5048,5162,5170
+ /trunk/varnish-cache/bin/varnishtest/tests/r00325.vtc:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986-4987,4989,5016,5048,5162,5170
Property changes on: branches/2.1/varnish-cache/bin/varnishtest/tests/r00416.vtc
___________________________________________________________________
Modified: svn:mergeinfo
- /trunk/varnish-cache/bin/varnishtest/tests/r00416.vtc:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986,4989,5016,5048,5162,5170
+ /trunk/varnish-cache/bin/varnishtest/tests/r00416.vtc:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986-4987,4989,5016,5048,5162,5170
Property changes on: branches/2.1/varnish-cache/bin/varnishtest/tests/v00011.vtc
___________________________________________________________________
Modified: svn:mergeinfo
- /trunk/varnish-cache/bin/varnishtest/tests/v00011.vtc:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986,4989,5016,5048,5162,5170
+ /trunk/varnish-cache/bin/varnishtest/tests/v00011.vtc:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986-4987,4989,5016,5048,5162,5170
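Review bot: The svn:mergeinfo changes above touch files this revision does not otherwise modify (cache_backend.h, cache_backend_cfg.c, vparam.h and the .vtc tests), only to turn "4986" into "4986-4987". The per-file lists also differ from the one on branches/2.1 itself, which carries 4640 where the file-level lists go straight from 4637 to 4643, so this subtree mergeinfo will keep showing up in every future merge. Consider a separate cleanup commit that reconciles the file-level mergeinfo with the branch root, so that a documentation-only merge like this one shows only barriers.rst and index.rst.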
Copied: branches/2.1/varnish-cache/doc/sphinx/phk/barriers.rst (from rev 4987, trunk/varnish-cache/doc/sphinx/phk/barriers.rst)
===================================================================
--- branches/2.1/varnish-cache/doc/sphinx/phk/barriers.rst (rev 0)
+++ branches/2.1/varnish-cache/doc/sphinx/phk/barriers.rst 2010-09-27 12:17:13 UTC (rev 5281)
@@ -0,0 +1,124 @@
+.. _phk_barriers:
+
+============================
+Security barriers in Varnish
+============================
+
+Security is a very important design driver in Varnish, more likely than not,
+if you find yourself thinking "Why did he do _that_ ? the answer has to
+do with security.
+
+The Varnish security model is based on some very crude but easy to understand
+barriers between the various components::
+
+ .-->- provides ->---------------------------------------.
+ | | |
+ (ADMIN)--+-->- runs ----->---. | |
+ | | | |
+ |-->- cli_req -->---| v v
+ '--<- cli_resp -<---| VCL MODULE
+ | | |
+ (OPER) | |reads |
+ | | | |
+ |runs | | |
+ | .-<- create -<-. | .->- fork ->-. v |
+ v |->- check -->-|-- MGR --| |-- VCC <- loads -|
+ VSM |-<- write --<-' | '-<- wait -<-' | |
+ TOOLS | | | |
+ ^ | .-------------' | |
+ | | | |writes |
+ |reads | |->- fork ----->-. | |
+ | | |->- cli_req -->-| | |
+ VSM ----' |-<- cli_resp -<-| v |
+ | '-<- wait -----<-| VCL.SO |
+ | | | |
+ | | | |
+ |---->----- inherit --->------|--<-- loads -------' |
+ |---->----- reads ---->------| |
+ '----<----- writes ----<------|--<-- loads --------------------'
+ |
+ |
+ |
+ .--->-- http_req --->--. | .-->-- http_req --->--.
+ (ANON) --| |-- CLD --| |-- (BACKEND)
+ '---<-- http_resp --<--' '--<-- http_resp --<--'
+
+(ASCII-ART rules!)
+
+The really Important Barrier
+============================
+
+The central actor in Varnish is the Manager process, "MGR", which is the
+proces the administrator "(ADMIN)" starts to get web-cache service.
+
+Having been there myself, I do not subscribe to the "I feel cool and important
+when I get woken up at 3AM to restart a dead process" school of thought, in
+fact, I think that is a clear sign of mindless stupidity: If we cannot
+get a computer to restart a dead process, why do we even have them ?
+
+The task of the Manager process is therefore not cache web content,
+but to make sure there always is a process which does that, the
+Child "CLD" process.
+
+That is the major barrier in Varnish: All management happens in
+one process all actual movement of traffic happens in another, and
+the Manager process does not trust the Child process at all.
+
+The Child process is in a the totally unprotected domain: Any
+computer on the InterNet "(ANON)" can connect to the Child process
+and ask for some web-object.
+
+If John D. Criminal manages to exploit a security hole in Varnish, it is
+the Child process he subverts. If he carries out a DoS attack, it is
+the Child process he tries to fell.
+
+Therefore the Manager starts the Child with as low priviledge as practically
+possible, and we close all filedescriptors it should not have access to and
+so on.
+
+There are only three channels of communication back to the Manager
+process: An exit code, a CLI response or writing stuff into the
+shared memory file "VSM" used for statistics and logging, all of
+these are well defended by the Manager process.
+
+The Admin/Oper Barrier
+======================
+
+If you look at the top left corner of the diagram, you will see that Varnish
+operates with separate Administrator "(ADMIN)" and Operator "(OPER)" roles.
+
+The Administrator does things, changes stuff etc. The Operator keeps an
+eye on things to make sure they are as they should be.
+
+These days Operators are often scripts and data collection tools, and
+there is no reason to assume they are bugfree, so Varnish does not
+trust the Operator role, that is a pure one-way relationship.
+
+(Trick: If the Child process us run under user "nobody", you can
+allow marginally trusted operations personel access to the "nobody"
+account (for instance using .ssh/authorized_keys2), and they will
+be able to kill the Child process, prompting the Manager process to
+restart it again with the same parameters and settings.)
+
+The Administrator has the final say, and of course, the administrator
+can decide under which circumstances that authority will be shared.
+
+Needless to say, if the system on which Varnish runs is not properly
+secured, the Administators monopoly of control will be compromised.
+
+All the other barriers
+======================
+
+There are more barriers, you can spot them by following the arrows in
+the diagram, but they are more sort of "technical" than "political" and
+generally try to guard against programming flaws as much as security
+compromise.
+
+For instance the VCC compiler runs in a separate child process, to make
+sure that a memory leak or other flaw in the compiler does not accumulate
+trouble for the Manager process.
+
+Hope this explanation helps understand why Varnish is not just a single
+process like all other server programs.
+
+Poul-Henning, 2010-06-28
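Review bot: The "(Trick: ...)" paragraph under "The Admin/Oper Barrier" recommends giving marginally trusted personnel access to the "nobody" account without saying that such access extends to anything else on the host that runs as "nobody", not only the Varnish Child. Suggest the text recommend a dedicated unprivileged user for the Child and state that limit explicitly, since the paragraph's stated goal is only to let them kill the Child. Wording to fix in the same pass: the quotation opened at "Why did he do _that_ ? is never closed, and _that_ is not reST emphasis (use *that*); "proces", "priviledge", "personel", "Administators monopoly", "If the Child process us run", "is in a the totally unprotected domain", and "is therefore not cache web content" (missing "to"). As the file is copied from trunk r4987, these are best corrected on trunk and merged, so that the branch copy does not diverge.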
Modified: branches/2.1/varnish-cache/doc/sphinx/phk/index.rst
===================================================================
--- branches/2.1/varnish-cache/doc/sphinx/phk/index.rst 2010-09-27 12:12:23 UTC (rev 5280)
+++ branches/2.1/varnish-cache/doc/sphinx/phk/index.rst 2010-09-27 12:17:13 UTC (rev 5281)
@@ -8,6 +8,7 @@
.. toctree::
+ barriers.rst
thoughts.rst
autocrap.rst
sphinx.rst
Property changes on: branches/2.1/varnish-cache/include/vct.h
___________________________________________________________________
Modified: svn:mergeinfo
- /trunk/varnish-cache/include/vct.h:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986,4989,5016,5048,5162,5170
+ /trunk/varnish-cache/include/vct.h:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986-4987,4989,5016,5048,5162,5170
Property changes on: branches/2.1/varnish-cache/include/vev.h
___________________________________________________________________
Modified: svn:mergeinfo
- /trunk/varnish-cache/include/vev.h:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986,4989,5016,5048,5162,5170
+ /trunk/varnish-cache/include/vev.h:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986-4987,4989,5016,5048,5162,5170
Property changes on: branches/2.1/varnish-cache/lib/libvarnish/tcp.c
___________________________________________________________________
Modified: svn:mergeinfo
- /trunk/varnish-cache/lib/libvarnish/tcp.c:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986,4989,5016,5048,5162,5170
+ /trunk/varnish-cache/lib/libvarnish/tcp.c:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986-4987,4989,5016,5048,5162,5170
Property changes on: branches/2.1/varnish-cache/lib/libvarnish/vev.c
___________________________________________________________________
Modified: svn:mergeinfo
- /trunk/varnish-cache/lib/libvarnish/vev.c:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986,4989,5016,5048,5162,5170
+ /trunk/varnish-cache/lib/libvarnish/vev.c:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986-4987,4989,5016,5048,5162,5170
Property changes on: branches/2.1/varnish-cache/lib/libvcl/vcc_dir_random.c
___________________________________________________________________
Modified: svn:mergeinfo
- /trunk/varnish-cache/lib/libvcl/vcc_dir_random.c:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986,4989,5016,5048,5162,5170
+ /trunk/varnish-cache/lib/libvcl/vcc_dir_random.c:4637,4643-4650,4654-4670,4686,4689-4690,4696-4702,4706,4712,4715-4719,4729-4731,4747,4749-4750,4754,4757-4758,4762,4781-4787,4789-4790,4792-4793,4810,4818,4823,4826,4828-4829,4842,4852-4853,4856,4858-4870,4874-4876,4878-4881,4888-4889,4912,4922-4923,4946-4950,4967-4968,4971,4973-4975,4977,4979-4981,4986-4987,4989,5016,5048,5162,5170