[master] 1a80a01 Solaris sandbox changes.
Poul-Henning Kamp
phk at varnish-cache.org
Wed Oct 12 10:30:16 CEST 2011
commit 1a80a0197d49b231d4fd97d9b01609c187db569b
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date: Wed Oct 12 08:29:41 2011 +0000
Solaris sandbox changes.
Submitted by: Nils Goroll
diff --git a/bin/varnishd/mgt.h b/bin/varnishd/mgt.h
index 2b17052..1656af8 100644
--- a/bin/varnishd/mgt.h
+++ b/bin/varnishd/mgt.h
@@ -70,6 +70,7 @@ void mgt_sandbox(void);
#ifdef HAVE_SETPPRIV
void mgt_sandbox_solaris_init(void);
void mgt_sandbox_solaris_fini(void);
+void mgt_sandbox_solaris_privsep(void);
#endif
/* mgt_shmem.c */
diff --git a/bin/varnishd/mgt_sandbox.c b/bin/varnishd/mgt_sandbox.c
index 3aba7cc..8ac827d 100644
--- a/bin/varnishd/mgt_sandbox.c
+++ b/bin/varnishd/mgt_sandbox.c
@@ -63,17 +63,17 @@
void
mgt_sandbox(void)
{
-
#ifdef HAVE_SETPPRIV
mgt_sandbox_solaris_init();
-#endif
-
+ mgt_sandbox_solaris_privsep();
+#else
if (geteuid() == 0) {
XXXAZ(setgid(params->gid));
XXXAZ(setuid(params->uid));
} else {
REPORT0(LOG_INFO, "Not running as root, no priv-sep");
}
+#endif
/* On Linux >= 2.4, you need to set the dumpable flag
to get core dumps after you have done a setuid. */
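Review bot: Nothing in mgt_sandbox() explains why a Solaris build no longer consults `geteuid()`, now that the new `#else` makes the two privilege-separation paths mutually exclusive at compile time. A short comment above the `#ifdef` would help the next reader, for example `/* Solaris: uid/gid change is gated on PRIV_PROC_SETID, not on euid 0 */`. With the conditional now spanning a dozen lines, closing it as `#endif /* HAVE_SETPPRIV */` would also make the pairing easier to follow. The function body continues past the end of this hunk.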
diff --git a/bin/varnishd/mgt_sandbox_solaris.c b/bin/varnishd/mgt_sandbox_solaris.c
index 5c50c83..534f609 100644
--- a/bin/varnishd/mgt_sandbox_solaris.c
+++ b/bin/varnishd/mgt_sandbox_solaris.c
@@ -40,6 +40,7 @@
#include <stdio.h>
#include <string.h>
#include <syslog.h>
+#include <unistd.h>
#include "mgt.h"
@@ -153,6 +154,20 @@ mgt_sandbox_solaris_init(void)
priv_freeset(priv_all);
}
+void
+mgt_sandbox_solaris_privsep(void)
+{
+ if (priv_ineffect(PRIV_PROC_SETID)) {
+ if (getgid() != params->gid)
+ XXXAZ(setgid(params->gid));
+ if (getuid() != params->uid)
+ XXXAZ(setuid(params->uid));
+ } else {
+ REPORT(LOG_INFO, "Privilege %s missing, will not change uid/gid",
+ PRIV_PROC_SETID);
+ }
+}
+
/*
* Waive most privileges in the child
*
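Review bot: mgt_sandbox_solaris_privsep() changes the gid and uid but never resets the supplementary group list, so a child started by root would presumably keep root's extra group memberships after `setuid()`. Adding `XXXAZ(setgroups(0, NULL));` ahead of the `setgid()` call inside the `priv_ineffect(PRIV_PROC_SETID)` branch would close that gap; the non-Solaris branch of mgt_sandbox() in mgt_sandbox.c shows the same pattern. The guards also compare the real ids (`getuid()`/`getgid()`) while the non-Solaris path tests `geteuid()`, so a process whose real id already matches but whose effective id does not would skip the change. Comparing `geteuid()`/`getegid()`, or calling `setgid()`/`setuid()` unconditionally once the privilege is in effect, would avoid that.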