[3.0] 5cc9462 Solaris sandbox changes.

Tollef Fog Heen tfheen at varnish-cache.org
Wed Oct 26 14:58:53 CEST 2011


commit 5cc94622da8df18349a47d259d6ac7b80c86648b
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date:   Wed Oct 12 08:29:41 2011 +0000

    Solaris sandbox changes.
    
    Submitted by:	Nils Goroll
    
    Conflicts:
    
    	bin/varnishd/mgt_sandbox_solaris.c

diff --git a/bin/varnishd/mgt.h b/bin/varnishd/mgt.h
index 24293c2..578fcad 100644
--- a/bin/varnishd/mgt.h
+++ b/bin/varnishd/mgt.h
@@ -75,6 +75,7 @@ void mgt_sandbox(void);
 #ifdef HAVE_SETPPRIV
 void mgt_sandbox_solaris_init(void);
 void mgt_sandbox_solaris_fini(void);
+void mgt_sandbox_solaris_privsep(void);
 #endif
 
 /* mgt_shmem.c */
diff --git a/bin/varnishd/mgt_sandbox.c b/bin/varnishd/mgt_sandbox.c
index 94f9f4d..f092bf2 100644
--- a/bin/varnishd/mgt_sandbox.c
+++ b/bin/varnishd/mgt_sandbox.c
@@ -62,17 +62,17 @@
 void
 mgt_sandbox(void)
 {
-
 #ifdef HAVE_SETPPRIV
 	mgt_sandbox_solaris_init();
-#endif
-
+	mgt_sandbox_solaris_privsep();
+#else
 	if (geteuid() == 0) {
 		XXXAZ(setgid(params->gid));
 		XXXAZ(setuid(params->uid));
 	} else {
 		REPORT0(LOG_INFO, "Not running as root, no priv-sep");
 	}
+#endif
 
 	/* On Linux >= 2.4, you need to set the dumpable flag
 	   to get core dumps after you have done a setuid. */
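Review bot: Neither branch of mgt_sandbox() sheds supplementary groups before changing IDs: the `#else` path goes straight to `setgid(params->gid)` and `setuid(params->uid)`, and the new mgt_sandbox_solaris_privsep() in mgt_sandbox_solaris.c does the same. When the manager is started as root, the process would presumably keep root's supplementary group memberships after the switch, which weakens the privilege separation this function is meant to provide. A call such as `XXXAZ(setgroups(1, &params->gid));` ahead of each `setgid()` would close that gap, assuming `params->gid` is a `gid_t` object. The body of mgt_sandbox() continues past the end of this hunk.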
diff --git a/bin/varnishd/mgt_sandbox_solaris.c b/bin/varnishd/mgt_sandbox_solaris.c
index 15b7c95..5da880a 100644
--- a/bin/varnishd/mgt_sandbox_solaris.c
+++ b/bin/varnishd/mgt_sandbox_solaris.c
@@ -42,6 +42,10 @@
 #ifdef HAVE_PRIV_H
 #include <priv.h>
 #endif
+#include <stdio.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
 
 #include "mgt.h"
 #include "heritage.h"
@@ -154,6 +158,20 @@ mgt_sandbox_solaris_init(void)
 	priv_freeset(priv_all);
 }
 
+void
+mgt_sandbox_solaris_privsep(void)
+{
+	if (priv_ineffect(PRIV_PROC_SETID)) {
+                if (getgid() != params->gid)
+                        XXXAZ(setgid(params->gid));
+                if (getuid() != params->uid)
+                        XXXAZ(setuid(params->uid));
+        } else {
+                REPORT(LOG_INFO, "Privilege %s missing, will not change uid/gid",
+		    PRIV_PROC_SETID);
+        }
+}
+
 /* 
  * Waive most privileges in the child
  *
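Review bot: The guards `getgid() != params->gid` and `getuid() != params->uid` in mgt_sandbox_solaris_privsep() compare real IDs only, while the non-Solaris path in mgt_sandbox() keys on `geteuid()`. If the real ID already matches the target but the effective or saved ID does not, the `setgid`/`setuid` call is skipped and the elevated effective ID survives the "privsep" step. Since this code only runs when `PRIV_PROC_SETID` is in effect, calling `XXXAZ(setgid(params->gid));` and `XXXAZ(setuid(params->uid));` unconditionally is simpler and safer; alternatively the guards could also test `getegid()` and `geteuid()`. Separately, the new body mixes space and tab indentation, unlike the tab-indented code around it.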


