[experimental-ims] 19a9743 -r option for read only parameters

Per Buer perbu at varnish-software.com
Thu Dec 18 10:27:45 CET 2014


commit 19a97432827c29a6fdc63101494ca72b109c8df2
Author: Per Buer <perbu at varnish-software.com>
Date:   Mon Apr 30 09:48:56 2012 +0200

    -r option for read only parameters

diff --git a/doc/sphinx/reference/varnishd.rst b/doc/sphinx/reference/varnishd.rst
index f0647b3..b75bbb0 100644
--- a/doc/sphinx/reference/varnishd.rst
+++ b/doc/sphinx/reference/varnishd.rst
@@ -23,7 +23,7 @@ varnishd [-a address[:port]] [-b host[:port]] [-d] [-F] [-f config]
 	 [-g group] [-h type[,options]] [-i identity]
 	 [-l shmlogsize] [-n name] [-P file] [-p param=value] 
 	 [-s type[,options]] [-T address[:port]] [-t ttl]
-	 [-u user] [-V] 
+	 [-r param[,param...]] [-u user] [-V] 
 
 DESCRIPTION
 ===========
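Review bot: In the synopsis, the new `[-r param[,param...]]` entry is placed after `[-t ttl]`, while the visible part of the list is otherwise alphabetical (`-l`, `-n`, `-P`, `-p`, `-s`, `-T`, `-t`, `-u`, `-V`). It would be easier to find between `[-p param=value]` and `[-s type[,options]]`. The added line also carries over the trailing space after `[-V]`, which could be dropped while the line is being touched.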
@@ -110,6 +110,13 @@ OPTIONS
             documents.  This is a shortcut for specifying the
             default_ttl run-time parameter.
 
+-r param[,param...]  
+            Specifies a list of parameters that are read only. In a
+            very secure environment you want to consider setting
+            parameters such as *user*, *group*, *cc_command*,
+            *vcc_allow_inline_c* to read only as these can potentially
+            be used to escalate privileges.
+
 -u user     Specifies the name of an unprivileged user to which the child
             process should switch before it starts accepting
             connections.  This is a shortcut for specifying the user
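Review bot: The new `-r` entry says the listed parameters are "read only" but does not say what that means in practice: through which interface a change is refused, what the operator sees when a change is attempted, or how `-r` interacts with a `-p param=value` given on the same command line. Since the text recommends this for *user*, *group*, *cc_command* and *vcc_allow_inline_c* as a guard against privilege escalation, the enforcement behaviour should be documented so operators know what they can rely on. Smaller points: "you want to consider" reads better as "you may want to consider", the `-r param[,param...]` line ends in trailing whitespace, and unlike `-u user` just below, the description starts on the line after the option, so check that the entry still renders as intended.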


