[master] db1a7ca Introduce a "workuser" subargument to -junix, which makes it possible to run the varnishd worker process as a different user than the VCC and CC subprocesses.

Poul-Henning Kamp phk at FreeBSD.org
Tue Apr 14 22:48:22 CEST 2015 

commit db1a7ca80340dc17a3924437c1e76f45124ba7d9
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date:   Tue Apr 14 20:46:11 2015 +0000

    Introduce a "workuser" subargument to -junix, which makes it possible
    to run the varnishd worker process as a different user than the VCC
    and CC subprocesses.
    
    It is mandatory that the workuser has the same login group as the user
    subparamter.
    
    Recommended values for packaging:
    
    	-junix,user=varnish	"varnish" user has login group "varnish"
    	-junix,workuser=vrun	"vrun" user has login group "varnish"

diff --git a/bin/varnishd/mgt/mgt_jail_unix.c b/bin/varnishd/mgt/mgt_jail_unix.c
index 8b989a8..7afc364 100644
--- a/bin/varnishd/mgt/mgt_jail_unix.c
+++ b/bin/varnishd/mgt/mgt_jail_unix.c
@@ -51,6 +51,11 @@ static gid_t vju_mgr_gid;
 static uid_t vju_uid;
 static gid_t vju_gid;
 static const char *vju_user;
+
+static uid_t vju_wrkuid;
+static gid_t vju_wrkgid;
+static const char *vju_wrkuser;
+
 static gid_t vju_cc_gid;
 static int vju_cc_gid_set;
 
@@ -79,6 +84,22 @@ vju_getuid(const char *arg)
 }
 
 static int
+vju_getwrkuid(const char *arg)
+{
+	struct passwd *pw;
+
+	pw = getpwnam(arg);
+	if (pw != NULL) {
+		vju_wrkuser = strdup(arg);
+		AN(vju_wrkuser);
+		vju_wrkuid = pw->pw_uid;
+		vju_wrkgid = pw->pw_gid;
+	}
+	endpwent();
+	return (pw == NULL ? -1 : 0);
+}
+
+static int
 vju_getccgid(const char *arg)
 {
 	struct group *gr;
@@ -121,6 +142,12 @@ vju_init(char **args)
 				    (*args) + 5);
 			continue;
 		}
+		if (!strncmp(*args, "workuser=", 9)) {
+			if (vju_getwrkuid((*args) + 9))
+				ARGV_ERR("Unix jail: %s user not found.\n",
+				    (*args) + 5);
+			continue;
+		}
 		if (!strncmp(*args, "ccgroup=", 8)) {
 			if (vju_getccgid((*args) + 8))
 				ARGV_ERR("Unix jail: %s group not found.\n",
@@ -158,8 +185,14 @@ vju_subproc(enum jail_subproc_e jse)
 	gid_t gid_list[NGID];
 
 	AZ(seteuid(0));
-	AZ(setgid(vju_gid));
-	AZ(initgroups(vju_user, vju_gid));
+	if (vju_wrkuser != NULL &&
+	    (jse == JAIL_SUBPROC_VCLLOAD || jse == JAIL_SUBPROC_WORKER)) {
+		AZ(setgid(vju_wrkgid));
+		AZ(initgroups(vju_wrkuser, vju_wrkgid));
+	} else {
+		AZ(setgid(vju_gid));
+		AZ(initgroups(vju_user, vju_gid));
+	}
 
 	if (jse == JAIL_SUBPROC_CC && vju_cc_gid_set) {
 		/* Add the optional extra group for the C-compiler access */
@@ -169,7 +202,12 @@ vju_subproc(enum jail_subproc_e jse)
 		AZ(setgroups(i, gid_list));
 	}
 
-	AZ(setuid(vju_uid));
+	if (vju_wrkuser != NULL &&
+	    (jse == JAIL_SUBPROC_VCLLOAD || jse == JAIL_SUBPROC_WORKER)) {
+		AZ(setuid(vju_wrkuid));
+	} else {
+		AZ(setuid(vju_uid));
+	}
 
 #ifdef __linux__
 	/*
diff --git a/bin/varnishd/mgt/mgt_vcc.c b/bin/varnishd/mgt/mgt_vcc.c
index f350614..4ee4fc7 100644
--- a/bin/varnishd/mgt/mgt_vcc.c
+++ b/bin/varnishd/mgt/mgt_vcc.c
@@ -172,7 +172,7 @@ run_cc(void *priv)
 		VSB_putc(sb, '%');
 	AZ(VSB_finish(sb));
 
-	(void)umask(077);
+	(void)umask(027);
 	(void)execl("/bin/sh", "/bin/sh", "-c", VSB_data(sb), (char*)0);
 	VSB_delete(sb);				// For flexelint
 }
@@ -227,7 +227,7 @@ mgt_vcc_touchfile(const char *fn, struct vsb *sb)
 {
 	int i;
 
-	i = open(fn, O_WRONLY|O_CREAT|O_TRUNC, 0600);
+	i = open(fn, O_WRONLY|O_CREAT|O_TRUNC, 0640);
 	if (i < 0) {
 		VSB_printf(sb, "Failed to create %s: %s", fn, strerror(errno));
 		return (2);
diff --git a/bin/varnishtest/tests/j00001.vtc b/bin/varnishtest/tests/j00001.vtc
new file mode 100644
index 0000000..25e6f3b
--- /dev/null
+++ b/bin/varnishtest/tests/j00001.vtc
@@ -0,0 +1,24 @@
+varnishtest "Run worker with different uid in UNIX jail"
+
+# The "vrun" user must have login group "varnish"
+
+feature user_varnish
+feature user_vrun
+feature group_varnish
+feature root
+
+server s1 {
+	rxreq
+	txresp
+} -start
+
+varnish v1 \
+	-jail "-junix,user=varnish,ccgroup=varnish,workuser=vrun" \
+	-vcl+backend {
+} -start
+
+client c1 {
+	txreq
+	rxresp
+	expect resp.status == 200
+} -run
diff --git a/bin/varnishtest/tests/j00002.vtc b/bin/varnishtest/tests/j00002.vtc
new file mode 100644
index 0000000..34165a5
--- /dev/null
+++ b/bin/varnishtest/tests/j00002.vtc
@@ -0,0 +1,8 @@
+varnishtest "-junix bad subarg handling"
+
+feature root
+
+err_shell "unknown sub-argument" "${varnishd} -junix,bla=foo 2>&1"
+err_shell "user not found" "${varnishd} -junix,user=/// 2>&1"
+err_shell "user not found" "${varnishd} -junix,workuser=/// 2>&1"
+err_shell "group not found" "${varnishd} -junix,ccgroup=/// 2>&1"
diff --git a/bin/varnishtest/vtc.c b/bin/varnishtest/vtc.c
index c4c9fd5..89719e8 100644
--- a/bin/varnishtest/vtc.c
+++ b/bin/varnishtest/vtc.c
@@ -573,6 +573,10 @@ cmd_feature(CMD_ARGS)
 		    getpwnam("varnish") != NULL)
 			continue;
 
+		if (!strcmp(av[i], "user_vrun") &&
+		    getpwnam("vrun") != NULL)
+			continue;
+
 		if (!strcmp(av[i], "group_varnish") &&
 		    getgrnam("varnish") != NULL)
 			continue;

More information about the varnish-commit mailing list