[master] a693b44 Implment Doc "The American" Wilco's suggestion and restrict shared memory access to require root or varnish group membership.

Wed Apr 15 23:21:31 CEST 2015

commit a693b444719ff845449f8a75b7a3cedcf3e732f7
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date:   Wed Apr 15 21:20:33 2015 +0000

    Implment Doc "The American" Wilco's suggestion and restrict
    shared memory access to require root or varnish group membership.

diff --git a/bin/varnishd/mgt/mgt.h b/bin/varnishd/mgt/mgt.h
index 410439e..86fcdee 100644
--- a/bin/varnishd/mgt/mgt.h
+++ b/bin/varnishd/mgt/mgt.h
@@ -86,7 +86,7 @@ typedef int jail_init_f(char **);
 typedef void jail_master_f(enum jail_master_e);
 typedef void jail_subproc_f(enum jail_subproc_e);
 typedef void jail_make_dir_f(const char *dname);
-typedef void jail_storage_file_f(int fd);
+typedef void jail_fixfile_f(int fd);
 
 struct jail_tech {
 	unsigned		magic;
@@ -97,7 +97,8 @@ struct jail_tech {
 	jail_subproc_f		*subproc;
 	jail_make_dir_f		*make_workdir;
 	jail_make_dir_f		*make_vcldir;
-	jail_storage_file_f	*storage_file;
+	jail_fixfile_f		*vsm_file;
+	jail_fixfile_f		*storage_file;
 };
 
 void VJ_Init(const char *j_arg);
@@ -105,7 +106,8 @@ void VJ_master(enum jail_master_e jme);
 void VJ_subproc(enum jail_subproc_e jse);
 void VJ_make_workdir(const char *dname);
 void VJ_make_vcldir(const char *dname);
-void VJ_storage_file(int fd);
+void VJ_fix_vsm_file(int fd);
+void VJ_fix_storage_file(int fd);
 
 extern const struct jail_tech jail_tech_unix;
 extern const struct jail_tech jail_tech_solaris;
diff --git a/bin/varnishd/mgt/mgt_jail.c b/bin/varnishd/mgt/mgt_jail.c
index 260e6f6..d75cc3b 100644
--- a/bin/varnishd/mgt/mgt_jail.c
+++ b/bin/varnishd/mgt/mgt_jail.c
@@ -181,10 +181,19 @@ VJ_make_vcldir(const char *dname)
 }
 
 void
-VJ_storage_file(int fd)
+VJ_fix_storage_file(int fd)
 {
 
 	CHECK_OBJ_NOTNULL(vjt, JAIL_TECH_MAGIC);
 	if (vjt->storage_file != NULL)
 		vjt->storage_file(fd);
 }
+
+void
+VJ_fix_vsm_file(int fd)
+{
+
+	CHECK_OBJ_NOTNULL(vjt, JAIL_TECH_MAGIC);
+	if (vjt->vsm_file != NULL)
+		vjt->vsm_file(fd);
+}
diff --git a/bin/varnishd/mgt/mgt_jail_unix.c b/bin/varnishd/mgt/mgt_jail_unix.c
index 58eae00..f800ffd 100644
--- a/bin/varnishd/mgt/mgt_jail_unix.c
+++ b/bin/varnishd/mgt/mgt_jail_unix.c
@@ -235,7 +235,17 @@ vju_make_vcldir(const char *dname)
 	AZ(seteuid(vju_uid));
 }
 
-static void
+
+static void __match_proto__(jail_fixfile_f)
+vju_vsm_file(int fd)
+{
+	/* Called under JAIL_MASTER_FILE */
+
+	AZ(fchmod(fd, 0640));
+	AZ(fchown(fd, 0, vju_gid));
+}
+
+static void __match_proto__(jail_fixfile_f)
 vju_storage_file(int fd)
 {
 	/* Called under JAIL_MASTER_STORAGE */
@@ -250,6 +260,7 @@ const struct jail_tech jail_tech_unix = {
 	.init =		vju_init,
 	.master =	vju_master,
 	.make_vcldir =	vju_make_vcldir,
+	.vsm_file =	vju_vsm_file,
 	.storage_file =	vju_storage_file,
 	.subproc =	vju_subproc,
 };
diff --git a/bin/varnishd/mgt/mgt_shmem.c b/bin/varnishd/mgt/mgt_shmem.c
index 7ac8a53..89a7935 100644
--- a/bin/varnishd/mgt/mgt_shmem.c
+++ b/bin/varnishd/mgt/mgt_shmem.c
@@ -151,12 +151,13 @@ vsm_zerofile(const char *fn, ssize_t size)
 	int fd;
 	int flags;
 
-	fd = flopen(fn, O_RDWR | O_CREAT | O_EXCL | O_NONBLOCK, 0644);
+	fd = flopen(fn, O_RDWR | O_CREAT | O_EXCL | O_NONBLOCK, 0640);
 	if (fd < 0) {
 		fprintf(stderr, "Could not create %s: %s\n",
 		    fn, strerror(errno));
 		return (-1);
 	}
+	VJ_fix_vsm_file(fd);
 	flags = fcntl(fd, F_GETFL);
 	assert(flags != -1);
 	flags &= ~O_NONBLOCK;
diff --git a/bin/varnishd/storage/stevedore_utils.c b/bin/varnishd/storage/stevedore_utils.c
index 80840cb..e5b727d 100644
--- a/bin/varnishd/storage/stevedore_utils.c
+++ b/bin/varnishd/storage/stevedore_utils.c
@@ -95,7 +95,7 @@ STV_GetFile(const char *fn, int *fdp, const char **fnp, const char *ctx)
 	VJ_master(JAIL_MASTER_STORAGE);
 	fd = open(fn, O_RDWR | O_CREAT | O_EXCL | O_LARGEFILE, 0600);
 	if (fd >= 0) {
-		VJ_storage_file(fd);
+		VJ_fix_storage_file(fd);
 		*fdp = fd;
 		*fnp = fn;
 		VJ_master(JAIL_MASTER_LOW);
@@ -134,7 +134,7 @@ STV_GetFile(const char *fn, int *fdp, const char **fnp, const char *ctx)
 		    ctx, fn);
 
 	*fdp = fd;
-	VJ_storage_file(fd);
+	VJ_fix_storage_file(fd);
 	VJ_master(JAIL_MASTER_LOW);
 	return (retval);
 }

