[master] c483147 Minor repairs
phk at FreeBSD.org
Mon Feb 16 15:45:55 CET 2015
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date: Mon Feb 16 14:45:39 2015 +0000
diff --git a/doc/sphinx/users-guide/run_security.rst b/doc/sphinx/users-guide/run_security.rst
index 5fe3890..72f7bda 100644
@@ -13,11 +13,11 @@ partitioned along administrative lines, you need to think about
Varnish provides four levels of authority, roughly related to
-how and where the command comes into Varnish:
+how and where control comes into Varnish:
- * the command line arguments,
+ * The command line arguments,
- * the CLI interface,
+ * The CLI interface,
* VCL programs, and
@@ -26,7 +26,9 @@ how and where the command comes into Varnish:
Command line arguments
-The top level security decisions is decided and defined when starting Varnish in the form of command line arguments, we use this strategy in order to make them invulnerable to subsequent manipulation.
+The top level security decisions is decided and defined when starting
+Varnish in the form of command line arguments, we use this strategy
+in order to make them invulnerable to subsequent manipulation.
The important decisions to make are:
@@ -38,6 +40,8 @@ The important decisions to make are:
#. If/how VMODs will be restricted?
+#. How child processes will be jailed?
CLI interface access
@@ -152,8 +156,8 @@ interface.
Pretty much any parameter can be used to totally mess up your
HTTP service, but a few can do more damage than others:
-:ref:`ref_param_user` and :ref:`ref_param_group`
- Access to local system via VCL
+.. XXX :ref:`ref_param_user` and :ref:`ref_param_group`
+.. XXX Access to local system via VCL
Trojan other TCP sockets, like `ssh`
More information about the varnish-commit