[master] 3d0030d document jails

Fri Mar 13 15:37:47 CET 2015

commit 3d0030db04e179549cfa845524d98a9e92906925
Author: Nils Goroll <nils.goroll at uplex.de>
Date:   Fri Mar 13 15:37:20 2015 +0100

    document jails

diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c
index 9493fe2..4ebc6b3 100644
--- a/bin/varnishd/mgt/mgt_main.c
+++ b/bin/varnishd/mgt/mgt_main.c
@@ -154,6 +154,10 @@ usage(void)
 	fprintf(stderr, FMT, "", "  -h classic,<buckets>");
 	fprintf(stderr, FMT, "-i identity", "Identity of varnish instance");
 	fprintf(stderr, FMT, "-j jail[,jailoptions]", "Jail specification");
+#ifdef HAVE_SETPPRIV
+	fprintf(stderr, FMT, "", "  -j solaris");
+#endif
+	fprintf(stderr, FMT, "", "  -j unix[,user=<user>][,ccgroup=<group>]");
 	fprintf(stderr, FMT, "", "  -j none");
 	fprintf(stderr, FMT, "-l shl,free,fill", "Size of shared memory file");
 	fprintf(stderr, FMT, "", "  shl: space for SHL records [80m]");
diff --git a/doc/sphinx/reference/varnishd.rst b/doc/sphinx/reference/varnishd.rst
index 1856bcb..c75d32e 100644
--- a/doc/sphinx/reference/varnishd.rst
+++ b/doc/sphinx/reference/varnishd.rst
@@ -70,6 +70,44 @@ OPTIONS
             Specify the identity of the Varnish server.  This can be accessed using server.identity
             from VCL
 
+-j jail[,jailoptions]
+            Specify the jailing technology to use.
+
+            Jails generalize over various options to reduce the
+            privileges of varnish sub-processes. They may have
+            specific options and may be platform specific. Available
+            jails are:
+
+            * -j solaris
+
+              Reduce privileges(5) for varnishd and sub-process to the
+              minimally required set. Only available on platforms
+              which have the setppriv(2) call.
+
+            * -j unix[,user=<user>][,ccgroup=<group>]
+
+              Default on all other platforms if `varnishd` is either
+              started with an effective uid of 0 (e.g. as root) or as
+              user ``varnish``.
+
+              With the ``unix`` jail technology activated, varnish
+              will switch to an alternative user for subprocesses and
+              change the effective uid of the master process whenever
+              possible.
+
+              The optional `user` argument specifies which alternative
+              user to use. It defauls to ``varnish``
+
+              The optional `ccgroup` argument specifies a group to add
+              to varnish subprocesses requiring access to a
+              c-compiler. There is no default.
+
+            * -j none
+
+              last resort jail choice: With jail technology ``none``,
+              varnish will run all processes with the privileges it
+              was started with.
+
 -l shl[,free[,fill]]
             Specifies size of shmlog file. shl is the store for the
             shared memory log records [80M], free is the store for other
@@ -293,7 +331,7 @@ The varnishd daemon was developed by Poul-Henning Kamp in cooperation
 with Verdens Gang AS and Varnish Software.
 
 This manual page was written by Dag-Erling Smørgrav with updates by
-Stig Sandbeck Mathisen <ssm at debian.org>.
+Stig Sandbeck Mathisen <ssm at debian.org> and others.
 
 
 COPYRIGHT

