[PATCH] tailored assertions for priv_addset and setppriv

Nils Goroll slink at schokola.de
Tue Oct 30 09:13:23 CET 2012


On 10/29/12 10:02 PM, Poul-Henning Kamp wrote:
> Niels, can't we find some way to assert that we get the privs
> which are supported ?

The attached patch asserts that priv_addset either succeeds, or fails with 
EINVAL. I've taken VTCP_Assert as a template.

Consequently, I have added the same check for three setppriv calls.

> I'm sort of paranoid about silent priv-sep issues, because they have
> a tendency to become security exploits...

I second your point in general, but this is not the place where this risk lives:

In mgt_sandbox_solaris_waive, we construct the privilege sets of the privileges 
we intend to use. These are then inverted and the inverse is removed from the 
active privilege sets. If the latter fails, the SETPPRIV macro logs a warning.

So if adding a privilege failed, we end up with fewer privileges rather than more.

We could, however, consider asserting in SETPPRIV that setppriv(PRIV_OFF, ...) 
succeeds rather than only throwing a warning if it fails, because this implies 
that we may be running with more privileges than we intended to.

The attached patch does not contain this change yet.

Nils
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-tailored-assertions-for-priv_addset-and-setppriv.patch
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-dev/attachments/20121030/f41b03ed/attachment.ksh>
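
The reasoning in the message above, as a small C model added here (not code from the attached patch or from Varnish): privilege sets are modeled as bitmasks, and the `model_*` functions, the `P_*` privilege names and the `excess` helper are hypothetical stand-ins for the Solaris calls. It shows that a failed add leaves fewer privileges, while a failed PRIV_OFF leaves more than intended.

```c
#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Model only: a privilege set is a bitmask. The model_* names are
 * hypothetical stand-ins for priv_addset()/setppriv(), not the Solaris API. */
typedef uint32_t model_privset;
enum { P_FILE_READ = 1u << 0, P_PROC_FORK = 1u << 1, P_PROC_EXEC = 1u << 2,
       P_NET_ADDR = 1u << 3, P_UNKNOWN = 1u << 30 };   /* constructed names */
#define P_SUPPORTED (P_FILE_READ | P_PROC_FORK | P_PROC_EXEC | P_NET_ADDR)

/* Adding a privilege this system does not know fails with EINVAL. */
static int model_addset(model_privset *set, model_privset priv)
{
    if ((priv & P_SUPPORTED) == 0) { errno = EINVAL; return -1; }
    *set |= priv;
    return 0;
}

/* PRIV_OFF removes bits from the active set; `fail` simulates an error. */
static int model_setppriv_off(model_privset *active, model_privset off, int fail)
{
    if (fail) { errno = EPERM; return -1; }
    *active &= ~off;
    return 0;
}

/* Build the set we intend to keep, invert it, remove the inverse. */
static model_privset waive(model_privset active, const model_privset *want, int n, int off_fails)
{
    model_privset keep = 0;
    for (int i = 0; i < n; i++)
        if (model_addset(&keep, want[i]) != 0)
            assert(errno == EINVAL);          /* only tolerated failure */
    if (model_setppriv_off(&active, ~keep, off_fails) != 0)
        fprintf(stderr, "warning: PRIV_OFF failed, privileges not waived\n");
    return active;
}

/* Privileges still held that were never intended to be kept. */
static model_privset excess(model_privset got, model_privset intended) { return got & ~intended; }

int main(void)
{
    const model_privset want[] = { P_FILE_READ, P_UNKNOWN };
    printf("addset failed:   excess=%#x\n", excess(waive(P_SUPPORTED, want, 2, 0), P_FILE_READ | P_UNKNOWN));
    printf("PRIV_OFF failed: excess=%#x\n", excess(waive(P_SUPPORTED, want, 2, 1), P_FILE_READ | P_UNKNOWN));
    return 0;
}
```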

