Varnish jails, priv-sep, packaging etc.
Rogier 'DocWilco' Mulhuijzen
varnish at bsdchicks.com
Wed Apr 15 18:20:25 CEST 2015
On Wed, Apr 15, 2015 at 6:18 AM Poul-Henning Kamp <phk at phk.freebsd.dk>
wrote:
> That would make gid=varnish the general restrictor for access, such that
> it could also be used for VCL files etc.
>
Yup, I think it's a very reasonable yet safe restriction.
> You can put the secret file wherever you like (and have as many copies
> as you like) this is only about when people do not give a -S.
>
> I think keeping it in the -n directory makes sense, and giving it the
> same privs (uid/gid) as varnishd was started with is a good place to start.
>
Yeah, I was thinking it might work well as a default, but if we go with
gid=varnish being needed for the tools, scratch making the default
something else.
So 640 + vadmin:varnish ? (_.vsm)
>
Yes.
That would be consistent, but what does everybody else say ?
>
Quite. Anyone? :)
Dridi's suggestion of "vcache" is better than my "vrun".
>
I agree. It's way more recognizable as being varnish related than "vrun" or
"vworker".