Thinking about sandboxing (take #2)
Nils Goroll
slink at schokola.de
Thu Feb 12 13:57:23 CET 2015
On 12/02/15 11:22, Poul-Henning Kamp wrote:
> Varnishd can be started four different ways:
I'd need to wrap my head around the details, but the two additional 'least
privileges' ways to start varnish (on solaris today and why-not on Linux in
future) are:
5) Starting from a privilege aware process or classical 'root' with uid/gid
switching
ppriv -e -s \
A=basic,sys_resource,proc_setid,net_privaddr,!proc_info,!proc_session \
varnishd -u $user -g $group # *1)
The user starting varnish with these privileges does not need to (but can)
be root. It only needs to possess the privileges specified by A=... above.
sandboxes will waive all privileges they don't need and will run as
$user:$group
Sample Remaining privset for a worker:
37003: /tmp/sbin/varnishd -a 127.0.0.1:81 -b 127.0.0.1:80
flags = PRIV_AWARE
E: file_read,file_write,net_access
I: none
P: file_read,file_write,net_access,sys_resource
L: file_read,file_write,net_access,sys_resource
6) Same without uid/gid switching (avoiding the SNOCD thing):
Same, but without proc_setid and -u / -g identical to the user starting
varnishd
On 12/02/15 11:22, Poul-Henning Kamp wrote:
> This is under further consideration for side-effects (storage
> files etc.)
Yes, and there is further complication from vmods - so we might need to make the
worker privset user-configurable to allow for vmods requiring elevated privileges.
Nils
*1) Using A= is actually a cheap simplification here, the minimum required
privset is even smaller
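As an added illustration (not part of the mail, and not varnish code), the following checks a ppriv(1) dump like the worker one above against the A= privset varnishd was started with: it parses the E/I/P/L lines and verifies E and I are within P, P within L, and L within the start set. The expansion of the 'basic' set is assumed to be the Solaris 11 one; a dump from another release may differ.

```python
"""Check a ppriv(1) privilege dump against the privset a process was started with.

Added example, not from the mail or from varnish. BASIC is an assumed
expansion of the Solaris 11 'basic' set; SAMPLE is the worker dump from the mail.
"""
import re

# Assumed expansion of the 'basic' privilege set (Solaris 11).
BASIC = {"file_link_any", "file_read", "file_write", "net_access",
         "proc_exec", "proc_fork", "proc_info", "proc_session"}


def expand_privspec(spec):
    """Expand a 'ppriv -s' style spec such as 'basic,sys_resource,!proc_info'."""
    privs = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        name = tok.lstrip("!")
        members = BASIC if name == "basic" else {name}
        if tok.startswith("!"):
            privs -= members          # '!priv' removes from the set built so far
        else:
            privs |= members
    return privs


def parse_ppriv(dump):
    """Parse the E:/I:/P:/L: lines of a ppriv dump into a dict of sets."""
    sets = {}
    for line in dump.splitlines():
        m = re.match(r"\s*([EIPL]):\s*(.*)$", line)
        if m:
            val = m.group(2).strip()
            sets[m.group(1)] = set() if val == "none" else set(val.split(","))
    return sets


def check_worker(sets, start_spec):
    """Return the violated least-privilege invariants (empty list means OK)."""
    allowed = expand_privspec(start_spec)
    e, i, p, l = (sets.get(k, set()) for k in "EIPL")
    problems = []
    if not e <= p:
        problems.append("effective set not within permitted set")
    if not i <= p:
        problems.append("inheritable set not within permitted set")
    if not p <= l:
        problems.append("permitted set not within limit set")
    if not l <= allowed:
        problems.append("limit set exceeds start privset: " + ",".join(sorted(l - allowed)))
    return problems


SAMPLE = """37003: /tmp/sbin/varnishd -a 127.0.0.1:81 -b 127.0.0.1:80
flags = PRIV_AWARE
E: file_read,file_write,net_access
I: none
P: file_read,file_write,net_access,sys_resource
L: file_read,file_write,net_access,sys_resource
"""
START = "basic,sys_resource,proc_setid,net_privaddr,!proc_info,!proc_session"
```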