Thinking about sandboxing (take #2)

Nils Goroll slink at
Thu Feb 12 13:57:23 CET 2015

On 12/02/15 11:22, Poul-Henning Kamp wrote:
> Varnishd can be started four different ways:

I'd need to wrap my head around the details, but the two additional 'least
privileges' ways to start varnish (on Solaris today and why-not on Linux in
future) are:

5) Starting from a privilege aware process or classical 'root' with uid/gid

	ppriv -e -s \
	A=basic,sys_resource,proc_setid,net_privaddr,!proc_info,!proc_session \
	varnishd -u $user -g $group # *1)

   The user starting varnish with these privileges does not need to (but can)
   be root. It only needs to possess the privileges specified by A=... above.

   sandboxes will waive all privileges they don't need and will run as

   Sample Remaining privset for a worker:

   37003:  /tmp/sbin/varnishd -a -b
   flags = PRIV_AWARE
        E: file_read,file_write,net_access
        I: none
        P: file_read,file_write,net_access,sys_resource
        L: file_read,file_write,net_access,sys_resource

6) Same without uid/gid switching (avoiding the SNOCD thing):

   Same, but without proc_setid and -u / -g identical to the user starting

On 12/02/15 11:22, Poul-Henning Kamp wrote:
> This is under further consideration for side-effects (storage
> files etc.)

Yes, and there is further complication from vmods - so we might need to make the
worker privset user-configurable to allow for vmods requiring elevated privileges.


*1) Using A= is actually a cheap simplification here; the minimum required
privset is even smaller.
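To make the privilege arithmetic above concrete, here is an added, self-contained model (my illustration, not varnish code) of the four Solaris privilege sets and of what happens when a process is started under A=basic,sys_resource,proc_setid,net_privaddr,!proc_info,!proc_session and the worker then waives everything down to the privset quoted in the mail. The expansion of 'basic', the left-to-right handling of '!name', and the waive() helper are assumptions made for the model; check `ppriv -l` on the real system.

```python
"""Toy model of Solaris privilege sets (E, I, P, L) for reasoning about a
least-privilege varnishd start.  Added illustration, not varnish code."""
from dataclasses import dataclass

# Assumption: the 'basic' privilege set as expanded on Solaris 11 (illustrative,
# verify with `ppriv -l basic` on the real system).
BASIC = frozenset({
    "file_link_any", "file_read", "file_write", "net_access",
    "proc_exec", "proc_fork", "proc_info", "proc_session",
})


def parse_privspec(spec: str) -> frozenset:
    """Parse a ppriv-style list such as 'basic,sys_resource,!proc_info'.

    Tokens are applied left to right: a bare name adds a privilege, '!name'
    removes it, and 'basic' expands to BASIC (assumed priv_str_to_set semantics)."""
    result: set = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        negate = token.startswith("!")
        name = token[1:] if negate else token
        names = BASIC if name == "basic" else {name}
        if negate:
            result -= names
        else:
            result |= names
    return frozenset(result)


@dataclass(frozen=True)
class PrivSets:
    """Effective, Inheritable, Permitted and Limit sets of one process."""
    E: frozenset
    I: frozenset
    P: frozenset
    L: frozenset

    def consistent(self) -> bool:
        # Kernel invariants: E is bounded by P, P and I are bounded by L.
        return self.E <= self.P <= self.L and self.I <= self.L


def start_with_A(spec: str) -> PrivSets:
    """Model 'ppriv -e -s A=<spec> cmd': all four sets become <spec>."""
    s = parse_privspec(spec)
    return PrivSets(E=s, I=s, P=s, L=s)


def waive(ps: PrivSets, effective, permitted=None) -> PrivSets:
    """Model a sandbox dropping what it does not need (assumed helper).

    Keeps `effective` in E, `permitted` (default: effective) in P and L, and
    empties I so children cannot inherit anything.  A process can only shrink
    its sets, so asking to keep a privilege it no longer holds is an error."""
    effective = frozenset(effective)
    permitted = frozenset(permitted) if permitted is not None else effective
    if not effective <= permitted:
        raise ValueError("E must be a subset of P")
    if not permitted <= ps.P:
        raise ValueError(f"cannot keep privileges not held: {sorted(permitted - ps.P)}")
    return PrivSets(E=effective, I=frozenset(), P=permitted, L=permitted)


def dropped(before: PrivSets, after: PrivSets) -> frozenset:
    """Privileges that were in the Permitted set before but are gone after."""
    return before.P - after.P


# The two start variants from the mail (variant 6 omits proc_setid).
A_SPEC_WITH_SETID = "basic,sys_resource,proc_setid,net_privaddr,!proc_info,!proc_session"
A_SPEC_NO_SETID = "basic,sys_resource,net_privaddr,!proc_info,!proc_session"


def worker_privsets(a_spec: str = A_SPEC_WITH_SETID) -> PrivSets:
    """Start with A=<spec>, then waive down to the worker privset quoted in the mail."""
    manager = start_with_A(a_spec)
    return waive(manager,
                 effective={"file_read", "file_write", "net_access"},
                 permitted={"file_read", "file_write", "net_access", "sys_resource"})


if __name__ == "__main__":
    mgr = start_with_A(A_SPEC_WITH_SETID)
    wrk = worker_privsets()
    print("manager P:", sorted(mgr.P))
    print("worker  E:", sorted(wrk.E))
    print("worker  P:", sorted(wrk.P))
    print("dropped  :", sorted(dropped(mgr, wrk)))
```

Running it lists the privileges the worker gives up relative to the A= set (proc_setid, net_privaddr, proc_exec, proc_fork, file_link_any) and keeps sys_resource in P but not E, matching the sample privset in the mail; the ValueError path is the property that matters for a sandbox: once waived, a privilege cannot be reacquired by asking for it again.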