Jail, outstanding details

Poul-Henning Kamp phk at phk.freebsd.dk
Fri Feb 20 12:14:48 CET 2015


--------
In message <CANTn4crhs9tgaG9oXkEwYcfjQ4MM5NBdgyvnC+5Cxh70skiMDg at mail.gmail.com>
, Martin Blix Grydeland writes:
>On 18 February 2015 at 20:19, Poul-Henning Kamp <phk at phk.freebsd.dk> wrote:
>
>> In message <E1YOA12-0001ej-54 at project.varnish-software.com>, Poul-Henning
>> Kamp
>> writes:
>>
>> >    Move creation of workdir into jail code, and use the master HIGH/LOW
>> >    around socket operations which may be on reserved ports.
>>
>> This is all presuming jail=unix which means Varnish was started as root.
>>
>> I am uncertain if creating/opening the storage files should be done
>> at "MASTER_HIGH" (= root) or "MASTER_LOW" (= varnish user) privilege
>> level.
>
>We've been looking at the option of having block device as storage instead
>of going through the filesystem. These devices usually have special rules
>setting up the permissions and such on each boot [...]

Yes, that's one of the many reasons why I think that storage files
belong in the "command line domain", and neither CLI users nor anybody
else should need or can beneficially use access to the storage files
"out of band".

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.


