Idea for multi-level CLI access control
Poul-Henning Kamp
phk at phk.freebsd.dk
Mon Jun 26 18:38:47 UTC 2023
We talked about the overall security model during bugwash today and
while trimming the hedges I had the following idea:
Today the fundamental authentication to open a CLI port is that
you have access to the exact and entire contents of the "secret"
file and can generate a proof of this.
We keep that, but...
1. We allow varnishd to have multiple secret files.

   When a CLI connection attempts to authenticate, varnishd tries
   them all.

2. Secret files can be "old style" or "new style", in both
   cases the "proof" uses the entire content of the secret file,
   byte for byte.

3. "New style" secret files have the following syntax:

   Lines which start with '#' are comments and are ignored.

   First line:

       "secret: " <any number of characters in [0x20…0x7e]> NL

   Then any number of rules:

       ("permit: " | "deny: ") <regexp> NL

   varnishd always appends a "deny: ." rule at the end of the
   list of rules.

   All submitted CLI commands are tested against these rules in
   the order they appear in the secret file, and the search
   terminates when one of them matches.

   A trivial example of a secret file could be:

       secret: swordfish
       deny: vcl
       deny: stop
       # Note: Do not name a backend "kanban"
       deny: ban
Random notes:
* Ideally the help command output is also filtered through the rules.
* Varnishd should identify itself (-i/-n) in the 107 message so that the
client can pick which secret file to use if it has access to multiple.
* Varnishadm could look for secret files in ~/.varnish/${-i/-n arg}
Comments ?
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
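The following is an added example, not Varnish code and not part of the post above. It models the proposal: parse an old-style or new-style secret file, append the implicit "deny: ." rule, evaluate a CLI command against the rules first-match-wins, and try several secret files during authentication. Assumptions made here and not stated in the post: rules are matched with an unanchored regex search (so "deny: ban" also hits a backend named "kanban", as the comment in the post hints), blank lines are ignored, an old-style file keeps today's unrestricted access (a catch-all permit before the implicit deny), a command matching no rule at all is denied, and the proof is a simplified hash over the challenge and the entire file bytes rather than the real Varnish CLI proof. The constructed sample file adds a final "permit: ." so that some commands survive the implicit deny.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

PRINTABLE = set(range(0x20, 0x7F))  # the [0x20..0x7e] range allowed in the secret


@dataclass
class SecretFile:
    raw: bytes       # entire file content; the proof covers this byte for byte
    new_style: bool
    rules: list      # [(verdict, compiled_regex)] in file order, "deny: ." last


def parse_secret_file(raw: bytes) -> SecretFile:
    """New style if the first non-comment line starts with 'secret: ', else old style."""
    lines = raw.decode("latin-1").split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # trailing NL
    # Assumption: blank lines are ignored like comment lines.
    body = [ln for ln in lines if ln and not ln.startswith("#")]
    if not body or not body[0].startswith("secret: "):
        # Old style: whole file is the secret and there are no rules. Assumption:
        # unrestricted access as today, so a catch-all permit precedes the implicit deny.
        rules = [("permit", re.compile(".")), ("deny", re.compile("."))]
        return SecretFile(raw, False, rules)
    secret = body[0][len("secret: "):]
    if any(ord(c) not in PRINTABLE for c in secret):
        raise ValueError("secret contains characters outside [0x20..0x7e]")
    rules = []
    for ln in body[1:]:
        for verdict in ("permit", "deny"):
            prefix = verdict + ": "
            if ln.startswith(prefix):
                rules.append((verdict, re.compile(ln[len(prefix):])))
                break
        else:
            raise ValueError(f"bad rule line: {ln!r}")
    rules.append(("deny", re.compile(".")))  # varnishd always appends this rule
    return SecretFile(raw, True, rules)


def command_permitted(sf: SecretFile, command: str) -> bool:
    """First matching rule wins; unanchored search, so 'deny: ban' also hits 'kanban'."""
    for verdict, rx in sf.rules:
        if rx.search(command):
            return verdict == "permit"
    return False  # nothing matched (e.g. an empty command): fail closed


def proof(challenge: bytes, raw: bytes) -> str:
    """Stand-in proof of possession of the entire file (assumption: not the real CLI scheme)."""
    return hashlib.sha256(challenge + raw).hexdigest()


def authenticate(candidates, challenge: bytes, response: str):
    """Try every configured secret file; return the one whose proof matches, else None."""
    for sf in candidates:
        if hmac.compare_digest(proof(challenge, sf.raw), response):
            return sf
    return None


# Constructed sample files (not from the post); the new-style one adds "permit: ."
NEW_STYLE = b"""secret: swordfish
deny: vcl
deny: stop
# Note: Do not name a backend "kanban"
deny: ban
permit: .
"""
OLD_STYLE = b"just-bytes-no-structure\n"

if __name__ == "__main__":
    restricted = parse_secret_file(NEW_STYLE)
    unrestricted = parse_secret_file(OLD_STYLE)
    for cmd in ("status", "backend.list", "vcl.load v1 /tmp/x.vcl",
                "backend.set_health kanban sick", "ban req.url ~ /"):
        print(f"{cmd!r:40} -> {command_permitted(restricted, cmd)}")
    ch = b"challenge-bytes"
    who = authenticate([unrestricted, restricted], ch, proof(ch, NEW_STYLE))
    print("authenticated with new-style file:", who is restricted)
```

Two properties worth noting when reviewing such rules: the regex search is a substring match, so a short pattern like "ban" denies more than the ban command; and because "deny: ." always closes the list, a file consisting only of deny rules denies every command, so a permit rule is needed somewhere before the end.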