<div dir="ltr"><div class="markdown-here-wrapper"><p style="margin:1.2em 0px!important">On Mon, Apr 13, 2015 at 12:58 PM Poul-Henning Kamp <a href="mailto:phk@phk.freebsd.dk">phk@phk.freebsd.dk</a> wrote:</p>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">But the possessed worker could just continuously scan the -n directory<br>
and jump in when a VCL compilation was happening and corrupt the result.<br>
This limits the opportunities somewhat, but it doesn't close the hole.<br></blockquote>
<p style="margin:1.2em 0px!important">Yup, that is indeed scary. </p>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">This argues strongly for a separate uid for the worker process.<br></blockquote>
<p style="margin:1.2em 0px!important">Totally agreed. </p>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The worker should certainly not have access to this file and<br>
should absolutely not be able to write or replace it, which it can today<br>
because the -n directory is varnish:varnish.<br></blockquote>
<p style="margin:1.2em 0px!important">Oh cripes, I hadn’t thought of that at all.</p>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> -n directory root:varnish 755<br>
We cannot make it 750, because then admins<br>
with wheel group can not get to the secret/vsm files.<br></blockquote>
<p style="margin:1.2em 0px!important">There’s a case to be made for adding those admins to the varnish group, but I don’t think it’s a big deal, as long as we nail down things within the directory.</p>
<p style="margin:1.2em 0px!important">On the other hand, we could move the secret out of the directory, and use -n + <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">_secret</code> instead of -n + <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">/_secret</code>.</p>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">_.secret root:wheel 440<br></blockquote>
<p style="margin:1.2em 0px!important">We write this before dropping privs, and don’t need to read it at all, right?</p>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">_.vsm vadmin:varnish 644<br></blockquote>
<p style="margin:1.2em 0px!important">While we’re on the subject of security, I don’t think _.vsm should be world readable. There can be a ton of very valuable information in the VSM, like <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">Cookie</code> headers. Most of your email talks about the worker getting compromised, but you mentioned <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">nobody</code>. And there are possibly other processes running that are exposed to the outside world, either because they talk to the network, or because they are exposed to the world through Varnish.</p>
<p style="margin:1.2em 0px!important">Requiring users to be part of the <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">varnish</code> group to be able to use VSM consuming utilities isn’t a stretch of the imagination.</p>
<p style="margin:1.2em 0px!important">And if we do that, making the directory 750 makes a little more sense too, since they already need to be in the group to do many useful things with Varnish.</p>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">What should we call the users ?<br></blockquote>
<p style="margin:1.2em 0px!important">insert 2 hard things in software joke here</p>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The vadmin one could simply be "varnish", but what do we call the<br>
vrun user ? I think we have to respect the historical 7-char limit<br>
so "varnish-run" is out of reach, and "vrun" is only logical to VTLA<br>
aficionados like us.<br></blockquote>
<p style="margin:1.2em 0px!important">I like using <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">varnish</code> for the vadmin part. Less change from a packaging/sysadmin perspective. </p>
<p style="margin:1.2em 0px!important">As for vrun, <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">vworker</code> comes to mind. Or maybe <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">vunpriv</code>.</p>
<p style="margin:1.2em 0px!important">But I suck at naming, so I hope someone has brilliant ideas.</p>
<p style="margin:1.2em 0px!important">Cheers,</p>
<p style="margin:1.2em 0px!important"> Doc</p>
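<p style="margin:1.2em 0px!important">The following is an added audit script, not part of the message above and not Varnish's own code. It checks a Varnish-style working directory (the -n directory) against the layout argued for in this exchange: the directory group-only (750), _.secret readable only by its owner and group (440), and _.vsm not world readable. The 640 mode for _.vsm (the quoted line says 644; 640 follows the point about Cookie headers), the fixed file names _.secret and _.vsm, and the user/group names passed as arguments are assumptions. Only POSIX find(1) predicates are used, so it behaves the same on Linux and the BSDs.</p>

```shell
#!/bin/sh
# Added audit example; not code from the thread or from Varnish itself.
# Checks a Varnish-style -n directory against the layout discussed:
#   DIR        ADMIN_USER:ADMIN_GROUP   750
#   _.secret   SECRET_USER:SECRET_GROUP 440
#   _.vsm      ADMIN_USER:ADMIN_GROUP   640  (assumption: group-only, no world read)
# Only POSIX find(1) predicates are used, so it runs on Linux and the BSDs.

# check_entry PATH OWNER GROUP MODE
# Returns 0 when PATH has exactly that owner, group and octal mode, else 1.
check_entry() {
    path=$1
    owner=$2
    group=$3
    mode=$4
    # -prune keeps find from descending; -print fires only if every test matched
    if [ -n "$(find "$path" -prune -user "$owner" -group "$group" -perm "$mode" -print 2>/dev/null)" ]; then
        printf 'ok   %-32s %s:%s %s\n' "$path" "$owner" "$group" "$mode"
        return 0
    fi
    printf 'BAD  %-32s want %s:%s %s, have: %s\n' \
        "$path" "$owner" "$group" "$mode" "$(ls -ld "$path" 2>&1)"
    return 1
}

# world_accessible PATH
# Returns 0 when any "other" bit (r, w or x) is set, i.e. the nobody case.
world_accessible() {
    [ -n "$(find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null)" ]
}

# audit_workdir DIR ADMIN_USER ADMIN_GROUP SECRET_USER SECRET_GROUP
# Runs every check, prints one line per item, returns the number of failures.
audit_workdir() {
    dir=$1
    auser=$2
    agroup=$3
    suser=$4
    sgroup=$5
    fails=0
    check_entry "$dir"          "$auser" "$agroup" 750 || fails=$((fails + 1))
    check_entry "$dir/_.secret" "$suser" "$sgroup" 440 || fails=$((fails + 1))
    check_entry "$dir/_.vsm"    "$auser" "$agroup" 640 || fails=$((fails + 1))
    for f in "$dir" "$dir/_.secret" "$dir/_.vsm"; do
        if world_accessible "$f"; then
            printf 'BAD  %-32s has "other" bits set\n' "$f"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Stand-alone use (paths and names are placeholders for a real install):
#   audit_workdir /var/lib/varnish/$(hostname) varnish varnish root wheel
```

<p style="margin:1.2em 0px!important">The exact-mode test is deliberate: a directory that is 750 but owned by the worker's uid, or a secret that is 440 but group-owned by the worker's group, still fails, because ownership is what decides whether a compromised worker can replace the file.</p>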
</div></div>