Mailing List Archive: Varnish: Bugs

#912: Varnish lacks the file_read privilege on recent OpenSolaris



varnish-bugs at varnish-cache

May 6, 2011, 12:59 PM

Post #1 of 5
#912: Varnish lacks the file_read privilege on recent OpenSolaris

#912: Varnish lacks the file_read privilege on recent OpenSolaris
--------------------+-------------------------------------------------------
Reporter: mamash | Type: defect
Status: new | Priority: normal
Milestone: | Component: varnishd
Version: 2.1.5 | Severity: major
Keywords: |
--------------------+-------------------------------------------------------
The waive_privileges code does not work properly on recent OpenSolaris OS,
snv_140 and newer (also Illumos/OpenIndiana). In addition to 'net_access',
'file_read' is also needed, otherwise the VCL shared object cannot be
opened by the child process:

{{{
Pushing vcls failed: dlopen(./vcl.ORk8t3RP.so): ld.so.1: varnishd: fatal:
./vcl.ORk8t3RP.so: Permission denied
}}}

I believe this remains a problem in the trunk too.

More information here:

[http://webcache.googleusercontent.com/search?q=cache:EIzTALnLxX4J:bugs.opensolaris.org/bugdatabase/view_bug.do%3Fbug_id%3D6440298+bug+6440298&cd=1&hl=en&ct=clnk&gl=us&source=www.google.com Bug 6440298 (Google Cache)][[BR]]
[http://mail.opensolaris.org/pipermail/opensolaris-arc/2009-July/016660.html Mail list discussion]

--
Ticket URL: <http://varnish-cache.org/trac/ticket/912>
Varnish <http://varnish-cache.org/>
The Varnish HTTP Accelerator

_______________________________________________
varnish-bugs mailing list
varnish-bugs [at] varnish-cache
http://www.varnish-cache.org/lists/mailman/listinfo/varnish-bugs


varnish-bugs at varnish-cache

May 9, 2011, 2:53 AM

Post #2 of 5
Re: #912: Varnish lacks the file_read privilege on recent OpenSolaris [In reply to]

#912: Varnish lacks the file_read privilege on recent OpenSolaris
--------------------------+-------------------------------------------------
Reporter: mamash | Owner: slink
Type: defect | Status: new
Priority: normal | Milestone:
Component: port:solaris | Version: 2.1.5
Severity: major | Keywords:
--------------------------+-------------------------------------------------
Changes (by phk):

* owner: => slink
* component: varnishd => port:solaris


--
Ticket URL: <http://www.varnish-cache.org/trac/ticket/912#comment:1>
Varnish <http://varnish-cache.org/>
The Varnish HTTP Accelerator



varnish-bugs at varnish-cache

Sep 21, 2011, 4:52 AM

Post #3 of 5
Re: #912: Varnish lacks the file_read privilege on recent OpenSolaris [In reply to]

#912: Varnish lacks the file_read privilege on recent OpenSolaris
--------------------------+-------------------------------------------------
Reporter: mamash | Owner: slink
Type: defect | Status: closed
Priority: normal | Milestone:
Component: port:solaris | Version: 2.1.5
Severity: major | Resolution: fixed
Keywords: |
--------------------------+-------------------------------------------------
Changes (by Tollef Fog Heen <tfheen@…>):

* status: new => closed
* resolution: => fixed


Comment:

(In [e0ee2a2e69654a9df74aaf3dcadc9639659cf42b]) Add file_read to the
privilege set we need on Solaris

Fixes: #912

--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/912#comment:2>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator



varnish-bugs at varnish-cache

Sep 22, 2011, 5:04 AM

Post #4 of 5
Re: #912: Varnish lacks the file_read privilege on recent OpenSolaris [In reply to]

#912: Varnish lacks the file_read privilege on recent OpenSolaris
--------------------------+-------------------------------------------------
Reporter: mamash | Owner: slink
Type: defect | Status: closed
Priority: normal | Milestone:
Component: port:solaris | Version: 2.1.5
Severity: major | Resolution: fixed
Keywords: |
--------------------------+-------------------------------------------------

Comment(by Tollef Fog Heen <tfheen@…>):

(In [00566769df8606de4bfeac6fac18986b93aaf168]) Add file_read to the
privilege set we need on Solaris

Fixes: #912

--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/912#comment:3>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator



varnish-bugs at varnish-cache

Sep 30, 2011, 6:32 AM

Post #5 of 5
Re: #912: Varnish lacks the file_read privilege on recent OpenSolaris [In reply to]

#912: Varnish lacks the file_read privilege on recent OpenSolaris
--------------------------+-------------------------------------------------
Reporter: mamash | Owner: slink
Type: defect | Status: closed
Priority: normal | Milestone:
Component: port:solaris | Version: 2.1.5
Severity: major | Resolution: fixed
Keywords: |
--------------------------+-------------------------------------------------

Comment(by Poul-Henning Kamp <phk@…>):

(In [f837fbca893cc09458482c5283456bf8990aeee6]) Split Solaris sandboxing
out to a separate source file, and apply
patch received from Nils Goroll <nils.goroll [at] uplex>

- [e0ee2a2e69654a9df74aaf3dcadc9639659cf42b] adds the file_read
privilege needed for onnv_140 and newer (see #912), but we also need
the file_write privilege for stevedore access.

- If available, keep sys_resource in the permitted/limited set to
allow cache_waiter_ports to raise the process.max-port-events
resource control (feature to be added later).

- When starting varnish with euid 0 on Solaris, privilege separation
prohibited preserving additional privileges (in excess of the basic
set) in the child, because, for a non privilege aware process,
setuid() resets the effective, inheritable and permitted sets to the
basic set.

To achieve interoperability between Solaris privileges and
setuid()/setgid(), we now make the varnish child privilege aware
before calling setuid() by trying to add all privileges we will need
plus proc_setid.

- On Solaris, check for proc_setid rather than checking the euid as a
prerequisite for changing the uid/gid and only change the uid/gid if
we need to (for a privilege aware process, [ers]uid 0 lose their
magic powers).

Note that setuid() will always set SNOCD on Solaris, which will
prevent core dumps from being written, unless setuid core dumps are
explicitly enabled using coreadm(1M).

To avoid setuid() (and the SNOCD flag, consequently), start varnish
as the user you intend to run the child as, but with additional
privileges, e.g. using

ppriv -e -s A=basic,net_privaddr,sys_resource varnishd ...

- setppriv(PRIV_SET, ...) failed when the privileges to be applied
were not available in the permitted set.

We change the logic to only clear the privileges which are not
needed by inverting the sets and removing all unneeded privileges
using setppriv(PRIV_OFF, ...).

So the child might end up with fewer privileges than given initially,

--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/912#comment:4>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator

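The privilege-set logic described in the commit message above, as an added illustration that is not Varnish's code and not the Solaris priv.h API: a constructed bitmask model that runs the old sequence (setuid() on a non-privilege-aware child, then setppriv(PRIV_SET) of the needed set) beside the fixed one (make the child privilege aware, setuid(), then PRIV_OFF the inverse of the needed set). The privilege names and the needed set are those the thread names; the model_* functions, the bit values and the can_load_vcl check are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed bitmask model of Solaris privilege sets (not libc's priv.h
 * API and not Varnish's own code); privilege names come from the ticket. */
enum { P_BASIC = 1u << 0, P_NET_PRIVADDR = 1u << 1, P_FILE_READ = 1u << 2,
       P_FILE_WRITE = 1u << 3, P_SYS_RESOURCE = 1u << 4, P_PROC_SETID = 1u << 5 };
#define P_ALL (P_BASIC | P_NET_PRIVADDR | P_FILE_READ | P_FILE_WRITE | \
               P_SYS_RESOURCE | P_PROC_SETID)
/* What the child needs on onnv_140 and newer, per the fix in this thread. */
#define P_NEEDED (P_BASIC | P_NET_PRIVADDR | P_FILE_READ | P_FILE_WRITE | \
                  P_SYS_RESOURCE)
struct child { uint32_t permitted, effective; bool aware; };
/* setuid(): a process that is not privilege aware is reset to the basic set. */
static void model_setuid(struct child *c) {
    if (!c->aware) c->permitted = c->effective = P_BASIC;
}
/* setppriv(PRIV_SET, ...): fails unless every requested bit is permitted. */
static int model_setppriv_set(struct child *c, uint32_t want) {
    if ((want & ~c->permitted) != 0) return -1;
    c->effective = want;
    return 0;
}
/* setppriv(PRIV_OFF, ...): clearing bits never fails. */
static void model_setppriv_off(struct child *c, uint32_t drop) {
    c->permitted &= ~drop;
    c->effective &= ~drop;
}

/* Pre-fix order: setuid() first, then PRIV_SET of the needed set. */
uint32_t old_sandbox(uint32_t initial) {
    struct child c = { initial, initial, false };
    model_setuid(&c);                          /* not aware: back to basic */
    (void)model_setppriv_set(&c, P_NEEDED);    /* fails, child stays basic */
    return c.effective;
}

/* Fixed order: become privilege aware by asking for needed + proc_setid,
 * then setuid(), then PRIV_OFF everything outside the needed set. */
uint32_t new_sandbox(uint32_t initial) {
    struct child c = { initial, initial, false };
    c.aware = true;
    c.effective = c.permitted & (P_NEEDED | P_PROC_SETID);
    model_setuid(&c);                          /* aware: sets preserved */
    model_setppriv_off(&c, P_ALL & ~P_NEEDED); /* drop only the unneeded */
    return c.effective;
}
/* The dlopen() failure in the ticket is file_read missing from the effective set. */
bool can_load_vcl(uint32_t effective) { return (effective & P_FILE_READ) != 0; }
```

The last case in the test shows the caveat the commit ends on: a parent started without file_write yields a child without it, and PRIV_OFF reports no error, so the gap only surfaces at the operation that needs the privilege.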
