
Mailing List Archive: Varnish: Dev

[PATCHES] Fix build errors and sandbox bugs in the Solaris port

 

 



geoff at uplex

Jul 19, 2012, 5:47 AM

Post #1 of 9 (538 views)
Permalink
[PATCHES] Fix build errors and sandbox bugs in the Solaris port

Hello all,

The three enclosed patches from slink (who sends his best wishes)
correct build errors and sandbox (privilege separation) bugs in the
Solaris port, to be applied to the current master branch.

0001: Fixes a compile error (incorrect signature for SES_Delete() in
cache_waiter_ports.c)

0002: portable cast from thread_id to (void *) in varnishreplay.c

0003: implements Solaris privilege separation for running vcc/cc
(without which the VCL-/C-Compiler was failing)

With these patches, I get all of make check except for v00017 to pass.


Best,
Geoff
--
** * * UPLEX - Nils Goroll Systemoptimierung

Schwanenwik 24
22087 Hamburg

Tel +49 40 2880 5731
Mob +49 176 636 90917
Fax +49 40 42949753

http://uplex.de
Attachments: 0001-adjust-to-new-signature-of-SES_Delete.patch (1.21 KB)
  0002-portable-cast-from-thread_id-to-void.patch (1.44 KB)
  0003-since-vcc-cc-are-running-with-privilege-seperation-n.patch (7.34 KB)
  signature.asc (0.88 KB)


slink at schokola

Jul 24, 2012, 10:37 AM

Post #2 of 9 (489 views)
Permalink
Re: [PATCHES] Fix build errors and sandbox bugs in the Solaris port [In reply to]

Could we please get these in before we need to duplicate work due to the master
diverging?

Thanks, Nils (back from holidays)

On 07/19/12 02:47 PM, Geoff Simmons wrote:
> The three enclosed patches from slink (who sends his best wishes)
> correct build errors and sandbox (privilege separation) bugs in the
> Solaris port, to be applied to the current master branch.

_______________________________________________
varnish-dev mailing list
varnish-dev [at] varnish-cache
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev


phk at phk

Jul 30, 2012, 8:10 AM

Post #3 of 9 (480 views)
Permalink
Re: [PATCHES] Fix build errors and sandbox bugs in the Solaris port [In reply to]

In message <500801FD.2030403 [at] uplex>, Geoff Simmons writes:

>Hello all,
>
>The three enclosed patches from slink (who sends his best wishes)
>correct build errors and sandbox (privilege separation) bugs in the
>Solaris port, to be applied to the current master branch.

Hi Geoff & Slink

I have committed part 1, and generalized the idea in part 3 but
not attempted to implement the solaris sandbox with it, but I
hope it makes it easier to do so for you guys.

Tollef promised to do part 2

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk [at] FreeBSD | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.



phk at phk

Jul 30, 2012, 9:46 AM

Post #4 of 9 (475 views)
Permalink
Re: [PATCHES] Fix build errors and sandbox bugs in the Solaris port [In reply to]

In message <500EDD62.3030406 [at] schokola>, Nils Goroll writes:

Hi Niels,

I'm also back from vacation, we're working on it :-)

Poul-Henning

>Could we please get these in before we need to duplicate work due to the master
>diverging?
>
>Thanks, Nils (back from holidays)
>
>On 07/19/12 02:47 PM, Geoff Simmons wrote:
>> The three enclosed patches from slink (who sends his best wishes)
>> correct build errors and sandbox (privilege separation) bugs in the
>> Solaris port, to be applied to the current master branch.
>

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk [at] FreeBSD | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.



slink at schokola

Aug 2, 2012, 9:53 AM

Post #5 of 9 (463 views)
Permalink
Re: [PATCHES] Fix build errors and sandbox bugs in the Solaris port [In reply to]

Hi Phk,

> I have committed part 1, and generalized the idea in part 3 but
> not attempted to implement the solaris sandbox with it, but I
> hope it makes it easier to do so for you guys.

Thanks for the refactoring, as always, your version of the same idea is cleaner. :)

Here's a patch for the solaris sandbox, which also fixes a nit in mgt_sandbox.c

Thanks, Nils
Attachments: 0001-since-vcc-cc-are-running-with-privilege-seperation-n.patch (8.33 KB)


slink at schokola

Aug 2, 2012, 11:06 AM

Post #6 of 9 (465 views)
Permalink
Re: [PATCHES] Fix build errors and sandbox bugs in the Solaris port [In reply to]

Hi phk,

testing the new sandbox code I noticed that the tmpdir should be owned by
mgt_param.uid, otherwise unlinking the compiled .so will fail when
setuid(mgt_param.uid) succeeds.

Nils

On 08/ 2/12 06:53 PM, Nils Goroll wrote:
> Hi Phk,
>
>> I have committed part 1, and generalized the idea in part 3 but
>> not attempted to implement the solaris sandbox with it, but I
>> hope it makes it easier to do so for you guys.
>
> Thanks for the refactoring, as always, your version of the same idea is cleaner. :)
>
> Here's a patch for the solaris sandbox, which also fixes a nit in mgt_sandbox.c
>
> Thanks, Nils
>
Attachments: 0002-give-away-the-tmpdir-to-the-privilege-seperation-use.patch (1.24 KB)
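
The permission rule behind the observation in the post above, as an added example (not part of the thread, the attached patch, or Varnish's code): `unlink(2)` is decided by the permissions on the containing directory, so a process that has switched to the sandbox uid cannot remove its own file from a tmpdir owned by someone else. It assumes the classic UNIX model for a caller with no supplementary groups and no privilege that overrides file permission checks; `may_unlink`, `scenario` and uid 1001 (a stand-in for `mgt_param.uid`) are hypothetical names and values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

#ifndef S_ISVTX
#define S_ISVTX 01000   /* sticky bit, in case strict-mode headers hide it */
#endif

/* Classic UNIX rule for unlink(2), modelled for an unprivileged caller:
 * the caller needs write+search permission on the directory, and in a
 * sticky directory it must also own the file or the directory.
 * Owning the file alone is never sufficient. */
bool may_unlink(const struct stat *dir, uid_t file_uid, uid_t uid, gid_t gid)
{
    mode_t need;

    if (uid == dir->st_uid)
        need = S_IWUSR | S_IXUSR;
    else if (gid == dir->st_gid)
        need = S_IWGRP | S_IXGRP;
    else
        need = S_IWOTH | S_IXOTH;
    if ((dir->st_mode & need) != need)
        return false;
    if ((dir->st_mode & S_ISVTX) && uid != dir->st_uid && uid != file_uid)
        return false;
    return true;
}

/* Constructed scenario: a directory owned by dir_uid (group 0) with mode
 * dir_mode holds a file owned by file_uid; the caller has gid == uid. */
bool scenario(uid_t dir_uid, mode_t dir_mode, uid_t file_uid, uid_t uid)
{
    struct stat dir = {0};

    dir.st_uid = dir_uid;
    dir.st_gid = 0;
    dir.st_mode = dir_mode;
    return may_unlink(&dir, file_uid, uid, (gid_t)uid);
}

int main(void)
{
    const uid_t sandbox = 1001;  /* hypothetical stand-in for mgt_param.uid */

    printf("root-owned 0755 tmpdir:     %d\n", scenario(0, 0755, sandbox, sandbox));
    printf("sandbox-owned 0755 tmpdir:  %d\n", scenario(sandbox, 0755, sandbox, sandbox));
    printf("sticky 01777, foreign file: %d\n", scenario(0, 01777, 0, sandbox));
    return 0;
}
```
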


phk at phk

Aug 6, 2012, 1:29 AM

Post #7 of 9 (437 views)
Permalink
Re: [PATCHES] Fix build errors and sandbox bugs in the Solaris port [In reply to]

In message <501AB0A0.30503 [at] schokola>, Nils Goroll writes:

>Thanks for the refactoring, as always, your version of the same idea is cleaner. :)
>
>Here's a patch for the solaris sandbox, which also fixes a nit in mgt_sandbox.c

Committed.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk [at] FreeBSD | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.



geoff at uplex

Aug 6, 2012, 1:54 AM

Post #8 of 9 (441 views)
Permalink
Re: [PATCHES] Fix build errors and sandbox bugs in the Solaris port [In reply to]


On 08/ 6/12 10:29 AM, Poul-Henning Kamp wrote:
> In message <501AB0A0.30503 [at] schokola>, Nils Goroll writes:
>
>> Thanks for the refactoring, as always, your version of the same
>> idea is cleaner. :)
>>
>> Here's a patch for the solaris sandbox, which also fixes a nit in
>> mgt_sandbox.c
>
> Committed.

It's working on my machine.

$ uname -a
SunOS gsimmons 5.11 snv_134 i86pc i386 i86pc Solaris

--
** * * UPLEX - Nils Goroll Systemoptimierung

Scheffelstraße 32 (ACHTUNG: neue Adresse)
22301 Hamburg

Tel +49 40 2880 5731
Mob +49 176 636 90917
Fax +49 40 42949753

http://uplex.de



phk at phk

Aug 6, 2012, 2:35 AM

Post #9 of 9 (440 views)
Permalink
Re: [PATCHES] Fix build errors and sandbox bugs in the Solaris port [In reply to]

In message <501AC1C1.2040303 [at] schokola>, Nils Goroll writes:

>testing the new sandbox code I noticed that the tmpdir should be owned by
>mgt_param.uid, otherwise unlinking the compiled .so will fail when
>setuid(mgt_param.uid) succeeds.

I'm not sure I follow?

The .so file is unlinked from the mgt process with full privs, isn't it?


--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk [at] FreeBSD | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

