
Mailing List Archive: Varnish: Misc

varnish security

 

 



checker at d6

Jul 12, 2010, 1:28 AM

Post #1 of 9 (1182 views)
varnish security

It looks like all users can access the log shared memory for varnishd
(so they can run varnishlog, varnishstat, varnishncsa, etc.). Is there
a way to prevent that? It's not a huge priority for my current setup,
but I was just surprised.

I noticed there was a thread about the vcl.load interface on
securityfocus as well:

http://www.securityfocus.com/archive/1/510360

Chris



_______________________________________________
varnish-misc mailing list
varnish-misc [at] varnish-cache
http://lists.varnish-cache.org/mailman/listinfo/varnish-misc


phk at phk

Jul 12, 2010, 1:37 AM

Post #2 of 9 (1167 views)
Re: varnish security

In message <4C3AD22C.6010709 [at] d6>, Chris Hecker writes:

>It looks like all users can access the log shared memory for varnishd
>(so they can run varnishlog, varnishstat, varnishncsa, etc.). Is there
>a way to prevent that? It's not a huge priority for my current setup,
>but I was just surprised.

Yes: Protect the directory you specify with the -n argument.

>I noticed there was a thread about the vcl.load interface on
>securityfocus as well:
>
>http://www.securityfocus.com/archive/1/510360

I presume you also bothered to read the vendor response?

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk [at] FreeBSD | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

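What "protect the directory you specify with the -n argument" means in practice: the shared memory log that varnishlog, varnishstat and varnishncsa open lives inside varnishd's working directory, so the "other" permission bits of that directory decide whether every local account can read it. The script below is an added example, not code from the Varnish project or from anyone in this thread: it audits a working directory for world access and recreates it with mode 0750. The directory path and the group name are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not Varnish project code): audit and harden the varnishd
# working directory, i.e. the path handed to varnishd -n. The shared memory
# log that varnishlog/varnishstat/varnishncsa read lives in that directory,
# so its "other" permission bits decide whether every local user can read it.
# The directory path and group name used below are illustrative.

# world_accessible DIR: succeed (0) if any of the "other" rwx bits is set.
# Uses ls -ld rather than stat so it works on both GNU and BSD userland;
# characters 8-10 of the mode string are the "other" bits, e.g. drwxr-xr-x.
world_accessible() {
    other=$(ls -ld "$1" | cut -c8-10)
    case "$other" in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}

# harden_workdir DIR GROUP: make DIR enterable only by its owner and GROUP
# (mode 0750). In production run this as root so the owner stays root and
# GROUP is the group of the operators allowed to run varnishlog; as a
# non-root user chgrp only succeeds for a group you are a member of.
harden_workdir() {
    dir=$1
    grp=$2
    mkdir -p "$dir"
    chgrp "$grp" "$dir"
    chmod 0750 "$dir"
}

# Report on the directory given as the first argument, if any, so the script
# can be run as: sh audit_workdir.sh /var/lib/varnish/$(hostname)
if [ $# -gt 0 ]; then
    if world_accessible "$1"; then
        echo "WARNING: $1 is world-accessible; any local user can read the varnish shm log" >&2
        exit 2
    fi
    echo "OK: $1 is not world-accessible"
fi
```

After hardening, start varnishd with `-n` pointing at that directory and confirm from an account outside the group that `varnishlog -n <dir>` is refused, while an account in the group can still run `varnishstat -n <dir>`. Restart varnishd and check it still comes up; if it runs its worker as a separate `-u` user that also needs the directory, add that user to the group rather than restoring the world bits.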


checker at d6

Jul 12, 2010, 2:01 AM

Post #3 of 9 (1176 views)
Re: varnish security

> Yes: Protect the directory you specify with the -n argument.

Ah, okay, thanks. Is that just created with the umask of root or
something on startup? Maybe the docs for varnishd should mention this?
I tried searching for various terms, "permissions", "security", etc., in
the docs.

> I presume you also bothered to read the vendor response?

Of course. I was just pointing out the related thread.

Maybe a wiki page on varnish-cache.org on securing varnish would be
useful here. It could contain the thing about the file permissions
above, a short discussion of the CLI, etc. That would help, and
couldn't hurt.

The Husqvarna analogy is slightly flawed since most people can't run

yum install husqvarna

and have one magically appear at their feet, gassed and ready to go. :)

Chris






phk at phk

Jul 12, 2010, 3:20 AM

Post #4 of 9 (1163 views)
Re: varnish security

In message <4C3AD9F6.8020307 [at] d6>, Chris Hecker writes:

>> I presume you also bothered to read the vendor response?
>
>Of course. I was just pointing out the related thread.

Uhm, no, you pointed to the message with the bogo-advisory and
I do not seem to be able to find any ensuing discussion from there?

>Maybe a wiki page on varnish-cache.org on securing varnish would be
>useful here. It could contain the thing about the file permissions
>above, a short discussion of the CLI, etc. That would help, and
>couldn't hurt.

Yeah, our docs need work...

>The Husqvarna analogy is slightly flawed since most people can't run
>yum install husqvarna
>and have one magically appear at their feet, gassed and ready to go. :)

That argument would be much more convincing, if sites like this
did not exist:

http://www.baileysonline.com/search.asp?SKW=HVF%20390XP&catID=11443

Poul-Henning




checker at d6

Jul 12, 2010, 12:05 PM

Post #5 of 9 (1147 views)
Re: varnish security

> Uhm, no, you pointed to the message with the bogo-advisory and I do
> not seem to be able to find any ensuing discussion from there?

Scroll down? Search for "Vendor Response", it's got your complete
email/rant. :)

Chris





phk at phk

Jul 13, 2010, 1:03 AM

Post #6 of 9 (1145 views)
Re: varnish security

In message <4C3B6787.4000703 [at] d6>, Chris Hecker writes:
>
>> Uhm, no, you pointed to the message with the bogo-advisory and I do
>> not seem to be able to find any ensuing discussion from there?
>
>Scroll down? Search for "Vendor Response", it's got your complete
>email/rant. :)

Yes, but you indicated a further discussion?





checker at d6

Jul 13, 2010, 10:03 AM

Post #7 of 9 (1150 views)
Re: varnish security

> Yes, but you indicated a further discussion?

No, I just meant the "thread" on that page, the advisory, followup, your
response, etc.

Chris






phk at phk

Jul 13, 2010, 11:20 AM

Post #8 of 9 (1149 views)
Re: varnish security

In message <4C3C9C62.1060706 [at] d6>, Chris Hecker writes:
>
>> Yes, but you indicated a further discussion?
>
>No, I just meant the "thread" on that page, the advisory, followup, your
>response, etc.

Ahh ok. Sorry for my misunderstanding then.

Poul-Henning




kacperw at gmail

Oct 3, 2012, 10:21 AM

Post #9 of 9 (597 views)
Re: Varnish Security

On Mon, Oct 1, 2012 at 10:22 PM, Vladimir Efros
<vladimir.efros [at] gmail> wrote:

> but /etc/varnish/security/build/variables.vcl is not included into the git.
> I commented it out, and it is working fine but where can I get
> /etc/varnish/security/build/variables.vcl?

run 'make' in the vcl/ directory to build the variables.vcl file.

