Idea for multi-level CLI access control

2023-06-26 Thread Poul-Henning Kamp
We talked about the overall security model during bugwash today and
while trimming the hedges I had the following idea:

Today the fundamental authentication to open a CLI port is that
you have access to the exact and entire contents of the "secret"
file and can generate a proof of this.

We keep that, but...

1.  We allow varnishd to have multiple secret files.
When a CLI connection attempts to authenticate, varnishd tries
them all.

2.  Secret files can be "old style" or "new style", in both
cases the "proof" uses the entire content of the secret file,
byte for byte.

3.  "New style" secret files have the following syntax:

Lines which start with '#' are comments and are ignored.

First line:

"secret: "  NL

Then any number of rules:

("permit: " | "deny: ")  NL

varnishd always appends a "deny: ." rule at the end of the
list of rules.

All submitted CLI commands are tested against these rules in
the order they appear in the secret file, and the search
terminates when one of them matches.

A trivial example of a secret file could be:

    secret: swordfish
    deny: vcl
    deny: stop
    # Note: Do not name a backend "kanban"
    deny: ban

Random notes:

* Ideally the help command output is also filtered through the rules.

* Varnishd should identify itself (-i/-n) in the 107 message so that the
  client can pick which secret file to use if it has access to multiple.

* Varnishadm could look for secret files in ~/.varnish/${-i/-n arg}

Comments ?

-- 
Poul-Henning Kamp   | UNIX since Zilog Zeus 3.20
p...@freebsd.org | TCP/IP since RFC 956
FreeBSD committer   | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
___
varnish-dev mailing list
varnish-dev@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev
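
The proposal above, sketched as an added example (not code from the mail or from varnishd): several "new style" secret files are tried in turn, and the rules of the one that authenticated are applied first-match-wins. Assumptions: rule patterns are regular expressions matched unanchored against the command line, the proof is the SHA256 challenge construction of the current CLI protocol, and the function names, the second file and the final "permit: ." rule are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample: the rules from the mail plus a final "permit: ." rule.
OPERATOR = b"""secret: swordfish
deny: vcl
deny: stop
# Note: Do not name a backend "kanban"
deny: ban
permit: .
"""
READONLY = b"secret: tr0ub4dor\npermit: ^(ping|status)$\n"  # constructed

def parse_rules(data: bytes):
    """Parse a new-style secret file into an ordered (verb, regex) list."""
    lines = [l for l in data.decode().splitlines() if not l.startswith("#")]
    if not lines or not lines[0].startswith("secret: "):
        raise ValueError("first line must be 'secret: ...'")
    rules = []
    for line in lines[1:]:
        verb, sep, pattern = line.partition(": ")
        if verb not in ("permit", "deny") or not pattern:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((verb, re.compile(pattern)))  # assumption: regex syntax
    return rules + [("deny", re.compile("."))]  # always appended last

def is_permitted(rules, command: str) -> bool:
    """First matching rule wins; an unmatched (empty) command is denied."""
    for verb, pattern in rules:
        if pattern.search(command):  # assumption: unanchored match
            return verb == "permit"
    return False

def proof(challenge: str, secret_file: bytes) -> str:
    """SHA256 over challenge, NL, entire file byte for byte, challenge, NL."""
    c = challenge.encode() + b"\n"
    return hashlib.sha256(c + secret_file + c).hexdigest()

def authenticate(secret_files: dict, challenge: str, response: str):
    """Try every secret file; return (name, rules) for the one that matches."""
    for name, data in secret_files.items():
        if hmac.compare_digest(proof(challenge, data), response):
            return name, parse_rules(data)
    return None
```

With the unanchored match assumed here, "deny: ban" also rejects any command line that merely contains "ban", which is the case the "kanban" comment in the sample file refers to.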


Coverity Scan: Analysis completed for varnish

2023-06-26 Thread scan-admin


Your request for analysis of varnish has been completed successfully.
The results are available at 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrJbcjUxJo9eCHXi2QbgV6mmItSKtPrD4wtuBl7WlE3MQ-3D-3DmJ6c_WyTzqwss9kUEGhvWd0SG502mTu1yasCtuh9h-2FD3Je4-2FEqCAsYPKAEt0BUcBP1ddmDShgfCJ3L2C6jCYk8Kg9pPcVpYap1qMFM3leBGirmABWoJcy7TLGm8qh-2BuZUVeWaJoWq1xd6-2BRm4uY9eVHwReIkWdvaK0c1ujYiss6j3B7ChgRaKV43jpFSv-2BdRYQhqa2wJWa-2Bnk-2BOO6R2Z9BkydQNFJEspXX951We295MTLKcs-3D

Build ID: 540476

Analysis Summary:
   New defects found: 0
   Defects eliminated: 0
