BBlack has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/349956 )
Change subject: [untested] keep CAP_SYS_NICE in varnishd worker child proc
......................................................................
[untested] keep CAP_SYS_NICE in varnishd worker child proc
Also requires linking against libcap2 (-lcap)
Change-Id: I69ed1f069ad731e0befb886a0d5d472e190d3bb1
---
M bin/varnishd/mgt/mgt_jail_unix.c
1 file changed, 33 insertions(+), 2 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/debs/varnish4
refs/changes/56/349956/1
diff --git a/bin/varnishd/mgt/mgt_jail_unix.c b/bin/varnishd/mgt/mgt_jail_unix.c
index 3c9f658..df05f7b 100644
--- a/bin/varnishd/mgt/mgt_jail_unix.c
+++ b/bin/varnishd/mgt/mgt_jail_unix.c
@@ -44,6 +44,7 @@
#ifdef __linux__
#include <sys/prctl.h>
+#include <sys/capability.h>
#endif
static gid_t vju_mgr_gid;
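Review bot: `#include <sys/capability.h>` is guarded only by `__linux__`, but that header is shipped by libcap (libcap-dev), not by the kernel headers or libc, so a Linux build without libcap installed fails here; the change description itself notes the new `-lcap` link dependency. Gating the include, and the capability code it serves, on a build-system feature macro such as `HAVE_LIBCAP` (with the `#ifdef __linux__` blocks switched to the same macro) or else recording libcap as a hard build dependency in the packaging would make the requirement explicit rather than discovered at compile time. The include sits in the file's header section, outside any function.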
@@ -217,13 +218,43 @@
AZ(setgroups(i, gid_list));
}
- if (vju_wrkuser != NULL &&
- (jse == JAIL_SUBPROC_VCLLOAD || jse == JAIL_SUBPROC_WORKER)) {
+ if (vju_wrkuser != NULL && jse == JAIL_SUBPROC_VCLLOAD) {
AZ(setuid(vju_wrkuid));
} else {
AZ(setuid(vju_uid));
}
+ if (jse == JAIL_SUBPROC_WORKER) {
+#ifdef __linux__
+ // This restricts our root privs down to just setuid + nice
+ const cap_value_t caps_nice_setuid[] = {
+ CAP_SYS_NICE,
+ CAP_SETUID,
+ };
+ cap_t caps_pre = cap_init();
+ assert(caps_pre != NULL);
+ AZ(cap_set_flag(caps_pre, CAP_PERMITTED, 2, caps_nice_setuid,
CAP_SET));
+ AZ(cap_set_flag(caps_pre, CAP_EFFECTIVE, 2, caps_nice_setuid,
CAP_SET));
+ AZ(cap_set_proc(caps_pre));
+ AZ(cap_free(caps_pre));
+ AZ(prctl(PR_SET_KEEPCAPS, 1)); // keep caps across setuid()
+#endif
+ if (vju_wrkuser != NULL) {
+ AZ(setuid(vju_wrkuid));
+ } else {
+ AZ(setuid(vju_uid));
+ }
+#ifdef __linux__
+ // Post-setuid, we restrict ourselves further to just nice
+ cap_t caps_post = cap_init();
+ assert(caps_post != NULL);
+ AZ(cap_set_flag(caps_post, CAP_PERMITTED, 1, cap_nice_setuid,
CAP_SET));
+ AZ(cap_set_flag(caps_post, CAP_EFFECTIVE, 1, cap_nice_setuid,
CAP_SET));
+ AZ(cap_set_proc(caps_post));
+ AZ(cap_free(caps_post));
+#endif
+ }
+
#ifdef __linux__
/*
* On linux mucking about with uid/gid disables core-dumps,
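Review bot: The worker child now changes uid twice: because `jse == JAIL_SUBPROC_WORKER` no longer satisfies the first condition, it takes the else branch and runs `AZ(setuid(vju_uid))` before the capability block, and on Linux a setuid() away from root without PR_SET_KEEPCAPS clears the permitted set, so the later `cap_set_proc(caps_pre)` cannot raise CAP_SYS_NICE/CAP_SETUID and AZ() aborts the child (on other platforms the second setuid() to vju_wrkuid would fail with EPERM instead, unless the two uids happen to coincide). The else should skip the worker, `} else if (jse != JAIL_SUBPROC_WORKER) {`, so the worker's only uid change is the one that follows `prctl(PR_SET_KEEPCAPS, 1)`. The post-setuid block also references a name that is never declared — `cap_nice_setuid` on both cap_set_flag() calls should be `caps_nice_setuid` — and passing a count of 1 over that array silently relies on CAP_SYS_NICE being its first element; a dedicated `const cap_value_t caps_nice[] = { CAP_SYS_NICE };` would make the intended reduction explicit. Since capset(2) acts on the calling thread, a short comment that this must run before the worker creates any threads would document an assumption the code depends on. The enclosing function begins before the hunk.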
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: I69ed1f069ad731e0befb886a0d5d472e190d3bb1
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/varnish4
Gerrit-Branch: debian-wmf
Gerrit-Owner: BBlack <[email protected]>