Re: Unprivileged user?
In message <[EMAIL PROTECTED]>, Stig Sandbeck Mathisen writes:
>On Tue, 15 Apr 2008 00:01:17 -0700, Ricardo Newbery <[EMAIL PROTECTED]> said:
>
>> In Varnish, does the less-privileged user need access to anything?
>
>After it has dropped root privileges, it needs at least:
>
>* Open new network connections (no problem unless you use MAC or a
>  uid-matching firewall)

No, it accepts them only.

>* Read access to where you store your VCL files

No, the vcl files are read by the master process which does not
drop privilege.

>* Execute a C compiler

Same.

>* Write access to its cache directory, to store the compiled
>  configuration

Same.

Please figure out how varnish really works before you accuse us of
being incompetent.

--
Poul-Henning Kamp  | UNIX since Zilog Zeus 3.20
[EMAIL PROTECTED]  | TCP/IP since RFC 956
FreeBSD committer  | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc
Re: Unprivileged user?
In message <[EMAIL PROTECTED]>, "Michael S. Fischer" writes:
>> Varnish for instance assumes that the administrator is not a total
>> madman, who would do something as patently stupid as you propose
>> above, under the general assumption that if he were, varnish would
>> be the least of his troubles.
>
>I'm not saying that they would; I'm just saying that you can't count
>on user 'nobody' having the precise role that a security-conscious
>sysadmin would want.

Which is why there is a -u argument, for people who muck up the
configuration that has been standard on all decent UNIX'es for the
last 15 years.

--
Poul-Henning Kamp  | UNIX since Zilog Zeus 3.20
[EMAIL PROTECTED]  | TCP/IP since RFC 956
FreeBSD committer  | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Re: Unprivileged user?
On Tue, 15 Apr 2008 00:01:17 -0700, Ricardo Newbery <[EMAIL PROTECTED]> said:

> In Varnish, does the less-privileged user need access to anything?

After it has dropped root privileges, it needs at least:

* Open new network connections (no problem unless you use MAC or a
  uid-matching firewall)
* Read access to where you store your VCL files
* Execute a C compiler
* Write access to its cache directory, to store the compiled
  configuration
* Write core dumps

...possibly more.

--
Stig Sandbeck Mathisen, Linpro
Re: Unprivileged user?
On Tue, Apr 15, 2008 at 1:16 AM, Poul-Henning Kamp <[EMAIL PROTECTED]> wrote:

> >Well-engineered software doesn't make potentially false assumptions
> >about the environment in which it runs.
>
> And they don't.
>
> Varnish for instance assumes that the administrator is not a total
> madman, who would do something as patently stupid as you propose
> above, under the general assumption that if he were, varnish would
> be the least of his troubles.

I'm not saying that they would; I'm just saying that you can't count
on user 'nobody' having the precise role that a security-conscious
sysadmin would want. Perhaps the sysadmin might create a 'varnishd'
user instead that also has limited access, and, hence, the -u option
is quite useful. Assuming that the nonprivileged user is named
'nobody' could well be false.

I was simply providing the most extreme example to demonstrate a point.

Best regards,

--Michael
Current stable version?
Hi

We are currently running varnish-1.0.4-3el4.i386.rpm (with a small patch).

We were planning to hold out for the next release, but our need for
per-host purging is growing rapidly...

Is it possible to say anything about how far off a release might be,
or is there a particular SVN revision that is recommended in the
meantime?

Gaute

--
Programmer - Pixelhospitalet AS
Tørkoppveien 10, 1570 Dilling
Tel. 24 12 97 81 - 9074 7344
Re: Error compiling last revision from trunk
<[EMAIL PROTECTED]> writes:
> storage_malloc.c:46: error: SIZE_T_MAX undeclared here (not in a function)"

this should be SIZE_MAX. Bad phk, no cookie!

DES
--
Dag-Erling Smørgrav
Senior Software Developer
Linpro AS - www.linpro.no
Error compiling last revision from trunk
I compiled the latest revision from trunk (2629) and received this
when I tried to start varnish:

"./bin.XXObuUCq: undefined symbol: VRT_init_dir_simple"

I then tried to recompile varnish and noticed this when I ran "make":

"Making all in varnishd
make[3]: Entering directory `/home/tvswe/varnish/trunk/varnish-cache/bin/varnishd'
gcc -DHAVE_CONFIG_H -I. -I../.. -I../../include -DVARNISH_STATE_DIR='"/usr/local/var/varnish"' -g -O2 -MT varnishd-storage_malloc.o -MD -MP -MF .deps/varnishd-storage_malloc.Tpo -c -o varnishd-storage_malloc.o `test -f 'storage_malloc.c' || echo './'`storage_malloc.c
storage_malloc.c:46: error: SIZE_T_MAX undeclared here (not in a function)"

/ Erik
Re: Unprivileged user?
In message <[EMAIL PROTECTED]>, "Michael S. Fischer" writes:
>On Tue, Apr 15, 2008 at 12:25 AM, Ricardo Newbery
><[EMAIL PROTECTED]> wrote:
>> Assuming that "nobody" is an available user on your system, then is
>> the "-u user" option for varnishd superfluous?
>
>Who's to say that "nobody" is an unprivileged user?
>
>/etc/passwd:
>
>nobody:*:0:0:alias for root:...
>
>Well-engineered software doesn't make potentially false assumptions
>about the environment in which it runs.

And they don't.

Varnish for instance assumes that the administrator is not a total
madman, who would do something as patently stupid as you propose
above, under the general assumption that if he were, varnish would
be the least of his troubles.

Can we be a bit serious here?

Thanks.

--
Poul-Henning Kamp  | UNIX since Zilog Zeus 3.20
[EMAIL PROTECTED]  | TCP/IP since RFC 956
FreeBSD committer  | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Re: Unprivileged user?
On Apr 15, 2008, at 12:31 AM, Michael S. Fischer wrote:

> On Tue, Apr 15, 2008 at 12:25 AM, Ricardo Newbery
> <[EMAIL PROTECTED]> wrote:
>> Assuming that "nobody" is an available user on your system, then is
>> the "-u user" option for varnishd superfluous?
>
> Who's to say that "nobody" is an unprivileged user?
>
> /etc/passwd:
>
> nobody:*:0:0:alias for root:...
>
> Well-engineered software doesn't make potentially false assumptions
> about the environment in which it runs.
>
> --Michael

Geez Michael... this is unnecessarily snarky. Anyone that redefines
"nobody" in this way is just asking for trouble.

But in any case, I'm not suggesting that this option is superfluous in
the general case. I'm just trying to find out whether, in the ordinary
scenario, I need to concern myself with the access privileges of the
less-privileged user -- as is the case in many other apps that do
this, like Apache or Varnish.

Ric
Re: Unprivileged user?
On Apr 15, 2008, at 12:35 AM, Poul-Henning Kamp wrote:

> In message <[EMAIL PROTECTED]>, Ricardo Newbery writes:
>
>> Assuming that "nobody" is an available user on your system, then is
>> the "-u user" option for varnishd superfluous?
>
> Yes.

Cool, thanks PHK. That's really all I wanted to know.

Ric
Re: Unprivileged user?
In message <[EMAIL PROTECTED]>, Ricardo Newbery writes:

>Assuming that "nobody" is an available user on your system, then is
>the "-u user" option for varnishd superfluous?

Yes.

You can confirm the uid nobody is used with the ps(1) command.

--
Poul-Henning Kamp  | UNIX since Zilog Zeus 3.20
[EMAIL PROTECTED]  | TCP/IP since RFC 956
FreeBSD committer  | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Re: Unprivileged user?
On Tue, Apr 15, 2008 at 12:25 AM, Ricardo Newbery <[EMAIL PROTECTED]> wrote:

> Assuming that "nobody" is an available user on your system, then is
> the "-u user" option for varnishd superfluous?

Who's to say that "nobody" is an unprivileged user?

/etc/passwd:

nobody:*:0:0:alias for root:...

Well-engineered software doesn't make potentially false assumptions
about the environment in which it runs.

--Michael
Re: Unprivileged user?
On Apr 15, 2008, at 12:15 AM, Poul-Henning Kamp wrote:

> Ricardo Newbery writes:
>
>> I'm trying to understand the purpose of the "-u user" option for
>> varnishd. It appears that even when starting up as root, and the
>> child process dropping to "nobody", Varnish is still saving and
>> serving from cache even though "nobody" doesn't have read/write
>> access to the storage file owned by root.
>
> The file is opened before the cache process drops to nobody, and in
> UNIX the access check is performed at open time and not at read/write
> time.

I must not be making myself clear. Let me try again...

Assuming that "nobody" is an available user on your system, then is
the "-u user" option for varnishd superfluous?

Ric
Re: Unprivileged user?
In message <[EMAIL PROTECTED]>, Ricardo Newbery writes:

>I'm trying to understand the purpose of the "-u user" option for
>varnishd. It appears that even when starting up as root, and the
>child process dropping to "nobody", Varnish is still saving and
>serving from cache even though "nobody" doesn't have read/write access
>to the storage file owned by root.

The file is opened before the cache process drops to nobody, and in
UNIX the access check is performed at open time and not at read/write
time.

--
Poul-Henning Kamp  | UNIX since Zilog Zeus 3.20
[EMAIL PROTECTED]  | TCP/IP since RFC 956
FreeBSD committer  | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
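The open-time access check described in the message above, as an added example that is not part of the original thread and is not Varnish code: a descriptor opened while the process still had access keeps working after access is lost, while a fresh open() of the same path is refused. The names `open_time_check_demo` and `DEMO_ID` and the scratch path under /tmp are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_ID 65534 /* assumption: uid/gid of an unprivileged account */

/* Child: lose access to path, then compare the descriptor opened earlier
 * with a fresh open(). Exit bit 0: write via the old fd worked; bit 1: the
 * fresh open() was refused. Exit code 64 means the setup itself failed. */
static void child(int fd, const char *path)
{
    int status = 0, again;
    if (geteuid() == 0) {
        /* Daemon-style drop: supplementary groups, then gid, then uid. */
        if (setgroups(0, NULL) || setgid(DEMO_ID) || setuid(DEMO_ID))
            _exit(64);
    } else if (fchmod(fd, 0) != 0) { /* not root: strip the mode bits */
        _exit(64);
    }
    if (write(fd, "cached object\n", 14) == 14)
        status |= 1;
    if ((again = open(path, O_RDWR)) < 0)
        status |= 2;
    else
        close(again);
    _exit(status);
}

/* Returns 3 when the old descriptor still works and a new open() is
 * denied; -1 if the demonstration could not be set up. */
int open_time_check_demo(void)
{
    char path[] = "/tmp/storage_demo.XXXXXX"; /* constructed scratch file */
    int st = 0, ok, fd = mkstemp(path);       /* mode 0600, owned by caller */
    if (fd < 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0)
        child(fd, path);
    ok = pid > 0 && waitpid(pid, &st, 0) == pid && WIFEXITED(st);
    close(fd);
    unlink(path);
    return ok && WEXITSTATUS(st) < 64 ? WEXITSTATUS(st) : -1;
}

int main(void) { return open_time_check_demo() == 3 ? 0 : 1; }
```

Run as root, the child performs a real setgid/setuid drop; run unprivileged, it removes the file's mode bits instead. In both cases the program exits 0 only when the earlier descriptor still writes and the new open() fails.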
Re: Unprivileged user?
On Apr 14, 2008, at 11:25 PM, Per Andreas Buer wrote:

> Ricardo Newbery wrote:
>
>> Hmm... maybe I'm missing something but this doesn't seem to answer
>> the main question. If, as you seem to imply, Varnish is opening any
>> files it needs while it's still "root", then what is the purpose of
>> the "-u user" option?
>
> I'm guessing Varnish (like most Unix daemons) opens the file as root
> and then drops its privileges. That way, when Varnish deals with the
> untrusted data coming from the network it runs as an unprivileged
> user.
>
> So, if there is a buffer overflow in Varnish, the code won't run with
> root privileges.
>
> Per.

Again, this is *not* my question. Of course dropping privileges is a
standard practice for daemons that need temporary elevated privileges.
But this does not explain the purpose that the "-u user" option serves
in the Varnish case... other than perhaps to provide another option in
case the standard default "nobody" is not available for some reason.

In Apache, the less-privileged user still needs read access to the
files it serves.

In Squid, the less-privileged user still needs write access to the
cache directory in order to create the cache storage.

In Varnish, does the less-privileged user need access to anything?

Ric