Hi phk, testing the new sandbox code I noticed that the tmpdir should be owned by mgt_param.uid, otherwise unlinking the compiled .so will fail when setuid(mgt_param.uid) succeeds.
Nils

On 08/ 2/12 06:53 PM, Nils Goroll wrote:
> Hi Phk,
>
>> I have committed part 1, and generalized the idea in part 3 but
>> not attempted to implement the solaris sandbox with it, but I
>> hope it makes it easier to do so for you guys.
>
> Thanks for the refactoring, as always, your version of the same idea is
> cleaner. :)
>
> Here's a patch for the solaris sandbox, which also fixes a nit in
> mgt_sandbox.c
>
> Thanks, Nils
>
> _______________________________________________
> varnish-dev mailing list
> [email protected]
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev
>From b8b4c488e256d12ab769bad4c552908647a53a5e Mon Sep 17 00:00:00 2001 From: Nils Goroll <[email protected]> Date: Thu, 2 Aug 2012 20:02:58 +0200 Subject: [PATCH] give away the tmpdir to the privilege seperation user --- bin/varnishd/mgt/mgt_main.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c index 7b42437..38aaf0c 100644 --- a/bin/varnishd/mgt/mgt_main.c +++ b/bin/varnishd/mgt/mgt_main.c @@ -45,6 +45,7 @@ #include "mgt/mgt.h" #include "common/heritage.h" +#include "common/params.h" #include "hash/hash_slinger.h" #include "vav.h" @@ -577,6 +578,15 @@ main(int argc, char * const *argv) dirname, strerror(errno)); exit(1); } + /* + * XXX compiling with privilege seperation requires that the working dir + * be writable by the user we setuid to, but with least privileges + * in effect, the following checks could fail if the user varnish + * is started with can run setuid, but does now have super cow powers + * on files (solaris: file_dac_write) + * + */ + (void)chown(dirname, mgt_param.uid, mgt_param.gid); if (chdir(dirname) < 0) { fprintf(stderr, "Cannot change to working directory '%s': %s\n", -- 1.5.6.5
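Review bot: In the main() hunk, the result of chown(dirname, mgt_param.uid, mgt_param.gid) is thrown away with a (void) cast, so when the call fails the working directory silently stays owned by the starting user and the problem only shows up later as a failure to write or unlink there, with nothing pointing back to the cause. Since the comment itself says the call can fail under least privilege, I would check the return value and at least report it with strerror(errno), as the neighbouring chdir() failure path does, even if startup is then allowed to continue. The comment also needs a pass: "does now have" reads as a typo for "does not have", "seperation" should be "separation", and "the following checks could fail" describes a single unchecked call rather than any checks.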
