Hi,

As explained in ticket #1663, currently varnish needs the fowner kernel capability, because it first fchowns the compiled policy module and then chmods it to 0755. This is most likely caused by a reconsideration of the discussions in ticket #1072.

This is a problem for systems running selinux, as it will deny that capability unless it gets explicitly allowed by policy. Attached is a patch to remove the chown, since the compiled module is already owned by the unprivileged user. Please let me know what you think of this.

With kind regards,
Patrick Uiterwijk
From 42610801bd1ea72833b6ddc247df6f3a49520153 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk <[email protected]> Date: Wed, 21 Jan 2015 19:41:16 +0100 Subject: [PATCH] Remove the chown, since the file is already owned by the unprivileged user. --- bin/varnishd/mgt/mgt_vcc.c | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/bin/varnishd/mgt/mgt_vcc.c b/bin/varnishd/mgt/mgt_vcc.c index f18fe41..57f9fe2 100644 --- a/bin/varnishd/mgt/mgt_vcc.c +++ b/bin/varnishd/mgt/mgt_vcc.c @@ -306,16 +306,6 @@ mgt_run_cc(const char *vcl, struct vsb *sb, int C_flag, unsigned *status) if (!subs) subs = VSUB_run(sb, run_dlopen, of, "dlopen", 10); - /* Ensure the file is readable to the unprivileged user */ - if (!subs) { - i = chmod(of, 0755); - if (i) { - VSB_printf(sb, "Failed to set permissions on %s: %s", - of, strerror(errno)); - subs = 2; - } - } - if (subs) { (void)unlink(of); *status = subs; -- 2.1.0
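Review bot: the subject line says "Remove the chown", but the block removed in this hunk is `i = chmod(of, 0755);` together with its error reporting; no chown call appears anywhere in the diff. Reword the subject (and the cover mail) to say chmod, since the chmod on a file owned by another uid is the call that requires CAP_FOWNER. Two follow-ups before merging: confirm that the compiled object comes out of the compiler subprocess with the permission bits the removed comment ("Ensure the file is readable to the unprivileged user") was guarding, because nothing in the hunk replaces that guarantee; and check whether `i` still has another use in mgt_run_cc, since its only assignment visible in this hunk goes away and the variable may now be unused.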
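The kernel rule behind the mail (a process may change a file's mode only if it owns the file or holds CAP_FOWNER, so a root manager calling chmod() on an object owned by the unprivileged compiler user hits the capability check) is shown below in an added C example that is not part of the patch or of Varnish: the owning process can set 0755 on its own file without any capability. The scratch path and the function names are constructed for this example.

```c
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* chmod()/fchmod() succeed only if the caller owns the file or holds
 * CAP_FOWNER.  Returns 1 if changing the mode of `fd` from this process
 * would need CAP_FOWNER, 0 if the caller is the owner, -1 on error. */
int chmod_needs_fowner(int fd)
{
	struct stat st;

	if (fstat(fd, &st) < 0)
		return (-1);
	return (st.st_uid != geteuid());
}

/* Set permission bits on a file this process already owns.  No capability
 * is involved: the owner may always fchmod() its own file.  Returns the
 * resulting bits (e.g. 0755) or -1 on error. */
int set_mode_as_owner(int fd, mode_t mode)
{
	struct stat st;

	if (fchmod(fd, mode) < 0 || fstat(fd, &st) < 0)
		return (-1);
	return ((int)(st.st_mode & 07777));
}

/* Create a scratch file the way the compiler subprocess creates the
 * compiled VCL object (owned by the current, unprivileged uid) and let the
 * owner set the mode itself.  Returns the final mode bits, or -1. */
int demo_owner_sets_mode(void)
{
	char path[] = "/tmp/vcl_example_XXXXXX";	/* constructed scratch path */
	int fd, mode;

	fd = mkstemp(path);			/* created 0600, owned by us */
	if (fd < 0)
		return (-1);
	if (chmod_needs_fowner(fd) != 0) {	/* owner: no CAP_FOWNER needed */
		close(fd);
		unlink(path);
		return (-1);
	}
	mode = set_mode_as_owner(fd, 0755);
	close(fd);
	unlink(path);
	return (mode);
}
```

The same fchmod() placed in the subprocess that produces the object would keep the "readable to the unprivileged user" guarantee without the manager ever needing CAP_FOWNER.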
_______________________________________________
varnish-dev mailing list
[email protected]
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev
