Solaris sandbox changes.

Submitted by: Nils Goroll Conflicts: bin/varnishd/mgt_sandbox_solaris.c
varnish · Oct 18, 2011 · 5cc9462 · 5cc9462
1 parent 66ba62e
commit 5cc9462
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 3 deletions.
diff --git a/bin/varnishd/mgt.h b/bin/varnishd/mgt.h
@@ -75,6 +75,7 @@ void mgt_sandbox(void);
 #ifdef HAVE_SETPPRIV
 void mgt_sandbox_solaris_init(void);
 void mgt_sandbox_solaris_fini(void);
+void mgt_sandbox_solaris_privsep(void);
 #endif
 
 /* mgt_shmem.c */

diff --git a/bin/varnishd/mgt_sandbox.c b/bin/varnishd/mgt_sandbox.c
@@ -62,17 +62,17 @@
 void
 mgt_sandbox(void)
 {
-
 #ifdef HAVE_SETPPRIV
 	mgt_sandbox_solaris_init();
-#endif
-
+	mgt_sandbox_solaris_privsep();
+#else
 	if (geteuid() == 0) {
 		XXXAZ(setgid(params->gid));
 		XXXAZ(setuid(params->uid));
 	} else {
 		REPORT0(LOG_INFO, "Not running as root, no priv-sep");
 	}
+#endif
 
 	/* On Linux >= 2.4, you need to set the dumpable flag
 	   to get core dumps after you have done a setuid. */

diff --git a/bin/varnishd/mgt_sandbox_solaris.c b/bin/varnishd/mgt_sandbox_solaris.c
@@ -42,6 +42,10 @@
 #ifdef HAVE_PRIV_H
 #include <priv.h>
 #endif
+#include <stdio.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
 
 #include "mgt.h"
 #include "heritage.h"
@@ -154,6 +158,20 @@ mgt_sandbox_solaris_init(void)
 	priv_freeset(priv_all);
 }
 
+void
+mgt_sandbox_solaris_privsep(void)
+{
+	if (priv_ineffect(PRIV_PROC_SETID)) {
+                if (getgid() != params->gid)
+                        XXXAZ(setgid(params->gid));
+                if (getuid() != params->uid)
+                        XXXAZ(setuid(params->uid));
+        } else {
+                REPORT(LOG_INFO, "Privilege %s missing, will not change uid/gid",
+		    PRIV_PROC_SETID);
+        }
+}
+
 /* 
  * Waive most privileges in the child
  *