void
mgt_sandbox_init(void)
{
struct passwd *pwd;
struct group *grp;
struct vsb *sb;
unsigned subs;
/* Pick a sandbox */
#ifdef HAVE_SETPPRIV
mgt_sandbox = mgt_sandbox_solaris;
#else
mgt_sandbox = mgt_sandbox_unix;
#endif
/* Test it */
sb = VSB_new_auto();
subs = VSUB_run(sb, run_sandbox_test, NULL, "SANDBOX-test", 10);
VSB_delete(sb);
if (subs) {
MGT_complain(C_SECURITY,
"Platform-specific sandbox failed - sandboxing disabled");
MGT_complain(C_SECURITY,
"Varnish runs with elevated privileges");
mgt_sandbox = mgt_sandbox_null;
}
MCF_AddParams(mgt_parspec_sandbox);
/*
* If we have nobody/nogroup, use them as defaults for sandboxes,
* else fall back to whoever we run as.
*/
if (getpwnam("nobody") != NULL) {
MCF_SetDefault("user", "nobody");
} else {
pwd = getpwuid(getuid());
if (pwd == NULL)
ARGV_ERR("Neither user 'nobody' or my uid (%jd)"
" found in password database.\n",
(intmax_t)getuid());
MCF_SetDefault("user", pwd->pw_name);
}
endpwent();
if (getgrnam("nogroup") != NULL) {
MCF_SetDefault("group", "nogroup");
} else {
grp = getgrgid(getgid());
if (grp == NULL)
ARGV_ERR("Neither group 'nogroup' or my gid (%jd)"
" found in password database.\n",
(intmax_t)getgid());
MCF_SetDefault("group", grp->gr_name);
}
endgrent();
}
static void
tcp_probe(int sock, int nam, const char *param, unsigned def)
{
int i;
socklen_t l;
unsigned u;
char buf[10];
const char *p;
l = sizeof u;
i = getsockopt(sock, IPPROTO_TCP, nam, &u, &l);
if (i < 0 || u == 0)
u = def;
bprintf(buf, "%u", u);
p = strdup(buf);
AN(p);
MCF_SetDefault(param, p);
}
