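/*
 * Select and self-test the privilege sandbox, then seed the default
 * "user" and "group" parameters.
 *
 * The platform sandbox is mgt_sandbox_solaris when HAVE_SETPPRIV is
 * defined and mgt_sandbox_unix otherwise.  run_sandbox_test is executed
 * through VSUB_run(); a non-zero result replaces the chosen sandbox with
 * mgt_sandbox_null.
 *
 * SECURITY: a failed self-test does not abort startup.  It is fail-open:
 * the only trace is the two C_SECURITY complaints below, after which the
 * program keeps running with sandboxing disabled.  Deployments that depend
 * on privilege separation should alert on those messages.
 */
void mgt_sandbox_init(void)
{
	struct passwd *pwd;
	struct group *grp;
	struct vsb *sb;
	unsigned subs;

	/* Pick a sandbox */
#ifdef HAVE_SETPPRIV
	mgt_sandbox = mgt_sandbox_solaris;
#else
	mgt_sandbox = mgt_sandbox_unix;
#endif

	/*
	 * Test it.  The vsb is deleted without being read, so whatever the
	 * test run wrote into it is discarded; only the return value of
	 * VSUB_run() decides the outcome.
	 * NOTE(review): the meaning of the trailing 10 is not visible here.
	 */
	sb = VSB_new_auto();
	subs = VSUB_run(sb, run_sandbox_test, NULL, "SANDBOX-test", 10);
	VSB_delete(sb);
	if (subs) {
		MGT_complain(C_SECURITY,
		    "Platform-specific sandbox failed - sandboxing disabled");
		MGT_complain(C_SECURITY,
		    "Varnish runs with elevated privileges");
		mgt_sandbox = mgt_sandbox_null;
	}

	MCF_AddParams(mgt_parspec_sandbox);

	/*
	 * If we have nobody/nogroup, use them as defaults for sandboxes,
	 * else fall back to whoever we run as.
	 *
	 * SECURITY: with no "nobody" account the default user is the account
	 * of the invoking uid, so a process started as root gets root as its
	 * default sandbox user.  How the selected sandbox consumes the "user"
	 * and "group" parameters is not visible in this function.
	 */
	if (getpwnam("nobody") != NULL) {
		MCF_SetDefault("user", "nobody");
	} else {
		pwd = getpwuid(getuid());
		/* ARGV_ERR is expected not to return: pwd is dereferenced next. */
		if (pwd == NULL)
			ARGV_ERR("Neither user 'nobody' or my uid (%jd)"
			    " found in password database.\n",
			    (intmax_t)getuid());
		MCF_SetDefault("user", pwd->pw_name);
	}
	endpwent();

	if (getgrnam("nogroup") != NULL) {
		MCF_SetDefault("group", "nogroup");
	} else {
		grp = getgrgid(getgid());
		/*
		 * getgrnam()/getgrgid() consult the group database, so the
		 * diagnostic names that database rather than the password one.
		 * ARGV_ERR is expected not to return: grp is dereferenced next.
		 */
		if (grp == NULL)
			ARGV_ERR("Neither group 'nogroup' or my gid (%jd)"
			    " found in group database.\n",
			    (intmax_t)getgid());
		MCF_SetDefault("group", grp->gr_name);
	}
	endgrent();
}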
/*
 * Add the TCP keep-alive parameter specification and call
 * tcp_keep_probes().  Compiles to an empty function when HAVE_TCP_KEEP
 * is not defined.
 */
void MCF_TcpParams(void)
{
#if defined(HAVE_TCP_KEEP)
	/* Parameters are added first, then tcp_keep_probes() runs. */
	MCF_AddParams(mgt_parspec_tcp_keep);
	tcp_keep_probes();
#endif /* HAVE_TCP_KEEP */
}