varnish security

Poul-Henning Kamp phk at phk.freebsd.dk
Mon Jul 12 10:37:23 CEST 2010


In message <4C3AD22C.6010709 at d6.com>, Chris Hecker writes:

>It looks like all users can access the log shared memory for varnishd 
>(so they can run varnishlog, varnishstat, varnishncsa, etc.).  Is there 
>a way to prevent that?  It's not a huge priority for my current setup, 
>but I was just surprised.

Yes: Protect the directory you specify with the -n argument.

>I noticed there was a thread about the vcl.load interface on 
>securityfocus as well:
>
>http://www.securityfocus.com/archive/1/510360

I pressume you also bothered to read the vendor response ?

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.



More information about the varnish-misc mailing list