varnish security

Chris Hecker checker at d6.com
Mon Jul 12 11:01:42 CEST 2010


> Yes: Protect the directory you specify with the -n argument.

Ah, okay, thanks.  Is that just created with the umask of root or
something on startup?  Maybe the docs for varnishd should mention this?
I tried searching for various terms "permissions", "security", etc. in
the docs

> I presume you also bothered to read the vendor response?

Of course.  I was just pointing out the related thread.

Maybe a wiki page on varnish-cache.org on securing varnish would be 
useful here.  It could contain the thing about the file permissions 
above, a short discussion of the CLI, etc.  That would help, and 
couldn't hurt.

The Husqvarna analogy is slightly flawed since most people can't run

yum install husqvarna

and have one magically appear at their feet, gassed and ready to go.  :)

Chris



On 2010/07/12 01:37, Poul-Henning Kamp wrote:
> In message<4C3AD22C.6010709 at d6.com>, Chris Hecker writes:
>
>> It looks like all users can access the log shared memory for varnishd
>> (so they can run varnishlog, varnishstat, varnishncsa, etc.).  Is there
>> a way to prevent that?  It's not a huge priority for my current setup,
>> but I was just surprised.
>
> Yes: Protect the directory you specify with the -n argument.
>
>> I noticed there was a thread about the vcl.load interface on
>> securityfocus as well:
>>
>> http://www.securityfocus.com/archive/1/510360
>
> I presume you also bothered to read the vendor response?
>
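
Added example (not part of the original thread and not code from the Varnish project): a small audit of the directory passed to varnishd -n, reporting whether users outside its owner and group can reach the files in it. The function names are hypothetical, and only mode bits are examined.

```shell
#!/bin/sh
# Added example: audit the directory given to varnishd -n for access by
# users outside its owner and group. Only mode bits are checked; ACLs and
# the permissions of parent directories are out of scope.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# True if the "other" permission digit of $1 has any bit of mask $2 set.
other_has() {
    mode=$(mode_of "$1") || return 2
    last=${mode#"${mode%?}"}          # last octal digit = "other" bits
    [ $(( last & $2 )) -ne 0 ]
}

# Returns 0 if no file in the directory is readable by other users,
# 1 if at least one is, 2 if the argument is not a directory.
audit_varnish_dir() {
    dir=$1
    findings=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Without search (x) permission on the directory, other users cannot
    # open anything inside it, whatever the modes of the files are.
    if ! other_has "$dir" 1; then
        echo "OK    $(mode_of "$dir") $dir (closed to other users)"
        return 0
    fi
    echo "WARN  $(mode_of "$dir") $dir (other users can enter)"
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        if other_has "$f" 4; then
            echo "OPEN  $(mode_of "$f") $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh audit.sh /path/given/to/varnishd-n   (path is site-specific)
if [ $# -gt 0 ]; then
    audit_varnish_dir "$1"
fi
```

The script only reports; before tightening anything, check which account the varnishd processes run as, since they need to keep their own access to the directory.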


