[Pkg-varnish-devel] umask problem in init.d script

Jan Carreras inedit00 at gmail.com
Tue Jan 24 20:04:43 UTC 2012


I've detected what I suspect is a bug in the Debian varnishd package
(3.0.2-1) installed with aptitude.

I like to have my system secured, and that's why all my users have
"umask 077". The problem here is that varnishd creates a file as
root, expecting that it will be world readable. When it then
tries to read the file again as the user "varnish" instead of
"root", an error happens. I understand that this is a problem of the
script /etc/init.d/varnish, since it does not provide the expected
environment to the daemon. If I'm wrong, please let me know.

How to reproduce it:

root# echo "umask 077" >> ~/.bashrc
root# source ~/.bashrc
root# sudo /etc/init.d/varnish start
Starting HTTP accelerator: varnishd.
root# tail -8 /var/log/syslog
Jan 24 20:11:10 tpad varnishd[22788]: Platform:
Linux,3.1.0-1-amd64,x86_64,-smalloc,-smalloc,-hcritbit
Jan 24 20:11:10 tpad varnishd[22788]: child (22789) Started
Jan 24 20:11:10 tpad varnishd[22788]: Pushing vcls
failed:#012dlopen(./vcl.KbVBPEoY.so): ./vcl.KbVBPEoY.so: cannot open
shared object file: Permission denied
Jan 24 20:11:10 tpad varnishd[22788]: Stopping Child
Jan 24 20:11:10 tpad varnishd[22788]: Child (22789) said Child starts
Jan 24 20:11:10 tpad varnishd[22788]: Child (22789) said Child dies
Jan 24 20:11:10 tpad varnishd[22788]: Child (22789) died status=1
Jan 24 20:11:10 tpad varnishd[22788]: Child cleanup complete
root# find / -name "vcl.KbVBPEoY.so"
/var/lib/varnish/tpad/vcl.KbVBPEoY.so
root# ls -l /var/lib/varnish/tpad/vcl.KbVBPEoY.so
-rwx------ 1 root root 22517 Jan 24 20:21 /var/lib/varnish/tpad/vcl.KbVBPEoY.so

As we can see, this file has permissions only for "root". If "permission
denied" happens, it's because we are trying to read the file as the
"varnish" user.


One solution to this problem is adding the following to the file
/etc/init.d/varnish at line 25:
umask 022

This will fix the problem by giving the file the proper permissions
(755) when it is created. It looks like this is a common solution, since
I've seen it in other packages such as ssh, bootlogd, urandom, rc,
umountfs, etc.


Regards, Jan Carreras.
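Added example (not part of the report above, nor of the Debian varnish package): a small POSIX sh script that reproduces the mechanism described in the report with constructed paths. A "daemon" started from a shell with umask 077 inherits that umask and creates a file only root can read, while a start function that sets "umask 022" first, as the proposed fix does, produces a world-readable file regardless of the caller's shell. The file name vcl.example.so and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example: why an init script should set its own umask.
# Nothing here is taken from /etc/init.d/varnish; the daemon is faked.

# Stand-in for a daemon started as root that writes a compiled VCL
# shared object into its work directory (the real vcl.XXXX.so).
fake_daemon() {
    : > "$1/vcl.example.so"
}

# Init-script variant WITHOUT its own umask: the daemon inherits
# whatever umask the caller's shell had (e.g. 077 from ~/.bashrc).
start_unfixed() {
    fake_daemon "$1"
}

# Init-script variant WITH the fix: a known umask is set before the
# daemon starts, so the caller's setting no longer matters.
start_fixed() {
    umask 022
    fake_daemon "$1"
}

# Octal permission bits of a file (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Simulate "root with umask $2 runs start function $1" and print the
# mode of the file the daemon created. Runs in a subshell so the
# caller's own umask is never changed.
mode_after_start() {
    dir=$(mktemp -d)
    ( umask "$2"; "$1" "$dir" )
    file_mode "$dir/vcl.example.so"
    rm -rf "$dir"
}

# True if the "others" read bit is set in an octal mode string (644 -> yes,
# 600 -> no). This is what an unprivileged child running as "varnish"
# needs when dlopen()ing the object root compiled.
others_can_read() {
    last=${1#"${1%?}"}          # last octal digit = permissions for others
    [ $(( last & 4 )) -ne 0 ]
}

# Demo: compare both init-script variants under a permissive and a
# restrictive caller umask.
for mask in 022 077; do
    printf 'caller umask %s: unfixed -> %s, fixed -> %s\n' "$mask" \
        "$(mode_after_start start_unfixed "$mask")" \
        "$(mode_after_start start_fixed "$mask")"
done
```

The 077 row is the situation from the report: the unfixed start leaves a mode-600 file that only root can open, which is exactly the "Permission denied" the child process logs, while the fixed start yields 644 no matter how restrictive the administrator's shell is.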


