1VMOD_UNIX(3)                                                      VMOD_UNIX(3)
2
3
4

NAME

6       vmod_unix - Utilities for Unix domain sockets
7

SYNOPSIS

9          import unix [as name] [from "path"]
10
11          STRING user()
12
13          STRING group()
14
15          INT uid()
16
17          INT gid()
18

DESCRIPTION

20       This  VMOD  provides  information  about  the  credentials  of the peer
21       process (user and group of the process owner) that is  connected  to  a
22       Varnish listener via a Unix domain socket, if the platform supports it.
23
24       Examples:
25
26          import unix;
27
28          sub vcl_recv {
29                # Return "403 Forbidden" if the connected peer is
30                # not running as the user "trusteduser".
31                if (unix.user() != "trusteduser") {
32                        return( synth(403) );
33                }
34
35                # Require the connected peer to run in the group
36                # "trustedgroup".
37                if (unix.group() != "trustedgroup") {
38                        return( synth(403) );
39                }
40
41                # Require the connected peer to run under a specific numeric
42                # user id.
43                if (unix.uid() != 4711) {
44                        return( synth(403) );
45                }
46
47                # Require the connected peer to run under a numeric group id.
48                if (unix.gid() != 815) {
49                        return( synth(403) );
50                }
51          }
52
53       Obtaining  the peer credentials is possible on a platform that supports
54       one of the following:
55
56       • getpeereid(3) (such as FreeBSD and other BSD-derived systems)
57
58       • the socket option SO_PEERCRED for getsockopt(2) (Linux)
59
60       • getpeerucred(3C) (SunOS and descendants)
61
62       On SunOS and friends, the PRIV_PROC_INFO privilege set is added to  the
63       Varnish child process while the VMOD is loaded, see setppriv(2).
64
65       On  most  platforms,  the value returned is the effective user or group
66       that was valid when the peer process initiated the connection.
67
68   STRING user()
69       Return the user name of the peer process owner.
70
71   STRING group()
72       Return the group name of the peer process owner.
73
74   INT uid()
75       Return the numeric user id of the peer process owner.
76
77   INT gid()
78       Return the numeric group id of the peer process owner.
79

ERRORS

81       All functions in this VMOD are subject to the following constraints:
82
83       • None of them may be called in vcl_init{} or  vcl_fini{}.  If  one  of
84         them is called in vcl_init{}, then the VCL program will fail to load,
85         with an error message from the VMOD.
86
87       • If called on a platform that is not supported, then  VCL  failure  is
88         invoked.  An  error message is written to the log (with the VCL_Error
89         tag), and for all VCL subroutines except for vcl_synth{}, control  is
90         directed  immediately to vcl_synth{}, with the response status set to
91         503 and the reason string set to "VCL failed".
92
93         If  the  failure  occurs  during  vcl_synth{},  then  vcl_synth{}  is
94         aborted, and the the response line "503 VCL failed" is sent.
95
96       • If  the  current  listener is not a Unix domain socket, or if the at‐
97         tempt to read credentials fails, then a VCL_Error message is  written
98         to  the  log. The STRING functions (unix.user() and unix.group()) re‐
99         turn NULL, while the INT functions (unix.uid() and unix.gid()) return
100         -1.
101

SEE ALSO

103varnishd(1)
104
105vcl(7)
106
107       • getpeereid(3)
108
109getsockopt(2)
110
111       • getpeerucred(3C)
112
113       • setppriv(2)
114
116          This document is licensed under the same conditions as Varnish itself.
117          See LICENSE for details.
118
119          Authors: Geoffrey Simmons <geoffrey.simmons@uplex.de>
120
121
122
123
124                                                                  VMOD_UNIX(3)
Impressum