We talked about the overall security model during bugwash today and while trimming the hedges I had the following idea:

Today the fundamental authentication to open a CLI port is that you have access to the exact and entire contents of the "secret" file and can generate a proof of this.

We keep that, but...

1. We allow varnishd to have multiple secret files. When a CLI connection attempts to authenticate, varnishd tries them all.

2. Secret files can be "old style" or "new style"; in both cases the "proof" uses the entire content of the secret file, byte for byte.

3. "New style" secret files have the following syntax:

   Lines which start with '#' are comments and are ignored.

   First line:

       "secret: " <any number of characters in [0x20…0x7e]> NL

   Then any number of rules:

       ("permit: " | "deny: ") <regexp> NL

   varnishd always appends a "deny: ." rule at the end of the list of rules.

   All submitted CLI commands are tested against these rules in the order they appear in the secret file, and the search terminates when one of them matches.

A trivial example of a secret file could be:

    secret: swordfish
    deny: vcl
    deny: stop
    # Note: Do not name a backend "kanban"
    deny: ban

Random notes:

* Ideally the help command output is also filtered through the rules.

* Varnishd should identify itself (-i/-n) in the 107 message so that the client can pick which secret file to use if it has access to multiple.

* Varnishadm could look for secret files in ~/.varnish/${-i/-n arg}

Comments ?

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
p...@freebsd.org         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

_______________________________________________
varnish-dev mailing list
varnish-dev@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev
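A prototype of the proposed scheme, added here as an example; it is not code from the post or from Varnish. It assumes the proof stays the existing CLI challenge/response (SHA-256 over challenge, whole file bytes, challenge) and that a rule's regexp is searched anywhere in the command, which the "kanban" comment implies; note that a file with only deny rules lets the implicit "deny: ." reject every other command, so the constructed sample file ends with "permit: .".

```python
import hashlib
import re

# Constructed sample: the proposal's example file, plus a final "permit: ."
# so the implicit "deny: ." does not reject every remaining command.
OPS_SECRET = (b"secret: swordfish\ndeny: vcl\ndeny: stop\n"
              b'# Note: Do not name a backend "kanban"\ndeny: ban\npermit: .\n')

def cli_response(challenge, secret_file):
    # Existing Varnish CLI proof, assumed from the current protocol:
    # SHA-256 over challenge+NL, the whole file byte for byte, challenge+NL.
    h = hashlib.sha256()
    h.update(challenge.encode() + b"\n")
    h.update(secret_file)
    h.update(challenge.encode() + b"\n")
    return h.hexdigest()

def parse_rules(secret_file):
    # Rules of a new-style file with the implicit "deny: ." appended;
    # an old-style file (no leading "secret: " line) yields [].
    lines = [l for l in secret_file.decode("latin-1").split("\n")
             if l != "" and not l.startswith("#")]
    if not lines or not lines[0].startswith("secret: "):
        return []
    if not all(0x20 <= ord(c) <= 0x7e for c in lines[0][8:]):
        raise ValueError("secret must be printable ASCII [0x20..0x7e]")
    rules = []
    for line in lines[1:]:
        action, sep, pattern = line.partition(": ")
        if not sep or action not in ("permit", "deny"):
            raise ValueError("malformed rule line: %r" % line)
        rules.append((action, re.compile(pattern)))
    rules.append(("deny", re.compile(".")))
    return rules

def command_allowed(rules, command):
    # First matching rule wins; the regexp is searched anywhere in the
    # command, which is why the example's "deny: ban" also hits "kanban".
    for action, rx in rules:
        if rx.search(command):
            return action == "permit"
    return not rules  # old style has no rules: everything is permitted

def authenticate(challenge, response, secret_files):
    # varnishd side: try every configured file (proposal point 1); return
    # the matching file's rules ([] for old style) or None if none matches.
    for contents in secret_files:
        if response == cli_response(challenge, contents):
            return parse_rules(contents)
    return None
```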
Today the fundamental authentication to open a CLI port is that that you have access to the exact and entire contents of the "secret" file and can generate a proof of this. We keep that, but... 1. We allow varnishd to have multiple secret files. When a CLI connection attempts to authenticate, varnishd tries them all. 2. Secret files can be "old style" or "new style", in both cases the "proof" uses the entire content of the secret file, byte for byte. 3. "New style" secret files have the following syntax: Lines which start with '#' are comments and are ignored. First line: "secret: " <any number of characters in [0x20…0x7e]> NL Then any number of rules: ("permit: " | "deny: ") <regexp> NL varnishd always appends a "deny: ." rule at the end of the list of rules. All submitted CLI commands are tested against these rules in the order they appear in the secret file, and the search terminates when one of them matches. A trivial example of a secret file could be: secret: swordfish deny: vcl deny: stop # Note: Do not name a backend "kanban" deny: ban Random notes: * Ideally the help command output is also filtered through the rules. * Varnishd should identify itself (-i/-n) in the 107 message so that the client can pick which secret file to use if it has access to multiple. * Varnishadm could look for secret files in ~/.varnish/${-i/-n arg} Comments ? -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 p...@freebsd.org | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. _______________________________________________ varnish-dev mailing list varnish-dev@varnish-cache.org https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev