vmod_unix - Man Page

Utilities for Unix domain sockets

Synopsis

import unix [as name] [from "path"]

STRING user()

STRING group()

INT uid()

INT gid()

Description

This VMOD provides information about the credentials of the peer process (user and group of the process owner) that is connected to a Varnish listener via a Unix domain socket, if the platform supports it.

Examples:

import unix;

sub vcl_recv {
      # Return "403 Forbidden" if the connected peer is
      # not running as the user "trusteduser".
      if (unix.user() != "trusteduser") {
              return( synth(403) );
      }

      # Require the connected peer to run in the group
      # "trustedgroup".
      if (unix.group() != "trustedgroup") {
              return( synth(403) );
      }

      # Require the connected peer to run under a specific numeric
      # user id.
      if (unix.uid() != 4711) {
              return( synth(403) );
      }

      # Require the connected peer to run under a numeric group id.
      if (unix.gid() != 815) {
              return( synth(403) );
      }
}

Obtaining the peer credentials is possible on a platform that supports one of the following:

On SunOS and friends, the PRIV_PROC_INFO privilege set is added to the Varnish child process while the VMOD is loaded, see setppriv(2).

On most platforms, the value returned is the effective user or group that was valid when the peer process initiated the connection.

STRING user()

Return the user name of the peer process owner.

Restricted to: client, backend.

STRING group()

Return the group name of the peer process owner.

Restricted to: client, backend.

INT uid()

Return the numeric user id of the peer process owner.

Restricted to: client, backend.

INT gid()

Return the numeric group id of the peer process owner.

Restricted to: client, backend.

Errors

All functions in this VMOD are subject to the following constraints:

See Also