Varnish has its own mechanism for dropping privs, and will not work if

started with su as rc.subr wants.  If we unset varnishd_{user,group}
before calling run_rc_command, rc.subr won't see them, but we can still
use them to specify which user and group Varnish should use.

1 files changed, 11 insertions, 2 deletions

diff --git a/www/varnish/files/varnishd.in b/www/varnish/files/varnishd.in
index fcbf3bd3f012..90195b126d5e 100644
--- a/www/varnish/files/varnishd.in
+++ b/www/varnish/files/varnishd.in
@@ -18,7 +18,9 @@
 #varnishd_config="%%PREFIX%%/etc/varnish/default.vcl"
 #varnishd_telnet="localhost:6082"
 #varnishd_storage="file,/tmp,50%"
-#varnishd_flags="-P ${pidfile} -a ${varnishd_listen} -f ${varnishd_config} -T ${varnishd_telnet} -s ${varnishd_storage}"
+#varnishd_user="www"
+#varnishd_group="www"
+#varnishd_flags="-P ${pidfile} -a ${varnishd_listen} -f ${varnishd_config} -T ${varnishd_telnet} -s ${varnishd_storage} -u ${varnishd_user} -g ${varnishd_group}"
 #
 # See varnishd(1) for a detailed overview of command-line options.
 #
@@ -38,6 +40,13 @@ load_rc_config ${name}
 : ${varnishd_config="%%PREFIX%%/etc/varnish/default.vcl"}
 : ${varnishd_telnet="localhost:6082"}
 : ${varnishd_storage="file,/tmp,50%"}
-: ${varnishd_flags="-P ${pidfile} -a ${varnishd_listen} -f ${varnishd_config} -T ${varnishd_telnet} -s ${varnishd_storage}"}
+: ${varnishd_user="www"}
+: ${varnishd_group="www"}
+: ${varnishd_flags="-P ${pidfile} -a ${varnishd_listen} -f ${varnishd_config} -T ${varnishd_telnet} -s ${varnishd_storage} -u ${varnishd_user} -g ${varnishd_group}"}
+
+# If we leave these set, rc.subr will su to them before starting
+# varnishd, which is not what we want.
+unset varnishd_user
+unset varnishd_group
 
 run_rc_command "$1"