I have a slightly hyperactive sarcasm gene, but thanks to the snake-oil salesmen of the "security industry" that is not a problem for me at all.

It starts, for instance, with Varnish getting into the press, as when David Recordon from Facebook said at OSBC:
We rely on the Varnish project. Varnish is an incredible open source cache. Billions of requests are served through Varnish every day around the world on Facebook.
That kind of thing almost guarantees an email from some "security researcher" whom neither I nor Google have heard of before.

When we make a new release it seems to work like a triple-word score in Scrabble: suddenly we are a "day-zero" candidate for everything people have had simmering in the drawer because there was not really any meat on it.

Last night I received one such "draft advisory"; it got the following reply:
Here is my official vendor response, which I request you include verbatim, if you release this "security-advisory":

This "security-advisory" is mostly bunk and pointless speculation, and may not even have anything to do with Varnish. Let me explain why that is:

Varnish is a tool for professionals, and as such it contains very powerful bits and sharp edges, because it is designed to move data at wire-speed, no matter how much money you spent on your hardware. If it helps the reader get into the right frame of mind, think of Varnish as "Husqvarna Extreme Logging Chainsaw" as opposed to "Toys'R'Us Plastic Saw For Babies".

It is the Varnish user's responsibility to aim and apply these powerful bits and sharp edges wisely: towards purposeful application and away from harm. If that is not possible, the user should be intelligent enough to not enable these features in the first place.

In accordance with my personal version of the Principle Of Least Astonishment, these features, in particular the CLI, are disabled by default in Varnish: it takes explicit command line arguments to enable them. If the people who distribute Varnish as packages decide otherwise, and enable the CLI by default, they are supposed to know what they are doing, and presumably also why.

Furthermore, Varnish is written to not need root privilege to run. The typical reason to run Varnish as root anyway is that the OS/kernel requires this privilege to bind to TCP port 80. All qualified observers find this requirement a serious security flaw in the POSIX standard. (You have _no_ idea how much I wish I could fix that.)

The long litany of speculation, in this so-called "security advisory", about what you can do with the Varnish CLI in various circumstances, if it is enabled, is therefore fundamentally misguided and pointless, in the same way an enumerated list of which pieces of household furniture a Husqvarna chainsaw can possibly cut through, once you start it, would be.

If you start Varnish as root, and tell it to format your disks through the CLI or in-line C-code, it will, by design, faithfully attempt to follow your instructions and format your disk. If you do not want Varnish to format your disk, then you should not ask it to.

From this it is immediately obvious to any casual observer that if you do not protect access to the Varnish CLI, or send unwise commands to it, you will be screwed. If this was news or a surprise to you, you should step away from the keyboard and start growing cabbage instead.

The only reason I do not declare this so-called "security advisory" totally bunk is that it may contain one tiny fig-leaf of substance: if somebody who distributes software in package format unwisely selects a non-POLA-compliant configuration as default, the users of that package may get screwed. This is truth in the absolute sense, not just for Varnish, but for all possible software.

To the extent this "security advisory" documents such an inconsistent application of POLA, relative to some specific distribution channel's packaging of Varnish, it would have a valid point. But I don't see that point being made, much less clearly documented, anywhere in the text. The closest we get is the sentence:

"Note that whilst on Debian and Fedora, the master process is only bound to localhost,"

But no attempt is made to compare this fact to the respective and expected POLA guidelines for these distributions? Instead, the above factual observation is immediately followed by totally vacuous speculation:

"in other cases, it may be possible for an attacker to connect directly to the master process over the network [...]"

Which is as informative and helpful as the statement: "Chain-saws could conceivably hurt people".

And thus, in conclusion, I can't help but wonder how much better off we would all be if "security researchers" tried to design security into software, rather than waste time, theirs and ours, on pointless security-advisory trophy hunts.

Poul-Henning Kamp,
aka: [phk@FreeBSD.org](mailto:phk@FreeBSD.org),
aka: Author of Varnish,
And not at all amused.
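As an added example, not part of the original post or of the Varnish project, here is a small audit function for the two sharp edges the reply describes: a management CLI reachable beyond localhost, and a worker that never drops root. It assumes the varnishd options `-T addr:port` (management listen address) and `-u user` (unprivileged worker user), and is fed a constructed command line rather than a live process.

```shell
#!/bin/sh
# Added example (not from the original post): audit a varnishd command line for
# (1) a management CLI (-T) bound to something other than loopback and
# (2) a worker that is not told to drop privileges with -u.
# Assumes the varnishd flags -T <addr:port> and -u <user>; check your version's manual.

# Usage: audit_varnishd "<full varnishd command line>"
# Prints one line per check; exit status 0 = nothing to fix, 1 = at least one finding.
audit_varnishd() {
    cmdline=$1
    findings=0

    # Pull out the argument after -T (accepts "-T addr:port" and "-Taddr:port").
    cli=$(printf '%s\n' "$cmdline" | sed -n 's/.*-T[[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -n "$cli" ]; then
        host=${cli%:*}          # drop ":port"; an empty host means "all interfaces"
        case "$host" in
            ''|0.0.0.0|'[::]'|'::'|'*')
                echo "CLI on $cli listens on all interfaces: restrict it to localhost or firewall it"
                findings=1 ;;
            127.0.0.1|localhost|'[::1]'|::1)
                echo "CLI on $cli is bound to loopback only (OK)" ;;
            *)
                echo "CLI on $cli is bound to a routable address: make sure only admins can reach it"
                findings=1 ;;
        esac
    else
        echo "no -T given: management CLI not explicitly enabled (check your version's default)"
    fi

    # Root is only needed to bind port 80; the worker should still be dropped to -u user.
    case " $cmdline " in
        *" -u"*) echo "worker drops privileges via -u (OK)" ;;
        *) echo "no -u given: worker may keep running as root; add -u <unprivileged user>"
           findings=1 ;;
    esac
    return $findings
}

# Constructed sample command lines, the packaged-default style and an exposed one.
audit_varnishd "varnishd -a :80 -T localhost:6082 -u varnish -f /etc/varnish/default.vcl"
echo "---"
audit_varnishd "varnishd -a :80 -T 0.0.0.0:6082 -f /etc/varnish/default.vcl" || echo "findings above"
```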
Now my sarcasm gene and I should be able to manage until Whitsun.

... if we get that much peace.