..
.. NB:  This file is machine generated, DO NOT EDIT!
..
.. Edit vmod.vcc and run make instead
..

.. role:: ref(emphasis)

.. _vmod_unix(3):

=========
vmod_unix
=========

---------------------------------
utilities for Unix domain sockets
---------------------------------

:Manual section: 3

SYNOPSIS
========


::

   import unix [from "path"] ;
   
   STRING user()
  
   STRING group()
  
   INT uid()
  
   INT gid()
  




CONTENTS
========

* :ref:`func_gid`
* :ref:`func_group`
* :ref:`func_uid`
* :ref:`func_user`



DESCRIPTION
===========

This VMOD provides information about the credentials of the peer
process (user and group of the process owner) that is connected to a
Varnish listener via a Unix domain socket, if the platform supports
it.

Examples::

  import unix;

  sub vcl_recv {
	# Return "403 Forbidden" if the connected peer is
	# not running as the user "trusteduser".
	if (unix.user() != "trusteduser") {
		return( synth(403) );
	}

	# Require the connected peer to run in the group
	# "trustedgroup".
	if (unix.group() != "trustedgroup") {
		return( synth(403) );
	}

	# Require the connected peer to run under a specific numeric
	# user id.
	if (unix.uid() != 4711) {
		return( synth(403) );
	}

	# Require the connected peer to run under a numeric group id.
	if (unix.gid() != 815) {
		return( synth(403) );
	}
  }

Obtaining the peer credentials is possible on a platform that supports
one of the following:

* ``getpeereid(3)`` (such as FreeBSD and other BSD-derived systems)

* the socket option ``SO_PEERCRED`` for ``getsockopt(2)`` (Linux)

On most platforms, the value returned is the effective user or group
that was valid when the peer process initiated the connection.


.. _func_user:

STRING user()
-------------

Return the user name of the peer process owner.


.. _func_group:

STRING group()
--------------

Return the group name of the peer process owner.


.. _func_uid:

INT uid()
---------

Return the numeric user id of the peer process owner.


.. _func_gid:

INT gid()
---------

Return the numeric group id of the peer process owner.

ERRORS
======

All functions in this VMOD are subject to the following constraints:

* None of them may be called in ``vcl_init`` or ``vcl_fini``. If one
  of them is called in ``vcl_init``, then the VCL program will fail to
  load, with an error message from the VMOD.

* If called on a platform that is not supported, then VCL failure is
  invoked. An error message is written to the log (with the
  ``VCL_Error`` tag), and for all VCL subroutines except for
  ``vcl_synth``, control is directed immediately to ``vcl_synth``,
  with the response status set to 503 and the reason string set to
  "VCL failed".

  If the failure occurs during ``vcl_synth``, then ``vcl_synth`` is
  aborted, and the the response line "503 VCL failed" is sent.

* If the current listener is not a Unix domain socket, or if the
  attempt to read credentials fails, then a ``VCL_Error`` message is
  written to the log. The STRING functions (``vmod_user`` and
  ``vmod_group``) return NULL, while the INT functions (``vmod_uid``
  and ``vmod_gid``) return -1.

SEE ALSO
========

* :ref:`varnishd(1)`
* :ref:`vcl(7)`
* ``getpeereid(3)``
* ``getsockopt(2)``


COPYRIGHT
=========

::

  This document is licensed under the same conditions as Varnish itself.
  See LICENSE for details.
 
  Authors: Geoffrey Simmons <geoffrey.simmons@uplex.de>
 
