
Re: Re: Squid 3 doesn't overwrite/replace cached objects(?)


 



On 4/09/2013 2:40 a.m., Antony Stone wrote:
>Why runs the parent
>squid process as root and the child as user proxy? Is that normal? Is it
>best practice? Should I chmod or chown cache directory?
It is completely normal for a great many applications providing network
services, and yes, it is best practice.  In fact some will not *allow* you to
run them as root, without an unprivileged user to run the main process as.

The reasoning is simple:

1. You need root privileges to do certain things when you start an application
(such as bind to a network socket, open a log file, perhaps read a configuration
file), therefore it starts as root.

2. Any application might contain bugs which lead to security vulnerabilities,
which can be remotely exploited through the network connection, and until the
bugs are fixed, you at least want to minimise the risk presented by them.

3. Therefore as soon as you've done all the things involved in (1) above, you
drop the privilege level of the application, and/or spawn a child process with
reduced privilege, so that it still runs and does everything you need, but if
a vulnerability is exploited, it no longer has root privilege and therefore
cannot cause as much damage as it might have done.

4. Some applications also kill off the child/ren from time to time, and restart
new ones, usually in an attempt to avoid memory leaks consuming all available
RAM.  Whether this works depends on the nature of the memory leak and the
effectiveness of the operating system's garbage collection facilities.

Thank you for a very clear explanation Antony. This has been a missing piece of the FAQ for a while. I am taking the liberty of moving this to the official FAQs and moulding a small description of Squid behaviour around it.
http://wiki.squid-cache.org/SquidFaq/OperatingSquid#Why_do_I_need_to_run_Squid_as_root.3F_why_can.27t_I_just_use_cache_effective_user_root.3F

Amos
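
The start-as-root, bind, then drop sequence from points 1 and 3 above, as an added example in C (not Squid's own code and not part of either message). The account name "proxy" comes from the question; port 80 and the helper name drop_privileges are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper. Returns 0 after an irreversible drop, 1 if the
 * process was never root, -1 on failure (the caller must then exit
 * instead of continuing to run as root). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                     /* refuse to "drop" to root */
    if (geteuid() != 0)
        return 1;                      /* nothing to drop */
    if (setgroups(0, NULL) != 0)       /* clear root's supplementary groups */
        return -1;
    if (setgid(gid) != 0)              /* group first, while still root */
        return -1;
    if (setuid(uid) != 0)              /* sets real, effective and saved uid */
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;                     /* root must not be recoverable */
    return 0;
}

int main(void)
{
    /* Point 1: privileged setup (binding a port below 1024) as root. */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(80) };
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0) {
        perror("bind");
        return 1;
    }
    /* Point 3: drop before reading any network input. */
    struct passwd *pw = getpwnam("proxy");
    if (pw == NULL || drop_privileges(pw->pw_uid, pw->pw_gid) < 0) {
        fprintf(stderr, "cannot drop privileges, refusing to continue\n");
        return 1;
    }
    listen(fd, 16);   /* the already-bound socket stays usable after the drop */
    printf("serving as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    close(fd);
    return 0;
}
```

The order matters: once setuid() has succeeded the process can no longer change its groups, so the supplementary groups and the gid are changed first, and the final check confirms root cannot be regained.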



