Thanks for your answer. The idea is to use the user and group setting in the 
config file and initially start it as root as you described. So it is about the 
user the process is handed over to after starting pound.

Regards
Philipp

___________________________

Philipp Reichmuth
e-Mail: [email protected]
___________________________

> On 21.07.2017 at 15:53, Alexander Kolodziej 
> <[email protected]> wrote:
> 
> Do you intend to _not_ let pound change user?
> 
> If you start it as the root user, it will read conf, open sockets and write 
> pid file as the root user, before it changes to whatever you set User/Group 
> to in the conf.
> 
> But if you want to start it as an unprivileged user from the very start, then 
> at least that user must be able to open the socket(s), which might be a 
> problem if you want to use 80/443 since they are below 1024.
> 
> About writing to log files, it does that via syslog, so I don't think it needs 
> any access to the log dir. Syslog must have access to write its log files 
> though, of course...
> 
>  / alex
> 
> 
> -- 
> Alexander Kolodziej
> Pattern Matchician, Tactel AB
> Phone: +46761452104
> Email: [email protected]
> 
>> On 2017-07-20 23:17, Philipp Reichmuth wrote:
>> Well, that helps a bit, but is still pretty confusing.
>> 
>> Does that mean the user to run pound only needs following privileges:
>> ro to /etc/pound/pound.cfg (/usr/local/etc/ is empty in the container)
>> ro to the certificate pem-files
>> ro to /var/log/ (/var/log/messages does not exist (yet), probably because I 
>> have not been able to start pound yet.)
>> rw to /var/run/pound.pid
>> 
>> (What I forgot in my former e-mail, inside the lx-container Debian 8 Jessie 
>> is running.)
>> 
>> Confirmation or correction would be greatly appreciated.
>> 
>> Regards
>> Philipp
>> 
>> 
>>> On 20 July 2017 at 22:01, Wohl, Grant <[email protected]> wrote:
>>> 
>>> From the pound man page: "In general, Pound does not read or write to the 
>>> hard-disk. The exceptions are reading the configuration file and (possibly) 
>>> the server certificate file(s) and error message(s), which are opened 
>>> read-only on startup, read, and closed, and the pid file which is opened on 
>>> start-up, written to and immediately closed. Following this there is no 
>>> disk access whatsoever, so using a RootJail directive is only for extra 
>>> security bonus points."
>>> 
>>> See the rest of the man page (man pound or 
>>> <https://linux.die.net/man/8/pound>) and possibly these other sites for 
>>> more details on using the RootJail option: 
>>> <https://fossies.org/linux/Pound/FAQ>, 
>>> <http://www.project-open.com/en/howto-pound-https-configuration>. I do not 
>>> use the RootJail myself but I can tell you that the /etc/resolv.conf and 
>>> /etc/hosts are for DNS resolution and the /dev/urandom is needed for 
>>> OpenSSL.
>>> 
>>> 
>>> -----Original Message-----
>>> From: Philipp Reichmuth [mailto:[email protected]]
>>> Sent: Thursday, July 20, 2017 2:17 PM
>>> To: [email protected]
>>> Subject: [Pound Mailing List] Privileges for unprivileged user to run Pound 
>>> proxy server
>>> 
>>> Hello
>>> 
>>> Since this is the primary source for support according to the pound 
>>> homepage, I am asking the question here. After searching the internet for 
>>> more than an hour, I could not find a clear answer.
>>> 
>>> I am trying to install Pound in an lxc-container on my Qnap NAS. Therefore 
>>> I need to create the unprivileged user to run pound manually. Hence, I need 
>>> to know what privileges this user needs, what files he needs to access with 
>>> read and which with write privileges.
>>> 
>>> In case Pound is run in a rootjail, how do the privileges of the user 
>>> change? Is the rootjail the only path the user needs access in this case?
>>> 
>>> Thanks, regards
>>> Philipp
>>> --
>>> To unsubscribe send an email with subject unsubscribe to [email protected].
>>> Please contact [email protected] for questions.
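
The start-up order described in the thread above (open the socket and write the pid file as root, then switch to the configured User/Group), as an added C example. It is not Pound's source code and not part of the original messages; the account name `pound` is an assumption, while port 80 and `/var/run/pound.pid` are taken from the thread.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes setgroups() in glibc's <grp.h> */
#endif
#include <arpa/inet.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP listener; ports below 1024 need root (or CAP_NET_BIND_SERVICE). */
int open_listener(unsigned short port)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&a, sizeof a) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently switch to uid/gid: 0 on success, -1 on failure. Order matters:
 * supplementary groups, then gid, then uid (after setuid the rest would fail). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)   /* only root may do this */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;                                   /* root was regainable */
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

int main(void)
{
    struct passwd *pw = getpwnam("pound");           /* assumed account name */
    int fd = open_listener(80);                      /* still root here */
    FILE *pid = fopen("/var/run/pound.pid", "w");    /* pid file, also as root */
    if (!pw || fd < 0 || !pid) { perror("startup"); return 1; }
    fprintf(pid, "%ld\n", (long)getpid());
    fclose(pid);
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) { perror("drop"); return 1; }
    printf("fd %d is listening, now running as uid %ld\n", fd, (long)getuid());
    return 0;
}
```

Started as root, the program binds port 80 and writes the pid file before switching user; started as an unprivileged user on a default Linux configuration, the bind fails, which is the below-1024 problem mentioned in the thread.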
