Re: Unprivileged user?
On Wed, 16 Apr 2008 06:56:37 +, "Poul-Henning Kamp" <[EMAIL PROTECTED]> said: > In message <[EMAIL PROTECTED]>, Stig Sandbeck Mathisen writes: >> * Read access to where you store your VCL files > No, the vcl files are read by the master process which does not drop > priviledge. >> * Execute a C compiler > Same. >> * Write access to its cache directory, to store the compiled >> configuration > Same. In other words, I mixed up the parent and child process regarding configuration file handling and compiling. :/ -- Stig Sandbeck Mathisen, Linpro Any sufficiently advanced incompetence is indistinguishable from malice. ___ varnish-misc mailing list varnish-misc@projects.linpro.no http://projects.linpro.no/mailman/listinfo/varnish-misc
Re: Unprivileged user?
"Poul-Henning Kamp" <[EMAIL PROTECTED]> writes: > "Michael S. Fischer" <[EMAIL PROTECTED]> writes: > > I'm not saying that they would; I'm just saying that you can't count > > on user 'nobody' having the precise role that a security-conscious > > sysadmin would want. > Which is why there is a -u argument, for people who muck up the > configuration that has been standard on all decent UNIX'es for > the last 15 years. It is also for people who have a little bit of sense and understand that different daemons should use different unprivileged users when they drop their root privileges. DES -- Dag-Erling Smørgrav Senior Software Developer Linpro AS - www.linpro.no ___ varnish-misc mailing list varnish-misc@projects.linpro.no http://projects.linpro.no/mailman/listinfo/varnish-misc
Re: Unprivileged user?
"Poul-Henning Kamp" <[EMAIL PROTECTED]> writes: > Stig Sandbeck Mathisen <[EMAIL PROTECTED]> writes: > > After it has dropped root privileges, it needs at least: > > > > * Open new network connections (no problem unless you use MAC or a > > uid-matching firewall) > No, it accepts them only. wrong, it initiates new connections to the backend servers. > Please figure out how varnish really works before you acuse us of > being incompetent. That was completely uncalled for. DES -- Dag-Erling Smørgrav Senior Software Developer Linpro AS - www.linpro.no ___ varnish-misc mailing list varnish-misc@projects.linpro.no http://projects.linpro.no/mailman/listinfo/varnish-misc
Re: Unprivileged user?
On Tue, Apr 15, 2008 at 11:53 PM, Poul-Henning Kamp <[EMAIL PROTECTED]> wrote: > In message <[EMAIL PROTECTED]>, "Mich > > ael S. Fischer" writes: > > >> Varnish for instance assumes that the administrator is not a total > >> madman, who would do something as patently stupid as you prospose > >> above, under the general assumption that if he were, varnish would > >> be the least of his troubles. > > > >I'm not saying that they would; I'm just saying that you can't count > >on user 'nobody' having the precise role that a security-conscious > >sysadmin would want. > > Which is why there is a -u argument, for people who muck up the > configuration that has been standard on all decent UNIX'es for > the last 15 years. Thus answering OP's question. QED. :-) --Michael ___ varnish-misc mailing list varnish-misc@projects.linpro.no http://projects.linpro.no/mailman/listinfo/varnish-misc
Re: Current stable version?
Gaute Amundsen <[EMAIL PROTECTED]> writes: > we are currently running varnish-1.0.4-3el4.i386.rpm > ( with a small patch ) 1.1.2 has been out for, eh, four months now... DES -- Dag-Erling Smørgrav Senior Software Developer Linpro AS - www.linpro.no ___ varnish-misc mailing list varnish-misc@projects.linpro.no http://projects.linpro.no/mailman/listinfo/varnish-misc
Re: Unprivileged user?
Hi, On Tue, Apr 15, 2008 at 07:35:20AM +, Poul-Henning Kamp wrote: >>Assuming that "nobody" is an available user on your system, then is >>the "-u user" option for varnishd superfluous? > Yes. > > You can confirm the uid nobody is used with the ps(1) command. I disagree. Suppose you have another process on your system that runs as nobody, like Apache. And people have access to run CGIs and other types of scripts through this user. Would you want them to be able to do naughty things to your Varnish process (they might be able to if Apache and Varnish both run as nobody) as well? An option to specify which user to change to is something people want, to control which user a process runs as. There are perfectly valid reasons to run as a different user than the standard, especially in multi-user/non-dedicated setups. Thanks! :) Bye, -- Anders. ___ varnish-misc mailing list varnish-misc@projects.linpro.no http://projects.linpro.no/mailman/listinfo/varnish-misc
Re: Unprivileged user?
In message <[EMAIL PROTECTED]>, Per Andreas Buer writes: >Poul-Henning Kamp skrev: >>> * Open new network connections (no problem unless you use MAC or a >>> uid-matching firewall) >> >> No, it accepts them only. > >Does the privilegded prosess talk to the origin servers? No. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 [EMAIL PROTECTED] | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. ___ varnish-misc mailing list varnish-misc@projects.linpro.no http://projects.linpro.no/mailman/listinfo/varnish-misc
RE: Re: Error compiling last revision from trunk
>Sorry, I forgot to submit this change, done now. Thank you ;) ___ varnish-misc mailing list varnish-misc@projects.linpro.no http://projects.linpro.no/mailman/listinfo/varnish-misc
Re: Error compiling last revision from trunk
In message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] writes: >>this should be SIZE_MAX. > >Could you fix this please? Sorry, I forgot to submit this change, done now. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 [EMAIL PROTECTED] | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. ___ varnish-misc mailing list varnish-misc@projects.linpro.no http://projects.linpro.no/mailman/listinfo/varnish-misc
Error compiling last revision from trunk
>this should be SIZE_MAX. Could you fix this please? or can I make subversion to download a specific revision? / Erik ___ varnish-misc mailing list varnish-misc@projects.linpro.no http://projects.linpro.no/mailman/listinfo/varnish-misc
Re: Unprivileged user?
Poul-Henning Kamp skrev: > In message <[EMAIL PROTECTED]>, Stig Sandbeck Mathisen writes: >> On Tue, 15 Apr 2008 00:01:17 -0700, Ricardo Newbery <[EMAIL PROTECTED]> said: >> >>> In Varnish, does the less-privileged user need access to anything? >> After it has dropped root privileges, it needs at least: >> >> * Open new network connections (no problem unless you use MAC or a >> uid-matching firewall) > > No, it accepts them only. Does the privilegded prosess talk to the origin servers? > (..) > > Please figure out how varnish really works before you acuse us of > being incompetent. Please figure out who is calling you incompetent before you start accusing people of accusing you of being incompetent (puh!). ssm was only trying to be helpful - all though I can see he probably failed in being that. :-) Per. ___ varnish-misc mailing list varnish-misc@projects.linpro.no http://projects.linpro.no/mailman/listinfo/varnish-misc