Re: Unprivileged user?

2008-04-16 Thread Stig Sandbeck Mathisen
On Wed, 16 Apr 2008 06:56:37 +, "Poul-Henning Kamp" <[EMAIL PROTECTED]> said:

> In message <[EMAIL PROTECTED]>, Stig Sandbeck Mathisen writes:

>> * Read access to where you store your VCL files

> No, the vcl files are read by the master process which does not drop
> privilege.

>> * Execute a C compiler

> Same.

>> * Write access to its cache directory, to store the compiled
>> configuration

> Same.

In other words, I mixed up the parent and child process regarding
configuration file handling and compiling.  :/

-- 
Stig Sandbeck Mathisen, Linpro

Any sufficiently advanced incompetence is indistinguishable from malice.
___
varnish-misc mailing list
varnish-misc@projects.linpro.no
http://projects.linpro.no/mailman/listinfo/varnish-misc


Re: Unprivileged user?

2008-04-16 Thread Dag-Erling Smørgrav
"Poul-Henning Kamp" <[EMAIL PROTECTED]> writes:
> "Michael S. Fischer" <[EMAIL PROTECTED]> writes:
> > I'm not saying that they would; I'm just saying that you can't count
> > on user 'nobody' having the precise role that a security-conscious
> > sysadmin would want.
> Which is why there is a -u argument, for people who muck up the
> configuration that has been standard on all decent UNIX'es for
> the last 15 years.

It is also for people who have a little bit of sense and understand that
different daemons should use different unprivileged users when they drop
their root privileges.

DES
-- 
Dag-Erling Smørgrav
Senior Software Developer
Linpro AS - www.linpro.no


Re: Unprivileged user?

2008-04-16 Thread Dag-Erling Smørgrav
"Poul-Henning Kamp" <[EMAIL PROTECTED]> writes:
> Stig Sandbeck Mathisen <[EMAIL PROTECTED]> writes:
> > After it has dropped root privileges, it needs at least:
> >
> > * Open new network connections (no problem unless you use MAC or a
> >   uid-matching firewall)
> No, it accepts them only.

Wrong, it initiates new connections to the backend servers.

> Please figure out how varnish really works before you accuse us of
> being incompetent.

That was completely uncalled for.

DES
-- 
Dag-Erling Smørgrav
Senior Software Developer
Linpro AS - www.linpro.no


Re: Unprivileged user?

2008-04-16 Thread Michael S. Fischer
On Tue, Apr 15, 2008 at 11:53 PM, Poul-Henning Kamp <[EMAIL PROTECTED]> wrote:
> In message <[EMAIL PROTECTED]>, "Michael S. Fischer" writes:
>
>  >>  Varnish for instance assumes that the administrator is not a total
>  >>  madman, who would do something as patently stupid as you propose
>  >>  above, under the general assumption that if he were, varnish would
>  >>  be the least of his troubles.
>  >
>  >I'm not saying that they would; I'm just saying that you can't count
>  >on user 'nobody' having the precise role that a security-conscious
>  >sysadmin would want.
>
>  Which is why there is a -u argument, for people who muck up the
>  configuration that has been standard on all decent UNIX'es for
>  the last 15 years.

Thus answering OP's question.  QED.  :-)

--Michael


Re: Current stable version?

2008-04-16 Thread Dag-Erling Smørgrav
Gaute Amundsen <[EMAIL PROTECTED]> writes:
> we are currently running varnish-1.0.4-3el4.i386.rpm
> ( with a small patch )

1.1.2 has been out for, eh, four months now...

DES
-- 
Dag-Erling Smørgrav
Senior Software Developer
Linpro AS - www.linpro.no


Re: Unprivileged user?

2008-04-16 Thread Anders Nordby
Hi,

On Tue, Apr 15, 2008 at 07:35:20AM +, Poul-Henning Kamp wrote:
>>Assuming that "nobody" is an available user on your system, then is  
>>the "-u user" option for varnishd superfluous?
> Yes.
> 
> You can confirm the uid nobody is used with the ps(1) command.

I disagree.

Suppose you have another process on your system that runs as nobody,
like Apache. And people have access to run CGIs and other types of
scripts through this user. Would you want them to be able to do naughty
things to your Varnish process (they might be able to if Apache and
Varnish both run as nobody) as well?

An option to specify which user to change to is something people want,
to control which user a process runs as. There are perfectly valid
reasons to run as a different user than the standard, especially in
multi-user/non-dedicated setups.

Thanks! :)

Bye,

-- 
Anders.
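
The shared-account situation described in the message above can be checked from ps(1) output. This is an added example, not part of the original thread or of Varnish; the function names and the sample process list are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag unprivileged accounts shared by different daemons.
# Input is what `ps -eo user=,comm=` prints: "<user> <command>" per line.

shared_accounts() {
    # Reads "<user> <command>" lines on stdin and prints
    # "<user>: cmd1 cmd2 ..." for each non-root user that runs two or
    # more different commands. root is skipped because the question is
    # about the accounts daemons drop to, not the privileged parent.
    awk '
        NF >= 2 && $1 != "root" {
            key = $1 SUBSEP $2
            if (!(key in seen)) {
                seen[key] = 1
                count[$1]++
                cmds[$1] = (cmds[$1] == "" ? $2 : cmds[$1] " " $2)
            }
        }
        END {
            for (u in count)
                if (count[u] > 1)
                    print u ": " cmds[u]
        }
    ' | sort
}

# Constructed sample: the varnishd child and Apache both run as nobody.
sample_ps() {
    cat <<'EOF'
root     varnishd
nobody   varnishd
nobody   httpd
nobody   httpd
www      nginx
root     sshd
EOF
}

audit_sample() { sample_ps | shared_accounts; }

# On a live system: ps -eo user=,comm= | shared_accounts
```

An empty result means every unprivileged account is used by a single daemon, which is what starting varnishd with -u and a dedicated user achieves.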


Re: Unprivileged user?

2008-04-16 Thread Poul-Henning Kamp
In message <[EMAIL PROTECTED]>, Per Andreas Buer writes:
>Poul-Henning Kamp wrote:

>>> * Open new network connections (no problem unless you use MAC or a
>>>  uid-matching firewall)
>> 
>> No, it accepts them only.
>
>Does the privileged process talk to the origin servers?

No.

-- 
Poul-Henning Kamp   | UNIX since Zilog Zeus 3.20
[EMAIL PROTECTED] | TCP/IP since RFC 956
FreeBSD committer   | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.


RE: Re: Error compiling last revision from trunk

2008-04-16 Thread duja
>Sorry, I forgot to submit this change, done now.

Thank you ;)



Re: Error compiling last revision from trunk

2008-04-16 Thread Poul-Henning Kamp
In message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] writes:
>>this should be SIZE_MAX.
>
>Could you fix this please?

Sorry, I forgot to submit this change, done now.

-- 
Poul-Henning Kamp   | UNIX since Zilog Zeus 3.20
[EMAIL PROTECTED] | TCP/IP since RFC 956
FreeBSD committer   | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.


Error compiling last revision from trunk

2008-04-16 Thread duja
>this should be SIZE_MAX.

Could you fix this please?

Or can I make Subversion download a specific revision?

/ Erik



Re: Unprivileged user?

2008-04-16 Thread Per Andreas Buer
Poul-Henning Kamp wrote:
> In message <[EMAIL PROTECTED]>, Stig Sandbeck Mathisen writes:
>> On Tue, 15 Apr 2008 00:01:17 -0700, Ricardo Newbery <[EMAIL PROTECTED]> said:
>>
>>> In Varnish, does the less-privileged user need access to anything?
>> After it has dropped root privileges, it needs at least:
>>
>> * Open new network connections (no problem unless you use MAC or a
>>  uid-matching firewall)
> 
> No, it accepts them only.

Does the privileged process talk to the origin servers?

> (..)
> 
> Please figure out how varnish really works before you accuse us of
> being incompetent.

Please figure out who is calling you incompetent before you start 
accusing people of accusing you of being incompetent (puh!). ssm was 
only trying to be helpful - although I can see he probably failed in 
being that.  :-)


Per.