Thu 2009-02-12 at 12:30 +1300, Amos Jeffries wrote:
> Overriding the underlying OS, which admin may understand, with behavior
> they may not. Can cause them to enact less secure workarounds; I have
> seen squid effective-user'd to the root UID not long ago.

cache_effective_user root is not allowed by Squid unless the user patches Squid to remove this restriction (save for bugs..). But we normally keep uid 0 as a saved uid for -k reconfigure.

Not sure about cache_effective_group root, but on most systems that's no security problem even if used, as the root group does not have any special powers.

Still a +/- 0 from me. Vendors wrongly patching better grow up. Users using it for the wrong purpose just create more work for themselves, just as when other directives are used wrongly. The documentation is pretty clear on this directive.

Users using it for the right purpose exist. One such kind of setup is with Squid running on a user account (started as non-root) but restricted to only one gid of that user. But most can indeed do just fine without the directive.

Also keep in mind that most setups start Squid as root without using the chroot directive.. that's a bigger one which we should look into.

Regards
Henrik