You can change the owner of the config files to another user (root?) and if 
you're not using clustering, ATS will just complain a little inside traffic.out 
on start.

On Mar 10, 2013, at 4:52 AM, Reindl Harald <[email protected]> wrote:

> 
> 
> On 10.03.2013 12:42, Jan-Frode Myklebust wrote:
>> On Sun, Mar 10, 2013 at 12:01:27PM +0100, Reindl Harald wrote:
>>> why is trafficserver doing this?
>>> 
>>> I had, as an example, empty lines between the config blocks
>>> to make the file more readable which are gone and
>>> generally dislike these _1 files and touching my config
>> 
>> Very much agree. I manage the *.config files through puppet, and every
>> time puppet changes something, ATS will make one additional change to
>> the files (possibly only change timestamps), and cause a second service
>> reload.
>> 
>> Daemons shouldn't have write access to their configuration files, as
>> that opens them to attacks. A remote file write vulnerability as the
>> ATS-user is automatically a remote root shell since it can f.ex. change
>> the proxy.config.proxy_binary in records.config...
>> 
>> Unfortunately I don't expect this to change.. since ATS includes some
>> cluster management where the configuration is supposed to be replicated
>> between the nodes..
> 
> 
> but with "LOCAL proxy.local.cluster.type INT 3" it should not touch anything
> 
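
Added example, not part of the original thread and not code from the ATS project: a small audit for the concern raised above, listing every path under a config directory that the daemon's account could still modify. The account name and directory are arguments supplied by the operator; nothing here assumes the ATS defaults.

```shell
#!/bin/sh
# Usage: sh audit.sh <service-user> <config-dir>   (both values are placeholders)
#
# writable_by USER DIR
#   Print every file or directory under DIR that USER could modify:
#     - anything USER owns (an owner can always chmod the file back to writable)
#     - anything world-writable
#     - anything group-writable through one of USER's groups
#   Directories are included on purpose: write access to the directory lets
#   the account replace a file even when the file itself is read-only.
#   Symlinks are skipped because their mode bits are always 777.
writable_by() {
    user=$1
    dir=$2

    find "$dir" ! -type l \( -user "$user" -o -perm -002 \) -print

    # Numeric group ids avoid problems with unusual group names.
    for gid in $(id -G "$user" 2>/dev/null); do
        find "$dir" ! -type l -group "$gid" ! -user "$user" \
            -perm -020 ! -perm -002 -print
    done
}

# Run the audit only when called with both arguments.
if [ "$#" -eq 2 ]; then
    writable_by "$1" "$2"
fi
```

Empty output means the account has no write path into the directory; any line printed is a file or directory whose ownership or mode still needs changing.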
