On Mon, 14 Apr 2008 23:20:11 -0700 Ricardo Newbery <[EMAIL PROTECTED]> wrote:
> On Apr 14, 2008, at 11:03 PM, Per Andreas Buer wrote:
>
> > Ricardo Newbery wrote:
> >> I'm trying to understand the purpose of the "-u user" option for
> >> varnishd. It appears that even when starting up as root, and the
> >> child process dropping to "nobody", Varnish is still saving and
> >> serving from cache even though "nobody" doesn't have read/write
> >> access to the storage file owned by root.
> >
> > In Unix, if you drop privileges, you still have access to all your
> > open files. Access control happens when you open files. That should
> > answer the rest of your questions too, I believe.
>
> Hmm... maybe I'm missing something but this doesn't seem to answer
> the main question. If, as you seem to imply, Varnish is opening any
> files it needs while it's still "root", then what is the purpose of
> the "-u user" option?

That's the same thing in Apache, MySQL, ...
Open every file handle you need, then drop privileges. In case the software is being hacked, it cannot damage the system, only the opened file pointers and everything the user can do.
If the daemon ran as root, the hacker could do everything with your computer.

/Flo
_______________________________________________
varnish-misc mailing list
http://projects.linpro.no/mailman/listinfo/varnish-misc
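The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Varnish code: a process opens its storage file, gives up its privileges, and then finds that the descriptor it already holds still reads while a fresh `open()` of the same path is refused. The function names, the `/tmp` path and the `nobody` ids (65534) are assumptions; when not started as root, the child strips the file's mode bits instead, which exercises the same open-time check.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanent drop: supplementary groups first, then gid, then uid. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Confirm the drop is irreversible: asking for root again must fail. */
    return (setuid(0) == -1 && geteuid() == uid) ? 0 : -1;
}

/* Runs in the child. Bit 0: the descriptor opened earlier still reads.
 * Bit 1: a fresh open() of the same path is refused. 4: could not drop access. */
static int child_checks(int fd, const char *path) {
    char buf[8]; int bits = 0;
    if (geteuid() == 0) {
        if (drop_privileges(65534, 65534) != 0) return 4; /* assumed "nobody" ids */
    } else if (fchmod(fd, 0) != 0) {   /* not root: strip mode bits as a stand-in */
        return 4;
    }
    if (pread(fd, buf, sizeof buf, 0) == 6) bits |= 1;  /* no permission re-check */
    int fd2 = open(path, O_RDONLY);                     /* checked against new identity */
    if (fd2 < 0 && errno == EACCES) bits |= 2;
    return bits;
}

int held_fd_demo(void) {
    char path[] = "/tmp/storage-XXXXXX";  /* constructed stand-in for the storage file */
    int status = 0, fd = mkstemp(path);   /* created mode 0600, owned by the caller */
    if (fd < 0 || write(fd, "cached", 6) != 6) return -1;
    pid_t pid = fork();
    if (pid == 0) _exit(child_checks(fd, path));
    if (pid < 0 || waitpid(pid, &status, 0) != pid) status = -1;
    close(fd);
    unlink(path);                         /* parent kept the rights needed to clean up */
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("result %d (3 = held fd reads, reopen denied)\n", held_fd_demo());
    return 0;
}
```

A result of 3 means both halves of the thread's answer hold: the open descriptor survives the drop, and anything the process tries to open afterwards is limited to what the unprivileged user may access.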
