On Apr 14, 2008, at 11:25 PM, Florian Engelhardt wrote:

> On Mon, 14 Apr 2008 23:20:11 -0700
> Ricardo Newbery <[EMAIL PROTECTED]> wrote:
>
>>
>> On Apr 14, 2008, at 11:03 PM, Per Andreas Buer wrote:
>>
>>> Ricardo Newbery wrote:
>>>> I'm trying to understand the purpose of the "-u user" option for
>>>> varnishd. It appears that even when starting up as root, and the
>>>> child process dropping to "nobody", Varnish is still saving and
>>>> serving from cache even though "nobody" doesn't have read/write
>>>> access to the storage file owned by root.
>>>
>>> In Unix, if you drop privileges, you still have access to all your
>>> open files. Access control happens when you open files. That should
>>> answer the rest of your questions too, I believe.
>>
>> Hmm... maybe I'm missing something but this doesn't seem to answer
>> the main question. If, as you seem to imply, Varnish is opening any
>> files it needs while it's still "root", then what is the purpose of
>> the "-u user" option?
>
> That's the same thing in apache, mysql, ...
> Open every filehandle you need, then drop privileges. In case the
> software is being hacked, it can not damage the system, only the
> opened file pointers and everything the user can do. If the daemon
> would run as root, the hacker could do everything with your computer.
>
> /Flo

Please reread my question. I know why privileges are dropped. That is not the question.

Ric

_______________________________________________
varnish-misc mailing list
[email protected]
http://projects.linpro.no/mailman/listinfo/varnish-misc
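
The behaviour described in the thread above (access is checked at open(), so a descriptor opened before the privilege drop keeps working while a fresh open() is refused), as an added C example that is not part of the original messages or of Varnish's code. The uid/gid 65534 for "nobody" and the /tmp path are assumptions; when not started as root, the child removes the file's mode bits with fchmod() instead of switching user.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_ID 65534 /* assumption: uid/gid of "nobody" on this system */

/* Bit 0: the descriptor opened before the drop still accepts writes.
 * Bit 1: a fresh open() of the same path is refused with EACCES.
 * Returns 3 when both hold, -1 on setup failure, 100+ if the drop failed. */
int fd_survives_drop(void)
{
    char path[] = "/tmp/storage-demo-XXXXXX"; /* constructed stand-in for the storage file */
    int fd = mkstemp(path);                   /* mode 0600, owned by the caller */
    if (fd < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                           /* child plays the worker process */
        int result = 0;
        if (geteuid() == 0) {
            /* Real drop: supplementary groups, then gid, then uid. */
            if (setgroups(0, NULL) || setgid(UNPRIV_ID) || setuid(UNPRIV_ID))
                _exit(100);
            if (setuid(0) == 0)               /* regaining root must fail */
                _exit(101);
        } else if (fchmod(fd, 0) != 0) {      /* not root: revoke our own access */
            _exit(100);
        }
        if (write(fd, "cached", 6) == 6) result |= 1;
        if (open(path, O_RDWR) < 0 && errno == EACCES) result |= 2;
        _exit(result);
    }
    int status = 0;
    if (pid > 0)
        waitpid(pid, &status, 0);
    close(fd);
    unlink(path);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("result = %d (3: old fd works, new open refused)\n", fd_survives_drop());
}
```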
