Re: [RFC] obsoleting cache_effective_group from 3.2

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Wed, 11 Feb 2009 23:12:06 +0100

On Wed 2009-02-11 at 14:56 +1300, Amos Jeffries wrote:

> WHY:
> * it's a security breach.

Why?

> * it's the source of many permissions annoyances.

Yes.

> * the setting is still widely recommended in online how-to's

Yes, and often for the wrong reasons.

> * current Squid-3+ are perfectly capable of pulling correct user/group
> pairs from the OS or being built with a distro preferred user other than
> 'none'.

Yes.

> HISTORY:
> If I recall correctly, the only holdback we had last time this was
> discussed was that certain setups and winbind needed it to work.

Not sure.

> That has since changed with the information about the winbind priv group
> being available to Squid.

?

> DESIRED OUTCOME:
> I'd like to obsolete it in 3.2 unless there is another compelling
> reason to keep it?

I don't see why it should be dropped.

> Failing that, I'd like to come up with a setup of parameters we can
> detect and severely restrict its usage. Making noisy log and startup
> warnings when abused.

How is this directive abused?

If you set it to something then you don't get the benefit of multiple
group membership of the user account.

A +/- 0 from me.

Regards
Henrik
Received on Wed Feb 11 2009 - 22:12:14 MST
