Re: [squid-users] Re: Squid 3 doesn't overwrite/replace cached objects(?)

From: Antony Stone <Antony.Stone_at_squid.open.source.it>
Date: Tue, 3 Sep 2013 16:40:55 +0200

On Tuesday 03 September 2013 at 16:31:25, uners wrote:

> My question regarding different process owners remains: Why does the parent
> squid process run as root and the child as user proxy? Is that normal? Is it
> best practice? Should I chmod or chown cache directory?

It is completely normal for a great many applications providing network
services, and yes, it is best practice. In fact some will not *allow* you to
run them as root, without an unprivileged user to run the main process as.

The reasoning is simple:

1. You need root privileges to do certain things when you start an application
(such as bind to a network socket, open a log file, perhaps read a configuration
file), therefore it starts as root.

2. Any application might contain bugs which lead to security vulnerabilities,
which can be remotely exploited through the network connection, and until the
bugs are fixed, you at least want to minimise the risk presented by them.

3. Therefore as soon as you've done all the things involved in (1) above, you
drop the privilege level of the application, and/or spawn a child process with
reduced privilege, so that it still runs and does everything you need, but if
a vulnerability is exploited, it no longer has root privilege and therefore
cannot cause as much damage as it might have done.

4. Some applications also kill off the child/ren from time to time, and restart
new ones, usually in an attempt to avoid memory leaks consuming all available
RAM. Whether this works depends on the nature of the memory leak and the
effectiveness of the operating system's garbage collection facilities.

Hope this helps,

Antony.

-- 
Most people are aware that the Universe is big.
 - Paul Davies, Professor of Theoretical Physics
                                                     Please reply to the list;
                                                           please don't CC me.
Received on Tue Sep 03 2013 - 14:41:04 MDT
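
Points 1 and 3 of the message above, sketched in C as an added example (it is not part of the original message and is not Squid's own code): a parent that stays root forks a child, and the child permanently switches to an unprivileged account before doing any work. The account name `proxy` is taken from the question; the function name `drop_privileges` and its return codes are assumptions made for this illustration.

```c
#define _DEFAULT_SOURCE                  /* for initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { DROP_OK = 0, DROP_FAILED = -1, DROP_NOT_ROOT = -2 };

/* Permanently switch the calling process to `user`. Order matters:
 * supplementary groups, then gid, then uid, because once the uid is
 * no longer 0 the process may not change its groups any more. */
int drop_privileges(const char *user)
{
    if (geteuid() != 0)
        return DROP_NOT_ROOT;            /* nothing to drop */

    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)
        return DROP_FAILED;              /* unknown user, or "dropping" to root */

    if (initgroups(user, pw->pw_gid) != 0) return DROP_FAILED;
    if (setgid(pw->pw_gid) != 0)           return DROP_FAILED;
    if (setuid(pw->pw_uid) != 0)           return DROP_FAILED;

    /* Verify: regaining root must now be refused. */
    if (setuid(0) == 0 || geteuid() == 0)
        return DROP_FAILED;
    return DROP_OK;
}

int main(void)
{
    /* Point 1 of the message happens here, still as root:
     * bind the listening socket, open log files, read the config. */
    pid_t pid = fork();
    if (pid < 0)
        return 1;
    if (pid == 0) {                      /* child: serves traffic unprivileged */
        int rc = drop_privileges("proxy");
        printf("child : rc=%d uid=%d gid=%d\n", rc, (int)getuid(), (int)getgid());
        _exit(rc == DROP_OK ? 0 : 1);    /* never keep running after a failed drop */
    }
    int status = 0;
    waitpid(pid, &status, 0);            /* parent: keeps its original uid */
    printf("parent: uid=%d, child exit=%d\n", (int)getuid(),
           WIFEXITED(status) ? WEXITSTATUS(status) : -1);
    return 0;
}
```

Run as root on a system with a `proxy` account, the child reports that account's uid and gid while the parent still reports uid 0; run as an ordinary user, the child returns `DROP_NOT_ROOT` and exits non-zero.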
