On 4/09/2013 2:40 a.m., Antony Stone wrote:
>> Why does the parent squid process run as root and the child as user proxy?
>> Is that normal? Is it best practice? Should I chmod or chown cache directory?
> It is completely normal for a great many applications providing network
> services, and yes, it is best practice. In fact some will not *allow* you to
> run them as root, without an unprivileged user to run the main process as.
>
> The reasoning is simple:
>
> 1. You need root privileges to do certain things when you start an application
> (such as bind to a network socket, open a log file, perhaps read a configuration
> file), therefore it starts as root.
>
> 2. Any application might contain bugs which lead to security vulnerabilities,
> which can be remotely exploited through the network connection, and until the
> bugs are fixed, you at least want to minimise the risk presented by them.
>
> 3. Therefore as soon as you've done all the things involved in (1) above, you
> drop the privilege level of the application, and/or spawn a child process with
> reduced privilege, so that it still runs and does everything you need, but if
> a vulnerability is exploited, it no longer has root privilege and therefore
> cannot cause as much damage as it might have done.
>
> 4. Some applications also kill off the child/ren from time to time, and restart
> new ones, usually in an attempt to avoid memory leaks consuming all available
> RAM. Whether this works depends on the nature of the memory leak and the
> effectiveness of the operating system's garbage collection facilities.
Thank you for a very clear explanation, Antony. This has been a missing
piece of the FAQ for a while.
I am taking the liberty of moving this to the official FAQs and moulding
a small description of Squid behaviour around it.
http://wiki.squid-cache.org/SquidFaq/OperatingSquid#Why_do_I_need_to_run_Squid_as_root.3F_why_can.27t_I_just_use_cache_effective_user_root.3F
Amos
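The start-as-root-then-drop sequence Antony describes in points 1 and 3, as an added C example; it is not Squid's code and comes from neither poster. It assumes a Linux host and uses uid/gid 65534 ("nobody") as a constructed stand-in for Squid's cache_effective_user.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical unprivileged target standing in for Squid's cache_effective_user
 * (constructed for this example; 65534 is "nobody" on most Linux systems). */
#define TARGET_UID 65534
#define TARGET_GID 65534

/* Step 1: the privileged work. Binding a port below 1024 needs root; the open
 * descriptor stays usable after the drop, so the service keeps serving. */
int bind_privileged_port(int port) {
    struct sockaddr_in sa = { .sin_family = AF_INET,
                              .sin_port = htons((unsigned short)port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { close(fd); return -1; }
    return fd;   /* -1 when not root (or port busy) */
}

/* Step 3: drop root permanently. Order matters: supplementary groups first,
 * then gid, then uid; once the uid is non-zero the groups can't be changed. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* The drop is real only if real and effective ids match the target and an
 * attempt to become root again is refused. Returns 1 when fully dropped. */
int privileges_dropped(uid_t uid, gid_t gid) {
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;   /* regained root: not dropped */
    return 1;
}

/* Drops to nobody when started as root, otherwise to the current ids, so the
 * same check also runs unprivileged. Returns 1 on success. */
int demo_drop(void) {
    uid_t uid = geteuid() == 0 ? TARGET_UID : getuid();
    gid_t gid = geteuid() == 0 ? TARGET_GID : getgid();
    return drop_privileges(uid, gid) == 0 && privileges_dropped(uid, gid);
}
```

Call bind_privileged_port() before demo_drop(): the bind only works while still root, and the returned descriptor is what the unprivileged process goes on to accept() on.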
Received on Thu Sep 05 2013 - 06:05:07 MDT