r1482 - trunk/varnish-cache/bin/varnishd

Dag-Erling Smørgrav des at linpro.no
Thu May 31 15:00:24 CEST 2007


des at projects.linpro.no writes:
> Log:
> Add two run-time parameters, "user" and "group", which specify an unprivileged
> user and group to which the child process will switch immediately after fork()
> returns, before it starts accepting connections.  The default values are
> "nobody" and "nogroup" (they should probably be tweakable at compile time...)
>
> Note that this does not provide full privilege separation, as there are still
> channels between the parent and child processes which need to be monitored,
> but it is an improvement on the previous situation.

These settings should be documented (and tweakable) in varnish.default
etc.  Depending on the distribution, there may be more appropriate
default values for user and group (e.g. "www-data" on Debian).

DES
-- 
Dag-Erling Smørgrav
Senior Software Developer
Linpro AS - www.linpro.no
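
The privilege drop described in the quoted log, as an added C example (not varnishd's code and not part of the original message): the forked child resolves both names, then changes supplementary groups, gid and uid in that order and checks that root cannot be regained. The function name and return codes are assumptions; "nobody" and "nogroup" are the defaults named in the log.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper. Returns 0 on success, -1 if the user or group name is
 * unknown, -2 if a privilege-changing call fails or root can be regained. */
int drop_privileges(const char *user, const char *group)
{
    /* Resolve both names first so a typo never leaves a half-dropped state. */
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    uid_t uid = pw->pw_uid;
    struct group *gr = getgrnam(group);
    if (gr == NULL)
        return -1;
    gid_t gid = gr->gr_gid;

    /* Order matters: changing groups and gid needs root, so uid goes last. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -2;
    /* Verify the drop is irreversible: regaining uid 0 must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -2;
    return 0;
}

int main(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 1;
    if (pid == 0) {
        /* Child: switch identity immediately, before accepting connections. */
        if (drop_privileges("nobody", "nogroup") != 0)
            _exit(1);   /* never serve traffic with the parent's privileges */
        printf("child uid=%d gid=%d\n", (int)getuid(), (int)getgid());
        fflush(stdout);
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);   /* parent keeps its privileges and supervises */
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Started as root, the child reports the unprivileged ids; started unprivileged, the drop fails and the child exits instead of serving.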

