Unprivileged user?

Poul-Henning Kamp phk at phk.freebsd.dk
Wed Apr 16 08:56:37 CEST 2008


In message <7xd4oqe4c2.fsf at iostat.linpro.no>, Stig Sandbeck Mathisen writes:
>On Tue, 15 Apr 2008 00:01:17 -0700, Ricardo Newbery <ric at digitalmarbles.com> said:
>
>> In Varnish, does the less-privileged user need access to anything?
>
>After it has dropped root privileges, it needs at least:
>
>* Open new network connections (no problem unless you use MAC or a
>  uid-matching firewall)

No, it accepts them only.

>* Read access to where you store your VCL files

No, the vcl files are read by the master process which does not
drop priviledge.

>* Execute a C compiler

Same.

>* Write access to its cache directory, to store the compiled
>  configuration

Same.

Please figure out how varnish really works before you acuse us of
being incompetent.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.



More information about the varnish-misc mailing list