Unprivileged user?

Anders Nordby anders at fupp.net
Wed Apr 16 12:44:22 CEST 2008


On Tue, Apr 15, 2008 at 07:35:20AM +0000, Poul-Henning Kamp wrote:
>>Assuming that "nobody" is an available user on your system, then is  
>>the "-u user" option for varnishd superfluous?
> Yes.
> You can confirm the uid nobody is used with the ps(1) command.

I disagree.

Suppose you have another process on your system that runs as nobody,
like Apache. And people have access to run CGIs and other types of
scripts through this user. Would you want them to be able to do naughty
things to your Varnish process (they might be able to if Apache and
Varnish both run as nobody) as well?

An option to specify which user to change to is something people want,
to control which user a process runs as. There are perfectly valid
reasons to run as a different user than the standard, especially in
multi-user/non-dedicated setups.

Thanks! :)



More information about the varnish-misc mailing list