4.2 User IDs

Previous page
Table of content
Next page
 <  Day Day Up  >  

4.2 User IDs

As you probably know, Unix processes and files have user and group ownership attributes. You need to select a user and group for Squid. This user and group combination must have read and write access to most of the Squid- related files and directories.

I highly recommend creating a dedicated squid user and group. This minimizes the chance that someone can exploit Squid to read other files on the system. If more than one person has administrative authority over Squid, you can add them to the squid group.

Unix processes inherit their parent process' ownership attributes. That is, if you start Squid as user joe , Squid also runs as user joe . If you don't want Squid to run as joe , you need to change your user ID beforehand. This is typically accomplished with the su command. For example: 

 joe% su - squid squid% /usr/local/squid/sbin/squid

Unfortunately, running Squid isn't always so simple. In some cases, you may need to start Squid as root , depending on your configuration. For example, only root can bind a TCP socket to privileged ports like port 80. If you need to start Squid as root , you must set the cache_effective_user directive. It tells Squid which user to become after performing the tasks that require special privileges. For example: 

 cache_effective_user squid

The name that you provide must be a valid user (i.e., in the /etc/passwd file). Furthermore, note that this directive is used only when you start Squid as root . Only root has the ability to become another user. If you start Squid as joe , it can't switch to user squid .

You might be tempted to just run Squid as root without setting cache_effective_user . If you try, you'll find that Squid refuses to run. This, again, is due to security concerns. If an outsider were somehow able to compromise or exploit Squid, he could gain full access to your system. Although we strive to make Squid secure and bug-free, this requirement provides some extra insurance, just in case.

If you start Squid as root without setting cache_effective_user , Squid uses nobody as the default value. Whatever user ID you choose for Squid, make sure it has read access to the files installed in $prefix/etc , $prefix/libexec , and $prefix/share . The user ID must also have write access to the log files and cache directory.

Squid also has a cache_effective_group directive, but you probably don't need to set it. By default, Squid uses the cache_effective_user 's default group (from the password file).

 <  Day Day Up  >  

Previous page
Table of content
Next page
Squid
Squid: The Definitive Guide
ISBN: 0596001622
EAN: 2147483647
Year: 2004
Pages: 401
Authors: Duane Wessels
BUY ON AMAZON
Adobe After Effects 7.0 Studio Techniques
Managing Enterprise Systems with the Windows Script Host
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
InDesign Type: Professional Typography with Adobe InDesign CS2
Lean Six Sigma for Service : How to Use Lean Speed and Six Sigma Quality to Improve Services and Transactions
The Oracle Hackers Handbook: Hacking and Defending Oracle
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy