[RFC] obsoleting cache_effective_group from 3.2

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 11 Feb 2009 14:56:23 +1300

I'm opening this old discussion up again.

WHY:
  * it's a security breach.
  * it's the source of many permissions annoyances.
  * the setting is still widely recommended in online how-to's without
reference to the security problems playing with it causes.
  * current Squid-3+ are perfectly capable of pulling correct user/group
pairs from the OS or being built with a distro preferred user other than
'none'.

HISTORY:
  If I recall correctly, the only holdback we had last time this was
discussed was that certain setups and winbind needed it to work.

That has since changed with the information about the winbind priv group
being available to Squid.

DESIRED OUTCOME:
  I'd like to obsolete it in 3.2 unless there is another compelling
reason to keep it?

Failing that, I'd like to come up with a setup of parameters we can
detect and severely restrict its usage. Making noisy log and startup
warnings when abused.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.5
Received on Wed Feb 11 2009 - 01:56:20 MST
