Re: [RFC] obsoleting cache_effective_group from 3.2

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 12 Feb 2009 12:30:11 +1300 (NZDT)

> ons 2009-02-11 klockan 14:56 +1300 skrev Amos Jeffries:
>
>> WHY:
>> * it's a security breach.
>
> Why?

Overriding the underlying OS, which admin may understand, with behavior
they may not. Can cause them to enact less secure workarounds; I have
seen squid effective-user'd to the root UID not long ago.

>
>> * it's the source of many permissions annoyances.
>
> Yes.
>
>> * the setting is still widely recommended in online how-to's
>
> Yes, and often for the wrong reasons.
>
>> * current Squid-3+ are perfectly capable of pulling correct user/group
>> pairs from the OS or being built with a distro preferred user other than
>> 'none'.
>
> Yes.
>
>> HISTORY:
>> If I recall correctly, the only holdback we had last time this was
>> discussed was that certain setups and winbind needed it to work.
>
> Not sure.
>
>> That has since changed with the information about the winbind priv group
>> being available to Squid.
>
> ?
>
>> DESIRED OUTCOME:
>> I'd like to obsolete it in 3.2 unless there is another compelling
>> reason to keep it?
>
> I don't see why it should be dropped.
>
>> Failing that, I'd like to come up with a setup of parameters we can
>> detect and severely restrict its usage. Makign noisy log and startup
>> warnings when abused.
>
> How is this directive abused?

You answered that yourself with: online how-to's recommending it for the
wrong reasons.

Those distro's which still patch it to a fixed value in their packages
(this at least is fixable since --with-default-user).

>
> If you set it to something then you don't get the benefit of multiple
> group membership of the user account.
>
>
> A +/- 0 from me.
>
> Regards
> Henrik
>
>
Received on Wed Feb 11 2009 - 23:30:16 MST

This archive was generated by hypermail 2.2.0 : Thu Feb 12 2009 - 12:00:04 MST