Mailing List Archive

r1482 - trunk/varnish-cache/bin/varnishd
des at projects.linpro.no writes:
> Log:
> Add two run-time parameters, "user" and "group", which specify an unprivileged
> user and group to which the child process will switch immediately after fork()
> returns, before it starts accepting connections. The default values are
> "nobody" and "nogroup" (they should probably be tweakable at compile time...)
>
> Note that this does not provide full privilege separation, as there are still
> channels between the parent and child processes which need to be monitored,
> but it is an improvement on the previous situation.

These settings should be documented (and tweakable) in varnish.default
etc. Depending on the distribution, there may be more appropriate
default values for user and group (e.g. "www-data" on Debian).

DES
--
Dag-Erling Smørgrav
Senior Software Developer
Linpro AS - www.linpro.no
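
Added example, not part of the original thread and not Varnish's own code: one way a forked child can switch to an unprivileged user and group before it accepts connections, as the commit log describes. The function name `drop_privileges` and its return codes are assumptions made for illustration; "nobody" and "nogroup" are the defaults named in the log.

```c
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical return codes for this example. */
enum { DROP_OK = 0, DROP_ELOOKUP = -1, DROP_ENOTROOT = -2,
       DROP_ESWITCH = -3, DROP_EREGAIN = -4 };

/* Switch the calling process to an unprivileged user and group. */
int drop_privileges(const char *user, const char *group)
{
    /* Resolve both names before changing any credentials. */
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return DROP_ELOOKUP;
    uid_t uid = pw->pw_uid;
    struct group *gr = getgrnam(group);
    if (gr == NULL)
        return DROP_ELOOKUP;
    gid_t gid = gr->gr_gid;

    if (geteuid() != 0)
        return DROP_ENOTROOT;        /* not root: cannot switch identity */

    /* Order matters: setgroups and setgid need root, so setuid goes last. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return DROP_ESWITCH;
    /* Verify the drop is permanent: regaining root must fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return DROP_EREGAIN;
    return DROP_OK;
}

int main(void)
{
    pid_t pid = fork();
    if (pid == 0) {
        /* Child: drop privileges immediately after fork() returns. */
        if (drop_privileges("nobody", "nogroup") != DROP_OK)
            _exit(1);                /* refuse to serve with root rights */
        /* ... the child would start accepting connections here ... */
        _exit(0);
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return 1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : 1;
}
```

Every return value is checked because a switch that fails silently leaves the child running as root, and the group name has to match the distribution ("nogroup" does not exist everywhere).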