Re: [squid-users] Re: Why squid -z

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sat, 01 Mar 2008 23:14:30 +1300

RW wrote:
> On Tue, 26 Feb 2008 12:25:06 +0200
> Angela Williams <angie@eoh.co.za> wrote:
>
>> On Tuesday 26 February 2008, Ric wrote:
>>> I'm wondering why we require "squid -z" before starting up Squid for
>>> the first time. Is there some reason why Squid shouldn't do this
>>> automatically when necessary?
>> Just a simple scenario?
>> I use a separate cache file system for all my many squid boxes.
>> Now for some reason one of the boxes get bounced and my squid cache
>> filesystem fails to mount but squid comes up happily and say Oh look
>> I don't have any cache directory structure so let me make one! Root
>> filesystem is limited in space and then this dirty great big
>> directory structure is created and then gets used by squid. In the
>> twinkling of an eye the root filesystem is full!
>
> I don't think this could actually happen unless the admin does
> something perverse.
>
> If squid is run under it's own user, it would own the mounted
> filesystem, but the mountpoint should still belong to root, operator or
> whatever. The squid daemon wouldn't be able to write the cache
> directories under the mountpoint unless the admin had explicitly given
> it write permission or changed the ownership of the mountpoint to
> the squid user (even though squid doesn't do the mounting).
>
> OTOH when you run squid as root (which you probably shouldn't do
> anyway)

To do most of what squid is expected to do these days:
   net-load routing, fastest-path detection, transparency, acceleration
(reverse-proxy), pmtu alteration, other kernel-level socket operations.

It _requires_ starting as root and dropping its own privileges down to
effective-user when no longer needed.

> the cache directory needs to be owned by
> "cache_effective_user" for squid to use it.
>

It does anyway, root-started or non-root.
Are you willing to require all squid users to have another layer of
directory structure chown'd to effective-user just for your feature?

Adrian has already made the offer to commit the code if you write it.

Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Received on Sat Mar 01 2008 - 03:14:00 MST

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:04 MDT