On Mar 1, 2008, at 2:14 AM, Amos Jeffries wrote:
> RW wrote:
>> On Tue, 26 Feb 2008 12:25:06 +0200
>> Angela Williams <angie@eoh.co.za> wrote:
>>> On Tuesday 26 February 2008, Ric wrote:
>>>> I'm wondering why we require "squid -z" before starting up Squid
>>>> for
>>>> the first time. Is there some reason why Squid shouldn't do this
>>>> automatically when necessary?
>>> Just a simple scenario?
>>> I use a separate cache file system for all my many squid boxes.
>>> Now for some reason one of the boxes get bounced and my squid cache
>>> filesystem fails to mount but squid comes up happily and say Oh look
>>> I don't have any cache directory structure so let me make one! Root
>>> filesystem is limited in space and then this dirty great big
>>> directory structure is created and then gets used by squid. In the
>>> twinkling of an eye the root filesystem is full!
>> I don't think this could actually happen unless the admin does
>> something perverse.
>> If squid is run under it's own user, it would own the mounted
>> filesystem, but the mountpoint should still belong to root,
>> operator or
>> whatever. The squid daemon wouldn't be able to write the cache
>> directories under the mountpoint unless the admin had explicitly
>> given
>> it write permission or changed the ownership of the mountpoint to
>> the squid user (even though squid doesn't do the mounting). OTOH
>> when you run squid as root (which you probably shouldn't do
>> anyway)
>
> To do most of what squid is expected to do these days:
> net-load routing, fastest-path detection, transparency,
> acceleration (reverse-proxy), pmtu alteration, other kernel-level
> socket operations.
>
> It _requires_ starting as root and dropping its own privileges down
> to effective-user when no longer needed.
>
>> the cache directory needs to be owned by
>> "cache_effective_user" for squid to use it.
>
> It does anyway, root-started or non-root.
> Are you willing to require all squid users to have another layer of
> directory structure chown'd to effective-user just for your feature?
>
> Adrian has already made the offer to commit the code if you write it.
>
> Amos
To be fair to RW, I don't think he was asking for this feature. I was.
RW was just offering an opinion on the technical merits of Angela's
argument. In any case, this argument is moot since a config flag that
defaults to "off" seems acceptable to all.
Ric
Received on Sat Mar 01 2008 - 04:44:22 MST
This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:04 MDT