[plug] Another (Possibly) Redhat specific squid tip

Christian christian at global.net.au
Sat Nov 21 18:24:17 WST 1998 

At 17:58 21/11/98 +0800, you wrote:

I believe that's what I was saying.  Slight confusion in who wrote what
here due to you replying to a reply.

>On Sat, 21 Nov 1998, Christian wrote:
>> At 13:49 21/11/98 +0800, you wrote:
>> >Just noticed that my user "nobody" was disabled from a default redhat
>> >5.1 install...... so I enabled the nobody user, and gave
>> >it a password for security reasons.
>I cannot imagine _what_ security reasons you would give it a password for.
>For security reasons, replace the password field in /etc/passwd and/or 
>/etc/shadow with an '*', or whatever is the local policy.
>There is no reason for anyone to log in as nobody.

With regard to the below, since I've never had to install squid I didn't
realise that Debian used a separate user for this although of course this
makes perfect sense.  My point was still that the change to the particular
uid it runs as doesn't require the program to know the password of that
account, regardless of whether the account has a valid password or not.
The change of uid will be done by seteuid() somewhere along the line, most
probably by squid itself I would say.  What I was saying when I said that
squid would be started as root was that it would be started by an boot up
script running as root and not that it *had* to be started as root to bind
to a privilege port.  So since these accounts do not have passwords and
cannot be logged into (and since you want the process to be automated)
squid will start as root and seteuid() to the appropriate uid specified in
it's configuration file.

And of course, as you point out and I implied, these accounts such as
nobody et al should not have an enabled password.

>> Knowing very little about squid I'm reticient to open my mouth but,
>> wouldn't squid be started as root and then seteuid() to nobody? (ie, the
>> same way most web servers do).  
>Not necessarily. Web servers do that because they need to bind to port 80.
>The ports below 1024 are considered privileged and can only be bound to by
>root. Thus the webserver will grab port 80 before giving up root
>priveleges.
>Squid does not necessarily bind to a privileged port (the default is 3128)
>so it does not have to be started as root. Starting it as nobody is a
>better idea, but your distribution really ought provide a seperate userid
>for squid to operate as. (assuming you installed the squid from your
>distro)

More information about the plug mailing list