[plug] Another (Possibly) Redhat specific squid tip

Christian again at earth.global.net.au
Sun Nov 22 17:02:15 WST 1998



On Sat, 21 Nov 1998, David Buddrige wrote:

> 1. Security is not a major issue, since I dial-out for a couple of hours 
> at a time.
> 2. I couldn't be bothered creating another user.
> 
> I decided to simply enable user nobody.  Prior to that, user nobody was 
> entirely disabled on my system.  This (apparently) worked.  I am still a 
> bit of a newbie when it comes to squid, so at present I am still trying 
> different things trying to get it to work at maximum efficiency.
> My understanding at present is that by defining a given user as the 
> cache_effective_user, you are effectively telling SQUID which user it 
> appears as to the net.  Given that understanding, it would make sense to 
> me that SQUID would have problems if that particular user was disabled.  
> However, you may be able to enlighten me as to the exact meaning of 
> cache_effective_user, in which case, please do.

I think the point that John, I and others have been trying to make is that
whether the account is enabled or not is irrelevant.  For instance, if you
gave user "nobody" a password, how did you let squid know what that
password was?  As I mentioned, the squid program starts as root and then
makes a system call named "seteuid()" (set effective user id).  This
changes the euid (effective user id) of the running program to the uid
specified.  This is the same thing as when you run the su command.  For
example, if an ordinary user attempts to su (switch user) to root then
they naturally must enter root's password.  If the same user su's to
another ordinary user then the same thing happens.  However if root su's
to any user they are not prompted for a password (since they are the super
user - they can do what they like).  Try it yourself and see.

So squid, when it starts as root, is effectively su'ing to whatever user
you specify in cache_effective_user.  Since it's running as root it
doesn't need to give a password and, thus, it doesn't matter if the
account has an enabled password or not.

In summary, the nobody (or squid) account can be disabled and this does
not matter, because a login isn't actually happening, just a call to
seteuid(), and the call is being made by a process running as root.

As I said, try it yourself with su.  You'll get a result like below:

daisy:~# grep nobody /etc/passwd
nobody:*:65534:100:nobody:/dev/null:
daisy:~# su nobody
daisy:/root$ whoami
nobody
daisy:/root$ 

As you can see, the account is locked but I can still su to that account
and obtain that identity (effective uid).

Hope this clears it up a bit for you.

Regards,

Christian.


