Date: Wed, 1 Aug 2001 17:13:00 +0400
From: "Nickolay A.Kritsky" <nkritsky@internethelp.ru>
To: Mike Silbersack <silby@silby.com>
Cc: "Karsten W. Rohrbach" <karsten@rohrbach.de>, security@FreeBSD.ORG
Subject: Re[2]: accounting with ipfw (gid, uid riles)
Message-ID: <79100794374.20010801171300@internethelp.ru>
In-Reply-To: <20010731175236.A58983-100000@achilles.silby.com>
References: <20010731175236.A58983-100000@achilles.silby.com>
Hello Mike,

Wednesday, August 01, 2001, 2:54:18 AM, you wrote:

MS> On Tue, 31 Jul 2001, Karsten W. Rohrbach wrote:
>> > If squid runs the listen as root, all sockets created from that listen
>> > socket will also be accounted to root. Same problem as the above. I do
>> > not know how natd would affect connections in terms of uid accounting.
>>
>> squid's standard ports are higher than 1024, so it should not be a
>> problem to start it with a uid wrapper (setuidgid from daemontools
>> or similar), shouldn't it? then the socket belongs to the squid user
>> i think...
>>
>> /k

MS> I'm not familiar with how squid acts, but your idea sounds good to me.
MS> Tell us how it works. :)

MS> Mike "Silby" Silbersack

I feel that my first post was partly misunderstood: squid is running as uid
nobody on my host, which is not a problem at all; in my configuration file it
is said to be the default setting. This is from squid.conf:

;------------------------------------------------------------------
# TAG: cache_effective_user
# TAG: cache_effective_group
#
# If the cache is run as root, it will change its effective/real
# UID/GID to the UID/GID specified below. The default is to
# change to UID to nobody and GID to nogroup.
#
# If Squid is not started as root, the default is to keep the
# current UID/GID. Note that if Squid is not started as root then
# you cannot set http_port to a value lower than 1024.
#
#cache_effective_user nobody
#cache_effective_group nogroup
;------------------------------------------------------------------

The problem was: why is the total number of bytes shown by the rules

01010 count ip from any to 212.113.112.145 uid nobody via rl0
01010 count ip from 212.113.112.145 to any uid nobody via rl0

less than the number reported by squid itself? Why?
;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru
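An added example, not part of the thread and not code from its authors: a small sh/awk script that sums the byte counters of the two "uid nobody" count rules from `ipfw -a list` output and compares them with hypothetical catch-all count rules (rule 01000, no uid clause) for the same address, so the share of traffic that ipfw did not attribute to the uid becomes a number you can watch. The `ipfw -a list` sample, the catch-all rules and the counter values are constructed for the example; only the two 01010 rules and the address come from the post.

```shell
#!/bin/sh
# Added example (not from the original thread). Sums ipfw "count" rule byte
# counters from `ipfw -a list` output and reports how many bytes to/from a
# host were NOT matched by the per-uid rules.

# Constructed sample of `ipfw -a list` output (columns: rule, packets, bytes,
# rule text). Rules 01010 are the uid rules from the post; rules 01000 are
# hypothetical catch-all count rules for the same address, added so that the
# gap between "all traffic for the host" and "traffic attributed to nobody"
# can be measured. The counter values are made up.
SAMPLE='01000      9120    8241776 count ip from any to 212.113.112.145 via rl0
01000     11874   13966012 count ip from 212.113.112.145 to any via rl0
01010      8870    7903112 count ip from any to 212.113.112.145 uid nobody via rl0
01010     11492   13594208 count ip from 212.113.112.145 to any uid nobody via rl0
65535  54321000 1234567890 deny ip from any to any'

# Sum the byte column of every "count" rule whose text contains "uid <name>".
# Reads `ipfw -a list` output on stdin.  Usage: ipfw -a list | uid_bytes nobody
uid_bytes() {
    awk -v uid="$1" '
        $4 == "count" && $0 ~ ("uid " uid "( |$)") { sum += $3 }
        END { printf "%d\n", sum + 0 }'
}

# Sum the byte column of every "count" rule that mentions <host> and has no
# uid clause (the catch-all rules).  Usage: ipfw -a list | host_bytes 1.2.3.4
host_bytes() {
    awk -v host="$1" '
        $4 == "count" && index($0, host) && $0 !~ / uid / { sum += $3 }
        END { printf "%d\n", sum + 0 }'
}

# Bytes to/from <host> that the catch-all rules saw but the per-uid rules did
# not.  Usage: ipfw -a list | unattributed_bytes 1.2.3.4 nobody
unattributed_bytes() {
    ub_input=$(cat)
    ub_total=$(printf '%s\n' "$ub_input" | host_bytes "$1")
    ub_byuid=$(printf '%s\n' "$ub_input" | uid_bytes "$2")
    echo $((ub_total - ub_byuid))
}

# Demo on the constructed sample; on a live host replace the printf with
# `ipfw -a list`.
printf '%s\n' "$SAMPLE" | unattributed_bytes 212.113.112.145 nobody
```

Two things to keep in mind when reading the numbers. The `uid` option in ipfw(8) matches TCP/UDP packets that can be associated with a socket owned by that user, so packets for which no such socket exists at match time (segments arriving after the socket is closed, RSTs to stray packets, and so on) land in the catch-all rules but not in the uid rules. And ipfw counts bytes at the IP layer, headers included, while squid reports application data, so an ipfw figure that is lower than squid's own is a sign that some of squid's packets are simply not being attributed to the uid; the unattributed total above shows how much. Run `ipfw zero 1000 1010` at the same moment you reset squid's statistics so both counters cover the same interval.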
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?79100794374.20010801171300>