ming.zym@gmail.com | 22 Jul 2012 15:24

trafficserver and raw disk access in FreeBSD

Apache Traffic Server may use raw disk for caching, and for privilege
elevation, the worker process (traffic_server) will setuid to nobody. My
question is: how to make traffic_server access the /dev/ada*?

In Linux, disk permissions are root:disk 0660, so we can go with:
1. set up a new user 'ats' and put it into the 'disk' group
2. after setuid, run initgroups() to complete the groups env.

We need a safe and easy-to-implement way for raw disk access in
FreeBSD.

Thanks for your help.

-- 
zym, Zhao Yongming.
aka: yonghao <at> taobao.com
Wojciech Puchar | 22 Jul 2012 17:03

Re: trafficserver and raw disk access in FreeBSD

> Apache Traffic Server may use raw disk for caching, and for privilege
> elevation, the worker process (traffic_server) will setuid to nobody. My
> question is: how to make traffic_server access the /dev/ada*?
>
> In Linux, disk permissions are root:disk 0660, so we can go with:
> 1. set up a new user 'ats' and put it into the 'disk' group
> 2. after setuid, run initgroups() to complete the groups env.

devfs.conf
_______________________________________________
freebsd-hackers <at> freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe <at> freebsd.org"

ming.zym@gmail.com | 23 Jul 2012 03:47

Re: trafficserver and raw disk access in FreeBSD

Yeah, rules in devfs always work, and they may introduce more challenges in
operations management. Is there any way we can do it more cleanly?

Should we set the permission g+w for :operator on disks and partitions?
Then we can put a dedicated user for trafficserver into the operator group.

On 2012-07-22 at 17:03 +0200, Wojciech Puchar wrote:
> > Apache Traffic Server may use raw disk for caching, and for privilege
> > elevation, the worker process (traffic_server) will setuid to nobody. My
> > question is: how to make traffic_server access the /dev/ada*?
> >
> > In Linux, disk permissions are root:disk 0660, so we can go with:
> > 1. set up a new user 'ats' and put it into the 'disk' group
> > 2. after setuid, run initgroups() to complete the groups env.
> 
> devfs.conf

-- 
zym, Zhao Yongming.
aka: yonghao <at> taobao.com
Daniel O'Connor | 23 Jul 2012 03:54

Re: trafficserver and raw disk access in FreeBSD


On 23/07/2012, at 11:17, ming.zym <at> gmail.com wrote:
> Yeah, rules in devfs always work, and they may introduce more challenges in
> operations management. Is there any way we can do it more cleanly?
> 
> Should we set the permission g+w for :operator on disks and partitions?
> Then we can put a dedicated user for trafficserver into the operator group.

I would change the ownership of the disk you want to use to trafficserver.

This does mean you have double configuration (ie in devfs and ATS) but I think it's more sensible than giving operator write perms.

AFAIK operator has read access so it can run dump.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
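The two approaches raised in the thread (a dedicated group with 0660, or simply chown'ing the disk node to the service user, as Daniel suggests) both end up as devfs entries. The following is an added example, not code from the thread or from Apache Traffic Server: it emits the matching /etc/devfs.conf and /etc/devfs.rules entries for a device and checks that the resulting mode leaves "other" with no access and no setuid/setgid/sticky bits on the node. The device name ada1, the user ats and the ruleset name localrules are assumed placeholders; the devfs.conf keywords (own, perm) and the devfs(8) rule actions (user, group, mode) are the real FreeBSD syntax.

```shell
#!/bin/sh
# Added example (not from the thread). Device, user and group names are
# illustrative; adjust to the node ATS is configured to use.

# /etc/devfs.conf lines: applied once by /etc/rc.d/devfs at boot, so they
# do not cover a disk that appears (or is re-attached) later.
devfs_conf_entry() {
    dev=$1; owner=$2; group=$3; mode=$4
    printf 'own\t%s\t%s:%s\nperm\t%s\t%s\n' "$dev" "$owner" "$group" "$dev" "$mode"
}

# /etc/devfs.rules action: goes under a section such as [localrules=10],
# enabled with devfs_system_ruleset="localrules" in /etc/rc.conf. Rulesets
# are also applied to nodes created after boot.
devfs_rule_entry() {
    dev=$1; owner=$2; group=$3; mode=$4
    printf "add path '%s' user %s group %s mode %s\n" "$dev" "$owner" "$group" "$mode"
}

# Return 0 only for a mode (3 or 4 octal digits) that keeps "other" at 0,
# sets no setuid/setgid/sticky bit, and grants execute to nobody: a raw
# disk node never needs x, and world access would let any local user read
# the cache or the disk.
mode_is_restricted() {
    mode=$1
    case "$mode" in
        [0-7][0-7][0-7][0-7])
            [ "${mode%???}" = "0" ] || return 1   # reject 2660, 4660, ...
            mode=${mode#?} ;;
        [0-7][0-7][0-7]) ;;
        *) return 1 ;;
    esac
    other=${mode#??}
    [ "$other" = "0" ] || return 1
    user=${mode%??}
    rest=${mode#?}
    group=${rest%?}
    case "$user$group" in
        *[1357]*) return 1 ;;                    # an x bit in user or group
    esac
    return 0
}

# Check a live node with FreeBSD stat(1) (%Lp prints the octal permission
# bits). Example usage: check_device_node /dev/ada1
check_device_node() {
    mode=$(stat -f '%Lp' "$1") || return 1
    mode_is_restricted "$mode"
}

# Group approach from the first message: root-owned, group ats, 0660.
devfs_conf_entry ada1 root ats 0660
devfs_rule_entry ada1 root ats 0660
# Ownership approach from Daniel's reply: owned by ats, no group access.
devfs_rule_entry ada1 ats wheel 0600
```

Either form keeps write access off the operator group, which (as Daniel notes) only needs read access for dump(8); the devfs.rules form is the one to keep for a disk that may be hot-plugged, since devfs.conf is only read at boot.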

Wojciech Puchar | 23 Jul 2012 09:41

Re: trafficserver and raw disk access in FreeBSD

> Yeah, rules in devfs always work, and they may introduce more challenges in
> operations management. Is there any way we can do it more cleanly?

What challenges?

>
> Should we set the permission g+w for :operator on disks and partitions?

You still may just do chown/chmod.

> Then we can put a dedicated user for trafficserver into the operator group.
>
>
> On 2012-07-22 at 17:03 +0200, Wojciech Puchar wrote:
>>> Apache Traffic Server may use raw disk for caching, and for privilege
>>> elevation, the worker process (traffic_server) will setuid to nobody. My
>>> question is: how to make traffic_server access the /dev/ada*?
>>>
>>> In Linux, disk permissions are root:disk 0660, so we can go with:
>>> 1. set up a new user 'ats' and put it into the 'disk' group
>>> 2. after setuid, run initgroups() to complete the groups env.
>>
>> devfs.conf
>
> -- 
> zym, Zhao Yongming.
> aka: yonghao  <at>  taobao.com
>