> > I'm just currently listening to a talk by Jerry Carter about winbind
> > (Andrew Bartlett is also, probably....Andrew, I'm the guy with the red
> > shirt wandering around with a laptop and a big Debian logo on
> > it).....and he explicitly said that this directory should be 0750
> > (and it was set up this way on his laptop). I don't remember the
> > reasons though, but certainly security-related.
>  
> Right, the folks at squid told me the same thing and
> suggested adjusting the effective_group in squid. Should
> it be root?

The correct way to handle this is to have a 'winbind_priv' group, put
squid and any other apps (apache for mod_ntlm_winbind?) you must have
access the winbind pipe in it, and set that group on the directory.

In squid, you do *not* specify the effective group id, instead you
ensure the primary and supplementary groups for squid are squid
(primary) and winbind_priv (secondary).  At startup, squid will
initgroups() to get the right privileges.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
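
The setup described in the reply above can be verified with a short check. This is an added example, not part of the original message and not Samba or squid code. The directory path is not named in the thread, so it is passed as an argument; the function name is hypothetical and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example: verify the winbind privileged-pipe directory setup.
# Usage: sh check.sh DIR GROUP USER   (e.g. GROUP=winbind_priv USER=squid)
# DIR is site-specific (the thread does not name it), so it is an argument.
# Assumes GNU stat for the -c format option.

check_winbind_pipe_access() {
    dir=$1 group=$2 user=$3

    # 1. Mode must be exactly 0750: owner rwx, group r-x, nothing for others.
    mode=$(stat -c '%a' "$dir") || return 4
    if [ "$mode" != "750" ]; then
        echo "FAIL: $dir has mode $mode, expected 750" >&2
        return 1
    fi

    # 2. The directory's group must be the dedicated group, so that
    #    access is granted by membership and not by running as root.
    owner_group=$(stat -c '%G' "$dir") || return 4
    if [ "$owner_group" != "$group" ]; then
        echo "FAIL: $dir has group $owner_group, expected $group" >&2
        return 2
    fi

    # 3. The service account must list that group among its groups
    #    (primary or supplementary), which is what initgroups() picks up.
    user_groups=$(id -Gn "$user" 2>/dev/null) || user_groups=""
    case " $user_groups " in
        *" $group "*) ;;
        *)
            echo "FAIL: $user is not a member of $group" >&2
            return 3
            ;;
    esac

    echo "OK: $dir is 0750, group $group, and $user is a member"
    return 0
}

# Run the check only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    check_winbind_pipe_access "$@"
fi
```

Because squid picks up its groups through initgroups() at startup, a membership change only takes effect after squid is restarted.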
