[stunnel-users] stunnel HUP bug

• Previous message (by thread): [stunnel-users] stunnel HUP bug
• Next message (by thread): [stunnel-users] stunnel HUP bug
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Stefan Behte wrote:
> AFAIK other products like apache solve this problem
> by running a main process as root and dropping privileges/capabilities
in
> subprocesses/threads that handle the connections. If you want to kill
-HUP
> apache, you send it to the main process, not a process running with
lower
> privileges.
> 
> To be honest, I do not like the way stunnel currently handles this, when
I
> send a -HUP, I expect it to reload my config, without exceptions. Well,
it
> is a design decision, a workaround exists and it's documented, but
still...

It's a good idea, but quite tough to implement.  It would require passing
socket descriptors, configuration file, certificates, private keys, CRLs,
and possibly other stuff between processes with different permissions.

I have updated my TODO list:
    http://www.stunnel.org/?page=sdf_todo

Alternatively I could just drop support for setuid and chroot, as my
budget is much smaller than the budget of Apache Foundation:
http://www.apache.org/foundation/records/minutes/2010/board_minutes_2010_04_21.txt

Mike

• Previous message (by thread): [stunnel-users] stunnel HUP bug
• Next message (by thread): [stunnel-users] stunnel HUP bug
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]