Re: chrooting squid..

From: Nigel Metheringham <Nigel.Metheringham@dont-contact.us>
Date: Thu, 12 Dec 1996 09:45:15 +0000

} We are running squid on our firewall systems, and
} we have a policy of running proxy programs under a chroot whenever
} possible in hopes of protecting ourselves against abuse of possible
} bugs in the proxy software (whether it be squid or anything else). I
} believe this is fairly common firewall practice, though the efficacy
} of this protection can surely be debated, as can the degree of risk of
} such an attack.

I wondered about doing this on our systems and decided against it for now
due to problems with allocation of disk space....

I have the executables on a (potentially) read-only partition.
Manoevering the cache space into a position where I can chroot the whole
lot seemed like more trouble than it was worth.... [I don't have loopback
mounts available]

A compromise where squid starts running, reads the config, opens its log
files, forks off the children (which chroot themselves) and then chroots
would be useful - less secure than the big chroot solution, but with
better security that we would otherwise have. However with this setup a
few things would not work quite as expected - basically the responses to
many of the signals.

        Nigel.

-- 
[ Nigel.Metheringham@theplanet.net   - Unix Applications Engineer ]
[ *Views expressed here are personal and not supported by PLAnet* ]
[ PLAnet Online : The White House          Tel : +44 113 251 6012 ]
[ Melbourne Street, Leeds LS2 7PS UK.      Fax : +44 113 2345656  ]
Received on Thu Dec 12 1996 - 01:52:24 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:33:52 MST