Re: chrooting squid..

From: Nigel Metheringham <Nigel.Metheringham@dont-contact.us>
Date: Thu, 12 Dec 1996 10:52:14 +0000

} > Oh. Good question. We are running squid on our firewall systems, and
} > we have a policy of running proxy programs under a chroot whenever
} > possible in hopes of protecting ourselves against abuse of possible
} > bugs in the proxy software (whether it be squid or anything else). I
} > believe this is fairly common firewall practice, though the efficacy
} > of this protection can surely be debated, as can the degree of risk of
} > such an attack.
}
} But squid is still running as root isn't it?

Probably not. If I were setting this up in a chrooted area I would use
the chrootuid wrapper in place of the system chroot command so that the
chroot and setuid were done before squid ever started.

Alternatively you can use the internal squid config parameters to change
the uid and gid on startup.

Squid normally has no reason for requiring root privilege.

} What if someone tries to
} attack the ICP connection by shutting down the proper parent or
} sibling and starting to attack squid by exploring the possibility of a
} buffer overflow condition that might occur when squid receives an
} ICP_OP_HIT_OBJ (in icp.c I think). Normally a webserver starts as root
} but changes user to nobody. The problem about contaminating the cache is
} mentioned at the end of the ICP RFC.

Contaminated cache is a problem, but in the sense of your www service is
compromised. If there is a buffer overrun problem that needs to be
addressed since it could cause squid to crash - in which case most bets
are off - but if it has setuid-ed to something fairly harmless then the
damage is limited. Again, if it is running chrooted the damage is limited
to the chrooted area - i.e. the squid service itself, unless there is a way
of pulling yourself out of the chroot on that OS - this can be done on
some systems (SunOS) using fchroot iff you have / opened on an fd.
Combining the 2 methods (chroot and uid) should make you reasonably safe
unless of course the kernel knows different :-).

        Nigel.

-- 
[ Nigel.Metheringham@theplanet.net   - Unix Applications Engineer ]
[ *Views expressed here are personal and not supported by PLAnet* ]
[ PLAnet Online : The White House          Tel : +44 113 251 6012 ]
[ Melbourne Street, Leeds LS2 7PS UK.      Fax : +44 113 2345656  ]
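The two measures Nigel combines above (chroot the daemon, then drop to an unprivileged uid/gid before it starts) are what a chrootuid-style wrapper does. Below is an added illustration of that sequence, written for this archive page; it is not Squid's code or the chrootuid program, and the names `drop_privileges`, `drop_status` and the `/nonexistent-jail-dir` path used in the usage note are assumptions made for the example. The order of the calls is the point: chroot while still root, move the working directory inside the jail so no reference to the outer filesystem survives, then give up supplementary groups, gid and uid, and finally confirm that root cannot be regained.

```c
/* Added example (not Squid's or chrootuid's code): chroot, then drop
 * privileges, in the order that makes each step irreversible. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_status {
    DROP_OK = 0,
    DROP_ERR_ROOT_TARGET,      /* refused: asked to "drop" to uid or gid 0 */
    DROP_ERR_CHROOT,           /* chroot(2) failed (not root, or dir missing) */
    DROP_ERR_CHDIR,            /* could not move cwd inside the new root */
    DROP_ERR_SETGROUPS,
    DROP_ERR_SETGID,
    DROP_ERR_SETUID,
    DROP_ERR_STILL_PRIVILEGED  /* identity change did not stick */
};

const char *drop_status_str(enum drop_status s)
{
    switch (s) {
    case DROP_OK:                   return "ok";
    case DROP_ERR_ROOT_TARGET:      return "target uid/gid must not be 0";
    case DROP_ERR_CHROOT:           return "chroot failed";
    case DROP_ERR_CHDIR:            return "chdir(\"/\") failed";
    case DROP_ERR_SETGROUPS:        return "setgroups failed";
    case DROP_ERR_SETGID:           return "setgid failed";
    case DROP_ERR_SETUID:           return "setuid failed";
    case DROP_ERR_STILL_PRIVILEGED: return "still privileged after setuid";
    }
    return "unknown";
}

/* Caller must close any inherited descriptors that refer to directories
 * outside the jail before calling this: an open fd on the old root is
 * exactly the handle the mail warns about. */
enum drop_status drop_privileges(const char *newroot, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return DROP_ERR_ROOT_TARGET;
    if (chroot(newroot) != 0)          /* needs root; must come first */
        return DROP_ERR_CHROOT;
    if (chdir("/") != 0)               /* cwd now inside the jail */
        return DROP_ERR_CHDIR;
    if (setgroups(0, NULL) != 0)       /* shed supplementary groups */
        return DROP_ERR_SETGROUPS;
    if (setgid(gid) != 0)              /* gid before uid, or setgid fails */
        return DROP_ERR_SETGID;
    if (setuid(uid) != 0)
        return DROP_ERR_SETUID;
    /* If we can still become root, the drop was not real. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid)
        return DROP_ERR_STILL_PRIVILEGED;
    return DROP_OK;
}

/* Usage: ./wrapper <jaildir> <uid> <gid> <program> [args...]
 * Runs <program> (a path inside the jail) with the reduced identity. */
int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s <jaildir> <uid> <gid> <program> [args...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    enum drop_status st = drop_privileges(argv[1], uid, gid);
    if (st != DROP_OK) {
        fprintf(stderr, "%s: %s (%s)\n", argv[0], drop_status_str(st), strerror(errno));
        return 1;
    }
    execv(argv[4], &argv[4]);
    perror("execv");
    return 1;
}
```

Run as root with a populated jail directory, the wrapper execs the daemon already confined and unprivileged, so the daemon never has to be trusted to do its own `setuid`. Run as an ordinary user, or against a missing directory such as `/nonexistent-jail-dir`, it stops at the `chroot` step and reports that, rather than continuing with a half-applied sandbox.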
Received on Thu Dec 12 1996 - 03:06:29 MST