Re: chrooting squid..

From: Jonathan Larmour <>
Date: Mon, 16 Dec 1996 14:09:29 +0000

At 14:03 12/12/96 GMT, John Saunders wrote:
>Squid doesn't run normally as root. It changes to a less trusted user
>for most functions. But it keeps the saved uid of root so that it can
>change back for short periods of time to do things that need root access.
>While this isn't perfect, it's a whole lot better than running as root
>for the duration. It at least need root access to bind to port 80, so I
>doubt it would be possible to use some chrootuid wrapper without major
>changes to get bound to port 80 before squid starts. I don't know what
>squid uses root for now, in 1.0.x it used it for getting passwords. With
>proper permissions it should (in theory) be able to entirely drop root
>once it has bound to port 80.

Well, what you could easily do is run a small program like the fwtk's
plug-gw on port 80, probably in daemon mode, which will then accept
connections and pass them on to squid on the normal unprivileged port 3128.
You only need port 80 in httpd accelerator mode too, so don't use it for
squid if you don't!

Personally, I made squid setuid "squid" and setgid "daemon", and then
allowed only read access for group "daemon" to /usr/local/squid (thus
preventing "normal" users running squid). I made sure the squid.conf also
tries to change to user squid, and then the setuid won't fail. With other
files, (/dev/null, resolv.conf, shared libs, etc.), and some booby traps coz
I'm like that :-), I can chroot squid without difficulty.

Oh, if you can hack squid, and get it to do something as root, you are in
trouble. Getting root in squid if squid was started as root is easy if we
find an appropriate bug e.g. a stack smash, even when not as root, that
calls the "enter_suid()" function, and then some nasty code.

The next step could be calling the mknod() lib call. From there a hacker has
access to all your disks. The only solution is hardening your kernel by hand
to stop this. You may also want to ensure that your chroot program does a
chdir() to the new root, otherwise there's no guarantee you have left the
current directory. Also you may want to prevent root doing a
mount()/umount() from within a chroot'ed directory.

If you don't have source code for your OS, you're stuffed :-). I've done it
in Linux, if anyone wants to know how.

I have hardened my kernel, _and_ made squid setuid a non-priveleged user
_and_ chroot'ed it. You can never be too paranoid :-).

Jonathan L.
Origin UK,323 Cambridge Science Park,Cambridge,England. Tel: +44(1223)423355
------[ Do not think that every sad-eyed woman has loved and lost... ]------
----------------------[ she may have got him. -Anon ]-----------------------
Help fight spam! These opinions are all my own fault
Received on Mon Dec 16 1996 - 06:19:35 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:33:54 MST