RE: How to launch squid

From: Larmour, Jonathan <Jonathan.Larmour@dont-contact.us>
Date: Thu, 9 Oct 1997 15:36:45 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From: adb@geac.com
Sent: 09 October 1997 14:58
To: squid-users@nlanr.net
Subject: Re: How to launch squid

I've been playing with a RunCache-replacement I wrote that puts squid in
a chroot-jail in /usr/local/squid and starts squid itself as the
unprivileged squid user rather than as root; various bits of operating
system need to get copied to places like /usr/local/squid/etc and
/usr/local/squid/lib and it gets a bit hairy and system-dependent. It's
not allowed to modify its own binaries or config files in the bin and etc
subdirectories. IMHO this is the way to go if you might be thinking
about running squid as a firewall proxy.

If you are interested, I have already done this for Linux 2.0.30.
Details available if anyone wants! Also be warned that chrooting in
itself is not sufficient to guarantee security. e.g. if hacked, the
hacker can call mknod() to provide access to any device on the system
- most relevantly, hard disks. Similarly you can mount() /proc in a
chrooted area, and have access to all memory as well!

Also note that the chroot command as supplied does not change
directory to one inside the chrooted area, so depending where you ran
it, you can still access any file in that directory. The secure
solution is to either ensure you always do a cd after the chroot, or
it is probably safer to change the directory in the kernel after a
chroot.

I patched my kernel to prevent mounting, unmounting, mknod's,
accessing the cwd after a chroot, and changing IP firewall/forwarding
rules from within a chrooted area. The mods are very simple, and I'll
provide them if anyone wants, but be warned it's not strictly correct
Unix (not that anything _should_ mind).

Jonathan L.
Origin, 323 Cambridge Science Park,Cambridge,UK. Tel:+44 (1223) 423355
 ---[ It is impossible to enjoy idling thoroughly unless one has ]---
 ------------[ plenty of work to do - Jerome K. Jerome ]-------------
Fight spam! http://spam.abuse.ne
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNDzq2YYLUv2rigzBEQKy2ACfVLsG2we7N4Psr/Pbg5bsaygTsI4AoN6/
9F8Qz8V/KuhG9pqLWD3yUM8Z
=+JFP
-----END PGP SIGNATURE-----
Received on Thu Oct 09 1997 - 07:40:02 MDT
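
A userspace version of the precautions discussed in this message, added here as an example and not code from either poster: change directory before and after chroot() so no working directory is left outside the jail, then drop root permanently, since mknod() of device nodes and mount() need root. The function names, the audit helper and the command-line arguments are assumptions for illustration; Linux with glibc is assumed.

```c
/* Added example (Linux, glibc assumed). Function names are hypothetical. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes chroot() and setgroups() */
#endif
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the cwd is not below the process root (the stale-cwd case),
 * 0 if it is inside the root, -1 on error. */
int cwd_outside_root(void) {
    struct stat root, cur, up;
    char path[PATH_MAX] = ".";
    if (stat("/", &root) != 0 || stat(".", &cur) != 0) return -1;
    for (;;) {
        if (cur.st_dev == root.st_dev && cur.st_ino == root.st_ino) return 0;
        if (strlen(path) + 4 > sizeof path) return -1;
        strcat(path, "/..");
        if (stat(path, &up) != 0) return -1;
        /* ".." pointing at itself means we passed the real root unseen */
        if (up.st_dev == cur.st_dev && up.st_ino == cur.st_ino) return 1;
        cur = up;
    }
}

/* Enter the jail and give up root for good; 0 on success, -1 on failure. */
int enter_jail(const char *dir, uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -1;       /* staying root defeats the jail */
    if (chdir(dir) != 0 || chroot(".") != 0) return -1;
    if (chdir("/") != 0) return -1;            /* no cwd left outside the jail */
    if (setgroups(0, NULL) != 0) return -1;    /* shed root's supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;  /* gid first, then uid */
    if (setuid(0) == 0) return -1;             /* root must not be recoverable */
    return cwd_outside_root() == 0 ? 0 : -1;
}

int main(int argc, char **argv) {
    /* usage (as root): ./jail DIR UID GID; values are the caller's own */
    if (argc != 4) { fprintf(stderr, "usage: %s DIR UID GID\n", argv[0]); return 2; }
    if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        perror("enter_jail");
        return 1;
    }
    printf("jailed: uid=%d, cwd inside root\n", (int)getuid());
    return 0;
}
```

cwd_outside_root() can also be called on its own in a service that was started through the chroot command, to detect a working directory that was left outside the new root.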

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:16 MST