RE: How to launch squid

From: Larmour, Jonathan <Jonathan.Larmour@dont-contact.us>
Date: Thu, 9 Oct 1997 17:05:34 +0100


From: adb@geac.com
Sent: 09 October 1997 16:51
To: squid-users@nlanr.net
Subject: Re: RE: How to launch squid

Jonathan Larmour <jonathan.larmour@uk.origin-it.com> writes:
> ... Also be warned that chrooting in
> itself is not sufficient to guarantee security. e.g. if hacked, ...

Well, it _should_ go without saying that if a cracker can gain root
inside the chroot environment on a conventional Unix system, it's
game-over.

Really? With the kernel mods I've made, and a sufficiently good
incoming _and_ outgoing packet filter, I'm not sure how you could.
One thing could be with loading kernel modules, but a secure system
probably shouldn't do this, and be monolithic instead. Or if it is
wanted, then you can do the same trick as I have already done with
other system calls.

The next two syscalls in a decent chroot wrapper are
chdir("/") to make sure you're actually inside, and setuid(nonzero)
to shed root privilege.

Absolutely, but I have heard of bugs on some platform(s) that allowed
a hacker to get root if the app was started as root, but did
setuid(), seteuid(), setresuid() or something like that. I would
prefer to be sure. Firewall maintainers must be paranoid!

Admittedly, the changes I made were not just for squid (which starts
as an unprivileged user), but for other apps, some needing to bind to
ports <1024, and so need to be root. chroot'ing "solves" the security
problem.

However, on the Squid list, we should probably stick to the specifics
of running Squid in such an environment and not go on too deep a
kernel-dive.

Agreed, hence me saying details available on request :-). However,
your wrapper looks quite useful. If Duane's still around (haven't
heard from him much recently), it would be good if he could put it in
the contrib/ directory of the squid distribution.

Jonathan L.
Origin, 323 Cambridge Science Park, Cambridge, UK. Tel: +44 (1223) 423355
 ---[ It is impossible to enjoy idling thoroughly unless one has ]---
 ------------[ plenty of work to do - Jerome K. Jerome ]-------------
Fight spam! http://spam.abuse.net/ T
Received on Thu Oct 09 1997 - 09:16:22 MDT
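
The chroot(), chdir("/"), setuid(nonzero) sequence discussed in this message, as an added example that is not the wrapper mentioned in the thread and not code from the Squid distribution. It also checks after the drop that root cannot be regained, which addresses the concern about relying on setuid() alone. The function names `enter_jail` and `drop_privileges`, the uid/gid 65534 and a Linux/glibc build are assumptions.

```c
#define _DEFAULT_SOURCE 1   /* expose chroot() and setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to an unprivileged uid/gid. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                  /* "setuid(nonzero)": never keep root */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                  /* clear root's supplementary groups */
    if (setgid(gid) != 0)           /* group first, while still privileged */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify rather than trust return codes: root must be unreachable. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid)
        return -1;
    return 0;
}

/* chroot(jail), chdir("/"), then shed root. Returns 0 on success. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (jail == NULL || uid == 0)
        return -1;                  /* validate before changing any state */
    if (chroot(jail) != 0)
        return -1;
    if (chdir("/") != 0)            /* make sure the cwd is inside the jail */
        return -1;
    return drop_privileges(uid, gid);
}

int main(int argc, char **argv)
{
    /* Constructed defaults: jail from argv[1], uid/gid 65534 ("nobody"). */
    if (argc < 3 || enter_jail(argv[1], 65534, 65534) != 0) {
        fprintf(stderr, "usage: %s JAIL PROGRAM [ARGS] (run as root)\n", argv[0]);
        return 1;
    }
    execv(argv[2], &argv[2]);       /* path is resolved inside the jail */
    perror("execv");
    return 1;
}
```

Any file descriptors left open across the chroot() still refer to objects outside the jail, so a caller should close everything it does not need before calling `enter_jail`.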