} We are running squid on our firewall systems, and
} we have a policy of running proxy programs under a chroot whenever
} possible in hopes of protecting ourselves against abuse of possible
} bugs in the proxy software (whether it be squid or anything else). I
} believe this is fairly common firewall practice, though the efficacy
} of this protection can surely be debated, as can the degree of risk of
} such an attack.
I wondered about doing this on our systems and decided against it for now
due to problems with allocation of disk space....
I have the executables on a (potentially) read-only partition.
Manoevering the cache space into a position where I can chroot the whole
lot seemed like more trouble than it was worth.... [I don't have loopback
mounts available]
A compromise where squid starts running, reads the config, opens its log
files, forks off the children (which chroot themselves) and then chroots
would be useful - less secure than the big chroot solution, but with
better security that we would otherwise have. However with this setup a
few things would not work quite as expected - basically the responses to
many of the signals.
Nigel.
-- [ Nigel.Metheringham@theplanet.net - Unix Applications Engineer ] [ *Views expressed here are personal and not supported by PLAnet* ] [ PLAnet Online : The White House Tel : +44 113 251 6012 ] [ Melbourne Street, Leeds LS2 7PS UK. Fax : +44 113 2345656 ]Received on Thu Dec 12 1996 - 01:52:24 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:33:52 MST