Re: [squid-users] chrooting: why and how?

From: Joe Cooper <joe@dont-contact.us>
Date: Tue, 31 Aug 2004 05:04:41 -0500

Boniforti Flavio wrote:
> Hello all!
> I noticed that there's the option to "chroot" my squid.
> Now, which benefits could I get from this configuration?
> What should I be doing/configuring for getting "chroot" to work in squid?
>
> Thank you all again...

chrooting Squid gives the same benefits as chrooting any service, namely
that if an exploit is discovered in Squid and your Squid gets exploited,
the attacker only has access to the contents of the chroot environment.
This minimizes the damage an attacker can do to your system, and the
data they can get access to.

You'll need a mini-system directory where Squid will live... It will
include Squid's log directory, the cache partitions, and the
configuration file. It will also need to include all of the helper
programs that you use, and it might need any shared libraries and system
configuration files (like resolv.conf) that Squid relies on (it could
be that shared libraries are pulled in before Squid chroots, and so they
might not be needed--Henrik wrote the chroot code I think, or at least
maintains it now, maybe he'll chime in with clarification).

Squid is historically among the more secure network server daemons
(thank everyone's favorite developers for that), with only a few rapidly
corrected exploitable conditions in recent memory, so the feature
doesn't get much discussion. But it is a worthwhile process, if your
server provides other services or contains data that you take seriously.
On a dedicated caching machine, it may be an unnecessary hassle.

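The mini-system directory described above, as an added example (not code from this thread or from the Squid project): a POSIX shell script that creates the skeleton, stages a helper binary together with the shared libraries ldd reports for it, and copies resolv.conf into the jail. The directory layout and helper paths are assumptions; the squid.conf `chroot` directive it prints is the real setting that turns the jail on.

```shell
#!/bin/sh
# Added example, not from the thread: build a minimal chroot tree for Squid.
# Directory layout and helper paths are assumptions; adapt them to your build.
set -u

# Skeleton: config (etc), logs, cache, helper programs, libraries, devices.
make_chroot_skeleton() {
    root=$1
    for d in etc var/log/squid var/cache/squid usr/lib/squid lib lib64 usr/lib dev; do
        mkdir -p "$root/$d"
    done
}
# Copy a helper binary plus every shared object ldd reports for it, keeping
# absolute paths so the dynamic loader finds them inside the jail. Run ldd only
# on binaries you trust: on some systems it works by executing the binary.
stage_helper() {
    root=$1; bin=$2
    mkdir -p "$root$(dirname "$bin")"
    cp -L "$bin" "$root$bin"
    command -v ldd >/dev/null 2>&1 || { echo "ldd missing; skipping libs" >&2; return 0; }
    # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)"; keep the paths.
    ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while IFS= read -r lib; do
        [ -e "$lib" ] || continue
        mkdir -p "$root$(dirname "$lib")"
        cp -L "$lib" "$root$lib"
    done
}
# Squid reads resolv.conf for its nameservers, so it must exist in the jail.
copy_resolv_conf() {
    root=$1
    if [ -f /etc/resolv.conf ]; then
        cp -L /etc/resolv.conf "$root/etc/resolv.conf"
    else
        echo "no /etc/resolv.conf found; DNS will fail inside the jail" >&2
    fi
}

# Assemble the jail and print the squid.conf line that activates it.
build_squid_chroot() {
    root=$1; shift
    make_chroot_skeleton "$root"
    copy_resolv_conf "$root"
    for helper in "$@"; do stage_helper "$root" "$helper"; done
    echo "add to squid.conf:  chroot $root"
}

# Usage: build_squid_chroot /srv/squid-jail /usr/lib/squid/<helper> ...
if [ "$#" -ge 1 ]; then build_squid_chroot "$@"; fi
```

Squid itself is started from outside the jail and chroots after reading its configuration, so only the helpers it spawns afterwards need to be staged inside.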
Received on Tue Aug 31 2004 - 04:05:27 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Sep 01 2004 - 12:00:03 MDT