I was able to leave the squid.conf and executable on my regular volume
and use the squid chroot directive to chroot squid (thanks to help from
this forum). I did notice that the mime.conf files will need to be on
the chroot volume, but you should be able to leave the squid.conf and
executable off the chroot volume.
Joe Cooper wrote:
> Boniforti Flavio wrote:
>
>> Hello all!
>> I noticed that there's the option to "chroot" my squid.
>> Now, which benefits could I get from this configuration?
>> What should I be doing/configuring for getting "chroot" to work in squid?
>>
>> Thank you all again...
>
>
> chrooting Squid gives the same benefits as chrooting any service, namely
> that if an exploit is discovered in Squid and your Squid gets exploited,
> the attacker only has access to the contents of the chroot environment.
> This minimizes the damage an attacker can do to your system, and the
> data they can get access to.
>
> You'll need a mini-system directory where Squid will live. It will
> include Squid's log directory, the cache partitions, and the
> configuration file. It will also need to include all of the helper
> programs that you use, and it might need any shared libraries and system
> configuration files (like resolv.conf) that Squid relies on (it could
> be that shared libraries are pulled in before Squid chroots, and so they
> might not be needed--Henrik wrote the chroot code I think, or at least
> maintains it now, maybe he'll chime in with clarification).
>
> Squid is historically among the more secure network server daemons
> (thank everyone's favorite developers for that), with only a few rapidly
> corrected exploitable conditions in recent memory, so the feature
> doesn't get much discussion. But it is a worthwhile process if your
> server provides other services or contains data that you take seriously.
> On a dedicated caching machine, it may be an unnecessary hassle.
>
-- 
Rick G. Kilgore
State of Colorado Department of Revenue IT/CSTARS (DDP/CCR/RWOC)
E-Mail: rgk@valhall4.dor.state.co.us
Phone: (303) 205-5659 Fax: (303) 205-5715
Received on Tue Aug 31 2004 - 06:27:33 MDT
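A script that checks a prospective chroot tree against the inventory the thread gives (mime.conf from Rick's note; resolv.conf, log and cache directories, helper programs and their shared libraries from Joe's reply). This is an added example, not code from the thread or from the Squid project; the paths etc/squid, var/log/squid, var/cache/squid and the helper name ncsa_auth used in the usage line are assumptions to adjust to your own layout.

```shell
#!/bin/sh
# check_squid_chroot ROOT [HELPER ...]
# Walks a prospective Squid chroot tree and reports what the thread says must
# live inside it: mime.conf, resolv.conf, the log and cache directories, every
# helper program Squid execs, and the shared libraries those helpers load.
# squid.conf and the squid binary are read before the chroot, so they are not
# checked. The locations below (etc/squid, var/log/squid, var/cache/squid) are
# assumptions, not Squid defaults; change them to match your build.
check_squid_chroot() {
    root=$1
    shift
    missing=0
    for p in etc/squid/mime.conf etc/resolv.conf var/log/squid var/cache/squid; do
        if [ ! -e "$root/$p" ]; then
            echo "MISSING: $root/$p"
            missing=$((missing + 1))
        fi
    done
    # Helpers are started after Squid has chrooted, so both the helper and the
    # libraries its dynamic loader needs must be present under $root.
    for h in "$@"; do
        if [ ! -x "$root/$h" ]; then
            echo "MISSING helper: $root/$h"
            missing=$((missing + 1))
            continue
        fi
        # ldd prints "libfoo.so => /path/libfoo.so (0x...)" and, for the
        # loader itself, "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep the paths.
        # A non-dynamic helper (e.g. a shell script) yields no lines.
        for lib in $(ldd "$root/$h" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }'); do
            if [ ! -e "$root$lib" ]; then
                echo "MISSING library for $h: $root$lib"
                missing=$((missing + 1))
            fi
        done
    done
    if [ "$missing" -eq 0 ]; then
        echo "OK: $root looks complete"
        return 0
    fi
    echo "$missing item(s) missing under $root"
    return 1
}

# Run directly, e.g.: sh check_squid_chroot.sh /srv/squid-chroot usr/lib/squid/ncsa_auth
if [ $# -gt 0 ]; then
    check_squid_chroot "$@"
fi
```

Helper paths are given relative to the chroot root, exactly as Squid will see them after the chroot directive takes effect.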
This archive was generated by hypermail pre-2.1.9 : Wed Sep 01 2004 - 12:00:03 MDT