I was able to leave the squid.conf and executable on my regular volume and use the squid chroot directive to chroot squid (thanks to help from this forum). I did notice that the mime.conf files will need to be on the chroot volume, but you should be able to leave the squid.conf and executable off the chroot volume.


Joe Cooper wrote:
Boniforti Flavio wrote:

Hello all!
I noticed that there's the option to "chroot" my squid.
Now, which benefits could I get from this configuration?
What should I be doing/configuring for getting "chroot" to work in squid?

Thank you all again...


chrooting Squid gives the same benefits as chrooting any service, namely that if an exploit is discovered in Squid and your Squid gets exploited, the attacker only has access to the contents of the chroot environment. This minimizes the damage an attacker can do to your system, and the data they can get access to.

You'll need a mini-system directory where Squid will live... It will include Squid's log directory, the cache partitions, and the configuration file. It will also need to include all of the helper programs that you use, and it might need any shared libraries and system configuration files (like resolv.conf) that Squid relies on (it could be that shared libraries are pulled in before Squid chroots, and so they might not be needed--Henrik wrote the chroot code I think, or at least maintains it now, maybe he'll chime in with clarification).

Squid is historically among the more secure network server daemons (thank everyone's favorite developers for that), with only a few rapidly corrected exploitable conditions in recent memory, so the feature doesn't get much discussion. But it is a worthwhile process, if your server provides other services or contains data that you take seriously. On a dedicated caching machine, it may be an unnecessary hassle.



--
Today is: Friday, July twenty-two, two thousand four
phrase of the day ----> como esta usted --- how are you




Rick G. Kilgore State of Colorado Department of Revenue IT/CSTARS (DDP/CCR/RWOC) E-Mail: [EMAIL PROTECTED] Phone: (303) 205-5659 Fax: (303) 205-5715
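
Added example, not part of the thread: a small shell check that the files the messages above say Squid needs (log directory, cache directory, resolv.conf, mime.conf, helpers) will still resolve once the process is chrooted. It also catches absolute symlinks that work on the host but dangle inside the jail. Every path, including the helper name, is an assumption made for illustration.

```shell
#!/bin/sh
# Added example: audit a Squid chroot tree. All paths here are assumed.

# missing_in_chroot ROOT PATH...
# Prints each PATH that would not resolve after chroot(ROOT).
# Returns 0 if everything resolves, 1 otherwise.
# Follows one level of symlink only.
missing_in_chroot() {
    root=${1%/}; shift
    rc=0
    for p in "$@"; do
        inside="$root$p"
        if [ -L "$inside" ]; then
            target=$(readlink "$inside")
            case $target in
                /*) resolved="$root$target" ;;   # absolute link is re-rooted by chroot
                *)  resolved="$(dirname "$inside")/$target" ;;
            esac
            [ -e "$resolved" ] || { echo "dangling inside chroot: $p -> $target"; rc=1; }
        elif [ ! -e "$inside" ]; then
            echo "missing: $p"; rc=1
        fi
    done
    return $rc
}

# Constructed sample jail: mime.conf is an absolute symlink whose target
# was never copied into the jail, and the helper program is absent.
make_sample_jail() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/squid" "$d/var/log/squid" "$d/var/spool/squid"
    : > "$d/etc/resolv.conf"
    ln -s /usr/share/squid/mime.conf "$d/etc/squid/mime.conf"
    echo "$d"
}

jail=$(make_sample_jail)
missing_in_chroot "$jail" /etc/resolv.conf /var/log/squid /var/spool/squid \
    /etc/squid/mime.conf /usr/lib/squid/helper || true
rm -rf "$jail"
```
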


