On Thu, 13 Nov 1997, P. Paprok wrote:
> $ cd /usr/local/squid
> $ bin/squid -z
> 97/11/13 16:40:27| Creating Swap Directories
> FATAL: Failed to make swap directory /usr/local/squid/cache:
> (13) Permission denied
> Squid Cache (Version 1.1.18): Terminated abnormally.
> CPU Usage: user 0 sys 0
> Maximum Resident Size: 6640 KB
> Page faults with physical i/o: 0
>
> I believe that the permissions were set properly (as squid wants)
> during make install. Now I should change some permissions,
> but I would like not to create some security mistake.
You need to be sure that cache_effective_user is set to whatever you want
to run squid as. Then do a `chown -R <cache_effective_user> <cachedir>/*`
and maybe a chgrp too. Squid needs to have read/write permission for the
cache directory and everything beneath it, as well as read/write for its
logs and its PID file if you are using that.
> - what should I do to create the cache properly without creating
> some security hole? Some chmod, chown, ...?
There was discussion about this on the list a while back. Some people
mentioned running Squid in some kind of wrapper (can't remember what it
was called... chroot?). Make sure to leave the ACLs in the config file
that tell squid which ports to use and which are dangerous. Other than
that Squid seems to be pretty secure -- at least I haven't had any problems
with it (cross fingers :-).
> As root I cannot run squid, and of course I get:
> # bin/squid -z
> 97/11/13 16:41:38| Squid is not safe to run as root! If you must
> 97/11/13 16:41:38| start Squid as root, then you must configure
> 97/11/13 16:41:38| it to run as a non-priveledged user with the
> 97/11/13 16:41:38| 'cache_effective_user' option in the config file.
> FATAL: Don't run Squid as root, set 'cache_effective_user'!
> Squid Cache (Version 1.1.18): Terminated abnormally.
> CPU Usage: user 0 sys 0
> Maximum Resident Size: 6608 KB
> Page faults with physical i/o: 0
You need to run Squid with a non-root cache_effective_user. This was added
sometime around 1.1.8 or so (a LONG time ago ;-) for security reasons.
-Bill
Received on Thu Nov 13 1997 - 09:30:56 MST
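The ownership fix Bill describes, worked through as an added shell example that is not part of the original thread: it reads cache_effective_user (and group) out of squid.conf, audits which entries under the cache and log directories are not owned by that user, and only then chowns exactly those paths. All directory and file paths are assumptions, and the find-based audit is mine, not Squid's.

```shell
#!/bin/sh
# Added example, not from the original thread: audit and fix the ownership
# of the paths Squid must write (cache dir, logs, PID file) for the
# cache_effective_user in squid.conf. All paths below are assumptions.

# Print a directive's Nth field from squid.conf, or a default if absent.
# Lines beginning with '#' never match because $1 is then "#...".
conf_field() {
    # $1 = squid.conf, $2 = directive name, $3 = field number, $4 = default
    awk -v key="$2" -v n="$3" -v def="$4" \
        '$1 == key && NF >= n { print $n; found = 1; exit }
         END { if (!found) print def }' "$1"
}

# Squid 1.1 writes "cache_effective_user user [group]"; later releases use a
# separate cache_effective_group line. Accept either. Squid's own default
# is nobody/nogroup.
squid_effective_user()  { conf_field "$1" cache_effective_user 2 nobody; }
squid_effective_group() {
    g=$(conf_field "$1" cache_effective_user 3 "")
    [ -n "$g" ] || g=$(conf_field "$1" cache_effective_group 2 nogroup)
    printf '%s\n' "$g"
}

# Return 0 if every entry under $2 is owned by user $1 (name or numeric
# uid), else print the offenders and return 1. Read-only: safe to run
# unprivileged before deciding what to chown.
check_owned_by() {
    [ -d "$2" ] || return 1
    bad=$(find "$2" ! -user "$1" -print 2>/dev/null)
    [ -z "$bad" ] && return 0
    printf 'not owned by %s:\n%s\n' "$1" "$bad" >&2
    return 1
}

# As root: hand exactly the cache dir, log dir and PID file to the
# effective user/group, nothing else, then re-audit. Mode 750 keeps other
# local users out of the cache contents and logs.
fix_squid_perms() {
    conf="$1"; cachedir="$2"; logdir="$3"; pidfile="$4"
    user=$(squid_effective_user "$conf")
    group=$(squid_effective_group "$conf")
    chown -R "$user:$group" "$cachedir" "$logdir"
    chmod 750 "$cachedir" "$logdir"
    if [ -e "$pidfile" ]; then chown "$user:$group" "$pidfile"; fi
    check_owned_by "$user" "$cachedir" && check_owned_by "$user" "$logdir"
}
# Usage (as root): fix_squid_perms /usr/local/squid/etc/squid.conf \
#   /usr/local/squid/cache /usr/local/squid/logs /usr/local/squid/logs/squid.pid
```

Run check_owned_by first as an ordinary user to see what would change; `bin/squid -z` then succeeds once the cache tree belongs to the effective user.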