Re: ACCESS.LOG:13

From: Henrik Nordstrom <[email protected]>
Date: Sun, 20 Jun 1999 16:29:20 +0000

Reuben Farrelly wrote:

> You will also need to look in your squid.conf file for the entries for
> cache_effective_user and cache_effective_group and ensure that these
> settings, your cache, and the binary are all the same.

Only the cache and log directories should be owned by this user. The
binaries and configuration files should be owned by an administrative
user (like root).

The squid user (cache_effective_user/group) needs to have execute
permission on binaries and all Squid directories and parent directories.
It also requires read permission to all files in squid/etc/.

My recommendations:

1. Create a squid daemon user and group. (the squid user should be
blocked from logins, like any other daemon user)
2. Change permissions to give the squid user write access only to the
cache and log directories
3. Tighten the permissions so that non-squid users do not have access to
anything other than the bin directory. Configuration and cache may contain
sensitive information like passwords, and most sites consider the logs
sensitive.

mkdir /usr/local/squid/cache /usr/local/squid/logs
chown -R root /usr/local/squid/.                 # everything owned by root ...
chgrp -R squid /usr/local/squid/.                # ... and the squid group
chmod -R go= /usr/local/squid/.                  # drop all group/other bits
chmod -R ug+r /usr/local/squid/.                 # root and group squid may read
chmod 755 /usr/local/squid/. /usr/local/squid/bin/. \
    /usr/local/squid/bin/*                       # prefix, bin/ and binaries are public
chown -R squid /usr/local/squid/cache/. /usr/local/squid/logs/.   # only these are writable by squid
find /usr/local/squid/. -type d -print | xargs chmod ug+rx        # directories must be traversable
chmod o+x /usr/local                             # the parent must be traversable too

After this /usr/local/squid should look like this:

[root@henrik squid]# ls -ld . *
drwxr-xr-x 6 root squid 1024 Jun 19 19:35 .
drwxr-xr-x 2 root squid 1024 Jun 7 20:51 bin
drwxr-x--- 6 squid squid 1024 Jun 20 17:42 cache
drwxr-x--- 4 root squid 1024 Jun 20 16:42 etc
drwxr-x--- 2 squid squid 1024 Jun 20 17:42 logs

4. Add yourself to the squid group to have read access to configuration
and other Squid files if needed.

(the above list of commands makes close to no assumptions about the current
state of permissions on your Squid directories, hence the length of the
list).

--
Henrik Nordstrom
Spare time Squid hacker
Received on Sun Jun 20 1999 - 10:33:39 MDT
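The layout Henrik recommends above, as an added example that is not part of his post: a script that applies the same ownership and mode steps to a Squid prefix and then verifies the result (prefix and bin/ world-traversable, etc/, cache/ and logs/ closed to "other", cache/ and logs/ owned by the daemon user, nothing under those three readable by everyone). The prefix, the administrative owner and the daemon user/group are parameters so the script can be dry-run by an unprivileged user in a scratch directory; the post uses /usr/local/squid, root and squid. Two details are my own choices, not the post's: the four-subdirectory layout (bin/ etc/ cache/ logs/, as in the ls output) is created if missing, and the `chmod 755 bin/*` step is done with find so an empty bin/ does not abort the run.

```shell
#!/bin/sh
# Added example, not from the original post. Applies and verifies the
# ownership/permission layout described in the message.
#
# Assumptions (mine, not the post's):
#  - PREFIX contains bin/ etc/ cache/ logs/ (created if absent)
#  - ADMIN, DAEMON_USER and DAEMON_GROUP are passed in (post: root, squid, squid);
#    names or numeric ids both work with chown/chgrp
#  - check_squid_perms compares the numeric owner (ls -n) against DAEMON_UID

# apply_squid_perms PREFIX ADMIN DAEMON_USER DAEMON_GROUP
apply_squid_perms() {
    prefix=$1; admin=$2; duser=$3; dgroup=$4
    mkdir -p "$prefix/bin" "$prefix/etc" "$prefix/cache" "$prefix/logs"
    chown -R "$admin"  "$prefix/."                   # everything owned by the admin user ...
    chgrp -R "$dgroup" "$prefix/."                   # ... and the squid group
    chmod -R go= "$prefix/."                         # drop all group/other bits
    chmod -R ug+r "$prefix/."                        # admin and squid group may read
    chmod 755 "$prefix/." "$prefix/bin/."            # prefix and bin/ are public
    find "$prefix/bin" -type f -exec chmod 755 {} +  # binaries are world-executable
    chown -R "$duser" "$prefix/cache/." "$prefix/logs/."   # only these are writable by squid
    find "$prefix/." -type d -exec chmod ug+rx {} +  # directories must be traversable
    chmod o+x "$(dirname "$prefix")"                 # the parent must be traversable too
}

# mode_of PATH -> the ten-character type+mode column of ls, e.g. drwxr-x---
mode_of() { ls -ld "$1" | cut -c1-10; }

# uid_of PATH -> numeric owner of PATH
uid_of() { ls -ldn "$1" | awk '{print $3}'; }

# check_squid_perms PREFIX DAEMON_UID -> 0 if the layout matches the post, 1 otherwise
check_squid_perms() {
    prefix=$1; duid=$2
    for d in "$prefix" "$prefix/bin"; do
        [ "$(mode_of "$d")" = "drwxr-xr-x" ] || { echo "expected drwxr-xr-x on $d"; return 1; }
    done
    for d in etc cache logs; do
        [ "$(mode_of "$prefix/$d")" = "drwxr-x---" ] \
            || { echo "expected drwxr-x--- on $prefix/$d"; return 1; }
    done
    for d in cache logs; do
        [ "$(uid_of "$prefix/$d")" = "$duid" ] \
            || { echo "$prefix/$d is not owned by uid $duid"; return 1; }
    done
    # config, cache and logs may hold passwords and client data: nothing there
    # may carry the other-read bit (-perm -004)
    bad=$(find "$prefix/etc" "$prefix/cache" "$prefix/logs" -perm -004 -print | head -n 1)
    [ -z "$bad" ] || { echo "world-readable: $bad"; return 1; }
    return 0
}

# Usage (as root, for a real install):
#   sh squid-perms.sh /usr/local/squid root squid squid
if [ "$#" -eq 4 ]; then
    apply_squid_perms "$@"
    check_squid_perms "$1" "$(id -u "$3")"
fi
```

Run once as root after installing Squid; run the check again after upgrades or after editing squid.conf as a different user, since a file created in etc/ by someone with umask 022 comes back world-readable and the check will name it.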

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:46:56 MST