Hi All
It's occurred to me that it's difficult to set Squid up in a way
that allows someone to edit the squid.conf without giving them root.
Let's say that I admin a machine. I have root, but I want someone
else to be able to change (say) refresh patterns. To let them
do this, however, I need to give them permission to edit the
squid.conf, and once they have this permission they can probably
gain root access.
Consider the following squid.conf option. Try starting Squid as root
and see what happens (this is similar to the Sendmail problem a
while ago...)
acl temp time "/etc/shadow"
Things would be a lot safer if Squid got its effective_user and
effective_group from the command line. Squid would change uid
immediately (before even reading the config files and acls.)
This is a fairly major change from the admin's point of view,
since if they upgrade to the new squid then they have to change
their startup scripts.
Even with this change they can still be malicious, but I don't think
that there is as big a problem. If they add a redirector that does
things as the "squid" or "nobody" users, at least it's not going
to get them root.
Perhaps a warning at the top of the squid.conf would suffice.
Oskar
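Until Squid drops privileges before parsing, the admin who delegates squid.conf can at least audit each edit before reloading. The script below is an added example written for this archive page, not code from the post or from the Squid project. It scans acl lines for quoted arguments, which Squid treats as files to read, and flags any that resolve outside an allowlisted directory. The directory /etc/squid/, the regexes and the sample config are assumptions constructed for the example; the squid.conf line from the post is included in the sample so the check flags it.

```python
import os
import re

# Assumption: a delegated editor may only reference files under this
# directory. Adjust to the local layout before using this as a check.
ALLOWED_DIRS = ("/etc/squid/",)

# "acl NAME TYPE ARGS..." ; a quoted ARG tells Squid to read values from a file.
ACL_RE = re.compile(r'^\s*acl\s+(\S+)\s+(\S+)\s+(.*)$')
QUOTED_RE = re.compile(r'"([^"]+)"')


def file_refs_in_acl(line):
    """Return (acl_name, acl_type, path) for every quoted file argument on an acl line."""
    m = ACL_RE.match(line)
    if not m:
        return []
    name, acl_type, rest = m.groups()
    return [(name, acl_type, path) for path in QUOTED_RE.findall(rest)]


def path_allowed(path):
    """True if the path, after collapsing '..' and '.', stays inside an allowed directory."""
    norm = os.path.normpath(path)
    return any(norm.startswith(d) for d in ALLOWED_DIRS)


def audit_config(text):
    """Scan a squid.conf body and return (line_no, acl_name, acl_type, path)
    for every file-backed acl argument that points outside ALLOWED_DIRS."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        # Drop trailing comments; a '#' inside a quoted path would be cut too,
        # which errs on the side of flagging rather than missing a reference.
        code = line.split("#", 1)[0]
        for name, acl_type, path in file_refs_in_acl(code):
            if not path_allowed(path):
                findings.append((line_no, name, acl_type, path))
    return findings


# Constructed sample config: two legitimate lines, the line from the post,
# and a traversal attempt that normalises to a file outside /etc/squid/.
SAMPLE_CONF = """# constructed squid.conf fragment for the example
acl localnet src 10.0.0.0/8
acl blocked dstdomain "/etc/squid/blocked.txt"
acl temp time "/etc/shadow"
acl sneaky url_regex "/etc/squid/../passwd"
"""

if __name__ == "__main__":
    for line_no, name, acl_type, path in audit_config(SAMPLE_CONF):
        print(f"line {line_no}: acl {name} ({acl_type}) reads {path} outside {ALLOWED_DIRS}")
```

Run it over the candidate squid.conf before the reload step in the admin's change procedure; a non-empty result means a delegated editor has pointed Squid, still running as root at parse time, at a file they could not read themselves.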
Received on Tue Jul 29 2003 - 13:15:58 MDT