
Re: protect squid.conf file


 



On Friday 22 July 2016 at 21:53:31, Yuri Voinov wrote:

> The simplest way I see is:
> 
> - Write your own custom squid startup script (with bash/any shell you
> want).
> 
> - This script will decrypt squid.conf before any
> startup/shutdown/reconfigure operation then encrypt config again.
> 
> - Therefore squid.conf will be stored encrypted most of the time on fs.

How does this help?

A root-privileged user can see the decryption process and run it for 
themselves, thus getting the plain text.

A non-root-privileged user cannot read an unencrypted squid.conf if it is 
chmod 600 and owned by user squid.

Therefore making squid.conf owned by the squid user (who has no login shell) 
and readable only by that user, as recommended by several people so far, is a 
far simpler and very effective solution.


If you do not trust people with root access to your machine:

a) you have lost control

b) you shouldn't allow them root access

c) you probably have more important things to worry about than your Squid 
configuration file.


Antony.

-- 
"The future is already here.   It's just not evenly distributed yet."

 - William Gibson

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
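
The ownership and mode setup recommended in the message above can be audited with a short script. This is an added example, not part of the original post; it assumes GNU coreutils `stat` and `getent` on Linux, and the function names, the path and the account name in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit the "owned by squid, chmod 600, no login shell" setup.
# Assumes GNU stat and getent; function names are hypothetical.

# check_conf_perms FILE OWNER
# Returns 0 if FILE is owned by OWNER and has no group/other permission bits,
# 1 if either check fails (each finding is printed), 2 if FILE is missing.
check_conf_perms() {
    local file=$1 want_owner=$2 owner mode rc=0
    [ -f "$file" ] || { echo "MISSING: $file"; return 2; }
    owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER: $file is owned by $owner, expected $want_owner"
        rc=1
    fi
    # Any bit in the group/other triplets gives access beyond the owner.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "MODE: $file is $mode, group/other bits are set (want 600)"
        rc=1
    fi
    return $rc
}

# has_login_shell USER
# Returns 0 if the account can log in interactively, 1 if its shell is
# nologin/false, 2 if the account does not exist.
has_login_shell() {
    local entry shell
    entry=$(getent passwd "$1") || return 2
    shell=${entry##*:}              # last passwd field is the login shell
    case "$shell" in
        */nologin|*/false) return 1 ;;
        *) return 0 ;;              # empty field defaults to /bin/sh
    esac
}

# Usage (path and account are assumptions): ./audit.sh /etc/squid/squid.conf squid
if [ $# -eq 2 ]; then
    check_conf_perms "$1" "$2"
    if has_login_shell "$2"; then
        echo "SHELL: account $2 has a login shell"
    fi
fi
```
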



