23.07.2016 2:04, Antony Stone wrote:
> On Friday 22 July 2016 at 21:53:31, Yuri Voinov wrote:
>
>> The simplest way I see is:
>>
>> - Write your own custom squid's startup script (with bash/any shell you
>> want).
>>
>> - This script will decrypt squid.conf before any
>> startup/shutdown/reconfigure operation then encrypt config again.
>>
>> - Therefore squid.conf will be stored encrypted most of the time on fs.
>
> How does this help?

Yes, this is an idiotic idea :)

> A root-privileged user can see the decryption process and run it for
> themselves, thus getting the plain text.
>
> A non-root-privileged user cannot read an unencrypted squid.conf if it is
> chmod 600 and owned by user squid.
>
> Therefore making squid.conf owned by the squid user (who has no login shell)
> and readable only by that user, as recommended by several people so far, is a
> far simpler and very effective solution.
>
>
> If you do not trust people with root access to your machine:
>
> a) you have lost control

Root must be only one (c) :) As I've said.

> b) you shouldn't allow them root access
>
> c) you probably have more important things to worry about than your Squid
> configuration file.
>
>
> Antony.
>

BTW, what secrets can be in squid.conf? :) ACLs? Just interesting. Custom binary code is another thing, but config(s)?! Hmmmmmmmmmm........

Wrong something in the state of Denmark .....
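The ownership and mode setup recommended in the quoted reply (squid.conf owned by the squid user, chmod 600, no login shell for that account) can be checked with a short audit script. This is an added example, not part of the original thread; the function names, the path and account passed as arguments, and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example: audit the file permissions recommended in the thread.
# Function names and arguments are illustrative; requires GNU stat (-c).

# Succeeds when FILE grants no access to group or other (0600 or stricter).
conf_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Succeeds when FILE is owned by USER.
conf_owner_ok() {
    [ "$(stat -c '%U' "$1")" = "$2" ]
}

# Succeeds when USER's shell field in PASSWD_FILE is nologin or false.
# A missing user or an empty shell field counts as a failure.
login_shell_disabled() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "${2:-/etc/passwd}")
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_squid_conf FILE USER [PASSWD_FILE]
# Prints one line per finding; returns 0 only when every check passes.
audit_squid_conf() {
    fail=0
    conf_owner_ok "$1" "$2" || { echo "FAIL: $1 is not owned by $2"; fail=1; }
    conf_mode_ok "$1" || { echo "FAIL: $1 is accessible to group/other"; fail=1; }
    login_shell_disabled "$2" "$3" ||
        { echo "FAIL: $2 has no nologin/false shell entry"; fail=1; }
    [ "$fail" -eq 0 ] && echo "OK: $1"
    return "$fail"
}

# Run the audit when called with arguments: FILE USER [PASSWD_FILE]
if [ "$#" -gt 0 ]; then
    audit_squid_conf "$@"
fi
```

As the thread points out, these checks only constrain non-root users; anyone with root can read the file regardless.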