[squid-users] protect squid.conf file
Antony Stone
Antony.Stone at squid.open.source.it
Fri Jul 22 20:04:59 UTC 2016
On Friday 22 July 2016 at 21:53:31, Yuri Voinov wrote:
> The simplest way I see is:
>
> - Write you own custom squid's startup script (with bash/any shell you
> want).
>
> - This script will decrypt squid.conf before any
> startup/shutdown/reconfigure operation then encrypt config again.
>
> - Therefore squid.conf will stored encrypted most time on fs.
How does this help?
A root-privileged user can see the decryption process and run it for
themselves, thus getting the plain text.
A non-root-privileged user cannot read an unencrypted squid.conf if it is
chmod 600 and owned by user squid.
Therefore making squid.conf owned by the squid user (who has no login shell)
and readable only by that user, as recommended by several people so far, is a
far simpler and very effective solution.
If you do not trust people with root access to your machine:
a) you have lost control
b) you shouldn't allow them root access
c) you probably have more important things to worry about than your Squid
configuration file.
Antony.
--
"The future is already here. It's just not evenly distributed yet."
- William Gibson
Please reply to the list;
please *don't* CC me.
More information about the squid-users
mailing list