[squid-users] Running Squid fully as root

Amos Jeffries squid3 at treenet.co.nz
Sun Oct 7 23:11:20 UTC 2018


On 8/10/18 7:09 AM, reinerotto wrote:
> At least, I have a good reason: Running squid on openwrt, where usually all
> processes are root.

That does not sound right to me. OpenWRT is a Linux-based operating
system. The security model in Linux systems is to *not* run processes as
root user unless absolutely necessary.

The Squid master process is started *by* root because it must be
assigned some SUID privileges to special network sockets and to
sub-assign regular privileges to the worker and helper processes that do
the actual networking I/O stuff.


> And external acl-helpers will not work, when started as nobody and trying to
> run other processes.
> Any answer to the original question?
> 

The Squid worker and helper processes handle raw I/O from remote network
locations which cannot be trusted. It is extremely unsafe to run any
process handling such I/O with root level privileges.

Helpers do not have to be started as "nobody". They can be run as any
low-privilege account. "root" account is not low-privilege enough.

So the simple answer to your question is "no". But your problem may not
be what you think it is. Is there anything you can provide about any
error you are seeing when starting Squid?


Amos
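
Added example, not part of the original message and not Squid's own code: a minimal C sketch of the pattern described above, where a process started by root permanently switches to a low-privilege account before it handles untrusted I/O. The function name drop_privileges and the uid/gid 65534 ("nobody") are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch the calling process to an unprivileged account.
 * Returns 0 on success, -1 on failure (errno set). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* "root" is not a low-privilege account: refuse it as a target. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (geteuid() != 0) {
        /* Not started by root: nothing to drop, just confirm identity. */
        if (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid)
            return 0;
        errno = EPERM;
        return -1;
    }
    /* Order matters: groups and gid must change while we are still root. */
    if (setgroups(1, &gid) != 0) return -1;   /* drop root's supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;          /* real, effective and saved uid */
    /* Verify the drop is irreversible before touching untrusted input. */
    if (setuid(0) == 0 || geteuid() == 0 || getegid() == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Assumption: 65534 is the "nobody" uid/gid on this system. */
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("handling I/O as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```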

