[squid-users] protect squid.conf file

Yuri Voinov yvoinov at gmail.com
Fri Jul 22 20:14:36 UTC 2016




23.07.2016 2:04, Antony Stone wrote:
> On Friday 22 July 2016 at 21:53:31, Yuri Voinov wrote:
>
>> The simplest way I see is:
>>
>> - Write your own custom squid startup script (with bash/any shell you
>> want).
>>
>> - This script will decrypt squid.conf before any
>> startup/shutdown/reconfigure operation then encrypt config again.
>>
>> - Therefore squid.conf will be stored encrypted most of the time on the fs.
>
> How does this help?
Yes, this is an idiotic idea :)
>
>
> A root-privileged user can see the decryption process and run it for
> themselves, thus getting the plain text.
>
> A non-root-privileged user cannot read an unencrypted squid.conf if it is
> chmod 600 and owned by user squid.
>
> Therefore making squid.conf owned by the squid user (who has no login shell)
> and readable only by that user, as recommended by several people so far, is a
> far simpler and very effective solution.
>
>
> If you do not trust people with root access to your machine:
>
> a) you have lost control
Root must be only one (c) :) As I've said.
>
>
> b) you shouldn't allow them root access
>
> c) you probably have more important things to worry about than your Squid
> configuration file.
>
>
> Antony.
>
BTW, what secrets can be in squid.conf? :) ACLs? Just interesting.
Custom binary code is another thing, but config(s)?! Hmmmmmmmmmm........
Wrong something in the state of Denmark .....

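The file-permission approach Antony describes (squid.conf owned by the squid service user, mode 0600, and that user having no login shell), as an added example that is not part of this thread and not Squid's own tooling. The config path and the account name are assumptions; Squid packages install the file under /etc/squid or /usr/local/squid/etc and run as "squid", "proxy" or "nobody" depending on the build, so adjust both. lock_conf needs root for the chown; check_conf and check_no_login are the audit half and run as anyone who can stat the file.

```shell
#!/bin/sh
# Added example: apply and verify "owned by the squid user, mode 0600"
# for squid.conf. Not from the mailing-list post or from Squid itself.
# Assumed defaults (change to match your build/package):
CONF=${CONF:-/etc/squid/squid.conf}
SQUID_USER=${SQUID_USER:-squid}

# Print "<octal mode> <owner>" for a file. GNU stat first, BSD stat as fallback.
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# lock_conf FILE OWNER: make FILE readable/writable only by OWNER.
# chown requires root unless OWNER is already the caller.
lock_conf() {
    chown "$2" "$1" || return 1
    chmod 0600 "$1" || return 1
}

# check_conf FILE OWNER: 0 if FILE is exactly mode 0600 and owned by OWNER,
# 1 otherwise. Suitable for a post-deploy check or a periodic audit.
check_conf() {
    info=$(file_mode_owner "$1") || return 1
    mode=${info%% *}
    owner=${info#* }
    [ "$mode" = "600" ] && [ "$owner" = "$2" ]
}

# check_no_login USER: 0 if USER's login shell is nologin or false (the
# account cannot be used interactively), 1 if it has a real shell or the
# user does not exist. getent is glibc-specific; on other systems this
# simply reports 1.
check_no_login() {
    shell=$(getent passwd "$1" 2>/dev/null | cut -d: -f7)
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_squid_conf: combine both checks and report; exit status is the
# number of failed checks, so it can gate a deployment step.
audit_squid_conf() {
    failures=0
    if check_conf "$CONF" "$SQUID_USER"; then
        echo "ok: $CONF is 0600 and owned by $SQUID_USER"
    else
        echo "FAIL: $CONF is not 0600/$SQUID_USER (got: $(file_mode_owner "$CONF" 2>/dev/null))"
        failures=$((failures + 1))
    fi
    if check_no_login "$SQUID_USER"; then
        echo "ok: $SQUID_USER has no login shell"
    else
        echo "FAIL: $SQUID_USER has a login shell or does not exist"
        failures=$((failures + 1))
    fi
    return $failures
}

# Typical use, as root, after installing or editing the config:
#   lock_conf "$CONF" "$SQUID_USER" && audit_squid_conf
```

Note what the check does not cover, which is exactly Yuri's point: anyone with root (or CAP_DAC_READ_SEARCH, or read access to the disk or backups) reads the file regardless of its mode. The permissions stop other unprivileged accounts on the box, nothing more.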
