Date: Wed, 1 Aug 2001 18:01:55 +0200 From: "Karsten W. Rohrbach" <karsten@rohrbach.de> To: Mike Silbersack <silby@silby.com> Cc: "Nickolay A.Kritsky" <nkritsky@internethelp.ru>, security@FreeBSD.ORG Subject: Re: accounting with ipfw (gid, uid riles) Message-ID: <20010801180155.A24106@mail.webmonster.de> In-Reply-To: <20010731175236.A58983-100000@achilles.silby.com>; from silby@silby.com on Tue, Jul 31, 2001 at 05:54:18PM -0500 References: <20010731180828.I92506@mail.webmonster.de> <20010731175236.A58983-100000@achilles.silby.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--oyUTqETQ0mS9luUI Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Mike Silbersack(silby@silby.com)@2001.07.31 17:54:18 +0000: >=20 > On Tue, 31 Jul 2001, Karsten W. Rohrbach wrote: >=20 > > > If squid runs the listen as root, all sockets created from that listen > > > socket will also be accounted to root. Same problem as the above. I= do > > > not know how natd would affect connections in terms of uid accounting. > > > > squid's standard ports are higher than 1024, so it should not be a > > problem to start it with a uid wrapper (setuidgid from daemontools > > or similar), shouldn't it? then the socket belongs to the squid user > > i think... > > > > /k >=20 > I'm not familiar with how squid acts, but your idea sounds good to me. > Tell us how it works. :) eh? AFAIK the entity that creates the socket owns it.=20 to bind ports <1024 this entity has to be root. therefor the daemon gets started as root, does the socket magic and suids to whatever. the bound socket is still owned by root, right? this magic has been implemented to bind to ports <1024 but it is not necessary for binding unprivileged ports (squid's standard is 3128 i think for binding the tcp port, the icp port should be 3130/udp). so here's what i would do: cd /usr/ports/sysutils/daemontools && make install clean cd /usr/ports/www/squidXX && make install clean vipw # add users 'squid', 'log' vi /etc/group # add groups 'squid', 'log' mkdir -p /var/service/squid cat >/var/service/squid/run <<EOF #!/bin/sh ## run file for squid process PATH=3D/usr/local/bin:/usr/bin:/bin export PATH exec 2>&1 exec setuidgid squid /where/ever/squid -YN EOF chmod 0700 /var/service/squid mkdir -p /var/service/squid/log/squid cat >/var/service/squid/log/run <<EOF #!/bin/sh ## run file for squid stderr/stdout logging process PATH=3D/usr/local/bin:/usr/bin:/bin export PATH exec setuidgid log multilog t ./squid EOF chown log:log /var/service/squid/log/squid chmod +t /var/service/squid mkdir /service cat >/usr/local/etc/rc.d/svscan.sh <<EOF ## svscan startup script env - PATH=3D/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin \ csh -cf \ 'svscan /service | setuidgid log multilog t /var/log/svscan &' EOF mkdir -p /var/log/svscan chown log:log /var/log/svscan sh /usr/local/etc/rc.d/svscan.sh # configure squid now to listen to ports >1024 etc... cd /service ln -s /var/service/squid DO NOT CUT & PASTE, it could kill your cat, i just typed this in ;-) squid should now run, bind to 3128 as the uid it was started with from setuidgid squid (uid=3Dsquid, gid=3Dsquid).=20 did i miss something? have fun /k >=20 > Mike "Silby" Silbersack >=20 --=20 > Q: What do you get when you cross Dracula with a used car dealer? > A: autoexec.bat KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 Please do not remove my address from To: and Cc: fields in mailing lists. 1= 0x --oyUTqETQ0mS9luUI Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7aCfzM0BPTilkv0YRAoZOAJ46fTJJQVM3NLjETJswUYzVwqY11gCfWxvG Y1KI7yRDoVcSPbzYBh7FROU= =3rc4 -----END PGP SIGNATURE----- --oyUTqETQ0mS9luUI-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010801180155.A24106>