Date:      Wed, 1 Aug 2001 18:01:55 +0200
From:      "Karsten W. Rohrbach" <karsten@rohrbach.de>
To:        Mike Silbersack <silby@silby.com>
Cc:        "Nickolay A.Kritsky" <nkritsky@internethelp.ru>, security@FreeBSD.ORG
Subject:   Re: accounting with ipfw (gid, uid riles)
Message-ID:  <20010801180155.A24106@mail.webmonster.de>
In-Reply-To: <20010731175236.A58983-100000@achilles.silby.com>; from silby@silby.com on Tue, Jul 31, 2001 at 05:54:18PM -0500
References:  <20010731180828.I92506@mail.webmonster.de> <20010731175236.A58983-100000@achilles.silby.com>


Mike Silbersack(silby@silby.com)@2001.07.31 17:54:18 +0000:
>
> On Tue, 31 Jul 2001, Karsten W. Rohrbach wrote:
>
> > > If squid runs the listen as root, all sockets created from that listen
> > > socket will also be accounted to root.  Same problem as the above.  I do
> > > not know how natd would affect connections in terms of uid accounting.
> >
> > squid's standard ports are higher than 1024, so it should not be a
> > problem to start it with a uid wrapper (setuidgid from daemontools
> > or similar), shouldn't it? then the socket belongs to the squid user
> > i think...
> >
> > /k
>
> I'm not familiar with how squid acts, but your idea sounds good to me.
> Tell us how it works. :)

eh?

AFAIK the entity that creates the socket owns it.
to bind ports <1024 this entity has to be root.
therefore the daemon gets started as root, does the socket magic and
suids to whatever. the bound socket is still owned by root, right?
this magic has been implemented to bind to ports <1024 but it is not
necessary for binding unprivileged ports (squid's standard is 3128 i
think for binding the tcp port, the icp port should be 3130/udp).

so here's what i would do:

cd /usr/ports/sysutils/daemontools && make install clean
cd /usr/ports/www/squidXX && make install clean
# unprivileged accounts: one for the proxy, one for the log writer
pw groupadd squid
pw useradd squid -g squid -d /nonexistent -s /sbin/nologin -c "squid proxy"
pw groupadd log
pw useradd log -g log -d /nonexistent -s /sbin/nologin -c "multilog writer"
mkdir -p /var/service/squid
cat >/var/service/squid/run <<'EOF'
#!/bin/sh
## run file for squid process
PATH=/usr/local/bin:/usr/bin:/bin
export PATH
exec 2>&1
# -N: stay in the foreground so supervise can watch it, -Y: fast restart
exec setuidgid squid /where/ever/squid -YN
EOF
chmod 0700 /var/service/squid
mkdir -p /var/service/squid/log/squid
cat >/var/service/squid/log/run <<'EOF'
#!/bin/sh
## run file for squid stderr/stdout logging process
PATH=/usr/local/bin:/usr/bin:/bin
export PATH
exec setuidgid log multilog t ./squid
EOF
# supervise execs the run files directly, so they must be executable
chmod 0755 /var/service/squid/run /var/service/squid/log/run
chown log:log /var/service/squid/log/squid
# the sticky bit on the service dir tells svscan to start the log/ service
chmod +t /var/service/squid
mkdir /service
cat >/usr/local/etc/rc.d/svscan.sh <<'EOF'
#!/bin/sh
## svscan startup script
env - PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin \
  csh -cf \
  'svscan /service | setuidgid log multilog t /var/log/svscan &'
EOF
chmod 0755 /usr/local/etc/rc.d/svscan.sh
mkdir -p /var/log/svscan
chown log:log /var/log/svscan
sh /usr/local/etc/rc.d/svscan.sh
# configure squid now to listen to ports >1024 etc...
cd /service
ln -s /var/service/squid

DO NOT CUT & PASTE, it could kill your cat, i just typed this in ;-)

squid should now run, bind to 3128 as the uid it was started with from
setuidgid squid (uid=squid, gid=squid).
did i miss something?

have fun
/k


>
> Mike "Silby" Silbersack
>

-- 
> Q: What do you get when you cross Dracula with a used car dealer?
> A: autoexec.bat
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
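Added example, not part of the original mail or of daemontools: a small POSIX sh pre-flight check for a service directory laid out like /var/service/squid above. It reports the mistakes that keep supervise or svscan from ever starting the service (a run or log/run that is missing or not executable, a log/ directory without the sticky bit on the service dir, a multilog output directory not owned by the logging user). The only assumed name is the default logging user "log", taken from the procedure above; pass another user as the second argument if yours differs.

```shell
#!/bin/sh
# check_service DIR [LOGUSER]
# Pre-flight check for a daemontools service directory such as
# /var/service/squid.  Added example, not from the original mail or from
# daemontools.  It flags:
#   - run missing or not executable (supervise execs it directly)
#   - log/run missing or not executable
#   - log/ present but the service dir lacks the sticky bit, which is what
#     makes svscan start the log/ service and pipe the daemon's stdout to it
#   - a multilog output directory under log/ not owned by LOGUSER
#     (multilog runs as that user via setuidgid and has to write there)
# Returns 0 when everything is in order, 1 otherwise; each finding is
# printed together with the command that fixes it.

check_service() {
    dir=$1
    loguser=${2:-log}
    rc=0

    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi

    if [ ! -x "$dir/run" ]; then
        echo "$dir/run: missing or not executable (chmod 0755 $dir/run)"
        rc=1
    fi

    if [ -d "$dir/log" ]; then
        if [ ! -x "$dir/log/run" ]; then
            echo "$dir/log/run: missing or not executable (chmod 0755 $dir/log/run)"
            rc=1
        fi

        # -perm -1000 matches only when the sticky bit is set; -prune keeps
        # find from descending into the directory (works on BSD and GNU find)
        if [ -z "$(find "$dir" -prune -perm -1000)" ]; then
            echo "$dir: sticky bit not set, svscan will not start log/ (chmod +t $dir)"
            rc=1
        fi

        # every directory under log/ except supervise/ is a multilog target
        for d in "$dir"/log/*/; do
            [ -d "$d" ] || continue
            case $d in */supervise/) continue ;; esac
            owner=$(ls -ld "$d" | awk '{print $3}')
            if [ "$owner" != "$loguser" ]; then
                echo "$d: owned by $owner, not $loguser (chown $loguser $d)"
                rc=1
            fi
        done
    fi

    return $rc
}

# When run as a script, check every service directory named on the command line.
[ $# -eq 0 ] || check_service "$@"
```

Run it as `sh check_service.sh /var/service/squid` before symlinking the directory into /service; a clean exit means svscan will pick the service up, while each non-zero finding names the exact chmod or chown that is missing.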

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010801180155.A24106>