From: Rob Farmer
To: Ed Flecko
Cc: freebsd-questions@freebsd.org
Date: Wed, 1 Sep 2010 12:38:33 -0700
Subject: Re: Should a "squid" user have a shell?

On Wed, Sep 1, 2010 at 9:02 AM, Ed Flecko wrote:
> Hi folks,
> I'm looking in some documentation for Squid, which I'm installing on a
> FBSD 8.1 server, and it says I need to create a squid user and a squid
> group because I'm building/installing from source.
>
> I see that to create the squid user, I use the (of course) "adduser"
> command (there isn't a default squid user with the base install, is
> there?).
>
> 1.) When I use the adduser command, from a security perspective,
> should the squid user have a shell? What should it be?
>
> 2.) How do I create a squid group and add the squid user to it?
>
> 3.) Since the squid user needs full access to the squid directory and
> all of its files, what's the easiest way to give the appropriate
> permissions?

Service accounts shouldn't have a password (their password field should
be "starred out") and should have a shell of /usr/sbin/nologin (this
program logs any attempt to run it and exits). The port uses the
following commands to set this up:

pw groupadd squid -g 100 -q
pw useradd -q -n squid -u 100 -g squid -c "Squid caching-proxy pseudo user" -d "/var/squid" -s "/usr/sbin/nologin" -h -

This assumes data is in /var/squid. You can create this directory and
use chmod/chown to give the user and group the necessary permissions.
The UID and GID (100 and 100 in this case) come from the lists in
/usr/ports and are reserved for squid to avoid conflicts.

-- 
Rob Farmer

> Thank you,
> Ed
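An added check for the two properties Rob's reply calls for (a starred-out password field and /usr/sbin/nologin as the shell), written as example code for this thread rather than taken from the Squid port; the function names and the sample master.passwd entries are constructed, and the only assumption beyond the thread is that "pw lock" marks a password with a leading *LOCKED*.

```shell
#!/bin/sh
# Added example: audit passwd(5) (7-field) or master.passwd(5) (10-field)
# entries for a starred-out password and a /usr/sbin/nologin shell.
# Function names and the sample entries below are constructed.
NOLOGIN=/usr/sbin/nologin
# check_service_account LINE -> 0 if LINE is a locked-down service account.
check_service_account() {
    old_ifs=$IFS
    set -f                  # no globbing, so a "*" password field stays literal
    IFS=:
    set -- $1
    IFS=$old_ifs
    set +f
    # The shell drops a trailing empty field, so an entry with an empty shell
    # field (which would mean /bin/sh) comes up short and is rejected here.
    case $# in
        7|10) ;;
        *) return 1 ;;
    esac
    passwd=$2
    for f; do shell=$f; done    # the last field is the login shell
    case $passwd in
        '*'|'*LOCKED*'*) ;;     # starred out, or locked by "pw lock"
        *) return 1 ;;          # empty or a real hash: interactive login possible
    esac
    [ "$shell" = "$NOLOGIN" ]
}

# audit_accounts FILE -> prints the name of every entry that fails the check,
# one per line; returns 1 if any did. Blank and "#" lines are skipped.
audit_accounts() {
    rc=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        check_service_account "$line" || { echo "${line%%:*}"; rc=1; }
    done < "$1"
    return $rc
}
# Constructed master.passwd(5) sample: only the squid entry passes.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
squid:*:100:100::0:0:Squid caching-proxy pseudo user:/var/squid:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/bin/sh
cache:$6$constructed$hash:101:101::0:0:Cache daemon:/var/cache:/usr/sbin/nologin
proxy:*:102:102::0:0:Proxy daemon:/var/proxy:
EOF
if audit_accounts "$SAMPLE"; then echo "all entries locked down"; fi
rm -f "$SAMPLE"
```

Run it against a copy of /etc/master.passwd (or getent output) to list every account that could still be logged into interactively.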