Date: Wed, 1 Sep 2010 12:46:26 -0700
From: Rob Farmer <rfarmer@predatorlabs.net>
To: Ed Flecko <edflecko@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Should a "squid" user have a shell?
Message-ID: <AANLkTi=FTZauyHM8hcXVO2ev62JZDemPD-CJrYv6MxB=@mail.gmail.com>
In-Reply-To: <AANLkTinhBFNNfYXFBWphyDD-zg0V0oiUfePqp01cWZmA@mail.gmail.com>
References: <AANLkTinEdd4701=ua16EeyFNy83Phva5rLEed4hhAhCU@mail.gmail.com> <AANLkTinhBFNNfYXFBWphyDD-zg0V0oiUfePqp01cWZmA@mail.gmail.com>

On Wed, Sep 1, 2010 at 12:38 PM, Rob Farmer <rfarmer@predatorlabs.net> wrote:
> On Wed, Sep 1, 2010 at 9:02 AM, Ed Flecko <edflecko@gmail.com> wrote:
>> Hi folks,
>> I'm looking in some documentation for Squid, which I'm installing on a
>> FBSD 8.1 server, and it says I need to create a squid user and a squid
>> group because I'm building/installing from source.
>>
>> I see to create the squid user, I use the (of course) "adduser"
>> command (there isn't a default squid user with the base install, is
>> there?).
>>
>> 1.) When I use the adduser command, from a security perspective,
>> should the squid user have a shell? What should it be?
>>
>> 2.) How do I create a squid group and add the squid user to it?
>>
>> 3.) Since the squid user needs full access to the squid directory and
>> all of its files, what's the easiest way to give the appropriate
>> permissions?
>
> Service accounts shouldn't have a password (their password field
> should be "starred out") and should have a shell of /usr/sbin/nologin
> (this program logs any attempt to run it and exits).
>
> The port uses the following commands to set this up:
>
> pw groupadd squid -g 100 -q
> pw useradd -q -n squid -u 100 -g squid -c "Squid caching-proxy psuedo
> user" -d "/var/squid" -s "/usr/sbin/nologin" -h -

Addendum: the "-q" flag suppresses output/errors - good for a script,
but you probably want to remove it for interactive use.

--
Rob Farmer

>
> This assumes data is in /var/squid. You can create this directory and
> use chmod/chown to give the user and group necessary permissions.
>
> The UID and GID (100 and 100 in this case) come from the lists in
> /usr/ports and are reserved for squid to avoid conflicts.
>
> --
> Rob Farmer
>
>>
>> Thank you,
>> Ed
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
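
The two properties recommended in the reply above for a service account (a starred-out password field and a shell of /usr/sbin/nologin) can be checked mechanically. The script below is an added example, not part of the original thread or of the Squid port; the sample master.passwd-format entries are constructed, and the function names and the UID cutoff of 999 for "service account" are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid port).
# FreeBSD master.passwd(5) fields:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# Constructed sample entries; the hashes are placeholders, not real hashes.
sample_entries() {
    cat <<'EOF'
squid:*:100:100::0:0:Squid caching-proxy user (constructed):/var/squid:/usr/sbin/nologin
webcache:$6$CONSTRUCTED$placeholderhash:101:101::0:0:constructed:/var/cache:/bin/sh
proxy2:*:102:102::0:0:constructed:/var/proxy2:/bin/csh
ed:$6$CONSTRUCTED$placeholderhash:1001:1001::0:0:regular user (constructed):/home/ed:/bin/tcsh
EOF
}

# audit_passwd: read master.passwd-format lines on stdin and print one line
# per service account that breaks either rule. Exit status 1 if any did.
# Assumption: "service account" means 0 < UID <= MAX_SERVICE_UID (default 999).
audit_passwd() {
    awk -F: -v max_uid="${MAX_SERVICE_UID:-999}" '
        /^#/ || NF < 10 { next }            # comments, malformed lines
        $3 == 0 || $3 > max_uid { next }    # root and regular users
        {
            bad = ""
            # Rule 1: password field starred out, so no hash can match.
            if ($2 != "*") bad = bad " password-not-starred"
            # Rule 2: shell is nologin; an empty field means the default shell.
            shell = ($10 == "") ? "(default)" : $10
            if (shell != "/usr/sbin/nologin") bad = bad " shell=" shell
            if (bad != "") { print $1 ":" bad; n++ }
        }
        END { exit (n > 0) }
    '
}

# Run against the constructed sample; on a live system the input would be
# /etc/master.passwd, which is readable by root only.
sample_entries | audit_passwd || echo "service accounts needing attention listed above"
```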