[plug] Another (Possibly) Redhat specific squid tip

Greg Mildenhall greg at networx.net.au
Sat Nov 21 17:58:15 WST 1998 

On Sat, 21 Nov 1998, Christian wrote:
> At 13:49 21/11/98 +0800, you wrote:
> >Just noticed that my user "nobody" was disabled from a default redhat
> >5.1 install...... so I enabled the nobody user, and gave
> >it a password for security reasons.
I cannot imagine _what_ security reasons you would give it a password for.
For security reasons, replace the password field in /etc/passwd and/or 
/etc/shadow with an '*', or whatever is the local policy.
There is no reason for anyone to log in as nobody.

> Knowing very little about squid I'm reticient to open my mouth but,
> wouldn't squid be started as root and then seteuid() to nobody? (ie, the
> same way most web servers do).  
Not necessarily. Web servers do that because they need to bind to port 80.
The ports below 1024 are considered privileged and can only be bound to by
root. Thus the webserver will grab port 80 before giving up root
priveleges.
Squid does not necessarily bind to a privileged port (the default is 3128)
so it does not have to be started as root. Starting it as nobody is a
better idea, but your distribution really ought provide a seperate userid
for squid to operate as. (assuming you installed the squid from your
distro)
For instance, a Debian system will create:

assassin at live:~$f squid
Login: squid                            Name: Proxy Cache
Directory: /usr/local/squid             Shell: /bin/false
Never logged in.
No mail.
No Plan.
assassin at live:~$

The problem with "nobody" is that you only want to run one service as
a given user, to limit the damage if one of your non-root services is
compromised. Hence, you will want, for instance, a user "squid", a user
"apache" or "www-data", a user "ftp", and so on, to keep all of your
services nicely segregated.
Of course, all worthwhile distributions will do this for you, which would 
be why you do not have (or even want) a nobody on the system.

All of which leads on to discussions of the frontpage server's efforts
(or lack thereof) to segregate users.... but I assume we will be given
that warning by the battle-hardened when the time arises.

-Greg Mildenhall

More information about the plug mailing list