Re: [squid-users] Squid 2.4 into a chroot jail

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 1 Sep 2002 02:16:32 +0200

On Saturday 31 August 2002 07.39, Geffrey VT wrote:
> Hi friends,
>
> How can I run Squid 2.4 into a chroot jail? Please send me your
> experiences...

Yes

One thing to keep in mind is that the Squid configuration parser does
not yet know about the effect of chroot_dir so any paths listed in
squid.conf need to be reachable both from outside the jail and
within the jail. I usually deal with this by having all paths
starting with /squid (the path of my chroot jail and prefix of the
Squid installation), and having a symbolic link "squid -> ." within
the jail.

Other than this the requirements are fairly standard. You will need
the standard device nodes (especially /dev/null and /dev/zero) within
the jail, and if your Squid needs to run any helpers then you will
need all libraries and configuration files used by these helpers
within the jail.

Having syslog opening a /dev/log socket within the jail is also
advised, as usual when it comes to chrooted services. See the syslog
documentation on the details how to add additional syslog sockets to
your system.

Also, you won't be able to "squid -k reconfigure" a Squid chrooted via
the chroot_dir directive, but instead you will gain security. To
reconfigure you will need to restart squid. A small price to pay for the
added security.

Regards
Henrik
Received on Sat Aug 31 2002 - 18:27:12 MDT
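
A pre-flight check for the jail layout described in the message above, as an added example that is not part of the original post or of Squid. The function names, the PATH_DIRECTIVES list and the script name are assumptions of this example; it checks that configured paths resolve both outside and inside the jail and that the device nodes are present.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for a jail.
# Directives whose arguments are file paths: a starter list assumed for this
# example; extend it to match your own squid.conf.
PATH_DIRECTIVES="cache_dir cache_access_log cache_log cache_store_log \
pid_filename redirect_program authenticate_program error_directory mime_table"

# Print each absolute path given to one of the directives above.
conf_paths() {
    awk -v d="$PATH_DIRECTIVES" '
        BEGIN { n = split(d, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        { sub(/#.*/, "") }                      # drop comments
        ($1 in want) { for (i = 2; i <= NF; i++) if ($i ~ /^\//) print $i }
    ' "$1" | sort -u
}

# A path is reachable if it exists, or (for a log or pid file created at
# startup) if its parent directory exists.
reachable() { [ -e "$1" ] || [ -d "$(dirname "$1")" ]; }

# The parser reads squid.conf before the chroot, so every path must resolve on
# the host AND under the jail root. "$jail$p" mimics the chroot only for
# relative symlinks such as "squid -> ."; absolute links are not emulated.
check_paths() {
    jail=${1%/} bad=0
    for p in $(conf_paths "$2"); do
        reachable "$p"      || { echo "unreachable outside jail: $p"; bad=1; }
        reachable "$jail$p" || { echo "unreachable inside jail: $jail$p"; bad=1; }
    done
    return $bad
}

# /dev/null and /dev/zero must be character devices inside the jail; a
# missing syslog socket is reported but not treated as fatal.
check_devs() {
    jail=${1%/} bad=0
    for d in /dev/null /dev/zero; do
        [ -c "$jail$d" ] || { echo "not a character device: $jail$d"; bad=1; }
    done
    [ -S "$jail/dev/log" ] || echo "note: no syslog socket at $jail/dev/log"
    return $bad
}

# Usage: sh jailcheck.sh /squid /squid/etc/squid.conf
if [ "$#" -eq 2 ]; then
    check_paths "$1" "$2"; r1=$?
    check_devs "$1"; r2=$?
    exit $((r1 | r2))
fi
```

Helper programs still need their libraries and configuration files copied into the jail; this check does not cover them.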
