squid needs chmod 644 /dev/pf ?

K

kvi

Hi,

I am trying to run Squid 3.3.8 as a transparent proxy. I use pf as my firewall. I had huge problems getting it to work and I usually ended up getting this kind of lines to my cache.log:

Code: 
2013/07/27 22:51:37 kid1| PF open failed: (13) Permission denied

After fighting with Squid for a day I finally decided to try chmod 640 /dev/pf. Didn't solve the problem, but running chmod 644 /dev/pf did solve it.

I don't know if this can lead to security issues? I am the only one having an account to the system.

Anyway, after a reboot the permissions of /dev/pf was set back to 600. Should I make a bootscript for setting permissions to 644 or does someone have a better solution after having this similar problem?
 
kvi said:
After fighting with squid for a day I finally decided to try chmod 640 /dev/pf. Didn't solve the problem, but running chmod 644 /dev/pf did solve it.

I don't know if this can lead to security issues? I am the only one having an account to the system.
Click to expand...
Well; you and the web server, the proxy server, your mail server and don't forget the optional DNS server. All of those also have an account on your system.

Yes, this could turn into quite the security issue because you just gave everyone on your system access to this device. So if you host websites on this server and people are allowed to run their own scripts you have a potential security risk, since they can now also inquire the state of your firewall (and perhaps even alter it, I'm not sure there though).

I'd suggest that you use groups instead. Most likely the device is owned by root:wheel, and obviously running a proxy server as a member of the wheel group is a bad idea. But you can easily create a new group, make the proxy server account a member of this group and then provide the required access bits to /dev/pf, but only to the group.

That way you'd still open the firewall up a little bit, but it would be a lot better than giving everyone access.
 
  • Thanks
Reactions: kvi
The way you can control the access bits on /dev entries without using custom scripts is trough devfs.conf(5). For example:

Code: 
perm pf 0644

The ultimate solution would be acl(3) support for devfs(8). You could then just state in a devfs.conf entry that you want to add read access for group proxy to devnode pf.
 
  • Thanks
Reactions: kvi
I put permissions to 640 and used another group for /dev/pf. You are right that all services have access to the system, but I don't really run many things open to the internet. This is still better.

I actually remember I saw an old thread where someone did this same trick, but I was still looking for a better solution when I found it. Had forgotten it until reminded again.
 
You must log in or register to reply here.
Back
Top