5.7 A chroot Environment

Some people like to run Squid in a chroot environment. This is a Unix feature that gives a process a new root filesystem directory. It provides an extra level of security in the event that Squid is compromised. If an attacker somehow gains access to the operating system through Squid, she can only access files under the chroot filesystem. The other system files, outside of the chroot tree, remain inaccessible.

The easiest way to run Squid in a chroot environment is by specifying the new root directory in the squid.conf file with this directive:

chroot /new/root/directory

The chroot( ) system call requires superuser privileges, so you must start Squid as root to use this feature.

The chroot environment isn't for first-time Unix users. It is a little tricky because you must replicate a number of files underneath the new root directory. For example, if the default configuration file is normally /usr/local/squid/etc/squid.conf, and you use the chroot directive, the file must be located at /new/root/directory/usr/local/squid/etc/squid.conf. You must copy all of the files under $prefix/etc, $prefix/share, and $prefix/libexec to the chroot directory. Make sure that $prefix/var and the cache directories exist and are writable under the chroot directory as well.

Chances are that your operating system requires a number of files in the chroot directory, such as /etc/resolv.conf and /dev/null. If you use an external helper program, such as a redirector (see Chapter 11) or an authenticator (see Chapter 12), you'll also need some shared libraries from /usr/lib. You can use the ldd utility to find out which shared libraries are required for a given program:

% ldd /usr/local/squid/libexec/ncsa_auth


        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28067000)

        libm.so.2 => /usr/lib/libm.so.2 (0x28080000)

        libc.so.4 => /usr/lib/libc.so.4 (0x28098000)

You can also use the chroot command to test helpers:

# chroot /new/root/directory /usr/local/squid/libexec/ncsa_auth

/usr/libexec/ld-elf.so.1: Shared object "libcrypt.so.2" not found

For more information on chroot, see the chroot( ) manpage on your system.

    Appendix A. Config File Reference