Available Categories

AdobeMacromediaProgrammingSQLServer AdministrationNetworkingMicrosoft ProductsMac OSLinux systemsMobile devicesXMLCertificationMisc

Available Tutorials

Active DirectoryActive Directory. Windows server 2003 Windows 2000SendmailSquid. The definitive guideTCPIP network administrationMicrosoft IIS 6 delta guideSecuring Windows Server 2003dns on windows server 2003Upgrading to php 5Windows XP tipsldap system administration
| More

5.7 A chroot Environment

Some people like to run Squid in a chroot environment. This is a Unix feature that gives a process a new root filesystem directory. It provides an extra level of security in the event that Squid is compromised. If an attacker somehow gains access to the operating system through Squid, she can only access files under the chroot filesystem. The other system files, outside of the chroot tree, remain inaccessible.

The easiest way to run Squid in a chroot environment is by specifying the new root directory in the squid.conf file with this directive:

chroot /new/root/directory

The chroot( ) system call requires superuser privileges, so you must start Squid as root to use this feature.


The chroot environment isn't for first-time Unix users. It is a little tricky because you must replicate a number of files underneath the new root directory. For example, if the default configuration file is normally /usr/local/squid/etc/squid.conf, and you use the chroot directive, the file must be located at /new/root/directory/usr/local/squid/etc/squid.conf. You must copy all of the files under $prefix/etc, $prefix/share, and $prefix/libexec to the chroot directory. Make sure that $prefix/var and the cache directories exist and are writable under the chroot directory as well.

Chances are that your operating system requires a number of files in the chroot directory, such as /etc/resolv.conf and /dev/null. If you use an external helper program, such as a redirector (see Chapter 11) or an authenticator (see Chapter 12), you'll also need some shared libraries from /usr/lib. You can use the ldd utility to find out which shared libraries are required for a given program:

% ldd /usr/local/squid/libexec/ncsa_auth

/usr/local/squid/libexec/ncsa_auth:

        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28067000)

        libm.so.2 => /usr/lib/libm.so.2 (0x28080000)

        libc.so.4 => /usr/lib/libc.so.4 (0x28098000)

You can also use the chroot command to test helpers:

# chroot /new/root/directory /usr/local/squid/libexec/ncsa_auth

/usr/libexec/ld-elf.so.1: Shared object "libcrypt.so.2" not found

For more information on chroot, see the chroot( ) manpage on your system.

    Squid. The definitive guide
    		Preface
    		Chapter 1. Introduction
    		Chapter 2. Getting Squid
    		Chapter 3. Compiling and Installing
    		Chapter 4. Configuration Guide for the Eager
    		Chapter 5. Running Squid
    		5.1 Squid Command-Line Options
    		5.2 Check Your Configuration File for Errors
    		5.3 Initializing Cache Directories
    		5.4 Testing Squid in a Terminal Window
    		5.5 Running Squid as a Daemon Process
    		5.6 Boot Scripts
    		5.7 A chroot Environment
    		5.8 Stopping Squid
    		5.9 Reconfiguring a Running Squid Process
    		5.10 Rotating the Log Files
    		5.11 Exercises
    		Chapter 6. All About Access Controls
    		Chapter 7. Disk Cache Basics
    		Chapter 8. Advanced Disk Cache Topics
    		Chapter 9. Interception Caching
    		Chapter 10. Talking to Other Squids
    		Chapter 11. Redirectors
    		Chapter 12. Authentication Helpers
    		Chapter 13. Log Files
    		Chapter 14. Monitoring Squid
    		Chapter 15. Server Accelerator Mode
    		Chapter 16. Debugging and Troubleshooting
    		Appendix A. Config File Reference
    		Appendix B. The Memory Cache
    		Appendix C. Delay Pools
    		Appendix D. Filesystem Performance Benchmarks
    		Appendix E. Squid on Windows
    		Appendix F. Configuring Squid Clients

    | More
    internet connection