LinuxQuestions.org


OtagoHarbour 07-30-2012 10:04 PM

Separate Account for Squid Proxy?
 
I have a DMZ with Ubuntu 11.04 on the web server and Ubuntu 11.10 on the applications server. I am thinking of setting the Squid proxy up on the web server in order to enhance security by having Squid keep a log of packets that go in and out.

I read here that one should have a separate account for Squid. But the article is pretty old and a more recent article about using Squid for security does not mention doing that. Also I am running a web site and it seems that I need to be logged into the account I am running the web site from.

Any advice about whether I should have a separate account for Squid would be greatly appreciated.

evo2 07-30-2012 11:10 PM

Hi,

I recommend installing it with your package manager and then reading /usr/share/doc/squid/README.Debian.gz and then decide if you want to (and how) to run as a dedicated user.

Evo2.

darthaxul 07-31-2012 12:20 AM

depends
 
Depends on how you want it set up really. But I would stick with separate accounts for separate tasks, just for logging purposes. But maybe it's easier to have one account for everything, but when the time comes to troubleshoot it may be harder to find the trouble point.

OtagoHarbour 07-31-2012 09:13 AM

Quote:

Originally Posted by evo2 (Post 4741819)
Hi,

I recommend installing it with your package manager and then reading /usr/share/doc/squid/README.Debian.gz and then decide if you want to (and how) to run as a dedicated user.

Evo2.

Thank you for your reply. I got the following errors when I tried to install Squid from the Ubuntu (v 11.04) software center.

Code:

installArchives() failed: Preconfiguring packages ...
Preconfiguring packages ...
Preconfiguring packages ...
Selecting previously deselected package squid.
(Reading database ...
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 263966 files and directories currently installed.)
Unpacking squid (from .../squid_2.7.STABLE9-2.1ubuntu6_i386.deb) ...
Processing triggers for ureadahead ...
Processing triggers for ufw ...
Processing triggers for man-db ...
Setting up rsh-client (0.17-15) ...
update-alternatives: error: alternative link /usr/bin/rcp is already managed by rcpDisabled.
dpkg: error processing rsh-client (--configure):
 subprocess installed post-installation script returned error exit status 2
Setting up squid (2.7.STABLE9-2.1ubuntu6) ...
squid start/running, process 24039
Errors were encountered while processing:
 rsh-client
Setting up rsh-client (0.17-15) ...
update-alternatives: error: alternative link /usr/bin/rcp is already managed by rcpDisabled.
dpkg: error processing rsh-client (--configure):
 subprocess installed post-installation script returned error exit status 2

Thanks,
Peter.

OtagoHarbour 07-31-2012 09:17 AM

Quote:

Originally Posted by darthaxul (Post 4741853)
Depends on how you want it set up really. But I would stick with separate accounts for separate tasks, just for logging purposes. But maybe it's easier to have one account for everything, but when the time comes to troubleshoot it may be harder to find the trouble point.

Thank you for your reply. Sorry if this is a stupid question. A lot of this is new to me. If I am running Squid from a separate account, would I not need to log out of any other account and log into the Squid account in order for Squid to run?

Thanks,
Peter.

evo2 07-31-2012 07:17 PM

Hi,

Quote:

Originally Posted by OtagoHarbour (Post 4742167)
Thank you for your reply. Sorry if this is a stupid question. A lot of this is new to me. If I am running Squid from a separate account, would I not need to log out of any other account and log into the Squid account in order for Squid to run?

The daemon startup would be initiated by root but an su to the squid user would be performed before squid is launched. This is standard practice for a huge number of daemons that run on *nix type systems.

Please check the README.Debian.gz as I suggested earlier.

Evo2.
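
The start-as-root, switch-to-a-dedicated-user behaviour described in the post above can be checked from the process table. The following is an added example, not part of the original thread or of Squid itself: it reads `ps -eo user=,pid=,ppid=,comm=` style lines and fails if a Squid process runs as root without being the launcher of an unprivileged child. The account name `proxy`, the function name and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which account Squid processes run under.
# Input on stdin: lines of "USER PID PPID COMMAND", for example from
#   ps -eo user=,pid=,ppid=,comm= | squid_account_audit
# Prints one verdict per squid process and returns 0 only if no squid
# process that handles traffic is running as root.
squid_account_audit() {
    awk '
    $4 ~ /^squid3?$/ { user[$2] = $1; parent[$2] = $3 }
    END {
        # A root-owned squid process is tolerated only when it is the
        # parent of a squid child that already runs unprivileged.
        for (p in user)
            if (user[p] != "root" && (parent[p] in user) &&
                user[parent[p]] == "root")
                launcher[parent[p]] = 1
        bad = 0; n = 0
        for (p in user) {
            n++
            if (user[p] != "root")
                printf "OK   pid %s runs as %s\n", p, user[p]
            else if (p in launcher)
                printf "OK   pid %s is the root launcher of an unprivileged child\n", p
            else {
                printf "FAIL pid %s runs as root\n", p
                bad = 1
            }
        }
        if (n == 0) { print "FAIL no squid process found"; bad = 1 }
        exit bad
    }'
}

# Constructed sample inputs (not captured from a real host).
# "proxy" as the dedicated account name is an assumption.
SAMPLE_DEDICATED='root 812 1 squid
proxy 814 812 squid
www-data 990 1 apache2'

SAMPLE_ROOT='root 812 1 squid
root 814 812 squid'

# Example run against the constructed data:
#   printf "%s\n" "$SAMPLE_DEDICATED" | squid_account_audit
```
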

evo2 07-31-2012 07:25 PM

Hi,
Quote:

Originally Posted by OtagoHarbour (Post 4742165)
I got the following errors when I tried to install Squid from the Ubuntu (v 11.04) software center.

For some reason you seem to be trying to install rsh-client. Unfortunately the full output is missing (or perhaps this is a "feature" of "software center") so I don't know why that is happening.

Are you comfortable using the command line?

Evo2.

OtagoHarbour 08-03-2012 09:13 PM

Quote:

Originally Posted by evo2 (Post 4742576)

Are you comfortable using the command line?

Evo2.

Yes. I am comfortable using the command line. In fact I would prefer to do that since the package manager seems unreliable.

Thanks,
Peter.

