Safe to run squid_user=root ?

Christian Walther cptsalek at gmail.com
Wed Jun 17 05:50:59 UTC 2009


2009/6/17 Jeffrey Goldberg <jeffrey at goldmark.org>:
> www/squid30 sets up an rc.d startup script that includes
>
>  squid_user=${squid_user:-squid}
>
> This makes it impossible to get squid to listen on a port lower than 1024.
>
> If I specify
>
>  squid_user=root
>
> in my rc.conf will I be doing something stupid?  Does squid appropriately
> drop privileges after binding to a socket?

I'm not sure if squid works if you configure it to listen to port 80.

If it won't work, I see three possibilities:
1. use a jail and set squid_user=root (maybe it won't hurt that much
if someone hacks into the proxy)
2. Set up squid with its standard port, and use SSH's port forwarding
feature. This might be done as root. E.g. squid listens to
localhost:3128, and the port forwarding goes to $EXT_IP:70.
3. Use any other unprivileged port that is used by any protocol.
There's a nice list at
http://www.iana.org/assignments/port-numbers

> The background for this is that I want to set up a proxy to listen on port
> 70 (yes that is gopher).  There is a bit of a move afoot to set up proxies
> to allow people from Iran to get to sites like twitter and facebook which
> are currently being blocked by the Iranian government.  They have just
> started blocking things to destination ports like 8080 and 3128.

Yes, I heard, and I'm thinking about setting up a proxy, too. I'm just not
sure that I want everyone on the net to be able to access it.
I'm not sure if authentication is an option here, though.

