
ACLs for squid?

PostPosted: Wed Apr 16, 2003 4:42 am
by szpak
Does anyone have a nice set of ACLs for squid?
I'm running chrooted squid-2.5.STABLE2; this is the effect when using the ACLs from learning mode :)

----

Apr 11 17:22:33 linux kernel: grsec: From 192.168.0.24: attempted connect to 150.254.5.4 port 53 sock type 2 protocol 17 by (squid:28236) UID(65534) EUID(65534), parent (squid:28456) UID(0) EUID(0)
Apr 11 17:22:33 linux kernel: grsec: From 192.168.0.24: attempted connect to 150.254.2.3 port 53 sock type 2 protocol 17 by (squid:28236) UID(65534) EUID(65534), parent (squid:28456) UID(0) EUID(0)
Apr 11 17:22:33 linux kernel: grsec: From 192.168.0.24: attempted connect to 150.254.5.4 port 53 sock type 2 protocol 17 by (squid:28236) UID(65534) EUID(65534), parent (squid:28456) UID(0) EUID(0)
Apr 11 17:22:33 linux kernel: grsec: From 192.168.0.24: attempted connect to 150.254.2.3 port 53 sock type 2 protocol 17 by (squid:28236) UID(65534) EUID(65534), parent (squid:28456) UID(0) EUID(0)
Apr 11 17:22:33 linux kernel: grsec: From 192.168.0.38: attempted socket(2,1,0) by (squid:28236) UID(65534) EUID(65534), parent (squid:28456) UID(0) EUID(0)
--
Przemysław Borkowski

PostPosted: Wed Apr 16, 2003 6:43 am
by spender
Could you paste your current ACL for squid? You shouldn't be getting anything denied if the process is in learning mode.

-Brad

PostPosted: Wed Apr 16, 2003 7:25 am
by szpak
Here's the ACL from learning mode;
the errors are from when I try to use it ;-)


/usr/local/squid/sbin/squid o {
/usr/local/squid/var/run/squid.pid w
/usr/local/squid/var/logs/store.log a
/usr/local/squid/var/logs/cache.log ra
/usr/local/squid/var/logs/access.log a
/usr/local/squid/var/cache rw
/dev/log rw
/home rxw
/home/szpak/.bash_history rxa
/mnt rw
/dev
/dev/urandom r
/dev/random r
/dev/zero rw
/dev/input rw
/dev/psaux rw
/dev/null rw
/dev/tty0 rw
/dev/tty1 rw
/dev/tty2 rw
/dev/tty3 rw
/dev/tty4 rw
/dev/tty5 rw
/dev/tty6 rw
/dev/tty7 rw
/dev/tty8 rw
/dev/console rw
/dev/tty rw
/dev/pts rw
/dev/ptmx rw
/dev/dsp rw
/dev/dsp0 rw
/dev/mixer rw
/dev/mixer0 rw
/dev/ippp0 rw
/dev/ippp1 rw
/dev/ippp2 rw
/dev/ippp3 rw
/dev/ippp4 rw
/dev/ippp5 rw
/dev/ippp6 rw
/dev/ippp7 rw
/dev/initctl rw
/dev/fd0 r
/dev/cdrom r
/dev/hdb r
/dev/mem h
/dev/kmem h
/dev/port h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rxw
/proc/kcore h
/proc/sys r
/root r
/tmp rw
/var rxw
/var/tmp rw
/var/log r
/boot h
/etc/grsec h
/opt h
/media/cdrom r
/media/floppy rw
/initrd h
/usr/local/squid/sbin/squid x
/ h

+CAP_ALL
-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_SYS_MODULE
-CAP_SYS_RAWIO
-CAP_SYS_PTRACE
-CAP_SYS_ADMIN
-CAP_SYS_TTY_CONFIG
-CAP_MKNOD

bind {
192.168.0.1:3128 stream tcp
}
}
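
As an added example (not szpak's policy and not code from grsecurity/gradm): a small Python script that reads the grsec denial lines pasted in the first post and turns each denied outgoing connect into the gradm connect-rule line the subject would need, using the same "ip:port type proto" vocabulary as the posted bind rule. It assumes the standard Linux socket type and protocol numbers (type 2 = dgram, protocol 17 = udp, type 1 = stream, protocol 0 = the default for that type) and the log line format exactly as pasted above.

```python
import re

# Constructed sample: the grsec denials from the first post, re-joined onto single
# lines (the forum extraction had wrapped them mid-word).
SAMPLE_LOG = """\
Apr 11 17:22:33 linux kernel: grsec: From 192.168.0.24: attempted connect to 150.254.5.4 port 53 sock type 2 protocol 17 by (squid:28236) UID(65534) EUID(65534), parent (squid:28456) UID(0) EUID(0)
Apr 11 17:22:33 linux kernel: grsec: From 192.168.0.24: attempted connect to 150.254.2.3 port 53 sock type 2 protocol 17 by (squid:28236) UID(65534) EUID(65534), parent (squid:28456) UID(0) EUID(0)
Apr 11 17:22:33 linux kernel: grsec: From 192.168.0.24: attempted connect to 150.254.5.4 port 53 sock type 2 protocol 17 by (squid:28236) UID(65534) EUID(65534), parent (squid:28456) UID(0) EUID(0)
Apr 11 17:22:33 linux kernel: grsec: From 192.168.0.38: attempted socket(2,1,0) by (squid:28236) UID(65534) EUID(65534), parent (squid:28456) UID(0) EUID(0)
"""

# Linux socket type / IP protocol numbers -> the keywords gradm uses in bind and
# connect rules (the posted ACL's "192.168.0.1:3128 stream tcp" uses the same words).
SOCK_TYPES = {1: "stream", 2: "dgram", 3: "raw"}
PROTOCOLS = {6: "tcp", 17: "udp", 1: "icmp"}
DEFAULT_PROTO = {"stream": "tcp", "dgram": "udp"}   # protocol 0 = default for the type

CONNECT_RE = re.compile(r"grsec: .*attempted connect to (?P<ip>[\d.]+) port (?P<port>\d+) "
                        r"sock type (?P<type>\d+) protocol (?P<proto>\d+) by \((?P<comm>[^:]+):\d+\)")
SOCKET_RE = re.compile(r"grsec: .*attempted socket\((?P<family>\d+),(?P<type>\d+),(?P<proto>\d+)\)"
                       r" by \((?P<comm>[^:]+):\d+\)")

def type_proto(sock_type, proto):
    """Return the gradm '<type> <proto>' pair for a numeric socket type / protocol."""
    t = SOCK_TYPES.get(sock_type, "unknown")
    p = DEFAULT_PROTO.get(t, "unknown") if proto == 0 else PROTOCOLS.get(proto, "unknown")
    return f"{t} {p}"

def parse_denials(log_text):
    """Collect, per process name, the connect rules the denied connects would need
    and the socket kinds whose creation was denied; duplicate lines are collapsed."""
    connects, sockets = {}, {}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            rule = f"{m['ip']}:{m['port']} {type_proto(int(m['type']), int(m['proto']))}"
            connects.setdefault(m["comm"], {})[rule] = True
            continue
        m = SOCKET_RE.search(line)
        if m and m["family"] == "2":   # 2 = AF_INET, the family the IP rules above cover
            sockets.setdefault(m["comm"], {})[type_proto(int(m["type"]), int(m["proto"]))] = True
    return ({c: list(r) for c, r in connects.items()}, {c: list(r) for c, r in sockets.items()})

def connect_block(rules):
    """Render connect rules as the block that sits next to 'bind { ... }' in the subject."""
    return "connect {\n" + "".join(f"\t{r}\n" for r in rules) + "}"

if __name__ == "__main__":
    connects, sockets = parse_denials(SAMPLE_LOG)
    for comm, rules in connects.items():
        print(f"# {comm}: connect rules missing from the subject\n{connect_block(rules)}")
    print("# socket() creations denied:", sockets)
```

Run against the pasted lines it decodes the denials as UDP DNS lookups to port 53 and the creation of a TCP stream socket, neither of which has a connect rule in the posted subject, which only carries a bind block.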

PostPosted: Wed Apr 16, 2003 7:30 am
by spender
What version of grsecurity/gradm are you using?

-Brad

PostPosted: Wed Apr 16, 2003 7:48 am
by szpak
1.9.9e & gradm 1.9.9d