Nachdem ich jetzt eine ganze Weile gesucht habe, wie man squid chrootet, hier meine Lösung. Sie erhebt keinen Anspruch auf Vollständigkeit und schon gar nicht auf vollständige Sicherheit: Ein chroot ist keine Sicherheitsgrenze für einen Prozess, der weiterhin als root läuft – squid muss also in der squid.conf (cache_effective_user) auf den unprivilegierten squid-Benutzer wechseln, und innerhalb des chroot darf dieser Benutzer nur Cache- und Log-Verzeichnis schreiben. Das Ganze soll eher als Ausgangspunkt für eigene Versuche dienen. Das gentoolkit (qpkg) muss hierfür installiert sein.
chroot-Verzeichnis anlegen
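# Build a minimal chroot for squid from the installed Gentoo package.
# Run as root on the host; needs gentoolkit (qpkg) and an installed www-proxy/squid.
# Only the package contents, squid's shared libraries, the NSS modules and a
# handful of /etc files are copied; the directory layout mirrors the host.
# Afterwards create the cache directories with
#   chroot "$CHROOT_DIR" /usr/sbin/squid -z
# Both variables may be overridden from the environment.
ERROR_LANG="${ERROR_LANG:-English}"   # one of the directories in /usr/lib/squid/errors
CHROOT_DIR="${CHROOT_DIR:-/squidroot}"

# Copy one file into the chroot at the same path, creating parent directories.
# -p keeps owner and mode, so binaries and config stay root-owned inside.
copy_into_chroot() {
  local src=$1
  local dir
  dir=$(dirname -- "$src")
  # ${CHROOT_DIR:?} aborts rather than operating on "/" if the variable is empty
  mkdir -p -- "${CHROOT_DIR:?}/${dir}" || return
  cp -p -- "$src" "${CHROOT_DIR}/${dir}"
}

# Print the absolute paths of the shared objects in ldd output read from stdin.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and "/lib/ld-linux.so.2 (0x...)";
# the vDSO line ("linux-gate.so.1 => (0x...)") has no path and is skipped.
parse_ldd() {
  awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
       $1 ~ /^\// { print $1 }'
}

# Print the lines of FILE (passwd/group format) whose account name is exactly NAME.
# Anchors on "name:" so that "root" does not also pull in e.g. "rootkit" lines.
account_lines() {
  grep -- "^${1}:" "$2"
}

# Orchestrate the build. Returns non-zero (rather than exiting) when the
# preconditions fail, so the helpers above stay usable from other scripts.
main() {
  local entry lib
  if [ "$(id -u)" -ne 0 ]; then
    echo "must run as root" >&2
    return 1
  fi
  if ! command -v qpkg >/dev/null 2>&1 || [ ! -x /usr/sbin/squid ]; then
    echo "needs gentoolkit (qpkg) and an installed squid" >&2
    return 1
  fi

  # 1. everything the squid package installed, at the same paths
  #    (unquoted expansion is intentional: one path per word, as qpkg prints them)
  for entry in $(qpkg -l -nc squid | grep -v "^www-proxy/squid-" | grep -v "^CONTENTS:"); do
    copy_into_chroot "$entry"
  done

  # 2. the shared libraries squid links against, plus the NSS modules, which
  #    are loaded at run time for name lookups and therefore not listed by ldd
  for lib in $(ldd /usr/sbin/squid | parse_ldd); do
    copy_into_chroot "$lib"
  done
  mkdir -p -- "${CHROOT_DIR}/lib"
  cp -p /lib/libnss_* "${CHROOT_DIR}/lib/"

  # 3. only the root and squid accounts. /etc/shadow is deliberately NOT copied;
  #    check that these passwd lines carry no password hash themselves.
  mkdir -p -- "${CHROOT_DIR}/etc"
  account_lines root  /etc/passwd >  "${CHROOT_DIR}/etc/passwd"
  account_lines squid /etc/passwd >> "${CHROOT_DIR}/etc/passwd"
  account_lines root  /etc/group  >  "${CHROOT_DIR}/etc/group"
  account_lines squid /etc/group  >> "${CHROOT_DIR}/etc/group"

  # 4. keep a single error-page language under /etc/squid/errors
  #    (make sure error_directory in squid.conf points there)
  mkdir -p -- "${CHROOT_DIR}/etc/squid"
  mv -- "${CHROOT_DIR}/usr/lib/squid/errors/${ERROR_LANG}" "${CHROOT_DIR}/etc/squid/errors"
  rm -rf -- "${CHROOT_DIR:?}/usr/lib/squid/errors"
  cp -p /etc/squid/* "${CHROOT_DIR}/etc/squid"

  # 5. device nodes and the /etc files the loader, resolver and time zone need.
  #    resolv.conf is a snapshot: re-copy it whenever the nameservers change.
  mkdir -p -- "${CHROOT_DIR}/dev"
  cp -a /dev/null /dev/tty "${CHROOT_DIR}/dev/"
  cp -p /etc/hosts /etc/ld.so.cache /etc/localtime /etc/nsswitch.conf /etc/resolv.conf \
    "${CHROOT_DIR}/etc"

  # 6. writable state. Only log and cache belong to the squid user. var/run is
  #    left root-owned on purpose: the init script kills whatever PID the pidfile
  #    names, as root, so the unprivileged squid user must not be able to write it
  #    (squid normally writes the pidfile while still privileged). /etc and /usr
  #    stay root-owned so a compromised squid cannot rewrite its config or binary.
  mkdir -p -- "${CHROOT_DIR}/var/log/squid" "${CHROOT_DIR}/var/run" "${CHROOT_DIR}/var/cache/squid"
  chown squid: "${CHROOT_DIR}/var/log/squid" "${CHROOT_DIR}/var/cache/squid"
}

main "$@"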
Danach die Cache-Verzeichnisse innerhalb des chroot anlegen (als root):
chroot ${CHROOT_DIR} /usr/sbin/squid -z
/etc/init.d/squid
#!/sbin/runscript
# Gentoo init script for a squid that runs inside a chroot: every squid
# invocation below goes through /usr/bin/chroot, and the pidfile is read from
# inside the chroot.
# Must be the same directory the chroot was built in.
CHROOT_DIR="/squidroot"
# Offer "reload" as an additional action next to start/stop.
opts="${opts} reload"
depend() {
	# squid only makes sense with networking up
	need net
}
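# Try to raise the number of file descriptors squid may open.
# Uses SQUID_MAXFD (if set), capped at 8192, and bumps the system-wide
# fs.file-max when it leaves less than 4096 descriptors of headroom.
# Does nothing when SQUID_MAXFD is unset or /proc/sys/fs/file-max is missing;
# rejects a non-numeric SQUID_MAXFD instead of feeding it to -le / ulimit.
# Note: writing file-max changes a global kernel limit for every process on
# the host, not only for squid.
maxfds() {
	local global_max wanted_min
	[ -n "$SQUID_MAXFD" ] || return 0
	case "$SQUID_MAXFD" in
		*[!0-9]*)
			echo "SQUID_MAXFD must be a positive integer" >&2
			return 1
			;;
	esac
	[ -f /proc/sys/fs/file-max ] || return 0
	[ "$SQUID_MAXFD" -le 8192 ] || SQUID_MAXFD=8192
	global_max=$(cat /proc/sys/fs/file-max)
	wanted_min=$((SQUID_MAXFD + 4096))
	if [ "$global_max" -lt "$wanted_min" ]; then
		echo "$wanted_min" > /proc/sys/fs/file-max
	fi
	ulimit -n "$SQUID_MAXFD"
}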
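start() {
	local rv
	maxfds
	ebegin "Starting squid (chroot)"
	# squid writes its pidfile inside the chroot (stop() and the weekly cron job
	# read it there). Pointing start-stop-daemon at the host path /var/run meant
	# the "already running" check never found it and a second squid could be
	# started. --startas is only the program to run; --name is what to look for,
	# because after chroot(8) exec's it the process is "squid", not "chroot".
	start-stop-daemon --quiet --start --startas /usr/bin/chroot \
		--name squid --pidfile ${CHROOT_DIR}/var/run/squid.pid \
		-- ${CHROOT_DIR} /usr/sbin/squid ${SQUID_OPTS} < /dev/null
	rv=$?
	# give squid a moment to come up; report start-stop-daemon's status, not sleep's
	sleep 1
	eend $rv
}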
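stop() {
	local pid count
	ebegin "Stopping squid (chroot)"
	# The pidfile lives inside the chroot. Its content is handed to kill as
	# root, so the file must stay unwritable by the squid user; anything that
	# is not a plain number is ignored rather than passed on.
	pid=$(cat ${CHROOT_DIR}/var/run/squid.pid 2>/dev/null)
	case "$pid" in
		*[!0-9]*) pid= ;;
	esac
	start-stop-daemon --stop --quiet --pidfile ${CHROOT_DIR}/var/run/squid.pid
	# squid may keep running for a while after the stop signal; wait until it
	# has _really_ gone away.
	sleep 2
	if [ -z "$pid" ] || ! kill -0 "$pid" 2>/dev/null; then
		eend 0
		return 0
	fi
	einfon "Waiting ."
	count=0
	while kill -0 "$pid" 2>/dev/null; do
		count=$((count + 1))
		if [ "$count" -gt 60 ]; then
			# about 120 seconds; the original fell through to "done." / eend 0
			# here and reported success for a process that never stopped
			eend 1 "Failed."
			return 1
		fi
		sleep 2
		echo -n "."
	done
	echo -n "done."
	eend 0
}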
reload() {
	ebegin "Reloading squid (chroot)"
	# ask the running squid, from inside its chroot, to re-read its configuration
	/usr/bin/chroot ${CHROOT_DIR} /usr/sbin/squid -k reconfigure
	eend $?
}
/etc/cron.weekly/squid.cron
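#!/bin/sh
# Weekly log rotation for the chrooted squid. Only asks squid to rotate when
# the PID in the chroot's pidfile belongs to a live process named squid;
# otherwise the script quietly exits non-zero, as the original did.
CHROOT_DIR="${CHROOT_DIR:-/squidroot}"

# Return 0 if $CHROOT_DIR/var/run/squid.pid names a running squid process.
# Anything but a plain number in the pidfile is rejected before it reaches ps.
squid_running() {
	pidfile="${CHROOT_DIR}/var/run/squid.pid"
	[ -e "$pidfile" ] || return 1
	pid=$(cat "$pidfile")
	case "$pid" in
		''|*[!0-9]*) return 1 ;;
	esac
	ps -p "$pid" | grep -q squid
}

squid_running && chroot "${CHROOT_DIR}" /usr/sbin/squid -k rotate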
Läuft der Host mit dynamischen IPs (und wechselnden Nameservern), sollte in der /etc/ppp/ip-up die jeweils aktuelle /etc/resolv.conf nach ${CHROOT_DIR}/etc/ kopiert werden – squid sieht innerhalb des chroot nur diese Kopie. Anschließend ggf. ein `squid -k reconfigure` (bzw. `/etc/init.d/squid reload`), damit die neuen Nameserver übernommen werden.
Teilweise geklaut aus http://www.debiansec.com/linux/services/webproxy.html
Bitte Feedback!

