Squid is a proxy server that can be configured in a reverse proxy mode or accelerated mode.  This mode allows us to take some of the complexity out of managing our Cold Fusion environment.

In an effort to reduce the risk and contain the damage caused by, as yet, unknown or undiscovered bugs in squid, we can quarentine the exececution environment into a chroot jail. A program that is started using the chroot command is started with the filesystem root specified on the command line. This will isolate the execution of that process (and all subprocesses) to that directory and below. While it is theoretically possible to break out of this sort of jail, it is not part of the script-kiddie arsenal (yet); therefore, this method provides a form of apriori bug protection (if you will). Additionally we will take advantage of BINDs capibility to run suid as a non-privilidged user.

This procedure covers creation of a chroot jail for the Solaris 7 OS. To start off we need to decide where our to house the jails for various executables. (I am taking the generic approach that there may be other programs that could use this method for additional security.) I have adopted /opt/jails as the base directory. In this case we'll put squid in /opt/jails/squid. Note: this procedure is only used to protect squid instances on external webservers.
(Comments copied and adapted from  Chroot-BIND by Mark Owens)

1. System File Preparation
1. Create a psuedo-user called squid with the UID of 51000 in /etc/passwd and /etc/shadow. (use /bin/false as the login shell)
2. Create a group called squid with the GID of 51000 in /etc/group
3. mkdir /opt/jails
4. chown root:other /opt/jails
5. chmod 700 /opt/jails
6. mkdir /opt/jails/etc
7. chown root:other /opt/jails/etc
8. chmod 700 /opt/jails/etc
2. Create the squid jail
1. mkdir /opt/jails/squid
2. chown squid:squid /opt/jails/squid
3. chmod 755 /opt/jails/squid
4. cd /opt/jails/squid
5. mkdir bin dev etc opt tmp usr var
6. chown root:other bin dev etc opt tmp usr var
7. chmod 755 bin dev etc opt usr var
8. chmod 777 tmp
9. chmod o+s tmp
10. mkdir opt/squid usr/lib var/adm var/tmp
11. chown squid:squid opt/squid var/adm
12. chmod 750 opt/squid
13. chown root:other usr/lib var/tmp
14. chmod 755 usr/lib
15. chmod 770 var/adm
16. chmod 777 var/tmp
17. chmod o+s var/tmp
18. mkdir /opt/jails/squid/usr/platform
19. mkdir /opt/jails/squid/usr/platform/SUNW,Ultra-5_10
20. mkdir /opt/jails/squid/usr/platform/SUNW,Ultra-5_10/lib
21. chmod -R 755 /opt/jails/squid/usr/platforms
22. mkdir /opt/jails/squid/var/cache
23. chown squid:squid /opt/jails/squid/var/cache
24. chmod 775 /opt/jails/squid/var/cache
3. Fill in OS required portion of the squid jail
1. Setup bin directory
• cd /opt/jails/squid/bin
• cp /bin/sh .
• cp /bin/false .
• chown bin:bin sh false
• chmod 555 sh false
2. Create the needed devices
• cd /opt/jails/squid/dev
• mknod conslog c 21 0
• mknod log c 21 5
• mknod null c 13 2
• mknod syscon c 0 0
• mknod zero c 13 12
• chmod 666 conslog null zero
• chmod 640 log
• chmod 620 syscon
• chown root:other log null zero
• chown root:sys conslog
• chown root:tty syscon
3. Setup system configuration files
• cd /opt/jails/squid/etc
• cp /etc/group .
• remove all entries except root other bin sys tty and squid
• cp /etc/hosts .
• cp /etc/nsswitch.conf .
• cp /etc/resolv.conf .
• cp /etc/passwd .
• remove all entries except root sys squid
• cp /etc/shadow .
• remove all entries except root sys squid
• lock all entries with the *LK* passwd string
• set the ageing info to 6445 for all entries
• cp /etc/TIMEZONE .
• cp /etc/netconfig .
• chmod 444 group hosts nsswitch.conf passwd resolv.conf TIMEZONE netconfig
• chmod 400 shadow
• chown root:sys group hosts nsswitch.conf
• chown root:other passwd resolv.conf shadow TIMEZONE netconfig
4. Copy the needed libraries
• cd /opt/jails/squid/usr/lib
• cp /usr/lib/ld.so.1 .
• cp /usr/lib/libc.so.1 .
• cp /usr/lib/libcrypt_i.so.1 .
• cp /usr/lib/libgen.so.1 .
• cp /usr/lib/libdl.so.1 .
• cp /usr/lib/libl.so.1 .
• cp /usr/lib/libm.so.1 .
• cp /usr/lib/libmp.so.1 .
• cp /usr/lib/libmp.so.2 .
• cp /usr/lib/libnsl.so.1 .
• cp /usr/lib/libpthread.so.1 .
• cp /usr/lib/libresolv.so.2 .
• cp /usr/lib/libsocket.so.1 .
• cp /usr/lib/libthread.so.1 .
• cp /usr/lib/nss_dns.so.1 .
• cp /usr/lib/nss_files.so.1 .
• chmod 755 *
• chown bin:bin l*
4. Install the squid package from omni
1. copy /usr/local/squid.opt-installed.tar.Z to /opt
2. zcat /opt/squid.opt-installed.tar.Z | tar xvf -
3. modify the /opt/squid/etc/squid.conf to contain the following
• cache_effective_user squid
• cache_effective_group squid
• cache_dir null /opt/jails/squid/var/tmp (This is to set it so it will not cache. /var/tmp can be anything, but must exist)
4. /opt/squid/bin/squid -z (Initializes the cache)
5. mv /opt/squid /opt/jails/squid/opt
6. vi /opt/jails/squid/opt/squid/etc/squid.conf
• change cache_dir to cache_dir null /var/tmp
• Make all changes appropriate to server...httpd_accel_port, httpd_accel_host, http_port, and any acl changes
• Sample squid.conf here
7. cd /opt/jails/
8. chown -R squid:squid squid
9. chroot /opt/jails/squid /opt/squid/bin/squid

 
 
1. Configure startup scripts
1. mv /opt/jails/squid/opt/squid/etc/S80squid /etc/rc2.d
2. Test squid
3. Post-install
1. Ensure that chroot area is maintained at the current revision levels for security patches that affect the usr/lib and bin files.
2. Maintain squid executables as required.

References

1. Squid website