Re: [squid-users] squid setuid-binary ncsa_auth and pam_auth

From: Amos Jeffries <squid3@dont-contact.us>
Date: Fri, 2 Nov 2007 11:37:46 +1300 (NZDT)

> During a review on squid, we found the following setuid-binary set to
> run as root
> E: squid setuid-binary /usr/lib64/squid/ncsa_auth root 04750
> E: squid setuid-binary /usr/lib64/squid/pam_auth root 04750
>
> Kicking around Google I find that:
>
> ncsa_auth allows Squid to read and authenticate user and password
> information from an NCSA/Apache httpd-style password file when using
> basic HTTP authentication.
>
> Pam_auth allows Squid to connect to mostly any available PAM database
> to validate the user name and password of Basic HTTP authentication.
>
> The only thing I can think of these being used for is if we needed to
> allow normal users to access squid, or to auth to the cachemngr.cgi - is
> this true? Is it safe to turn this off if I don't want to use either of
> these features? If so, shouldn't this be off by default?

If you are not using basic auth, then yes it is probably safe to turn them
off by default.

Amos
Received on Thu Nov 01 2007 - 16:37:49 MDT
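
One way to check whether the setuid helpers from the report are in use before turning them off. This is an added example, not part of the original thread or Squid's own tooling. It assumes helpers are referenced by absolute path on `auth_param basic program` lines in squid.conf; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report setuid Squid helpers that the configuration does not use.
# Usage: sh check_helpers.sh /path/to/squid.conf /usr/lib64/squid

# Print the helper path from every active "auth_param basic program" line.
# Commented-out lines are skipped because their first field starts with "#".
basic_auth_helpers() {
    awk '$1 == "auth_param" && $2 == "basic" && $3 == "program" { print $4 }' "$1"
}

# Print every regular file with the setuid bit directly inside the helper directory.
setuid_helpers() {
    find "$1" -maxdepth 1 -type f -perm -4000 2>/dev/null | sort
}

# Print setuid helpers that no active basic-auth line refers to.
# These are the candidates for having the setuid bit removed.
unused_setuid_helpers() {
    conf=$1
    dir=$2
    used=$(basic_auth_helpers "$conf")
    setuid_helpers "$dir" | while IFS= read -r helper; do
        # Exact, whole-line match so /x/ncsa_auth does not match /x/ncsa_auth2.
        printf '%s\n' "$used" | grep -Fxq "$helper" || printf '%s\n' "$helper"
    done
}

# Run only when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    unused_setuid_helpers "$1" "$2"
fi
```

A helper that the configuration reaches through a wrapper script or a relative path will be listed as unused, so review the output against squid.conf before changing modes.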
