SquidGuard: Config files executable?

  • Hello. Just a quick question: Why are the configuration files of SquidGuard executable (for everyone) and couldn't this be a security issue?

    ls -la /usr/local/etc/squidGuard/
    total 30
    drwxr-xr-x   2 squid  squid   512 Jul 29 16:22 .
    drwxr-xr-x  27 root   wheel  2048 Jul 28 17:27 ..
    -rwxr-xr-x   1 squid  squid  1383 Jul 29 16:19 blacklist.files
    -rwxr-xr-x   1 squid  squid  8597 Jul 29 16:31 squidGuard.conf
    -rwxr-xr-x   1 squid  squid   455 Jul 29 14:58 squidGuard__usrdbrebuild.conf
    -rwxr-xr-x   1 squid  squid  8159 Jul 29 16:19 squidGuard_blk_rebuild.conf
    -rwxr-xr-x   1 squid  squid  2484 Aug  4 10:20 squidguard_conf.xml

  • Rebel Alliance Developer Netgate

    They aren't actually scripts so that isn't really a security issue, but it isn't necessary. Most likely something in the package code is doing a chmod on them with unnecessary permissions.

  • Well it could become a security issue, if someone manages somehow to get code into one of the files.

  • Rebel Alliance Developer Netgate

    It would also have to have the right shebang at the start of the file, which I don't see happening.

    Looking at the code, it seems to blindly set 0755 permissions everywhere, though I don't immediately see a good reason for it to do so. It should probably be using 0644 instead, but that is something that will need some testing before putting it in the package.

  • Yeah I just felt uneasy seeing that. I believe nothing has to have +x except for those that need to be executed. Everything else should be only readable for those that need to read it.
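
Added example, not part of the thread and not the package's own code: a shell audit that lists regular files carrying any execute bit under a config directory, separates real scripts (a shebang in the first two bytes) from data files, and with `fix` resets the data files to the 0644 mode suggested above. The tree built by `make_sample` is constructed; `rebuild.sh` and all file contents are hypothetical.

```shell
#!/bin/sh
# Audit a config directory for executable regular files.

# Return 0 if the file begins with "#!" (a shebang line).
has_shebang() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = '#!' ]
}

# audit_exec_bits DIR [fix]
# Prints "script <path>" or "data <path>" for every regular file that has
# an execute bit for owner, group or other. With "fix", files classified
# as data are set to 0644; scripts are left untouched.
audit_exec_bits() {
    dir=$1
    mode=${2:-report}
    find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
    while IFS= read -r f; do
        if has_shebang "$f"; then
            echo "script $f"
        else
            echo "data $f"
            if [ "$mode" = fix ]; then
                chmod 0644 "$f"
            fi
        fi
    done
}

# Constructed sample tree loosely mirroring the listing in the thread.
# File contents and rebuild.sh are made up for the demonstration.
make_sample() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/sgaudit.XXXXXX") || return 1
    printf 'dbhome /var/db/squidGuard\n' > "$d/squidGuard.conf"
    printf 'blk_example\n' > "$d/blacklist.files"
    printf '#!/bin/sh\necho rebuild\n' > "$d/rebuild.sh"
    printf 'plain\n' > "$d/notes.txt"
    chmod 0755 "$d/squidGuard.conf" "$d/blacklist.files" "$d/rebuild.sh"
    chmod 0644 "$d/notes.txt"
    echo "$d"
}
```

Run `audit_exec_bits /usr/local/etc/squidGuard` to report only; a package may reapply its own modes when it rewrites the files, so the report is the durable part.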

