Currently, the squidsrv service runs under the account NT AUTHORITY\LocalSystem. As this is the system account with the highest administrative privileges, this is a huge security issue - consider a security flaw in the proxy implementation: if an attacker is able to perform remote code execution, they gain control of the entire system.
It would be better to run the service under an account with least privileges. I would suggest using a dedicated virtual account for this purpose, such as NT Service\squidsrv. This could be realised by using the Account property of the ServiceInstall element in the installer. Note that the permissions of the /dev and /var folders have to be changed accordingly as well. (I have noticed that log files and the PID file have broken security descriptors when created through the service / cygwin itself, so they might have to be created and configured beforehand)
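An added example, not part of the original issue or the project's installer: one way an administrator could apply the suggested change to an existing install, by moving the service to its virtual account and granting that account access to the two folders the issue names. The install path `C:\Squid` and the mapping of `/dev` and `/var` to subfolders of it are assumptions.

```powershell
# Run from an elevated PowerShell session.
# Assumptions (not from the issue): $SquidRoot is a placeholder install path,
# and the Cygwin /dev and /var folders are the 'dev' and 'var' subfolders of it.
$ServiceName = 'squidsrv'
$Account     = "NT SERVICE\$ServiceName"   # per-service virtual account, no password to manage
$SquidRoot   = 'C:\Squid'

# 1. Record which account the service runs as today.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
Write-Output "Current account: $($svc.StartName)"

# 2. Stop the service and point it at the virtual account.
Stop-Service -Name $ServiceName -Force
& sc.exe config $ServiceName obj= $Account | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# 3. Grant Modify on the writable folders only, inherited by files and subfolders.
#    /T also rewrites entries on files that already exist (logs, PID file).
foreach ($dir in 'var', 'dev') {
    $path = Join-Path $SquidRoot $dir
    if (-not (Test-Path $path)) { throw "Expected folder missing: $path" }
    & icacls.exe $path /grant "${Account}:(OI)(CI)M" /T | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $path" }
}

# 4. Restart and confirm the change took effect.
Start-Service -Name $ServiceName
$after = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($after.StartName -ne $Account) {
    Write-Warning "Service still runs as $($after.StartName)"
} else {
    Write-Output "Service now runs as $($after.StartName)"
}
```

If the service fails to start after the switch, review the ACLs on the existing log and PID files with `icacls.exe` before widening any grant.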