Should a "squid" user have a shell?
Rob Farmer
rfarmer at predatorlabs.net
Wed Sep 1 19:46:29 UTC 2010
On Wed, Sep 1, 2010 at 12:38 PM, Rob Farmer <rfarmer at predatorlabs.net> wrote:
> On Wed, Sep 1, 2010 at 9:02 AM, Ed Flecko <edflecko at gmail.com> wrote:
>> Hi folks,
>> I'm looking in some documentation for Squid, which I'm installing on a
>> FBSD 8.1 server, and it says I need to create a squid user and a squid
>> group because I'm building/installing from source.
>>
>> I see to create the squid user, I use the (of course) "adduser"
>> command (there isn't a default squid user with the base install, is
>> there?).
>>
>> 1.) When I use the adduser command, from a security perspective,
>> should the squid user have a shell? What should it be?
>>
>> 2.) How do I create a squid group and add the squid user to it?
>>
>> 3.) Since the squid user needs full access to the squid directory and
>> all of its files, what's the easiest way to give the appropriate
>> permissions?
>
> Service accounts shouldn't have a password (their password field
> should be "starred out") and should have a shell of /usr/sbin/nologin
> (this program logs any attempt to run it and exits).
>
> The port uses the following commands to set this up:
>
> pw groupadd squid -g 100 -q
> pw useradd -q -n squid -u 100 -g squid -c "Squid caching-proxy psuedo
> user" -d "/var/squid" -s "/usr/sbin/nologin" -h -
Addendum: the "-q" flag suppresses output/errors - good for a script,
but you probably want to remove it for interactive use.
--
Rob Farmer
>
> This assumes data is in /var/squid. You can create this directory and
> use chmod/chown to give the user and group necessary permissions.
>
> The UID and GID (100 and 100 in this case) come from the lists in
> /usr/ports and are reserved for squid to avoid conflicts.
>
> --
> Rob Farmer
>
>>
>> Thank you,
>> Ed
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>>
>
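
Added example, not part of the original message: a small check that an account entry in master.passwd(5) layout matches the advice in the reply above (password field starred out, shell set to /usr/sbin/nologin). The sample entries, the badsvc and weaksvc accounts, and the function names are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample data in master.passwd(5) layout:
# name:password:uid:gid:class:change:expire:gecos:home:shell
sample_passwd() {
cat <<'EOF'
root:$6$constructedhash:0:0::0:0:Charlie &:/root:/bin/csh
squid:*:100:100::0:0:Constructed squid entry:/var/squid:/usr/sbin/nologin
badsvc:*:101:101::0:0:Constructed bad entry:/var/badsvc:/bin/sh
weaksvc:$6$constructedhash:102:102::0:0:Constructed bad entry:/var/weaksvc:/usr/sbin/nologin
EOF
}

# audit_account USER
# Reads master.passwd-format lines on stdin and prints one finding per problem.
# Exit status: 0 = entry is clean, 1 = findings, 2 = account not present.
audit_account() {
    awk -F: -v user="$1" '
        $1 == user {
            found = 1
            if (NF != 10) {
                print user ": malformed entry (" NF " fields)"
                bad = 1
                next
            }
            # "*" is what "pw useradd ... -h -" writes: no password can match it.
            if ($2 != "*") {
                print user ": password field is not starred out"
                bad = 1
            }
            if ($10 != "/usr/sbin/nologin") {
                print user ": shell is " $10 ", expected /usr/sbin/nologin"
                bad = 1
            }
        }
        END {
            if (!found) { print user ": no such account"; exit 2 }
            exit bad + 0
        }
    '
}

# Demo run over the constructed data; "|| :" keeps the loop going on findings.
for u in squid badsvc weaksvc; do
    sample_passwd | audit_account "$u" || :
done
```

On a real FreeBSD host the same function can read /etc/master.passwd as root, for example `audit_account squid < /etc/master.passwd`.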