# squid needs chmod 644 /dev/pf ?



## kvi (Jul 28, 2013)

Hi,

I am trying to run Squid 3.3.8 as a transparent proxy. I use pf as my firewall. I had huge problems getting it to work and I usually ended up getting this kind of lines to my cache.log:


```
2013/07/27 22:51:37 kid1| PF open failed: (13) Permission denied
```

After fighting with Squid for a day I finally decided to try `chmod 640 /dev/pf`. Didn't solve the problem, but running `chmod 644 /dev/pf` did solve it. 

I don't know if this can lead to security issues? I am the only one having an account to the system. 

Anyway, after a reboot the permissions of /dev/pf was set back to 600. Should I make a bootscript for setting permissions to 644 or does someone have a better solution after having this similar problem?


----------



## ShelLuser (Jul 28, 2013)

kvi said:
			
		

> After fighting with squid for a day I finally decided to try `chmod 640 /dev/pf`. Didn't solve the problem, but running `chmod 644 /dev/pf` did solve it.
> 
> I don't know if this can lead to security issues? I am the only one having an account to the system.


Well; you and the web server, the proxy server, your mail server and don't forget the optional DNS server. All of those also have an account on your system.

Yes, this could turn into quite the security issue because you just gave everyone on your system access to this device. So if you host websites on this server and people are allowed to run their own scripts you have a potential security risk, since they can now also inquire the state of your firewall (and perhaps even alter it, I'm not sure there though).

I'd suggest that you use groups instead. Most likely the device is owned by root:wheel, and obviously running a proxy server as a member of the wheel group is a bad idea. But you can easily create a new group, make the proxy server account a member of this group and then provide the required access bits to /dev/pf, but only to the group.

That way you'd still open the firewall up a little bit, but it would be a lot better than giving everyone access.


----------



## kpa (Jul 28, 2013)

The way you can control the access bits on /dev entries without using custom scripts is trough devfs.conf(5). For example:


```
perm pf 0644
```

The ultimate solution would be acl(3) support for devfs(8). You could then just state in a devfs.conf entry that you want to add read access for group proxy to devnode pf.


----------



## kvi (Jul 28, 2013)

I put permissions to 640 and used another group for /dev/pf. You are right that all services have access to the system, but I don't really run many things open to the internet. This is still better. 

I actually remember I saw an old thread where someone did this same trick, but I was still looking for a better solution when I found it. Had forgotten it until reminded again.


----------



## DutchDaemon (Jul 29, 2013)

/etc/devfs.conf:

```
own     pf      root:squid
perm    pf      0640
```

`service devfs restart`

Done.


----------

