fix(squid): run Squid container as non-root user (#1153)

Mossaka · claude · web-flow · commit 8c6047f17811 · 2026-03-05T11:22:55.000-08:00
* fix(security): run Squid container as non-root user Install gosu in the Squid container and use it to drop from root to the proxy user (UID 13) before starting Squid. The entrypoint still runs as root initially to fix mounted volume permissions, then drops privileges via `gosu proxy` before exec'ing squid. Changes: - Dockerfile: install gosu, create and chown /var/spool/squid, /var/run/squid, and /etc/squid for the proxy user - entrypoint.sh: use `exec gosu proxy squid -N -d 1` instead of `exec squid -N -d 1` Fixes #250 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(squid): ensure /run/squid.pid is writable by proxy user Squid's default pid_filename is /run/squid.pid, which is not writable by the proxy user after dropping privileges via gosu. Create and chown the pid file before starting Squid. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(squid): make squid.conf readable by proxy user The squid.conf was written with mode 0o600 (owner-only), but since Squid now runs as the proxy user via gosu, it couldn't read its own config file. Changed to 0o644 so the proxy user can read it. The docker-compose.yml retains 0o600 since it contains sensitive environment variables. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/containers/squid/Dockerfile b/containers/squid/Dockerfile
@@ -1,19 +1,20 @@
 FROM ubuntu/squid:latest
 
 # Install additional tools for debugging, healthcheck, and SSL Bump
+# gosu is used to drop from root to proxy user after permission setup
 # Retry logic handles transient 404s when Ubuntu archive supersedes package versions mid-build
 RUN set -eux; \
-    PKGS="curl dnsutils net-tools netcat-openbsd openssl squid-openssl"; \
+    PKGS="curl dnsutils gosu net-tools netcat-openbsd openssl squid-openssl"; \
     apt-get update && \
     apt-get install -y --only-upgrade gpgv && \
     ( apt-get install -y --no-install-recommends $PKGS || \
       (rm -rf /var/lib/apt/lists/* && apt-get update && \
        apt-get install -y --no-install-recommends $PKGS) ) && \
     rm -rf /var/lib/apt/lists/*
 
-# Create log directory and SSL database directory
-RUN mkdir -p /var/log/squid && \
-    chown -R proxy:proxy /var/log/squid
+# Create log directory and SSL database directory, ensure proxy user owns them
+RUN mkdir -p /var/log/squid /var/spool/squid /var/run/squid && \
+    chown -R proxy:proxy /var/log/squid /var/spool/squid /var/run/squid /etc/squid
 
 # Copy entrypoint script
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh
diff --git a/containers/squid/entrypoint.sh b/containers/squid/entrypoint.sh
@@ -19,5 +19,11 @@ if [ -d "/var/spool/squid_ssl_db" ]; then
   echo "[squid-entrypoint] SSL certificate database ready"
 fi
 
-# Start Squid
-exec squid -N -d 1
+# Ensure Squid config directory and run directory are writable by proxy
+chown -R proxy:proxy /etc/squid /var/run/squid /var/spool/squid 2>/dev/null || true
+
+# Ensure pid file is writable by proxy user (default: /run/squid.pid)
+touch /run/squid.pid && chown proxy:proxy /run/squid.pid
+
+# Drop to proxy user and start Squid
+exec gosu proxy squid -N -d 1
diff --git a/src/docker-manager.test.ts b/src/docker-manager.test.ts
@@ -2008,11 +2008,11 @@ describe('docker-manager', () => {
         // May fail after writing configs
       }
 
-      // Verify squid.conf has restricted permissions
+      // Verify squid.conf is readable by proxy user (0o644) for non-root Squid
       const squidConfPath = path.join(testDir, 'squid.conf');
       if (fs.existsSync(squidConfPath)) {
         const stats = fs.statSync(squidConfPath);
-        expect((stats.mode & 0o777).toString(8)).toBe('600');
+        expect((stats.mode & 0o777).toString(8)).toBe('644');
       }
 
       // Verify docker-compose.yml has restricted permissions
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
@@ -1254,7 +1254,7 @@ export async function writeConfigs(config: WrapperConfig): Promise<void> {
     allowHostPorts: config.allowHostPorts,
   });
   const squidConfigPath = path.join(config.workDir, 'squid.conf');
-  fs.writeFileSync(squidConfigPath, squidConfig, { mode: 0o600 });
+  fs.writeFileSync(squidConfigPath, squidConfig, { mode: 0o644 });
   logger.debug(`Squid config written to: ${squidConfigPath}`);
 
   // Write Docker Compose config

Original file line number	Diff line number	Diff line change
`@@ -2008,11 +2008,11 @@ describe('docker-manager', () => {`
`2008`	`2008`	`// May fail after writing configs`
`2009`	`2009`	`}`
`2010`	`2010`
`2011`		`- // Verify squid.conf has restricted permissions`
	`2011`	`+ // Verify squid.conf is readable by proxy user (0o644) for non-root Squid`
`2012`	`2012`	`const squidConfPath = path.join(testDir, 'squid.conf');`
`2013`	`2013`	`if (fs.existsSync(squidConfPath)) {`
`2014`	`2014`	`const stats = fs.statSync(squidConfPath);`
`2015`		`- expect((stats.mode & 0o777).toString(8)).toBe('600');`
	`2015`	`+ expect((stats.mode & 0o777).toString(8)).toBe('644');`
`2016`	`2016`	`}`
`2017`	`2017`
`2018`	`2018`	`// Verify docker-compose.yml has restricted permissions`