Skip to content

feat(squid): run container as non-root proxy user #404

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

feat(squid): run container as non-root proxy user #404

Copilot wants to merge 3 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Jan 23, 2026
edited
Loading

Squid container previously started as root to fix mounted volume permissions, increasing impact of potential container escapes or Squid vulnerabilities.

Changes

Container security

  • Added USER proxy directive to run as non-root (UID 13, GID 13) from container start
  • Removed chown/chmod from entrypoint - no longer requires root at any point
  • Made /run writable by proxy user in Dockerfile (required for PID file)

Host directory permissions

  • Changed SSL database permissions: 0o7000o777 (directories), 0o6000o666 (files)
  • Squid logs already created with 0o777 - no changes needed
  • Host creates directories world-writable so proxy user can write without privilege escalation

Implementation approach

// SSL database now accessible by non-root proxy user
fs.mkdirSync(sslDbPath, { recursive: true, mode: 0o777 });  // was 0o700
fs.mkdirSync(certsPath, { mode: 0o777 });                   // was 0o700
fs.writeFileSync(indexPath, '', { mode: 0o666 });           // was 0o600

This eliminates root access entirely from the Squid container runtime, reducing attack surface compared to privilege-dropping patterns.

Original prompt

This section details on the original issue you should resolve

<issue_title>[Security] Run Squid container as non-root user</issue_title>
<issue_description>## Priority
Medium

Description

The Squid container currently runs as root initially, which increases the impact of potential container escapes or vulnerabilities in Squid itself.

Impact

  • Severity: Medium
  • Attack Vector: Squid vulnerability or container escape with root privileges
  • Risk: Greater system compromise if Squid is compromised

Proposed Solution

Configure Squid to run as a non-root user from the start:

  1. Use USER directive in Dockerfile
  2. Ensure proper permissions for Squid directories
  3. Update entrypoint script if needed

Effort Estimate

~3 hours

References

Comments on the Issue (you are @copilot in this section)

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 2 commits January 23, 2026 21:10
@Mossaka
feat(squid): run container as non-root proxy user
f4e6efb 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
@Mossaka
docs: update architecture docs for non-root squid
9cbe0f3 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title [WIP] Configure Squid container to run as non-root user feat(squid): run container as non-root proxy user Jan 23, 2026
Copilot AI requested a review from Mossaka January 23, 2026 21:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mossaka Mossaka Awaiting requested review from Mossaka

Assignees

@Mossaka Mossaka

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Security] Run Squid container as non-root user

2 participants

@Mossaka