chrooting Squid

From: Jim Breton <vader@dont-contact.us>
Date: Tue, 18 Apr 2000 05:51:53 +0000

Hi, I have been running Squid 2.2 STABLE 4 for a while now (several
months) and just upgraded to 2.3 STABLE 2 today. There are two things
with which I'm having trouble and would like help if possible.

First, I can't seem to get it to chroot itself. Previously, I was
chrooting 2.2 by hand -- creating all the required dirs, files, etc.
Now that 2.3 has built-in chroot support I would like to use this, but I
can't figure out the correct squid.conf syntax for it. The default
conf gives no examples.

I have tried the following:

chroot yes
chroot on
chroot /usr/local/squid

but no matter what, I get the following error:

Apr 17 18:56:14 tarkin (squid): failed to chroot

How should I be doing this? And do I still need to create the
mini-filesystem by hand?

The second problem I am seeing is that Squid does not appear to be
dropping all root privileges when I run it. I have set the
cache_effective_user and group to "squid" -- a local account on my
system, which is Debian potato running on a 2.2.14 kernel.

# ps auxw | grep squid
root 10711 0.0 0.9 3220 872 ? S 18:17 0:00 /usr/local/squid/bin/squid
squid 10712 0.6 3.8 5296 3676 ? S 18:17 0:00 (squid)
squid 10713 0.0 0.3 980 304 ? S 18:17 0:00 (unlinkd)

# cat /proc/10712/status (snipped)
        Name: squid
        State: S (sleeping)
        Pid: 10712
        PPid: 10711
        Uid: 1017 1017 0 1017
        Gid: 1017 1017 1017 1017

Note that 10711 is running as root, and 10712 also retains some root
privileges (I'm not sure offhand which this is without looking
at some docs).

Is this intentional? For now, I am using "su squid" and then running
the squid binary as user "squid" to be on the safe side. I believe,
however, my old version 2.2 did not behave this way. Didn't it drop all
privs even when executed as root?

I appreciate any help. Please copy me on any replies, as I am not on this
list. This is really the only issue I've ever had with Squid. Thanks!

-- 
Jim B.
vader@conflict.net
Received on Mon Apr 17 2000 - 23:54:46 MDT
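The /proc/<pid>/status dump in the post is the right place to answer the privilege question, but the four numbers on the Uid: and Gid: lines are easy to misread. On Linux they are, in order, the real, effective, saved and filesystem ids. A saved uid of 0, as pid 10712 shows, means the process can still call seteuid(0) and become root again even though it is currently running as uid 1017, so "dropping privileges" is only complete when all four slots are non-zero. The script below is an added example (not from the post and not part of Squid) that parses such a dump and names every slot that is still root; the SQUID_STATUS input is the post's own snippet, re-typed here as constructed input so the script runs stand-alone, and CLEAN_STATUS is a constructed fully-dropped process for comparison.

```shell
#!/bin/sh
# Added example: flag any uid/gid slot that is still root in a
# /proc/<pid>/status dump. The four columns of Uid:/Gid: are
# real, effective, saved and filesystem ids; a saved id of 0 is
# enough to regain root with seteuid(0)/setegid(0).

# check_ids reads a status dump on stdin. Prints one line per
# retained root slot and returns 1 if any was found, 0 otherwise.
check_ids() {
    rc=0
    while read -r key a b c d rest; do
        case "$key" in
            Uid:|Gid:) ;;
            *) continue ;;
        esac
        i=1
        for id in "$a" "$b" "$c" "$d"; do
            case $i in
                1) slot=real ;;
                2) slot=effective ;;
                3) slot=saved ;;
                4) slot=filesystem ;;
            esac
            if [ "$id" = "0" ]; then
                echo "${key%:} $slot id is root"
                rc=1
            fi
            i=$((i + 1))
        done
    done
    return $rc
}

# Constructed input: the relevant lines of /proc/10712/status as
# shown in the post (the real file has many more fields).
SQUID_STATUS='Name:   squid
State:  S (sleeping)
Pid:    10712
PPid:   10711
Uid:    1017    1017    0       1017
Gid:    1017    1017    1017    1017'

# Constructed input: what a process that used setuid()/setgid()
# (all four slots changed) would look like.
CLEAN_STATUS='Uid:    1017    1017    1017    1017
Gid:    1017    1017    1017    1017'

# Stand-alone run against the constructed dumps.
echo "== pid 10712 from the post =="
printf '%s\n' "$SQUID_STATUS" | check_ids || echo "root can be regained"
echo "== fully dropped process =="
printf '%s\n' "$CLEAN_STATUS" | check_ids && echo "all ids non-root"
```

Against a live process the same check is `check_ids < /proc/<pid>/status`; an expected result on the post's pid 10712 is the single line "Uid saved id is root" and a non-zero return, which is exactly the "retains some root privileges" observation made above.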

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:52:58 MST