On Monday 14 January 2002 23.53, Colin Campbell wrote:
> And this takes us back to where we started. Here's part of Alex's
> original email showing the permissions on squid.conf.
>
> -r-xr-x--- 1 root squidadm 92485 Dec 28 15:44
> /usr/local/squid/etc/squid.conf
>
> I don't know what prompted Alex to set the permissions that way,
> but I guess the problem is that squid cannot read the file once it
> has switched uid. When it starts, squid is running as root and so
> can read the file. Once it has switched to cache_effective_user and
> _group the file is inaccessible and squid dies on reconfigure.

Smells like a minor bug. Only the user starting Squid should need to
be able to read the config.

Checking.. yep. Seems to be the case. Please try the attached patch.

Workaround: Have configuration files world readable, or fully restart
Squid when changing the configuration.

Note: The other configuration files such as mime.conf are
intentionally read by the cache_effective_user, and thus need to be
world readable even after this patch.

To summarize the recommended permissions in a squid/squidadm setup:

Squid configuration directories: (etc)
    Owner: root
    Group: squidadm
    Mode:  2775 (rwxrwsr-x)

Squid configuration data:
    squid.conf and any files included by it
        Owner: root
        Group: squidadm
        Mode:  660 (rw-rw----) (*1)
    mime.conf:
        Owner: root
        Group: squidadm
        Mode:  664 (rw-rw-r--)

    Note 1: In Squid versions prior to Squid-2.5 squid.conf files may
    need to be world readable (Mode: 664) for "squid -k reconfigure" to
    work. As a workaround if having the files world readable is not
    acceptable, restart Squid when changing configuration data.

Squid binaries:
    Owner: root
    Group: squidadm
    Mode:  775 (rwxrwxr-x)

Squid cache and logs directories:
    Owner: squid
    Group: squidadm
    Mode:  2770 (rwxrws---)

Squid effective user and group:
    cache_effective_user squid
    cache_effective_group squid

Regards
Henrik Nordström
Squid Developer
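
The access check behind the report above, plus an audit helper for the recommended modes, as an added example (not part of the original message and not Squid's code). The numeric uids/gids are constructed, and the squid process is assumed to hold only the squid group after switching to cache_effective_user and cache_effective_group.

```python
import os
import stat

# Constructed numeric ids for illustration; real systems will differ.
ROOT, SQUID, ADMIN = 0, 3128, 1000   # uids: root, squid, a squidadm member
G_SQUIDADM, G_SQUID = 500, 3128      # gids: squidadm, squid

# (owner uid, group gid, mode) as recommended in the message above.
LAYOUT = {
    "squid.conf": (ROOT, G_SQUIDADM, 0o660),
    "mime.conf": (ROOT, G_SQUIDADM, 0o664),
}
# The file from the quoted report: -r-xr-x--- root squidadm
REPORTED = (ROOT, G_SQUIDADM, 0o550)

def can_read(owner, group, mode, uid, gids):
    """Unix read check: only the first matching class (user/group/other) applies."""
    if uid == 0:
        return True                      # root bypasses file read permissions
    if uid == owner:
        return bool(mode & stat.S_IRUSR)
    if group in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def audit_path(path, owner, group, mode):
    """Return a list of mismatches between a real file and the expected values."""
    st = os.stat(path)
    found = stat.S_IMODE(st.st_mode)     # includes the setgid bit (e.g. 2775)
    problems = []
    if st.st_uid != owner:
        problems.append(f"owner uid {st.st_uid}, want {owner}")
    if st.st_gid != group:
        problems.append(f"group gid {st.st_gid}, want {group}")
    if found != mode:
        problems.append(f"mode {found:o}, want {mode:o}")
    return problems

if __name__ == "__main__":
    for name, spec in {"reported squid.conf": REPORTED, **LAYOUT}.items():
        print(f"{name:20} root={can_read(*spec, ROOT, {0})} "
              f"squid={can_read(*spec, SQUID, {G_SQUID})} "
              f"admin={can_read(*spec, ADMIN, {G_SQUIDADM})}")
```

The reported file is readable at startup (root) but not after the uid switch, while mime.conf at 664 stays readable by the squid user through the "other" bits.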