Re: [squid-users] Squid in chroot jail reconfigure/rotate FATAL errors: SOLVED

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Tue, 18 Nov 2008 09:57:44 +0100

On fre, 2008-11-14 at 16:41 +0100, Rudi Vankemmel wrote:
> I have seen quite some postings indicating errors when issuing a
> squid -k reconfigure or squid -k rotate from within a chroot jail.

-k rotate should work fine in a chroot, but -k reconfigure requires a
bit of dual filesystem layout and relaxed permissions to work.

The reason for this is that Squid permanently drops all root permissions
when chrooted, to prevent a possible chroot breakout in case of
compromise, but the config file is still read as root before chrooting
(another security measure, making it harder for a possible attacker to
gain access to sensitive config material).

To be able to use "-k reconfigure" you must set things up so that all config
files are accessible within the chroot as your cache_effective_user
(usually done by giving one of its groups read permission to the
files), and also accessible using the same path outside the chroot.
(Some symlinking is required for this.)

Regards
Henrik

Received on Tue Nov 18 2008 - 08:57:50 MST
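
The layout described above can be checked before running "squid -k reconfigure". This is an added example, not part of the original message and not Squid tooling; the function name, return codes, and the choice to test only the group-read bit are assumptions made here.

```sh
#!/bin/sh
# check_dual_layout CHROOT_DIR CONF_PATH   (hypothetical helper)
#   CONF_PATH is the absolute config path exactly as Squid is given it.
#   Returns: 0 ok, 1 missing outside, 2 missing inside, 3 different files,
#            4 inside copy does not live in the chroot, 5 no group read bit.
# Not checked: directory traversal rights and whether cache_effective_user
# is actually a member of the file's group.
check_dual_layout() {
    _jail=${1%/}
    _conf=$2
    _inside="${_jail}${_conf}"

    # Outside view: read as root before chrooting; a symlink is fine here.
    [ -f "$_conf" ] || { echo "missing outside chroot: $_conf" >&2; return 1; }

    # Inside view: the same path string, resolved relative to the chroot.
    [ -f "$_inside" ] || { echo "missing inside chroot: $_inside" >&2; return 2; }

    # Both views must reach one file, or a reconfigure loads another config.
    [ "$_conf" -ef "$_inside" ] || { echo "paths differ: $_conf" >&2; return 3; }

    # The real file must sit inside the chroot. A symlink there that points
    # out of the tree works on the host but dangles once chrooted.
    _jail_real=$(cd -P "$_jail" && pwd -P) || return 4
    _dir_real=$(cd -P "$(dirname "$_inside")" && pwd -P) || return 4
    if [ -L "$_inside" ]; then
        echo "inside path is a symlink: $_inside" >&2; return 4
    fi
    case "$_dir_real/" in
        "$_jail_real/"*) ;;
        *) echo "inside path leaves the chroot: $_inside" >&2; return 4 ;;
    esac

    # Readable through a group, as the message suggests for cache_effective_user.
    [ -n "$(find "$_inside" -prune -perm -040 -print)" ] ||
        { echo "no group read permission: $_inside" >&2; return 5; }
    return 0
}

# Stand-alone use: sh check.sh CHROOT_DIR CONF_PATH
if [ "$#" -eq 2 ]; then check_dual_layout "$@"; fi
```
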
