Re: [squid-users] WARNING: no_suid: setuid(0): (1) Operation not permitted

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 01 Feb 2013 13:09:00 +1300

On 1/02/2013 6:03 a.m., Alex Rousskov wrote:
> On 01/31/2013 03:06 AM, Amos Jeffries wrote:
>> On 31/01/2013 10:24 p.m., Simone Levy wrote:
>>> Hello there,
>>>
>>> we are receiving warnings after upgrading squid from version 3.1 to
>>> 3.2 on FreeBSD. Squid appears to be fully operational though.
>>>
>>> The warnings seem to be relative to starting the helpers and opening
>>> the log files, but the helpers are started and the log files written to.
>> When dealing with logs from asynchronous event code things are not
>> always as they seem.
>> If those are working it's most likely not them.
>>
>> You might have to start Squid under a debugger to find out what
>> specifically setuid is being called for.
> Amos,
>
> FWIW, I have seen this warning on FreeBSD as well. Squid calls
> set_uid(0) unconditionally. My setuid man page does not mention UID of
> zero, and I have not investigated why that call was added, but I have a
> feeling that FreeBSD does not like it:
>
>> no_suid(void)
>> {
> ...
>> debugs(21, 3, "no_suid: PID " << getpid() << " giving up root priveleges for ever");
>>
>> if (setuid(0) < 0)
>> debugs(50, DBG_IMPORTANT, "WARNING: no_suid: setuid(0): " << xstrerror());

Hmm. Yes the warning is new since we started adding debugs() about
failed system calls to display previously hidden system errors.

Looking at all the documentation about setuid() and seteuid() I'm
wondering if this was supposed to be seteuid(0) - to clear any
effective-user restrictions before dropping privileges down to the
low-privileges UID.

I'm also wondering if setuid(uid) was done earlier and the low-privilege
user is what is being denied the setuid(0) - but I can't see any sign of
the "Dropping privileges" message that should appear first. Can one of
you start your Squid with level-3 debug and see where in this startup
list the dropping message appears?

There is also http://bugs.squid-cache.org/show_bug.cgi?id=3751 involved
with this somehow.

Amos
Received on Fri Feb 01 2013 - 00:09:20 MST
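
The question raised in this thread, whether setuid(0) is refused because the process is already unprivileged, can be checked in isolation. The following is an added example, not Squid's code and not from any poster: `probe_setuid0()` and `drop_privileges()` are hypothetical helpers for a POSIX system, showing that a refused setuid(0) is the expected result once a drop to a non-root UID has taken effect.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: call setuid(0) in a forked child so the caller's own
 * credentials never change. Returns 0 if the call succeeded, the child's
 * errno if it was refused, or -1 if the probe itself could not run. */
int probe_setuid0(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(setuid(0) == 0 ? 0 : errno);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hypothetical helper: switch to uid/gid for good, then check the result.
 * Returns 0 on success, -1 if any step or the final check fails. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be reset while still root. */
    if (geteuid() == 0 && setgroups(1, &gid) < 0)
        return -1;
    /* Group before user: after root is given up, changing the GID is refused. */
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* After a drop to a non-root UID, a refused setuid(0) is the good case. */
    if (uid != 0 && probe_setuid0() <= 0)
        return -1;
    return 0;
}

int main(void)
{
    int r = probe_setuid0();
    printf("uid=%d euid=%d setuid(0): %s\n", (int)getuid(), (int)geteuid(),
           r < 0 ? "probe failed" : r == 0 ? "allowed" : strerror(r));
    return 0;
}
```

Run as an ordinary user, the probe normally reports "Operation not permitted", the same errno text as in the warning from the subject line.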