
Re: Problem writing squid PID file when tproxy is enabled.


 



My quick analysis showed that the issue is caused by the capset() call in
leave_suid(). Not sure how it affects creating the pid file, though this
happens well before the leave_suid() call.

Squid starts leaving suid very early, then bounces back to root
momentarily to perform privileged actions.

I think I understand what happens here... if you have TPROXY enabled
Squid drops quite a few capabilities to be able to keep some without
running as root. One of those capabilities dropped is CAP_FOWNER and as
a result the pid file can only be created in directories owned by root.

You can verify if this is the cause by removing the enter/leave_suid
calls from tools.c writePidFile() and around the related safeunlink call
in main.c squidShutdown().

Commenting out enter_suid() in writePidFile() is able to create the PID
file.
On the other side, obviously if the directory holding the PID file is owned
by root (like /var/run in Redhat) then the same type of problem would occur.
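
Added example, not part of the original message and not Squid's code: a small diagnostic that parses the effective capability mask (CapEff) from /proc/<pid>/status text and reports whether CAP_FOWNER and CAP_DAC_OVERRIDE are still held, which is the state the discussion above reasons about. The sample status text and mask values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from <linux/capability.h>. Per capabilities(7):
 * CAP_DAC_OVERRIDE bypasses file read/write/execute permission checks,
 * CAP_FOWNER bypasses checks that need the process UID to match the owner. */
#define CAP_BIT_DAC_OVERRIDE 1
#define CAP_BIT_FOWNER       3

/* Constructed samples of /proc/<pid>/status: a root process with a reduced
 * effective set, and one with a full set. Mask values are illustrative. */
const char SAMPLE_REDUCED[] =
    "Name:\tsquid\nUid:\t0\t0\t0\t0\nCapPrm:\t0000000000001400\nCapEff:\t0000000000001400\n";
const char SAMPLE_FULL[] =
    "Name:\tsquid\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n";

/* Find "<field>:" at the start of a line and parse its hex mask.
 * Returns 0 on success, -1 if the field is absent or malformed. */
int cap_mask_from_status(const char *status, const char *field, uint64_t *mask)
{
    size_t flen = strlen(field);
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            const char *val = line + flen + 1;
            char *end;
            unsigned long long v = strtoull(val, &end, 16);
            if (end == val) return -1;          /* no hex digits found */
            *mask = (uint64_t)v;
            return 0;
        }
        line = strchr(line, '\n');              /* advance to next line */
        if (line) line++;
    }
    return -1;
}

int cap_is_set(uint64_t mask, int bit) { return (int)((mask >> bit) & 1u); }

int main(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");  /* inspect this process */
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    uint64_t eff;
    /* Fall back to the constructed sample when /proc is unavailable. */
    if (cap_mask_from_status(n ? buf : SAMPLE_REDUCED, "CapEff", &eff) != 0) return 1;
    printf("CapEff=%016llx FOWNER=%d DAC_OVERRIDE=%d\n", (unsigned long long)eff,
           cap_is_set(eff, CAP_BIT_FOWNER), cap_is_set(eff, CAP_BIT_DAC_OVERRIDE));
    return 0;
}
```

To check a running daemon rather than the diagnostic itself, feed the function the contents of /proc/<pid>/status for that process.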


