Re: Squid in chroot jail reconfigure/rotate FATAL errors: SOLVED

On Fri, 2008-11-14 at 16:41 +0100, Rudi Vankemmel wrote:
> I have seen quite some postings indicating errors when issuing a
> squid -k reconfigure or squid -k rotate from within a chroot jail.

-k rotate should work fine in a chroot, but -k reconfigure requires a
bit of dual filesystem layout and relaxed permissions to work.

The reason for this is that Squid permanently drops all root permissions
when chrooted, to prevent a possible chroot breakout in case of
compromise, but the config file is still read as root before chrooting
(another security measure, making it harder for a possible attacker to
gain access to sensitive config material).

To be able to use "-k reconfigure" you must set things up so that all config
files are accessible within the chroot as your cache_effective_user
(usually done by giving one of its groups read permission to the
files), and also accessible using the same path outside the chroot
(some symlinking is required for this).

Regards
Henrik
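
The layout described in the reply above can be checked with a short script. This is an added example, not part of the original message or of Squid itself; the function name `check_chroot_conf`, its return codes and the demo paths are assumptions, and the same-file check is stricter than the reply requires.

```shell
#!/bin/sh
# Added example: verify the dual layout needed for "squid -k reconfigure"
# in a chroot. check_chroot_conf and its return codes are hypothetical.
# Usage: check_chroot_conf CHROOT_DIR CONF_PATH GROUP
check_chroot_conf() {
    chroot_dir=$1 conf=$2 grp=$3
    inside="$chroot_dir$conf"   # what Squid opens once it has chrooted

    # 1. Reconfigure runs after chroot: the file must exist inside the jail.
    [ -f "$inside" ] || { echo "missing inside chroot: $inside" >&2; return 1; }
    # 2. Startup reads the config as root before chrooting: the same path
    #    must also resolve outside the jail.
    [ -f "$conf" ] || { echo "missing outside chroot: $conf" >&2; return 2; }
    # 3. Assumption (stricter than the post): both paths must be the same
    #    file, e.g. via a symlink, so startup and reconfigure agree.
    [ "$conf" -ef "$inside" ] || { echo "paths are different files" >&2; return 3; }
    # 4. After chroot Squid is no longer root: a group of
    #    cache_effective_user must own the file and have read permission.
    [ -n "$(find -L "$inside" -prune -group "$grp" -perm -040 -print)" ] ||
        { echo "no group read for $grp: $inside" >&2; return 4; }
    return 0
}

# Constructed demo tree in a temporary directory (no real Squid install).
demo() {
    base=$(mktemp -d) || return 1
    jail="$base/jail"; conf="$base/etc/squid.conf"
    mkdir -p "$jail$base/etc" "$base/etc"
    echo "http_port 3128" > "$jail$conf"
    chgrp "$(id -g)" "$jail$conf"     # stand-in for a cache_effective_user group
    chmod 640 "$jail$conf"            # group read, no world read
    ln -s "$jail$conf" "$conf"        # same path outside the jail
    check_chroot_conf "$jail" "$conf" "$(id -g)"; rc=$?
    rm -rf "$base"
    return $rc
}
demo && echo "layout OK"
```

Run it against every file the configuration references, not only squid.conf, since the reply applies to all config files.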
