Re: 3.5.8 Arm7 socket permissions

Hi

Thanks for the reply.

Libcap2 is in the build, but the build is for an Arm7 and the rootfs is read only. Anything that needs write access I have moved to a ram disk
and symlinked it back into the expected place during the build process.

There must be something else in the OS standing in the way.

The unit has dnsmasq on it and that's working just fine. It also has a set of iptables rules that have been tested on an X86 system and work fine.

I can see the run it as root idea is just wrong so that's off the table.

Darren B.


On 29/10/2015 12:37 PM, Amos Jeffries wrote:
> On 29/10/2015 11:16 a.m., Darren Breeze ML wrote:
>> Hi all
>>
>> I have built squid 3.5.8 with yocto to run on an arm 7.
>>
>> This build of the OS seems to have different permissions for processes
>> opening sockets. The DNS routine fails to open a socket with the
>> following error
>>
>> root@test:~# 2015/10/28 22:07:43 testing| Starting Squid Cache version
>> 3.5.8 for arm-poky-linux-gnueabi...
>> 2015/10/28 22:07:43 kid1| Service Name: squid
>> 2015/10/28 22:07:43 kid1| comm_open: socket failure: (13) Permission denied
>> 2015/10/28 22:07:43 kid1| comm_open: socket failure: (13) Permission denied
>> FATAL: Could not create a DNS socket
>>
>> It looks like I would have to either run squid as a user that can do
>> this or change this underlying permissions setting in the OS.
>>
>> I would rather fix the OS rather than run squid as root.
>
> Firstly, since this is Linux ensure you are building Squid with libcap2
> support. Squid actually uses capabilities when possible.
>
> Secondly, *Starting* Squid as root does not mean it stays that way.
>
> Squid is actually a pair of processes, one daemon manager and a daemon.
> You need to start the main "squid" binary as root so the daemon manager
> can do the root things before it drops down to a low-privilege account
> for the regular operations.
>
> That low-privilege account is set by whichever of these is found first
> (in this order):
> * the value in squid.conf cache_effective_user
> * the username X specified in --with-default-user=X
> * upstream default: "nobody"
>
> Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
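
An added example, not from the thread or the Squid project: a shell check that resolves which account Squid will drop to, using the order Amos lists, and then confirms that the account exists in the image's passwd file with a non-zero UID. The function names, the sample files and the last-occurrence-wins handling of a repeated directive are assumptions.

```shell
#!/bin/sh
# resolve_squid_user CONF_FILE CONFIGURE_OPTS
# Prints the account Squid drops to. CONFIGURE_OPTS is the build's configure
# option string, e.g. the "configure options:" line printed by `squid -v`.
resolve_squid_user() {
    conf=$1
    opts=$2
    user=
    if [ -r "$conf" ]; then
        # 1. cache_effective_user in squid.conf; commented-out lines are skipped.
        #    Assumption: if the directive is repeated, the last one applies.
        user=$(awk '$1 == "cache_effective_user" && NF >= 2 { u = $2 }
                    END { print u }' "$conf")
    fi
    if [ -z "$user" ]; then
        # 2. --with-default-user=X from the build (squid -v quotes each option).
        user=$(printf '%s\n' "$opts" | tr -d "'\"" | tr ' ' '\n' |
               sed -n 's/^--with-default-user=//p' | tail -n 1)
    fi
    # 3. Upstream default.
    printf '%s\n' "${user:-nobody}"
}

# check_account USER PASSWD_FILE
# Returns 0 if USER exists with a non-zero UID, 1 if it is missing from the
# file, 2 if it maps to UID 0 (dropping to it would leave Squid as root).
check_account() {
    uid=$(awk -F: -v u="$1" '$1 == u { print $3; exit }' "$2")
    [ -n "$uid" ] || return 1
    [ "$uid" -ne 0 ] || return 2
    return 0
}

# Constructed sample input (not from the thread): a squid.conf with the
# directive commented out, a build default user, and an image passwd file.
demo_dir=$(mktemp -d)
printf '%s\n' '# cache_effective_user proxy' 'http_port 3128' > "$demo_dir/squid.conf"
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
    'squid:x:31:31::/var/spool/squid:/bin/false' > "$demo_dir/passwd"
build_opts="'--prefix=/usr' '--with-default-user=squid'"
drop_user=$(resolve_squid_user "$demo_dir/squid.conf" "$build_opts")
if check_account "$drop_user" "$demo_dir/passwd"; then
    echo "squid will drop to: $drop_user"
else
    echo "account '$drop_user' is missing or has UID 0"
fi
rm -rf "$demo_dir"
```

For a read-only rootfs, point `check_account` at the passwd file inside the image staging directory so the check runs at build time.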
