From: "Alexey I. Froloff" <raorn@immo.ru>
To: ALT Devel discussion list <devel@altlinux.ru>
Subject: [devel] Q: squid - I'm at the end of my rope
Date: Wed, 22 Dec 2004 17:13:49 +0300
Message-ID: <20041222141348.GF544@immo.ru>
Initial setup: squid-2.5.STABLE7-alt{1,4}, an ADS domain,
authentication via Samba's ntlm_auth. Supposedly you just add squid to
the winbind group and happiness follows... Like hell it does.
# id squid
uid=23(squid) gid=23(squid) groups=23(squid),35(winbind)
Config:
cache_effective_user squid
cache_effective_group squid
(I tried removing cache_effective_group - it doesn't help)
Let's look at its code (sorry for the length):
src/main.c:475
static void
mainInitialize(void)
{
    /* chroot if configured to run inside chroot */
    if (Config.chroot_dir && chroot(Config.chroot_dir)) {
        fatal("failed to chroot");
    }
    if (opt_catch_signals) {
        squid_signal(SIGSEGV, death, SA_NODEFER | SA_RESETHAND);
        squid_signal(SIGBUS, death, SA_NODEFER | SA_RESETHAND);
    }
    squid_signal(SIGPIPE, SIG_IGN, SA_RESTART);
    squid_signal(SIGCHLD, sig_child, SA_NODEFER | SA_RESTART);
    setEffectiveUser();
    assert(Config.Sockaddr.http);
    if (httpPortNumOverride != 1)
        Config.Sockaddr.http->s.sin_port = htons(httpPortNumOverride);
    if (icpPortNumOverride != 1)
        Config.Port.icp = (u_short) icpPortNumOverride;
    _db_init(Config.Log.log, Config.debugOptions);
    fd_open(fileno(debug_log), FD_LOG, Config.Log.log);
src/main.c:437
static void
setEffectiveUser(void)
{
    leave_suid();               /* Run as non privilegied user */
#ifdef _SQUID_OS2_
    return;
#endif
    if (geteuid() == 0) {
        debug(0, 0) ("Squid is not safe to run as root! If you must\n");
        debug(0, 0) ("start Squid as root, then you must configure\n");
        debug(0, 0) ("it to run as a non-priveledged user with the\n");
        debug(0, 0) ("'cache_effective_user' option in the config file.\n");
        fatal("Don't run Squid as root, set 'cache_effective_user'!");
    }
}
src/tools.c:515
void
leave_suid(void)
{
    debug(21, 3) ("leave_suid: PID %d called\n", (int) getpid());
    if (Config.effectiveGroup) {
#if HAVE_SETGROUPS
        setgroups(1, &Config2.effectiveGroupID);
#endif
        if (setgid(Config2.effectiveGroupID) < 0)
            debug(50, 0) ("ALERT: setgid: %s\n", xstrerror());
    }
    if (geteuid() != 0)
        return;
    /* Started as a root, check suid option */
    if (Config.effectiveUser == NULL)
        return;
    debug(21, 3) ("leave_suid: PID %d giving up root, becoming '%s'\n",
        (int) getpid(), Config.effectiveUser);
    if (!Config.effectiveGroup) {
        if (setgid(Config2.effectiveGroupID) < 0)
            debug(50, 0) ("ALERT: setgid: %s\n", xstrerror());
        if (initgroups(Config.effectiveUser, Config2.effectiveGroupID) < 0) {
            debug(50, 0) ("ALERT: initgroups: unable to set groups for User %s "
                "and Group %u", Config.effectiveUser,
                (unsigned) Config2.effectiveGroupID);
        }
    }
#if HAVE_SETRESUID
    if (setresuid(Config2.effectiveUserID, Config2.effectiveUserID, 0) < 0)
        debug(50, 0) ("ALERT: setresuid: %s\n", xstrerror());
#elif HAVE_SETEUID
    if (seteuid(Config2.effectiveUserID) < 0)
        debug(50, 0) ("ALERT: seteuid: %s\n", xstrerror());
#else
    if (setuid(Config2.effectiveUserID) < 0)
        debug(50, 0) ("ALERT: setuid: %s\n", xstrerror());
#endif
}
Now let's look at the strace corresponding to this code:
32724 open("/proc/sys/kernel/ngroups_max", O_RDONLY) = -1 ENOENT (No such file or directory)
32724 setgroups32(1, [23]) = 0
32724 setgid32(23) = 0
32724 geteuid32() = 0
32724 setresuid32(23, 23, 0) = 0
32724 geteuid32() = 23
32724 open("/var/log/squid/cache.log", O_RDWR|O_APPEND|O_CREAT, 0666) = 3
(The logs are silent, because the log isn't open yet at this point)
The first geteuid32 is from leave_suid(), the second from setEffectiveUser().
Config2.effectiveGroupID and Config2.effectiveUserID are set, and
Config.effectiveUser is obviously not NULL either, since setresuid()
gets called. Where could the problem be? I no longer even know where
to look...
--
Regards, Sir Raorn.
-------------------
> Where can I get this driver? I'll take a look at what can be tweaked
> to get it building.
Translation:
"newbies have no business packaging kernel modules."
-- rider in devel@
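The message above turns on which supplementary groups survive the privilege drop: leave_suid() takes the setgroups(1, &gid) path when cache_effective_group is set, and the initgroups() path otherwise. The following is an added example (not from this message and not squid's code) of a root-to-user drop that loads the user's groups with initgroups() and then verifies that a required group is still present and that root cannot be regained; the account and group names squid and winbind are assumed, and unlike squid's setresuid(uid, uid, 0) this drop is irrevocable.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Is gid in the caller's supplementary group list? 0 if the list is unreadable. */
int has_supplementary_gid(gid_t gid)
{
    gid_t list[256];
    int n = getgroups(256, list);   /* n < 0 (e.g. more than 256 groups) -> 0 */
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

/* Drop from root to user, loading that user's supplementary groups from the
 * group database (the initgroups() path), then check that required_group
 * survived and that root cannot be regained. Returns 0 on success, -1 on
 * failure. Only a root process actually changes identity here. */
int drop_privileges(const char *user, const char *required_group)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(required_group);
    if (pw == NULL || gr == NULL) {
        fprintf(stderr, "unknown user %s or group %s\n", user, required_group);
        return -1;
    }
    /* Order matters: groups and gid while still root, uid last. Calling
     * setgroups(1, &pw->pw_gid) here instead would replace the whole
     * supplementary list with the primary gid, which is exactly what the
     * "setgroups32(1, [23])" line in the strace above shows. */
    if (initgroups(user, pw->pw_gid) < 0) { perror("initgroups"); return -1; }
    if (setgid(pw->pw_gid) < 0)           { perror("setgid");     return -1; }
    /* setuid() as root also changes the saved uid, so the drop is final;
     * squid's setresuid(uid, uid, 0) deliberately keeps saved uid 0. */
    if (setuid(pw->pw_uid) < 0)           { perror("setuid");     return -1; }
    if (!has_supplementary_gid(gr->gr_gid)) {
        fprintf(stderr, "group %s lost during privilege drop\n", required_group);
        return -1;
    }
    if (setuid(0) == 0) {
        fprintf(stderr, "privilege drop is reversible\n");
        return -1;
    }
    return 0;
}
```

Run as root with `drop_privileges("squid", "winbind")`; a non-zero return, or a stderr line naming the lost group, reproduces the symptom in the strace without digging through cache.log.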