From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Date: Wed, 22 Dec 2004 17:13:49 +0300
From: "Alexey I. Froloff"
To: ALT Devel discussion list
Message-ID: <20041222141348.GF544@immo.ru>
Mail-Followup-To: ALT Devel discussion list
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="a1QUDc0q7S3U7/Jg"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+cvs20041102i
X-Virus-Scanned: by amavisd-new at immo.ru
Subject: [devel] Q: squid - сил моих больше нет
X-BeenThere: devel@altlinux.ru
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: ALT Devel discussion list
List-Id: ALT Devel discussion list
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 22 Dec 2004 14:13:56 -0000
Archived-At:
List-Archive:
List-Post:

--a1QUDc0q7S3U7/Jg
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Исходные данные: squid-2.5.STABLE7-alt{1,4}, ADS домен, авторизация через самбовый ntlm_auth. Надо внести сквида в группу winbind и тогда наступит счастие... А нифига.
# id squid
uid=23(squid) gid=23(squid) groups=23(squid),35(winbind)

Конфиг:
cache_effective_user squid
cache_effective_group squid
(cache_effective_group пробовал убирать - не помогает)

Смотрим ему в код (извините за размер):

src/main.c:475
static void
mainInitialize(void)
{
    /* chroot if configured to run inside chroot */
    if (Config.chroot_dir && chroot(Config.chroot_dir)) {
        fatal("failed to chroot");
    }
    if (opt_catch_signals) {
        squid_signal(SIGSEGV, death, SA_NODEFER | SA_RESETHAND);
        squid_signal(SIGBUS, death, SA_NODEFER | SA_RESETHAND);
    }
    squid_signal(SIGPIPE, SIG_IGN, SA_RESTART);
    squid_signal(SIGCHLD, sig_child, SA_NODEFER | SA_RESTART);

    setEffectiveUser();
    assert(Config.Sockaddr.http);
    if (httpPortNumOverride != 1)
        Config.Sockaddr.http->s.sin_port = htons(httpPortNumOverride);
    if (icpPortNumOverride != 1)
        Config.Port.icp = (u_short) icpPortNumOverride;
    _db_init(Config.Log.log, Config.debugOptions);
    fd_open(fileno(debug_log), FD_LOG, Config.Log.log);

src/main.c:437
static void
setEffectiveUser(void)
{
    leave_suid();               /* Run as non privilegied user */
#ifdef _SQUID_OS2_
    return;
#endif
    if (geteuid() == 0) {
        debug(0, 0) ("Squid is not safe to run as root! 
If you must\n");
        debug(0, 0) ("start Squid as root, then you must configure\n");
        debug(0, 0) ("it to run as a non-priveledged user with the\n");
        debug(0, 0) ("'cache_effective_user' option in the config file.\n");
        fatal("Don't run Squid as root, set 'cache_effective_user'!");
    }
}

src/tools.c:515
void
leave_suid(void)
{
    debug(21, 3) ("leave_suid: PID %d called\n", (int) getpid());
    if (Config.effectiveGroup) {
#if HAVE_SETGROUPS
        setgroups(1, &Config2.effectiveGroupID);
#endif
        if (setgid(Config2.effectiveGroupID) < 0)
            debug(50, 0) ("ALERT: setgid: %s\n", xstrerror());
    }
    if (geteuid() != 0)
        return;
    /* Started as a root, check suid option */
    if (Config.effectiveUser == NULL)
        return;
    debug(21, 3) ("leave_suid: PID %d giving up root, becoming '%s'\n",
        (int) getpid(), Config.effectiveUser);
    if (!Config.effectiveGroup) {
        if (setgid(Config2.effectiveGroupID) < 0)
            debug(50, 0) ("ALERT: setgid: %s\n", xstrerror());
        if (initgroups(Config.effectiveUser, Config2.effectiveGroupID) < 0) {
            debug(50, 0) ("ALERT: initgroups: unable to set groups for User %s "
                "and Group %u", Config.effectiveUser,
                (unsigned) Config2.effectiveGroupID);
        }
    }
#if HAVE_SETRESUID
    if (setresuid(Config2.effectiveUserID, Config2.effectiveUserID, 0) < 0)
        debug(50, 0) ("ALERT: setresuid: %s\n", xstrerror());
#elif HAVE_SETEUID
    if (seteuid(Config2.effectiveUserID) < 0)
        debug(50, 0) ("ALERT: seteuid: %s\n", xstrerror());
#else
    if (setuid(Config2.effectiveUserID) < 0)
        debug(50, 0) ("ALERT: setuid: %s\n", xstrerror());
#endif
}

Теперь смотрим в strace, соответствующий этому коду:

32724 open("/proc/sys/kernel/ngroups_max", O_RDONLY) = -1 ENOENT (No such file or directory)
32724 setgroups32(1, [23]) = 0
32724 setgid32(23) = 0
32724 geteuid32() = 0
32724 setresuid32(23, 23, 0) = 0
32724 geteuid32() = 23
32724 open("/var/log/squid/cache.log", O_RDWR|O_APPEND|O_CREAT, 0666) = 3

(В логах 
тишина, потому как он ещё не открыт к этому времени)

Первый geteuid32 из leave_suid(), второй из setEffectiveUser(). Config2.effectiveGroupID и Config2.effectiveUserID определены, Config.effectiveUser тоже очевидно не NULL, потому как setresuid() вызывается. Где может быть проблема?

[Прим.: при заданном cache_effective_group leave_suid() идёт по ветке `if (Config.effectiveGroup)` и вызывает setgroups(1, &Config2.effectiveGroupID) — это и есть setgroups32(1, [23]) в strace; список дополнительных групп заменяется одной gid 23, и членство в winbind (35) теряется, а initgroups() выполняется только в ветке `!Config.effectiveGroup`.]

Я уже даже не знаю куда ему смотреть...

-- 
Regards, Sir Raorn.
-------------------
>Где можно взять этот драйвер? Я посмотрю, что там можно допилить для
>его сборки.
Перевожу: "не фиг чайникам собирать модули ядра в пакеты".
                -- rider in devel@

--a1QUDc0q7S3U7/Jg
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFByYEcVqT7+fkT8woRAp2+AKCA/5U9d14z6eX+CG/6ahJ0gV0ZBwCfZWWt
ZVzUzYcFinuHc6eacfmlJPs=
=hiZM
-----END PGP SIGNATURE-----

--a1QUDc0q7S3U7/Jg--