Bugzilla – Bug 918434
Change /var/{cache,log}/squid ownership to squid:squid
Last modified: 2016-01-08 20:23:48 UTC
I am not sure why both folders are owned by root group since the user squid processes run on is squid:squid (Factory). Perhaps because the 'nogroup' group used by older packages is somewhat unprivileged and changing it artificially to root was a security measure. So I propose as a RFC (to Factory) the attached patches, that:

- Remove remaining permissions bits: it is unused.
- Change id/getent checks to use exit codes.
- Apply new group to /var/{cache,log}/squid contents if necessary on upgrade.
- Drop 'create' from logrotate config. Log files will be created by squid itself as squid:squid 640. Also suppress errors from squid invocation there.
- Requires adjustments.

I tested these modifications (3.4.10-1.2 as base) upgrading from 3.4.4-3.4.2 (which still uses squid:nogroup) in 13.2 and everything is working so far. After a broader testing round, it can go to 13.2 updates. Once this hits stable, #894636 and #894840 can be closed.
Created attachment 623716 [details] squid.spec
Created attachment 623717 [details] squid.logrotate
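As an added example (not one of the attachments on this bug), the upgrade-time group fixup the proposal describes, written as a stand-alone shell function: it relies on getent's exit code rather than parsing its output, and only touches entries still owned by the old group. The function name, its arguments, the ROOT prefix (so it can be run against a test tree instead of /) and the check/apply mode are my own assumptions.

```shell
#!/bin/sh
# squid_fix_group ROOT OLDGROUP NEWGROUP [check|apply]
#   Walks ROOT/var/cache/squid and ROOT/var/log/squid, counts every entry
#   (directories included) still owned by OLDGROUP and, in "apply" mode,
#   moves them to NEWGROUP. Prints the number of affected entries.
#   Returns 2 when NEWGROUP does not exist, so a %post script can bail out
#   before touching anything. Assumes find(1) with -group and chgrp(1).
squid_fix_group() {
    sfg_root=$1 sfg_old=$2 sfg_new=$3 sfg_mode=${4:-check}

    # Exit-code check, as proposed for the spec: no output to parse.
    if ! getent group "$sfg_new" >/dev/null 2>&1; then
        echo "group $sfg_new does not exist" >&2
        return 2
    fi

    sfg_total=0
    for sfg_dir in "$sfg_root/var/cache/squid" "$sfg_root/var/log/squid"; do
        [ -d "$sfg_dir" ] || continue
        # Only entries still in the old group need work; everything else
        # (e.g. an already converted install) is left alone.
        sfg_n=$(find "$sfg_dir" -group "$sfg_old" 2>/dev/null | wc -l)
        sfg_total=$((sfg_total + sfg_n))
        if [ "$sfg_mode" = apply ] && [ "$sfg_n" -gt 0 ]; then
            find "$sfg_dir" -group "$sfg_old" -exec chgrp "$sfg_new" {} +
        fi
    done
    echo "$sfg_total"
}
```

Run as `squid_fix_group / nogroup squid` first to see how many entries an upgrade would change, then with `apply` to do it.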
The permissions are required for future or local usage, e.g. the pinger and basic_pam_auth have been requested recently. Please get in contact with the regular maintainers. Security will need to review if the log directory can be changed this way or if it is insecure.
Created attachment 623993 [details] squid.spec (V2)

- Put permissions back in
- Remove /etc/permissions.d/squid on %post
- Fix etc/ path and use more %{name} macros where appropriate

Created attachment 623994 [details] squid.logrotate (V2)

- Add missing 'nocreate'
- Drop 2>/dev/null from squid call. If it is running and something goes wrong, we want the information
sorry don't see your problem ...

...
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
...

/var/log/squid/access.log
/var/log/squid/store.log
/var/log/squid/cache.log
{
    su squid squid
    compress
    dateext
    maxage 365
    rotate 99
    size=+4096k
    notifempty
    missingok
    create 640 squid squid
    sharedscripts
    postrotate
        /usr/bin/systemctl -q is-active squid.service && /usr/sbin/squid -k rotate
    endscript
}