Bug 918434 - Change /var/{cache,log}/squid ownership to squid:squid
Change /var/{cache,log}/squid ownership to squid:squid
Status: RESOLVED INVALID
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Network
13.2
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Christian Wittmer
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-02-18 16:41 UTC by Marcos Mello
Modified: 2016-01-08 20:23 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
squid.spec (3.98 KB, patch)
2015-02-18 16:42 UTC, Marcos Mello
Details | Diff
squid.logrotate (450 bytes, patch)
2015-02-18 16:44 UTC, Marcos Mello
Details | Diff
squid.spec (V2) (4.52 KB, patch)
2015-02-20 12:37 UTC, Marcos Mello
Details | Diff
squid.logrotate (V2) (442 bytes, patch)
2015-02-20 12:41 UTC, Marcos Mello
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcos Mello 2015-02-18 16:41:20 UTC
I am not sure why both folders are owned by root group since the user squid processes run on is squid:squid (Factory). Perhaps because the 'nogroup' group used by older packages is somewhat unprivileged and changing it artificially to root was a security measuse.

So I propose as a RFC (to Factory) the attached patches, that:

- Remove remaining permissions bits: it is unused.
- Change id/getent checks to use exit codes.
- Apply new group to /var/{cache,log}/squid contents if necessary on upgrade.
- Drop 'create' from logrotate config. Log files will be created by squid itself as squid:squid 640. Also supress errors from squid invocation there.
- Requires adjustments.

I tested these modifications (3.4.10-1.2 as base) upgrading from 3.4.4-3.4.2 (which still uses squid:nogroup) in 13.2 and everything is working so far. After a broader testing round, it can go to 13.2 updates.

Once this hits stable, #894636 and #894840 can be closed.
Comment 1 Marcos Mello 2015-02-18 16:42:49 UTC
Created attachment 623716 [details]
squid.spec
Comment 2 Marcos Mello 2015-02-18 16:44:03 UTC
Created attachment 623717 [details]
squid.logrotate
Comment 3 Marcus Meissner 2015-02-18 21:20:19 UTC
trhe permiussions are requiored for future or local usage, e.g. the pinger and basic_pam_auth have been requested recently.

please get in contact with the regular maintainers.



security will need to review if the log directory can be changed this way or if it is insecure.
Comment 4 Marcos Mello 2015-02-20 12:37:09 UTC
Created attachment 623993 [details]
squid.spec (V2)

- Put permissions back in
- Remove /etc/permissions.d/squid on %post
- Fix etc/ path and use more %{name} macros where appropriate
Comment 5 Marcos Mello 2015-02-20 12:41:22 UTC
Created attachment 623994 [details]
squid.logrotate (V2)

- Add missing 'nocreate'
- Drop 2>/dev/null from squid call. If it is running and something goes wrong, we want the information
Comment 6 Christian Wittmer 2016-01-08 20:23:48 UTC
sorry don't see your problem ...
... 
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/

...

/var/log/squid/access.log /var/log/squid/store.log /var/log/squid/cache.log {
    su squid squid
    compress
    dateext
    maxage 365
    rotate 99
    size=+4096k
    notifempty
    missingok
    create 640 squid squid
    sharedscripts
    postrotate
     /usr/bin/systemctl -q is-active squid.service && /usr/sbin/squid -k rotate
    endscript
}