[squid-dev] [PATCH] start workers as root

Amos Jeffries squid3 at treenet.co.nz
Sat Mar 7 05:18:05 UTC 2015


On 7/03/2015 12:18 a.m., Tsantilas Christos wrote:
> SMP workers in trunk start without root privileges. This results in
> startup failures when workers need to use a privileged port (e.g., 443)
> or other root-only features such as TPROXY.
> 
> This bug was added with my "Moved PID file management from Coordinator to
> Master" patch.
> 
> The problem is inside the watch_child function, which is called after an
> enter_suid() call, but the writePidFile() call inside watch_child()
> will leave suid mode before exit.
> 
> This patch removes the enter_suid/leave_suid calls from writePidFile
> and makes the caller responsible for setting the root privileges if
> required.

I think this is the wrong approach.

Firstly, what are processes without SUID ability doing writing to secure
system files?

Secondly, I thought the entire point of the earlier patch was to make
the *MASTER* process the one writing the PID file. Not low-privileged
workers.

Thirdly, the enter/leave_suid calls mean "dangerous security stuff about
to happen" and should only be called if absolutely necessary, AND only
around the (block of) system calls which require them.


Your description sounds like some part of the code in worker scope is
using enter_suid, doing a lot of Squid stuff - plus incidentally some
root system stuff, then leave_suid. That is broken code. None of the
general "Squid stuff" is a security-sensitive system call needing root
privileges.
We should be fixing that broken code. Either to not need the system
suid privilege at all, or to call enter/leave_suid only around the
sensitive operation - while also ensuring those suid calls will work at
the point they are used.

Amos
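The failure mode discussed above (a helper such as writePidFile() calling leave_suid on its own, so the caller's still-needed root privilege is gone when it returns) and the fix Amos asks for (bracket only the sensitive call, and make the bracket work wherever it is used) can be illustrated with a nesting-aware privilege bracket. This is an added example, not Squid's enter_suid/leave_suid nor code from this thread; enter_priv, leave_priv, write_pid_file, start_worker and the "nobody" uid 65534 are assumptions made for the demonstration, and the uid switch is skipped when the process is not root.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical privilege bracket. A nesting counter means an inner
 * leave_priv() (e.g. inside a PID-file helper) never drops root while
 * an outer caller is still inside its own enter_priv()/leave_priv(). */
static int priv_depth = 0;
static uid_t unpriv_uid = 65534;  /* placeholder unprivileged uid ("nobody") */

/* Raise the effective uid to root; only the outermost call switches uid. */
int enter_priv(void) {
    if (priv_depth++ == 0) {
        if (getuid() != 0 && geteuid() != 0)
            return 0;                       /* not root at all: nothing to raise */
        if (seteuid(0) != 0) { perror("seteuid(0)"); return -1; }
    }
    return 0;
}

/* Drop back to the unprivileged uid only when the outermost region ends. */
int leave_priv(void) {
    if (priv_depth <= 0)
        return -1;                          /* unbalanced leave: a caller bug */
    if (--priv_depth == 0 && geteuid() == 0) {
        if (seteuid(unpriv_uid) != 0) { perror("seteuid(unpriv)"); return -1; }
    }
    return 0;
}

/* Current nesting depth: >0 means some caller still holds privilege. */
int priv_nesting(void) { return priv_depth; }

/* Helper needing root only for one step (writing the PID file). It brackets
 * exactly that step, so a caller already holding privilege keeps it. */
int write_pid_file(const char *path) {
    int ok = 0;
    enter_priv();
    FILE *f = fopen(path, "w");
    if (f) { ok = fprintf(f, "%ld\n", (long)getpid()) > 0; fclose(f); }
    leave_priv();
    return ok;
}

/* Startup path: raise privilege, write the PID file, then still need root
 * (privileged port / TPROXY setup would go here). Returns 1 if privilege
 * survived the helper call, which is what the unconditional leave broke. */
int start_worker(const char *pidfile) {
    enter_priv();
    write_pid_file(pidfile);
    int still_privileged = priv_nesting() > 0;
    leave_priv();
    return still_privileged;
}
```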
