[squid-dev] [PATCH] start workers as root

Amos Jeffries squid3 at treenet.co.nz
Sun Mar 8 03:57:37 UTC 2015 

On 8/03/2015 6:34 a.m., Tsantilas Christos wrote:
> On 03/07/2015 07:18 AM, Amos Jeffries wrote:
>> On 7/03/2015 12:18 a.m., Tsantilas Christos wrote:
>>> SMP workers in trunk start without root privileges. This results in
>>> startup  failures when workers need to use a privileged port (e.g., 443)
>>> or other  root-only features such as TPROXY.
>>>
>>> This bug added with my "Moved PID file management from Coordinator to
>>> Master" patch.
>>>
>>> The problem is inside watch_child function which called after a
>>> enter_suid() call, but the  writePidFile() call, inside the
>>> watch_child(), will leave suid mode before exit.
>>>
>>> This patch removes the enter_suid/leave_suid cals from the writePidFile
>>>   and make the caller responsible for setting the root privileges if
>>> required.
>>
>> I think this is wrong approach.
>>
>> Firstly, what are processes without SUID ability doing writing to secure
>> system files?
> 
> What do you mean here?

After your patch that makes the master file the one writing the PID file
what are the workers (non-master) doing writing to it?

> 
>>
>> Secondly, I thought the entire point of the earlier patch was to make
>> the *MASTER* process was the one writing the PID file. Not
>> low-privileged workers.
> 
> Yes the master process writing the pid file, not the workers.
> 
>>
>> Thirdly, the enter/leave_suid calls mean "dangerous security stuff about
>> to happen" and should only be called if absolutely necessary, AND only
>> around the (block of) system calls which require them.
> 
> I agree.
> However the watch_child which is implements the master process, is
> designed to run in suid mode. This was not changed by the PID patch.
> Just due to a bug added with the PID patch this function leaves the suid
> mode.


I think I understand you there. You mean this process:

 enter_suid()
 ...
 watch_child()
  ...
  writePidFile() {
   enter_squid() // no-op
   ...
   leave_suid()
 }
 ... something that needs suid. oops.


> 
> Maybe we want to fix master process to not run in suid mode, but I believe:
>   - This is not a scope for this patch
>   - The master process does not do a lot of thinks. Probably we do not
> need to make it run with low privileges. Moreover we may have problems
> with the kids. (Is it possible for kids to run with different
> cache_effective_user parameter?)
> 

Yes, more than possible - probable that somebody will or is already
doing so. Just the other day I saw someone running workers with
different PID files.
Thats the kind of thing that happens with these directives available in
via squid.conf per-worker.


>>
>> Your description sounds like some part of the code in worker scope is
>> using enter_suid doing a lot of Squid stuff - plus incidentally some
>> root system stuff, then leave_suid. That is broken code. None of the
>> general "Squid stuff" are security sentitive system calls needing root
>> privileges.
> 
> No, please forget the workers. This patch does not change anything in a
> worker.
> Please take a look into the writePidFile function, and into watch_child
> function (which implements the master process)
> 

The place your patch is changing are all in the workers code.

Instead of moving the enter_suid() outside of writePidFile() in several
places the master code should call enter only to preserve the part of
code *it* needs suid. eg.

 watch_child()
   ...
   writePidFile()
   enter_suid(); // writePidFile() uses leave_suid()
   ...

Much simpler patch, and fewer places overall using enter/leave_suid.

Amos

More information about the squid-dev mailing list