[squid-users] Building squid | Best Practices?

Amos Jeffries squid3 at treenet.co.nz
Sun Sep 27 00:16:17 UTC 2015


On 26/09/2015 6:21 p.m., Howard Waterfall wrote:
> Hey guys back at it. I expect that Linux issues are really a much bigger
> problem for me than squid!
> 
> I'm running into this problem now:
> 
> /var/run/squid3.pid: (13) Permission denied
> 
> 
> I know it's a permission problem, but not sure the optimal way of fixing it.
> 
> I created user 'proxy' and group 'squid' to run squid:
> 
> sudo addgroup --system squid
> sudo adduser --system --no-create-home --group proxy squid
> 
> 
> And I set up my build config accordingly:
> 
> --with-default-user=proxy
> 
> 
> but 'proxy' does not have access to /var/run:
> 
> lrwxrwxrwx 1 root root /var/run
> 

Everything has access to /var/run (the "rwx" on 'other' permissions).
The symlink should point at /run which has similar permissions that any
account can read, and root can create/write.

Note that Squid needs to be started by the root account to have its
required security capabilities.

> 
> This explains why /var/run/squid3.pid cannot be written, but I'm not sure
> simply changing ownership of /var/run to 'proxy' is the best approach given
> that squid is not the only service that accesses that folder. I'm thinking
> that I should configure the build differently.
> 
> In order to see what configurations are used in the distro package, I
> installed it:
> 
> sudo apt-get install squid
> 
> 
> and had a look at the output of:
> 
> squid3 -v
> 
> 
> These settings are troubling for me:
> 
> --prefix=/usr
> --localstatedir=/var
> --with-swapdir=/var/spool/squid3
> --with-logdir=/var/log/squid3
> --with-pidfile=/var/run/squid3.pid
> --datadir=/usr/share/squid3
> --mandir=/usr/share/man'
> --sysconfdir=/etc
> --sysconfdir=/etc/squid3
> 
> 
> Yes --sysconfdir is defined twice! Regardless of that, wouldn't it be better
> to set them up this way:
> 
> --prefix=/usr
> --localstatedir=${prefix}/var
> --with-swapdir=${localstatedir}/spool/squid3
> --with-logdir=${localstatedir}/log/squid3
> --with-pidfile=${localstatedir}/run/squid3.pid
> --datadir=${prefix}/share/squid3
> --mandir=${prefix}/share/man'
> --sysconfdir=${prefix}/etc/squid3
> 

For you when custom building yes. The OS distributors chose the other
way for their own reasons. The primary being that the OS package needs
to be installed to the FHS system locations, not user custom-build
locations.


> 
> I'm not positive about this directive:
> 
> --sysconfdir=${prefix}/etc/squid3
> 
> 
> that may be better left as:
> 
> --sysconfdir=/etc/squid3
> 
> 
> I am curious about the others though. If what I've said makes sense, I'll
> update my build config that way and make one more change:
> 
> --prefix=/proxy
> 

Up to you. Consider the prefix as a type of weak chroot. Squid will be
installed inside it, but access to non-squid system things doesn't
depend on the usual chroot copying and restrictions.

Amos
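As an added example (not code from this thread or from the Squid project), the script below parses the configure options that `squid -v` prints, flags options given more than once (the duplicated --sysconfdir above), expands ${prefix}-style references the way the proposed layout uses them, and applies a plain discretionary-access check to the pid file's directory to show why an unprivileged account such as 'proxy' cannot create /var/run/squid3.pid while root can. The option string is constructed for the example and the function names are my own.

```python
import os
import re
import stat

# Constructed sample, modelled on the `squid3 -v` options quoted in the thread.
SAMPLE_CONFIGURE = """--prefix=/usr --localstatedir=${prefix}/var
--with-pidfile=${localstatedir}/run/squid3.pid --sysconfdir=/etc
--sysconfdir=/etc/squid3 --with-default-user=proxy"""

def parse_options(text):
    """Return ({option: last value seen}, [options given more than once])."""
    opts, dups = {}, []
    for name, value in re.findall(r"--([\w-]+)=(\S+)", text):
        if name in opts and name not in dups:
            dups.append(name)
        opts[name] = value.strip("'")   # tolerate a stray quote like --mandir=...'
    return opts, dups

def expand(opts):
    """Resolve ${name} references between options (e.g. ${prefix}) until stable."""
    out = dict(opts)
    for _ in range(len(out)):
        before = dict(out)
        for name, value in out.items():
            out[name] = re.sub(r"\$\{([\w-]+)\}",
                               lambda m: out.get(m.group(1), m.group(0)), value)
        if out == before:
            break
    return out

def can_write_dir(mode, dir_uid, dir_gid, uid, gids):
    """Plain DAC check: may an account (uid, its gids) create entries in a
    directory with this st_mode/st_uid/st_gid?  Root bypasses DAC, which is
    why Squid is started as root and only then drops to its default user."""
    if uid == 0:
        return True
    if uid == dir_uid:
        return bool(mode & stat.S_IWUSR and mode & stat.S_IXUSR)
    if dir_gid in gids:
        return bool(mode & stat.S_IWGRP and mode & stat.S_IXGRP)
    return bool(mode & stat.S_IWOTH and mode & stat.S_IXOTH)

def pidfile_dir_writable(opts, uid, gids):
    """Stat the directory that will hold the configured pid file and apply the check."""
    st = os.stat(os.path.dirname(expand(opts)["with-pidfile"]))
    return can_write_dir(st.st_mode, st.st_uid, st.st_gid, uid, gids)
```

Run pidfile_dir_writable() against the real uid/gids of the --with-default-user account to see the same "Permission denied" outcome before starting Squid.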
