[squid-users] squid mitm

Niels Hofmans hello at ironpeak.be
Thu Nov 19 11:57:11 UTC 2020


Hi,

After noticing the permission errors on /ca.pem (strace in my previous mail, quoted below), this is more or less what I get now:

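Is /dev/log really required, since we log to /dev/stdout? In the trace below, the connect() to /dev/log fails with ENOENT and the open() of /dev/stdout fails with EACCES.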

proxy_1       | [00] open("/dev/stdout", O_RDWR|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
proxy_1       | [00] writev(2, [{iov_base="WARNING: Cannot write log file: "..., iov_len=44}, {iov_base=NULL, iov_len=0}], 2WARNING: Cannot write log file: /dev/stdout
proxy_1       | [00] ) = 44
proxy_1       | [00] writev(2, [{iov_base="", iov_len=0}, {iov_base="/dev/stdout", iov_len=11}], 2/dev/stdout) = 11
proxy_1       | [00] writev(2, [{iov_base="", iov_len=0}, {iov_base=":", iov_len=1}], 2:) = 1
proxy_1       | [00] writev(2, [{iov_base="", iov_len=0}, {iov_base=" ", iov_len=1}], 2 ) = 1
proxy_1       | [00] writev(2, [{iov_base="", iov_len=0}, {iov_base="Permission denied", iov_len=17}], 2Permission denied) = 17
proxy_1       | [00] writev(2, [{iov_base="", iov_len=0}, {iov_base="\n", iov_len=1}], 2
proxy_1       | [00] ) = 1
proxy_1       | [00] writev(2, [{iov_base="", iov_len=0}, {iov_base="         messages will be sent t"..., iov_len=44}], 2         messages will be sent to 'stderr'.
proxy_1       | [00] ) = 44
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[], NULL, 8) = 0
proxy_1       | [00] setresuid(-1, 0, -1)                    = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] prctl(PR_SET_DUMPABLE, SUID_DUMP_USER)  = 0
proxy_1       | [00] umask(027)                              = 027
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[], NULL, 8) = 0
proxy_1       | [00] setresuid(-1, 0, -1)                    = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] prctl(PR_SET_DUMPABLE, SUID_DUMP_USER)  = 0
proxy_1       | [00] open("/var/run/squid.pid", O_RDONLY)    = -1 ENOENT (No such file or directory)
proxy_1       | [00] geteuid()                               = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[], NULL, 8) = 0
proxy_1       | [00] setgid(1000)                            = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
proxy_1       | [00] connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 24) = -1 ENOENT (No such file or directory)
proxy_1       | [00] close(3)                                = 0
proxy_1       | [00] open("/etc/group", O_RDONLY|O_CLOEXEC)  = 3
proxy_1       | [00] fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
proxy_1       | [00] fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
proxy_1       | [00] read(3, "root:x:0:root\napp:x:1000:\ndnscac"..., 1024) = 88
proxy_1       | [00] read(3, "", 1024)                       = 0
proxy_1       | [00] close(3)                                = 0
proxy_1       | [00] setgroups(1, [1000])                    = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[], NULL, 8) = 0
proxy_1       | [00] setresuid(1000, 1000, 0)                = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
proxy_1       | [00] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_PTRACE, inheritable=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_PTRACE}) = 0
proxy_1       | [00] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_NET_BIND_SERVICE, permitted=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_PTRACE, inheritable=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_PTRACE}) = 0
proxy_1       | [00] prctl(PR_SET_DUMPABLE, SUID_DUMP_USER)  = 0
proxy_1       | [00] brk(0x55dd853ca000)                     = 0x55dd853ca000
proxy_1       | [00] brk(0x55dd853e5000)                     = 0x55dd853e5000
proxy_1       | [00] geteuid()                               = 1000
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[], NULL, 8) = 0
proxy_1       | [00] setresuid(-1, 0, -1)                    = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] prctl(PR_SET_DUMPABLE, SUID_DUMP_USER)  = 0
proxy_1       | [00] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3
proxy_1       | [00] connect(3, {sa_family=AF_UNIX, sun_path="/dev/log"}, 12) = -1 ENOENT (No such file or directory)
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[], [], 8)   = 0
proxy_1       | [00] fork()                                  = 2429
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] exit_group(0)                           = ?
proxy_1       | [00] +++ exited with 0 +++

-- 
Met vriendelijke groeten,
Niels Hofmans

SITE   https://ironpeak.be
BTW   BE0694785660
BANK BE76068909740795

On 19 Nov 2020, at 12:45, Niels Hofmans <hello at ironpeak.be> wrote:

Hello Amos,

I am using the latest Squid release on Alpine, which is 4.13-r0.
After generating the certificate with the exact command `openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout ca.pem -out ca.pem`, I still receive this error.

Since it’s only a debug cert (the file holds the unencrypted private key as well as the certificate, so it must not be trusted or reused outside this test), I gisted it here: https://gist.githubusercontent.com/hazcod/530ae4ad467d8ed3de6621ba04dddc79/raw/fe62ab6b71f888dd890aded2d61c7c798747a665/ca.pem

strace excerpt:

proxy_1       | [00] brk(0x55e41021f000)                     = 0x55e41021f000
proxy_1       | [00] read(3, "", 1024)                       = 0
proxy_1       | [00] close(3)                                = 0
proxy_1       | [00] brk(0x55e410220000)                     = 0x55e410220000
proxy_1       | [00] getuid()                                = 0
proxy_1       | [00] geteuid()                               = 0
proxy_1       | [00] getgid()                                = 0
proxy_1       | [00] getegid()                               = 0
proxy_1       | [00] open("/ca.pem", O_RDONLY)               = -1 EACCES (Permission denied)
proxy_1       | [00] open("/ca.pem", O_RDONLY)               = -1 EACCES (Permission denied)
proxy_1       | [00] geteuid()                               = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[], NULL, 8) = 0
proxy_1       | [00] setgid(1000)                            = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
proxy_1       | [00] connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 24) = -1 ENOENT (No such file or directory)
proxy_1       | [00] close(3)                                = 0
proxy_1       | [00] open("/etc/group", O_RDONLY|O_CLOEXEC)  = 3
proxy_1       | [00] fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
proxy_1       | [00] fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
proxy_1       | [00] read(3, "root:x:0:root\napp:x:1000:\ndnscac"..., 1024) = 88
proxy_1       | [00] read(3, "", 1024)                       = 0
proxy_1       | [00] close(3)                                = 0
proxy_1       | [00] setgroups(1, [1000])                    = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[], NULL, 8) = 0
proxy_1       | [00] setresuid(1000, 1000, 0)                = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
proxy_1       | [00] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_PTRACE, inheritable=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_PTRACE}) = 0
proxy_1       | [00] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_NET_BIND_SERVICE, permitted=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_PTRACE, inheritable=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_PTRACE}) = 0
proxy_1       | [00] prctl(PR_SET_DUMPABLE, SUID_DUMP_USER)  = 0
proxy_1       | [00] writev(2, [{iov_base="2020/11/19 11:44:20| ", iov_len=21}, {iov_base="FATAL: No valid signing certific"..., iov_len=73}], 22020/11/19 11:44:20| FATAL: No valid signing certificate configured for HTTP_port 0.0.0.0:3128) = 94
proxy_1       | [00] writev(2, [{iov_base="\n", iov_len=1}, {iov_base=NULL, iov_len=0}], 2
proxy_1       | [00] ) = 1
proxy_1       | [00] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3
proxy_1       | [00] connect(3, {sa_family=AF_UNIX, sun_path="/dev/log"}, 12) = -1 ENOENT (No such file or directory)
proxy_1       | [00] sendto(3, "<9>Nov 19 11:44:20 : FATAL: No v"..., 95, 0, NULL, 0) = -1 ENOTCONN (Socket not connected)
proxy_1       | [00] connect(3, {sa_family=AF_UNIX, sun_path="/dev/log"}, 12) = -1 ENOENT (No such file or directory)
proxy_1       | [00] writev(2, [{iov_base="2020/11/19 11:44:20| Squid Cache"..., iov_len=72}, {iov_base=NULL, iov_len=0}], 22020/11/19 11:44:20| Squid Cache (Version 4.13): Terminated abnormally.
proxy_1       | [00] ) = 72
proxy_1       | [00] getrusage(RUSAGE_SELF, {ru_utime={tv_sec=0, tv_usec=76197}, ru_stime={tv_sec=0, tv_usec=100984}, ...}) = 0
proxy_1       | [00] writev(2, [{iov_base="CPU Usage: 0.177 seconds = 0.076"..., iov_len=50}, {iov_base=NULL, iov_len=0}], 2CPU Usage: 0.177 seconds = 0.076 user + 0.101 sys
proxy_1       | [00] ) = 50
proxy_1       | [00] writev(2, [{iov_base="Maximum Resident Size: 42304 KB\n", iov_len=32}, {iov_base=NULL, iov_len=0}], 2Maximum Resident Size: 42304 KB
proxy_1       | [00] ) = 32
proxy_1       | [00] writev(2, [{iov_base="Page faults with physical i/o: 0"..., iov_len=33}, {iov_base=NULL, iov_len=0}], 2Page faults with physical i/o: 0
proxy_1       | [00] ) = 33
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
proxy_1       | [00] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
proxy_1       | [00] exit_group(1)                           = ?
proxy_1       | [00] +++ exited with 1 +++
proxy_1       | [00] (error exit: exit status 1)


-- 
Met vriendelijke groeten,
Niels Hofmans

