[squid-users] 3.5.8 Arm7 socket permissions
Amos Jeffries
squid3 at treenet.co.nz
Thu Oct 29 04:37:06 UTC 2015
On 29/10/2015 11:16 a.m., Darren Breeze ML wrote:
> Hi all
>
> I have built squid 3.5.8 with yocto to run on an arm 7.
>
> This build of the OS seems to have different permissions for processes
> opening sockets. THe DNS routine fails to open a socket with the
> following error
>
> root at test:~# 2015/10/28 22:07:43 testing| Starting Squid Cache version
> 3.5.8 for arm-poky-linux-gnueabi...
> 2015/10/28 22:07:43 kid1| Service Name: squid
> 2015/10/28 22:07:43 kid1| comm_open: socket failure: (13) Permission denied
> 2015/10/28 22:07:43 kid1| comm_open: socket failure: (13) Permission denied
> FATAL: Could not create a DNS socket
>
> It looks like I would have to either run squid as a user that can do
> this or change this underlying permissions setting in the OS.
>
> I would rather fix the OS rather than run squid as root.
Firstly, since this is Linux ensure you are building Squid with libcap2
support. Squid actually uses capabilities when possible.
Secondly, *Starting* Squid as root does not mean it stays that way.
Squid is actually a pair of processes, one daemon manager and a daemon.
You need to start the main "squid" binary as root so the daemon manager
can do the root things before it drops down to a low-privilege account
for the regular operations.
That low-privilege account is set by whichever of these is found first
(in this order):
* the value in squid.conf cache_effective_user
* the username X specified in --with-default-user=X
* upstream default: "nobody"
Amos
More information about the squid-users
mailing list