[squid-users] 3.5.8 Arm7 socket permissions
Darren Breeze ML
darren.j.breeze.ml at gmail.com
Thu Oct 29 10:11:57 UTC 2015
Hi
Thanks for the reply.
Libcap2 is in the build, but the build is for an Arm7 and the rootfs is
read only. Anything that needs write access I have moved to a ram disk
and symlinked it back into the expected place during the build process.
There must be something else in the OS standing in the way.
The unit has dnsmasq on it and that's working just fine. It also has a
set of iptables rules that have been tested on an X86 system and work fine.
I can see the run it as root idea is just wrong so that's off the table.
Darren B.
On 29/10/2015 12:37 PM, Amos Jeffries wrote:
> On 29/10/2015 11:16 a.m., Darren Breeze ML wrote:
>> Hi all
>>
>> I have built squid 3.5.8 with yocto to run on an arm 7.
>>
>> This build of the OS seems to have different permissions for processes
>> opening sockets. THe DNS routine fails to open a socket with the
>> following error
>>
>> root at test:~# 2015/10/28 22:07:43 testing| Starting Squid Cache version
>> 3.5.8 for arm-poky-linux-gnueabi...
>> 2015/10/28 22:07:43 kid1| Service Name: squid
>> 2015/10/28 22:07:43 kid1| comm_open: socket failure: (13) Permission denied
>> 2015/10/28 22:07:43 kid1| comm_open: socket failure: (13) Permission denied
>> FATAL: Could not create a DNS socket
>>
>> It looks like I would have to either run squid as a user that can do
>> this or change this underlying permissions setting in the OS.
>>
>> I would rather fix the OS rather than run squid as root.
>
> Firstly, since this is Linux ensure you are building Squid with libcap2
> support. Squid actually uses capabilities when possible.
>
>
> Secondly, *Starting* Squid as root does not mean it stays that way.
>
> Squid is actually a pair of processes, one daemon manager and a daemon.
> You need to start the main "squid" binary as root so the daemon manager
> can do the root things before it drops down to a low-privilege account
> for the regular operations.
>
> That low-privilege account is set by whichever of these is found first
> (in this order):
> * the value in squid.conf cache_effective_user
> * the username X specified in --with-default-user=X
> * upstream default: "nobody"
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list