having problem with acl for squid with inheritance

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby weeny » Mon Dec 15, 2003 9:16 am

Hi everybody,

I recently installed a server at a customer site with squid running under grsecurity with kernel 2.4.22.

Everything works fine and is stable, but once in a while I get a deny from gr in dmesg regarding the squid cache directory:

grsec: From 1.2.3.4: denied unlink of /usr/local/squid/2.5.STABLE4/var/cache/00/3E/00003EA3 by (unlinkd:290) UID(1001) EUID(1001), parent (squid:284) UID(1001) EUID(1001)


Here is my squid acl:

/usr/local/squid/2.5.STABLE4/sbin/squid dAX {
/usr/local/squid/2.5.STABLE4/sbin/squid x
/usr/local/squid/2.5.STABLE4/libexec x
/usr/local/squid/2.5.STABLE4/etc r
/usr/local/squid/2.5.STABLE4/bin x
/usr/local/squid/2.5.STABLE4/sbin x
/usr/local/squid/2.5.STABLE4/share r
/usr/local/squid/2.5.STABLE4/var rw
/dev/log rw
/dev/null rw
/etc/passwd r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/etc/resolv.conf r
/etc/hosts r
/usr/share/zoneinfo r
/etc/group r
/etc/host.conf r
/dev/tty rw
/lib rx
/etc/services r
/usr/lib/libdb3.so.3.0.2 rx
/usr/bin/unlink rxi
/ h
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
RES_CRASH 1 60000

connect {
0.0.0.0/0:80 stream tcp
0.0.0.0/0:443 stream tcp
x.x.x.x:53 dgram udp
}

bind {
0.0.0.0:0 dgram ip
0.0.0.0:0 dgram ip udp
127.0.0.1:0 stream ip tcp
0.0.0.0:3128 stream ip tcp
0.0.0.0:3130 dgram ip udp
0.0.0.0:0 stream ip tcp
}

}

As you can see, the

/usr/local/squid/2.5.STABLE4/var rw

should permit rw access to the cache directory. The acl was created in learning mode and after that I added and summarised some entries. Obviously there may be room for improvement (let me know), but the acl works so far.

I think I have an understanding problem regarding inheritance: in the error message I can see that not squid but unlinkd wants to access the file, so according to the documentation I added

/usr/bin/unlink rxi

to give unlink the same permissions as squid, but still the denies pop up.

regards,

weeny

Postby spender » Mon Dec 15, 2003 10:36 am

Are you sure /usr/bin/unlink is the correct filename?

-Brad

Postby spender » Mon Dec 15, 2003 10:43 am

In fact, I'm pretty sure that's the wrong filename. IIRC, squid has an "unlinkd" binary, so you need to use that filename.

-Brad

Postby weeny » Mon Dec 15, 2003 11:50 am

Ah of course...

I did a which unlinkd and nothing was found in the path, so I did a which unlink and got

/usr/bin/unlink

and I thought that this is the program squid is using, but in fact (after I read your reply) I searched with

find /usr/local -name unlinkd

and it showed me that there is a file called

/usr/local/squid/.../libexec/unlinkd


so I put it in my acl now with

/usr/local/squid/.../sbin/squid {
[...]
/usr/local/squid/.../var rw
/usr/local/squid/.../libexec/unlinkd rxi
[...]
}

Is the rxi correct? The idea is that unlinkd inherits the rights from squid...

I cleared dmesg and will wait a couple of hours to see if the message pops up again. Hope this works :) but I am pretty convinced.

Thank you once again for your help

regards

weeny

rxi

Postby snoopy » Mon Dec 15, 2003 4:25 pm

As far as I can see the inheritance shall work well :-)

But I may be wrong because I am a rookie.

Greetings

snoopy

...new results from dmesg

Postby weeny » Tue Dec 16, 2003 4:42 am

OK, I still have these deny messages even after the changes... (I think I cleared dmesg with dmesg -c in a gr-free shell, but I am not sure... you cannot tell because of the missing timestamps of grsecurity in dmesg. Maybe, to make sure, I will also do an echo > /var/log/messages.)

Strange...

So what I tried now is to put the unlinkd binary in an extra acl and switch on learning mode, like this:

/usr/local/..../squid/sbin/squid dXA {
[...old stuff...]
/usr/local/..../squid/var rw
/usr/local/..../squid/libexec/unlinkd rxi
[...old stuff...]

}

# NEW ACL ->
/usr/local/..../squid/libexec/unlinkd lo {
/ h
-CAP_ALL
}

Any more suggestions?

regards weeny

...finally works

Postby weeny » Tue Dec 16, 2003 6:59 pm

Hi,

To close this topic -> the last version worked for me. After I put unlinkd in its own acl, gr stopped sending the deny messages for the cache directory.

I wonder why it did not work when unlinkd was a part of the squid rule with the rxi option.

regards

weeny

P.S.
On the same server I have installed sendmail with mimedefang and spamassassin, working quite well for one week now... if anyone is interested in the ruleset, give me feedback.
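A small triage helper, added here and not part of the thread or of grsecurity's own tools: it parses the deny line from the first post, pulls the object rules out of a trimmed copy of the squid subject, and checks whether the process name in the deny (unlinkd) is the basename of any executable object in that subject. That is exactly the /usr/bin/unlink versus libexec/unlinkd mismatch the thread turns on. The deny-line format is taken from the post; the policy parsing is deliberately minimal and the sample policy is a constructed subset of the one shown above.

```python
import re
from posixpath import basename

# Deny line from the first post, kept verbatim as the sample input.
DENY_LINE = ("grsec: From 1.2.3.4: denied unlink of /usr/local/squid/2.5.STABLE4/var/cache/00/3E/00003EA3 "
             "by (unlinkd:290) UID(1001) EUID(1001), parent (squid:284) UID(1001) EUID(1001)")
# Trimmed copy of the squid subject from the post (only the lines the check needs).
POLICY = """/usr/local/squid/2.5.STABLE4/sbin/squid dAX {
/usr/local/squid/2.5.STABLE4/libexec x
/usr/local/squid/2.5.STABLE4/var rw
/usr/bin/unlink rxi
/ h
-CAP_ALL
connect {
0.0.0.0/0:80 stream tcp
}
}"""
DENY_RE = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?denied (?P<op>\w+) of (?P<path>\S+) by "
    r"\((?P<comm>[^:]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\)"
    r"(?:, parent \((?P<pcomm>[^:]+):(?P<ppid>\d+)\))?")

def parse_deny(line):
    """Split one grsec deny line into named fields; None if it is not a deny line."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None

def parse_subject(text):
    """{object_path: mode} for the first subject; skips +/-CAP_*, RES_* and connect/bind blocks."""
    objects, depth = {}, 0
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("{"):
            depth += 1                      # 1 = subject body, 2 = connect/bind block
        elif line == "}":
            depth -= 1
        elif depth == 1 and line.startswith("/"):
            path, mode = line.split()[:2]
            objects[path] = mode
    return objects

def check_deny(deny, objects):
    """Is there an executable object whose basename is the denied process name?
    The kernel truncates comm to 15 chars, so compare on that prefix only."""
    comm = deny["comm"]
    exact = [p for p, m in objects.items() if "x" in m and basename(p)[:15] == comm]
    if exact:
        return "ok", exact
    # Fall back to executables whose basename is a prefix of comm (e.g. unlink vs unlinkd).
    near = [p for p, m in objects.items() if "x" in m and comm.startswith(basename(p))]
    return "no-executable-object-for-comm", near
```

Run against the first policy it reports the near miss on /usr/bin/unlink; once the libexec/unlinkd object is present it reports ok, which is the state weeny reached before moving unlinkd into its own subject.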
