Re: Re[2]: [squid-users] Unable to open configuration file

From: Colin Campbell <sgcccdc@dont-contact.us>
Date: Tue, 15 Jan 2002 08:53:42 +1000 (EST)

Hi,

On Mon, 14 Jan 2002, Henrik Nordstrom wrote:

> On Monday 14 January 2002 12.36, Alexander Galitski wrote:
> > Hello Henrik Nordstrom,
> >
> > Monday, January 14, 2002, 9:47:02 AM, you wrote:
> > >> I was merely quoting the uSer Guide, not passing a personal
> > >> opinion. If the User Guide is incorrect, it should be corrected
> > >> by someone who knows what the correct ownerships and permissions
> > >> should be.
> >
> > HN> Where does it tell that config files should be owned by squid?

It doesn't. I was mistaken. I misinterpreted the following from Chapter 3:

    In Chapter 4 we go through the process of changing the user-id that
    Squid runs as, so that files Squid creates are owned by the squid
    user-id, and by the group squid. Binaries are owned by root, and
    config files are changeable by the squidadm group.

> > quoting myself:
> > Chapter 5 - the part "Subdirectory Permissions":
> >
> > ...
> > The /usr/local/squid/etc/ directory should be owned by root, group
> > squidadm, so that squid-administrators would be able to create and
> > update config files. ...
> > cd /usr/local/squid/etc
> > chmod 2775 .
> > chown root:squidadm . *
> > ...
>
>
> Exacly. The config files should be owned by root, only writeable by
> Squid administrators. This does not make them owned by squid.
>
> The directory is setgroupid squidadm to make sure that any files
> created by Squid administrators in this directory will also have the
> group squidadm.
>
>
> Squid should preferably be running as squid:squid

And this takes us back to where we started. Here's part of Alex's
original email showing the permissions on squid.conf.

-r-xr-x--- 1 root squidadm 92485 Dec 28 15:44 /usr/local/squid/etc/squid.conf

I don't know what prompted Alex to set the permissions that way, but I
guess the problem is that squid cannot read the file once it has switched
uid. When it starts, squid is running as root and so can read the file.
Once it has switched to cache_effective_user and _group the file is
inaccessible and squid dies on reconfigure.

I guess the thing that's missing is that, if I understand the User Guide's
intentions of squidadm, the permissions should be 664 on config files. I
could not see anywhere that specifies the permissions on the config files
apart from a section in chapter 5 regarding RCS files where it says:

     # change the permissions of the files in the RCS directory to match
     # newly created files
     chown root:squidadm RCS/*
     chmod 770 RCS/*

This will cause checked-out files to also be 770 will it not? In this case
squid running as squid:squid will fail on a reconfigure cos it cannot read
the config file.

Colin
Received on Mon Jan 14 2002 - 15:54:02 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:05:51 MST