[squid-dev] [PATCH] start workers as root

[Tsantilas Christos]

SMP workers in trunk start without root privileges. This results in 
startup  failures when workers need to use a privileged port (e.g., 443) 
or other  root-only features such as TPROXY.


This bug added with my Moved PID file management from Coordinator to 
Master patch.


The problem is inside watch_child function which called after a 
enter_suid() call, but the  writePidFile() call, inside the 
watch_child(), will leave suid mode before exit.


This patch removes the enter_suid/leave_suid cals from the writePidFile 
 and make the caller responsible for setting the root privileges if 
required.
start workers as root

SMP workers in trunk start without root privileges. This results in startup 
failures when workers need to use a privileged port (e.g., 443) or other 
root-only features such as TPROXY.

The watch_child function, responsible to watch and start squid workers for
the squid monitor process, called after a enter_suid() call, but the 
writePidFile() call, inside the watch_child(), will leave suid mode before exit.

This patch removes the enter_suid()/leave_suid() cals from the writePidFile and
make the caller responsible for setting the root privileges if required.

This is a Measurement Factory project

=== modified file 'src/main.cc'
--- src/main.cc	2015-02-09 18:12:51 +
+++ src/main.cc	2015-03-05 17:40:17 +
@@ -922,42 +922,45 @@
 
 storeDirOpenSwapLogs();
 
 mimeInit(Config.mimeTablePathname);
 
 if (unlinkdNeeded())
 unlinkdInit();
 
 #if USE_DELAY_POOLS
 Config.ClientDelay.finalize();
 #endif
 
 if (Config.onoff.announce) {
 if (!eventFind(start_announce, NULL))
 eventAdd(start_announce, start_announce, NULL, 3600.0, 1);
 } else {
 if (eventFind(start_announce, NULL))
 eventDelete(start_announce, NULL);
 }
 
-if (!InDaemonMode())
+if (!InDaemonMode()) {
+enter_suid();
 writePidFile(); /* write PID file */
+leave_suid();
+}
 
 reconfiguring = 0;
 }
 
 static void
 mainRotate(void)
 {
 icmpEngine.Close();
 redirectShutdown();
 #if USE_AUTH
 authenticateRotate();
 #endif
 externalAclShutdown();
 
 _db_rotate_log();   /* cache.log */
 storeDirWriteCleanLogs(1);
 storeLogRotate();   /* store.log */
 accessLogRotate();  /* access.log */
 #if ICAP_CLIENT
 icapLogRotate();   /*icap.log*/
@@ -1174,42 +1177,45 @@
 #if USE_WCCP
 wccpInit();
 
 #endif
 #if USE_WCCPv2
 
 wccp2Init();
 
 #endif
 }
 
 serverConnectionsOpen();
 
 neighbors_init();
 
 // neighborsRegisterWithCacheManager(); //moved to neighbors_init()
 
 if (Config.chroot_dir)
 no_suid();
 
-if (!configured_once  !InDaemonMode())
+if (!configured_once  !InDaemonMode()) {
+enter_suid();
 writePidFile(); /* write PID file */
+leave_suid();
+}
 
 #if defined(_SQUID_LINUX_THREADS_)
 
 squid_signal(SIGQUIT, rotate_logs, SA_RESTART);
 
 squid_signal(SIGTRAP, sigusr2_handle, SA_RESTART);
 
 #else
 
 squid_signal(SIGUSR1, rotate_logs, SA_RESTART);
 
 squid_signal(SIGUSR2, sigusr2_handle, SA_RESTART);
 
 #endif
 
 squid_signal(SIGHUP, reconfigure, SA_RESTART);
 
 squid_signal(SIGTERM, shut_down, SA_RESTART);
 
 squid_signal(SIGINT, shut_down, SA_RESTART);
@@ -1985,39 +1991,41 @@
 asnFreeMemory();
 clientdbFreeMemory();
 httpHeaderCleanModule();
 statFreeMemory();
 eventFreeMemory();
 mimeFreeMemory();
 errorClean();
 #endif
 // clear StoreController
 Store::Root(NULL);
 
 fdDumpOpen();
 
 comm_exit();
 
 RunRegisteredHere(RegisteredRunner::finishShutdown);
 
 memClean();
 
 if (!InDaemonMode()) {
+enter_suid();
 removePidFile();
+leave_suid();
 }
 
 debugs(1, DBG_IMPORTANT, Squid Cache (Version   version_string  ): Exiting normally.);
 
 /*
  * DPW 2006-10-23
  * We used to fclose(debug_log) here if it was set, but then
  * we forgot to set it to NULL.  That caused some coredumps
  * because exit() ends up calling a bunch of destructors and
  * such.   So rather than forcing the debug_log to close, we'll
  * leave it open so that those destructors can write some
  * debugging if necessary.  The file will be closed anyway when
  * the process truly exits.
  */
 
 exit(shutdown_status);
 }
 

=== modified file 'src/tools.cc'
--- src/tools.cc	2015-02-10 03:44:32 +
+++ src/tools.cc	2015-03-05 17:42:25 +
@@ -696,69 +696,63 @@
 roles.append( worker);
 if (IamDiskProcess())
 roles.append( disker);
 return roles;
 }
 
 void
 writePidFile(void)
 {
 int fd;
 const char *f = NULL;
 mode_t old_umask;
 char buf[32];
 
 if ((f = Config.pidFilename) == NULL)
 return;
 
 if (!strcmp(Config.pidFilename, none))
 return;
 
-enter_suid();
-
 old_umask = umask(022);
 
   

Re: [squid-dev] Moved PID file management from Coordinator to Master

[Alex Rousskov]

On 01/21/2015 05:03 AM, Amos Jeffries wrote:
 On 22/01/2015 12:57 a.m., Tsantilas Christos wrote:
 
 I am posting a new patch.
 
 This patch include fixes to follow Squid Coding Style but also have
 a fix for a small bug: In the previous patches I posted the pid
 creation done by master process but the pid file was not removed by
 master process. This patch fixes master process to remove pid file
 on exit.
 
 
 +1.


Amos,

This patch went into trunk (r13867 and r13868). Do you plan on
merging it (together with the pending start workers as root follow up)
into v3.5 branch? It is your call, of course, but it is essentially a
bug fix (SMP Squid does not restart reliably on busy servers without
these changes). We can provide a v3.5-specific [combined] patch if that
will make a positive decision easier for you.


Thank you,

Alex.
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

Re: [squid-dev] [PATCH] start workers as root

[Amos Jeffries]

On 7/03/2015 12:18 a.m., Tsantilas Christos wrote:
 SMP workers in trunk start without root privileges. This results in
 startup  failures when workers need to use a privileged port (e.g., 443)
 or other  root-only features such as TPROXY.
 
 This bug added with my Moved PID file management from Coordinator to
 Master patch.
 
 The problem is inside watch_child function which called after a
 enter_suid() call, but the  writePidFile() call, inside the
 watch_child(), will leave suid mode before exit.
 
 This patch removes the enter_suid/leave_suid cals from the writePidFile
  and make the caller responsible for setting the root privileges if
 required.

I think this is wrong approach.

Firstly, what are processes without SUID ability doing writing to secure
system files?

Secondly, I thought the entire point of the earlier patch was to make
the *MASTER* process was the one writing the PID file. Not
low-privileged workers.

Thirdly, the enter/leave_suid calls mean dangerous security stuff about
to happen and should only be called if absolutely necessary, AND only
around the (block of) system calls which require them.


Your description sounds like some part of the code in worker scope is
using enter_suid doing a lot of Squid stuff - plus incidentally some
root system stuff, then leave_suid. That is broken code. None of the
general Squid stuff are security sentitive system calls needing root
privileges.
 We should be fixing that broken code. Either to not need the system
suid privilege at all, or to call enter/leave_suid only around the
sensitive operation - while also ensuring those suid calls will work at
the point they are used.

Amos

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev