> > Hmm... There are quite a few discrepancies between your
> > listing and mine, and mine works.
>
> mine will also be more secure once all is said and done,
> a simple buffer overflow could breach your system, as
> root is the owner of all your squid files, running squid
> as a different user is far more secure.  In fact if you're
> running squid as root you will get a console error
> telling you not to run squid as root.

You might have missed my statement 4 or 5 lines above this:

> The owner of the running squid and squidGuard processes is squid.

File ownership and process ownership are not the same thing. Here's
the running squid and squidGuard processes on my system (I've
deleted a few columns to prevent line wrap):

USER       PID COMMAND
root      1178 squid -D
squid     1180 (squid) -D
squid     1185 (unlinkd)
squid     2164 (squidGuard)
squid     2165 (squidGuard)
squid     2166 (squidGuard)
squid     2167 (squidGuard)

Notice that there is one process owned by root and the rest owned by
squid; that is by design. Here's how the squid user's guide explains
it:

------- Clip from Squid User's Guide ------------
Effective User and Group ID
===========================
Squid can only bind to low numbered ports (such as port 80) if it is
started as root. Squid is normally started by your system's rc
scripts when the machine boots. Since these scripts run as root,
Squid is started as root at bootup time.

Once Squid has been started, however, there is no need to run it as
root. Good security practice is to run programs as root only when
it's absolutely necessary, and for this reason Squid changes user
and group ID's once it has bound to the incoming network port.

The cache_effective_user and cache_effective_group tags tell Squid
what ID's to change to. The Unix security system would be useless if
it allowed all users to change their ID's at will, so Squid only
attempts to change ID's if the main program is started as root.

If you do not have root access to the machine, and are thus not
starting Squid as root, you can simply leave this option commented
out. Squid will then run with whatever user ID starts the actual
Squid binary.

As discussed in chapter 2, this book assumes that you have created
both a squid user and a squid group on your cache machine. The above
tags should thus both be set to "squid".
-------- End of clip -------------------------

> as root is the owner of all your squid files,

Where did you get that idea? All of the following files are owned by
squid:
squid cache
squid logs
squidGuard blacklist directories and files
squidGuard logs

> manually meaning running squidguard manually from
> the command line, and passing a URL.  Just like
> they suggest doing to see if squidGuard runs properly
> before editing the squid.conf file. following the
> instructions everything worked perfectly up until
> squid is used to run the process.

OK, I understand now; all of the *tests* were successful. You know,
the FAQ page <http://www.squidguard.org/faq/> addresses an issue
that is very similar, "squidGuard compiles fine and the tests
succeed, but it seems to pass all when run under Squid"

Let's get back to the information that you initially posted. I'll
try approaching it from another angle to see if I can get my point
across.

Your squid process gave you the following message:
WARNING: Cannot run '/usr/local/bin/squidGuard' process.
What conditions could exist that would result in squid reporting
"Cannot run '/usr/local/bin/squidGuard' process."?

Let's add another piece of information to the mix.

If squidGuard has a problem getting started (e.g. initializing the
files that it needs) it will document the problems in the
squidGuard.log. You have stated that when squid tries to start
squidGuard there are no new entries added to the squidGuard log.
That tells me that squidGuard hasn't been given the opportunity to
start up.

OK, let's put them together.

Squid says that it "Cannot run '/usr/local/bin/squidGuard' process."
The evidence tells us that the squidGuard executable hasn't been
run. What conditions could produce these symptoms? (Could it be ...
permissions?)

How are your squid processes running? What do you get for a 'ps axu
| grep squid'?

Rick
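
Added example, not part of the original thread or of Squid's code: once Squid has switched to cache_effective_user, the redirector is launched as that user, so every directory on the way to the binary needs the search bit and the binary itself needs the execute bit for that user. The sketch below walks a path and reports the first component that fails, run here against a constructed layout; the numeric IDs and the names first_blocker, entry and make_stat are assumptions.

```python
import os
import stat
from types import SimpleNamespace

def class_bits(st, uid, gids):
    """rwx bits (0-7) that apply to uid: owner class, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocker(path, uid, gids, stat_fn=os.stat):
    """First (component, reason) that stops a non-root uid exec'ing path, or
    None. Mode bits only: ACLs and MAC policy are not modelled."""
    parts = [p for p in os.path.abspath(path).split("/") if p]
    chain = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    for comp in chain:
        try:
            st = stat_fn(comp)
        except OSError as err:
            return comp, err.strerror or "stat failed"
        final = comp == chain[-1]
        if final and not stat.S_ISREG(st.st_mode):
            return comp, "not a regular file"
        if not class_bits(st, uid, gids) & 1:
            return comp, ("no execute bit" if final else "no search (x) bit")
    return None

# Constructed layout for illustration (not the poster's system); the numeric
# IDs and helper names below are assumptions.
ROOT, SQUID = 0, 100

def entry(mode, uid, gid):
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)

def make_stat(table):
    def stat_fn(p):
        if p not in table:
            raise FileNotFoundError(2, "No such file or directory")
        return table[p]
    return stat_fn

DIR755 = entry(stat.S_IFDIR | 0o755, ROOT, ROOT)
HELPER = "/usr/local/bin/squidGuard"
SAMPLE = {"/": DIR755, "/usr": DIR755, "/usr/local": DIR755,
          "/usr/local/bin": DIR755,
          HELPER: entry(stat.S_IFREG | 0o750, ROOT, ROOT)}  # root-only binary
print(first_blocker(HELPER, SQUID, {SQUID}, make_stat(SAMPLE)))
```

On a live system, leave stat_fn at its default and pass the real IDs, for example from pwd.getpwnam("squid") and os.getgrouplist("squid", gid).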

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 11:29 PM
To: Rick Matthews
Cc: Squidguard Mailing List
Subject: RE: WARNING: cannot run '/usr/local/bin/squidGuard' process



On Wed, 17 Apr 2002, Rick Matthews wrote:

> /usr/local>
> total 68
> drwxr-xr-x  17 root  root  4096 Apr 17 21:47 .
> drwxr-xr-x  19 root  root  4096 Sep 21  2001 ..
> drwxr-xr-x   6 root  root  4096 Sep 28  2001 BerkeleyDB
> drwxr-xr-x   2 root  root  4096 Mar 29 08:59 bin
> drwxr-xr-x   2 root  root  4096 Feb  6  1996 doc
> drwxr-xr-x   2 root  root  4096 Feb  6  1996 etc
> drwxr-xr-x   2 root  root  4096 Jun 22  2001 include
> drwxr-xr-x   2 root  root  4096 Feb  6  1996 lib
> drwxr-xr-x   2 root  root  4096 Jun 22  2001 libexec
> drwxr-xr-x   5 2222  2222  4096 Feb 16 20:25 Net_SSLeay.pm-1.13
> drwxr-xr-x   2 root  root  4096 Oct 19 22:19 netterm
> drwxr-xr-x   2 root  root  4096 Oct 19 22:24 sbin
> drwxr-xr-x   4 root  root  4096 Oct 18 21:40 share
> drwxr-xr-x   5 root  root  4096 Apr  7 05:13 squidGuard
> drwxr-xr-x   4 root  root  4096 Feb  6  1996 src
>
> /usr/local/bin>
> total 1784
> drwxr-xr-x   2 root  root  4096 Apr 17 21:55 .
> drwxr-xr-x  17 root  root  4096 Apr 17 21:47 ..
> -rwxr-xr-x   1 root  root 18607 Oct 19 22:19 netedit
> -rwxr-xr-x   1 root  root427931 Sep 28  2001 squidGuard
>
> /usr/local/squidGuard>
> total 28
> drwxr-xr-x   5 root  root  4096 Apr 17 21:57 .
> drwxr-xr-x  17 root  root  4096 Apr 17 21:47 ..
> drwxr-xr-x   4 root  root  4096 Sep 28  2001 db
> drwxr-xr-x   2 root  root  4096 Apr 14 04:02 log
> drwxr-xr-x   2 root  root  4096 Feb  8 17:57 updates
> -rw-r--r--   1 root  root  2624 Apr 14 07:42 squidGuard.conf
>
> /usr/local/squidGuard/log>
> total 2852
> drwxr-xr-x   2 root   root    4096 Apr 17 21:59 .
> drwxr-xr-x   5 root   root    4096 Apr 17 21:57 ..
> -rw-rw-r--   1 squid  squid 110567 Apr 17 05:01 squidGuard.log
>
> squidGuard works fine over here.
>
> > (the only data available in the logfile
> > is from me manually starting squidGuard
> > while trying to figure out the problem,
> > i won't waste the time and bandwidth by
> > listing it here, no errors are in the
> > file when run manually, and nothing is
> > added when squid attempts to load it)
>
> Sounds like a permissions problem to me.
>
>
> From squid.conf:
>
> cache_effective_user squid
> cache_effective_group squid
>
> redirect_program /usr/local/bin/squidGuard
> redirect_children 4
>
>
> From squidGuard.conf - <See attached squidGuard.conf>
>


> I don't have any squid or squidGuard messages in my dmesg file.
Neither do I from when squid tries to run it.
I've got a few lines from trying to start squid after moving it to
another directory, and forgetting to update the conf file first.
Other than that dmesg is clear - not an issue.

>
> The owner of the running squid and squidGuard processes is squid.
>
> > I doubt it's a permissions/ownership issue. (unless there
> > are some other files I don't know about)
>
> Hmm... There are quite a few discrepancies between your listing and
> mine, and mine works.

mine will also be more secure once all is said and done, a simple
buffer overflow could breach your system, as root is the owner of all
your squid files, running squid as a different user is far more
secure.  In fact if you're running squid as root you will get a console
error telling you not to run squid as root.

>
> > It's not a squidGuard config error, it works fine manually.
>
> What does "it works fine manually" mean? Are you saying that you can
> start it fine as root, but squid can't start it as squid? (Does that
> tell you something?)
manually meaning running squidguard manually from the command line, and
passing a URL.  Just like they suggest doing to see if squidGuard runs
properly before editing the squid.conf file.
following the instructions everything worked perfectly up until squid
is used to run the process.
>
> I hope you find this helpful.
>
> Rick Matthews
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Wednesday, April 17, 2002 3:16 PM
> To: [EMAIL PROTECTED]
> Subject: WARNING: cannot run '/usr/local/bin/squidGuard' process
>
>
> /usr/local> ls -la
> total 32
> drwxr-xr-x  16 root   wheel   512 Apr 14 20:39 .
> drwxr-xr-x  15 root   wheel   512 Mar 31 23:26 ..
> drwxr-xr-x   6 root   wheel   512 Apr 14 18:42 BerkeleyDB
> drwxr-xr-x   2 root   wheel   512 Apr 15 09:11 bin
> drwxr-xr-x   3 root   wheel   512 Feb 19 21:24 etc
> drwxr-xr-x   2 root   wheel   512 Mar 30 19:18 include
> drwxr-xr-x   2 root   wheel   512 Mar 30 19:15 info
> drwxr-xr-x   4 root   wheel  1024 Mar 30 19:18 lib
> drwxr-xr-x   2 root   wheel   512 Feb 19 21:24 libdata
> drwxr-xr-x   2 root   wheel   512 Feb 19 21:24 libexec
> drwxr-xr-x  26 root   wheel   512 Feb 19 21:24 man
> drwxr-xr-x   9 root   wheel   512 Feb 19 23:12 samba
> drwxr-xr-x   2 root   wheel   512 Feb 19 21:24 sbin
> drwxr-xr-x  11 root   wheel   512 Feb 19 21:24 share
> drwx------   7 squid  squid   512 Apr 14 19:43 squid
> drwx------   4 squid  squid   512 Apr 14 21:06 squidGuard
>
>
> /usr/local/squid> ls -la
> total 16
> drwx------   7 squid  squid  512 Apr 14 19:43 .
> drwxr-xr-x  16 root   wheel  512 Apr 14 20:39 ..
> drwx------   2 squid  squid  512 Apr 15 09:13 bin
> drwx------  18 squid  squid  512 Apr 17 11:12 cache
> drwx------   4 squid  squid  512 Feb 19 22:20 etc
> drwx------   3 squid  squid  512 Feb 19 22:20 libexec
> drwx------   2 squid  squid  512 Apr 17 11:11 logs
> -rwx------   1 squid  squid  682 Apr 14 19:48 squid.out
>
>
> /usr/local/bin> ls -la
> total 1530
> drwxr-xr-x   2 root   wheel      512 Apr 15 09:11 .
> drwxr-xr-x  16 root   wheel      512 Apr 14 20:39 ..
> -rwxr-xr-x   1 root   wheel     1837 Mar 30 19:15 glib-config
> -r-xr-xr-x   1 root   wheel  1053932 Jan 23 01:30 lynx
> -rwxr-x---   1 squid  squid   421124 Apr 15 00:17 squidGuard
> -rwxr-xr-x   1 root   wheel    34108 Mar 30 19:18 xdelta
> -rwxr-xr-x   1 root   wheel     1943 Mar 30 19:18 xdelta-config
>
> /usr/local/squidGuard> ls -la
> total 10
> drwx------   4 squid  squid  512 Apr 14 21:06 .
> drwxr-xr-x  16 root   wheel  512 Apr 14 20:39 ..
> drwx------  13 squid  squid  512 Apr 14 21:09 db
> drwx------   2 squid  squid  512 Apr 14 20:39 log
> -rwx------   1 squid  squid  538 Apr 15 08:51 squidGuard.conf
>
> /usr/local/squidGuard/log> ls -la
> total 8
> drwx------  2 squid  squid   512 Apr 14 20:39 .
> drwx------  4 squid  squid   512 Apr 14 21:06 ..
> -rwx------  1 squid  squid  2679 Apr 15 00:19 squidGuard.log
>
>
> /usr/local/squid/logs/cache.log
> ---------------------------------
> 2002/04/15 00:08:39| Starting Squid Cache version 2.4.STABLE4 for i386-unknown-freebsd4.5...
> 2002/04/15 00:08:39| Process ID 4549
> 2002/04/15 00:08:39| With 957 file descriptors available
> 2002/04/15 00:08:39| Performing DNS Tests...
> 2002/04/15 00:08:39| Successful DNS name lookup tests...
> 2002/04/15 00:08:39| DNS Socket created on FD 4
> 2002/04/15 00:08:39| Adding nameserver 204.248.184.2 from /etc/resolv.conf
> 2002/04/15 00:08:39| Adding nameserver 204.248.184.13 from /etc/resolv.conf
> 2002/04/15 00:08:39| Adding nameserver 4.1.1.1 from /etc/resolv.conf
> 2002/04/15 00:08:39| Adding nameserver 4.1.1.2 from /etc/resolv.conf
> 2002/04/15 00:08:39| helperOpenServers: Starting 3 'squidGuard' processes
> 2002/04/15 00:08:39| WARNING: Cannot run '/usr/local/bin/squidGuard' process.
> 2002/04/15 00:08:39| WARNING: Cannot run '/usr/local/bin/squidGuard' process.
> 2002/04/15 00:08:39| WARNING: Cannot run '/usr/local/bin/squidGuard' process.
> 2002/04/15 00:08:39| Unlinkd pipe opened on FD 9
> 2002/04/15 00:08:39| Swap maxSize 102400 KB, estimated 7876 objects
> 2002/04/15 00:08:39| Target number of buckets: 393
> 2002/04/15 00:08:39| Using 8192 Store buckets
> 2002/04/15 00:08:39| Max Mem  size: 8192 KB
>
>     (the only data available in the logfile is from me manually
>     starting squidGuard while trying to figure out the problem, i
>     won't waste the time and bandwidth by listing it here, no errors
>     are in the file when run manually, and nothing is added when
>     squid attempts to load it)
>
>
>
> From squid.conf:
>
> cache_effective_user squid
> cache_effective_group squid
>
> redirect_program /usr/local/bin/squidGuard -c
> /usr/local/squidGuard/squidGuard.conf
> redirect_children 3  #Very little traffic, but i have set this up to 20 and still no go
>
>
> From squidGuard.conf
>
> dbhome /usr/local/squidGuard/db
> dest porn {
>  domainlist porn/domains
>  urllist    porn/urls
>  }
> dest violence {
>  domainlist violence/domains
>  urllist    violence/urls
>  }
> dest aggressive {
>  domainlist aggressive/domains
>  urllist    aggressive/urls
>  }
> dest drugs {
>  domainlist drugs/domains
>  urllist    drugs/urls
> }
> dest ads {
>  domainlist ads/domains
>  urllist    ads/urls
>  }
> dest gamble {
>  domainlist gambling/domains
>  urllist    gambling/urls
> }
> acl {
> default {
>    pass !porn !violence !drugs !ads !gamble all
>    redirect www.google.com
>  }
> }
>
>
> The only squid/squidGuard messages in my dmesg* files are from
> troubleshooting, moving files around, when moved it does say file
> not found.  But this is normal.
>
> And now for my list of things I've tried:
>
> Running squid as root, these and revised permissions.  Same error.
> Setting permissions to 777.  Same error.
> Moving squidGuard and all files to squid directory
> using default directory, using current
>
> I doubt it's a permissions/ownership issue. (unless there are some
> other files I don't know about)
> It's not a squidGuard config error, it works fine manually.
>
> I've run out of solutions... hoping I could get a little help!! I'm
> about to pull my hair out!!!!!
>
> If I'm forgetting any important details just let me know.
>
> Please respond directly to my e-mail as well as to the list if
> possible.
> [EMAIL PROTECTED]
>
>
>

