I'm sorry that I haven't been able to help you with your problem. I know you are very confident of the ownership and permission sets that you are using, but you might want to at least consider other possibilities. I spent about an hour today on the net researching the "securing squid" topic. I'm not suggesting that one hour on the net is an exhaustive search, but I would expect to find generally accepted practices.
I did not find your ownership/permissions methodology mentioned. I did find "Securing and Optimizing Red Hat Linux - A guide for information system, configuration, optimization and network security professionals", and they seem to be at odds with your method. (see http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap28sec229.html or pdf: <http://www.dsinet.org/textfiles/unix/Securing-Optimizing-RH-Linux-1_2.pdf>) They recommend that the squid log and cache directories should both be squid.squid and 0750/drwxr-x--- "for security reasons". (That's exactly the way mine is set up, by the way.) I'm not suggesting that drwx vs. drwxr-x would cause a problem, I don't know. (And I learned a long time ago that I don't know what I don't know.) I'm just pointing out that there are some in the security business who disagree with you. I've been able to help quite a few people here but I'll admit to you that I don't know how to get squidGuard working your way. I'm sure someone else here can help.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 18, 2002 9:25 AM
To: Rick Matthews
Cc: Squidguard Mailing List
Subject: RE: WARNING: cannot run '/usr/local/bin/squidGuard' process

On Thu, 18 Apr 2002, Rick Matthews wrote:

> > > Hmm... There are quite a few discrepancies between your
> > > listing and mine, and mine works.
> >
> > mine will also be more secure once all is said and done,
> > a simple buffer overflow could breach your system, as
> > root is the owner of all your squid files, running squid
> > as a different user is far more secure. In fact if you're
> > running squid as root you will get a console error
> > telling you not to run squid as root.
>
> You might have missed my statement 4 or 5 lines above this:
>
> > The owner of the running squid and squidGuard processes is squid.
>
> File ownership and process ownership are not the same thing. Here's
> the running squid and squidGuard processes on my system (I've
> deleted a few columns to prevent line wrap):
>
> USER PID COMMAND
> root 1178 squid -D
> squid 1180 (squid) -D
> squid 1185 (unlinkd)
> squid 2164 (squidGuard)
> squid 2165 (squidGuard)
> squid 2166 (squidGuard)
> squid 2167 (squidGuard)
>
> Notice that there is one process owned by root and the rest owned by
> squid; that is by design. Here's how the squid user's guide explains
> it:
>
> ------- Clip from Squid User's Guide ------------
> Effective User and Group ID
> ===========================
> Squid can only bind to low numbered ports (such as port 80) if it is
> started as root. Squid is normally started by your system's rc
> scripts when the machine boots. Since these scripts run as root,
> Squid is started as root at bootup time.
>
> Once Squid has been started, however, there is no need to run it as
> root. Good security practice is to run programs as root only when
> it's absolutely necessary, and for this reason Squid changes user
> and group ID's once it has bound to the incoming network port.
>
> The cache_effective_user and cache_effective_group tags tell Squid
> what ID's to change to. The Unix security system would be useless if
> it allowed all users to change their ID's at will, so Squid only
> attempts to change ID's if the main program is started as root.
>
> If you do not have root access to the machine, and are thus not
> starting Squid as root, you can simply leave this option commented
> out. Squid will then run with whatever user ID starts the actual
> Squid binary.
>
> As discussed in chapter 2, this book assumes that you have created
> both a squid user and a squid group on your cache machine. The above
> tags should thus both be set to "squid".
> -------- End of clip -------------------------
>
> > as root is the owner of all your squid files,

from looking at your directory listings for squid and squidGuard, under
your owner and group yours said root.root NOT squid.squid
sorry if I assumed too much, but by your permissions, ANYONE could run
squid. on my box ONLY the users root or squid can access the two
directories

> On Wed, 17 Apr 2002, Rick Matthews wrote:
>
> > /usr/local>
> > total 68
> > drwxr-xr-x 17 root root 4096 Apr 17 21:47 .
> > drwxr-xr-x 19 root root 4096 Sep 21 2001 ..
> > drwxr-xr-x 6 root root 4096 Sep 28 2001 BerkeleyDB
> > drwxr-xr-x 2 root root 4096 Mar 29 08:59 bin
> > drwxr-xr-x 2 root root 4096 Feb 6 1996 doc
> > drwxr-xr-x 2 root root 4096 Feb 6 1996 etc
> > drwxr-xr-x 2 root root 4096 Jun 22 2001 include
> > drwxr-xr-x 2 root root 4096 Feb 6 1996 lib
> > drwxr-xr-x 2 root root 4096 Jun 22 2001 libexec
> > drwxr-xr-x 5 2222 2222 4096 Feb 16 20:25 Net_SSLeay.pm-1.13
> > drwxr-xr-x 2 root root 4096 Oct 19 22:19 netterm
> > drwxr-xr-x 2 root root 4096 Oct 19 22:24 sbin
> > drwxr-xr-x 4 root root 4096 Oct 18 21:40 share
> > drwxr-xr-x 5 _root root_ 4096 Apr 7 05:13 squidGuard
> > drwxr-xr-x 4 root root 4096 Feb 6 1996 src
> >
> > /usr/local/bin>
> > total 1784
> > drwxr-xr-x 2 root root 4096 Apr 17 21:55 .
> > drwxr-xr-x 17 root root 4096 Apr 17 21:47 ..
> > -rwxr-xr-x 1 root root 18607 Oct 19 22:19 netedit
> > -rwxr-xr-x 1 _root_ _ root_427931 Sep 28 2001 squidGuard
>
> Where did you get that idea? All of the following files are owned by
> squid:
> squid cache
> squid logs
> squidGuard blacklist directories and files
> squidGuard logs
>
> > manually meaning running squidguard manually from
> > the command line, and passing a URL. Just like
> > they suggest doing to see if squidGuard runs properly
> > before editing the squid.conf file. following the
> > instructions everything worked perfectly up until
> > squid is used to run the process.
>
> OK, I understand now; all of the *tests* were successful. You know,
> the FAQ page <http://www.squidguard.org/faq/> addresses an issue
> that is very similar, "squidGuard compiles fine and the tests
> succeed, but it seems to pass all when run under Squid"

well my problem is nothing like that, seeing as it won't start
squidGuard and won't pass anything through. after using the FAQ
suggestion:

2002/04/18 09:26:33| helperOpenServers: Starting 3 'squidGuard.sh' processes
2002/04/18 09:26:33| WARNING: Cannot run '/usr/local/squid/bin/squidGuard.sh' process.
2002/04/18 09:26:33| WARNING: Cannot run '/usr/local/squid/bin/squidGuard.sh' process.
2002/04/18 09:26:33| WARNING: Cannot run '/usr/local/squid/bin/squidGuard.sh' process.

>
> Let's get back to the information that you initially posted. I'll
> try approaching it from another angle to see if I can get my point
> across.
>
> Your squid process gave you the following message:
> WARNING: Cannot run '/usr/local/bin/squidGuard'process.
> What conditions could exist that would result in squid reporting
> "Cannot run '/usr/local/bin/squidGuard'process."?
>
> Let's add another piece of information to the mix.
>
> If squidGuard has a problem getting started (e.g. initializing the
> files that it needs) it will document the problems in the
> squidGuard.log. You have stated that when squid tries to start
> squidGuard there are no new entries added to the squidGuard log.
> That tells me that squidGuard hasn't been given the opportunity to
> start up.
>
> OK, let's put them together.
>
> Squid says that it "Cannot run '/usr/local/bin/squidGuard'process."
> The evidence tells us that the squidGuard executable hasn't been
> run. What conditions could produce these symptoms? (Could it be ...
> permissions?)

ok, I'll play along with the permissions thing for a while, where are
the missing files that aren't owned by squid and aren't readable by
squid?
they should all be in squid squidGuard and bin (the default locations)
and I've already shown my permissions are all set +wrx for squid.squid

>
> How are your squid processes running? What do you get for a 'ps axu
> | grep squid'?

squid running peachy:

/home/anthony> ps aux | grep squid
root 5636 0.0 2.0 2908 1180 ?? Is 11:49PM 0:00.01 ./squid
squid 5638 0.0 11.8 8024 7148 ?? S 11:49PM 0:14.27 (squid) (squid)
squid 5639 0.0 0.7 860 392 ?? Is 11:49PM 0:00.05 (unlinkd) (unlinkd)

>
> Rick
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 17, 2002 11:29 PM
> To: Rick Matthews
> Cc: Squidguard Mailing List
> Subject: RE: WARNING: cannot run '/usr/local/bin/squidGuard' process
>
>
>
> On Wed, 17 Apr 2002, Rick Matthews wrote:
>
> > /usr/local>
> > total 68
> > drwxr-xr-x 17 root root 4096 Apr 17 21:47 .
> > drwxr-xr-x 19 root root 4096 Sep 21 2001 ..
> > drwxr-xr-x 6 root root 4096 Sep 28 2001 BerkeleyDB
> > drwxr-xr-x 2 root root 4096 Mar 29 08:59 bin
> > drwxr-xr-x 2 root root 4096 Feb 6 1996 doc
> > drwxr-xr-x 2 root root 4096 Feb 6 1996 etc
> > drwxr-xr-x 2 root root 4096 Jun 22 2001 include
> > drwxr-xr-x 2 root root 4096 Feb 6 1996 lib
> > drwxr-xr-x 2 root root 4096 Jun 22 2001 libexec
> > drwxr-xr-x 5 2222 2222 4096 Feb 16 20:25 Net_SSLeay.pm-1.13
> > drwxr-xr-x 2 root root 4096 Oct 19 22:19 netterm
> > drwxr-xr-x 2 root root 4096 Oct 19 22:24 sbin
> > drwxr-xr-x 4 root root 4096 Oct 18 21:40 share
> > drwxr-xr-x 5 root root 4096 Apr 7 05:13 squidGuard
> > drwxr-xr-x 4 root root 4096 Feb 6 1996 src
> >
> > /usr/local/bin>
> > total 1784
> > drwxr-xr-x 2 root root 4096 Apr 17 21:55 .
> > drwxr-xr-x 17 root root 4096 Apr 17 21:47 ..
> > -rwxr-xr-x 1 root root 18607 Oct 19 22:19 netedit
> > -rwxr-xr-x 1 root root427931 Sep 28 2001 squidGuard
> >
> > /usr/local/squidGuard>
> > total 28
> > drwxr-xr-x 5 root root 4096 Apr 17 21:57 .
> > drwxr-xr-x 17 root root 4096 Apr 17 21:47 ..
> > drwxr-xr-x 4 root root 4096 Sep 28 2001 db
> > drwxr-xr-x 2 root root 4096 Apr 14 04:02 log
> > drwxr-xr-x 2 root root 4096 Feb 8 17:57 updates
> > -rw-r--r-- 1 root root 2624 Apr 14 07:42 squidGuard.conf
> >
> > /usr/local/squidGuard/log>
> > total 2852
> > drwxr-xr-x 2 root root 4096 Apr 17 21:59 .
> > drwxr-xr-x 5 root root 4096 Apr 17 21:57 ..
> > -rw-rw-r-- 1 squid squid 110567 Apr 17 05:01 squidGuard.log
> >
> > squidGuard works fine over here.
> >
> > > (the only data available in the logfile
> > > is from me manually starting squidGuard
> > > while trying to figure out the problem,
> > > i won't waste the time and bandwidth by
> > > listing it here, no errors are in the
> > > file when run manually, and nothing is
> > > added when squid attempts to load it)
> >
> > Sounds like a permissions problem to me.
> >
> >
> > From squid.conf:
> >
> > cache_effective_user squid
> > cache_effective_group squid
> >
> > redirect_program /usr/local/bin/squidGuard
> > redirect_children 4
> >
> >
> > From squidGuard.conf - <See attached squidGuard.conf>
> >
> >
> > I don't have any squid or squidGuard messages in my dmesg file.
> neither do I from when squid tries to run it
> I've got a few lines from trying to start squid after moving it to
> another
> directory, and forgetting to update the conf file first. other than
> that
> dmesg is clear - not an issue
> >
> > > The owner of the running squid and squidGuard processes is squid.
> >
> > > I doubt it's a permissions/ownership issue. (unless there
> > > are some other files I don't know about)
> >
> > Hmm... There are quite a few discrepancies between your listing
> and
> > mine, and mine works.
>
> mine will also be more secure once all is said and done, a simple
> buffer
> overflow could breach your system, as root is the owner of all your
> squid
> files, running squid as a different user is far more secure. In
> fact if
> you're running squid as root you will get a console error telling you
> not to
> run squid as root.
>
> >
> > > It's not a squidGuard config error, it works fine manually.
> >
> > What does "it works fine manually" mean? Are you saying that you
> can
> > start it fine as root, but squid can't start it as squid? (Does
> that
> > tell you something?)
> manually meaning running squidguard manually from the command line,
> and
> passing a URL. Just like they suggest doing to see if squidGuard
> runs
> properly before editing the squid.conf file.
> following the instructions everything worked perfectly up until
> squid is
> used to run the process.
> >
> > I hope you find this helpful.
> >
> > Rick Matthews
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Wednesday, April 17, 2002 3:16 PM
> > To: [EMAIL PROTECTED]
> > Subject: WARNING: cannot run '/usr/local/bin/squidGuard' process
> >
> >
> > /usr/local> ls -la
> > total 32
> > drwxr-xr-x 16 root wheel 512 Apr 14 20:39 .
> > drwxr-xr-x 15 root wheel 512 Mar 31 23:26 ..
> > drwxr-xr-x 6 root wheel 512 Apr 14 18:42 BerkeleyDB
> > drwxr-xr-x 2 root wheel 512 Apr 15 09:11 bin
> > drwxr-xr-x 3 root wheel 512 Feb 19 21:24 etc
> > drwxr-xr-x 2 root wheel 512 Mar 30 19:18 include
> > drwxr-xr-x 2 root wheel 512 Mar 30 19:15 info
> > drwxr-xr-x 4 root wheel 1024 Mar 30 19:18 lib
> > drwxr-xr-x 2 root wheel 512 Feb 19 21:24 libdata
> > drwxr-xr-x 2 root wheel 512 Feb 19 21:24 libexec
> > drwxr-xr-x 26 root wheel 512 Feb 19 21:24 man
> > drwxr-xr-x 9 root wheel 512 Feb 19 23:12 samba
> > drwxr-xr-x 2 root wheel 512 Feb 19 21:24 sbin
> > drwxr-xr-x 11 root wheel 512 Feb 19 21:24 share
> > drwx------ 7 squid squid 512 Apr 14 19:43 squid
> > drwx------ 4 squid squid 512 Apr 14 21:06 squidGuard
> >
> >
> > /usr/local/squid> ls -la
> > total 16
> > drwx------ 7 squid squid 512 Apr 14 19:43 .
> > drwxr-xr-x 16 root wheel 512 Apr 14 20:39 ..
> > drwx------ 2 squid squid 512 Apr 15 09:13 bin
> > drwx------ 18 squid squid 512 Apr 17 11:12 cache
> > drwx------ 4 squid squid 512 Feb 19 22:20 etc
> > drwx------ 3 squid squid 512 Feb 19 22:20 libexec
> > drwx------ 2 squid squid 512 Apr 17 11:11 logs
> > -rwx------ 1 squid squid 682 Apr 14 19:48 squid.out
> >
> >
> > /usr/local/bin> ls -la
> > total 1530
> > drwxr-xr-x 2 root wheel 512 Apr 15 09:11 .
> > drwxr-xr-x 16 root wheel 512 Apr 14 20:39 ..
> > -rwxr-xr-x 1 root wheel 1837 Mar 30 19:15 glib-config
> > -r-xr-xr-x 1 root wheel 1053932 Jan 23 01:30 lynx
> > -rwxr-x--- 1 squid squid 421124 Apr 15 00:17 squidGuard
> > -rwxr-xr-x 1 root wheel 34108 Mar 30 19:18 xdelta
> > -rwxr-xr-x 1 root wheel 1943 Mar 30 19:18 xdelta-config
> >
> > /usr/local/squidGuard> ls -la
> > total 10
> > drwx------ 4 squid squid 512 Apr 14 21:06 .
> > drwxr-xr-x 16 root wheel 512 Apr 14 20:39 ..
> > drwx------ 13 squid squid 512 Apr 14 21:09 db
> > drwx------ 2 squid squid 512 Apr 14 20:39 log
> > -rwx------ 1 squid squid 538 Apr 15 08:51 squidGuard.conf
> >
> > /usr/local/squidGuard/log> ls -la
> > total 8
> > drwx------ 2 squid squid 512 Apr 14 20:39 .
> > drwx------ 4 squid squid 512 Apr 14 21:06 ..
> > -rwx------ 1 squid squid 2679 Apr 15 00:19 squidGuard.log
> >
> >
> > /usr/local/squid/logs/cache.log
> > ---------------------------------
> > 2002/04/15 00:08:39| Starting Squid Cache version 2.4.STABLE4 for i386-unknown-freebsd4.5...
> > 2002/04/15 00:08:39| Process ID 4549
> > 2002/04/15 00:08:39| With 957 file descriptors available
> > 2002/04/15 00:08:39| Performing DNS Tests...
> > 2002/04/15 00:08:39| Successful DNS name lookup tests...
> > 2002/04/15 00:08:39| DNS Socket created on FD 4
> > 2002/04/15 00:08:39| Adding nameserver 204.248.184.2 from /etc/resolv.conf
> > 2002/04/15 00:08:39| Adding nameserver 204.248.184.13 from /etc/resolv.conf
> > 2002/04/15 00:08:39| Adding nameserver 4.1.1.1 from /etc/resolv.conf
> > 2002/04/15 00:08:39| Adding nameserver 4.1.1.2 from /etc/resolv.conf
> > 2002/04/15 00:08:39| helperOpenServers: Starting 3 'squidGuard' processes
> > 2002/04/15 00:08:39| WARNING: Cannot run '/usr/local/bin/squidGuard' process.
> > 2002/04/15 00:08:39| WARNING: Cannot run '/usr/local/bin/squidGuard' process.
> > 2002/04/15 00:08:39| WARNING: Cannot run '/usr/local/bin/squidGuard' process.
> > 2002/04/15 00:08:39| Unlinkd pipe opened on FD 9
> > 2002/04/15 00:08:39| Swap maxSize 102400 KB, estimated 7876 objects
> > 2002/04/15 00:08:39| Target number of buckets: 393
> > 2002/04/15 00:08:39| Using 8192 Store buckets
> > 2002/04/15 00:08:39| Max Mem size: 8192 KB
> >
> > (the only data available in the logfile is from me manually starting
> > squidGuard while trying to figure out the problem, i won't waste the
> > time and bandwidth by listing it here, no errors are in the file when
> > run manually, and nothing is added when squid attempts to load it)
> >
> >
> >
> > From squid.conf:
> >
> > cache_effective_user squid
> > cache_effective_group squid
> >
> > redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
> > redirect_children 3 #Very little traffic, but i have set this up to 20 and still no go
> >
> >
> > From squidGuard.conf
> >
> > dbhome /usr/local/squidGuard/db
> > dest porn {
> > domainlist porn/domains
> > urllist porn/urls
> > }
> > dest violence {
> > domainlist violence/domains
> > urllist violence/urls
> > }
> > dest aggressive {
> > domainlist aggressive/domains
> > urllist aggressive/urls
> > }
> > dest drugs {
> > domainlist drugs/domains
> > urllist drugs/urls
> > }
> > dest ads {
> > domainlist ads/domains
> > urllist ads/urls
> > }
> > dest gamble {
> > domainlist gambling/domains
> > urllist gambling/urls
> > }
> > acl {
> > default {
> > pass !porn !violence !drugs !ads !gamble all
> > redirect www.google.com
> > }
> > }
> >
> >
> > The only squid/squidGuard messages in my dmesg* files are from
> > troubleshooting, moving files around, when moved it does say file
> > not found. But this is normal.
> >
> > And now for my list of things I've tried:
> >
> > Running squid as root, these and revised permissions. Same error.
> > Setting permissions to 777. Same error.
> > Moving squidGuard and all files to squid directory
> > using default directory, using current
> >
> > I doubt it's a permissions/ownership issue. (unless there are some
> > other files I don't know about)
> > It's not a squidGuard config error, it works fine manually.
> >
> > I've run out of solutions... hoping I could get a little help!! I'm
> > about to pull my hair out!!!!!
> >
> > If I'm forgetting any important details just let me know.
> >
> > Please respond directly to my e-mail as well as to the list if
> > possible.
> > [EMAIL PROTECTED]
