Any help is much appreciated, but like I said in the first post, I set all permissions to 777 and still got the same problem (main reason I don't think it's permissions). If everything for squid was set to 777, no matter what user squid is run as, it shouldn't make a difference.
On Thu, 18 Apr 2002, Rick Matthews wrote: > I'm sorry that I haven't been able to help you with your problem. > > I know you are very confident of the ownership and permission sets > that you are using, but you might want to at least consider other > possibilities. I spent about an hour today on the net researching > the "securing squid" topic. I'm not suggesting that one hour on the > net is an exhaustive search, but I would expect to find generally > accepted practices. > > I did not find your ownership/permissions methodology mentioned. I > did find "Securing and Optimizing Red Hat Linux - A guide for > information system, configuration, optimization and network security > professionals", and they seem to be at odds with your method. (see > http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition- > v1.3/chap28sec229.html > or pdf: > <http://www.dsinet.org/textfiles/unix/Securing-Optimizing-RH-Linux-1 > _2.pdf>) > > They recommend that the squid log and cache directories should both > be squid.squid and 0750/drwxr-x--- "for security reasons". (That's > exactly the way mine is set up, by the way.) I'm not suggesting that > drwx vs. drwxr-x would cause a problem, I don't know. (And I learned > a long time ago that I don't know what I don't know.) I'm just > pointing out that there are some in the security business who > disagree with you. > > I've been able to help quite a few people here but I'll admit to you > that I don't know how to get squidGuard working your way. I'm sure > someone else here can help. > > Rick > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]On Behalf Of > [EMAIL PROTECTED] > Sent: Thursday, April 18, 2002 9:25 AM > To: Rick Matthews > Cc: Squidguard Mailing List > Subject: RE: WARNING: cannot run '/usr/local/bin/squidGuard' process > > > On Thu, 18 Apr 2002, Rick Matthews wrote: > > > > > Hmm... There are quite a few discrepancies between your > > > > listing and mine, and mine works. 
> > > > > > mine will also be more secure once all is said and done, > > > a simple buffer overflow could breech your system, as > > > root is the owner of all your squid files, running squid > > > as a different user is far more secure. In fact if your > > > running squid as root you will get a console error > > > telling you not to run squid as root. > > > > You might have missed my statement 4 or 5 lines above this: > > > > > The owner of the running squid and squidGuard processes is > squid. > > > > File ownership and process ownership are not the same thing. > Here's > > the running squid and squidGuard processes on my system (I've > > deleted a few columns to prevent line wrap): > > > > USER PID COMMAND > > root 1178 squid -D > > squid 1180 (squid) -D > > squid 1185 (unlinkd) > > squid 2164 (squidGuard) > > squid 2165 (squidGuard) > > squid 2166 (squidGuard) > > squid 2167 (squidGuard) > > > > Notice that there is one process owned by root and the rest owned > by > > squid; that is by design. Here's how the squid user's guide > explains > > it: > > > > ------- Clip from Squid User's Guide ------------ > > Effective User and Group ID > > =========================== > > Squid can only bind to low numbered ports (such as port 80) if it > is > > started as root. Squid is normally started by your system's rc > > scripts when the machine boots. Since these scripts run as root, > > Squid is started as root at bootup time. > > > > Once Squid has been started, however, there is no need to run it > as > > root. Good security practice is to run programs as root only when > > it's absolutely necessary, and for this reason Squid changes user > > and group ID's once it has bound to the incoming network port. > > > > The cache_effective_user and cache_effective_group tags tell Squid > > what ID's to change to. 
The Unix security system would be useless > if > > it allowed all users to change their ID's at will, so Squid only > > attempts to change ID's if the main program is started as root. > > > > If you do not have root access to the machine, and are thus not > > starting Squid as root, you can simply leave this option commented > > out. Squid will then run with whatever user ID starts the actual > > Squid binary. > > > > As discussed in chapter 2, this book assumes that you have created > > both a squid user and a squid group on your cache machine. The > above > > tags should thus both be set to "squid". > > -------- End of clip ------------------------- > > > > > as root is the owner of all your squid files, > from looking at your directory listings for squid and squidGuard, > under > your owner and group yours said root.root NOT squid.squid > sorry if i assumed to much, but by your permissions, ANYONE could > run > squid. on my box ONLY the users root or squid can access the two > directories > > > > On Wed, 17 Apr 2002, Rick Matthews wrote: > > > > > /usr/local> > > > total 68 > > > drwxr-xr-x 17 root root 4096 Apr 17 21:47 . > > > drwxr-xr-x 19 root root 4096 Sep 21 2001 .. > > > drwxr-xr-x 6 root root 4096 Sep 28 2001 BerkeleyDB > > > drwxr-xr-x 2 root root 4096 Mar 29 08:59 bin > > > drwxr-xr-x 2 root root 4096 Feb 6 1996 doc > > > drwxr-xr-x 2 root root 4096 Feb 6 1996 etc > > > drwxr-xr-x 2 root root 4096 Jun 22 2001 include > > > drwxr-xr-x 2 root root 4096 Feb 6 1996 lib > > > drwxr-xr-x 2 root root 4096 Jun 22 2001 libexec > > > drwxr-xr-x 5 2222 2222 4096 Feb 16 20:25 Net_SSLeay.pm-1.13 > > > drwxr-xr-x 2 root root 4096 Oct 19 22:19 netterm > > > drwxr-xr-x 2 root root 4096 Oct 19 22:24 sbin > > > drwxr-xr-x 4 root root 4096 Oct 18 21:40 share > > > drwxr-xr-x 5 _root root_ 4096 Apr 7 05:13 squidGuard > > > drwxr-xr-x 4 root root 4096 Feb 6 1996 src > > > > > > /usr/local/bin> > > > total 1784 > > > drwxr-xr-x 2 root root 4096 Apr 17 21:55 . 
> > > drwxr-xr-x 17 root root 4096 Apr 17 21:47 .. > > > -rwxr-xr-x 1 root root 18607 Oct 19 22:19 netedit > > > -rwxr-xr-x 1 _root_ _ root_427931 Sep 28 2001 squidGuard > > > > > > Where did you get that idea? All of the following files are owned > by > > squid: > > squid cache > > squid logs > > squidGuard blacklist directories and files > > squidGuard logs > > > > > manually meaning running squidguard manually from > > > the command line, and passing a URL. Just like > > > they suggest doing to see if squidGuard runs proporly > > > before editing the squid.conf file. following the > > > instructions everything worked perfectly up untill > > > squid is used to run the process. > > > > OK, I understand now; all of the *tests* were successful. You > know, > > the FAQ page <http://www.squidguard.org/faq/> addresses an issue > > that is very similar, "squidGuard compiles fine and the tests > > succeed, but it seems to pass all when run under Squid" > > well my problem is nothing like that, seeing as it wont start > squidGuard > and wont pass anything through. > > > > after using the FAQ suggestion: > > 2002/04/18 09:26:33| helperOpenServers: Starting 3 'squidGuard.sh' > processes > 2002/04/18 09:26:33| WARNING: Cannot run > '/usr/local/squid/bin/squidGuard.sh' process. > 2002/04/18 09:26:33| WARNING: Cannot run > '/usr/local/squid/bin/squidGuard.sh' process. > 2002/04/18 09:26:33| WARNING: Cannot run > '/usr/local/squid/bin/squidGuard.sh' process. > > > > > > > > Let's get back to the information that you initially posted. I'll > > try approaching it from another angle to see if I can get my point > > across. > > > > Your squid process gave you the following message: > > WARNING: Cannot run '/usr/local/bin/squidGuard'process. > > What conditions could exist that would result in squid reporting > > "Cannot run '/usr/local/bin/squidGuard'process."? > > > > Let's add another piece of information to the mix. > > > > If squidGuard has a problem getting started (e.g. 
initializing the > > files that it needs) it will document the problems in the > > squidGuard.log. You have stated that when squid tries to start > > squidGuard there are no new entries added to the squidGuard log. > > That tells me that squidGuard hasn't been given the opportunity to > > start up. > > > > OK, let's put them together. > > > > Squid says that it "Cannot run > '/usr/local/bin/squidGuard'process." > > The evidence tells us that the squidGuard executable hasn't been > > run. What conditions could produce these symptoms? (Could it be > ... > > permissions?) > > ok, ill play along with the permisions thing for a while, where are > the > missing files that arent owned by squid and arent readable by sqiud? > they should all be in squid squidGuard and bin (the default > locations) > and ive already shown my permisions are all set +wrx for squid.squid > > > > > How are your squid processes running? What do you get for a 'ps > axu > > | grep squid'? > > squid running peachy: > > > > /home/anthony> ps aux | grep squid > root 5636 0.0 2.0 2908 1180 ?? Is 11:49PM 0:00.01 > ./squid > squid 5638 0.0 11.8 8024 7148 ?? S 11:49PM 0:14.27 > (squid) > (squid) > squid 5639 0.0 0.7 860 392 ?? Is 11:49PM 0:00.05 > (unlinkd) > (unlinkd) > > > > > > > > Rick > > > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, April 17, 2002 11:29 PM > > To: Rick Matthews > > Cc: Squidguard Mailing List > > Subject: RE: WARNING: cannot run '/usr/local/bin/squidGuard' > process > > > > > > > > On Wed, 17 Apr 2002, Rick Matthews wrote: > > > > > /usr/local> > > > total 68 > > > drwxr-xr-x 17 root root 4096 Apr 17 21:47 . > > > drwxr-xr-x 19 root root 4096 Sep 21 2001 .. 
> > > drwxr-xr-x 6 root root 4096 Sep 28 2001 BerkeleyDB > > > drwxr-xr-x 2 root root 4096 Mar 29 08:59 bin > > > drwxr-xr-x 2 root root 4096 Feb 6 1996 doc > > > drwxr-xr-x 2 root root 4096 Feb 6 1996 etc > > > drwxr-xr-x 2 root root 4096 Jun 22 2001 include > > > drwxr-xr-x 2 root root 4096 Feb 6 1996 lib > > > drwxr-xr-x 2 root root 4096 Jun 22 2001 libexec > > > drwxr-xr-x 5 2222 2222 4096 Feb 16 20:25 Net_SSLeay.pm-1.13 > > > drwxr-xr-x 2 root root 4096 Oct 19 22:19 netterm > > > drwxr-xr-x 2 root root 4096 Oct 19 22:24 sbin > > > drwxr-xr-x 4 root root 4096 Oct 18 21:40 share > > > drwxr-xr-x 5 root root 4096 Apr 7 05:13 squidGuard > > > drwxr-xr-x 4 root root 4096 Feb 6 1996 src > > > > > > /usr/local/bin> > > > total 1784 > > > drwxr-xr-x 2 root root 4096 Apr 17 21:55 . > > > drwxr-xr-x 17 root root 4096 Apr 17 21:47 .. > > > -rwxr-xr-x 1 root root 18607 Oct 19 22:19 netedit > > > -rwxr-xr-x 1 root root427931 Sep 28 2001 squidGuard > > > > > > /usr/local/squidGuard> > > > total 28 > > > drwxr-xr-x 5 root root 4096 Apr 17 21:57 . > > > drwxr-xr-x 17 root root 4096 Apr 17 21:47 .. > > > drwxr-xr-x 4 root root 4096 Sep 28 2001 db > > > drwxr-xr-x 2 root root 4096 Apr 14 04:02 log > > > drwxr-xr-x 2 root root 4096 Feb 8 17:57 updates > > > -rw-r--r-- 1 root root 2624 Apr 14 07:42 squidGuard.conf > > > > > > /usr/local/squidGuard/log> > > > total 2852 > > > drwxr-xr-x 2 root root 4096 Apr 17 21:59 . > > > drwxr-xr-x 5 root root 4096 Apr 17 21:57 .. > > > -rw-rw-r-- 1 squid squid 110567 Apr 17 05:01 squidGuard.log > > > > > > squidGuard works fine over here. > > > > > > > (the only data available in the logfile > > > > is from me manually starting squidGuard > > > > while trying to figure out the problem, > > > > i won't waste the time and bandwidth by > > > > listing it here, no errors are in the > > > > file when run manually, and nothing is > > > > added when squid attempts to load it) > > > > > > Sounds like a permissions problem to me. 
> > > > > > > > > From squid.conf: > > > > > > cache_effective_user squid > > > cache_effective_group squid > > > > > > redirect_program /usr/local/bin/squidGuard > > > redirect_children 4 > > > > > > > > > From squidGuard.conf - <See attached squidGuard.conf> > > > > > > > > > > I don't have any squid or squidGuard messages in my dmesg file. > > neither do i from when squid tries to run it > > ive got a few line from trying to start squid after moving it to > > another > > directory, and forgetting to update the conf file first. other > then > > that > > dmesg is clear - not an issue > > > > > > > > The owner of the running squid and squidGuard processes is > squid. > > > > > > > I doubt its a permisions/ownership issue. (unless there > > > > are some other files i dont know about) > > > > > > Hmm... There are quite a few discrepancies between your listing > > and > > > mine, and mine works. > > > > mine will also be more secure once all is said and done, a simple > > buffer > > overflow could breech your system, as root is the owner of all > your > > squid > > files, running squid as a different user is far more secure. In > > fact if > > your running squid as root you will get a console error telling > you > > not to > > run squid as root. > > > > > > > > > It's not a squidGuard config error, it works fine manually. > > > > > > What does "it works fine manually" mean? Are you saying that you > > can > > > start it fine as root, but squid can't start it as squid? (Does > > that > > > tell you something?) > > manually meaning running squidguard manually from the command > line, > > and > > passing a URL. Just like they suggest doing to see if squidGuard > > runs > > proporly before editing the squid.conf file. > > following the instructions everything worked perfectly up untill > > squid is > > used to run the process. > > > > > > I hope you find this helpful. 
> > > > > > Rick Matthews > > > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED]]On Behalf Of > > > [EMAIL PROTECTED] > > > Sent: Wednesday, April 17, 2002 3:16 PM > > > To: [EMAIL PROTECTED] > > > Subject: WARNING: cannot run '/usr/local/bin/squidGuard' process > > > > > > > > > /usr/local> ls -la > > > total 32 > > > drwxr-xr-x 16 root wheel 512 Apr 14 20:39 . > > > drwxr-xr-x 15 root wheel 512 Mar 31 23:26 .. > > > drwxr-xr-x 6 root wheel 512 Apr 14 18:42 BerkeleyDB > > > drwxr-xr-x 2 root wheel 512 Apr 15 09:11 bin > > > drwxr-xr-x 3 root wheel 512 Feb 19 21:24 etc > > > drwxr-xr-x 2 root wheel 512 Mar 30 19:18 include > > > drwxr-xr-x 2 root wheel 512 Mar 30 19:15 info > > > drwxr-xr-x 4 root wheel 1024 Mar 30 19:18 lib > > > drwxr-xr-x 2 root wheel 512 Feb 19 21:24 libdata > > > drwxr-xr-x 2 root wheel 512 Feb 19 21:24 libexec > > > drwxr-xr-x 26 root wheel 512 Feb 19 21:24 man > > > drwxr-xr-x 9 root wheel 512 Feb 19 23:12 samba > > > drwxr-xr-x 2 root wheel 512 Feb 19 21:24 sbin > > > drwxr-xr-x 11 root wheel 512 Feb 19 21:24 share > > > drwx------ 7 squid squid 512 Apr 14 19:43 squid > > > drwx------ 4 squid squid 512 Apr 14 21:06 squidGuard > > > > > > > > > /usr/local/squid> ls -la > > > total 16 > > > drwx------ 7 squid squid 512 Apr 14 19:43 . > > > drwxr-xr-x 16 root wheel 512 Apr 14 20:39 .. > > > drwx------ 2 squid squid 512 Apr 15 09:13 bin > > > drwx------ 18 squid squid 512 Apr 17 11:12 cache > > > drwx------ 4 squid squid 512 Feb 19 22:20 etc > > > drwx------ 3 squid squid 512 Feb 19 22:20 libexec > > > drwx------ 2 squid squid 512 Apr 17 11:11 logs > > > -rwx------ 1 squid squid 682 Apr 14 19:48 squid.out > > > > > > > > > /usr/local/bin> ls -la > > > total 1530 > > > drwxr-xr-x 2 root wheel 512 Apr 15 09:11 . > > > drwxr-xr-x 16 root wheel 512 Apr 14 20:39 .. 
> > > -rwxr-xr-x 1 root wheel 1837 Mar 30 19:15 glib-config > > > -r-xr-xr-x 1 root wheel 1053932 Jan 23 01:30 lynx > > > -rwxr-x--- 1 squid squid 421124 Apr 15 00:17 squidGuard > > > -rwxr-xr-x 1 root wheel 34108 Mar 30 19:18 xdelta > > > -rwxr-xr-x 1 root wheel 1943 Mar 30 19:18 xdelta-config > > > > > > /usr/local/squidGuard> ls -la > > > total 10 > > > drwx------ 4 squid squid 512 Apr 14 21:06 . > > > drwxr-xr-x 16 root wheel 512 Apr 14 20:39 .. > > > drwx------ 13 squid squid 512 Apr 14 21:09 db > > > drwx------ 2 squid squid 512 Apr 14 20:39 log > > > -rwx------ 1 squid squid 538 Apr 15 08:51 squidGuard.conf > > > > > > /usr/local/squidGuard/log> ls -la > > > total 8 > > > drwx------ 2 squid squid 512 Apr 14 20:39 . > > > drwx------ 4 squid squid 512 Apr 14 21:06 .. > > > -rwx------ 1 squid squid 2679 Apr 15 00:19 squidGuard.log > > > > > > > > > /usr/local/squid/logs/cache.log > > > --------------------------------- > > > 2002/04/15 00:08:39| Starting Squid Cache version 2.4.STABLE4 > for > > > i386-unknown-f > > > reebsd4.5... > > > 2002/04/15 00:08:39| Process ID 4549 > > > 2002/04/15 00:08:39| With 957 file descriptors available > > > 2002/04/15 00:08:39| Performing DNS Tests... > > > 2002/04/15 00:08:39| Successful DNS name lookup tests... > > > 2002/04/15 00:08:39| DNS Socket created on FD 4 > > > 2002/04/15 00:08:39| Adding nameserver 204.248.184.2 from > > > /etc/resolv.conf > > > 2002/04/15 00:08:39| Adding nameserver 204.248.184.13 from > > > /etc/resolv.conf > > > 2002/04/15 00:08:39| Adding nameserver 4.1.1.1 from > > /etc/resolv.conf > > > 2002/04/15 00:08:39| Adding nameserver 4.1.1.2 from > > /etc/resolv.conf > > > 2002/04/15 00:08:39| helperOpenServers: Starting 3 'squidGuard' > > > processes > > > 2002/04/15 00:08:39| WARNING: Cannot run > > '/usr/local/bin/squidGuard' > > > process. > > > 2002/04/15 00:08:39| WARNING: Cannot run > > '/usr/local/bin/squidGuard' > > > process. 
> > > 2002/04/15 00:08:39| WARNING: Cannot run > > '/usr/local/bin/squidGuard' > > > process. > > > 2002/04/15 00:08:39| Unlinkd pipe opened on FD 9 > > > 2002/04/15 00:08:39| Swap maxSize 102400 KB, estimated 7876 > > objects > > > 2002/04/15 00:08:39| Target number of buckets: 393 > > > 2002/04/15 00:08:39| Using 8192 Store buckets > > > 2002/04/15 00:08:39| Max Mem size: 8192 KB > > > > > > (the only data available in the logfile is from me manually > > > starting > > > squidGuard > > > while trying to figure out the problem, i won't waste the > time > > > and > > > bandwidth by > > > listing it here, no errors are in the file when run > manually, > > > and > > > nothing is added > > > when squid attempts to load it) > > > > > > > > > > > > From squid.conf: > > > > > > cache_effective_user squid > > > cache_effective_group squid > > > > > > redirect_program /usr/local/bin/squidGuard -c > > > /usr/local/squidGuard/squidGuard.conf > > > redirect_children 3 #Very little taffic, but i have set this up > > to > > > 20 and > > > still no go > > > > > > > > > From squidGuard.conf > > > > > > dbhome /usr/local/squidGuard/db > > > dest porn { > > > domainlist porn/domains > > > urllist porn/urls > > > } > > > dest violence { > > > domainlist violence/domains > > > urllist violence/urls > > > } > > > dest aggressive { > > > domainlist aggressive/domains > > > urllist aggressive/urls > > > } > > > dest drugs { > > > domainlist drugs/domains > > > urllist drugs/urls > > > } > > > dest ads { > > > domainlist ads/domains > > > urllist ads/urls > > > } > > > dest gamble { > > > domainlist gambling/domains > > > urllist gambling/urls > > > } > > > acl { > > > default { > > > pass !porn !violence !drugs !ads !gamble all > > > redirect www.google.com > > > } > > > } > > > > > > > > > The only squid/squidGuard messages in my dmesg* files are from > > > troubleshooting, moving > > > files around, when moved it does say file not found. But this > is > > > normal. 
> > > > > > And now for my list of things ive tried: > > > > > > Running squid as root, these and revised permisions. Same > error. > > > Setting permisions to 777. Same error. > > > Moving squidGuard and all files to squid directory > > > using default directory, using current > > > > > > I doubt its a permisions/ownership issue. (unless there are some > > > other > > > files i dont > > > know about) > > > It's not a squidGuard config error, it works fine manually. > > > > > > Ive run out of solutions... hoping i could get a little help!! > I'm > > > about > > > to pull > > > my hair out!!!!! > > > > > > If im forgetting any important details just let me know. > > > > > > Please respond directly to my e-mail as well as to the list if > > > possable. > > > [EMAIL PROTECTED] > > > > > > > > > > > > > > > > > >
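
Added example, not part of the original thread and not code from Squid or squidGuard: a Python check of whether a given uid and group set can reach and execute a helper such as the `redirect_program` path, walking every directory component and reading only the classic mode bits. The function names, the `base` parameter and the temporary tree (built with the `drwx------` directory modes shown in the `/usr/local/squid` listing) are assumptions made for illustration.

```python
import os
import stat
import tempfile


def _can_x(st, uid, gids):
    """Mode-bit check for execute/search: owner, else group, else other."""
    if uid == 0:
        # root may search any directory, but exec needs at least one x bit
        return stat.S_ISDIR(st.st_mode) or bool(st.st_mode & 0o111)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def check_exec_path(path, uid, gids, base="/"):
    """List reasons uid/gids cannot exec `path`; `base` is assumed reachable."""
    problems = []
    current = os.path.abspath(base)
    parts = os.path.relpath(os.path.abspath(path), current).split(os.sep)
    for part in parts[:-1]:
        current = os.path.join(current, part)
        st = os.stat(current)
        if not _can_x(st, uid, gids):
            problems.append("no search permission on %s (mode %04o)"
                            % (current, stat.S_IMODE(st.st_mode)))
    target = os.path.join(current, parts[-1])
    st = os.stat(target)
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % target)
    elif not _can_x(st, uid, gids):
        problems.append("no execute permission on %s (mode %04o)"
                        % (target, stat.S_IMODE(st.st_mode)))
    return problems


def demo():
    """Constructed tree with the 0700 directory modes from the listing."""
    with tempfile.TemporaryDirectory() as base:
        bindir = os.path.join(base, "local", "squid", "bin")
        os.makedirs(bindir)
        helper = os.path.join(bindir, "squidGuard.sh")
        with open(helper, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(helper, 0o750)
        os.chmod(bindir, 0o700)
        os.chmod(os.path.join(base, "local", "squid"), 0o700)
        os.chmod(os.path.join(base, "local"), 0o755)
        owner = os.stat(helper).st_uid  # the account running this demo
        as_owner = check_exec_path(helper, owner, set(), base)
        as_other = check_exec_path(helper, owner + 1, set(), base)
        return as_owner, as_other


if __name__ == "__main__":
    for who, result in zip(("owner", "other uid"), demo()):
        print(who, "->", result or "ok")
```

On a live system, pass the numeric uid and group ids of the `cache_effective_user` account and the configured helper path. The check reads mode bits only, so ACLs, mount options and a missing script interpreter or shared library are outside what it reports.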
