Squid in chroot jail reconfigure/rotate FATAL errors: SOLVED

Squid in chroot jail reconfigure/rotate FATAL errors: SOLVED

Rudi Vankemmel
I have seen quite a few postings indicating errors when issuing a
squid -k reconfigure or squid -k rotate from within a chroot jail.

I am running Squid 2.7.STABLE2 in a chroot jail, /chroot/squid, as
user.group = squid.squid. This is configured as such in the config file.
In the chroot jail I have a Squid and a SquidGuard directory (containing
the respective installs) alongside the jail's ./etc, ./lib and ./dev dirs.

The first error I encountered was when doing a squid -k rotate,
which should rotate the log files. The following error was seen:

"FATAL: Unable to open configuration file:
 /chroot/squid/Squid/etc/squid.conf: (2) No such file or directory"

After this Squid exits and, if you are lucky, restarts automagically.
It might also crash your system completely.

The reason in my case was that the config file is read as root.root
at start time from outside the chroot jail, i.e.
/chroot/squid/Squid/etc/squid.conf
However, when rotating, squid runs as squid.squid and inside the jail,
/chroot/squid. When it restarts now it looks for the file using the full path
in the chroot jail, i.e. it looks for
/chroot/squid/chroot/squid/Squid/etc/squid.conf
and this file does not exist there!
Note that restarting automagically (from scratch) works fine as you
run as root.root from outside the jail again!

This is easily solved by creating the dirs ./chroot/squid/ again within the
/chroot/squid jail and placing there again a link to the Squid directory,
i.e. in the chroot jail /chroot/squid/:
 -) mkdir -p ./chroot/squid    ; i.e. we make a directory /chroot/squid/chroot/squid
 -) cd ./chroot/squid/
 -) ln -s ../../Squid ./Squid  ; i.e. this loops back to the entry point
    just after the original chroot jail.
    This becomes the new entry point when restarting after a rotation.

Also make sure the permissions are OK for both root and squid: I used root.squid.
Note that this is safe to do as we are staying within the chroot jail.

This solved the rotate problem but next the following error was seen:

"FATAL: getgrnam failed to find groupid for effective group 'squid'"

Now this is an easy one: using strace I found that it is due to the fact that
squid cannot retrieve groupid info within the chroot jail. This is easily
solved by creating a passwd and group (or shadow versions) within the jail,
i.e. /chroot/squid/etc/passwd and /chroot/squid/etc/group. In my case I took
a copy of the normal passwd and group file and stripped everything away,
just leaving the squid user and group in it.

Note that you might also need a copy of /etc/services in
/chroot/squid/etc/services.

After these changes everything works fine.
Hope it is useful for you!

Rudi Vankemmel

Re: Squid in chroot jail reconfigure/rotate FATAL errors: SOLVED

Henrik Nordström
On Fri, 2008-11-14 at 16:41 +0100, Rudi Vankemmel wrote:
> I have seen quite some postings indicating errors when issuing a
> squid -k reconfigure or squid -k rotate from within a chroot jail.

-k rotate should work fine in a chroot, but -k reconfigure requires a
bit of dual filesystem layout and relaxed permissions to work.

The reason for this is that Squid permanently drops all root permissions
when chrooted, to prevent a possible chroot breakout in case of
compromise, but the config file is still read as root before chrooting
(another security measure, making it harder for a possible attacker to
gain access to sensitive config material).

To be able to use "-k reconfigure" you must set things up so that all config
files are accessible within the chroot as your cache_effective_user
(usually done by giving one of its groups read permission to the
files), and also accessible using the same path outside the chroot
(some symlinking is required for this).

Regards
Henrik
