Re: [squid-users] Problems with effective user

From: Lloyd Parkes <Lloyd.Parkes@dont-contact.us>
Date: Mon, 27 Jun 2005 11:33:48 +1200

I've got back in the country and I've started doing more work on this. I've found answers to these questions before I found these questions. The squid-users mailing list is a bit busier than I expected and I only found this message by chance.

I've thrown truss at the problem and I now have a much clearer idea of what is going on.

>>> Henrik Nordstrom <hno@squid-cache.org> 06/25/05 9:25 AM >>>
>On Mon, 20 Jun 2005, Lloyd Parkes wrote:
>> Only one of the two squid processes runs as 'squid' the parent still
>> runs as 'root'
>This is the way it should be.

I agree. I can see that the command line squid is trying to signal the child squid that is running as squid and not the parent that is running as root.

>I would suspect you are running a nightly snapshot or STABLE10 patched
>with the chroot -k patch, and that there maybe is problems with this
>patch.

You are entirely correct. I've had a lot of luck in the past with adding patches from squid-cache.org to STABLE releases of squid, so I threw in all the patches (six of them).

I noticed that my test machine worked fine, so I ran "truss /usr/local/squid/sbin/squid -k reconfigure 2> truss.out" on each machine and compared the output. The production machine was doing completely different stuff from my test machine. I quickly confirmed that I had different binaries on the two machines (bad me).

Both squids read in the config file, but with the chroot patch, the config file gets 'activated'. I'm guessing it's the call to configDoConfigure() that does it. Later on squid calls setuid(squid) which sets the real, effective and saves user id to squid. It then tries to send the signal to the child squid. Unfortunately the child squid is running as
     USER RUSER PID PPID PGID SID COMMAND
    squid root 768 766 766 766 (squid) -sDYf /usr/local/squid/etc/squid.conf

and the real user id of the two processes need to match if the signal is to be delivered.

This is all on Solaris 9, but other systems should be broadly similar.

I can fix this by simply not using any of the extra patches. Hopefully this info will help with any future work on the chroot patch.

Cheers,
Lloyd
Received on Sun Jun 26 2005 - 17:34:05 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jul 01 2005 - 12:00:03 MDT