Squid - WARNING: no_suid: setuid(0): (1) Operation not permitted
-
Tested with squid3-dev 3.3.10 pkg 2.2.1 and squidGuard-squid3 1.4_4 pkg v.1.9.5
The error WARNING: no_suid: setuid(0): (1) Operation not permitted that appears in squid's /var/squid/logs/cache.log (specifically squid3-devel) does not seem to be critical.
The warning/error can be seen every time squid creates a new process. I'm posting parts of cache.log from a correct startup.
Creation of the SSL Bump processes
2014/03/30 08:35:15 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
Creation of the squidGuard processes
2014/03/30 08:35:15 kid1| helperOpenServers: Starting 8/16 'squidGuard' processes
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
Creation of the unlinkd process
2014/03/30 08:35:16 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:16 kid1| Unlinkd pipe opened on FD 53
Creation of the pinger process
2014/03/30 08:35:16 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:16 kid1| Pinger socket opened on FD 61
Processes of the proxy user
[2.1-RELEASE][admin@pfsense.localdomain]/root(17): ps aux | grep ^proxy
proxy 11326 0.0 1.7 27080 17728 ?? SN 8:35AM 0:02.51 (squid-1) -f /usr/pbi/squid-i386/etc/squid/squid.conf (squid)
proxy 12372 0.0 0.4 6168 3984 ?? IN 8:35AM 0:00.37 (ssl_crtd) -s /var/squid/lib/ssl_db -M 4MB -b 2048 (ssl_crtd)
proxy 12679 0.0 0.4 6168 3804 ?? IN 8:35AM 0:00.02 (ssl_crtd) -s /var/squid/lib/ssl_db -M 4MB -b 2048 (ssl_crtd)
proxy 12944 0.0 0.3 6168 3036 ?? IN 8:35AM 0:00.00 (ssl_crtd) -s /var/squid/lib/ssl_db -M 4MB -b 2048 (ssl_crtd)
proxy 13166 0.0 0.3 6168 3036 ?? IN 8:35AM 0:00.00 (ssl_crtd) -s /var/squid/lib/ssl_db -M 4MB -b 2048 (ssl_crtd)
proxy 13455 0.0 0.3 6168 3036 ?? IN 8:35AM 0:00.00 (ssl_crtd) -s /var/squid/lib/ssl_db -M 4MB -b 2048 (ssl_crtd)
proxy 13482 0.0 1.5 64716 14900 ?? SN 8:35AM 0:00.90 (squidGuard) -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf (squidGuard)
proxy 13777 0.0 1.3 64716 13668 ?? IN 8:35AM 0:00.11 (squidGuard) -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf (squidGuard)
proxy 13832 0.0 1.3 64716 13220 ?? IN 8:35AM 0:00.06 (squidGuard) -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf (squidGuard)
proxy 14079 0.0 0.9 64716 9452 ?? IN 8:35AM 0:00.02 (squidGuard) -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf (squidGuard)
proxy 14518 0.0 0.9 64716 9452 ?? IN 8:35AM 0:00.02 (squidGuard) -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf (squidGuard)
proxy 14736 0.0 0.9 64716 9452 ?? IN 8:35AM 0:00.02 (squidGuard) -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf (squidGuard)
proxy 14963 0.0 0.9 64716 9452 ?? IN 8:35AM 0:00.02 (squidGuard) -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf (squidGuard)
proxy 15070 0.0 0.9 64716 9452 ?? IN 8:35AM 0:00.02 (squidGuard) -c /usr/pbi/squidguard-squid3-i386/etc/squidGuard/squidGuard.conf (squidGuard)
proxy 16358 0.0 0.2 4472 1800 ?? IN 8:35AM 0:00.01 (unlinkd) (unlinkd)
proxy 18267 0.0 0.2 4484 2112 ?? SN 8:35AM 0:00.02 (pinger) (pinger)
Complete startup sequence
[2.1-RELEASE][admin@pfsense.localdomain]/root(18): cat /var/squid/logs/cache.log | grep "2014/03/30 08"
2014/03/30 08:35:15 kid1| Starting Squid Cache version 3.3.10 for i386-portbld-freebsd8.3...
2014/03/30 08:35:15 kid1| Process ID 11326
2014/03/30 08:35:15 kid1| Process Roles: worker
2014/03/30 08:35:15 kid1| With 11095 file descriptors available
2014/03/30 08:35:15 kid1| Initializing IP Cache...
2014/03/30 08:35:15 kid1| DNS Socket created at [::], FD 17
2014/03/30 08:35:15 kid1| DNS Socket created at 0.0.0.0, FD 18
2014/03/30 08:35:15 kid1| Adding domain localdomain from /etc/resolv.conf
2014/03/30 08:35:15 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2014/03/30 08:35:15 kid1| Adding nameserver 80.58.61.250 from /etc/resolv.conf
2014/03/30 08:35:15 kid1| Adding nameserver 80.58.61.254 from /etc/resolv.conf
2014/03/30 08:35:15 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| helperOpenServers: Starting 8/16 'squidGuard' processes
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
2014/03/30 08:35:15 kid1| parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/ca/error-details.txt
2014/03/30 08:35:15 kid1| Unable to load default error language files. Reset to backups.
2014/03/30 08:35:15 kid1| WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
2014/03/30 08:35:15 kid1| parse error while reading template file: /usr/pbi/squid-i386/etc/squid/errors/templates/error-details.txt
2014/03/30 08:35:15 kid1| WARNING: failed to find or read error text file error-details.txt
2014/03/30 08:35:15 kid1| WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
2014/03/30 08:35:15 kid1| WARNING! invalid error detail name: X509_V_ERR_DIFFERENT_CRL_SCOPE
2014/03/30 08:35:15 kid1| Logfile: opening log /var/squid/logs/access.log
2014/03/30 08:35:15 kid1| WARNING: log parameters now start with a module name. Use 'stdio:/var/squid/logs/access.log'
2014/03/30 08:35:16 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:16 kid1| Unlinkd pipe opened on FD 53
2014/03/30 08:35:16 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2014/03/30 08:35:16 kid1| Store logging disabled
2014/03/30 08:35:16 kid1| Swap maxSize 102400 + 8192 KB, estimated 8507 objects
2014/03/30 08:35:16 kid1| Target number of buckets: 425
2014/03/30 08:35:16 kid1| Using 8192 Store buckets
2014/03/30 08:35:16 kid1| Max Mem size: 8192 KB
2014/03/30 08:35:16 kid1| Max Swap size: 102400 KB
2014/03/30 08:35:16 kid1| Rebuilding storage in /var/squid/cache (dirty log)
2014/03/30 08:35:16 kid1| Using Least Load store dir selection
2014/03/30 08:35:16 kid1| Current Directory is /etc
2014/03/30 08:35:16 kid1| Loaded Icons.
2014/03/30 08:35:16 kid1| HTCP Disabled.
2014/03/30 08:35:16 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:16 kid1| Pinger socket opened on FD 61
2014/03/30 08:35:16| pinger: Initialising ICMP pinger ...
2014/03/30 08:35:16| pinger: ICMP socket opened.
2014/03/30 08:35:16| pinger: ICMPv6 socket opened
2014/03/30 08:35:16 kid1| Squid plugin modules loaded: 0
2014/03/30 08:35:16 kid1| Adaptation support is off.
2014/03/30 08:35:16 kid1| Accepting SSL bumped HTTP Socket connections at local=192.168.1.1:3128 remote=[::] FD 56 flags=9
2014/03/30 08:35:16 kid1| Accepting NAT intercepted SSL bumped HTTP Socket connections at local=127.0.0.1:3128 remote=[::] FD 57 flags=41
2014/03/30 08:35:16 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=127.0.0.1:3129 remote=[::] FD 58 flags=41
2014/03/30 08:35:16 kid1| Accepting ICP messages on [::]:7
2014/03/30 08:35:16 kid1| Sending ICP messages from [::]:7
2014/03/30 08:35:16 kid1| Store rebuilding is 82.56% complete
2014/03/30 08:35:16 kid1| Done reading /var/squid/cache swaplog (4844 entries)
2014/03/30 08:35:16 kid1| Finished rebuilding storage from disk.
2014/03/30 08:35:16 kid1| 4844 Entries scanned
2014/03/30 08:35:16 kid1| 0 Invalid entries.
2014/03/30 08:35:16 kid1| 0 With invalid flags.
2014/03/30 08:35:16 kid1| 4844 Objects loaded.
2014/03/30 08:35:16 kid1| 0 Objects expired.
2014/03/30 08:35:16 kid1| 0 Objects cancelled.
2014/03/30 08:35:16 kid1| 0 Duplicate URLs purged.
2014/03/30 08:35:16 kid1| 0 Swapfile clashes avoided.
2014/03/30 08:35:16 kid1| Took 0.44 seconds (10940.66 objects/sec).
2014/03/30 08:35:16 kid1| Beginning Validation Procedure
2014/03/30 08:35:16 kid1| Completed Validation Procedure
2014/03/30 08:35:16 kid1| Validated 4844 Entries
2014/03/30 08:35:16 kid1| store_swap_size = 92158.00 KB
2014/03/30 08:35:17 kid1| storeLateRelease: released 0 objects
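The pattern in the log above is that every no_suid warning belongs to one helper process squid has just spawned. The following script is an added example (not part of the original post) that checks exactly that on a cache.log: it pairs each "helperOpenServers: Starting N/M" line with the N warnings that follow it, attributes the single unlinkd and pinger warnings by the "opened" line that comes right after them, and flags any helper whose count does not match. The sample log inside it is constructed.

```shell
# Added example: pair no_suid warnings in cache.log with the helper that
# triggered them. Each "Starting N/M 'name' processes" line should be
# followed by N warnings; unlinkd/pinger have no "Starting" line.

# Constructed sample in the same shape as the real cache.log.
sample_log() {
    cat <<'EOF'
2014/03/30 08:35:15 kid1| helperOpenServers: Starting 2/5 'ssl_crtd' processes
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| Logfile: opening log /var/squid/logs/access.log
2014/03/30 08:35:15 kid1| helperOpenServers: Starting 3/16 'squidGuard' processes
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:15 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:16 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:16 kid1| Unlinkd pipe opened on FD 53
2014/03/30 08:35:16 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/03/30 08:35:16 kid1| Pinger socket opened on FD 61
EOF
}

# Print one line per helper: "name expected seen OK|MISMATCH".
# Reads the files given as arguments, or stdin when there are none.
no_suid_report() {
    awk '
    $4 == "helperOpenServers:" && $5 == "Starting" {
        split($6, nm, "/")                     # "5/5" -> started/configured
        cur = substr($7, 2, length($7) - 2)    # strip the quotes around the name
        if (!(cur in expected)) order[++k] = cur
        expected[cur] += nm[1]; warned = 0; next
    }
    /WARNING: no_suid: setuid\(0\)/ { seen[cur]++; warned = 1; next }
    /Unlinkd pipe opened/ || /Pinger socket opened/ {
        h = ($4 == "Unlinkd") ? "unlinkd" : "pinger"
        if (warned) { seen[cur]--; seen[h]++ }  # re-attribute the preceding warning
        if (!(h in expected)) order[++k] = h; expected[h] = 1
    }
    { warned = 0 }
    END {
        for (i = 1; i <= k; i++) {
            h = order[i]
            printf "%s %d %d %s\n", h, expected[h], seen[h],
                   (expected[h] == seen[h]) ? "OK" : "MISMATCH"
        }
    }' "$@"
}

sample_log | no_suid_report   # on the live box: no_suid_report /var/squid/logs/cache.log
```

A MISMATCH line means warnings appeared that no helper spawn accounts for (or a helper spawned without one), which is the case worth investigating rather than the expected one-per-helper noise.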
-
And what is setuid?
It is the way FreeBSD manages/allows a user to "escalate" privileges to another user (typically to carry out root tasks).
http://www.freebsd.org/cgi/man.cgi?query=setuid
http://www.freebsd.org/doc/handbook/permissions.html (4.4.3. The setuid, setgid, and sticky Permissions)
- This link contains an excellent explanation of how passwd needs to run first at user level and then at root level.
http://www.freebsd.org/doc/en/books/developers-handbook/secure-setuid.html
Why does squid want to switch from the proxy user to root?
http://wiki.squid-cache.org/ProgrammingGuide/ExternalPrograms?highlight=%28setuid%29
More on the subject (it is not a pfSense-specific issue, it is a squid one)
Google: squid setuid
As a FreeBSD user I remember having had to adjust this behaviour once for PERL. One example:
http://www.freebsdwiki.net/index.php/Perl_setuid
So I understand that the processes started by the proxy user want to be root for something but are not given permission. However, the message seems to be only a warning, and squid3-devel with SSL Bump plus squidGuard work perfectly.
If in doubt, it seems you would have to add kern.sugid_coredump under System: Advanced: System Tunables to get more complete reports, http://wiki.squid-cache.org/SquidFaq/BugReporting?highlight=%28setuid%29#crashes_and_core_dumps
-
What is each external process called by kid1 (squid-1, the parent process)?
unlinkd (deletion of stale files in the cache)
http://www.squid-cache.org/Doc/config/unlinkd_program/
pinger (pings nearby squids to decide which "parent" is best to query)
http://www.squid-cache.org/Doc/config/pinger_enable/
http://www.squid-cache.org/Doc/config/pinger_program/
Better to disable it if it is not needed, http://forum.pfsense.org/index.php?topic=74314.0
sslcrtd (generation of certificates "on the fly" for SSL Bump)
http://www.squid-cache.org/Doc/config/sslcrtd_children/
http://www.squid-cache.org/Doc/config/sslcrtd_program/
squidGuard (advanced URL filtering)
http://www.squid-cache.org/Doc/config/url_rewrite_program/
http://www.squidguard.org/
Complete list of directives for squid.conf, http://www.squid-cache.org/Doc/config/
-
Related to setuid, warnings like the following can be seen in /var/squid/logs/cache.log:
2014-03-30 10:46:48 [68375] (squidGuard): can't write to logfile /var/log/squidGuard.log
2014-03-30 10:46:48 [68375] New setting: logdir: /var/squidGuard/log
The reason is as follows:
[2.1-RELEASE][admin@pfsense.localdomain]/var/log(56): find / -name squidGuard.log
/var/log/squidGuard.log
/var/squidGuard/log/squidGuard.log
[2.1-RELEASE][admin@pfsense.localdomain]/var/log(57): ls -l /var/log/squidGuard.log
-rw------- 1 root wheel 2098875 Mar 30 08:35 /var/log/squidGuard.log
[2.1-RELEASE][admin@pfsense.localdomain]/var/log(58): ls -l /var/squidGuard/log/squidGuard.log
-rwxr-xr-x 1 proxy proxy 359621 Mar 30 10:47 /var/squidGuard/log/squidGuard.log
When squid tells squidGuard to reconfigure itself, squidGuard tries to write to /var/log/squidGuard.log (which only root can access) and ends up writing to /var/squidGuard/log/squidGuard.log (which belongs to proxy).
However, when it is pfSense itself that writes (at startup, or from the squidGuard web configurator), it does so to /var/log/squidGuard.log.
Apart from the confusion in the logs, it is of no further importance.
Solution (untested) so that everything goes to the same place:
cd /var/log
rm /var/log/squidGuard.log
ln -s /var/squidGuard/log/squidGuard.log squidGuard.log