[Bug 1193938] New: squid hardening kills perl store-id program
http://bugzilla.opensuse.org/show_bug.cgi?id=1193938

Bug ID: 1193938
Summary: squid hardening kills perl store-id program
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: openSUSE Tumbleweed
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
Assignee: screening-team-bugs@suse.de
Reporter: jimc@jfcarter.net
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 854720
--> http://bugzilla.opensuse.org/attachment.cgi?id=854720&action=edit
Configuration file for Squid

Version: squid-5.2-2.1.x86_64 installed 2021-12-15

My squid.conf (attached, not likely useful) says:

    store_id_program /etc/squid/store-id-distro.pl

Starting when the new Squid version was installed, it filled up the root partition (/var/log/squid/cache.log) with complaints like this:

    Can't locate strict.pm: /usr/lib/perl5/site_perl/5.34.0/\
    x86_64-linux-thread-multi/strict.pm: Permission denied at \
    /etc/squid/store-id-distro.pl line 50.
    BEGIN failed--compilation aborted at /etc/squid/store-id-distro.pl line 50.

(followed by complaints that too few store_id processes are running, and it starts another one, again failing, until the disc fills up.)

strict.pm is actually at /usr/lib/perl5/5.34.0/strict.pm .

This reminds me of a chroot situation, but more likely it's partial, i.e. a hardening command added in SuSE's current hardening campaign. I made a copy of /usr/lib/systemd/system/squid.service (in /etc/systemd...) and commented out hardening commands in various combinations. If I comment out "ProtectHome=true", leaving the others active, Squid returns to normal operation: store_id program is running, and cache.log is svelte. I recommend this change for other users of Squid.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1193938#c3

--- Comment #3 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1193938) was mentioned in
https://build.opensuse.org/request/show/942126 Factory / squid
http://bugzilla.opensuse.org/show_bug.cgi?id=1193938#c4

--- Comment #4 from James Carter <jimc@jfcarter.net> ---
@Martin, thanks for the quick work! I noticed the OBS notice.

@Adam, yes, my store_id program is happy with a readonly include path. I'll remember the override directory trick for future troubleshooting. But I can see that if it's over-used it can turn into a real spaghetti tangle.
http://bugzilla.opensuse.org/show_bug.cgi?id=1193938#c5

Martin Pluskal <mpluskal@suse.com> changed:

           What    |Removed    |Added
    ----------------------------------------------------------------------------
         Status    |CONFIRMED  |RESOLVED
     Resolution    |---        |FIXED

--- Comment #5 from Martin Pluskal <mpluskal@suse.com> ---
I guess it makes no point to keep this report open
http://bugzilla.opensuse.org/show_bug.cgi?id=1193938#c8

James Carter <jimc@jfcarter.net> changed:

           What    |Removed    |Added
    ----------------------------------------------------------------------------
         Status    |RESOLVED   |REOPENED
     Resolution    |FIXED      |---

--- Comment #8 from James Carter <jimc@jfcarter.net> ---
Oops, a regression!

Versions: OpenSuSE Tumbleweed, cpe:/o:opensuse:tumbleweed:20220905
squid-5.6-3.1.x86_64 (fails, installed 2022-09-06)
Prior: squid-5.6-2.1.x86_64 (works)

I'm using the stock /usr/lib/systemd/system/squid.service unit. Following the suggestion of Adam Majer, I made a drop-in directory /etc/systemd/system/squid.service.d/10-protecthome.conf with this content:

    [Service]
    ProtectHome=read-only

Section header '[Service]' is required. To fix, the value must be read-only (no quotes) or false, not an empty string. See "man systemd.exec" for docs.

@Adam, for your perl script that doesn't do anything, I think if it would "use anything" ("use strict;" in my case), that would set off the bug. I have no idea why hiding the homedir would have such an effect, though.
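An added example, not from the bug report or the squid package: a small POSIX shell helper that writes the drop-in override comment #8 describes and checks the two constraints it mentions (a [Service] header, and a bare accepted value rather than an empty or quoted string). The function and file names are assumptions; on a real host the directory is /etc/systemd/system/squid.service.d/.

```shell
#!/bin/sh
# Added example (not part of the bug report). Writes a systemd drop-in that
# relaxes ProtectHome= for squid.service instead of editing the stock unit,
# and validates it the way comment #8 says systemd requires.
# Function and file names are assumptions for this example.

# Values systemd.exec(5) accepts for ProtectHome=: a boolean, read-only, tmpfs.
valid_protecthome_value() {
    case "$1" in
        true|false|yes|no|read-only|tmpfs) return 0 ;;
        *) return 1 ;;
    esac
}

# write_protecthome_dropin DIR VALUE -> writes DIR/10-protecthome.conf
# Returns 1 without writing anything for an empty or quoted value, which
# systemd would reject when the unit is loaded.
write_protecthome_dropin() {
    dir=$1
    value=$2
    valid_protecthome_value "$value" || {
        echo "bad ProtectHome value: '$value'" >&2
        return 1
    }
    mkdir -p "$dir" || return 1
    printf '[Service]\nProtectHome=%s\n' "$value" > "$dir/10-protecthome.conf"
}

# dropin_ok FILE -> 0 if ProtectHome= appears under a [Service] header,
# 1 if the header is missing (systemd ignores a key outside its section).
dropin_ok() {
    awk '
        /^\[Service\]$/ { in_service = 1; next }
        /^\[/           { in_service = 0; next }
        /^ProtectHome=/ { if (in_service) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# On a live system (needs systemd, not run by the checks below), apply and
# confirm the effective value:
#   systemctl daemon-reload && systemctl restart squid.service
#   systemctl show squid.service -p ProtectHome
```

The check with `systemctl show -p ProtectHome` is the quickest way to confirm the drop-in actually took effect before retesting the store_id helper.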