Hi, Can you take a look? https://bugzilla.opensuse.org/show_bug.cgi?id=918434 Squid daemon having its own exclusive group should allow us drop root group ownership on these folders. Current 13.2 package (3.4.4-3.4.2): # ls -al /var/{cache,log}/squid /var/cache/squid: total 76 drwxr-x--- 18 squid root 4096 Feb 20 07:31 . drwxr-xr-x 8 root root 4096 Feb 20 07:30 .. drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 00 drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 01 drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 02 drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 03 drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 04 drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 05 drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 06 drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 07 drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 08 drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 09 drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 0A drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 0B drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 0C drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 0D drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 0E drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 0F -rw-r----- 1 squid nogroup 72 Feb 20 07:31 swap.state /var/log/squid: total 96 drwxr-x--- 2 squid root 4096 Feb 20 07:33 . drwxr-xr-x 7 root root 4096 Feb 20 07:33 .. -rw-r----- 1 squid root 0 Feb 20 07:33 access.log -rw-r----- 1 squid nogroup 416 Feb 20 07:32 access.log-20150220.xz -rw-r----- 1 squid root 79913 Feb 20 07:33 cache.log -rw-r----- 1 squid nogroup 1580 Feb 20 07:32 cache.log-20150220.xz After the changes: # ls -al /var/{cache,log}/squid /var/cache/squid: total 76 drwxr-x--- 18 squid squid 4096 Feb 20 07:34 . drwxr-xr-x 8 root root 4096 Feb 20 07:30 .. drwxr-x--- 258 squid squid 4096 Feb 20 07:31 00 drwxr-x--- 258 squid squid 4096 Feb 20 07:31 01 drwxr-x--- 258 squid squid 4096 Feb 20 07:31 02 drwxr-x--- 258 squid squid 4096 Feb 20 07:31 03 drwxr-x--- 258 squid squid 4096 Feb 20 07:31 04 drwxr-x--- 258 squid squid 4096 Feb 20 07:31 05 drwxr-x--- 258 squid squid 4096 Feb 20 07:31 06 drwxr-x--- 258 squid squid 4096 Feb 20 07:31 07 drwxr-x--- 258 squid squid 4096 Feb 20 07:31 08 drwxr-x--- 258 squid squid 4096 Feb 20 07:31 09 drwxr-x--- 258 squid squid 4096 Feb 20 07:31 0A drwxr-x--- 258 squid squid 4096 Feb 20 07:31 0B drwxr-x--- 258 squid squid 4096 Feb 20 07:31 0C drwxr-x--- 258 squid squid 4096 Feb 20 07:31 0D drwxr-x--- 258 squid squid 4096 Feb 20 07:31 0E drwxr-x--- 258 squid squid 4096 Feb 20 07:31 0F -rw-r----- 1 squid squid 72 Feb 20 07:34 swap.state /var/log/squid: total 176 drwxr-x--- 2 squid squid 4096 Feb 19 17:15 . drwxr-xr-x 7 root root 4096 Feb 20 07:33 .. -rw-r----- 1 squid squid 0 Feb 20 07:33 access.log -rw-r----- 1 squid squid 416 Feb 20 07:32 access.log-20150220.xz -rw-r----- 1 squid squid 163672 Feb 20 07:34 cache.log -rw-r----- 1 squid squid 1580 Feb 20 07:32 cache.log-20150220.xz logrotate config fragment is using 'su squid squid' as an extra safety measure. -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org