[opensuse-security] Change /var/{cache,log}/squid ownership to squid:squid
Hi,

Can you take a look?
https://bugzilla.opensuse.org/show_bug.cgi?id=918434

Squid daemon having its own exclusive group should allow us to drop root group ownership on these folders.

Current 13.2 package (3.4.4-3.4.2):

# ls -al /var/{cache,log}/squid
/var/cache/squid:
total 76
drwxr-x--- 18 squid root 4096 Feb 20 07:31 .
drwxr-xr-x 8 root root 4096 Feb 20 07:30 ..
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 00
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 01
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 02
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 03
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 04
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 05
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 06
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 07
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 08
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 09
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 0A
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 0B
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 0C
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 0D
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 0E
drwxr-x--- 258 squid nogroup 4096 Feb 20 07:31 0F
-rw-r----- 1 squid nogroup 72 Feb 20 07:31 swap.state

/var/log/squid:
total 96
drwxr-x--- 2 squid root 4096 Feb 20 07:33 .
drwxr-xr-x 7 root root 4096 Feb 20 07:33 ..
-rw-r----- 1 squid root 0 Feb 20 07:33 access.log
-rw-r----- 1 squid nogroup 416 Feb 20 07:32 access.log-20150220.xz
-rw-r----- 1 squid root 79913 Feb 20 07:33 cache.log
-rw-r----- 1 squid nogroup 1580 Feb 20 07:32 cache.log-20150220.xz

After the changes:

# ls -al /var/{cache,log}/squid
/var/cache/squid:
total 76
drwxr-x--- 18 squid squid 4096 Feb 20 07:34 .
drwxr-xr-x 8 root root 4096 Feb 20 07:30 ..
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 00
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 01
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 02
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 03
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 04
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 05
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 06
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 07
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 08
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 09
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 0A
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 0B
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 0C
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 0D
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 0E
drwxr-x--- 258 squid squid 4096 Feb 20 07:31 0F
-rw-r----- 1 squid squid 72 Feb 20 07:34 swap.state

/var/log/squid:
total 176
drwxr-x--- 2 squid squid 4096 Feb 19 17:15 .
drwxr-xr-x 7 root root 4096 Feb 20 07:33 ..
-rw-r----- 1 squid squid 0 Feb 20 07:33 access.log
-rw-r----- 1 squid squid 416 Feb 20 07:32 access.log-20150220.xz
-rw-r----- 1 squid squid 163672 Feb 20 07:34 cache.log
-rw-r----- 1 squid squid 1580 Feb 20 07:32 cache.log-20150220.xz

logrotate config fragment is using 'su squid squid' as an extra safety measure.

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org

Marcos Felipe Rasia de Mello wrote:
> [...]
> /var/log/squid:
> total 176
> drwxr-x--- 2 squid squid 4096 Feb 19 17:15 .
> drwxr-xr-x 7 root root 4096 Feb 20 07:33 ..
> -rw-r----- 1 squid squid 0 Feb 20 07:33 access.log
> -rw-r----- 1 squid squid 416 Feb 20 07:32 access.log-20150220.xz
> -rw-r----- 1 squid squid 163672 Feb 20 07:34 cache.log
> -rw-r----- 1 squid squid 1580 Feb 20 07:32 cache.log-20150220.xz
>
> logrotate config fragment is using 'su squid squid' as an extra safety measure.

That is still just a hack though for software that really offers no other choice. In general it's better to not allow the daemon to write to the directory of its log files. That avoids all kinds of trouble for anything that needs to operate on that directory (like logrotate or rpm but also the admin himself). It also has the benefit that the daemon user cannot corrupt or remove log files that have been rotated, i.e. can't cover the tracks.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5; 90409 Nürnberg; Germany

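Added example, not part of the original thread: a small Python check that reads an `ls -al` listing like the ones above and reports which rotated logs the daemon user could still remove or overwrite. The first listing is the proposed squid:squid layout from the thread; the second (a root:root directory with mode 0755 and root-owned rotated files) is constructed for comparison, and all function names are hypothetical.

```python
PROPOSED = """\
drwxr-x--- 2 squid squid 4096 Feb 19 17:15 .
drwxr-xr-x 7 root root 4096 Feb 20 07:33 ..
-rw-r----- 1 squid squid 0 Feb 20 07:33 access.log
-rw-r----- 1 squid squid 416 Feb 20 07:32 access.log-20150220.xz
-rw-r----- 1 squid squid 163672 Feb 20 07:34 cache.log
-rw-r----- 1 squid squid 1580 Feb 20 07:32 cache.log-20150220.xz
"""
# Constructed variant: directory owned by root, rotated files owned by root.
ROOT_OWNED = """\
drwxr-xr-x 2 root root 4096 Feb 20 07:33 .
drwxr-xr-x 7 root root 4096 Feb 20 07:33 ..
-rw-r----- 1 squid root 0 Feb 20 07:33 access.log
-rw-r----- 1 root root 416 Feb 20 07:32 access.log-20150220.xz
-rw-r----- 1 squid root 163672 Feb 20 07:34 cache.log
-rw-r----- 1 root root 1580 Feb 20 07:32 cache.log-20150220.xz
"""

def perms_for(mode, owner, group, user, groups):
    """Pick the rwx triplet (owner, group or other) that applies to `user`."""
    if owner == user:
        return mode[1:4]
    return mode[4:7] if group in groups else mode[7:10]

def parse_ls(listing):
    """Parse `ls -al` lines into {name: (mode, owner, group)}."""
    rows = (line.split() for line in listing.strip().splitlines())
    return {f[8]: (f[0], f[2], f[3]) for f in rows if len(f) >= 9 and f[0][0] in "-d"}

def audit(listing, user, groups):
    """For each file: can `user` remove/rename it, and can it rewrite its contents?"""
    entries = parse_ls(listing)
    dperm = perms_for(*entries["."], user, groups)
    # Unlink and rename need write + search on the directory, whoever owns the file.
    can_unlink = dperm[1] == "w" and dperm[2] in "xst"
    return {
        name: {"remove": can_unlink,
               "modify": perms_for(*meta, user, groups)[1] == "w"}
        for name, meta in entries.items() if name not in (".", "..")
    }

def tamperable_rotated(listing, user, groups, live=("access.log", "cache.log")):
    """Rotated logs (anything not in `live`) the daemon could delete or alter."""
    report = audit(listing, user, groups)
    return sorted(n for n, r in report.items()
                  if n not in live and (r["remove"] or r["modify"]))

if __name__ == "__main__":
    for label, text in (("squid:squid", PROPOSED), ("root:root", ROOT_OWNED)):
        print(label, tamperable_rotated(text, "squid", {"squid"}))
```

The check only models the classic owner/group/other bits; ACLs and the sticky bit's deletion rules are not considered.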
2015-02-20 11:53 GMT-02:00 Ludwig Nussel <ludwig.nussel@suse.de>:
> That is still just a hack though for software that really offers no other choice. In general it's better to not allow the daemon to write to the directory of its log files. That avoids all kinds of trouble for anything that needs to operate on that directory (like logrotate or rpm but also the admin himself). It also has the benefit that the daemon user cannot corrupt or remove log files that have been rotated, i.e. can't cover the tracks.

Does current root group ownership bring any security? What do you think about the proposed changes?

Marcos Felipe Rasia de Mello wrote:
> Does current root group ownership bring any security?

No. As I tried to explain, if you want to improve security it would be better to change the directory to root:root.

> What do you think about the proposed changes?

Looks more or less cosmetic to me. I have no opinion on that :-)

cu
Ludwig

2015-02-23 6:52 GMT-03:00 Ludwig Nussel <ludwig.nussel@suse.de>:
> Looks more or less cosmetic to me. I have no opinion on that :-)

Marcus Meissner said on the bug report in question that the security team would need to approve it. I call it a cleanup. ;-)

participants (2)
- Ludwig Nussel
- Marcos Felipe Rasia de Mello