Mailinglist Archive: opensuse-security (12 mails)

Re: [opensuse-security] Change /var/{cache,log}/squid ownership to squid:squid
  • From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
  • Date: Mon, 23 Feb 2015 10:52:41 +0100
Marcos Felipe Rasia de Mello wrote:
> 2015-02-20 11:53 GMT-02:00 Ludwig Nussel <ludwig.nussel@xxxxxxx>:
>> Marcos Felipe Rasia de Mello wrote:
>
> total 176
> drwxr-x--- 2 squid squid 4096 Feb 19 17:15 .
> drwxr-xr-x 7 root root 4096 Feb 20 07:33 ..
> -rw-r----- 1 squid squid 0 Feb 20 07:33 access.log
> -rw-r----- 1 squid squid 416 Feb 20 07:32 access.log-20150220.xz
> -rw-r----- 1 squid squid 163672 Feb 20 07:34 cache.log
> -rw-r----- 1 squid squid 1580 Feb 20 07:32 cache.log-20150220.xz
>
> logrotate config fragment is using 'su squid squid' as an extra safety

That is still just a hack though for software that really offers no
other choice. In general it's better to not allow the daemon to write to
the directory of its log files. That avoids all kinds of trouble for
anything that needs to operate on that directory (like logrotate or rpm
but also the admin himself). It also has the benefit that the daemon
user cannot corrupt or remove log files that have been rotated, i.e. can't
cover the tracks.

> Does current root group ownership bring any security?

No. As I tried to explain, if you want to improve security it
would be better to change the directory to root:root.

> What do you think about the proposed changes?

Looks more or less cosmetic to me. I have no opinion on that :-)


(o_ Ludwig Nussel
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer
Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5; 90409 Nürnberg; Germany
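
Added example, not part of the original message or of any openSUSE package: a Python check of which log files a daemon account could remove or overwrite, given the directory's and the files' modes and ownership. The uid/gid 31 for squid, the root-owned rotated copy in the second case, and all function names are assumptions made for the illustration.

```python
import os
import pwd
import stat

def _class_bits(mode, owner, group, uid, gids):
    """rwx triplet (0-7) the kernel applies to a non-root uid/gids."""
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7

def tamperable(dir_ent, files, uid, gids):
    """Map file name -> set of actions ('remove', 'overwrite') open to the
    daemon. dir_ent and each files value are (mode, owner_uid, group_gid)."""
    dmode, downer, dgroup = dir_ent
    dir_wx = (_class_bits(dmode, downer, dgroup, uid, gids) & 3) == 3
    sticky = bool(dmode & stat.S_ISVTX)
    result = {}
    for name, (mode, owner, group) in files.items():
        actions = set()
        # Unlink/rename needs w+x on the directory, not on the file itself.
        if dir_wx and (not sticky or uid in (owner, downer)):
            actions.add("remove")
        if _class_bits(mode, owner, group, uid, gids) & 2:
            actions.add("overwrite")
        if actions:
            result[name] = actions
    return result

def scan(path, user):
    """Run the same check against a real directory for account `user`."""
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    def ent(p):
        st = os.lstat(p)
        return (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    files = {n: ent(os.path.join(path, n)) for n in os.listdir(path)}
    return tamperable(ent(path), files, pw.pw_uid, gids)

# Constructed sample data; uid/gid 31 stands in for squid (an assumption).
SQUID = 31
FILES = {"access.log": (0o640, SQUID, SQUID),
         "access.log-20150220.xz": (0o640, SQUID, SQUID)}
# Directory as in the listing above: drwxr-x--- squid squid
AS_LISTED = tamperable((0o750, SQUID, SQUID), FILES, SQUID, {SQUID})
# Directory root:root 0755, rotated copy assumed to be owned by root
HARDENED = tamperable((0o755, 0, 0),
                      {**FILES, "access.log-20150220.xz": (0o640, 0, 0)},
                      SQUID, {SQUID})
```

With the directory owned by squid, both files come back as removable and overwritable; with a root:root directory only the live `access.log` remains writable.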