>> My quick analysis showed that the issue is caused by the capset() call in
>> leave_suid(). Not sure how it affects creating the pid file, though this
>> happens well before the leave_suid() call.
> Squid starts leaving suid very early, then bounces back to root
> momentarily to perform privileged actions.
> I think I understand what happens here... if you have TPROXY enabled
> Squid drops quite many capabilities to be able to keep some without
> running as root. One of those capabilities dropped is CAP_FOWNER and as
> result the pid file can only be created in directories owned by root.
> You can verify if this is the cause by removing the enter/leave_suid
> calls from tools.c writePidFile() and around the related safeunlink call
> in main.c squidShutdown().
Commenting out enter_suid() in writePidFile() is able to create the PID
file.
On the other side, obviously if the directory holding the PID file is owned
by root (like /var/run in Redhat) then the same type of problem would occur.
Received on Tue Feb 13 2007 - 22:55:10 MST
This archive was generated by hypermail pre-2.1.9 : Thu Mar 01 2007 - 12:00:01 MST