[Buildroot] [PATCH 1/2] squid: create a user/group

[Buildroot] [PATCH 1/2] squid: create a user/group

[Gustavo Zacarias]

Even though squid uses nobody/nogroup it ain't good for security if
every daemon around uses it, specially since squid is used as a caching
proxy most of the time and that would mean other daemons/scripts run as
nobody would have access to potentially sensitive information.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
 package/squid/squid.mk | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/package/squid/squid.mk b/package/squid/squid.mk
index c8d7417..5e2e659 100644
--- a/package/squid/squid.mk
+++ b/package/squid/squid.mk
@@ -39,7 +39,8 @@ SQUID_CONF_OPTS = \
 	--with-logdir=/var/log/squid/ \
 	--with-pidfile=/var/run/squid.pid \
 	--with-swapdir=/var/cache/squid/ \
-	--enable-icap-client
+	--enable-icap-client \
+	--with-default-user=squid
 
 # On uClibc librt needs libpthread
 ifeq ($(BR2_TOOLCHAIN_HAS_THREADS)$(BR2_TOOLCHAIN_USES_UCLIBC),yy)
@@ -60,4 +61,8 @@ endef
 
 SQUID_POST_INSTALL_TARGET_HOOKS += SQUID_CLEANUP_TARGET
 
+define SQUID_USERS
+	squid -1 squid -1 * - - - Squid proxy cache
+endef
+
 $(eval $(autotools-package))
-- 
2.0.5

[Buildroot] [PATCH 2/2] squid: add sysv initscript

[Gustavo Zacarias]

Add SysV-style initscript, complete rewrite from
http://patchwork.ozlabs.org/patch/412057/

'stop' is handled by squid itself to gracefully (as possible) close
every pending connection and commit changes to disk. By default this is
configured for 30 seconds and can be configured via shutdown_lifetime in
/etc/squid.conf if someone is too anxious.
The script won't block until squid is properly shutdown - but people
should _REALLY_ use restart or reload if that's what they want, instead
of stop+start.

'restart' is handled by squid itself, since if we do a stop/start cycle
we must wait for a clean shutdown cycle (takes time).

'reload' is also handled by squid itself and it's not the same as
restart, it will just trigger a configuration reload without purging
runtime cache (RAM) contents.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
 package/squid/S97squid | 40 ++++++++++++++++++++++++++++++++++++++++
 package/squid/squid.mk |  5 +++++
 2 files changed, 45 insertions(+)
 create mode 100755 package/squid/S97squid

diff --git a/package/squid/S97squid b/package/squid/S97squid
new file mode 100755
index 0000000..b30af5b
--- /dev/null
+++ b/package/squid/S97squid
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+[ -x /usr/sbin/squid ] || exit 0
+[ -f /etc/squid.conf ] || exit 0
+
+case "$1" in
+  start)
+    echo -n "Starting squid: "
+    if [ ! -d /var/log/squid ]; then
+      mkdir -p /var/log/squid
+      chown squid:squid /var/log/squid
+    fi
+    start-stop-daemon -S -x /usr/sbin/squid
+    [ $? = 0 ] && echo "OK" || echo "FAIL"
+    ;;
+
+   stop)
+    echo -n "Stopping squid: "
+    /usr/sbin/squid -k shutdown
+    [ $? = 0 ] && echo "OK" || echo "FAIL"
+    ;;
+
+  reload)
+    echo -n "Reloading squid configuration: "
+    /usr/sbin/squid -k reconfigure
+    [ $? = 0 ] && echo "OK" || echo "FAIL"
+    ;;
+
+  restart)
+    echo -n "Restarting squid: "
+    /usr/sbin/squid -k restart
+    [ $? = 0 ] && echo "OK" || echo "FAIL"
+    ;;
+
+  *)
+    echo "Usage: $0 {start|stop|reload|restart}"
+    exit 1
+esac
+
+exit 0
diff --git a/package/squid/squid.mk b/package/squid/squid.mk
index 5e2e659..0bf516f 100644
--- a/package/squid/squid.mk
+++ b/package/squid/squid.mk
@@ -65,4 +65,9 @@ define SQUID_USERS
 	squid -1 squid -1 * - - - Squid proxy cache
 endef
 
+define SQUID_INSTALL_INIT_SYSV
+	$(INSTALL) -m 755 -D package/squid/S97squid \
+		$(TARGET_DIR)/etc/init.d/S97squid
+endef
+
 $(eval $(autotools-package))
-- 
2.0.5

[Buildroot] [PATCH 2/2] squid: add sysv initscript

[Thomas Petazzoni]

Dear Gustavo Zacarias,

On Wed, 14 Jan 2015 16:14:44 -0300, Gustavo Zacarias wrote:

> diff --git a/package/squid/S97squid b/package/squid/S97squid
> new file mode 100755
> index 0000000..b30af5b
> --- /dev/null
> +++ b/package/squid/S97squid
> @@ -0,0 +1,40 @@
> +#!/bin/sh
> +
> +[ -x /usr/sbin/squid ] || exit 0
> +[ -f /etc/squid.conf ] || exit 0

I must say I'm not very happy with those "if something is missing,
let's bail out silently" tests. We're doing the same in other init
scripts (as we discussed on IRC), but I think we should probably
rethink that a bit, and at least display an error message.

Also, checking for /usr/sbin/squid sound a bit silly, since the init
script is installed by the squid package, which also has installed the
squid binary.

I've nonetheless applied. Follow-up patches welcome, maybe as part of a
more global overhaul of our init scripts.

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH 2/2] squid: add sysv initscript

[Gustavo Zacarias]

On 01/14/2015 04:51 PM, Thomas Petazzoni wrote:
> I must say I'm not very happy with those "if something is missing,
> let's bail out silently" tests. We're doing the same in other init
> scripts (as we discussed on IRC), but I think we should probably
> rethink that a bit, and at least display an error message.
> 
> Also, checking for /usr/sbin/squid sound a bit silly, since the init
> script is installed by the squid package, which also has installed the
> squid binary.
> 
> I've nonetheless applied. Follow-up patches welcome, maybe as part of a
> more global overhaul of our init scripts.

I'll write up my proposal tonight and send it to the mailing list since
i've got many ideas already written up.
I don't want to change too many initscripts without a green card first
since it requires quite some testing.
Regards.

[Buildroot] [PATCH 1/2] squid: create a user/group

[Thomas Petazzoni]

Dear Gustavo Zacarias,

On Wed, 14 Jan 2015 16:14:43 -0300, Gustavo Zacarias wrote:
> Even though squid uses nobody/nogroup it ain't good for security if
> every daemon around uses it, specially since squid is used as a caching
> proxy most of the time and that would mean other daemons/scripts run as
> nobody would have access to potentially sensitive information.
> 
> Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
> ---
>  package/squid/squid.mk | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)

Applied, thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com