ebuild: squid-2.5.5.ebuild
At least pam_auth and ncsa_auth need the suid root bit to work (i.e. for access to /etc/shadow). The default install gave me rwxr-xr-x perms (0755), user:root group:root:
    -rwxr-xr-x 1 root root 11344 May 25 02:36 /usr/lib/squid/ncsa_auth
    -rwxr-xr-x 1 root squid 11500 May 25 02:36 /usr/lib/squid/pam_auth
For those helpers to work, perms must be something like rwsr-x--- (4750), user:root group:squid:
    -rwsr-x--- 1 root squid 11500 May 25 02:36 /usr/lib/squid/pam_auth
    -rwsr-x--- 1 root squid 11500 May 25 02:36 /usr/lib/squid/pam_auth
Reproducible: Always
Steps to Reproduce:
1. fresh install of gentoo 2004.1
2. emerge squid
3. configure squid for pam_auth or ncsa_auth
Actual Results: Access denied. (407)
Expected Results: Access granted / Continue. (200)
In squid-2.4.7.ebuild there used to be a (wrong) chmod command for pam_auth, but it has vanished in newer ebuilds.
The ls outputs pasted above are wrong... After fresh install:
    -rwxr-xr-x 1 root root 11344 May 25 02:36 /usr/lib/squid/ncsa_auth
    -rwxr-xr-x 1 root root 11500 May 25 02:36 /usr/lib/squid/pam_auth
Should be:
    -rwsr-x--- 1 root squid 11344 May 25 02:36 /usr/lib/squid/ncsa_auth
    -rwsr-x--- 1 root squid 11500 May 25 02:36 /usr/lib/squid/pam_auth
Adding to the todo list, probably won't look at this until Wednesday or Thursday unless you have a working solution already, Jan.
Created attachment 32875: Diff from 2.5.5-r1.ebuild
Created attachment 32877: Diff from 2.5.5.ebuild
Hi Andrew, I do have a working solution, but remember that we are doing a suid root here! I've attached two patches, one for squid-2.5.5.ebuild and one for squid-2.5.5-r1.ebuild.
This is added into 2.5.5-r2. For the time being I cannot find a better way to do this without suid root, which really is not an optimal solution, but it does work...
A man page pam_auth(8) I found explicitly demands suid root permissions in case of a shadow based system. There is no other way of accessing /etc/shadow, at least for ncsa_auth. I don't know about pam_auth, but I suspect the same for it, even for pam_ldap enabled or other systems. IMO the only two solutions are:
- install the authentication helpers suid root by default, maybe display a warning
- install them 0755 root:root, but display a warning that in case of authentication one must change the perms of the helpers.
OK, changes fixed in 2.5.5-r2 and in 2.5.6, whichever you like. Closing.
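A check of the two helpers against the permissions named in this thread (setuid root, group squid, mode 4750), added here as an example and not part of the bug report or the ebuild. It assumes GNU stat; the function names and result labels are made up for illustration.

```shell
#!/bin/sh
# Added example: audit Squid auth helpers against the thread's target
# permissions (owner root, group squid, mode 4750).
# Assumptions: GNU stat(1); function names and labels are hypothetical.

# classify_helper PATH WANT_OWNER WANT_GROUP
# Prints: ok | missing | not-setuid | wrong-owner | other-access | wrong-group
classify_helper() {
    path=$1 want_owner=$2 want_group=$3
    [ -f "$path" ] || { echo missing; return 1; }
    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$path")
    mode=$((0$1)) owner=$2 group=$3      # leading 0 => parse as octal
    if [ $((mode & 04000)) -eq 0 ]; then
        echo not-setuid                  # the 0755 install the thread reports (407)
        return 1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo wrong-owner                 # setuid to a non-root user cannot read /etc/shadow
        return 1
    fi
    if [ $((mode & 07)) -ne 0 ]; then
        echo other-access                # wider than 4750: users outside the group can run it
        return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo wrong-group                 # 4750 only lets the owning group execute
        return 1
    fi
    echo ok
}

# Report on the helper paths quoted in the thread.
audit_squid_helpers() {
    for h in /usr/lib/squid/ncsa_auth /usr/lib/squid/pam_auth; do
        printf '%s: %s\n' "$h" "$(classify_helper "$h" root squid)"
    done
}

audit_squid_helpers
```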