Bug 52977 - squid authentication helpers lack suid permissions
Summary: squid authentication helpers lack suid permissions
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High normal
Assignee: Andrew Bevitt
Reported: 2004-06-04 07:05 UTC by Jan Koop
Modified: 2004-07-14 22:29 UTC

Attachments
Diff from 2.5.5-r1.ebuild (suid_authhelpers_r1.patch,691 bytes, patch)
2004-06-07 09:46 UTC, Jan Koop
Diff from 2.5.5.ebuild (suid_authhelpers.patch,655 bytes, patch)
2004-06-07 09:50 UTC, Jan Koop

Description Jan Koop 2004-06-04 07:05:27 UTC
ebuild: squid-2.5.5.ebuild
At least pam_auth and ncsa_auth need the suid root bit to work (i.e. for access to /etc/shadow).
The default install gave me rwxr-xr-x perms (0755), user:root group:root:
-rwxr-xr-x  1 root root  11344 May 25 02:36 /usr/lib/squid/ncsa_auth
-rwxr-xr-x  1 root squid 11500 May 25 02:36 /usr/lib/squid/pam_auth
For those helpers to work, perms must be something like rwsr-x--- (4750) user:root group:squid:
-rwsr-x---  1 root squid 11500 May 25 02:36 /usr/lib/squid/pam_auth
-rwsr-x---  1 root squid 11500 May 25 02:36 /usr/lib/squid/pam_auth


Reproducible: Always
Steps to Reproduce:
1. fresh install of gentoo 2004.1
2. emerge squid
3. configure squid for pam_auth or ncsa_auth
Actual Results:  
Access denied. (407)

Expected Results:  
Access granted / Continue. (200)

In squid-2.4.7.ebuild there used to be a (wrong) chmod command for pam_auth, but it has vanished in newer ebuilds.
Comment 1 Jan Koop 2004-06-04 07:09:31 UTC
above pasted ls outputs are wrong...

after fresh install:
-rwxr-xr-x  1 root root  11344 May 25 02:36 /usr/lib/squid/ncsa_auth
-rwxr-xr-x  1 root root 11500 May 25 02:36 /usr/lib/squid/pam_auth

should be:
-rwsr-x---  1 root squid 11344 May 25 02:36 /usr/lib/squid/ncsa_auth
-rwsr-x---  1 root squid 11500 May 25 02:36 /usr/lib/squid/pam_auth
Comment 2 Andrew Bevitt 2004-06-04 17:37:41 UTC
Adding to the todo list, probably won't look at this until Wednesday or Thursday unless you have a working solution already, Jan.
Comment 3 Jan Koop 2004-06-07 09:46:57 UTC
Created attachment 32875
Diff from 2.5.5-r1.ebuild
Comment 4 Jan Koop 2004-06-07 09:50:33 UTC
Created attachment 32877
Diff from 2.5.5.ebuild
Comment 5 Jan Koop 2004-06-07 09:52:44 UTC
Hi Andrew,
I do have a working solution, but remember that we are doing a suid root here!

I've attached two patches, one for squid-2.5.5.ebuild and one for squid-2.5.5-r1.ebuild
Comment 6 Andrew Bevitt 2004-06-11 07:14:23 UTC
This is added into 2.5.5-r2 

For the time being I cannot find a better way to do this without suid root, which really is not an optimal solution, but it does work...
Comment 7 Jan Koop 2004-06-15 02:37:55 UTC
A man page, pam_auth(8), that I found explicitly demands suid root permissions in the case of a shadow-based system. There is no other way of accessing /etc/shadow, at least for ncsa_auth. I don't know about pam_auth, but I suspect the same for it, even for pam_ldap-enabled or other systems.

IMO the only two solutions are:
- install the authentication helpers suid root by default, maybe display a warning
- install them 0755 root:root, but display a warning that in case of authentication one must change the perms of the helpers.
Comment 8 Andrew Bevitt 2004-07-14 22:29:04 UTC
OK changes fixed in 2.5.5-r2 and in 2.5.6 whichever you like

Closing.
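
Added example, not part of the bug thread or of the ebuild: a POSIX shell check that compares a helper's mode, owner and group against the 4750 root:squid layout given in comment 1, and flags the 0755 case from the report as well as a setuid helper left open to all local users. The function names and finding strings are made up for this illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Audit Squid auth helpers against the layout from this bug:
# mode 4750, owner root, group squid. Names here are illustrative only.

# classify_helper MODE OWNER GROUP
# MODE is octal as printed by `stat -c %a` (e.g. 755 or 4750).
# Prints one finding; returns 0 only for "ok".
classify_helper() {
    case "$1" in ''|*[!0-7]*) echo "bad-mode"; return 2 ;; esac
    ch_mode=$((0$1))    # leading 0 makes the shell read the digits as octal

    # Without root ownership the setuid bit cannot give access to /etc/shadow.
    if [ "$2" != root ]; then echo "not-root-owned"; return 1; fi
    # The state reported in the bug: helper runs as the squid user, gets 407.
    if [ $((ch_mode & 04000)) -eq 0 ]; then echo "no-setuid"; return 1; fi
    # A setuid-root binary that group or others can overwrite.
    if [ $((ch_mode & 0022)) -ne 0 ]; then echo "group-or-world-writable"; return 1; fi
    # 4755 instead of 4750: every local user may run the setuid-root helper.
    if [ $((ch_mode & 0007)) -ne 0 ]; then echo "world-accessible"; return 1; fi
    # Squid itself must still be able to execute it through its group.
    if [ "$3" != squid ] || [ $((ch_mode & 0010)) -eq 0 ]; then
        echo "squid-cannot-exec"; return 1
    fi
    echo "ok"
}

# audit_helper PATH: read mode/owner/group from the file and classify it.
audit_helper() {
    ah_info=$(stat -c '%a %U %G' -- "$1" 2>/dev/null) || { echo "stat-failed"; return 2; }
    # Intentional word splitting: stat printed three space-separated fields.
    classify_helper $ah_info
}

# Usage: sh audit.sh /usr/lib/squid/ncsa_auth /usr/lib/squid/pam_auth
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(audit_helper "$f")"
done
```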