Package: squid3
Version: 3.5.16-1
Severity: normal
Tags: patch

Dear Maintainer,

Since squid 3.5.16, squid properly handles the case where the pinger helper is installed with raised capabilities instead of setuid-root. Please avoid installing pinger as setuid root when possible; patch attached.

diff -Nru squid3-3.5.16/debian/control squid3-3.5.16/debian/control
--- squid3-3.5.16/debian/control	2016-04-03 20:57:40.000000000 +0300
+++ squid3-3.5.16/debian/control	2016-04-13 23:02:24.000000000 +0300
@@ -23,6 +23,7 @@
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, adduser, logrotate (>= 3.5.4-1), squid-common (= ${source:Version}), lsb-base, libdbi-perl
 Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbindd
+Recommends: libcap2-bin [linux-any]
 Conflicts: squid3 (<< ${binary:Version})
 Replaces: squid3
 Description: Full featured Web Proxy cache (HTTP proxy)
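Review bot: Because libcap2-bin is only a Recommends, an install done with --no-install-recommends (or a build where the `[linux-any]` qualifier drops it) takes the setuid fallback in squid.postinst, so the hardening is opportunistic rather than guaranteed. That strength is reasonable given the fallback exists, but it deserves a line in the changelog or README.Debian stating that pinger remains setuid-root unless setcap is available at configure time. No change to the hunk itself is needed.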
diff -Nru squid3-3.5.16/debian/rules squid3-3.5.16/debian/rules
--- squid3-3.5.16/debian/rules	2016-04-03 20:57:40.000000000 +0300
+++ squid3-3.5.16/debian/rules	2016-04-15 21:47:32.000000000 +0300
@@ -62,8 +62,6 @@
 
 DEB_MAKE_CLEAN_TARGET = distclean
 
-DEB_FIXPERMS_EXCLUDE = /usr/lib/squid/pinger
-
 install/squid::
 	install -m 755 -g root -d $(INSTALLDIR)/usr/lib/cgi-bin
 	mv $(INSTALLDIR)/etc/squid/squid.conf.documented $(INSTALLDIR)/etc/squid/squid.conf
@@ -85,7 +84,6 @@
 	install -m 755 -g root -d $(INSTALLDIR)/usr/share/man/man1
 	mv $(INSTALLDIR)/usr/bin/purge $(INSTALLDIR)/usr/bin/squid-purge
 	install -m 644 -g root debian/squid-purge.8  $(INSTALLDIR)/usr/share/man/man8
-	chmod 4755 $(INSTALLDIR)/usr/lib/squid/pinger
 
 clean::
 	# nothing to do
diff -Nru squid3-3.5.16/debian/squid.postinst squid3-3.5.16/debian/squid.postinst
--- squid3-3.5.16/debian/squid.postinst	2016-04-03 20:57:40.000000000 +0300
+++ squid3-3.5.16/debian/squid.postinst	2016-04-13 23:13:13.000000000 +0300
@@ -73,6 +73,22 @@
 		  		chown -R $usr:$grp $log_dir
 			fi
 		fi
+		
+		# If we have setcap is installed, try setting cap_net_raw+ep,
+		# which allows us to install our binaries without the setuid
+		# bit.
+		PINGER=/usr/lib/squid/pinger
+		if command -v setcap > /dev/null; then
+			if setcap cap_net_raw+ep $PINGER; then
+				echo "Setcap worked! $PINGER is not suid!"
+			else
+				echo "Setcap failed on $PINGER, falling back to setuid" >&2
+				chmod u+s $PINGER
+			fi
+		else
+			echo "Setcap is not installed, falling back to setuid" >&2
+			chmod u+s $PINGER
+		fi
 		;;
 	abort-upgrade|abort-remove|abort-deconfigure)
 		;;
