Package: squid3
Version: 3.5.16-1
Severity: normal
Tags: patch
Dear Maintainer,
Since squid 3.5.16, squid correctly handles the pinger helper being
installed with the cap_net_raw file capability instead of setuid root.
Please avoid installing pinger as setuid root when possible; a patch is
attached.
diff -Nru squid3-3.5.16/debian/control squid3-3.5.16/debian/control
--- squid3-3.5.16/debian/control 2016-04-03 20:57:40.000000000 +0300
+++ squid3-3.5.16/debian/control 2016-04-13 23:02:24.000000000 +0300
@@ -23,6 +23,7 @@
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, adduser, logrotate (>= 3.5.4-1), squid-common (= ${source:Version}), lsb-base, libdbi-perl
Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbindd
+Recommends: libcap2-bin [linux-any]
Conflicts: squid3 (<< ${binary:Version})
Replaces: squid3
Description: Full featured Web Proxy cache (HTTP proxy)
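Review bot: The `[linux-any]` architecture qualifier on the added Recommends line is, as far as I recall, only permitted in build-relationship fields (Policy 7.1), so dpkg-gencontrol is likely to reject it in a binary package stanza. Because the new postinst already falls back to the setuid bit when setcap is absent, a plain `Recommends: libcap2-bin` is sufficient on Linux; if the non-Linux ports must not recommend it, fill the field from a substvar set in debian/rules based on `dpkg-architecture -qDEB_HOST_ARCH_OS`. Either way the package still works without libcap2-bin, so Recommends rather than Depends is the right strength.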
diff -Nru squid3-3.5.16/debian/rules squid3-3.5.16/debian/rules
--- squid3-3.5.16/debian/rules 2016-04-03 20:57:40.000000000 +0300
+++ squid3-3.5.16/debian/rules 2016-04-15 21:47:32.000000000 +0300
@@ -62,8 +62,6 @@
DEB_MAKE_CLEAN_TARGET = distclean
-DEB_FIXPERMS_EXCLUDE = /usr/lib/squid/pinger
-
install/squid::
install -m 755 -g root -d $(INSTALLDIR)/usr/lib/cgi-bin
mv $(INSTALLDIR)/etc/squid/squid.conf.documented $(INSTALLDIR)/etc/squid/squid.conf
@@ -85,7 +84,6 @@
install -m 755 -g root -d $(INSTALLDIR)/usr/share/man/man1
mv $(INSTALLDIR)/usr/bin/purge $(INSTALLDIR)/usr/bin/squid-purge
install -m 644 -g root debian/squid-purge.8 $(INSTALLDIR)/usr/share/man/man8
- chmod 4755 $(INSTALLDIR)/usr/lib/squid/pinger
clean::
# nothing to do
diff -Nru squid3-3.5.16/debian/squid.postinst squid3-3.5.16/debian/squid.postinst
--- squid3-3.5.16/debian/squid.postinst 2016-04-03 20:57:40.000000000 +0300
+++ squid3-3.5.16/debian/squid.postinst 2016-04-13 23:13:13.000000000 +0300
@@ -73,6 +73,22 @@
chown -R $usr:$grp $log_dir
fi
fi
+
+ # If we have setcap is installed, try setting cap_net_raw+ep,
+ # which allows us to install our binaries without the setuid
+ # bit.
+ PINGER=/usr/lib/squid/pinger
+ if command -v setcap > /dev/null; then
+ if setcap cap_net_raw+ep $PINGER; then
+ echo "Setcap worked! $PINGER is not suid!"
+ else
+ echo "Setcap failed on $PINGER, falling back to setuid" >&2
+ chmod u+s $PINGER
+ fi
+ else
+ echo "Setcap is not installed, falling back to setuid" >&2
+ chmod u+s $PINGER
+ fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
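Review bot: The new block grants cap_net_raw+ep (or, on fallback, the setuid bit) to a binary that dh_fixperms now installs world-executable, since the rules change drops the build-time 4755 chmod and nothing here narrows the mode, so any local user can run pinger with raw-socket privilege; restrict it to root and the proxy group before applying the capability. The script already has `$grp` in scope (used for `$log_dir` just above), presumably the group squid runs as — confirm before reusing it. Debian convention also asks a postinst to leave the file alone when a local dpkg-statoverride exists rather than chmod'ing unconditionally, and the "Setcap worked!" echo prints on every configure run and is better dropped. The enclosing `configure)` case begins before the hunk, so the source of `$grp` is not visible here.
```shell
	PINGER=/usr/lib/squid/pinger
	# Honour a local dpkg-statoverride; otherwise limit pinger to the proxy
	# group so unprivileged users cannot run a binary carrying CAP_NET_RAW
	# (or the setuid fallback). Reapplied on every configure because dpkg
	# does not preserve file capabilities across unpack.
	if ! dpkg-statoverride --list $PINGER > /dev/null; then
		chown root:$grp $PINGER
		chmod 0750 $PINGER
		if command -v setcap > /dev/null && setcap cap_net_raw+ep $PINGER; then
			: # file capability applied; no setuid bit needed
		else
			echo "setcap failed or is not installed, falling back to setuid on $PINGER" >&2
			chmod u+s $PINGER
		fi
	fi
```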