From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: Testing squid 4.0.23 - grsec denied kernel module auto-load of nf_conntrack_netlink by uid 23 Date: Sun, 21 Jan 2018 18:57:55 +0000 Message-ID: <1516561075.2373.1.camel@ipfire.org> In-Reply-To: <9ee1de16-fc80-9c0f-e359-177b9e8931d0@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3065639266065286918==" List-Id: --===============3065639266065286918== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Hello, yes this is correct. We don't allow an unprivileged user to load any kernel modules. What does squid need this for? Why are you playing around with squid 4? You should be able to load the module first and then start squid. Best, -Michael On Sun, 2018-01-21 at 01:50 +0100, Matthias Fischer wrote: > Hi, > > Just to keep in touch, I tested 'squid 4.0.23' yesterday - it seemed to > run fine at first. But after a while I took a closer look at the logs > and discovered a bunch of kernel messages within a few hours and I don't > know what exactly triggered these messages: > > ... > 132 Time(s): grsec: denied kernel module auto-load of > nf_conntrack_netlink by uid 23 > ... > > As far as I found out: "uid 23" => squid-user, and the new squid tried > to 'autoload' a module which 'grsec' didn't like. Is this a correct > interpretation and has anyone some useable clue how to avoid this? > > Besides, after going back to '3.5.27' the messages didn't came back > again. '4.0.22' didn't throw these messages, too. They changed something > and I don't know what it is... > > Thanks for all tips! > > Best, > Matthias > > --===============3065639266065286918== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUFCQ2dBZEZpRUU1L3JXNWwzR0dl Mnlwa3R4Z0hudy8yK1FDUWNGQWxwazRyTUFDZ2tRZ0hudy8yK1EKQ1FlVndnLzlGb3VOQlkzS2pZ aG5EZjNsOEUwUkVLTGF2eGh5Sm8vbi80dTNNNE1FUFhnakFpTTlNdUpnbmJhSwo1RFlpY0JDaE5Q SDNVZEhmc0lheStNSm00ZDh4ODJQUFF5QlhIb1RxWlRwWTAzcVQ1Y01iSEwvQ0R2dytzV1ZtCkgx Z29STTNkelRTV3pmL2N0bGpBQ09tVmEyQ285NHNhcFNNT2YzZ1h2WFVyRmtPeXFNRzJwNlJsY2I4 VWhwSk4KMVVpVm4vSXdCekNNdnVyT2pYYmFoOGhwN2dYSnFCQXNrdDE0N0Z0Y2ZmVzBLN1BjcE83 aUMvM1VnTVNnRk5iSQpldnNvOUYzTWVsRC95NTRmNTQxcWRlUkNlR2xuUzNaL1ptRWFOaUh1Y1Jw eDZ4SWR1ZDYyRjFJWDRJcDM0WlB2ClVxd0tXU3JqeHE4ME9CQnNKVmFZWVU5Rk1yVE5FaUw3dmN0 L1hXbmpCcVgvbHlmajVjQ3JjeDZOd2VCbnlHSGgKcHBQNHh3aEZyQU9GWEk3bUZENTdMeEFMa3l6 UU1NK2xNQkNoVjk2TGQ4dENVMy9VRWk2clJBeldyakNtYlZoRQpBeDVncVNqK1JvT2ZWNGhQTjZy NHR4K1dvbXk3aDZPc09aL1hDT0NPaTZEK09VemtzSkcwVndudER6QWdydStoCklhQzA0N2txZFU0 UGtJUmhpWHRtZ3dVSmtYMGR5OWdVcVJ1SjlqUUZwa0JNaDRkYTVQTHMrU2tSdVpURDRZc0gKMDdK Y2tYY2VPVDlFUWtZaGJaeUMxaHdlY1BIcG9raWZEUGtXSHlwZUZYMlFHTjR3VTJmNVBpZlppU1NR TjdENApVMXRRZUNhUEJYSmp1bXNqek16WVI1SWZFLzJhdG16VGZFWXJ4TkNRdHhXSlE2VnRPR1k9 Cj1RaG5BCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo= --===============3065639266065286918==--