On 21.01.2018 19:57, Michael Tremer wrote:
Hello,
yes this is correct.
We don't allow an unprivileged user to load any kernel modules.
Ok, then my suspicion was right.
What does squid need this for? Why are you playing around with squid 4?
1. I don't know. 3.5.27 doesn't do this. 2. As I wrote - just to keep in touch with their development. Once in a while, 'squid 3' will be deprecated and I wanted to see what comes next, even though this may take a long time. Just being curious and the 'Devel' was somehow bored. ;-)
You should be able to load the module first and then start squid.
I'm not that curious - this was for testing and for testing only.
Best, Matthias
Best, -Michael
On Sun, 2018-01-21 at 01:50 +0100, Matthias Fischer wrote:
Hi,
Just to keep in touch, I tested 'squid 4.0.23' yesterday - it seemed to run fine at first. But after a while I took a closer look at the logs and discovered a bunch of kernel messages within a few hours and I don't know what exactly triggered these messages:
... 132 Time(s): grsec: denied kernel module auto-load of nf_conntrack_netlink by uid 23 ...
As far as I found out: "uid 23" => squid-user, and the new squid tried to 'autoload' a module which 'grsec' didn't like. Is this a correct interpretation and has anyone some useable clue how to avoid this?
Besides, after going back to '3.5.27' the messages didn't came back again. '4.0.22' didn't throw these messages, too. They changed something and I don't know what it is...
Thanks for all tips!
Best, Matthias