From c0be3908f660ad08168cda5f6d765ac13d571a1f Mon Sep 17 00:00:00 2001
From: Sergio Durigan Junior
Date: Sun, 31 May 2020 11:37:03 -0400
Subject: [PATCH] Use start-stop-daemon to run squid and change UID/GID

Even when we just want to run squid in a non-daemon, we have to resort to start-stop-daemon because the process needs to be executed using squid's UID/GID (i.e., proxy:proxy) every time, due to apparmor restrictions.
---
 debian/squid.rc | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/debian/squid.rc b/debian/squid.rc
index 9c8878ef3..170c3568c 100644
--- a/debian/squid.rc
+++ b/debian/squid.rc
@@ -23,6 +23,7 @@ DAEMON=/usr/sbin/squid
 PIDFILE=/run/squid/$NAME.pid
 CONFIG=/etc/squid/squid.conf
 SQUID_ARGS="-YC -f $CONFIG"
+SQUID_UID_GID="proxy:proxy"
 [ ! -f /etc/default/squid ] || . /etc/default/squid
@@ -36,7 +37,8 @@ ulimit -n 65535
 find_cache_dir () {
 w=" " # space tab
- res=`$DAEMON -k parse -f $CONFIG 2>&1 |
+ res=`start-stop-daemon --chuid $SQUID_UID_GID --start \
+ --exec $DAEMON -- -k parse -f $CONFIG 2>&1 |
 grep "Processing:" |
 sed s/.*Processing:\ // |
 sed -ne '
@@ -50,7 +52,8 @@ find_cache_dir () {
 grepconf () {
 w=" " # space tab
- res=`$DAEMON -k parse -f $CONFIG 2>&1 |
+ res=`start-stop-daemon --chuid $SQUID_UID_GID --start \
+ --exec $DAEMON -- -k parse -f $CONFIG 2>&1 |
 grep "Processing:" |
 sed s/.*Processing:\ // |
 sed -ne '
@@ -91,14 +94,16 @@ start () {
 if test -d "$cache_dir" -a ! -d "$cache_dir/00"
 then
 log_warning_msg "Creating $DESC cache structure"
- $DAEMON -z —-foreground -f $CONFIG
+ start-stop-daemon --chuid $SQUID_UID_GID --start \
+ --exec $DAEMON -- -z —-foreground -f $CONFIG
 [ -x /sbin/restorecon ] && restorecon -R $cache_dir
 fi
 umask 027
 ulimit -n 65535
 cd $run_dir
- start-stop-daemon --quiet --start \
+ start-stop-daemon --chuid $SQUID_UID_GID \
+ --quiet --start \
 --pidfile $PIDFILE \
 --exec $DAEMON -- $SQUID_ARGS < /dev/null
 return $?
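Review bot: The one-shot `-k parse` invocation in find_cache_dir (this hunk), the identical one in grepconf at @@ -50, and the three `case` branches at @@ -142, @@ -165 and @@ -178 now run through `start-stop-daemon --start --exec $DAEMON` with no `--pidfile`, and start-stop-daemon's `--start` first looks for an existing process that is an instance of that executable: when a squid is already running (the reload and restart branches in particular) it reports "already running" and exits with status 1 instead of executing the parse. The pipeline then hands an empty `res` to `grep`, so the FATAL check and the cache_dir lookup silently pass rather than failing loudly. If the only goal is to run the check as proxy:proxy, a plain privilege drop such as `runuser -u proxy -g proxy -- $DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL: .*"` avoids the process matching entirely (assuming util-linux runuser is available on the target); if start-stop-daemon must be kept, the match needs to be made unambiguous rather than keyed on the daemon binary. Since `SQUID_UID_GID` is set before `/etc/default/squid` is sourced and can therefore be overridden by the administrator, the expansions should be quoted, `--chuid "$SQUID_UID_GID"`, so a malformed override fails on the option rather than being word-split into the command line.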
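Review bot: The rewritten cache-creation line `+ --exec $DAEMON -- -z —-foreground -f $CONFIG` keeps `—-foreground` with a U+2014 em dash in place of the first hyphen, so squid is handed an argument that is not `--foreground`; unless this is an artefact of how the patch was rendered, the line should read `--exec $DAEMON -- -z --foreground -f $CONFIG` now that the commit touches it anyway. The same `--start --exec` process matching noted for find_cache_dir applies here, so `-z` will not run if a squid instance is already present, and its exit status is discarded before the real daemon start proceeds — a `|| log_failure_msg "cache initialisation failed"` after the command would at least surface that. The reason the daemon's own start also gained `--chuid` lives only in the commit message; a one-line comment above it such as `# squid must run as $SQUID_UID_GID (apparmor); override in /etc/default/squid` would keep that rationale with the code.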
@@ -142,7 +147,8 @@ fi
 case "$1" in
 start)
- res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL: .*"`
+ res=`start-stop-daemon --chuid $SQUID_UID_GID --start \
+ --exec $DAEMON -- -k parse -f $CONFIG 2>&1 | grep -o "FATAL: .*"`
 if test -n "$res"; then
 log_failure_msg "$res"
@@ -165,7 +171,8 @@ case "$1" in
 fi
 ;;
 reload|force-reload)
- res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL: .*"`
+ res=`start-stop-daemon --chuid $SQUID_UID_GID --start \
+ --exec $DAEMON -- -k parse -f $CONFIG 2>&1 | grep -o "FATAL: .*"`
 if test -n "$res"; then
 log_failure_msg "$res"
@@ -178,7 +185,8 @@ case "$1" in
 fi
 ;;
 restart)
- res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL: .*"`
+ res=`start-stop-daemon --chuid $SQUID_UID_GID --start \
+ --exec $DAEMON -- -k parse -f $CONFIG 2>&1 | grep -o "FATAL: .*"`
 if test -n "$res"; then
 log_failure_msg "$res"
-- 
GitLab