empty ACL warning during cron.daily/logrotate

Bug #1659567 reported by Stefan Taferner
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
squid-deb-proxy (Debian) | New | Unknown | |
squid-deb-proxy (Ubuntu) | Triaged | Medium | Unassigned |

Bug Description

I get a daily email from logrotate:

/etc/cron.daily/logrotate:
2017/01/26 06:25:01| Warning: empty ACL: acl blockedpkgs urlpath_regex "/etc/squid-deb-proxy/autogenerated/pkg-blacklist-regexp.acl"

The pkg-blacklist-regexp.acl file is empty.

This is a clean install of Ubuntu Server 16.04.1

The file /etc/squid-deb-proxy/pkg-blacklist.d/10-default contains only comments - the default installation of it.

Christian Ehrhardt  (paelzer) wrote :

@racb - I know you are on the squid merge - have you (or could you) have a look at the packaging/generating of this file on the current version you prepare?

Robie Basak (racb) wrote :

squid-deb-proxy is a separate source package. I can look at it, but I think I can do that after upload of squid3 itself, right?

Stefan Taferner (taferner) wrote :

As stated in some of the other bug reports, making any blacklist entry lets the daily warning email go away. I created a file /etc/squid-deb-proxy/pkg-blacklist.d/01-dummy with the single line:
dummy.package

This works around the issue.

I am writing this in case somebody stumbles upon this bug report in search of a fix.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in squid-deb-proxy (Ubuntu):
status: New → Confirmed
Robie Basak (racb) wrote :

Steps to reproduce:

apt install squid-deb-proxy
logrotate -f /etc/logrotate.d/squid-deb-proxy

Confirmed on 14.04 and on Zesty.

Changed in squid-deb-proxy (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Robie Basak (racb) wrote :

@Amos,

Could I have your advice on this please?

It seems that:

squid-deb-proxy has a static configuration in /etc/squid-deb-proxy/squid-deb-proxy.conf containing:
    acl blockedpkgs urlpath_regex "/etc/squid-deb-proxy/autogenerated/pkg-blacklist-regexp.acl"

Files in /etc/squid-deb-proxy/autogenerated are automatically generated, and in packaging we'd prefer not to have to alter /etc/squid-deb-proxy/squid-deb-proxy.conf dynamically.

This causes an emailed logrotation warning when logrotate calls "/usr/sbin/squid -f /etc/squid-deb-proxy/squid-deb-proxy.conf -k rotate". The warning comes from src/acl/Acl.cc because the ACL is empty. But in the default case, this is intentional.

I could suppress the warning with a grep in logrotate's call to "squid -k rotate", but this seems like an ugly hack. Is there any better way to suppress the warning, and if not, could we have one please? I also would prefer not to suppress *all* warnings, as anything else might be valid. It's just that this warning in particular is not valid in this case. Any time we use external ACL files, I think "empty file" is a valid case to avoid having to make "no ACL here" a special case that needs altering of the configuration file. Perhaps we could just drop this warning upstream?

Amos Jeffries (yadi) wrote :

There is no way that I'm aware of in any current Squid.

The check is a generic validity check used for all ACLs. Whether it is 'harmless' depends on future events at the time of checking. So just silencing or ignoring would leave a lot of nasty misconfigurations quietly accepted.

That said, for an automated rotate, 2>/dev/null seems reasonable. These types of things should be caught and fixed on the previous startup or manual rotate attempts.

Long-term I think we are going to have to add an explicit flag to indicate whether an ACL is allowed to be empty or not.

Changed in squid-deb-proxy (Debian):
status: Unknown → New
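
Added example (not part of the original thread and not squid-deb-proxy's packaging code): a middle ground between the grep idea and a blanket 2>/dev/null discussed in the comments above. It drops only the blockedpkgs empty-ACL warning, and only while the blacklist sources really contain no entries, so a failed regeneration of the ACL file still produces mail. The function names are hypothetical, and '#' as the comment marker in pkg-blacklist.d files is an assumption.

```shell
#!/bin/sh
# Added example. Paths and the warning text are the ones quoted in this report;
# function names are hypothetical.
CONF=/etc/squid-deb-proxy/squid-deb-proxy.conf
ACL_FILE=/etc/squid-deb-proxy/autogenerated/pkg-blacklist-regexp.acl
BLACKLIST_SRC=/etc/squid-deb-proxy/pkg-blacklist.d

# Succeeds only when the source directory exists and every file in it holds
# nothing but blank lines and comments (assumed to start with '#').
blacklist_intentionally_empty() {
    [ -d "$1" ] || return 1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # -v selects lines that are neither blank nor comments; any hit is an entry.
        if grep -qvE '^[[:space:]]*(#|$)' "$f"; then
            return 1
        fi
    done
    return 0
}

# stdin: squid's stderr. stdout: the lines that should still reach the admin.
filter_rotate_stderr() {
    benign="Warning: empty ACL: acl blockedpkgs urlpath_regex \"$ACL_FILE\""
    if blacklist_intentionally_empty "$1"; then
        # -F: literal match. grep exits 1 when nothing is left, which is fine.
        grep -vF -- "$benign" || true
    else
        # Entries exist but the generated ACL is empty: keep the warning.
        cat
    fi
}

# What a logrotate postrotate script could call instead of a blanket 2>/dev/null.
# fd 3 carries squid's stdout around the pipe so only stderr is filtered.
rotate_with_filter() {
    { /usr/sbin/squid -f "$CONF" -k rotate 2>&1 1>&3 \
        | filter_rotate_stderr "$BLACKLIST_SRC" >&2; } 3>&1
}
```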