From owner-freebsd-hackers@freebsd.org Sat Jul 1 08:25:30 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C6EA6DA15DA for ; Sat, 1 Jul 2017 08:25:30 +0000 (UTC) (envelope-from ap00@mail.ru) Received: from smtp36.i.mail.ru (smtp36.i.mail.ru [94.100.177.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 78CC27DF39 for ; Sat, 1 Jul 2017 08:25:29 +0000 (UTC) (envelope-from ap00@mail.ru) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.ru; s=mail2; h=Content-Transfer-Encoding:Content-Type:MIME-Version:References:In-Reply-To:Subject:CC:To:Message-ID:From:Date; bh=Q4gkZlNol/H3IGiOP8Cqdyhe7ojP4EnYqgASwTo/OPc=; b=pqQSUQVzUoZY5/ueeFZ8FJfBQdFIPFFui8z0m0U3FXhoGVVJx9hp7hBgeHbKd1czF9umn2UgO8BWOGJHYQ96tw4ckD+u5vnW01c3PxiFpvpm5mU/4aBqLSDGoeZ9jjrHy5OA5i5Thh7Atsx9MDu4OujxaZtoXkN8LEnmRHyJZ5c=; Received: from [91.190.121.202] (port=49232 helo=[192.168.192.10]) by smtp36.i.mail.ru with esmtpa (envelope-from ) id 1dRDiS-0008HP-96; Sat, 01 Jul 2017 11:25:20 +0300 Date: Sat, 1 Jul 2017 11:25:18 +0300 From: Anthony Pankov X-Priority: 3 (Normal) Message-ID: <1656711497.20170701112518@mail.ru> To: Jilles Tjoelker CC: freebsd-hackers@freebsd.org Subject: Re: using rc.subr only by root restriction In-Reply-To: <20170630222709.GA74602@stack.nl> References: <1599987034.20170623182536@mail.ru> <20170630222709.GA74602@stack.nl> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Authentication-Results: smtp36.i.mail.ru; auth=pass smtp.auth=ap00@mail.ru smtp.mailfrom=ap00@mail.ru X-7FA49CB5: 0D63561A33F958A5EA86AA3B663DD6A6FEF2848491B8A80A1F42DF47398C4A6D725E5C173C3A84C3727597FF642BA4D74A448D8C3B069C2142F54486E6D6388DC4224003CC836476C0CAF46E325F83A50BF2EBBBDD9D6B0F8DB212830C5B42F72623479134186CDE6BA297DBC24807EABDAD6C7F3747799A X-Mailru-Sender: D8D48EF70163D79D00784CDFC8FD3107ABAF719BFB34B4C65738E85548DE9FAAAA9FACF08E54A1E250D5CF8590B94F4EC77752E0C033A69E81198BD1A48777B793AC9912533B2342AE208404248635DF X-Mras: OK X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 01 Jul 2017 08:25:30 -0000 > I don't like that this starts id -u many times during startup. I also think that proposed patch is far away from beautiful solution. My second suggestion was to not apply login class until it explicity specified but this is also not a clear way. > Perhaps > you can use the id invocation in the code block that unsets $_user if > running as that user. Sorry, I didn't catch. > By the way, that code block seems to indicate that it was definitely > supposed to work to use rc.subr without root privileges. The concern > about resource limits and other context not matching normal boot is > valid, though. -- Best regards, Anthony mailto:ap00@mail.ru