Date: Mon, 10 Jan 2005 09:40:47 +0100 From: Jose M Rodriguez <josemi@freebsd.jazztel.es> To: Jose M Rodriguez <josemi@freebsd.jazztel.es> Cc: x11@FreeBSD.org Subject: Re: x11 /tmp preparation rc.d script Message-ID: <41E23F8F.4040701@redesjm.local> In-Reply-To: <41E23C58.10606@redesjm.local> References: <1105321614.8452.54.camel@leguin> <41E23C58.10606@redesjm.local>
next in thread | previous in thread | raw e-mail | index | archive | help
Jose M Rodriguez escribió:
> Eric Anholt escribió:
>
>> Attached are my proposed patches to deal with the X11 ICE issue. To
>> review, it's required because having .ICE not owned by root is a
>> security issue, one that's been papered over with a printed warning and
>> sleep(5) in libICE for years, and has recently been changed into an
>> actual error by the X.Org folks.
>>
...
As a latter think about this, consider take also periodic related fixes
(We clear this directories by default) and try to get a OS_VERSION bump
closest to this.
--
josemi
>> The question is whether to stick it in base or in ports:
>>
>> In favor of ports:
>> - Seems like the proper place. Nothing happens for non-X11 users.
>> In favor of base:
>> - Would either need to make a separate port just for the script, or
>> keep the script in at least 3 separate ports, disregarding the
>> cleanup of servers which might make for more ports affected.
>>
>>
> Well, seems that this is really needed only from xorg-libs. That must
> be needed also from XFree86-4-libs, but this because we maintain two
> X11 ports system.
>
>> - From ports, it might get started too late in the boot process, or
>> not at all in some installations.
>>
>>
> This is not a real thread. Please, note cases.
>
>> I decided to do it in the base system, assuming that we can spare 4
>> inodes, given that we already have BSD.x11-4.dist happening.
>>
>>
> What I can't understand is the matter of choice. Seems that having
> both solutions (ports and base) is not dangerous. You may need a ms
> timer to take this in account.
>
> I think that the two solutions must be targeted, and the ports based
> one will be deprecated on time only when all our base targets (We must
> support Xorg also on RELENG_4, al last, while this is possible).
>
> If you go to a rcNG script, make this have auto defaults, and install
> it from ports after OS_VERSION test. You may lose this code from
> ports when all the possible targets of Xorg have this on base.
>
>> Brooks's patch also allowed overriding the set of directories. I don't
>> think that's a real issue, and the clutter in /etc/defaults/rc.conf is
>> worse. I also think that cleartmp probably shouldn't be overloaded with
>> X stuff, though there's still the BEFORE: preparex11 line, which I'm
>> unsure of.
>>
>> So, attached are proposed patches for 6-current and 5-stable. I haven't
>> done a real install of them because my systems are out of date, but I
>> wanted to get this out there for review so it can go into CVS soon after
>> I test installing. If they're good, they would be merged to RELENG_5_3
>> and older, I hope, due to the security implications.
>>
>> Any comments?
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> Index: etc/defaults/rc.conf
>> ===================================================================
>> RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
>> retrieving revision 1.235
>> diff -u -r1.235 rc.conf
>> --- etc/defaults/rc.conf 15 Dec 2004 12:39:28 -0000 1.235
>> +++ etc/defaults/rc.conf 10 Jan 2005 01:25:35 -0000
>> @@ -443,6 +443,7 @@
>> svr4_enable="NO" # SysVR4 emulation loaded at startup (or NO).
>> osf1_enable="NO" # Alpha OSF/1 emulation loaded at startup (or NO).
>> clear_tmp_enable="NO" # Clear /tmp at startup.
>> +prepare_x11_enable="YES" # Clean and recreate directories necessary
>> for X11.
>> ldconfig_insecure="NO" # Set to YES to disable ldconfig security
>> checks
>> ldconfig_paths="/usr/lib/compat /usr/X11R6/lib /usr/local/lib
>> /usr/local/lib/compat/pkg"
>> # shared library search paths
>> Index: etc/rc.d/Makefile
>> ===================================================================
>> RCS file: /home/ncvs/src/etc/rc.d/Makefile,v
>> retrieving revision 1.47
>> diff -u -r1.47 Makefile
>> --- etc/rc.d/Makefile 16 Nov 2004 04:20:09 -0000 1.47
>> +++ etc/rc.d/Makefile 10 Jan 2005 00:55:40 -0000
>> @@ -26,7 +26,7 @@
>> nfslocking nfsserver nisdomain nsswitch ntpd ntpdate \
>> othermta \
>> pccard pcvt pf pflog \
>> - power_profile ppp-user pppoed preseedrandom pwcheck \
>> + power_profile ppp-user pppoed preparex11 preseedrandom pwcheck \
>> quota \
>> ramdisk ramdisk-own random rarpd rcconf.sh resolv root \
>> route6d routed routing rpcbind rtadvd rwho \
>> Index: etc/rc.d/cleartmp
>> ===================================================================
>> RCS file: /home/ncvs/src/etc/rc.d/cleartmp,v
>> retrieving revision 1.11
>> diff -u -r1.11 cleartmp
>> --- etc/rc.d/cleartmp 7 Oct 2004 13:55:25 -0000 1.11
>> +++ etc/rc.d/cleartmp 10 Jan 2005 01:00:08 -0000
>> @@ -6,7 +6,7 @@
>>
>> # PROVIDE: cleartmp
>> # REQUIRE: mountcritremote tmp
>> -# BEFORE: DAEMON
>> +# BEFORE: DAEMON preparex11
>>
>>
> I think you may take this better from your new script. rcNG also
> support and REQUIRE/AFTER keyword. I think you must take preparex11
> _after_ cleartmp
>
> The only 'consumers' of this I know are xdm related scripts on
> localpkg and gettys from init after
> rc has finished.
>
>>
>> . /etc/rc.subr
>>
>> @@ -30,10 +30,3 @@
>>
>> load_rc_config $name
>> run_rc_command "$1"
>> -
>> -# Remove X lock files, since they will prevent you from
>> -# restarting X
>> -#
>> -rm -f /tmp/.X[0-9]-lock
>> -rm -fr /tmp/.X11-unix
>> -mkdir -m 1777 /tmp/.X11-unix
>> Index: etc/rc.d/preparex11
>> ===================================================================
>> RCS file: etc/rc.d/preparex11
>> diff -N etc/rc.d/preparex11
>> --- /dev/null 1 Jan 1970 00:00:00 -0000
>> +++ etc/rc.d/preparex11 10 Jan 2005 01:10:44 -0000
>> @@ -0,0 +1,27 @@
>> +#!/bin/sh
>> +#
>> +# $FreeBSD$
>> +#
>> +
>> +# PROVIDE: preparex11
>>
>>
> consider REQUIRE: mountall cleartmp
>
>> +# REQUIRE: mountall
>> +# BEFORE: DAEMON
>>
>>
> We have lost symtem flags
>
>> +# KEYWORD: FreeBSD NetBSD
>>
>> +
>> +. /etc/rc.subr
>> +
>> +name="preparex11"
>> +rcvar=`set_rcvar prepare_x11`
>> +start_cmd="preparex11_start"
>> +stop_cmd=":"
>> +
>> +preparex11_start()
>> +{
>> + echo "Preparing /tmp for X11 applications."
>> + rm -f /tmp/.X*-lock
>> + rm -fr /tmp/.X11-unix /tmp/.font-unix /tmp/.ICE-unix
>> + mkdir -m 1777 /tmp/.X11-unix /tmp/.font-unix /tmp/.ICE-unix
>> +}
>> +
>> +load_rc_config $name
>>
>>
> if you add the next auto default here, this same script will work
> installed from ports. Install it with, 000. name prefix, so this is
> take before gdm.sh or similar
>
> : ${prepare_x11_enable:="YES"}
>
>> +run_rc_command "$1"
>> Index: share/man/man5/rc.conf.5
>> ===================================================================
>> RCS file: /home/ncvs/src/share/man/man5/rc.conf.5,v
>> retrieving revision 1.241
>> diff -u -r1.241 rc.conf.5
>> --- share/man/man5/rc.conf.5 5 Jan 2005 09:52:12 -0000 1.241
>> +++ share/man/man5/rc.conf.5 10 Jan 2005 01:25:36 -0000
>> @@ -2586,6 +2586,17 @@
>> to have
>> .Pa /tmp
>> cleaned at startup.
>> +.It Va prepare_x11_enable
>> +.Pq Vt bool
>> +Set to
>> +.Dq Li NO
>> +to disable removing stale X server lockfiles and disable removing
>> and recreating
>> +.Pa /tmp/.ICE-unix ,
>> +.Pa /tmp/.X11-unix ,
>> +and
>> +.Pa /tmp/.font-unix
>> +at startup. May be a security issue if X11 applications are used
>> with this
>> +disabled.
>> .It Va ldconfig_paths
>> .Pq Vt str
>> Set to the list of shared library paths to use with
>>
>>
>>
>>
> <snip/>
>
> --
> josemi
> _______________________________________________
> freebsd-x11@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-x11
> To unsubscribe, send any mail to "freebsd-x11-unsubscribe@freebsd.org"
>
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41E23F8F.4040701>