Date: Thu, 22 Dec 2005 12:44:42 -0800
From: Brooks Davis <brooks@one-eyed-alien.net>
To: Thomas-Martin Seck <tmseck-lists@netcologne.de>
Cc: Derkjan de Haan <derkjan@haanjdj.xs4all.nl>, Doug Barton <dougb@freebsd.org>, freebsd-ports@freebsd.org, timur@gnu.org
Subject: Re: squid, samba startup scripts fail to run from base system rcorder
Message-ID: <20051222204442.GA826@odin.ac.hmc.edu>
In-Reply-To: <20051222202437.GA24311@bledge.tmseck.homedns.org>
References: <002601c60667$271c6bd0$0102a8c0@bogomip> <43AB064A.3040706@FreeBSD.org> <20051222202437.GA24311@bledge.tmseck.homedns.org>

On Thu, Dec 22, 2005 at 09:24:38PM +0100, Thomas-Martin Seck wrote:
> * Doug Barton (dougb@FreeBSD.org):
>
> > Derkjan de Haan wrote:
> > >All,
> > >
> > >I run RELENG_6 on my system, and cvs-upping today, I noticed that samba
> > >and squid fail to start properly.
> >
> > I tried squid, and it worked for me without any alterations. I haven't
> > tried samba yet, but I don't see anything terribly wrong with the boot
> > script (although really it would be better to separate the two parts into
> > two different scripts).
>
> Ok, here is the squid maintainer:
>
> I am just about to update to the latest RELENG_6 to check for myself;
> however it would be nice to hear if squid.sh in its "rcNG" incarnation
> is not as broken as I had feared.
>
> However, I am open to suggestions how squid.sh is best fit into new
> world order. Currently I let it REQUIRE: NETWORKING SERVERS basically
> because that is what the script I stole this from when I was forced to
> provide rcNG support did.
>
> If it's recommended to change this (provided this is backwards
> compatible for the RELENG_5 users), I am all ears.

The values of these comments have no impact on RELENG_5 because rcorder
is never run on these scripts there.

As a rule, servers that don't run things as individual users should
"# REQUIRE: DAEMON" and those that do run things as individual users
should "# REQUIRE: LOGIN". After LOGIN it should be safe for users to
log in. Currently, there's a bug in the dependency order in that secure
level comes after LOGIN and by design it's supposed to come before. This
represents a potentially exploitable race.

About the only service I can think of that might come before DAEMON is
an LDAP or similar service that is used to provide local accounts for
other services. On the whole, that probably shouldn't be the default
even for such services.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
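
The ordering rule and the securelevel/LOGIN problem described in the message above can be checked from the rcorder keywords alone. The following is an added example, not part of the original message and not FreeBSD's own code: it reads the PROVIDE, REQUIRE and BEFORE comments and reports whether one provider is forced to start before another. The sample script tree, its keyword values and the service name "exampled" are constructed for illustration.

```shell
#!/bin/sh

# Print "earlier later" pairs from the rcorder keywords of the scripts in $1.
rc_edges() {
    for f in "$1"/*; do
        awk '/^# PROVIDE:/ { for (i = 3; i <= NF; i++) prov[$i] = 1 }
             /^# REQUIRE:/ { for (i = 3; i <= NF; i++) req[$i] = 1 }
             /^# BEFORE:/  { for (i = 3; i <= NF; i++) bef[$i] = 1 }
             END { for (p in prov) {
                       for (r in req) print r, p
                       for (b in bef) print p, b } }' "$f"
    done
}

# Exit 0 only if a chain of such pairs leads from $2 to $3 (a guaranteed order).
starts_before() {
    rc_edges "$1" | awk -v first="$2" -v last="$3" '
        { n++; a[n] = $1; b[n] = $2 }
        END {
            seen[first] = 1; grew = 1
            while (grew) {
                grew = 0
                for (i = 1; i <= n; i++)
                    if ((a[i] in seen) && !(b[i] in seen)) { seen[b[i]] = 1; grew = 1 }
            }
            exit((last in seen) ? 0 : 1)
        }'
}

# Constructed sample tree, not the real FreeBSD scripts; "exampled" is hypothetical.
make_sample() {
    mkdir -p "$1"
    login_req="DAEMON"
    if [ "$2" = fixed ]; then login_req="DAEMON securelevel"; fi
    printf '# PROVIDE: DAEMON\n# REQUIRE: NETWORKING SERVERS\n' > "$1/DAEMON"
    printf '# PROVIDE: securelevel\n# REQUIRE: DAEMON\n' > "$1/securelevel"
    printf '# PROVIDE: LOGIN\n# REQUIRE: %s\n' "$login_req" > "$1/LOGIN"
    printf '# PROVIDE: exampled\n# REQUIRE: LOGIN\n' > "$1/exampled"
}

tmp=$(mktemp -d)
for layout in buggy fixed; do
    make_sample "$tmp/$layout" "$layout"
    if starts_before "$tmp/$layout" securelevel LOGIN
    then echo "$layout: securelevel is forced to run before LOGIN"
    else echo "$layout: nothing orders securelevel before LOGIN"
    fi
done
rm -rf "$tmp"
```

Pointed at a real rc.d directory, a failing `starts_before DIR securelevel LOGIN` means a service that REQUIREs LOGIN has no guarantee that the secure level was raised first.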