From owner-freebsd-questions@FreeBSD.ORG Fri Dec 24 09:37:27 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AA610106564A for ; Fri, 24 Dec 2010 09:37:27 +0000 (UTC) (envelope-from vas@mpeks.tomsk.su) Received: from relay2.tomsk.ru (relay2.tomsk.ru [212.73.124.8]) by mx1.freebsd.org (Postfix) with ESMTP id 0A2A88FC13 for ; Fri, 24 Dec 2010 09:37:26 +0000 (UTC) X-Virus-Scanned: by clamd daemon 0.93.1 for FreeBSD at relay2.tomsk.ru Received: from admin.sibptus.tomsk.ru (account sudakov@sibptus.tomsk.ru [212.73.125.240] verified) by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13) with ESMTPSA id 15200985 for freebsd-questions@freebsd.org; Fri, 24 Dec 2010 15:37:25 +0600 Received: from admin.sibptus.tomsk.ru (sudakov@localhost [127.0.0.1]) by admin.sibptus.tomsk.ru (8.14.3/8.14.3) with ESMTP id oBO9bPWG024004 for ; Fri, 24 Dec 2010 15:37:25 +0600 (OMST) (envelope-from vas@mpeks.tomsk.su) Received: (from sudakov@localhost) by admin.sibptus.tomsk.ru (8.14.3/8.14.3/Submit) id oBO9bOCd024003 for freebsd-questions@freebsd.org; Fri, 24 Dec 2010 15:37:24 +0600 (OMST) (envelope-from vas@mpeks.tomsk.su) X-Authentication-Warning: admin.sibptus.tomsk.ru: sudakov set sender to vas@mpeks.tomsk.su using -f Date: Fri, 24 Dec 2010 15:37:24 +0600 From: Victor Sudakov To: freebsd-questions@freebsd.org Message-ID: <20101224093724.GC23384@admin.sibptus.tomsk.ru> Mail-Followup-To: Victor Sudakov , freebsd-questions@freebsd.org References: <20101223172752.GA8539@admin.sibptus.tomsk.ru> <20101223201249.ea7648aa.freebsd@edvax.de> <20101223191443.GA24653@gizmo.acns.msu.edu> <20101224031352.GB16472@admin.sibptus.tomsk.ru> <20101224042542.3e21a6df.freebsd@edvax.de> <20101224035041.GF16472@admin.sibptus.tomsk.ru> <4D14233F.4070107@herveybayaustralia.com.au> <20101224080354.GA21712@admin.sibptus.tomsk.ru> <4D14555B.3000909@herveybayaustralia.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4D14555B.3000909@herveybayaustralia.com.au> User-Agent: Mutt/1.4.2.3i Organization: AO "Svyaztransneft", SibPTUS X-PGP-Key: http://www.livejournal.com/pubkey.bml?user=victor_sudakov X-PGP-Fingerprint: 10E3 1171 1273 E007 C2E9 3532 0DA4 F259 9B5E C634 Subject: Re: rc.d and environment variables X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Dec 2010 09:37:27 -0000 Da Rock wrote: > > > > > >>Doesn't the rc.d script run as root initially and then a method (default > >>flags, etc) is used to change the owner to a nobody (restricted > >>privilege user)? Just my 2c, but please correct me if I'm wrong. > >> > > > >That is probably correct, rc.subr does "su -m $user", but the login > >class is not applied there, nor is the users's shell called. > > > > > Exactly. Which means that you'd have to adapt root's env because root's > shell would be called(?). In this case, how do I limit the variables's visibility only to the particular daemon (svnserve) or particular user (svn)? > > PITA, but as an alternative couldn't all the keytabs be stored in the > same _secure_ location? Then a global env could be used. I really don't know what the security implications will be if /etc/krb5.keytab is readable by anyone besides the root user? Do you have a clue about it? There are other services' keys stored there besides svn (host/*, cvs/* etc). -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:sudakov@sibptus.tomsk.ru