Date:      Wed, 22 Oct 2008 17:29:43 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        John Almberg <jalmberg@identry.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: mysql connection through ssl tunnel
Message-ID:  <48FF54F7.6000506@infracaninophile.co.uk>
In-Reply-To: <65233E01-1617-4C93-91ED-394330F31AA4@identry.com>
References:  <8B945891-5F96-4FBF-8175-15F67F03DD92@identry.com>	<48D8F881.1010000@unsane.co.uk>	<912A74FB-0292-4A53-B480-34FE69D9C465@identry.com>	<20081020212103.GA13334@icarus.home.lan>	<007ABF71-6D85-4849-A9E7-933D18236EE8@identry.com>	<48FD8876.5090805@infracaninophile.co.uk>	<51D1673D-4689-4F9A-8217-CFC5C58A1145@identry.com>	<33DD5BC0-7D57-4530-BB59-46E2D7A43F1A@identry.com> <65233E01-1617-4C93-91ED-394330F31AA4@identry.com>

John Almberg wrote:
>>> Now I just need to figure out how to start it on reboot, but that is
>>> something I've been meaning to learn, anyway, so I don't mind.
>>
>> I hope you guys will bear with me just a little more... I have spent
>> the day trying to figure out how to create an rc script for autossh.
>> Very cool, and not as hard as I'd anticipated. It is attached below.
>>
>> The script works perfectly *iff* I run it from the command line as a
>> non-root user, like so:
>>
>> /usr/local/etc/rc.d/autossh start
>>
>> However, it does NOT work when executed by root. Instead, I get the
>> following error message in /var/log/messages
>>
>>   messages:Oct 21 19:01:38 on autossh[89267]: ssh exited prematurely with status 255; autossh exiting
>>
>> So (my understanding), autossh is starting, and tries to create the
>> tunnel, but the tunnel creation fails with the unhelpful 255 error
>> message.
>>
>> But only when executed by root. That's the puzzling part.
>>
>> I don't allow root logins on this server, but don't see how that could
>> cause this problem....
>>
>> I'm stumped. Any hints, much appreciated.
>>
>> -- John
>>
>> ----------------------
>>
>> #!/bin/sh
>> # PROVIDE: autossh
>> # REQUIRE: LOGIN
>> # KEYWORD: shutdown
>>
>> . /etc/rc.subr
>>
>> name="autossh"
>> rcvar=`set_rcvar`
>> start_cmd="${name}_start"
>> stop_cmd=":"
>>
>> load_rc_config $name
>> eval "${rcvar}=\${${rcvar}:='NO'}"
>>
>> command="/usr/local/bin/autossh"
>> command_args="-M 20000 -fNg -L 33006:127.0.0.1:3306 admin@example.com"
>> #pidfile="/var/run/autossh.pid"
>> #AUTOSSH_PIDFILE="$pidfile"; export AUTOSSH_PIDFILE
>>
>> autossh_start()
>> {
>>   ${command} ${command_args}
>>   echo "started autossh"
>> }
>>
>> run_rc_command "$1"
>>
>
> Answering my own question (probably the best way)...
>
> I solved this problem by figuring out how to execute the command inside
> the rc script as a non-root user. Like so:
>
> autossh_start()
> {
>   echo "${command} ${command_args}"
>   su admin -c "${command} ${command_args}"
>   echo "started autossh"
> }
>
>
> This works beautifully, so I almost hesitate to ask, but is there
> anything wrong with this approach?

Nothing, except you're re-inventing the wheel.  rc.subr already
has a mechanism for running commands as another user.  Instead
of defining a new start() function, simply add something like:

 : ${autossh_user:='admin'}

towards the top of the script.  (This also means you can override
the setting by defining 'autossh_user="someoneelse"' in /etc/rc.conf
in the usual way.)

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
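
Added example, not part of the message above or of John's script: one way the suggestion could look as a complete rc.d script, with the custom start function removed so that rc.subr itself starts autossh as the unprivileged user. The helper name write_autossh_rc and the syntax check are assumptions made for illustration; the autossh command line and the install path are the ones from the quoted post.

```shell
# Writes the revised rc.d script into a directory and syntax-checks it.
# write_autossh_rc is a hypothetical helper name (assumption, not from the thread).
write_autossh_rc() {
    rc_dir="${1:-/usr/local/etc/rc.d}"
    rc_file="${rc_dir}/autossh"
    cat > "${rc_file}" <<'EOF' || return 1
#!/bin/sh
# PROVIDE: autossh
# REQUIRE: LOGIN
# KEYWORD: shutdown

. /etc/rc.subr

name="autossh"
rcvar="${name}_enable"

load_rc_config $name
: ${autossh_enable:="NO"}
# rc.subr runs ${command} as this user; override it in /etc/rc.conf.
: ${autossh_user:="admin"}

command="/usr/local/bin/autossh"
# Arguments as posted. -g lets other hosts connect to the forwarded port;
# drop it if only local clients use the tunnel.
command_args="-M 20000 -fNg -L 33006:127.0.0.1:3306 admin@example.com"

run_rc_command "$1"
EOF
    # Make it executable, verify it parses, then print the path written.
    chmod 755 "${rc_file}" && sh -n "${rc_file}" && echo "${rc_file}"
}
```

Run write_autossh_rc as root on the FreeBSD host (no argument uses /usr/local/etc/rc.d), then set autossh_enable="YES" in /etc/rc.conf.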

