From: Matthew Seaman
Date: Wed, 22 Oct 2008 17:29:43 +0100
To: John Almberg
Cc: freebsd-questions@freebsd.org
Subject: Re: mysql connection through ssl tunnel

John Almberg wrote:
>>> Now I just need to figure out how to start it on reboot, but that is
>>> something I've been meaning to learn, anyway, so I don't mind.
>>
>> I hope you guys will bear with me just a little more... I have spent
>> the day trying to figure out how to create an rc script for autossh.
>> Very cool, and not as hard as I'd anticipated. It is attached below.
>>
>> The script works perfectly *iff* I run it from the command line as a
>> non-root user, like so:
>>
>> /usr/local/etc/rc.d/autossh start
>>
>> However, it does NOT work when executed by root. Instead, I get the
>> following error message in /var/log/messages
>>
>> messages:Oct 21 19:01:38 on autossh[89267]: ssh exited prematurely
>> with status 255; autossh exiting
>>
>> So (my understanding), autossh is starting, and tries to create the
>> tunnel, but the tunnel creation fails with the unhelpful 255 error
>> message.
>>
>> But only when executed by root. That's the puzzling part.
>>
>> I don't allow root logins on this server, but don't see how that could
>> cause this problem....
>>
>> I'm stumped. Any hints, much appreciated.
>>
>> -- John
>>
>> ----------------------
>>
>> #!/bin/sh
>> # PROVIDE: autossh
>> # REQUIRE: LOGIN
>> # KEYWORD: shutdown
>>
>> . /etc/rc.subr
>>
>> name="autossh"
>> rcvar=`set_rcvar`
>> start_cmd="${name}_start"
>> stop_cmd=":"
>>
>> load_rc_config $name
>> eval "${rcvar}=\${${rcvar}:='NO'}"
>>
>> command="/usr/local/bin/autossh"
>> command_args="-M 20000 -fNg -L 33006:127.0.0.1:3306 admin@example.com"
>> #pidfile="/var/run/autossh.pid"
>> #AUTOSSH_PIDFILE="$pidfile"; export AUTOSSH_PIDFILE
>>
>> autossh_start()
>> {
>>     ${command} ${command_args}
>>     echo "started autossh"
>> }
>>
>> run_rc_command "$1"
>>
>
> Answering my own question (probably the best way)...
>
> I solved this problem by figuring out how to execute the command inside
> the rc script as a non-root user. Like so:
>
> autossh_start()
> {
>     echo "${command} ${command_args}"
>     su admin -c "${command} ${command_args}"
>     echo "started autossh"
> }
>
>
> This works beautifully, so I almost hesitate to ask, but is there
> anything wrong with this approach?

Nothing, except you're re-inventing the wheel. rc.subr already has a
mechanism for running commands as another user. Instead of defining
a new start() function, simply add something like:

    : ${autossh_user:='admin'}

towards the top of the script. (This also means you can override the
setting by defining 'autossh_user="someoneelse"' in /etc/rc.conf in
the usual way)

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
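
The reply's suggestion applied to the whole script, as an added example that is not part of the original message or of rc.subr: the custom start function is gone and rc.subr's default start runs the tunnel as `autossh_user`. The helper names `write_autossh_rc` and `rc_uses_builtin_user` and the scratch path are assumptions made for this example; the flags and the `admin` account are the thread's own.

```shell
#!/bin/sh
# Added example: the thread's rc.d script in the form the reply suggests.

# Write the revised script to the path given as $1.
write_autossh_rc() {
    cat > "$1" <<'EOF'
#!/bin/sh
# PROVIDE: autossh
# REQUIRE: LOGIN
# KEYWORD: shutdown

. /etc/rc.subr

name="autossh"
rcvar="${name}_enable"      # the value `set_rcvar` returns for this name
stop_cmd=":"                # kept from the thread's script

load_rc_config $name
: ${autossh_enable:="NO"}
: ${autossh_user:="admin"}  # rc.subr's default start runs $command as this user

command="/usr/local/bin/autossh"
# -g lets other hosts connect to the forwarded port; flags are the thread's own
command_args="-M 20000 -fNg -L 33006:127.0.0.1:3306 admin@example.com"

run_rc_command "$1"
EOF
    chmod 555 "$1"
}

# Return 0 when the rc.d script at $1 leaves the user switch to rc.subr:
# it parses, sets a <name>_user default, and neither overrides start_cmd
# (a custom start function bypasses <name>_user) nor calls su itself.
rc_uses_builtin_user() {
    sh -n "$1" || return 1
    grep -Eq '^: \$\{[a-z_]+_user:=' "$1" || return 1
    ! grep -Eq '^[[:space:]]*(start_cmd=|su[[:space:]])' "$1"
}

# Demo in a scratch directory (on FreeBSD the target would be
# /usr/local/etc/rc.d/autossh, as in the thread).
demo_dir=$(mktemp -d)
write_autossh_rc "$demo_dir/autossh"
rc_uses_builtin_user "$demo_dir/autossh" && echo "autossh: user switch left to rc.subr"
rm -rf "$demo_dir"
```

Setting `autossh_user="someoneelse"` in /etc/rc.conf overrides the default without editing the script, as the reply notes.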