Date: Sun, 09 Jan 2005 17:46:54 -0800 From: Eric Anholt <eta@lclark.edu> To: x11@FreeBSD.org, ports@FreeBSD.org Subject: x11 /tmp preparation rc.d script Message-ID: <1105321614.8452.54.camel@leguin>
[-- Attachment #1 --]
Attached are my proposed patches to deal with the X11 ICE issue. To
review, it's required because having .ICE not owned by root is a
security issue, one that's been papered over with a printed warning and
sleep(5) in libICE for years, and has recently been changed into an
actual error by the X.Org folks.
The question is whether to stick it in base or in ports:
In favor of ports:
- Seems like the proper place. Nothing happens for non-X11 users.
In favor of base:
- Would either need to make a separate port just for the script, or
keep the script in at least 3 separate ports, disregarding the
cleanup of servers which might make for more ports affected.
- From ports, it might get started too late in the boot process, or
not at all in some installations.
I decided to do it in the base system, assuming that we can spare 4
inodes, given that we already have BSD.x11-4.dist happening.
Brooks's patch also allowed overriding the set of directories. I don't
think that's a real issue, and the clutter in /etc/defaults/rc.conf is
worse. I also think that cleartmp probably shouldn't be overloaded with
X stuff, though there's still the BEFORE: preparex11 line, which I'm
unsure of.
So, attached are proposed patches for 6-current and 5-stable. I haven't
done a real install of them because my systems are out of date, but I
wanted to get this out there for review so it can go into CVS soon after
I test installing. If they're good, they would be merged to RELENG_5_3
and older, I hope, due to the security implications.
Any comments?
--
Eric Anholt eta@lclark.edu
http://people.freebsd.org/~anholt/ anholt@FreeBSD.org
[-- Attachment #2 --]
Index: etc/defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.235
diff -u -r1.235 rc.conf
--- etc/defaults/rc.conf 15 Dec 2004 12:39:28 -0000 1.235
+++ etc/defaults/rc.conf 10 Jan 2005 01:25:35 -0000
@@ -443,6 +443,7 @@
svr4_enable="NO" # SysVR4 emulation loaded at startup (or NO).
osf1_enable="NO" # Alpha OSF/1 emulation loaded at startup (or NO).
clear_tmp_enable="NO" # Clear /tmp at startup.
+prepare_x11_enable="YES" # Clean and recreate directories necessary for X11.
ldconfig_insecure="NO" # Set to YES to disable ldconfig security checks
ldconfig_paths="/usr/lib/compat /usr/X11R6/lib /usr/local/lib /usr/local/lib/compat/pkg"
# shared library search paths
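Review bot: the comment on the new `prepare_x11_enable="YES"` line only says what the knob does, not that it now governs the lock-file removal that the cleartmp hunk below takes out of cleartmp, where it ran unconditionally; a reader comparing it with `clear_tmp_enable="NO"` two lines up has no hint that setting it to NO drops a cleanup that used to happen regardless. Suggest saying so in the comment, e.g. `# Clean and recreate directories necessary for X11 (was done by cleartmp).`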
Index: etc/rc.d/Makefile
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/Makefile,v
retrieving revision 1.47
diff -u -r1.47 Makefile
--- etc/rc.d/Makefile 16 Nov 2004 04:20:09 -0000 1.47
+++ etc/rc.d/Makefile 10 Jan 2005 00:55:40 -0000
@@ -26,7 +26,7 @@
nfslocking nfsserver nisdomain nsswitch ntpd ntpdate \
othermta \
pccard pcvt pf pflog \
- power_profile ppp-user pppoed preseedrandom pwcheck \
+ power_profile ppp-user pppoed preparex11 preseedrandom pwcheck \
quota \
ramdisk ramdisk-own random rarpd rcconf.sh resolv root \
route6d routed routing rpcbind rtadvd rwho \
Index: etc/rc.d/cleartmp
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/cleartmp,v
retrieving revision 1.11
diff -u -r1.11 cleartmp
--- etc/rc.d/cleartmp 7 Oct 2004 13:55:25 -0000 1.11
+++ etc/rc.d/cleartmp 10 Jan 2005 01:00:08 -0000
@@ -6,7 +6,7 @@
# PROVIDE: cleartmp
# REQUIRE: mountcritremote tmp
-# BEFORE: DAEMON
+# BEFORE: DAEMON preparex11
. /etc/rc.subr
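Review bot: the `# BEFORE: DAEMON preparex11` line is the one the mail itself flags as uncertain, and it can be dropped by expressing the dependency from the other side: `# REQUIRE: mountall cleartmp` in the preparex11 header below gives rcorder the same ordering, since rcorder derives order from the PROVIDE/REQUIRE/BEFORE headers of the files whether or not cleartmp is enabled in rc.conf, and it keeps cleartmp free of X11 references as the mail wants.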
@@ -30,10 +30,3 @@
load_rc_config $name
run_rc_command "$1"
-
-# Remove X lock files, since they will prevent you from
-# restarting X
-#
-rm -f /tmp/.X[0-9]-lock
-rm -fr /tmp/.X11-unix
-mkdir -m 1777 /tmp/.X11-unix
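Review bot: the removed block ran after `run_rc_command`, i.e. even with `clear_tmp_enable="NO"`, so the lock-file and `/tmp/.X11-unix` cleanup was unconditional before this change and becomes conditional on `prepare_x11_enable` after it; that behavioural change should be called out in the commit message (and UPDATING for the RELENG_5 merge) so anyone who disables the new knob knows that stale `/tmp/.X[0-9]-lock` files will no longer be removed at boot. Note also that the replacement pattern `/tmp/.X*-lock` in the new script is wider than `/tmp/.X[0-9]-lock` here (it also matches `.X10-lock` and above, which is correct for display numbers of two digits).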
Index: etc/rc.d/preparex11
===================================================================
RCS file: etc/rc.d/preparex11
diff -N etc/rc.d/preparex11
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ etc/rc.d/preparex11 10 Jan 2005 01:10:44 -0000
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: preparex11
+# REQUIRE: mountall
+# BEFORE: DAEMON
+# KEYWORD: FreeBSD NetBSD
+
+. /etc/rc.subr
+
+name="preparex11"
+rcvar=`set_rcvar prepare_x11`
+start_cmd="preparex11_start"
+stop_cmd=":"
+
+preparex11_start()
+{
+ echo "Preparing /tmp for X11 applications."
+ rm -f /tmp/.X*-lock
+ rm -fr /tmp/.X11-unix /tmp/.font-unix /tmp/.ICE-unix
+ mkdir -m 1777 /tmp/.X11-unix /tmp/.font-unix /tmp/.ICE-unix
+}
+
+load_rc_config $name
+run_rc_command "$1"
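Review bot: `# REQUIRE: mountall` is weaker than what cleartmp requires (`mountcritremote tmp`, visible above); if `/tmp` is a memory disk set up by the `tmp` script, this script can run `rm -fr`/`mkdir` on the underlying filesystem before the md is mounted over it, and the freshly mounted `/tmp` then has no root-owned `.ICE-unix` at all, which is exactly the condition the script exists to prevent. Suggest `# REQUIRE: mountall tmp` (or at least `tmp`). Two smaller points: `mkdir -m 1777 ...` has no error handling, so a read-only or missing `/tmp` leaves the boot continuing silently (`|| warn "..."` would surface it), and since all three directories are created in one `mkdir`, a failure on the first skips none of the others, which is fine, but the lack of a final newline check on the `rm -fr` list means a typo there silently removes nothing.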
Index: share/man/man5/rc.conf.5
===================================================================
RCS file: /home/ncvs/src/share/man/man5/rc.conf.5,v
retrieving revision 1.241
diff -u -r1.241 rc.conf.5
--- share/man/man5/rc.conf.5 5 Jan 2005 09:52:12 -0000 1.241
+++ share/man/man5/rc.conf.5 10 Jan 2005 01:25:36 -0000
@@ -2586,6 +2586,17 @@
to have
.Pa /tmp
cleaned at startup.
+.It Va prepare_x11_enable
+.Pq Vt bool
+Set to
+.Dq Li NO
+to disable removing stale X server lockfiles and disable removing and recreating
+.Pa /tmp/.ICE-unix ,
+.Pa /tmp/.X11-unix ,
+and
+.Pa /tmp/.font-unix
+at startup. May be a security issue if X11 applications are used with this
+disabled.
.It Va ldconfig_paths
.Pq Vt str
Set to the list of shared library paths to use with
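Review bot: mdoc style wants each new sentence to start on its own line, so `at startup. May be a security issue ...` on one line will be flagged by the man page lint tools; split it after `at startup.`. The explanation could also say what the issue is, which the mail does and the page does not: the X libraries refuse (formerly warned and slept) when `/tmp/.ICE-unix` is not owned by root, so a user-created directory blocks or weakens session management for everyone, and a root-owned, sticky (1777) directory created at boot is what this knob guarantees.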
[-- Attachment #3 --]
Index: etc/defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.212.2.9
diff -u -r1.212.2.9 rc.conf
--- etc/defaults/rc.conf 3 Jan 2005 12:41:39 -0000 1.212.2.9
+++ etc/defaults/rc.conf 10 Jan 2005 01:10:15 -0000
@@ -438,6 +438,7 @@
svr4_enable="NO" # SysVR4 emulation loaded at startup (or NO).
osf1_enable="NO" # Alpha OSF/1 emulation loaded at startup (or NO).
clear_tmp_enable="NO" # Clear /tmp at startup.
+prepare_x11_enable="YES" # Clean and recreate directories necessary for X11.
ldconfig_insecure="NO" # Set to YES to disable ldconfig security checks
ldconfig_paths="/usr/lib/compat /usr/X11R6/lib /usr/local/lib"
# shared library search paths
Index: etc/rc.d/Makefile
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/Makefile,v
retrieving revision 1.41.2.1
diff -u -r1.41.2.1 Makefile
--- etc/rc.d/Makefile 14 Oct 2004 04:36:15 -0000 1.41.2.1
+++ etc/rc.d/Makefile 10 Jan 2005 01:18:22 -0000
@@ -26,7 +26,7 @@
nfslocking nfsserver nisdomain nsswitch ntpd ntpdate \
othermta \
pccard pcvt pf pflog preseedrandom \
- power_profile ppp-user pppoed pwcheck \
+ power_profile ppp-user pppoed preparex11 pwcheck \
quota \
random rarpd rcconf.sh resolv root \
route6d routed routing rpcbind rtadvd rwho \
Index: etc/rc.d/cleartmp
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/cleartmp,v
retrieving revision 1.10.2.1
diff -u -r1.10.2.1 cleartmp
--- etc/rc.d/cleartmp 10 Oct 2004 09:50:53 -0000 1.10.2.1
+++ etc/rc.d/cleartmp 10 Jan 2005 01:26:45 -0000
@@ -6,7 +6,7 @@
# PROVIDE: cleartmp
# REQUIRE: mountcritremote tmp
-# BEFORE: DAEMON
+# BEFORE: DAEMON preparex11
. /etc/rc.subr
@@ -30,10 +30,3 @@
load_rc_config $name
run_rc_command "$1"
-
-# Remove X lock files, since they will prevent you from
-# restarting X
-#
-rm -f /tmp/.X[0-9]-lock
-rm -fr /tmp/.X11-unix
-mkdir -m 1777 /tmp/.X11-unix
Index: etc/rc.d/preparex11
===================================================================
RCS file: etc/rc.d/preparex11
diff -N etc/rc.d/preparex11
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ etc/rc.d/preparex11 10 Jan 2005 01:10:56 -0000
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: preparex11
+# REQUIRE: mountall
+# BEFORE: DAEMON
+# KEYWORD: FreeBSD NetBSD
+
+. /etc/rc.subr
+
+name="preparex11"
+rcvar=`set_rcvar prepare_x11`
+start_cmd="preparex11_start"
+stop_cmd=":"
+
+preparex11_start()
+{
+ echo "Preparing /tmp for X11 applications."
+ rm -f /tmp/.X*-lock
+ rm -fr /tmp/.X11-unix /tmp/.font-unix /tmp/.ICE-unix
+ mkdir -m 1777 /tmp/.X11-unix /tmp/.font-unix /tmp/.ICE-unix
+}
+
+load_rc_config $name
+run_rc_command "$1"
Index: share/man/man5/rc.conf.5
===================================================================
RCS file: /home/ncvs/src/share/man/man5/rc.conf.5,v
retrieving revision 1.221.2.8
diff -u -r1.221.2.8 rc.conf.5
--- share/man/man5/rc.conf.5 5 Jan 2005 08:31:19 -0000 1.221.2.8
+++ share/man/man5/rc.conf.5 10 Jan 2005 01:25:47 -0000
@@ -2586,6 +2586,17 @@
to have
.Pa /tmp
cleaned at startup.
+.It Va prepare_x11_enable
+.Pq Vt bool
+Set to
+.Dq Li NO
+to disable removing stale X server lockfiles and disable removing and recreating
+.Pa /tmp/.ICE-unix ,
+.Pa /tmp/.X11-unix ,
+and
+.Pa /tmp/.font-unix
+at startup. May be a security issue if X11 applications are used with this
+disabled.
.It Va ldconfig_paths
.Pq Vt str
Set to the list of shared library paths to use with
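The condition the mail and the new script are about is that the X11 socket directories in /tmp are real, root-owned, mode 1777 directories. The following is an added audit helper, not part of Eric's patches or of FreeBSD's rc.d; the function names `check_x11_tmpdir` and `audit_x11_tmpdirs` are mine, and the optional second argument (expected owner uid, default 0) exists so the check can be exercised on a scratch directory as a non-root user.

```shell
#!/bin/sh
# check_x11_tmpdir DIR [UID]
# Returns 0 if DIR is a real directory (not a symlink), owned by UID
# (default 0, i.e. root) and mode 1777, which is what preparex11's
# "mkdir -m 1777" produces.  Anything else returns 1 and says why.
check_x11_tmpdir() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        echo "$dir: missing" >&2
        return 1
    fi
    # ls -ldn: no trailing slash, so a symlink is listed as "l..."
    # instead of being followed; -n gives the numeric owner in field 3.
    # Only the first 10 characters of the mode are compared, so an ACL
    # or extended-attribute marker such as "drwxrwxrwt+" is tolerated.
    set -- $(ls -ldn "$dir")
    mode=$(printf '%.10s' "$1")
    uid=$3
    case $mode in
        l*) echo "$dir: is a symlink, not a directory" >&2; return 1 ;;
        drwxrwxrwt) ;;
        d*) echo "$dir: mode is $mode, want drwxrwxrwt (1777)" >&2; return 1 ;;
        *)  echo "$dir: not a directory" >&2; return 1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, want uid $want_uid" >&2
        return 1
    fi
    return 0
}

# Audit the three directories the preparex11 script recreates at boot.
# Returns 1 if any of them would fail the ownership/mode check.
audit_x11_tmpdirs() {
    rc=0
    for d in /tmp/.ICE-unix /tmp/.X11-unix /tmp/.font-unix; do
        check_x11_tmpdir "$d" || rc=1
    done
    return $rc
}
```

Run `audit_x11_tmpdirs` after boot to confirm the script did its job; a non-zero exit points at a directory an unprivileged process created first, or at the rc.d ordering problem discussed above.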
