Date:      Sat, 1 Jul 2017 00:27:09 +0200
From:      Jilles Tjoelker <jilles@stack.nl>
To:        Anthony Pankov <ap00@mail.ru>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: using rc.subr only by root restriction
Message-ID:  <20170630222709.GA74602@stack.nl>
In-Reply-To: <1599987034.20170623182536@mail.ru>
References:  <1599987034.20170623182536@mail.ru>

On Fri, Jun 23, 2017 at 06:25:36PM +0300, Anthony Pankov via freebsd-hackers wrote:
> I was deploying my new system based on FreeBSD 11 and got a
> surprise. I have a specific subsystem which uses its own startup scripts tied
> to rc.subr for better integration. Those scripts can be used not
> only by system startup but also by an unprivileged user. With FreeBSD
> 11, in the case of an unprivileged user the error appears: "limits: setrlimit
> datasize: Operation not permitted"

> There is a thread on a forum about the issue:
> https://forums.freebsd.org/threads/58304/

> I've never seen a warning not to use rc.subr in regular scripts
> so I made it this way.

> Maybe we can consider patching rc.subr and removing this
> restriction?

> P.S. This patch helps, but maybe there is a better way.
> --- /etc/rc.subr.old    2017-06-21 07:11:39.716210000 +0300
> +++ /etc/rc.subr        2017-06-21 07:18:21.215444000 +0300
> @@ -1072,7 +1072,9 @@
>                         fi
> 
>                                         # Prepend default limits
> -                       _doit="limits -C $_login_class $_doit"
> +                       if [ `id -u` -eq 0 ]; then
> +                               _doit="limits -C $_login_class $_doit"
> +                       fi
> 
>                                         # run the full command
>                                         #
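
Review bot: The non-root path created by the added "if [ `id -u` -eq 0 ]" test skips "limits -C $_login_class" silently, so a service started by an unprivileged user runs with whatever resource limits the caller's shell already has, and the unchanged "# Prepend default limits" comment no longer says when the limits are applied. Suggest updating that comment to state the root-only condition and printing a warning when the login class limits are skipped. The test also forks id each time this path runs; computing the uid once and reusing it, written as "$(id -u)" with quotes so that an empty result does not become a [ syntax error, would be cleaner.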

I don't like that this starts id -u many times during startup. Perhaps
you can use the id invocation in the code block that unsets $_user if
running as that user.

By the way, that code block seems to indicate that it was definitely
supposed to work to use rc.subr without root privileges. The concern
about resource limits and other context not matching normal boot is
valid, though.

-- 
Jilles Tjoelker


