Date:      Fri, 13 Jan 2012 02:18:03 -0800
From:      Doug Barton <dougb@FreeBSD.org>
To:        obrien@freebsd.org
Cc:        freebsd-rc@freebsd.org
Subject:   Re: Problem with LOGIN and cron
Message-ID:  <4F1004DB.2030102@FreeBSD.org>
In-Reply-To: <20120112234424.GA41056@dragon.NUXI.org>
References:  <20120112234424.GA41056@dragon.NUXI.org>


On 01/12/2012 15:44, David O'Brien wrote:
> 'LOGIN' states:
> 	This is a dummy dependency to ensure user services such as xdm,
> 	inetd, cron and kerberos are started after everything else, in
> 	case the administrator has increased the system security level
> 	and wants to delay user logins until the system is (almost) fully
> 	operational.
> 
> So based on that, 'securelevel' should have:
> +# REQUIRE: sysctl
> +# BEFORE:  LOGIN

I haven't fully processed the implications to your proposed change to
rcorder, but a quick meta-note. We should not introduce any new examples
of BEFORE in base rc.d scripts. That knob is useful for ports/local
stuff, but it makes debugging harder.

> Otherwise a cronjob could act against securelevel=1+ for a short period
> of time.

The right way to do what you're proposing is to have LOGIN REQUIRE
securelevel. I tend to agree that the current order is sub-optimal.

> But after adding that one gets
> 	rcorder: Circular dependency on provision `LOGIN' in file `cron'.
> 	rcorder: Circular dependency on provision `LOGIN' in file `jail'.
> 
> As 'cron' has "BEFORE: securelevel".  Why should that be the case?
> This comes from r114735 (Move securelevel further back in the boot order)
> but failed to state any scenarios.
> 
> Thoughts?

It sounds like the change to cron's rcorder was an unintended side
effect. The attached patch works without any circular dep errors. It
produces the following:

It moves cron and jail from right before LOGIN, to fairly late after it.
There are no other changes. On my system specifically:

/etc/rc.d/LOGIN
<ports stuff>
/etc/rc.d/ypxfrd
/etc/rc.d/ypupdated
/etc/rc.d/watchdogd
/etc/rc.d/ubthidhci
/etc/rc.d/syscons
/etc/rc.d/sshd
/etc/rc.d/sendmail
/etc/rc.d/othermta
/etc/rc.d/nfscbd
/etc/rc.d/msgs
/etc/rc.d/moused
/etc/rc.d/mixer
/etc/rc.d/jail		***
/etc/rc.d/inetd
/etc/rc.d/hostapd
/etc/rc.d/gptboot
/etc/rc.d/geli2
/etc/rc.d/ftpd
/etc/rc.d/ftp-proxy
/etc/rc.d/cron		***
/etc/rc.d/bsnmpd
/etc/rc.d/bgfsck
/etc/rc.d/addswap

I'm willing to listen to good arguments that describe why cron or jail
should start before LOGIN, but if that's going to be the case then yes,
we need to update that comment.


Doug

-- 

	You can observe a lot just by watching.	-- Yogi Berra

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
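
A small model of the ordering rules discussed in this message, added here as an illustration (it is not code from the thread or from rcorder): it parses PROVIDE/REQUIRE/BEFORE headers, reports the circular dependency the quoted proposal produces, and shows the order the attached diff gives. The header strings are constructed from the lines visible in the message and the diff; DAEMON, cleanvar and sysctl are assumed to be dependency-free stubs.

```python
import re
from graphlib import CycleError, TopologicalSorter  # Python 3.9+

HEADER = re.compile(r"^#[ \t]*(PROVIDE|REQUIRE|BEFORE):[ \t]*(.*)$", re.M)

def parse(text):
    """Collect the PROVIDE/REQUIRE/BEFORE words from one rc.d script header."""
    words = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, value in HEADER.findall(text):
        words[key] += value.split()
    return words

def start_order(scripts):
    """scripts maps file name -> header text; raises CycleError on a loop."""
    meta = {name: parse(text) for name, text in scripts.items()}
    provider = {p: name for name, m in meta.items() for p in m["PROVIDE"]}
    after = {name: set() for name in scripts}  # file -> files that start first
    for name, m in meta.items():
        after[name] |= {provider[r] for r in m["REQUIRE"] if r in provider}
        for b in m["BEFORE"]:
            if b in provider:
                after[provider[b]].add(name)
    return list(TopologicalSorter(after).static_order())

def has_cycle(scripts):
    try:
        start_order(scripts)
    except CycleError:
        return True
    return False

def starts_before(scripts, first, second):
    order = start_order(scripts)
    return order.index(first) < order.index(second)

# Constructed inputs: only header lines visible in the thread and the diff.
STUBS = {n: f"# PROVIDE: {n}\n" for n in ("DAEMON", "cleanvar", "sysctl")}
USER = "# REQUIRE: LOGIN cleanvar\n"
ORIGINAL = {**STUBS,
    "LOGIN": "# PROVIDE: LOGIN\n# REQUIRE: DAEMON\n",
    "cron": "# PROVIDE: cron\n" + USER + "# BEFORE: securelevel\n",
    "jail": "# PROVIDE: jail\n" + USER + "# BEFORE: securelevel\n",
    "securelevel": "# PROVIDE: securelevel\n"}
PROPOSED = {**ORIGINAL,  # securelevel headers suggested in the quoted message
    "securelevel": "# PROVIDE: securelevel\n# REQUIRE: sysctl\n# BEFORE:  LOGIN\n"}
PATCHED = {**STUBS,      # headers after the attached diff
    "LOGIN": "# PROVIDE: LOGIN\n# REQUIRE: DAEMON securelevel\n",
    "cron": "# PROVIDE: cron\n" + USER,
    "jail": "# PROVIDE: jail\n" + USER,
    "securelevel": "# PROVIDE: securelevel\n# REQUIRE: DAEMON\n"}
```

With the original headers cron is ordered ahead of securelevel, which is the window the quoted message describes; with the patched headers securelevel precedes LOGIN, and LOGIN precedes cron and jail.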


Attachment: rc.d-securelevel.diff

diff -ur /usr/src/etc/rc.d/LOGIN ./LOGIN
--- /usr/src/etc/rc.d/LOGIN	2012-01-08 14:34:00.000000000 -0800
+++ ./LOGIN	2012-01-13 02:06:23.000000000 -0800
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: LOGIN
-# REQUIRE: DAEMON
+# REQUIRE: DAEMON securelevel
 
 #	This is a dummy dependency to ensure user services such as xdm,
 #	inetd, cron and kerberos are started after everything else, in case
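Review bot: on the changed REQUIRE line, DAEMON becomes redundant once securelevel itself requires DAEMON (see the securelevel hunk); keeping it is harmless, but the comment block that follows should say explicitly that LOGIN now waits for securelevel, since that ordering is what backs its "increased the system security level" wording.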
diff -ur /usr/src/etc/rc.d/cron ./cron
--- /usr/src/etc/rc.d/cron	2012-01-08 14:34:01.000000000 -0800
+++ ./cron	2012-01-13 02:08:04.000000000 -0800
@@ -5,7 +5,6 @@
 
 # PROVIDE: cron
 # REQUIRE: LOGIN cleanvar
-# BEFORE: securelevel
 # KEYWORD: shutdown
 
 . /etc/rc.subr
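Review bot: removing the BEFORE: securelevel line reverses cron's position relative to securelevel, so cron now starts with the raised securelevel already in force. The thread notes that r114735 added this line without a stated reason; the commit log for this change should record why it is being removed so the ordering is not left unexplained a second time.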
diff -ur /usr/src/etc/rc.d/jail ./jail
--- /usr/src/etc/rc.d/jail	2012-01-08 14:34:01.000000000 -0800
+++ ./jail	2012-01-13 02:08:29.000000000 -0800
@@ -5,7 +5,6 @@
 
 # PROVIDE: jail
 # REQUIRE: LOGIN cleanvar
-# BEFORE: securelevel
 # KEYWORD: nojail shutdown
 
 # WARNING: This script deals with untrusted data (the data and
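Review bot: with the BEFORE: securelevel line gone, jails start only after the host securelevel has been raised, where before they always started ahead of it. Please confirm that jail startup was exercised on a host with a raised securelevel and say so in the commit message.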
diff -ur /usr/src/etc/rc.d/securelevel ./securelevel
--- /usr/src/etc/rc.d/securelevel	2012-01-08 14:34:01.000000000 -0800
+++ ./securelevel	2012-01-13 02:07:09.000000000 -0800
@@ -2,8 +2,8 @@
 #
 # $FreeBSD: head/etc/rc.d/securelevel 220153 2011-03-30 01:19:00Z emaste $
 #
-
 # PROVIDE: securelevel
+# REQUIRE: DAEMON
 
 . /etc/rc.subr
 
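Review bot: the removed blank line above "# PROVIDE: securelevel" is an unrelated whitespace change, and the cron and jail hunks show those scripts keep a blank line above their PROVIDE line; suggest leaving it in. On the added REQUIRE line, the quoted proposal asked for sysctl rather than DAEMON, so it is worth stating whether requiring DAEMON already guarantees sysctl has run.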
