Date: Fri, 23 Dec 2005 04:51:59 +0100 From: "Timur I. Bakeyev" <timur@gnu.org> To: Thomas-Martin Seck <tmseck-lists@netcologne.de> Cc: Derkjan de Haan <derkjan@haanjdj.xs4all.nl>, freebsd-ports@freebsd.org Subject: Re: squid, samba startup scripts fail to run from base system rcorder Message-ID: <20051223035159.GA78371@com.bat.ru> In-Reply-To: <20051222204442.GA826@odin.ac.hmc.edu> References: <002601c60667$271c6bd0$0102a8c0@bogomip> <43AB064A.3040706@FreeBSD.org> <20051222202437.GA24311@bledge.tmseck.homedns.org> <20051222204442.GA826@odin.ac.hmc.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Dec 22, 2005 at 12:44:42PM -0800, Brooks Davis wrote: > > The values of these comments have no impact on RELENG_5 because rcorder > is never run on these scripts there. As a rule, servers that don't run > things as individual users should "# REQUIRE: DAEMON" and those that do > run things as individual users should "# REQUIRE: LOGIN". After LOGIN > it should be safe for users to log in. Currently, there's a bug in the > dependency order in that secure level comes after LOGIN and by design > it's supposed to come before. This represents a potentially exploitable > race. > > About the only service I can think of that might come before DAEMON > is an LDAP or similar service that is used to provide local accounts for > other services. On the whole, that probably shouldn't be the default > even for such services. Add here Samba as well or, more exactly, windbindd daemon - it also acts as nsswitch provider. So, it should fit into the first category. With regards, Timur Bakeyev.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051223035159.GA78371>