rc.d and environment variables
Da Rock
freebsd-questions at herveybayaustralia.com.au
Fri Dec 24 10:41:51 UTC 2010
On 12/24/10 19:37, Victor Sudakov wrote:
> Da Rock wrote:
>
>>>
>>>
>>>> Doesn't the rc.d script run as root initially and then a method (default
>>>> flags, etc) is used to change the owner to a nobody (restricted
>>>> privilege user)? Just my 2c, but please correct me if I'm wrong.
>>>>
>>>>
>>> That is probably correct, rc.subr does "su -m $user", but the login
>>> class is not applied there, nor is the users's shell called.
>>>
>>>
>>>
>> Exactly. Which means that you'd have to adapt root's env because root's
>> shell would be called(?).
>>
> In this case, how do I limit the variables's visibility only to the
> particular daemon (svnserve) or particular user (svn)?
>
>
>> PITA, but as an alternative couldn't all the keytabs be stored in the
>> same _secure_ location? Then a global env could be used.
>>
> I really don't know what the security implications will be if
> /etc/krb5.keytab is readable by anyone besides the root user? Do you
> have a clue about it? There are other services' keys stored there
> besides svn (host/*, cvs/* etc).
>
>
At the risk of getting laughed off stage, and pulling in yet another
service, what about ldap? I believe there is supposed to be a way to
store keytabs in ldap, which theoretically would mean only the
particular services would be able to access their keytabs.
More information about the freebsd-questions
mailing list