x11 /tmp preparation rc.d script

Jose M Rodriguez josemi at freebsd.jazztel.es
Mon Jan 10 00:27:11 PST 2005


Eric Anholt wrote:

>Attached are my proposed patches to deal with the X11 ICE issue.  To
>review, it's required because having .ICE not owned by root is a
>security issue, one that's been papered over with a printed warning and
>sleep(5) in libICE for years, and has recently been changed into an
>actual error by the X.Org folks.
>
>The question is whether to stick it in base or in ports:
>
>In favor of ports:
>  - Seems like the proper place.  Nothing happens for non-X11 users.
>In favor of base:
>  - Would either need to make a separate port just for the script, or
>    keep the script in at least 3 separate ports, disregarding the
>    cleanup of servers which might make for more ports affected.
>  
>
Well, it seems that this is really needed only from xorg-libs.  It must 
also be needed from XFree86-4-libs, but this is because we maintain two X11 
ports systems.

>  - From ports, it might get started too late in the boot process, or
>    not at all in some installations.
>  
>
This is not a real threat.  Please note cases.

>I decided to do it in the base system, assuming that we can spare 4
>inodes, given that we already have BSD.x11-4.dist happening.
>  
>
What I can't understand is the matter of choice.  It seems that having both 
solutions (ports and base) is not dangerous. You may need a ms timer to 
take this into account.

I think that the two solutions must be targeted, and the ports-based one 
will be deprecated in time only when all our base targets (We must 
support Xorg also on RELENG_4, at least, while this is possible).

If you go to an rcNG script, make this have auto defaults, and install it 
from ports after an OS_VERSION test.  You may lose this code from ports 
when all the possible targets of Xorg have this on base.

>Brooks's patch also allowed overriding the set of directories.  I don't
>think that's a real issue, and the clutter in /etc/defaults/rc.conf is
>worse.  I also think that cleartmp probably shouldn't be overloaded with
>X stuff, though there's still the BEFORE: preparex11 line, which I'm
>unsure of.
>
>So, attached are proposed patches for 6-current and 5-stable.  I haven't
>done a real install of them because my systems are out of date, but I
>wanted to get this out there for review so it can go into CVS soon after
>I test installing.  If they're good, they would be merged to RELENG_5_3
>and older, I hope, due to the security implications.
>
>Any comments?
>
>  
>
>------------------------------------------------------------------------
>
>Index: etc/defaults/rc.conf
>===================================================================
>RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
>retrieving revision 1.235
>diff -u -r1.235 rc.conf
>--- etc/defaults/rc.conf	15 Dec 2004 12:39:28 -0000	1.235
>+++ etc/defaults/rc.conf	10 Jan 2005 01:25:35 -0000
>@@ -443,6 +443,7 @@
> svr4_enable="NO"	# SysVR4 emulation loaded at startup (or NO).
> osf1_enable="NO"	# Alpha OSF/1 emulation loaded at startup (or NO).
> clear_tmp_enable="NO"	# Clear /tmp at startup.
>+prepare_x11_enable="YES" # Clean and recreate directories necessary for X11.
> ldconfig_insecure="NO"	# Set to YES to disable ldconfig security checks
> ldconfig_paths="/usr/lib/compat /usr/X11R6/lib /usr/local/lib /usr/local/lib/compat/pkg"
> 			# shared library search paths
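Review bot: the added prepare_x11_enable line separates the value from its comment with a single space, while the neighbouring svr4_enable, osf1_enable and clear_tmp_enable entries use a tab; use a tab so the comment column lines up with the rest of the file.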
>Index: etc/rc.d/Makefile
>===================================================================
>RCS file: /home/ncvs/src/etc/rc.d/Makefile,v
>retrieving revision 1.47
>diff -u -r1.47 Makefile
>--- etc/rc.d/Makefile	16 Nov 2004 04:20:09 -0000	1.47
>+++ etc/rc.d/Makefile	10 Jan 2005 00:55:40 -0000
>@@ -26,7 +26,7 @@
> 	nfslocking nfsserver nisdomain nsswitch ntpd ntpdate \
> 	othermta \
> 	pccard pcvt pf pflog \
>-	power_profile ppp-user pppoed preseedrandom pwcheck \
>+	power_profile ppp-user pppoed preparex11 preseedrandom pwcheck \
> 	quota \
> 	ramdisk ramdisk-own random rarpd rcconf.sh resolv root \
> 	route6d routed routing rpcbind rtadvd rwho \
>Index: etc/rc.d/cleartmp
>===================================================================
>RCS file: /home/ncvs/src/etc/rc.d/cleartmp,v
>retrieving revision 1.11
>diff -u -r1.11 cleartmp
>--- etc/rc.d/cleartmp	7 Oct 2004 13:55:25 -0000	1.11
>+++ etc/rc.d/cleartmp	10 Jan 2005 01:00:08 -0000
>@@ -6,7 +6,7 @@
> 
> # PROVIDE: cleartmp
> # REQUIRE: mountcritremote tmp
>-# BEFORE: DAEMON
>+# BEFORE: DAEMON preparex11
>  
>
I think you may take this better from your new script.  rcNG also 
supports a REQUIRE/AFTER keyword. I think you must take preparex11 
_after_ cleartmp.

The only 'consumers' of this I know are xdm related scripts on localpkg 
and gettys from init after rc has finished.

> 
> . /etc/rc.subr
> 
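Review bot: the changed header line `# BEFORE: DAEMON preparex11` makes cleartmp name the new script, so the ordering lives in the older file; it could be declared in preparex11 instead by adding cleartmp to its REQUIRE line, which would leave this header untouched.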
>@@ -30,10 +30,3 @@
> 
> load_rc_config $name
> run_rc_command "$1"
>-
>-# Remove X lock files, since they will prevent you from
>-# restarting X
>-#
>-rm -f /tmp/.X[0-9]-lock
>-rm -fr /tmp/.X11-unix
>-mkdir -m 1777 /tmp/.X11-unix
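Review bot: the removed rm/mkdir lines sat after `run_rc_command "$1"` at the end of cleartmp, so they ran whenever the script was executed, independent of clear_tmp_enable, whereas their replacement in preparex11 runs only when prepare_x11_enable is YES. That behaviour change deserves a line in the commit message, and the lock pattern widening from `.X[0-9]-lock` to `.X*-lock` should be stated as intentional.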
>Index: etc/rc.d/preparex11
>===================================================================
>RCS file: etc/rc.d/preparex11
>diff -N etc/rc.d/preparex11
>--- /dev/null	1 Jan 1970 00:00:00 -0000
>+++ etc/rc.d/preparex11	10 Jan 2005 01:10:44 -0000
>@@ -0,0 +1,27 @@
>+#!/bin/sh
>+#
>+# $FreeBSD$
>+#
>+
>+# PROVIDE: preparex11
>  
>
consider REQUIRE: mountall cleartmp

>+# REQUIRE: mountall
>+# BEFORE: DAEMON
>  
>
We have lost system flags

>+# KEYWORD: FreeBSD NetBSD
>
>+
>+. /etc/rc.subr
>+
>+name="preparex11"
>+rcvar=`set_rcvar prepare_x11`
>+start_cmd="preparex11_start"
>+stop_cmd=":"
>+
>+preparex11_start()
>+{
>+	echo "Preparing /tmp for X11 applications."
>+	rm -f /tmp/.X*-lock
>+	rm -fr /tmp/.X11-unix /tmp/.font-unix /tmp/.ICE-unix
>+	mkdir -m 1777 /tmp/.X11-unix /tmp/.font-unix /tmp/.ICE-unix
>+}
>+
>+load_rc_config $name
>  
>
If you add the next auto default here, this same script will work 
installed from ports.  Install it with a 000. name prefix, so this is 
taken before gdm.sh or similar.

:  ${prepare_x11_enable:="YES"}

>+run_rc_command "$1"
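Review bot: in preparex11_start the exit status of `mkdir -m 1777 /tmp/.X11-unix /tmp/.font-unix /tmp/.ICE-unix` is never checked, so a failure to recreate a directory passes silently even though root ownership of these directories is the reason for the script; test the result and emit a warning on failure. A comment that `start` is meant for boot time would also help, since the `rm -fr` line removes /tmp/.X11-unix whenever the command is run.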
>Index: share/man/man5/rc.conf.5
>===================================================================
>RCS file: /home/ncvs/src/share/man/man5/rc.conf.5,v
>retrieving revision 1.241
>diff -u -r1.241 rc.conf.5
>--- share/man/man5/rc.conf.5	5 Jan 2005 09:52:12 -0000	1.241
>+++ share/man/man5/rc.conf.5	10 Jan 2005 01:25:36 -0000
>@@ -2586,6 +2586,17 @@
> to have
> .Pa /tmp
> cleaned at startup.
>+.It Va prepare_x11_enable
>+.Pq Vt bool
>+Set to
>+.Dq Li NO
>+to disable removing stale X server lockfiles and disable removing and recreating
>+.Pa /tmp/.ICE-unix ,
>+.Pa /tmp/.X11-unix ,
>+and
>+.Pa /tmp/.font-unix
>+at startup.  May be a security issue if X11 applications are used with this
>+disabled.
> .It Va ldconfig_paths
> .Pq Vt str
> Set to the list of shared library paths to use with
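Review bot: the last sentence of the new prepare_x11_enable entry, "May be a security issue if X11 applications are used with this disabled.", does not say what the issue is; state that the directories need to exist and be owned by root, which is the reason the cover message gives for .ICE. The "disable removing ... and disable removing and recreating" wording would also read better as one positive description of what happens when the variable is YES.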
>  
>
>  
>
<snip/>

--
  josemi
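
An added example, not part of Eric's patch or of this reply: a POSIX sh check that the three directories the proposed preparex11 script recreates are real directories, owned by root and mode 1777, the ownership property the thread describes for .ICE. The function names and the optional base-directory and uid arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the directories that preparex11 recreates.
# Function names and the BASE/UID arguments are assumptions of this example.

# check_x11_dir DIR [UID]
# Succeeds only if DIR is a real directory (not a symlink), owned by
# UID (default 0, root) and has mode 1777 (drwxrwxrwt).
check_x11_dir()
{
	dir=$1
	want_uid=${2:-0}

	if [ -L "$dir" ]; then
		echo "$dir: is a symlink" >&2
		return 1
	fi
	if [ ! -d "$dir" ]; then
		echo "$dir: missing or not a directory" >&2
		return 1
	fi
	# "ls -ldn" prints: mode links uid gid ...  (-n keeps the ids numeric)
	info=$(ls -ldn "$dir") || return 1
	set -f; set -- $info; set +f
	mode=$1
	uid=$3
	case $mode in
	drwxrwxrwt*) ;;		# trailing ACL/label markers (+ .) are accepted
	*)	echo "$dir: mode $mode, expected drwxrwxrwt" >&2
		return 1 ;;
	esac
	if [ "$uid" != "$want_uid" ]; then
		echo "$dir: owned by uid $uid, expected $want_uid" >&2
		return 1
	fi
}

# check_x11_tmp [BASE] [UID]
# Checks all three directories under BASE (default /tmp); returns
# non-zero if any of them fails, after reporting every failure.
check_x11_tmp()
{
	base=${1:-/tmp}
	rc=0
	for d in .X11-unix .font-unix .ICE-unix; do
		check_x11_dir "$base/$d" "${2:-0}" || rc=1
	done
	return $rc
}
```

Calling `check_x11_tmp` with no arguments audits /tmp against uid 0.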

