Feature Request: /usr/local/etc/rc.conf support
Ted Cabeen
secabeen at pobox.com
Tue Feb 17 13:33:25 PST 2004
Thomas-Martin Seck <tmseck-lists at netcologne.de> writes:
> * Ted Cabeen (secabeen at pobox.com):
>
>> tmseck-lists at netcologne.de (Thomas-Martin Seck) writes:
>>
>> > * Ted Cabeen <secabeen at pobox.com> [gmane.os.freebsd.devel.ports]:
>> >
>> >> With the ever-increasing number of ports that use rc.conf variables to
>> >> regulate their startup, would it be possible to add support for a
>> >> /usr/local/etc/rc.conf file in FreeBSD? The constant changes to the
>> >> rc.conf file have been playing havoc with my centralized management
>> >> systems, and it makes it harder and harder to keep the /etc/rc.conf
>> >> file set immutable (which I like to do on critical servers, to prevent
>> >> the securelevel from changing).
>> >
>> > You can use /etc/rc.conf.local.
>>
>> Yeah, but that's supposedly deprecated.
>
> Maybe, but 5.x still uses it "for historical reasons". Neither rc(8) nor
> rc.conf(5) say "deprecated". Do you mean rc.local?

Okay. I read "for historical reasons" as "we might get rid of this
someday, so don't use it".

>> > See the declaration of rc_conf_files in /etc/defaults/rc.conf.
>>
>> Also, that doesn't solve the problem of securelevels. rc.conf.local
>> is still parsed by the boot scripts and could be used to override the
>> system's securelevel.
>
> I cannot follow you here. What does the securelevel value have to do
> with all this?

The system securelevel is set in the /etc/rc.conf file. To prevent an
attacker from changing the securelevel defined there and then
rebooting the machine, I set the /etc/rc.conf file to be immutable.
However, I'd like to be able to install new ports and have them start
automatically without having to boot to single-user to modify rc.conf
(or any other configuration file equivalent to rc.conf).

--
Ted Cabeen http://www.pobox.com/~secabeen ted at impulse.net
Check Website or Keyserver for PGP/GPG Key BA0349D2 secabeen at pobox.com
"I have taken all knowledge to be my province." -F. Bacon secabeen at cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot cabeen at netcom.com
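
The ordering issue raised in the message above, as an added example that is not part of the original thread: the files listed in rc_conf_files are read in order, so an audit has to find the last assignment of kern_securelevel across all of them, not only the one in /etc/rc.conf. The function names and the sample files are constructed for illustration, and only plain VAR=value lines are parsed (the files are not executed).

```shell
#!/bin/sh
# Added example: report which file in rc_conf_files decides a variable.
# The boot scripts read the listed files in order, so the last assignment wins.

# Print the space-separated file list from a defaults file ($1).
rc_conf_files_of() {
    sed -n 's/^rc_conf_files="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Print "<file> <value>" for the last assignment of variable $1
# among the files given as the remaining arguments. Unreadable or
# missing files are skipped, as an absent rc.conf.local would be.
effective_setting() {
    var=$1; shift
    result=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*${var}=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$f" | tail -n 1)
        if [ -n "$v" ]; then
            result="$f $v"
        fi
    done
    echo "$result"
}

# Constructed sample: rc.conf sets securelevel 2, a later file lowers it.
demo() {
    d=$(mktemp -d)
    printf 'rc_conf_files="%s/rc.conf %s/rc.conf.local"\n' "$d" "$d" > "$d/defaults"
    printf 'kern_securelevel_enable="YES"\nkern_securelevel="2"\n' > "$d/rc.conf"
    printf 'kern_securelevel="-1"\n' > "$d/rc.conf.local"
    files=$(rc_conf_files_of "$d/defaults")
    # Word splitting of $files is intended: it is a space-separated list.
    set -- $(effective_setting kern_securelevel $files)
    echo "${1##*/} $2"
    rm -rf "$d"
}

demo
```

On a real system the same check would be pointed at /etc/defaults/rc.conf, and every file it reports would need the same immutable flag as /etc/rc.conf for the protection described above to hold.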