squid, samba startup scripts fail to run from base system rcorder

Brooks Davis brooks at one-eyed-alien.net
Thu Dec 22 12:44:58 PST 2005


On Thu, Dec 22, 2005 at 09:24:38PM +0100, Thomas-Martin Seck wrote:
> * Doug Barton (dougb at FreeBSD.org):
> 
> > Derkjan de Haan wrote:
> > >All,
> > >
> > >I run RELENG_6 on my system, and cvs-upping today, I noticed that samba 
> > >and squid fail to start properly. 
> > 
> > I tried squid, and it worked for me without any alterations. I haven't 
> > tried samba yet, but I don't see anything terribly wrong with the boot 
> > script (although really it would be better to separate the two parts into 
> > two different scripts).
> 
> Ok, here is the squid maintainer:
> 
> I am just about to update to the latest RELENG_6 to check for myself;
> however it would be nice to hear if squid.sh in its "rcNG" incarnation
> is not as broken as I had feared.
> 
> However, I am open to suggestions how squid.sh is best fit into new
> world order. Currently I let it REQUIRE: NETWORKING SERVERS basically
> because that is what the script I stole this from when I was forced to
> provide rcNG support did.
> 
> If it's recommended to change this (provided this is backwards
> compatible for the RELENG_5 users), I am all ears.

The values of these comments have no impact on RELENG_5 because rcorder
is never run on these scripts there.  As a rule, servers that don't run
things as individual users should "# REQUIRE: DAEMON" and those that do
run things as individual users should "# REQUIRE: LOGIN".  After LOGIN
it should be safe for users to log in.  Currently, there's a bug in the
dependency order in that secure level comes after LOGIN and by design
it's supposed to come before.  This represents a potentially exploitable
race.

About the only service I can think of that might come before DAEMON
is an LDAP or similar service that is used to provide local accounts for
other services.  On the whole, that probably shouldn't be the default
even for such services.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529  9BF0 5D8E 8BE9 F238 1AD4
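
An added example (not part of the original message, and not FreeBSD code): a check that parses rcorder-style `PROVIDE`/`REQUIRE`/`BEFORE` headers and reports whether `securelevel` is forced to start before `LOGIN`, the ordering the message says is intended. The two header sets are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed rc.d headers for illustration; not copied from any FreeBSD release.
BROKEN = {
    "DAEMON":      "# PROVIDE: DAEMON\n",
    "LOGIN":       "# PROVIDE: LOGIN\n# REQUIRE: DAEMON\n",
    "securelevel": "# PROVIDE: securelevel\n# REQUIRE: LOGIN\n",
    "squid":       "# PROVIDE: squid\n# REQUIRE: DAEMON\n",
}
# Same set, with securelevel explicitly ordered ahead of LOGIN.
FIXED = dict(BROKEN,
             securelevel="# PROVIDE: securelevel\n# REQUIRE: DAEMON\n# BEFORE: LOGIN\n")

HEADER = re.compile(r"^#[ \t]*(PROVIDE|REQUIRE|BEFORE):[ \t]*(.*)$", re.M)

def build_graph(scripts):
    """Return edges[x] = provisions the headers force to start before x."""
    edges = defaultdict(set)
    for text in scripts.values():
        fields = defaultdict(list)
        for key, value in HEADER.findall(text):
            fields[key] += value.split()
        for prov in fields["PROVIDE"]:
            edges[prov].update(fields["REQUIRE"])
            for later in fields["BEFORE"]:
                edges[later].add(prov)
    return edges

def runs_before(edges, first, second):
    """True if `first` is a transitive prerequisite of `second`."""
    seen, stack = set(), [second]
    while stack:
        node = stack.pop()
        for dep in edges[node] - seen:
            if dep == first:
                return True
            seen.add(dep)
            stack.append(dep)
    return False

def audit(scripts, barrier="LOGIN", must_precede=("securelevel",)):
    """List provisions that are NOT guaranteed to start before the barrier."""
    edges = build_graph(scripts)
    return [p for p in must_precede if not runs_before(edges, p, barrier)]

if __name__ == "__main__":
    print("broken:", audit(BROKEN))
    print("fixed: ", audit(FIXED))
```
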

More information about the freebsd-ports mailing list