x11 /tmp preparation rc.d script

Eric Anholt eta at lclark.edu
Sun Jan 9 17:47:04 PST 2005


Attached are my proposed patches to deal with the X11 ICE issue.  To
review, it's required because having .ICE not owned by root is a
security issue, one that's been papered over with a printed warning and
sleep(5) in libICE for years, and has recently been changed into an
actual error by the X.Org folks.

The question is whether to stick it in base or in ports:

In favor of ports:
  - Seems like the proper place.  Nothing happens for non-X11 users.
In favor of base:
  - Would either need to make a separate port just for the script, or
    keep the script in at least 3 separate ports, disregarding the
    cleanup of servers which might make for more ports affected.
  - From ports, it might get started too late in the boot process, or
    not at all in some installations.

I decided to do it in the base system, assuming that we can spare 4
inodes, given that we already have BSD.x11-4.dist happening.

Brooks's patch also allowed overriding the set of directories.  I don't
think that's a real issue, and the clutter in /etc/defaults/rc.conf is
worse.  I also think that cleartmp probably shouldn't be overloaded with
X stuff, though there's still the BEFORE: preparex11 line, which I'm
unsure of.

So, attached are proposed patches for 6-current and 5-stable.  I haven't
done a real install of them because my systems are out of date, but I
wanted to get this out there for review so it can go into CVS soon after
I test installing.  If they're good, they would be merged to RELENG_5_3
and older, I hope, due to the security implications.

Any comments?

-- 
Eric Anholt                                eta at lclark.edu          
http://people.freebsd.org/~anholt/         anholt at FreeBSD.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: preparex11-current
Type: text/x-patch
Size: 3711 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20050109/0ce98dd8/preparex11-current.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: preparex11-stable
Type: text/x-patch
Size: 3699 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20050109/0ce98dd8/preparex11-stable.bin
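
The ownership requirement described in the message above, as an added example that is not part of the original post or of the attached patches: a shell function that audits one X11 socket directory. The path /tmp/.ICE-unix, the mode 1777 expectation and the name check_x11_tmpdir are assumptions, not taken from the patches.

```shell
#!/bin/sh
# Added example: audit an X11 socket directory such as /tmp/.ICE-unix
# (path assumed; the post only calls it ".ICE").
# Usage: check_x11_tmpdir DIR [EXPECTED_UID]   (EXPECTED_UID defaults to 0, root)
# Returns 0 if DIR passes; 1 otherwise, printing the reason on stderr.
check_x11_tmpdir() {
    cx_dir=$1
    cx_uid=${2:-0}

    # Test for a symlink first: [ -d ] follows links and would accept one.
    if [ -L "$cx_dir" ]; then
        echo "$cx_dir: is a symlink" >&2; return 1
    fi
    if [ ! -d "$cx_dir" ]; then
        echo "$cx_dir: missing or not a directory" >&2; return 1
    fi

    # ls -ldn prints "mode links uid gid ..."; -n keeps the owner numeric.
    set -- $(LC_ALL=C ls -ldn -- "$cx_dir")
    cx_mode=$1
    cx_owner=$3

    # The condition from the post: the directory must be owned by root
    # (or by EXPECTED_UID when testing as an unprivileged user).
    if [ "$cx_owner" != "$cx_uid" ]; then
        echo "$cx_dir: owned by uid $cx_owner, expected $cx_uid" >&2; return 1
    fi
    # Assumption: like /tmp itself, the directory should be mode 1777.
    # The trailing * tolerates the ACL/label marker some ls versions append.
    case $cx_mode in
        drwxrwxrwt*) ;;
        *) echo "$cx_dir: mode $cx_mode, expected drwxrwxrwt" >&2; return 1 ;;
    esac
    return 0
}

# Constructed demo: a scratch directory stands in for /tmp/.ICE-unix.
demo=$(mktemp -d) && chmod 1777 "$demo"
check_x11_tmpdir "$demo" "$(id -u)" && echo "ok: $demo"
rmdir "$demo"
```

On a real system, call it as `check_x11_tmpdir /tmp/.ICE-unix` with no second argument so that root ownership is enforced.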

