rc.d and environment variables
vas at mpeks.tomsk.su
Fri Dec 24 09:37:27 UTC 2010
Da Rock wrote:
> >>Doesn't the rc.d script run as root initially and then a method (default
> >>flags, etc) is used to change the owner to a nobody (restricted
> >>privilege user)? Just my 2c, but please correct me if I'm wrong.
> >That is probably correct, rc.subr does "su -m $user", but the login
> >class is not applied there, nor is the user's shell called.
> Exactly. Which means that you'd have to adapt root's env because root's
> shell would be called(?).
In this case, how do I limit the variables' visibility only to the
particular daemon (svnserve) or particular user (svn)?
> PITA, but as an alternative couldn't all the keytabs be stored in the
> same _secure_ location? Then a global env could be used.
I really don't know what the security implications will be if
/etc/krb5.keytab is readable by anyone besides the root user? Do you
have a clue about it? There are other services' keys stored there
besides svn (host/*, cvs/* etc).
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru