Problem with LOGIN and cron
Doug Barton
dougb at FreeBSD.org
Fri Jan 13 10:18:04 UTC 2012
On 01/12/2012 15:44, David O'Brien wrote:
> 'LOGIN' states:
> This is a dummy dependency to ensure user services such as xdm,
> inetd, cron and kerberos are started after everything else, in
> case the administrator has increased the system security level
> and wants to delay user logins until the system is (almost) fully
> operational.
>
> So based on that, 'securelevel' should have:
> +# REQUIRE: sysctl
> +# BEFORE: LOGIN
I haven't fully processed the implications to your proposed change to
rcorder, but a quick meta-note. We should not introduce any new examples
of BEFORE in base rc.d scripts. That knob is useful for ports/local
stuff, but it makes debugging harder.
> Otherwise a cronjob could act against securelevel=1+ for a short period
> of time.
The right way to do what you're proposing is to have LOGIN REQUIRE
securelevel. I tend to agree that the current order is sub-optimal.
> But after adding that one gets
> rcorder: Circular dependency on provision `LOGIN' in file `cron'.
> rcorder: Circular dependency on provision `LOGIN' in file `jail'.
>
> As 'cron' has "BEFORE: securelevel". Why should that be the case?
> This comes from r114735 (Move securelevel further back in the boot order)
> but failed to state any scenarios.
>
> Thoughts?
It sounds like the change to cron's rcorder was an unintended side
effect. The attached patch works without any circular dep errors. It
produces the following:
It moves cron and jail from right before LOGIN, to fairly late after it.
There are no other changes. On my system specifically:
/etc/rc.d/LOGIN
<ports stuff>
/etc/rc.d/ypxfrd
/etc/rc.d/ypupdated
/etc/rc.d/watchdogd
/etc/rc.d/ubthidhci
/etc/rc.d/syscons
/etc/rc.d/sshd
/etc/rc.d/sendmail
/etc/rc.d/othermta
/etc/rc.d/nfscbd
/etc/rc.d/msgs
/etc/rc.d/moused
/etc/rc.d/mixer
/etc/rc.d/jail ***
/etc/rc.d/inetd
/etc/rc.d/hostapd
/etc/rc.d/gptboot
/etc/rc.d/geli2
/etc/rc.d/ftpd
/etc/rc.d/ftp-proxy
/etc/rc.d/cron ***
/etc/rc.d/bsnmpd
/etc/rc.d/bgfsck
/etc/rc.d/addswap
I'm willing to listen to good arguments that describe why cron or jail
should start before LOGIN, but if that's going to be the case then yes,
we need to update that comment.
Doug
--
You can observe a lot just by watching. -- Yogi Berra
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
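
The ordering problem in this thread, as an added example that is not part of the original message or of rcorder itself: a simplified Python model of how REQUIRE and BEFORE combine, run over the headers as they stood, as first proposed, and as the attached patch leaves them. The header values come from the thread and the patch; DAEMON, cleanvar and sysctl are stubbed with no dependencies, and raising an error on a cycle is a simplification of this model.

```python
# Added illustration (not rcorder's source): a minimal model of how rcorder
# combines REQUIRE and BEFORE. Header values are taken from the thread and the
# attached patch; DAEMON, cleanvar and sysctl are dependency-free stubs (assumption).

def edges(scripts):
    """Map each script to the set of scripts that must start before it."""
    deps = {name: set(hdr.get("REQUIRE", "").split()) for name, hdr in scripts.items()}
    for name, hdr in scripts.items():
        for later in hdr.get("BEFORE", "").split():
            deps.setdefault(later, set()).add(name)  # "BEFORE: x" == x REQUIREs me
    return deps

def order(scripts):
    """Return a valid start order, or raise ValueError describing a cycle."""
    deps, done, out = edges(scripts), set(), []
    def visit(name, path):
        if name in done:
            return
        if name in path:  # reached a script that is still being resolved
            loop = path[path.index(name):] + [name]
            raise ValueError("circular dependency: " + " needs ".join(loop))
        for dep in sorted(deps.get(name, ())):
            visit(dep, path + [name])
        done.add(name)
        out.append(name)
    for name in sorted(deps):
        visit(name, [])
    return out

STUBS = {"DAEMON": {}, "cleanvar": {}, "sysctl": {}}
# Headers before the patch (the "-" side of the diff).
STOCK = dict(STUBS, LOGIN={"REQUIRE": "DAEMON"}, securelevel={},
             cron={"REQUIRE": "LOGIN cleanvar", "BEFORE": "securelevel"},
             jail={"REQUIRE": "LOGIN cleanvar", "BEFORE": "securelevel"})
# The change quoted at the top of the thread: securelevel BEFORE LOGIN.
PROPOSED = dict(STOCK, securelevel={"REQUIRE": "sysctl", "BEFORE": "LOGIN"})
# Headers after the attached patch (the "+" side of the diff).
PATCHED = dict(STUBS, LOGIN={"REQUIRE": "DAEMON securelevel"},
               securelevel={"REQUIRE": "DAEMON"},
               cron={"REQUIRE": "LOGIN cleanvar"},
               jail={"REQUIRE": "LOGIN cleanvar"})

def starts_before(scripts, first, second):
    """True if `first` is started earlier than `second` in the computed order."""
    seq = order(scripts)
    return seq.index(first) < seq.index(second)

if __name__ == "__main__":
    print("stock: cron before securelevel =", starts_before(STOCK, "cron", "securelevel"))
    print("patched:", " ".join(order(PATCHED)))
```

Calling order(PROPOSED) raises the ValueError that corresponds to the "Circular dependency on provision `LOGIN'" messages quoted above.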
-------------- next part --------------
diff -ur /usr/src/etc/rc.d/LOGIN ./LOGIN
--- /usr/src/etc/rc.d/LOGIN 2012-01-08 14:34:00.000000000 -0800
+++ ./LOGIN 2012-01-13 02:06:23.000000000 -0800
@@ -4,7 +4,7 @@
#
# PROVIDE: LOGIN
-# REQUIRE: DAEMON
+# REQUIRE: DAEMON securelevel
# This is a dummy dependency to ensure user services such as xdm,
# inetd, cron and kerberos are started after everything else, in case
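Review bot: The descriptive comment kept below the changed REQUIRE line still explains LOGIN only as a barrier for "user services such as xdm, inetd, cron and kerberos" and does not say that securelevel is now guaranteed to run first. Since "# REQUIRE: DAEMON securelevel" is what closes the window discussed in the thread, add a sentence to that comment stating that the security level is raised before LOGIN, so the dependency is not removed later as if it were redundant.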
diff -ur /usr/src/etc/rc.d/cron ./cron
--- /usr/src/etc/rc.d/cron 2012-01-08 14:34:01.000000000 -0800
+++ ./cron 2012-01-13 02:08:04.000000000 -0800
@@ -5,7 +5,6 @@
# PROVIDE: cron
# REQUIRE: LOGIN cleanvar
-# BEFORE: securelevel
# KEYWORD: shutdown
. /etc/rc.subr
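Review bot: With "# BEFORE: securelevel" removed, cron's position after securelevel depends entirely on the new REQUIRE line in LOGIN, and nothing in this script records that. The thread notes that r114735 added the BEFORE line without a stated reason, so the commit message should say that the removal is intentional and that cron now starts only after the security level has been raised.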
diff -ur /usr/src/etc/rc.d/jail ./jail
--- /usr/src/etc/rc.d/jail 2012-01-08 14:34:01.000000000 -0800
+++ ./jail 2012-01-13 02:08:29.000000000 -0800
@@ -5,7 +5,6 @@
# PROVIDE: jail
# REQUIRE: LOGIN cleanvar
-# BEFORE: securelevel
# KEYWORD: nojail shutdown
# WARNING: This script deals with untrusted data (the data and
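Review bot: Dropping "# BEFORE: securelevel" here changes behaviour and not only ordering: jails will now be started after the security level has been raised, and the thread has no record of why the line was added in the first place. Before committing, test jail startup with a raised securelevel and state in the commit message that this ordering was checked.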
diff -ur /usr/src/etc/rc.d/securelevel ./securelevel
--- /usr/src/etc/rc.d/securelevel 2012-01-08 14:34:01.000000000 -0800
+++ ./securelevel 2012-01-13 02:07:09.000000000 -0800
@@ -2,8 +2,8 @@
#
# $FreeBSD: head/etc/rc.d/securelevel 220153 2011-03-30 01:19:00Z emaste $
#
-
# PROVIDE: securelevel
+# REQUIRE: DAEMON
. /etc/rc.subr
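Review bot: The added "# REQUIRE: DAEMON" is the only ordering constraint securelevel gets, and nothing in the file says why it is DAEMON rather than the sysctl dependency suggested earlier in the thread; a one-line comment stating the intent (raise the level once daemons are up, before LOGIN) would make that clear. The hunk also removes the blank line above "# PROVIDE: securelevel", which is unrelated whitespace churn and is better left out of this change.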