On 2014-02-23 17:04, Warner Losh wrote:
> 
> On Feb 23, 2014, at 11:17 AM, David Chisnall <thera...@freebsd.org> wrote:
> 
>> On 23 Feb 2014, at 18:11, Allan Jude <free...@allanjude.com> wrote:
>>
>>> sysrc solves this nicely, it is in base now, and is great for
>>> programmatically adding, removing and changing lines in rc.conf style
>>> files. It is also in ports for older versions of FreeBSD where it is not
>>> in base.
>>
>> The problem is, there is no such thing as an rc.conf style file.  rc.conf is 
>> just a shell script.  If you only edit it with sysrc, or you are careful to 
>> preserve the structure, then it's fine.  There is absolutely nothing 
>> stopping you, however, from writing arbitrarily complex shell scripts inside 
>> rc.conf.  Sure, it's a terrible idea to do so, but when has that ever 
>> stopped anyone?
>>
>> An rc-replacement could enforce this by only accepting purely declarative 
>> files for configuration, guaranteeing that if they were syntactically valid 
>> they would also be machine editable, no matter what the user does to them.
> 
> We already have a rc.conf.default. Why not a rc.conf.automation that does 
> that and is added to the list of things to source? Then things like sysrc 
> could operate on that secure in the knowledge that no shell commands could 
> be there, and all bets are off if someone edits it by hand?
> 
> Warner
> 

This is basically what we do, we have puppet add:

rc_conf_files="/etc/rc.conf /etc/rc.conf.local /etc/rc.conf.scaleengine"

to rc.conf, and then we push our global config to the .scaleengine file

-- 
Allan Jude
