A few /etc/ksh.kshrc tweaks
1) telnetd removed, so it won't be a parent process 2) Restricted shells can redirect window decor to /dev/tty 3) In wcd(), only do _ignore() if cd (e.g: can't cd /root) Index: ksh.kshrc === RCS file: /cvs/src/etc/ksh.kshrc,v retrieving revision 1.19 diff -u -p -r1.19 ksh.kshrc --- ksh.kshrc 11 Jul 2014 21:12:39 - 1.19 +++ ksh.kshrc 25 Oct 2014 16:32:36 - @@ -82,14 +82,19 @@ case $- in xterm*) ILS='\033]1;'; ILE='\007' WLS='\033]2;'; WLE='\007' - parent=`ps -ax 2/dev/null | grep $PPID | grep -v grep` - case $parent in - *telnet*) - export TERM=xterms;; - esac - ;; *) ;; esac + + #[[ -o restricted ]] $-r not set until after + # processing of shell init files. The best we can do: + # TODO: find a better way to test for restrictions on /bin/{k}sh + [[ ${SHELL} == '/bin/rksh' ]] + { + # Restricted shells can't cd, nor redirect output + print -n ${WLS}$USER@$HOST ($tty) ~${WLE} /dev/tty + unset ILS ILE WLS WLE + } + # do we want window decorations? if [ $ILS ]; then function ilabel { print -n ${ILS}$*${ILE}/dev/tty; } @@ -103,7 +108,7 @@ case $- in function wftp { ilabel ftp $*; ftp $@; _ignore eval istripe; } - function wcd { \cd $@; _ignore eval stripe; } + function wcd { \cd $@_ignore eval stripe; } function wssh{ \ssh $@;_ignore eval 'istripe; stripe'; } function wtelnet { \telnet $@; _ignore eval 'istripe; stripe'; }
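Review bot: The restricted-shell detection keys solely on `${SHELL} == '/bin/rksh'`, so a shell started as `ksh -r`, or through a link with another name, is not recognised and still gets the window-decoration functions that `cd` and redirect — exactly what the comment says a restricted shell cannot do. `$SHELL` is inherited from the environment rather than being a property of the running shell, so also matching how the shell was invoked, `[[ ${SHELL##*/} == rksh || ${0##*/} == @(rksh|-rksh) ]] && {`, covers the `-r`/renamed cases while the TODO for a real `$-` test stands. The title line, `print -n ${WLS}$USER@$HOST ($tty) ~${WLE} > /dev/tty`, should have its whole argument double-quoted so the parentheses and any spaces in `$tty` are not parsed by the shell; the quotes (like the `&&` and `>` operators) may simply have been lost in this rendering, so confirm against the committed file.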
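Review bot: `wcd` still hands `$@` to `\cd` unquoted, so a directory name containing whitespace or glob characters is split or expanded before cd sees it; `function wcd { \cd "$@" && _ignore eval stripe; }` keeps the argument intact (the `&&` between `\cd $@` and `_ignore` that the description refers to appears to have been dropped in this rendering). The neighbouring `wftp`, `wssh` and `wtelnet` wrappers use the same unquoted `$@`/`$*`, so if quoting is fixed here it is worth doing consistently across the group.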
Re: rcctl: find(1) service files in /etc/rc.d
On 2014-10-14 Tue 00:24 AM |, Antoine Jacoutot wrote: Makes sense yes. Not sure I'd want a function just for that one liner though. I'll commit something tomorrow. Nice one, using shell internals. This restricts the listing to files which are also executable: Index: rcctl.sh === RCS file: /cvs/src/usr.sbin/rcctl/rcctl.sh,v retrieving revision 1.45 diff -u -p -r1.45 rcctl.sh --- rcctl.sh15 Oct 2014 07:38:24 - 1.45 +++ rcctl.sh15 Oct 2014 09:01:35 - @@ -39,10 +39,12 @@ needs_root() ls_rcscripts() { local _s - cd /etc/rc.d set -- * + cd /etc/rc.d || exit + set -- * for _s; do [ ${_s} = rc.subr ] continue - [ ! -d ${_s} ] echo ${_s} + [[ -d ${_s} ]] continue + [[ -f ${_s} -x ${_s} ]] echo ${_s} done }
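Review bot: `cd /etc/rc.d || exit` executes in the caller's shell, so once `ls_rcscripts` returns every later relative path in rcctl resolves under /etc/rc.d, and a failed cd terminates the whole program instead of just yielding an empty list. Defining the body with parentheses, `ls_rcscripts() ( cd /etc/rc.d || exit; set -- *; ... )`, confines both the directory change and the exit to a subshell without touching the filter. Note also that `set -- *` skips dot-files and, with nothing matching, leaves a literal `*` that the `-f`/`-x` tests then reject — harmless, but different from an `ls -A` style listing, so a one-line comment stating that only plain executable, non-hidden files count would document the intent.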
rcctl: find(1) service files in /etc/rc.d
Move 2 duplicate searches into a function. The diff also ignores (RCS) subdirectories. $ find /etc/rc.d ! -type f /etc/rc.d /etc/rc.d/RCS Index: rcctl.sh === RCS file: /cvs/src/usr.sbin/rcctl/rcctl.sh,v retrieving revision 1.43 diff -u -p -r1.43 rcctl.sh --- rcctl.sh11 Oct 2014 19:12:19 - 1.43 +++ rcctl.sh13 Oct 2014 20:10:34 - @@ -93,7 +93,7 @@ svc_get_defaults() print -r -- $(svc_default_enabled_flags ${_svc}) svc_default_enabled ${_svc} else - for _i in $(ls -A /etc/rc.d | grep -v rc.subr); do + get_svc_list | while read _i; do echo ${_i}_flags=$(svc_default_enabled_flags ${_i}) done for _i in ${_special_services}; do @@ -134,7 +134,7 @@ svc_get_status() svc_get_flags ${_svc} svc_is_enabled ${_svc} else - for _i in $(ls -A /etc/rc.d | grep -v rc.subr); do + get_svc_list | while read _i; do echo ${_i}_flags=$(svc_get_flags ${_i}) done for _i in ${_special_services}; do @@ -175,6 +175,12 @@ svc_is_special() [ -n ${_svc} ] || return echo ${_special_services} | grep -qw ${_svc} +} + +get_svc_list() +{ + # Ignore rc.subr (RCS) subdirectories: + find /etc/rc.d -type f -maxdepth 1 ! -name rc.subr } append_to_pkg_scripts()
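Review bot: `get_svc_list` emits full paths, but both call sites consume its output as service names. `find /etc/rc.d -type f -maxdepth 1 ! -name rc.subr` prints `/etc/rc.d/NAME` (the message's own example shows find printing `/etc/rc.d/RCS` that way), so `echo ${_i}_flags=...` would produce `/etc/rc.d/sshd_flags=` and `svc_get_flags ${_i}` would receive a path rather than a name. Strip the directory inside the helper, e.g. `find /etc/rc.d -maxdepth 1 -type f ! -name rc.subr -exec basename {} \;` or `| sed 's,.*/,,'`, and place `-maxdepth` before the other primaries so the expression is accepted by every find(1). The `| while read _i` loops are fine because they only echo, but anything assigning variables inside them would lose the values to the pipeline subshell.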
rcctl: un-hardcode /etc/rc.conf{.local}
Some notes to demo the diff below: # -=-=-=-=-=-=-= Assignment: me$ _STATIC_RCCONF='/etc/rc.conf' me$ _RCCONF=${_STATIC_RCCONF}.local # -=-=-=-=-=-=-= Test 1: me$ print ${_STATIC_RCCONF} ${_RCCONF} /etc/rc.conf /etc/rc.conf.local me$ print ${_RCCONF%/*} ${_RCCONF##*/} /etc rc.conf.local # -=-=-=-=-=-=-= Test 2: me$ _TMP_RCCONF=$(mktemp -p ${_RCCONF%/*} -t ${_RCCONF##*/}.XX) || print $? mktemp: cannot make temp file /etc/rc.conf.local.luzxGjy18I: Permission denied 1 # -=-=-=-=-=-=-= Reassignment: me$ _STATIC_RCCONF='/tmp/rc.conf' me$ _RCCONF=${_STATIC_RCCONF}.local # -=-=-=-=-=-=-= Test 3: me$ _TMP_RCCONF=$(mktemp -p ${_RCCONF%/*} -t ${_RCCONF##*/}.XX) || print $? me$ ls ${_TMP_RCCONF} /tmp/rc.conf.local.ZLyVBCNMtk Index: rcctl.sh === RCS file: /cvs/src/usr.sbin/rcctl/rcctl.sh,v retrieving revision 1.41 diff -u -p -r1.41 rcctl.sh --- rcctl.sh10 Oct 2014 15:59:36 - 1.41 +++ rcctl.sh11 Oct 2014 12:41:22 - @@ -18,7 +18,9 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. _special_services=accounting check_quotas ipsec multicast_host multicast_router pf spamd_black -readonly _special_services +_STATIC_RCCONF='/etc/rc.conf' +_RCCONF=${_STATIC_RCCONF}.local +readonly _special_services _STATIC_RCCONF _RCCONF # get local functions from rc.subr(8) FUNCS_ONLY=1 
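Review bot: Assigning `_STATIC_RCCONF`/`_RCCONF` unconditionally and marking them `readonly` is the right call for a tool that rewrites root-owned files, and that deserves a comment so nobody later "improves" it. The demo above reassigns the paths to /tmp for testing, and the tempting next step would be a `${_RCCONF:-/etc/rc.conf.local}` default — but that would let whatever environment launches rcctl (including doas/sudo with environment passthrough) redirect the edit to an attacker-chosen file. If a test override is wanted, take it from an explicit option or a build-time substitution, never from the environment, and keep the `readonly` line; a note like `# deliberately not overridable from the environment: rcctl writes these as root` above the assignments would capture that.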
@@ -38,21 +40,21 @@ needs_root() rcconf_edit_begin() { - _TMP_RCCONF=$(mktemp -p /etc -t rc.conf.local.XX) || exit 1 - if [ -f /etc/rc.conf.local ]; then + _TMP_RCCONF=$(mktemp -p ${_RCCONF%/*} -t ${_RCCONF##*/}.XX) || exit + if [ -f ${_RCCONF} ]; then # only to keep permissions (file content is not needed) - cp -p /etc/rc.conf.local ${_TMP_RCCONF} || exit 1 + cp -p ${_RCCONF} ${_TMP_RCCONF} || exit 1 else - touch /etc/rc.conf.local || exit 1 + touch ${_RCCONF} || exit 1 fi } rcconf_edit_end() { sort -u -o ${_TMP_RCCONF} ${_TMP_RCCONF} || exit 1 - mv ${_TMP_RCCONF} /etc/rc.conf.local || exit 1 - if [ ! -s /etc/rc.conf.local ]; then - rm /etc/rc.conf.local || exit 1 + mv ${_TMP_RCCONF} ${_RCCONF} || exit 1 + if [ ! -s ${_RCCONF} ]; then + rm ${_RCCONF} || exit 1 fi } @@ -62,7 +64,7 @@ svc_default_enabled() [ -n ${_svc} ] || return local _ret=1 - _rc_parse_conf /etc/rc.conf + _rc_parse_conf ${_STATIC_RCCONF} svc_is_enabled ${_svc} _ret=0 _rc_parse_conf @@ -166,7 +168,7 @@ append_to_pkg_scripts() if [ -z ${pkg_scripts} ]; then echo pkg_scripts=${_svc} ${_TMP_RCCONF} elif ! echo ${pkg_scripts} | grep -qw ${_svc}; then - grep -v ^pkg_scripts.*= /etc/rc.conf.local ${_TMP_RCCONF} + grep -v ^pkg_scripts.*= ${_RCCONF} ${_TMP_RCCONF} echo pkg_scripts=${pkg_scripts} ${_svc} ${_TMP_RCCONF} fi rcconf_edit_end @@ -182,7 +184,7 @@ rm_from_pkg_scripts() rcconf_edit_begin sed /^pkg_scripts[[::]]/{s/[[::]]${_svc}[[::]]//g s/['\]//g;s/ *= */=/;s/ */ /g;s/ $//;/=$/d;} \ - /etc/rc.conf.local ${_TMP_RCCONF} + ${_RCCONF} ${_TMP_RCCONF} rcconf_edit_end } @@ -193,7 +195,7 @@ add_flags() if svc_is_special ${_svc}; then rcconf_edit_begin - grep -v ^${_svc}.*= /etc/rc.conf.local ${_TMP_RCCONF} + grep -v ^${_svc}.*= ${_RCCONF} ${_TMP_RCCONF} if ! svc_default_enabled ${_svc}; then echo ${_svc}=YES ${_TMP_RCCONF} fi 
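Review bot: The new `mktemp` line ends in `|| exit` while every other failure path in `rcconf_edit_begin`/`rcconf_edit_end` keeps `|| exit 1`; `|| exit` propagates mktemp's own status, which is acceptable, but pick one form. Deriving the temp location from `${_RCCONF%/*}` and `${_RCCONF##*/}` keeps the temp file in the target's directory, which is what lets the closing `mv` be an atomic rename on the same filesystem — worth a comment, since relocating it to /tmp would silently lose that. In the `else` branch the file created by `touch ${_RCCONF}` is later replaced by the mktemp file via `mv`, so the resulting rc.conf.local presumably ends up with mktemp's 0600 mode rather than the umask-derived one; confirm that non-root readers of rc.conf.local are not expected.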
@@ -219,7 +221,7 @@ add_flags() fi rcconf_edit_begin - grep -v ^${_svc}_flags.*= /etc/rc.conf.local ${_TMP_RCCONF} + grep -v ^${_svc}_flags.*= ${_RCCONF} ${_TMP_RCCONF} if [ -n ${_flags} ] || \ ( svc_is_base ${_svc} ! svc_default_enabled ${_svc} ); then echo ${_svc}_flags=${_flags} ${_TMP_RCCONF} @@ -234,12 +236,12 @@ rm_flags() rcconf_edit_begin if svc_is_special ${_svc}; then - grep -v ^${_svc}.*= /etc/rc.conf.local ${_TMP_RCCONF} + grep -v ^${_svc}.*= ${_RCCONF} ${_TMP_RCCONF} if svc_default_enabled ${_svc}; then echo ${_svc}=NO ${_TMP_RCCONF} fi else - grep -v ^${_svc}_flags.*= /etc/rc.conf.local ${_TMP_RCCONF} + grep -v ^${_svc}_flags.*= ${_RCCONF} ${_TMP_RCCONF} if svc_default_enabled ${_svc}; then echo ${_svc}_flags=NO ${_TMP_RCCONF} fi
Re: /etc/services records for squid cvsyncd
On 2014-07-15 Tue 22:11 PM |, Antoine Jacoutot wrote: I run both squid and cvsyncd and never needed these entries. Doubtful anyone _needs_ the Microsoft-SQL-* entries. Index: etc/services === RCS file: /cvs/src/etc/services,v retrieving revision 1.87 diff -u -p -u -r1.87 services --- etc/services12 Jul 2014 14:51:07 - 1.87 +++ etc/services15 Jul 2014 19:28:37 - @@ -294,9 +294,11 @@ support1529/tcp # GNATS, cygnus bug datametrics1645/udp ekshell2 2106/tcp# Encrypted kshell - UColorado, Boulder webster2627/tcp# Network dictionary +squid 3128/tcp# Squid caching web proxy canna 5680/tcp# Kana-Kanji server sane-port 6566/tcp# SANE Control Port icb7326/tcp# Internet Citizen's Band +cvsyncd/tcp# CVS sync daemon spamd 8025/tcp# spamd(8) spamd-sync 8025/udp# spamd(8) synchronisation spamd-cfg 8026/tcp# spamd(8) configuration -- Antoine -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: DNS control port additions to /etc/services
On 2014-07-15 Tue 16:04 PM |, Theo de Raadt wrote: On Tue, Jul 15, 2014 at 12:22:37PM +0100, Craig R. Skinner wrote: Suggestion of add NSD, Unbound BIND control ports to /etc/services: Makes sense to me. Anyone want to OK this? Index: etc/services === RCS file: /cvs/src/etc/services,v retrieving revision 1.87 diff -u -p -r1.87 services --- etc/services 12 Jul 2014 14:51:07 - 1.87 +++ etc/services 15 Jul 2014 11:17:31 - 
@@ -181,6 +181,8 @@ kerberos-adm 749/tcp # Kerberos 5 kad kerberos-adm 749/udp # Kerberos 5 kadmin rsync 873/tcp # rsync server cddb 888/tcp cddbp # Audio CD Database +named-rndc953/tcp # Domain Name System (DNS) BIND RNDC Service +named-rndc953/udp # Domain Name System (DNS) BIND RNDC Service imaps 993/tcp # imap4 protocol over TLS/SSL imaps 993/udp # imap4 protocol over TLS/SSL pop3s 995/tcp spop3 # pop3 protocol over TLS/SSL That means two more reserved ports are taken out of the bucket. Strip out the Kerberos stuff?: $ fgrep -i Kerberos etc/services kerberos88/udp kerberos-sec# Kerberos 5 UDP kerberos88/tcp kerberos-sec# Kerberos 5 TCP kpasswd 464/tcp # Kerberos 5 password changing kpasswd 464/udp # Kerberos 5 password changing klogin 543/tcp # Kerberos authenticated rlogin kshell 544/tcp krcmd # Kerberos remote shell ekshell 545/tcp # Kerberos encrypted shell kerberos-adm749/tcp # Kerberos 5 kadmin kerberos-adm749/udp # Kerberos 5 kadmin kpop1109/tcp# Pop with Kerberos eklogin 2105/tcp# Kerberos encrypted rlogin rkinit 2108/tcp# Kerberos remote kinit kx 2111/tcp# X over kerberos kip 2112/tcp# IP over kerberos iprop 2121/tcp# Kerberos incremental propagation krb524 /tcp# Kerberos 5-4 krb524 /udp# Kerberos 5-4 afs3-kaserver 7004/tcp# AFS kerberos authentication server afs3-kaserver 7004/udp# AFS kerberos authentication server kerberos-iv 750/udp kdc # Kerberos authentication--udp kerberos-iv 750/tcp kdc # Kerberos authentication--tcp kerberos_master 751/udp # Kerberos 4 kadmin kerberos_master 751/tcp # Kerberos 4 kadmin krb_prop754/tcp hprop # Kerberos slave propagation krbupdate 760/tcp kreg# BSD Kerberos registration
DNS control port additions to /etc/services
Suggestion of add NSD, Unbound BIND control ports to /etc/services: Index: etc/services === RCS file: /cvs/src/etc/services,v retrieving revision 1.87 diff -u -p -r1.87 services --- etc/services12 Jul 2014 14:51:07 - 1.87 +++ etc/services15 Jul 2014 11:17:31 - @@ -181,6 +181,8 @@ kerberos-adm749/tcp # Kerberos 5 kad kerberos-adm 749/udp # Kerberos 5 kadmin rsync 873/tcp # rsync server cddb 888/tcp cddbp # Audio CD Database +named-rndc 953/tcp # Domain Name System (DNS) BIND RNDC Service +named-rndc 953/udp # Domain Name System (DNS) BIND RNDC Service imaps 993/tcp # imap4 protocol over TLS/SSL imaps 993/udp # imap4 protocol over TLS/SSL pop3s 995/tcp spop3 # pop3 protocol over TLS/SSL @@ -301,6 +303,8 @@ spamd 8025/tcp# spamd(8) spamd-sync 8025/udp# spamd(8) synchronisation spamd-cfg 8026/tcp# spamd(8) configuration dhcpd-sync 8067/udp# dhcpd(8) synchronisation +nsd-cntl 8952/tcp# NSD authoritative DNS server control +unbound-cntl 8953/tcp# Unbound validating, recursive, and caching DNS server control hunt 26740/udp # hunt(6) # # Appletalk
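Review bot: The 953 entries name the service `named-rndc`, whereas the IANA registry that the rest of the file tracks lists it, as far as I can tell, as `rndc`; if the BIND-flavoured name is wanted for readability it can be kept as an alias, `rndc 953/tcp named-rndc # BIND remote name daemon control`, so getservbyname(3) resolves both. The 8952/8953 entries are the defaults for the local control channels of nsd-control(8) and unbound-control(8); adding names opens nothing, but a comment stating they are control channels normally bound to localhost would stop readers from assuming they are public services.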
/etc/services records for squid cvsyncd
The IANA names don't match these popular OpenBSD package's port numbers: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=3128 = ndl-aas, not web cache/squid http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search= = cbt, not cvsync Index: etc/services === RCS file: /cvs/src/etc/services,v retrieving revision 1.87 diff -u -p -u -r1.87 services --- etc/services12 Jul 2014 14:51:07 - 1.87 +++ etc/services15 Jul 2014 19:28:37 - @@ -294,9 +294,11 @@ support1529/tcp# GNATS, cygnus bug datametrics1645/udp ekshell2 2106/tcp# Encrypted kshell - UColorado, Boulder webster2627/tcp# Network dictionary +squid 3128/tcp# Squid caching web proxy canna 5680/tcp# Kana-Kanji server sane-port 6566/tcp# SANE Control Port icb7326/tcp# Internet Citizen's Band +cvsyncd/tcp# CVS sync daemon spamd 8025/tcp# spamd(8) spamd-sync 8025/udp# spamd(8) synchronisation spamd-cfg 8026/tcp# spamd(8) configuration
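Review bot: As rendered, the `cvsyncd/tcp` line carries no port number, so the entry is malformed for services(5) and would be ignored or misparsed; the `squid 3128/tcp` line is complete, so check whether the number was lost in transit. Since neither name matches the IANA assignment for its port (the message itself cites ndl-aas and cbt), a trailing comment on each line saying the name is a local convention rather than the registered one would help whoever later reconciles the file against the registry.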
Re: lynx: disable old protocols
On 2014-07-11 Fri 03:03 AM |, Theo de Raadt wrote: If lynx was removed from base, and only available in ports... how many of you would even know of its existence and use it? Several times a week I use lynx for HTTP or local HTML docs. If it wasn't in base, I'd install it/some similar package via siteXX.tgz
Re: 8 port serial card connections
On 2014-06-20 Fri 16:14 PM |, Maurice Janssen wrote: # FIXME No. 9 Moxa card port: moxa09:dv=/dev/tty10:common: # FIXME No. 10 Moxa card port: moxa10:dv=/dev/tty11:common: Try /dev/tty0a and /dev/tty0b Perfect! Here's a man page diff to sync with lines 1383-1397 of /usr/src/sys/dev/pci/pucdata.c Index: share/man/man4/puc.4 === RCS file: /cvs/src/share/man/man4/puc.4,v retrieving revision 1.47 diff -u -p -r1.47 puc.4 --- share/man/man4/puc.42 Feb 2014 19:39:55 - 1.47 +++ share/man/man4/puc.420 Jun 2014 17:00:27 - @@ -85,6 +85,7 @@ The driver currently supports the follow .It Tn Moxa Technologies Co., Ltd. PCI I/O Card 4S (4 port serial) .It Tn Moxa Technologies Co., Ltd. C104H/PCI (4 port serial) .It Tn Moxa Technologies Co., Ltd. CP104/PCI (4 port serial) +.It Tn Moxa Technologies Co., Ltd. C168H/PCI (8 port serial) .It Tn NEC PK-UG-X008 (serial) .It Tn NEC PK-UG-X001 K56flex PCI (modem) .It Tn NetMos 1P (1 port parallel)
Re: sudo -u environment help
FYI;- The sudo users mailing list quickly said the 3 issues I identified are known bugs, which have been fixed in newer sudo versions. http://www.sudo.ws/sudo/stable.html The current stable release of sudo is 1.8.10p3 $ sudo -V Sudo version 1.7.2p8 $ uname -a OpenBSD teak.britvault.co.uk 5.4 GENERIC#37 i386 http://thread.gmane.org/gmane.comp.tools.sudo.user/4367 http://thread.gmane.org/gmane.os.openbsd.misc/211823/ Bug 387 refers to MAIL being fixed in 1.7.4: http://www.sudo.ws/bugs/show_bug.cgi?id=387 Bug 527 (FreeBSD sudo -i doesn't use variables from /etc/login.conf) seems to be similar: http://www.sudo.ws/bugs/show_bug.cgi?id=527 which is logged as Fixed in sudo 1.8.4 Maybe that fix also covers the login.conf path umask issues: http://www.sudo.ws/sudo/stable.html#1.8.4 On systems that use login.conf, sudo -i now sets environment variables based on login.conf. http://www.sudo.ws/sudo/stable.html#1.8.5 The initial evironment created when env_reset is in effect now includes the contents of /etc/environment on AIX systems and the setenv and path entries from /etc/login.conf on BSD systems. sudo-users mailing list sudo-us...@sudo.ws For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users
Re: sudo -u environment help
FYI tech@, there was a thread on misc@ about sudo -iu not setting some environment variables: http://thread.gmane.org/gmane.os.openbsd.misc/211823/ On 2014-04-08 Tue 09:26 AM |, Craig R. Skinner wrote: To clarify, there are no ~/. shell dot files. $PATH umask are set in /etc/login.conf $MAIL is the default set by login(1) /etc/profile sources /etc/ksh.kshrc, which just sets $PS1, window decor some aliases, nothing major. This arrangement works fine when logging in directly, or via sudo su -l user From my reading of sudo(8), I thought the same environment could be gained with something like sudo -H -i -u username. Am I missing sudo flags or settings in /etc/sudoers? On 2014-04-04 Fri 11:30 AM |, Craig R. Skinner wrote: Hi, When sudo'ing to another user, how can I obtain all of their environment settings as they receive when logging in themselves? When I use sudo in this manner, settings such as $PATH, $MAIL umask aren't being honoured: $ echo $LOGNAME; echo $PATH; echo $MAIL; umask craig /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin /var/mail/craig 027 Here, $PATH, $MAIL umask are unchanged: $ sudo -H -i -u david $ echo $LOGNAME; echo $PATH; echo $MAIL; umask david /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin /var/mail/craig 027 Compare the difference when logging in as that user: $ login david ... 
$ echo $LOGNAME; echo $PATH; echo $MAIL; umask david /usr/bin:/bin:/usr/local/bin:/usr/site/bin:/home/david/bin /var/mail/david 022 /etc/login.conf: default:\ :passwordcheck=/usr/local/bin/pwqcheck -1:\ :passwordtries=0:\ :path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:\ :umask=022:\ :datasize-cur= staff:\ :path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin /usr/site/bin /usr/site/sbin ~/bin:\ :umask=027:\ :datasize-cur= $ egrep 'env_|Defaults' /etc/sudoers | grep -v ^# Defaults env_keep +=DESTDIR DISTDIR EDITOR FETCH_CMD FLAVOR FTPMODE GROUP MAKE Defaults env_keep +=MAKECONF MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_CACHE Defaults env_keep +=PKG_DBDIR PKG_DESTDIR PKG_PATH PKG_TMPDIR PORTSDIR Defaults env_keep +=RELEASEDIR SHARED_ONLY SSH_AUTH_SOCK SUBPACKAGE VISUAL Defaults env_keep +=WRKOBJDIR Defaults always_set_home, ignore_dot, use_loginclass login(1): login enters information into the environment (see environ(7)) specifying the user's home directory (HOME), command interpreter (SHELL), search path (PATH), terminal type (TERM), and user name (both LOGNAME and USER). ENVIRONMENT login sets the following environment variables: HOME MAIL sudo(8): Command Environment .. On BSD systems, if the use_loginclass option is enabled, the environment is initialized based on the path and setenv settings in /etc/login.conf. The new environment contains the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addition to variables from the invoking process permitted by the env_check and env_keep options. This is effectively a whitelist for environment variables. How can I become another user - without knowing their password, and gain their 'natural' environment? e.g. from wheel group to a users group member. 'su -l username' 'login username' require their password. I thought 'sudo -H -i -u username' would do it. Any suggestions on what else I need to configure?
Re: OpenSSH hole, April 9
On 2014-04-11 Fri 08:58 AM |, Bob Beck wrote: sponsors having privileged access to the information (in other words they aren't donors, they are paying for early access.) Benefits with strings attached are not donations, ... more like bribes. Respect for freedom fighting and staying open!
Re: missing ports.tar.gz in snapshot
On 2014-03-06 Thu 15:42 PM |, Stuart Henderson wrote: Personally I'd keep them for releases (which also gives people a base to speed up updates to -current) but probably drop them for snapshots.. Sensible logic: reducing workload, network and electricity costs!
Re: Alter daemon scheduling priority with renice for rc.d
On 2013-12-19 Thu 13:43 PM |, Craig R. Skinner wrote: Enhance rc.d/rc.subr with lowered/raised daemon running priority. Take 2: Replace /etc/rc.d/daemon rc_renice=X with /etc/rc.conf.local daemon_nice=X $ fgrep _nice /etc/rc.conf.local sshd_nice=-10 dhcpd_nice=15 inetd_nice=YES greyscanner_nice=YES $ sudo /etc/rc.d/dhcpd -d restart doing rc_read_runfile doing rc_read_runfile doing rc_check dhcpd doing rc_stop doing rc_wait stop doing rc_check doing rc_rm_runfile (ok) doing rc_read_runfile doing rc_check dhcpd doing rc_pre doing rc_start doing rc_write_runfile doing rc_reprioritise 6142: old priority 0, new priority 15 (ok) $ ps -l -U _dhcp UID PID PPID CPU PRI NI VSZ RSS WCHAN STAT TT TIME COMMAND 77 6142 1 0 2 15 672 880 pollINs ??0:00.00 /usr/sbin/dhcpd Index: rc.subr === RCS file: /cvs/src/etc/rc.d/rc.subr,v retrieving revision 1.70 diff -u -u -p -r1.70 rc.subr --- rc.subr 11 Jul 2013 09:34:33 - 1.70 +++ rc.subr 28 Dec 2013 21:02:51 - @@ -1,4 +1,4 @@ -# $OpenBSD: rc.subr,v 1.70 2013/07/11 09:34:33 otto Exp $ +# $OpenBSD: rc.subr,v 1.14 2013/12/28 20:46:25 skinner Exp $ # # Copyright (c) 2010, 2011 Antoine Jacoutot ajacou...@openbsd.org # Copyright (c) 2010, 2011 Ingo Schwarze schwa...@openbsd.org @@ -104,6 +104,28 @@ rc_wait() { return 1 } +rc_reprioritise() +{ + [[ ${_rcnice} == 'YES' ]] || + { + # nice(1): The priority can be adjusted over a + # range of -20 (the highest) to 20 (the lowest). + for _renice_level in $(jot 40 20 -20) + do + [[ ${_rcnice} == ${_renice_level} ]] + { + _scheduling_priority=${_rcnice} + break + } + done + } + + # nice(1): an increment of 10 is assumed. + [[ -z ${_scheduling_priority} ]] _scheduling_priority='10' + + renice -n ${_scheduling_priority} -p $(pgrep -f ^${pexp}) +} + rc_cmd() { local _bg _n 
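Review bot: The range check in `rc_reprioritise` walks `$(jot 40 20 -20)`, which asks for 40 values across a 41-integer span, so jot has to use a fractional step and round; it happens to yield every level except 0, but an arithmetic test is clearer and does not depend on rounding: `[[ ${_rcnice} -ge -20 && ${_rcnice} -le 20 ]] && _scheduling_priority=${_rcnice}`. `_scheduling_priority` and `_renice_level` are never declared `local`, and `renice -n ... -p $(pgrep -f ^${pexp})` runs with no PID (and a renice error) whenever pgrep matches nothing, e.g. if the daemon already exited; capture `_pids=$(pgrep -f "^${pexp}") || return` first. An unrecognised value also silently becomes 10 through the `-z` fallback instead of being reported, which hides configuration typos.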
@@ -136,6 +158,20 @@ rc_cmd() { fi [ -z ${INRC} ] rc_do rc_check exit 0 echo $_n ${INRC:+ }${_name} + + # sanitise _rcnice (only used for start) once before loop below + [[ ${_rcnice} == 'YES' ]] || + { + # if digits present + printf %d ${_rcnice} /dev/null 21 + { + # strip non-digits for + # comparison in rc_reprioritise() + _rcnice=$(printf %d ${_rcnice}) + [[ ${_rcnice} -eq 0 ]] unset _rcnice + } + } + while true; do # no real loop, only needed to break if type rc_pre /dev/null; then rc_do rc_pre || break @@ -148,6 +184,7 @@ rc_cmd() { rc_do rc_wait start || break fi rc_do rc_write_runfile + [[ -n ${_rcnice} ]] rc_do rc_reprioritise rc_exit ok done # handle failure @@ -203,6 +240,7 @@ _RC_RUNFILE=${_RC_RUNDIR}/${_name} eval _rcflags=\${${_name}_flags} eval _rcuser=\${${_name}_user} +eval _rcnice=\${${_name}_nice} getcap -f /etc/login.conf ${_name} 1/dev/null 21 \ daemon_class=${_name} @@ -213,6 +251,7 @@ getcap -f /etc/login.conf ${_name} 1/de [ -n ${_RC_FORCE} ] [ X${_rcflags} = XNO ] unset _rcflags [ -n ${_rcflags} ] daemon_flags=${_rcflags} [ -n ${_rcuser} ] daemon_user=${_rcuser} +[[ ${_rcnice} == 'NO' ]] unset _rcnice # sanitize daemon_flags=$(printf ' %s' ${daemon_flags}) Cheers, -- Craig Skinner | http://www.bbc.co.uk/programmes/b03mtrg9/clips
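Review bot: The sanitising block accepts anything `printf %d` can partially parse, so a value such as `15foo` presumably becomes 15 with printf's warning discarded by the redirection, while a wholly non-numeric value is left untouched and later falls through to the default of 10 in `rc_reprioritise`. Rejecting non-integers up front is simpler and louder: `[[ ${_rcnice} == @(YES|NO) || ${_rcnice} == ?(-)+([0-9]) ]] || { print -u2 "$0: ignoring invalid ${_name}_nice: ${_rcnice}"; unset _rcnice; }`. The value itself comes from rc.conf.local through `eval _rcnice=\${${_name}_nice}`, i.e. root-controlled input keyed on the script's basename, so the risk is limited, but a comment above the eval saying so would spare the next reader the analysis.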
Re: Alter daemon scheduling priority with renice for rc.d
On 2013-12-28 Sat 21:16 PM |, Craig R. Skinner wrote: On 2013-12-19 Thu 13:43 PM |, Craig R. Skinner wrote: Enhance rc.d/rc.subr with lowered/raised daemon running priority. Take 2: Replace /etc/rc.d/daemon rc_renice=X with /etc/rc.conf.local daemon_nice=X Take 3 - simplify: Use nice directly between ${rcexec} ${daemon} with rc_start(), rather than renice post start. Change rc_reprioritise() to rc_validate_rcnice() Backgrounding still works as expected. This now works with privilege separated binaries, such as ntpd: $ fgrep ntp /etc/rc.conf.local ntpd_flags=-s ntpd_nice=YES $ ps -l -U _ntp UID PID PPID CPU PRI NI VSZ RSS WCHAN STAT TT TIME COMMAND 83 4226 1 0 2 10 708 1136 pollSNs ??0:00.09 ntpd: ntp engine (ntpd) 83 22421 4226 3 2 10 644 1020 pollINs ??0:00.01 ntpd: dns engine (ntpd) Index: rc.subr === RCS file: /cvs/src/etc/rc.d/rc.subr,v retrieving revision 1.70 diff -u -u -p -r1.70 rc.subr --- rc.subr 11 Jul 2013 09:34:33 - 1.70 +++ rc.subr 28 Dec 2013 23:10:14 - @@ -1,4 +1,4 @@ -# $OpenBSD: rc.subr,v 1.70 2013/07/11 09:34:33 otto Exp $ +# $OpenBSD: rc.subr,v 1.15 2013/12/28 22:57:21 skinner Exp $ # # Copyright (c) 2010, 2011 Antoine Jacoutot ajacou...@openbsd.org # Copyright (c) 2010, 2011 Ingo Schwarze schwa...@openbsd.org @@ -54,7 +54,8 @@ rc_rm_runfile() { } rc_start() { - ${rcexec} ${daemon} ${daemon_flags} ${_bg} + [[ -n ${_rcnice} ]] _nice=$(which nice) -n ${_rcnice} + ${rcexec} ${_nice} ${daemon} ${daemon_flags} ${_bg} } rc_check() { 
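Review bot: `rc_start` now builds `_nice=$(which nice) -n ${_rcnice}` on every start even though `rc_validate_rcnice` has already verified `-x $(which nice)`; a plain `nice -n ${_rcnice}` is enough since PATH is set for rc. Two behavioural caveats belong in a comment beside that line: a negative level only takes effect when the daemon is launched as root (if `${rcexec}` switches to `daemon_user` first, nice will refuse to raise priority), and any rc.d script supplying its own `rc_start` bypasses the wrapper, so `${_name}_nice` is silently ignored for it. `_nice` is also never reset or declared `local`, which is harmless in a one-shot script but easy to trip over if the function is ever called twice.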
@@ -104,6 +105,46 @@ rc_wait() { return 1 } +rc_validate_rcnice() +{ + [[ -x $(which nice) ]] || + { + # /usr not mounted? + unset _rcnice + return + } + + [[ ${_rcnice} == 'YES' ]] + { + # nice(1): an increment of 10 is assumed. + _rcnice=10 + return + } + + # if digits present + printf %d ${_rcnice} /dev/null 21 + { + # strip non-digits for comparison + _rcnice=$(printf %d ${_rcnice}) + [[ ${_rcnice} -eq 0 ]] + { + unset _rcnice + return + } + } + + # nice(1): The priority can be adjusted over a + # range of -20 (the highest) to 20 (the lowest). + for _nice_level in $(jot 40 20 -20) + do + [[ ${_rcnice} == ${_nice_level} ]] return + done + + # Shouldn't get this far: + print -u2 $0: ignoring invalid ${_name}_nice level: ${_rcnice} + unset _rcnice +} + rc_cmd() { local _bg _n @@ -136,6 +177,9 @@ rc_cmd() { fi [ -z ${INRC} ] rc_do rc_check exit 0 echo $_n ${INRC:+ }${_name} + + [[ -n ${_rcnice} ]] rc_validate_rcnice + while true; do # no real loop, only needed to break if type rc_pre /dev/null; then rc_do rc_pre || break @@ -203,6 +247,7 @@ _RC_RUNFILE=${_RC_RUNDIR}/${_name} eval _rcflags=\${${_name}_flags} eval _rcuser=\${${_name}_user} +eval _rcnice=\${${_name}_nice} getcap -f /etc/login.conf ${_name} 1/dev/null 21 \ daemon_class=${_name} @@ -213,6 +258,7 @@ getcap -f /etc/login.conf ${_name} 1/de [ -n ${_RC_FORCE} ] [ X${_rcflags} = XNO ] unset _rcflags [ -n ${_rcflags} ] daemon_flags=${_rcflags} [ -n ${_rcuser} ] daemon_user=${_rcuser} +[[ ${_rcnice} == 'NO' ]] unset _rcnice # sanitize daemon_flags=$(printf ' %s' ${daemon_flags}) Cheers, -- Craig Skinner | http://www.bbc.co.uk/programmes/b03mtrg9/clips
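Review bot: `rc_validate_rcnice` spreads its contract over three places — `YES` is mapped to 10 here, `NO` is unset at the bottom of the file, and integers are range-checked in the loop — so a header comment listing the accepted forms (`YES`, `NO`, or an integer in -20..20; 0 means unset) would make the rules readable at a glance. The `jot 40 20 -20` loop has the same fractional-step issue as take 2 (40 samples cannot enumerate 41 integers), so replace it with `[[ ${_rcnice} -ge -20 && ${_rcnice} -le 20 ]] && return` ahead of the error print. `printf %d` is again used to "strip non-digits", which quietly turns `10abc` into 10; matching `${_rcnice} == ?(-)+([0-9])` is stricter and avoids the extra subshell.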
Re: Alter daemon scheduling priority with renice for rc.d
On 2013-12-28 Sat 15:13 PM |, Theo de Raadt wrote: Enhance rc.d/rc.subr with lowered/raised daemon running priority. You still have done nothing to prove the case for this extra complexity. When I managed customers' dedicated servers, it would have been useful, for example, to have sshd running at a higher priority than apache, so when their box bogged down with some sad customer web-app, more than one ssh keystroke could be typed per minute to kill off their stuff. Maybe a general purpose box could have SpamAssassin running at a lower priority, as working a queued mail spool is not user interactive. Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: security(8) check maildir as well as mailbox permissions
On 2013-12-21 Sat 08:55 AM |, Theo de Raadt wrote: You seem to be coming from the perspective that people do stupid things, and our base system should handle those stupid things. My perspective is that maildir (IMAP-backed) is commonly deployed, and as such should also be security checked.
Re: security(8) check maildir as well as mailbox permissions
On 2013-12-21 Sat 09:16 AM |, Theo de Raadt wrote: You seem to be coming from the perspective that people do stupid things, and our base system should handle those stupid things. My perspective is maildir (backed IMAP) is commonly deployed, and such are as well being security checked. Yes, and perhaps that means they should use a different directory! No thanks. I say /var/mail is the right place for maildirs. The mailbox format is too limiting these days, with all of its file locking problems. A cluster of SMTP servers can concurrently write to a set of NFS mounted /var/mail directories, while simultaneously, a cluster of IMAP servers can concurrently both read and write to the same NFS mounted /var/mail directories. I'll continue to locally patch security, as I'm not fool who makes an idol out of archaic UNIX traditions. Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: Alter daemon scheduling priority with renice for rc.d
On 2013-12-21 Sat 17:13 PM |, Alexander Hall wrote: Comments/testing observations/? This is not the purpose nor responsibility off the rc.d scripts. What alternatives have you in mind? Maybe an /etc/rc.nicetab which a root run cron job parses for daemon values, then checks that against the process tree. Repeated every minute... in case some process was started. Unlikely. This is cleaner works: ksh syntax used (which works with /bin/sh bin/ksh being the same binary), but dinnae ken if that's wrong... for rc* stuff. Use renice as simple nice didn't always work on daemons started in the background. Niceness level sanity checked, defaulting to 10. Index: rc.subr === RCS file: /cvs/src/etc/rc.d/rc.subr,v retrieving revision 1.70 diff -u -u -p -r1.70 rc.subr --- rc.subr11 Jul 2013 09:34:33 - 1.70 +++ rc.subr19 Dec 2013 13:17:45 - @@ -104,6 +104,25 @@ rc_wait() { return 1 } +rc_reprioritise() +{ + [[ ${rc_renice} != 'YES' ]] + { + for _renice_level in $(jot 40 20 -20) + do + [[ ${rc_renice} == ${_renice_level} ]] + { + _scheduling_priority=${rc_renice} + break + } + done + } + + [[ -z ${_scheduling_priority} ]] _scheduling_priority='10' + + renice -n ${_scheduling_priority} -p $(pgrep -f ^${pexp}) +} + rc_cmd() { local _bg _n @@ -136,6 +155,17 @@ rc_cmd() { fi [ -z ${INRC} ] rc_do rc_check exit 0 echo $_n ${INRC:+ }${_name} + + [[ ${rc_renice} == 'NO' ]] unset rc_renice + [[ -n ${rc_renice} ]] + { + printf %d ${rc_renice} /dev/null 21 + { + rc_renice=$(printf %d ${rc_renice}) + [[ ${rc_renice} -eq 0 ]] unset rc_renice + } + } + while true; do # no real loop, only needed to break if type rc_pre /dev/null; then rc_do rc_pre || break @@ -148,6 +178,7 @@ rc_cmd() { rc_do rc_wait start || break fi rc_do rc_write_runfile + [[ -n ${rc_renice} ]] rc_do rc_reprioritise rc_exit ok done # handle failure -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
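Review bot: `renice -n ${_scheduling_priority} -p $(pgrep -f ^${pexp})` passes `${pexp}` to pgrep as an unquoted regex and, when no process matches (daemon exited or not yet exec'd), invokes renice with no PID and a stray error; collect the PIDs first, `_pids=$(pgrep -f "^${pexp}") || return`, then renice them. `_scheduling_priority` and `_renice_level` leak out of the function for want of `local`, and the `jot 40 20 -20` range uses a fractional step (40 samples over 41 integers), so an arithmetic `[[ ${rc_renice} -ge -20 && ${rc_renice} -le 20 ]]` check is more predictable. `rc_cmd` continues outside the hunk; since it unsets `rc_renice` on `NO` only after the `echo`, a comment there stating that the value is read from the rc.d script itself in this iteration would clarify where it is trusted from.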
Re: security(8) check maildir as well as mailbox permissions
On 2013-12-18 Wed 20:48 PM |, Jérémie Courrèges-Anglas wrote: skin...@britvault.co.uk (Craig R. Skinner) writes: On 2013-12-18 Wed 15:54 PM |, Stuart Henderson wrote: Check the security of /var/mail/dirs similar to /var/mail/boxes: Indeed, but security(8) really reflects things in the base OS, smtpd.conf(8) deliver to maildir path Mail is added to a maildir. Its location, path, may contain format specifiers that are expanded before use Therefore: ... deliver to maildir /var/mail/%{user.username} Therefore? How so? What's the logic, here? THEREFORE software in base can deliver to maildir in /var/mail Indeed, but security(8) really reflects things in the base OS, OK? -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: security(8) check maildir as well as mailbox permissions
On 2013-12-18 Wed 15:54 PM |, Stuart Henderson wrote: Check the security of /var/mail/dirs similar to /var/mail/boxes: Indeed, but security(8) really reflects things in the base OS, smtpd.conf(8) deliver to maildir path Mail is added to a maildir. Its location, path, may contain format specifiers that are expanded before use Therefore: ... deliver to maildir /var/mail/%{user.username} OK for the patch then? Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: security(8) check maildir as well as mailbox permissions
On 2013-12-16 Mon 13:15 PM |, Craig R. Skinner wrote: On 2013-12-16 Mon 12:22 PM |, Stuart Henderson wrote: On 2013/12/16 12:11, Craig R. Skinner wrote: Check the security of /var/mail/dirs similar to /var/mail/boxes: Aren't maildirs usually in ~/Maildir? MTA's can deliver to maildirs in several places. Postfix example (the trailing slash changes from mbox to maildir format): $ postconf -h mail_spool_directory /var/mail/ Usually, all user web files are kept in ~/public_html OpenBSD places them in /var/www/users/$LOGIN By keeping all mail in a separately mounted /var/mail partition, (with simple mutt dovecot configs) mail only users can have /var/empty has $HOME, authpf or nologin as $SHELL. This eliminates SQL or other complicated mail stores for 'virtual' users Separate 'black box' servers can be dedicated to mail only duties, without user shell logins, /var/mail can be NFS exported as there are no file locking problems with maildirs - each message is a unique file. New mail can be delivered without locking the box. Also, an annual dump cycle can be set on /home, with quarterly/monthly level 0 dumps on /var/mail, different quotas set on the different partitions. Possibilities abound, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
security(8) check maildir as well as mailbox permissions
Check the security of /var/mail/dirs similar to /var/mail/boxes: Index: security === RCS file: /cvs/src/libexec/security/security,v retrieving revision 1.23 diff -u -u -p -r1.23 security --- security21 Mar 2013 09:37:37 - 1.23 +++ security16 Dec 2013 12:05:52 - @@ -458,9 +458,16 @@ sub check_mailboxes { my $gname = (getgrgid $fgid)[0] // $fgid; nag $fname ne $name, user $name mailbox is owned by $fname; - nag S_IMODE($mode) != (S_IRUSR | S_IWUSR), - sprintf 'user %s mailbox is %s, group %s', - $name, strmode($mode), $gname; + if (S_ISDIR($mode)) { + nag S_IMODE($mode) != (S_IRUSR | S_IWUSR | S_IXUSR), + sprintf 'user %s maildir is %s, group %s', + $name, strmode($mode), $gname; + } + else { + nag S_IMODE($mode) != (S_IRUSR | S_IWUSR), + sprintf 'user %s mailbox is %s, group %s', + $name, strmode($mode), $gname; + } } closedir $dh; } Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
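Review bot: The new S_ISDIR branch only tests the mode of the maildir's top-level directory, so a maildir whose message files or cur/new/tmp subdirectories are group- or world-readable still passes silently, whereas the mbox branch covers every message because they all live in the single file being tested. Either descend into the directory and nag on any entry that is not 0600 (files) or 0700 (directories), or say in the message that only the top level is checked, e.g. `user %s maildir (top level only) is %s, group %s`. S_ISDIR is presumably provided by the same Fcntl ':mode' import that supplies S_IMODE and S_IRUSR; confirm it is imported, since the file header is not part of the hunk. check_mailboxes starts outside the hunk.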
Re: security(8) check maildir as well as mailbox permissions
On 2013-12-16 Mon 12:22 PM |, Stuart Henderson wrote: On 2013/12/16 12:11, Craig R. Skinner wrote: Check the security of /var/mail/dirs similar to /var/mail/boxes: Aren't maildirs usually in ~/Maildir? MTAs can deliver to maildirs in several places. Postfix example (the trailing slash changes from mbox to maildir format): $ postconf -h mail_spool_directory /var/mail/ Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: /etc/rc.d/rc.subr; prefix ${pexp} with script interpreter path
As the others here with brains have had a chance to sleep on this, what's the current thinking? As I understand it, there are 2 decisions to make: 1) How to decide if a $daemon is a script as opposed to a binary (*) file(1) (*) dd(d) (*) sed(1) Could stat(1) be tasked to switch case on file attributes (e.g: size)? 2) Whether to check if a script's interpreter is valid http://openbsd.7691.n7.nabble.com/etc-rc-d-rc-subr-prefix-pexp-with-script-interpretor-path-td234439.html Yes/No/Other? -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: /etc/rc.d/rc.subr; prefix ${pexp} with script interpreter path
On 2013-09-16 Mon 23:28 PM |, Alexander Hall wrote: sed can do it all. Really. This is getting beyond me Alexander. Is sed a mechanism to step away from using file(1) ? Notes: - I separate re_quote() because I think it can be useful in other places. - I think re_quote() is (basic) regex complete. - I don't care if the interpreter is (or seems) nonexistent, as that shouldn't be a runtime error. - I'm sure sed may die horribly if you try to feed it a 9GB oneline file. However, if so, it should not produce any output anyway. ;) If this would ever be considered a real problem, dd(1) would help (as espie already mentioned). re_quote() { sed 's/\([]^$*.\\[]\)/\\\1/g'; } interpreter=$( sed -n 's/^#![[:space:]]*\(.*\)/\1 /p;q' ${daemon} | re_quote) pexp=$interpreter$pexp Moreover, - you probably want to unset $interpreter when done. - we might want to re_quote the entire $pexp later instead.
/etc/rc.d/rc.subr; prefix ${pexp} with script interpreter path
For scripts (perl, shell, whatever...), prefix ${pexp} with the script's interpretor path as defined by the script. No need to override ${pexp} in the daemon's rc file. Index: rc.subr === RCS file: /cvs/src/etc/rc.d/rc.subr,v retrieving revision 1.70 diff -u -r1.70 rc.subr --- rc.subr 11 Jul 2013 09:34:33 - 1.70 +++ rc.subr 16 Sep 2013 10:26:09 - @@ -221,4 +221,9 @@ unset _rcflags _rcuser pexp=${daemon}${daemon_flags:+ ${daemon_flags}} +file ${daemon} | fgrep -q script +{ + shebang=$(head -n 1 ${daemon} | cut -d! -f2) + pexp=${shebang} ${pexp} +} rcexec=su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c e.g. Remove pexp= from /etc/rc.d/greyscanner: --- greyscanner.pkg Mon Aug 19 14:46:01 2013 +++ greyscanner Mon Sep 16 11:30:33 2013 @@ -6,7 +6,6 @@ . /etc/rc.d/rc.subr -pexp=/usr/bin/perl ${daemon} rc_reload=NO rc_cmd $1 $ sudo /etc/rc.d/greyscanner restart greyscanner(ok) greyscanner(ok) $ cat /var/run/rc.d/greyscanner /usr/bin/perl /usr/local/sbin/greyscanner $ ps auxwww | fgrep greyscanner root 25280 0.0 0.6 4896 2920 ?? Is11:35AM0:00.04 /usr/bin/perl /usr/local/sbin/greyscanner Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: /etc/rc.d/rc.subr; prefix ${pexp} with script interpreter path
On 2013-09-16 Mon 13:00 PM |, Antoine Jacoutot wrote: Heh, very interesting trick ;-) But I don't think that is 100% full proof as is. e.g. $ head -n 1 /usr/local/bin/xml2-config | cut -d! -f2 /bin/sh You have a white space before the interpreter. If you can improve that and make sure it works with all similar rc scripts then I think it is definitely something that should be looked into. Thanks. Well spotted Antoine. I wrote a test script with various shebang lines of: #![space]/bin/ksh #![space][space]/bin/ksh #![space][tab]/bin/ksh -x #![tab]/bin/ksh -x #![space]/usr/bin/perl #![space][space]/usr/bin/perl #![space][tab]/usr/bin/perl -T #![tab][tab][tab]/usr/bin/perl -T This seems to work with these test scenarios (as seen in /var/run/rc.d/rcshebangtester): Index: rc.subr === RCS file: /cvs/src/etc/rc.d/rc.subr,v retrieving revision 1.70 diff -u -r1.70 rc.subr --- rc.subr 11 Jul 2013 09:34:33 - 1.70 +++ rc.subr 16 Sep 2013 12:09:42 - @@ -221,4 +221,9 @@ unset _rcflags _rcuser pexp=${daemon}${daemon_flags:+ ${daemon_flags}} +file ${daemon} | fgrep -q script +{ + shebang=$(head -n 1 ${daemon} | cut -d! -f2 | sed 's/^[[:blank:]]*//') + pexp=${shebang} ${pexp} +} rcexec=su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c Would it also be worthwhile verifying the 1st element of $shebang is executable before prefixing $pexp? Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: /etc/rc.d/rc.subr; prefix ${pexp} with script interpreter path
On 2013-09-16 Mon 15:12 PM |, Paul de Weerd wrote: Hi Craig, --- cat bad_script.sh # This is a VERY BAD example of a script! This will break your # shebang thingambob echo Now what... -- I think you'd be better of making sure the first two characters in the file are actually #!: head -n1 ${FILE} | grep '^#!' | sed 's/^#![[:blank:]]*//' Good idea Paul. Implemented below, along with rudimentary testing for a valid interpreter: Index: rc.subr === RCS file: /cvs/src/etc/rc.d/rc.subr,v retrieving revision 1.70 diff -u -r1.70 rc.subr --- rc.subr 11 Jul 2013 09:34:33 - 1.70 +++ rc.subr 16 Sep 2013 18:19:14 - 
@@ -221,4 +221,15 @@ unset _rcflags _rcuser pexp=${daemon}${daemon_flags:+ ${daemon_flags}} +file ${daemon} | fgrep -q script +{ + shebang=$(head -n 1 ${daemon} | grep '^#!' | sed 's/^#![[:blank:]]*//') + interpreter=$(echo ${shebang} | cut -d' ' -f1) + if [[ -f ${interpreter} -x ${interpreter} ]] + then + pexp=${shebang} ${pexp} + else + rc_err $0: invalid interpreter: ${interpreter} + fi +} rcexec=su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c Test scripts: #-=-= /etc/rc.d/rcshebangtester -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #!/bin/sh #daemon=/home/me/bin/rcshebangtester.dud #daemon=/home/me/bin/rcshebangtester.ksh daemon=/home/me/bin/rcshebangtester.pl . /etc/rc.d/rc.subr rc_bg=YES #pexp=/bin/ksh ${daemon} #pexp=/usr/bin/perl -T ${daemon} #pexp=/usr/bin/perl ${daemon} rc_cmd $1 #-=-= /home/me/bin/rcshebangtester.dud -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- #!/var/empty #! /dev/null #! /usr/lib/libc.a # swap about above echo 'Busted!' #-=-= /home/me/bin/rcshebangtester.ksh =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #! /bin/ksh -x #! /bin/ksh # swap about above while true do uptime sleep 1 done #-=-= /home/me/bin/rcshebangtester.pl =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- #! /usr/bin/perl -T #!/usr/bin/perl # swap about above use strict; use warnings; for(;;) { print time(), \n; sleep 1; } #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- $ sudo /etc/rc.d/rcshebangtester -d -f start; \ cat /var/run/rc.d/rcshebangtester; echo; sleep 5; \ sudo /etc/rc.d/rcshebangtester -d -f stop doing rc_read_runfile doing rc_check rcshebangtester doing rc_start 1379357218 1379357219 doing rc_wait start doing rc_check doing rc_write_runfile (ok) /usr/bin/perl -T /home/me/bin/rcshebangtester.pl 1379357220 1379357221 1379357222 1379357223 1379357224 doing rc_read_runfile doing rc_check rcshebangtester doing rc_stop doing rc_wait stop doing rc_check doing rc_rm_runfile (ok) #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Any other thoughts? 
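Review bot: `cut -d' ' -f1` splits only on a space, so a shebang whose interpreter and flags are separated by a tab leaves the tab and flags inside `$interpreter`, the `-f`/`-x` test fails and a working daemon is refused with `invalid interpreter`; the tester scripts shown only exercise tabs before the path, not between path and flags. A parameter expansion such as `interpreter=${shebang%%[[:blank:]]*}` handles both separators without a pipeline. Separately, when file(1) calls something a script but no `#!` line is found, `$shebang` is empty and the new branch errors out where the old code would have started the daemon with the unmodified `pexp`; falling back to the existing `pexp` when `$shebang` is empty (e.g. guarding with `[ -n "${shebang}" ]`) would keep current rc scripts working. The `if` block is wholly inside the hunk, but the surrounding rc.subr logic that consumes `pexp` is not.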
-- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: diff: /etc/rc.d/spamd rc_reload=NO
ping On 2013-09-06 Fri 10:29 AM |, David Coppa wrote: On Thu, Sep 5, 2013 at 9:31 PM, Craig R. Skinner skin...@britvault.co.uk wrote: Doesn't seem to reload once chrooted: $ sudo /etc/rc.d/spamd -d reload doing rc_read_runfile doing rc_check spamd doing rc_reload Sep 5 19:57:54 oak spamd[22335]: greyreader failed (Error 0) doing rc_wait reload doing rc_check doing rc_check ... .. . doing rc_check (failed) Index: spamd === RCS file: /cvs/src/etc/rc.d/spamd,v retrieving revision 1.2 diff -u -r1.2 spamd --- spamd 8 Jul 2011 02:15:34 - 1.2 +++ spamd 5 Sep 2013 19:19:54 - @@ -7,6 +7,7 @@ . /etc/rc.d/rc.subr pexp=spamd: \[priv\] +rc_reload=NO rc_pre() { [ X${spamd_black} != XNO ] \ OK with me. ciao, David -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
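Review bot: `rc_reload=NO` is added without any explanation, so the next reader has to find this thread to learn that reload is disabled because it fails once spamd has chrooted; a one-line comment next to it, `# reload fails once spamd has chrooted (greyreader failed)`, would keep that reasoning with the code. The same hunk is quoted again in the original posting of this diff further down the page, so the comment need only be added once in the committed file.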
Re: useradd with empty -k doesn't chown/chmod new home directory
ping On 2013-09-05 Thu 14:48 PM |, Todd C. Miller wrote: I changed my mind and decided it is better to just move the chown and chmod out of copydotfiles() and add an explicit check for skeldir set to the empty string. Much as I would like to prettify the user.c code it is a losing battle so here is a minimal diff. - todd Index: usr.sbin/user/user.c === RCS file: /home/cvs/openbsd/src/usr.sbin/user/user.c,v retrieving revision 1.95 diff -u -r1.95 user.c --- usr.sbin/user/user.c 2 Apr 2013 05:04:47 - 1.95 +++ usr.sbin/user/user.c 5 Sep 2013 20:47:23 - @@ -290,6 +290,8 @@ DIR *dirp; int n; + if (*skeldir != '\0') + return 0; if ((dirp = opendir(skeldir)) == NULL) { warn(can't open source . files dir `%s', skeldir); return 0; @@ -308,8 +310,6 @@ (void) asystem(cd %s %s -rw -pe %s . %s, skeldir, PAX, (verbose) ? -v : , dir); } - (void) asystem(%s -R -P %u:%u %s, CHOWN, uid, gid, dir); - (void) asystem(%s -R u+w %s, CHMOD, dir); return n; } @@ -1177,6 +1177,9 @@ err(EXIT_FAILURE, can't mkdir `%s', home); } (void) copydotfiles(up-u_skeldir, up-u_uid, gid, home); + (void) asystem(%s -R -P %u:%u %s, CHOWN, up-u_uid, + gid, home); + (void) asystem(%s -R u+w %s, CHMOD, home); } } if (strcmp(up-u_primgrp, =uid) == 0 -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
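Review bot: As rendered, the new guard at the top of copydotfiles() reads `if (*skeldir != '\0') return 0;`, which returns early exactly when a skeleton directory is given and so never copies the dotfiles; the stated intent is the opposite, to skip the copy only for an empty `-k`, i.e. `if (*skeldir == '\0') return 0;`. If the archive mangled the operator this is moot, but it is worth a glance before committing, because with the inverted test every new home directory would end up empty. Moving the chown/chmod calls into the caller after copydotfiles() is what gives the empty-skeldir case a correctly owned home, so the early return should be the only behavioural difference between the two cases. copydotfiles() begins outside the hunk; the same hunks are quoted again in the later copy of this diff on this page.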
Re: diff: /etc/rc.d/spamd rc_reload=NO
On 2013-09-06 Fri 10:29 AM |, David Coppa wrote: OK with me. ciao, David Anyone else? -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: useradd with empty -k doesn't chown/chmod new home directory
Solved? On 2013-09-05 Thu 14:48 PM |, Todd C. Miller wrote: I changed my mind and decided it is better to just move the chown and chmod out of copydotfiles() and add an explicit check for skeldir set to the empty string. Much as I would like to prettify the user.c code it is a losing battle so here is a minimal diff. - todd Index: usr.sbin/user/user.c === RCS file: /home/cvs/openbsd/src/usr.sbin/user/user.c,v retrieving revision 1.95 diff -u -r1.95 user.c --- usr.sbin/user/user.c 2 Apr 2013 05:04:47 - 1.95 +++ usr.sbin/user/user.c 5 Sep 2013 20:47:23 - @@ -290,6 +290,8 @@ DIR *dirp; int n; + if (*skeldir != '\0') + return 0; if ((dirp = opendir(skeldir)) == NULL) { warn(can't open source . files dir `%s', skeldir); return 0; @@ -308,8 +310,6 @@ (void) asystem(cd %s %s -rw -pe %s . %s, skeldir, PAX, (verbose) ? -v : , dir); } - (void) asystem(%s -R -P %u:%u %s, CHOWN, uid, gid, dir); - (void) asystem(%s -R u+w %s, CHMOD, dir); return n; } @@ -1177,6 +1177,9 @@ err(EXIT_FAILURE, can't mkdir `%s', home); } (void) copydotfiles(up-u_skeldir, up-u_uid, gid, home); + (void) asystem(%s -R -P %u:%u %s, CHOWN, up-u_uid, + gid, home); + (void) asystem(%s -R u+w %s, CHMOD, home); } } if (strcmp(up-u_primgrp, =uid) == 0
Re: useradd with empty -k doesn't chown/chmod new home directory
On 2013-08-31 Sat 11:18 AM |, Kenneth R Westerback wrote: This makes sense to me. ok krw@ Ken ping? -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
diff: /etc/rc.d/spamd rc_reload=NO
Doesn't seem to reload once chrooted: $ sudo /etc/rc.d/spamd -d reload doing rc_read_runfile doing rc_check spamd doing rc_reload Sep 5 19:57:54 oak spamd[22335]: greyreader failed (Error 0) doing rc_wait reload doing rc_check doing rc_check ... .. . doing rc_check (failed) Index: spamd === RCS file: /cvs/src/etc/rc.d/spamd,v retrieving revision 1.2 diff -u -r1.2 spamd --- spamd 8 Jul 2011 02:15:34 - 1.2 +++ spamd 5 Sep 2013 19:19:54 - @@ -7,6 +7,7 @@ . /etc/rc.d/rc.subr pexp=spamd: \[priv\] +rc_reload=NO rc_pre() { [ X${spamd_black} != XNO ] \ Cheers, -- Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: useradd with empty -k doesn't chown/chmod new home directory
On 2013-08-31 Sat 11:45 AM |, patrick keshishian wrote: On Sat, Aug 31, 2013 at 06:23:25AM -0600, Todd C. Miller wrote: Assuming we want to make this a non-fatal error the following should do. You meant non-existent skel dir, not empty. Unless you meant empty argument for -k option, i.e., -k Yes, that was my intention. i.e. don't copy the skel dir but is there a good use-case for that? For example, if an organisation had a number of database administrators and they were added to the group 'dbas'. In /home/dba there could be files, scripts, passwords,... that only the DBA team should have common access to. Likewise for hostmasters, postmasters, webmasters, management, marketing, sales, http://article.gmane.org/gmane.os.openbsd.bugs/19980