On Tue, Dec 15, 2020 at 10:59:50PM +0000, Stuart Henderson wrote:
> On 2020/12/15 23:07, Jan Klemkow wrote:
> > for frequent performance test it would be nice to just start tcpbench
> > as a regular service. tcpbench gets an extra user and group with this
> > diff and is already pledged to "stdio". Thus, there should be no
> > security risk to do this even in hostile environments.
>
> "io" is just for client, for server it's:
>
> $ ps -O pledge -ax|grep [t]cpb
> 43696 stdio,inet,unix pf
> I+p 0:00.00 tcpbench -s

Oh yes, sorry, I missed that by looking over the source too quickly.

> > diff -u -p -r1.104 master.passwd > > --- etc/master.passwd 24 Apr 2020 14:57:31 -0000 1.104 > > +++ etc/master.passwd 15 Dec 2020 21:25:17 -0000 > > @@ -62,4 +62,5 @@ _ftp_proxy:*:109:109::0:0:ftp proxy daem > > _sndiop:*:110:110::0:0:sndio privileged user:/var/empty:/sbin/nologin > > _syspatch:*:112:112::0:0:syspatch unprivileged > > user:/var/empty:/sbin/nologin > > _slaacd:*:115:115::0:0:SLAAC Daemon:/var/empty:/sbin/nologin > > +_tcpbench:*:116:116::0:0:tcpbench unprivileged > > user:/var/empty:/sbin/nologin > > nobody:*:32767:32767::0:0:Unprivileged user:/nonexistent:/sbin/nologin
>
> no need to grow the "used system uid" space, 111 is available and was
> taken for less than a day so it's unlikely anyone would even need to
> merge passwd/group files. or maybe a lower one is better, I don't know
> if there's a particular numbering plan for these..

Sure, I will fix that, if this thing has a future.

> > Index: etc/rc.d/tcpbench > > =================================================================== > > RCS file: etc/rc.d/tcpbench > > diff -N etc/rc.d/tcpbench > > --- /dev/null 1 Jan 1970 00:00:00 -0000 > > +++ etc/rc.d/tcpbench 15 Dec 2020 20:30:18 -0000 > > @@ -0,0 +1,12 @@ > > +#!/bin/ksh > > + > > +daemon="/usr/bin/tcpbench" > > +daemon_flags="-s" > > +daemon_user=_tcpbench > > + > > +. /etc/rc.d/rc.subr > > + > > +rc_reload=NO > > +rc_bg=YES > > + > > +rc_cmd $1 > >
>
> I am not a big fan of this to be honest. tcpbench is written more as a
> test tool than a network daemon. For starters, the spew on the console
> when it's active is not very nice.

As I described in answer to Theo, it seems to be easier this way, if you want to script it. Or, you want to test the quality of link to different locations frequently.
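
Review bot: In the etc/master.passwd hunk, the added _tcpbench line takes uid/gid 116 at the end of the system range while the context lines show nothing at 111 between _sndiop (110) and _syspatch (112). If the id is changed as suggested in the reply, move the entry between those two lines so the file stays ordered by uid, and keep the matching etc/group entry (not visible in this quote) on the same number.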
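
Review bot: In the etc/rc.d/tcpbench hunk, rc_bg=YES together with daemon_flags="-s" backgrounds tcpbench but does nothing with its output, so it lands on the console as the reply points out; handle or silence that output before this ships as a service. The script also goes straight from #!/bin/ksh to the daemon= line without the $OpenBSD$ tag comment that the other etc/rc.d scripts carry. Separately, the justification in the commit message should say the server runs with the stdio,inet,unix promises shown in the ps output rather than "stdio" alone, since daemon_flags selects server mode.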