On Sat, Mar 24, 2012 at 05:32:30PM +0100, Alexander Leidinger wrote:
> On Fri, 23 Mar 2012 04:08:47 -0700 Jeremy Chadwick
> <free...@jdc.parodius.com> wrote:
>
> > Editing /etc/periodic/security/510.ipfdenied's hashbang line to use -x
> > doesn't change the behaviour either (maybe stderr gets sent to
> > /dev/null?), whether I run it by hand as a script or via "periodic
> > security".
>
> Use "set -x" instead of modifying the first line (I assume the script
> is already started with the correct shell, so the first line is
> ignored). I would also add "env" before and after the sourcing of the
> periodic.conf to see what is defined or not.

I hadn't considered that -- thanks for the tip Alexander.

After briefly checking both systems, it appears that Matthew was correct.
(I had no idea he sent a follow-up reply until maybe half an hour ago; I
never received a copy of his mail. Not sure if I was CC'd or not; please
do keep me CC'd as I'm not subscribed to the lists)

The problem script is indeed /etc/periodic/security/610.ipf6denied, which
is why I was getting nowhere poking at 510.ipfdenied.

The reason only 2 of our systems have this problem is that these 2 systems
were rebuilt (bare-bones OS install) fairly recently (02/16 and 03/03
followed by a world rebuild on 03/09). I can tell this from simply doing
ls -l /etc/periodic/security.

All our systems have the following (and always have):

src.conf:
    WITHOUT_INET6=true
    WITHOUT_IPFILTER=true

make.conf:
    WITHOUT_IPV6=true
    NO_INET6=yes

The reason the problem doesn't affect the other machines is that they
never had a copy of 610.ipf6denied ever installed -- the base installation
was from a much older FreeBSD memstick image (either 8.2-STABLE or 8.1, I
forget).

That explains where the file came from on the newer 2 systems, but doesn't
explain why mergemaster or make delete-old isn't nuking the periodic
script. So I began to dig into that:

Based on what I can see, the crux of the problem is that
src/tools/build/mk/OptionalObsoleteFiles.inc is lacking two OLD_FILES
lines under the ".if ${MK_IPFILTER} == no" clause:

    OLD_FILES+=etc/periodic/security/510.ipfdenied
    OLD_FILES+=etc/periodic/security/610.ipf6denied

Based on what I see in that file (ex. the MK_ZFS==no bits), that looks to
be the correct solution.

Shall I file a PR for this or is there already one? :-)

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                    Mountain View, CA, US |
| Making life hard for others since 1977.                PGP 4BD6C0CB |
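
The leftover-script condition described in the message above can be checked on a host with a short script. This is an added example, not part of the original mail or of FreeBSD; the function names and the constructed temporary tree are assumptions, while the two script names and the WITHOUT_IPFILTER knob are taken from the message.

```shell
#!/bin/sh
# Added example: names below are hypothetical, sample tree is constructed.

# Relative paths the message proposes adding to OLD_FILES under MK_IPFILTER == no.
IPF_PERIODIC="etc/periodic/security/510.ipfdenied
etc/periodic/security/610.ipf6denied"

# knob_set FILE KNOB: succeed if KNOB is assigned on an uncommented line of FILE.
# Only the presence of the assignment is checked, not its value.
knob_set() {
    [ -r "$1" ] || return 1
    grep -Eq "^[[:space:]]*$2[[:space:]]*[?+:]?=" "$1"
}

# stale_ipf_periodic SRC_CONF DESTDIR: print the ipfilter periodic scripts still
# present under DESTDIR although SRC_CONF builds the world without ipfilter.
stale_ipf_periodic() {
    src_conf=$1
    destdir=${2:-/}
    knob_set "$src_conf" WITHOUT_IPFILTER || return 0
    for rel in $IPF_PERIODIC; do
        [ -f "${destdir%/}/$rel" ] && printf '%s\n' "$rel"
    done
    return 0
}

# demo: constructed tree mimicking one of the rebuilt systems, where only
# 610.ipf6denied was left behind next to an unrelated periodic script.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/periodic/security"
    printf 'WITHOUT_INET6=true\nWITHOUT_IPFILTER=true\n' > "$tmp/src.conf"
    : > "$tmp/etc/periodic/security/610.ipf6denied"
    : > "$tmp/etc/periodic/security/100.chksetuid"
    stale_ipf_periodic "$tmp/src.conf" "$tmp"
    rm -rf "$tmp"
}

demo
```

On a real host the call would be `stale_ipf_periodic /etc/src.conf /`; any path it prints is a script that delete-old did not remove.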