On 03.12.2014 12:59, sven falempin wrote:
> On Tue, Dec 2, 2014 at 9:55 PM, Steve Shockley
> <steve.shock...@shockley.net> wrote:
>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>>
>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>>
>>> _squid
>>> ^------------! Note the underline.
>>>
>>> as account for this package, so you probably want
>>
>>
>> According to the package README:
>>
>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
>> "${RCDIR}/squid start") the appropriately-named login class is used
>> automatically.
>>
>> So, the underline shouldn't be necessary.
>>
>
> The login would be apply in a rc script ? I looked into that :
>
> is that why the _ goes away ?
>
> _name=$(basename $0)
> [.. so name of the rc script is sed to get compiled login.conf info..]
> getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1
> [ but this only print stuff according to man page ]
>
> There is a rcexec that force the usage of the login class
>
> grep rcexec /etc/rc.d/*
> unbound use it, but not squid.
>
> I guess my perl script would have to do a strlimit after dropping
> privilege to open 4096 files.
>
>
> On the other hand, the class is supposed to be in master.passwd or be
> to default:
>
>
> name      User's login name.
> password  User's encrypted password.
> uid       User's login user ID.
> gid       User's login group ID.
> class     User's general classification (see login.conf(5)).
> change    Password change time.
> expire    Account expiration time.
> gecos     General information about the user.
> home_dir  User's home directory.
> shell     User's login shell.
>
>
> _squid:*:515:515:daemon:0:0:Squid Account:
> _bgpd:*:75:75::0:0:BGP Daemon:/var/empty:/sbin/nologin
>
>
> bgpd class is blank, squid is set to daemon.
>
> Is bgpd correctly configured ?

Yes. It has an entry in /etc/login.conf

man rc.subr explains it:

-- quote --
daemon_class
    Login class to run the daemon with, using su(1). This is a read
    only variable that gets set by rc.subr itself. It searches
    login.conf(5) for a login class that has the same name as the
    rc.d script itself and uses that. If no such login class exists
    then ``daemon'' will be used.
-- end quote --

> is squid using the daemon class ?

Yes unless you have a stanza for squid in /etc/login.conf .
(And the README for the package advises you to create one)

A test _without_ a stanza for squid in /etc/login.conf and the first
line of /etc/rc.d/squid set to

#!/bin/sh -x

results in

root:/etc/rc.d:28# /etc/rc.d/squid start
+ daemon=/usr/local/sbin/squid
+ daemon_timeout=35
+ . /etc/rc.d/rc.subr
+ [ -n ]
+ [ -n /usr/local/sbin/squid ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ basename /etc/rc.d/squid
+ _name=squid
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/squid
+ _rc_do _rc_parse_conf
+ eval _rcflags=${squid_flags}
+ _rcflags=
+ eval _rcuser=${squid_user}
+ _rcuser=
+ eval _rctimeout=${squid_timeout}
+ _rctimeout=
+ getcap -f /etc/login.conf squid
+ > /dev/null
+ 2>&1
+ [ -z ]
+ daemon_class=daemon
+ [ -z ]
+ daemon_user=root
+ [ -z 35 ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ readonly daemon_class
+ unset _rcflags _rcuser _rctimeout
+ pexp=/usr/local/sbin/squid
+ rcexec=su -l -c daemon -s /bin/sh root -c
+ rc_cmd start
squid(ok)

The same _with_ a stanza for squid in /etc/login.conf gives

root:/etc/rc.d:34# /etc/rc.d/squid start
+ daemon=/usr/local/sbin/squid
+ daemon_timeout=35
+ . /etc/rc.d/rc.subr
+ [ -n ]
+ [ -n /usr/local/sbin/squid ]
+ unset _RC_DEBUG _RC_FORCE
+ getopts df c
+ shift 0
+ basename /etc/rc.d/squid
+ _name=squid
+ _RC_RUNDIR=/var/run/rc.d
+ _RC_RUNFILE=/var/run/rc.d/squid
+ _rc_do _rc_parse_conf
+ eval _rcflags=${squid_flags}
+ _rcflags=
+ eval _rcuser=${squid_user}
+ _rcuser=
+ eval _rctimeout=${squid_timeout}
+ _rctimeout=
+ getcap -f /etc/login.conf squid
+ > /dev/null
+ 2>&1
+ daemon_class=squid
+ [ -z squid ]
+ [ -z ]
+ daemon_user=root
+ [ -z 35 ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ [ -n ]
+ readonly daemon_class
+ unset _rcflags _rcuser _rctimeout
+ pexp=/usr/local/sbin/squid
+ rcexec=su -l -c squid -s /bin/sh root -c
+ rc_cmd start
squid(ok)

> am I forced to use BSD::resources to strlimit in the perl script to
> validate this ?
> is getcap doing something else than printing ?

Yes, it returns $? which is used in rc.subr to set the login-class to
daemon when there is no service-specific stanza in /etc/login.conf

HTH
rru
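
The class selection visible in the two traces above, as an added example that is not part of the original thread and is not rc.subr's own code. The helper names (record_for, has_stanza, daemon_class_for, class_cap, report) are hypothetical, the awk lookup stands in for getcap(1) so the script also runs outside OpenBSD, and the sample login.conf with its limits is constructed.

```shell
# Added example; has_stanza is a hypothetical portable stand-in for the exit
# status of "getcap -f /etc/login.conf <name>" that rc.subr tests.
# Print the joined login.conf record named $2 (name or |-separated alias).
record_for() {
    awk -v n="$2" '/^[ \t]*#/ || /^[ \t]*$/ { next }
        { line = $0; sub(/^[ \t]+/, "", line)
          if (sub(/\\$/, "", line)) { buf = buf line; next }
          rec = buf line; buf = ""; name = rec; sub(/:.*/, "", name)
          k = split(name, a, "|")
          for (i = 1; i <= k; i++) if (a[i] == n) { print rec; exit } }' "$1"
}

# Succeeds only when a record with exactly that name exists in file $1.
has_stanza() { [ -n "$(record_for "$1" "$2")" ]; }

# rc.subr decision: class named after the rc.d script, otherwise "daemon".
daemon_class_for() {
    _name=$(basename "$2")
    if has_stanza "$1" "$_name"; then echo "$_name"; else echo daemon; fi
}

# Value of capability $3 in record $2 (tc= references are not followed).
class_cap() {
    record_for "$1" "$2" | awk -F: -v c="$3" '
        { for (i = 2; i <= NF; i++) if (index($i, c "=") == 1) {
              print substr($i, length(c) + 2); exit } }'
}

# Constructed sample login.conf; the limits are illustrative values.
write_sample_conf() {
    cat > "$1" <<'EOF'
daemon:\
    :openfiles-cur=128:
squid:\
    :openfiles-cur=4096:\
    :tc=daemon:
EOF
}

# Report the class and its open-files soft limit for rc.d script $2.
report() {
    class=$(daemon_class_for "$1" "$2")
    echo "$2: class=$class openfiles-cur=$(class_cap "$1" "$class" openfiles-cur)"
}

conf=$(mktemp) && write_sample_conf "$conf"
report "$conf" /etc/rc.d/squid; report "$conf" /etc/rc.d/unbound; rm -f "$conf"
```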