On Fri, Sep 05, 2008 at 07:40:13PM -0700, Joshua Piccari wrote:
> Hi all,
> I am setting up a few jails and I want them all to use the same /etc files
> (with the exception of the files related to the password files and
> databases), so I mounted a shared /etc folder as a nullfs with read-only
> permissions. The problem is that using utilities like pw or chpass create
> temporary files in /etc and that file system is mounted read-only.
> So is there a way to force any utilities that create temp files in /etc to
> use another location, something like /usr/local/etc for example?
I've had a chat with another user off-list about this, and the conclusion
reached is that your mounting of /etc read-only is a bad idea, for many
different reasons. Let's step through things slowly, so that hopefully it'll
make sense.

Foremost, /etc is mounted read-only, so what purpose does it serve to be using
passwd or group-editing utilities on that system? You'd need r/w access to be
able to accomplish that.

Secondly, utilities like vipw(8), chpass(1), pw(8), and many others all create
temporary files in /etc for security reasons: the temporary files *must* be on
the same filesystem. In your case, /etc is its own filesystem, mounted
read-only. So, placing the temporary files (e.g. /etc/pw.XXXXXX when using
vipw(8)) on a separate filesystem or separate location is not plausible.
Regarding the security implications, others will have to chime in here.

Thirdly, some (but not all) of the utilities support command-line flags that
allow an alternative directory to /etc:

  pw(8)        -V flag
  vipw(8)      -d flag
  pwd_mkdb(8)  -d flag
  chpass(1)    no support
  passwd(1)    no support
  rmuser(8)    no support
  adduser(8)   no support

Fourthly, there are periodic(8) scripts which explicitly refer to
/etc/master.passwd and do not support an alternative directory. Those scripts
will break, and disabling them is not recommended.

Finally, some other caveats/situations which will likely arise:

- The administrator (you) will have to remember to use the above flags every
  time they use said utilities; chances are you'll forget, especially since
  the flags aren't all the same,
- A user of your jail may become very surprised when they find passwd, group,
  or other files missing from /etc,
- Third-party software which reads /etc/passwd or related files will fail
  since you'd be using an alternative /etc directory. I'm pretty sure we have
  some ports which use rmuser/adduser (meaning the software itself, not
  necessarily the port installation part).

Hope this sheds some light on things.
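The "temporary file must be on the same filesystem" point above comes down to rename(2) being atomic only within one filesystem. The script below is an added illustration of that constraint, not code from the thread or from FreeBSD; it implements the write-temp-then-rename pattern the password tools use, takes an optional alternate temp directory (playing the role of the -d/-V flags), and refuses rather than silently falling back to a non-atomic copy when the target directory is read-only or the temp directory is on a different mount. The function names and the sample file under mktemp -d are constructed for the demo.

```sh
#!/bin/sh
# Mount point that holds a path; POSIX `df -P` keeps one entry per line.
mount_point_of() {
    df -P -- "$1" | awk 'NR == 2 { print $NF }'
}

# True when both paths live on the same mounted filesystem.
same_fs() {
    [ "$(mount_point_of "$1")" = "$(mount_point_of "$2")" ]
}

# Replace TARGET with the contents of SRC the way vipw/pwd_mkdb do:
# build the new file in a temp location, then rename it into place.
# TMPDIR_OVERRIDE (optional) stands in for an alternate-directory flag.
# Usage: atomic_replace SRC TARGET [TMPDIR_OVERRIDE]
atomic_replace() {
    src=$1; target=$2
    dir=$(dirname -- "$target")
    tmpdir=${3:-$dir}

    # A read-only /etc fails here before anything is touched.
    if [ ! -w "$dir" ]; then
        echo "atomic_replace: $dir is not writable" >&2
        return 1
    fi
    tmp=$(mktemp -- "$tmpdir/.repl.XXXXXX") || return 1

    # mv across filesystems degrades to copy+unlink, which is not atomic
    # and leaves a window with a partial or missing target; refuse instead.
    if ! same_fs "$tmp" "$dir"; then
        rm -f -- "$tmp"
        echo "atomic_replace: $tmpdir is not on the same filesystem as $dir" >&2
        return 1
    fi
    if cp -- "$src" "$tmp" && mv -f -- "$tmp" "$target"; then
        return 0            # rename(2): readers see old or new, never half
    fi
    rm -f -- "$tmp"
    return 1
}

# Demo on a constructed scratch directory (not a real /etc).
demo() {
    d=$(mktemp -d) || return 1
    printf 'root:*:0:0::0:0:Charlie &:/root:/bin/sh\n' > "$d/master.passwd"
    printf 'root:*:0:0::0:0:Charlie &:/root:/bin/csh\n' > "$d/new"
    atomic_replace "$d/new" "$d/master.passwd" && tail -c 5 "$d/master.passwd"
    rm -rf -- "$d"
}
```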
--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |