On Wed, Dec 3, 2014 at 4:11 PM, Einfach Jemand <rru....@gmail.com> wrote:
> On 03.12.2014 12:59, sven falempin wrote:
>> On Tue, Dec 2, 2014 at 9:55 PM, Steve Shockley
>> <steve.shock...@shockley.net> wrote:
>>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>>>
>>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>>>
>>>> _squid
>>>> ^------------! Note the underline.
>>>>
>>>> as account for this package, so you probably want
>>>
>>>
>>> According to the package README:
>>>
>>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
>>> "${RCDIR}/squid start") the appropriately-named login class is used
>>> automatically.
>>>
>>> So, the underline shouldn't be necessary.
>>>
>>
>> The login class would be applied in an rc script? I looked into that:
>>
>> is that why the _ goes away?
>>
>> _name=$(basename $0)
>> [.. so the name of the rc script is used to get the compiled login.conf info ..]
>> getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1
>> [ but this only prints stuff according to the man page ]
>>
>> There is an rcexec that forces the usage of the login class
>>
>> grep rcexec /etc/rc.d/*
>> unbound uses it, but not squid.
>>
>> I guess my perl script would have to do a setrlimit after dropping
>> privilege to open 4096 files.
>>
>>
>> On the other hand, the class is supposed to be in master.passwd or be
>> the default:
>>
>>
>> name       User's login name.
>> password   User's encrypted password.
>> uid        User's login user ID.
>> gid        User's login group ID.
>> class      User's general classification (see login.conf(5)).
>> change     Password change time.
>> expire     Account expiration time.
>> gecos      General information about the user.
>> home_dir   User's home directory.
>> shell      User's login shell.
>>
>>
>> _squid:*:515:515:daemon:0:0:Squid Account:
>> _bgpd:*:75:75::0:0:BGP Daemon:/var/empty:/sbin/nologin
>>
>>
>> bgpd class is blank, squid is set to daemon.
>>
>> Is bgpd correctly configured?
>
> Yes. It has an entry in /etc/login.conf
>
> man rc.subr explains it:
>
> -- quote --
> daemon_class  Login class to run the daemon with, using su(1). This is
>               a read only variable that gets set by rc.subr itself. It
>               searches login.conf(5) for a login class that has the
>               same name as the rc.d script itself and uses that. If no
>               such login class exists then ``daemon'' will be used.
> -- end quote --
>
>> is squid using the daemon class?
>
> Yes unless you have a stanza for squid in /etc/login.conf .
> (And the README for the package advises you to create one)
>
> A test _without_ a stanza for squid in /etc/login.conf and the first
> line of /etc/rc.d/squid set to
>
> #!/bin/sh -x
>
> results in
>
> root:/etc/rc.d:28# /etc/rc.d/squid start
> + daemon=/usr/local/sbin/squid
> + daemon_timeout=35
> + . /etc/rc.d/rc.subr
> + [ -n ]
> + [ -n /usr/local/sbin/squid ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + basename /etc/rc.d/squid
> + _name=squid
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/squid
> + _rc_do _rc_parse_conf
> + eval _rcflags=${squid_flags}
> + _rcflags=
> + eval _rcuser=${squid_user}
> + _rcuser=
> + eval _rctimeout=${squid_timeout}
> + _rctimeout=
> + getcap -f /etc/login.conf squid
> + > /dev/null
> + 2>&1
> + [ -z ]
> + daemon_class=daemon
> + [ -z ]
> + daemon_user=root
> + [ -z 35 ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + readonly daemon_class
> + unset _rcflags _rcuser _rctimeout
> + pexp=/usr/local/sbin/squid
> + rcexec=su -l -c daemon -s /bin/sh root -c
> + rc_cmd start
> squid(ok)
>
> The same _with_ a stanza for squid in /etc/login.conf gives
>
> root:/etc/rc.d:34# /etc/rc.d/squid start
>
> + daemon=/usr/local/sbin/squid
> + daemon_timeout=35
> + . /etc/rc.d/rc.subr
> + [ -n ]
> + [ -n /usr/local/sbin/squid ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + basename /etc/rc.d/squid
> + _name=squid
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/squid
> + _rc_do _rc_parse_conf
> + eval _rcflags=${squid_flags}
> + _rcflags=
> + eval _rcuser=${squid_user}
> + _rcuser=
> + eval _rctimeout=${squid_timeout}
> + _rctimeout=
> + getcap -f /etc/login.conf squid
> + > /dev/null
> + 2>&1
> + daemon_class=squid
> + [ -z squid ]
> + [ -z ]
> + daemon_user=root
> + [ -z 35 ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + [ -n ]
> + readonly daemon_class
> + unset _rcflags _rcuser _rctimeout
> + pexp=/usr/local/sbin/squid
> + rcexec=su -l -c squid -s /bin/sh root -c
> + rc_cmd start
> squid(ok)
>
>> am I forced to use BSD::resources to setrlimit in the perl script to
>> validate this?
>> is getcap doing something else than printing?
>
> Yes, it returns $? which is used in rc.subr to set the login-class to
> daemon when there is no service-specific stanza in /etc/login.conf
>
> HTH
> rru
>
I understand now; the answer to the BSD::resources question is yes, apparently:

# su -l -c squid -s /bin/sh root -c "perl /root/fds.pl"
uid=515(_squid) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
ksh: ulimit: Permission denied
Error in tempfile() using template /tmp/XXXXXXXXXX: Could not create temp file /tmp/f7PQGePzoX: Too many open files at /root/fds.pl line 20.
Count:125

--
() ascii ribbon campaign - against html e-mail
/\
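As an added example (not code from this thread or from OpenBSD's rc.subr), the POSIX sh script below reproduces the class selection traced in the messages above against a constructed login.conf, builds the same su(1) line rc.subr puts in $rcexec, and resolves the resulting openfiles limits through tc= links. The stanza contents and limit values are assumptions, and getcap(1) is replaced by an awk parser so the script runs on any system.

```shell
#!/bin/sh
# Added example (not from the thread or OpenBSD's rc.subr): mirrors rc.subr's
# daemon_class selection against a constructed login.conf and resolves limits
# through tc= links. getcap(1) is avoided: on Linux that is the libcap tool.
LOGIN_CONF=$(mktemp); trap 'rm -f "$LOGIN_CONF"' EXIT
cat > "$LOGIN_CONF" <<'EOF'
# constructed sample in login.conf(5) syntax; "squid" is the rc script's name
daemon:\
    :openfiles-cur=128:\
    :openfiles-max=512:\
    :tc=default:
squid:\
    :openfiles-cur=4096:\
    :tc=daemon:
EOF
# rc.subr's rule: a stanza named like the rc script selects that class,
# otherwise "daemon" is used (the account name, _squid, plays no part).
daemon_class_for() {
    _name=$(basename "$1")
    if grep -q "^${_name}[:|]" "$2"; then echo "$_name"; else echo daemon; fi
}
# The su(1) command line rc.subr builds as $rcexec (user defaults to root).
rcexec_for() {
    echo "su -l -c $(daemon_class_for "$1" "$2") -s /bin/sh ${3:-root} -c"
}
# Resolve capability $2 for class $1 from file $3, following tc= links like
# getcap does; prints the value and returns 0, or returns 1 when it is unset.
class_cap() {
    awk -v cls="$1" -v cap="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[^ \t]/ { name = $0; sub(/[:|].*/, "", name); rec[name] = "" }
        { line = $0; sub(/\\[ \t]*$/, "", line); rec[name] = rec[name] line }
        END {
            for (depth = 0; depth < 16 && (cls in rec); depth++) {
                n = split(rec[cls], f, ":"); nxt = ""
                for (i = 1; i <= n; i++) {
                    if (index(f[i], cap "=") == 1) { print substr(f[i], length(cap) + 2); exit 0 }
                    if (index(f[i], "tc=") == 1) nxt = substr(f[i], 4)
                }
                cls = nxt
            }
            exit 1
        }' "$3"
}
for rc in /etc/rc.d/squid /etc/rc.d/bgpd; do
    cls=$(daemon_class_for "$rc" "$LOGIN_CONF")
    echo "$rc -> class=$cls openfiles-cur=$(class_cap "$cls" openfiles-cur "$LOGIN_CONF")"
    echo "   $(rcexec_for "$rc" "$LOGIN_CONF")"
done
```

With the sample file, squid inherits openfiles-max=512 from the daemon stanza while overriding openfiles-cur, and bgpd, having no stanza, falls back to the daemon class exactly as in the traced run.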