On Wed, Dec 3, 2014 at 4:11 PM, Einfach Jemand <rru....@gmail.com> wrote:
> On 03.12.2014 12:59, sven falempin wrote:
>> On Tue, Dec 2, 2014 at 9:55 PM, Steve Shockley
>> <steve.shock...@shockley.net> wrote:
>>> On 12/2/2014 8:49 PM, Einfach Jemand wrote:
>>>
>>>> Hmm, I checked on one of my boxen and there /etc/passwd has
>>>>
>>>> _squid
>>>> ^------------! Note the underline.
>>>>
>>>> as account for this package, so you probably want
>>>
>>>
>>> According to the package README:
>>>
>>> When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
>>> "${RCDIR}/squid start") the appropriately-named login class is used
>>> automatically.
>>>
>>> So, the underline shouldn't be necessary.
>>>
>>
>>  The login would be applied in an rc script? I looked into that:
>>
>> is that why the _ goes away?
>>
>> _name=$(basename $0)
>> [.. so the name of the rc script is used to get compiled login.conf info..]
>> getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1
>> [ but this only prints stuff according to the man page ]
>>
>>  There is an rcexec that forces the usage of the login class
>>
>> grep rcexec /etc/rc.d/*
>> unbound uses it, but not squid.
>>
>> I guess my perl script would have to do a setrlimit after dropping
>> privilege to open 4096 files.
>>
>>
>> On the other hand, the class is supposed to be in master.passwd or be
>> set to the default:
>>
>>
>> name User's login name.
>> password User's encrypted password.
>> uid User's login user ID.
>> gid User's login group ID.
>> class User's general classification (see login.conf(5)).
>> change Password change time.
>> expire Account expiration time.
>> gecos General information about the user.
>> home_dir User's home directory.
>> shell User's login shell.
>>
>>
>> _squid:*:515:515:daemon:0:0:Squid Account:
>> _bgpd:*:75:75::0:0:BGP Daemon:/var/empty:/sbin/nologin
>>
>>
>> bgpd class is blank, squid is set to daemon.
>>
>> Is bgpd correctly configured?
>
> Yes. It has an entry in /etc/login.conf
>
> man rc.subr explains it:
>
> -- quote --
> daemon_class  Login class to run the daemon with, using su(1).  This is
>               a read only variable that gets set by rc.subr itself.  It
>               searches login.conf(5) for a login class that has the
>               same name as the rc.d script itself and uses that.  If no
>               such login class exists then ``daemon'' will be used.
> -- end quote --
>
>> is squid using the daemon class ?
>
> Yes, unless you have a stanza for squid in /etc/login.conf.
> (And the README for the package advises you to create one)
>
> A test _without_ a stanza for squid in /etc/login.conf and the first
> line of /etc/rc.d/squid set to
>
> #!/bin/sh -x
>
> results in
>
> root:/etc/rc.d:28# /etc/rc.d/squid start
> + daemon=/usr/local/sbin/squid
> + daemon_timeout=35
> + . /etc/rc.d/rc.subr
> + [ -n  ]
> + [ -n /usr/local/sbin/squid ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + basename /etc/rc.d/squid
> + _name=squid
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/squid
> + _rc_do _rc_parse_conf
> + eval _rcflags=${squid_flags}
> + _rcflags=
> + eval _rcuser=${squid_user}
> + _rcuser=
> + eval _rctimeout=${squid_timeout}
> + _rctimeout=
> + getcap -f /etc/login.conf squid
> + > /dev/null
> + 2>&1
> + [ -z  ]
> + daemon_class=daemon
> + [ -z  ]
> + daemon_user=root
> + [ -z 35 ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + readonly daemon_class
> + unset _rcflags _rcuser _rctimeout
> + pexp=/usr/local/sbin/squid
> + rcexec=su -l -c daemon -s /bin/sh root -c
> + rc_cmd start
> squid(ok)
>
> The same _with_ a stanza for squid in /etc/login.conf gives
>
> root:/etc/rc.d:34# /etc/rc.d/squid start
>
> + daemon=/usr/local/sbin/squid
> + daemon_timeout=35
> + . /etc/rc.d/rc.subr
> + [ -n  ]
> + [ -n /usr/local/sbin/squid ]
> + unset _RC_DEBUG _RC_FORCE
> + getopts df c
> + shift 0
> + basename /etc/rc.d/squid
> + _name=squid
> + _RC_RUNDIR=/var/run/rc.d
> + _RC_RUNFILE=/var/run/rc.d/squid
> + _rc_do _rc_parse_conf
> + eval _rcflags=${squid_flags}
> + _rcflags=
> + eval _rcuser=${squid_user}
> + _rcuser=
> + eval _rctimeout=${squid_timeout}
> + _rctimeout=
> + getcap -f /etc/login.conf squid
> + > /dev/null
> + 2>&1
> + daemon_class=squid
> + [ -z squid ]
> + [ -z  ]
> + daemon_user=root
> + [ -z 35 ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + [ -n  ]
> + readonly daemon_class
> + unset _rcflags _rcuser _rctimeout
> + pexp=/usr/local/sbin/squid
> + rcexec=su -l -c squid -s /bin/sh root -c
> + rc_cmd start
> squid(ok)
>
>> Am I forced to use BSD::Resource to setrlimit in the perl script to
>> validate this?
>> Is getcap doing something else than printing?
>
> Yes, it returns $? which is used in rc.subr to set the login-class to
> daemon when there is no service-specific stanza in /etc/login.conf
>
> HTH
> rru
>

I understand now.

The answer to the BSD::Resource question is yes, apparently.

# su -l -c squid -s  /bin/sh root -c "perl /root/fds.pl"
uid=515(_squid) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
5(operator), 20(staff), 31(guest)
ksh: ulimit: Permission denied
Error in tempfile() using template /tmp/XXXXXXXXXX: Could not create
temp file /tmp/f7PQGePzoX: Too many open files at /root/fds.pl line
20.
Count:125


-- 
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
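The rc.subr lookup discussed in the thread, as an added shell example that is not part of the thread or of OpenBSD's rc.subr: it tests whether a login.conf stanza named after the rc.d script exists (the exit status rc.subr takes from getcap) and falls back to daemon, then reads the openfiles-cur the chosen class inherits through tc=. The login.conf fragment and its values are constructed, and logincap/resolve_daemon_class are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the rc.subr daemon_class
# rule against a constructed login.conf, without needing getcap(1) or an
# OpenBSD host, and show which openfiles limit the chosen class carries.

# Constructed fragment (values made up); /etc/login.conf is the real thing.
LOGIN_CONF=$(mktemp)
trap 'rm -f "$LOGIN_CONF"' EXIT
cat >"$LOGIN_CONF" <<'EOF'
# comment lines and blank lines are ignored
default:\
    :openfiles-cur=512:
daemon:\
    :openfiles-cur=128:\
    :tc=default:
bgpd:\
    :tc=daemon:
EOF

# logincap CLASS [CAP]: with one argument, succeed iff CLASS has a stanza
# (the $? that rc.subr takes from "getcap -f /etc/login.conf CLASS");
# with two, print CAP for CLASS, following tc= like login_getcapnum(3).
logincap() {
    awk -v class="$1" -v cap="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { line = $0; more = (substr(line, length(line)) == "\\")
          if (more) line = substr(line, 1, length(line) - 1)
          if (!cont) { split(line, f, ":"); cur = f[1]; gsub(/^[ \t]+/, "", cur) }
          rec[cur] = rec[cur] line; cont = more }
        END {
          if (cap == "") exit !(class in rec)
          for (hop = 0; hop < 8 && (class in rec); hop++) {
            n = split(rec[class], c, ":"); nxt = ""
            for (i = 1; i <= n; i++) {
              gsub(/^[ \t]+/, "", c[i])
              if (index(c[i], cap "=") == 1) { print substr(c[i], length(cap) + 2); exit 0 }
              if (index(c[i], "tc=") == 1) nxt = substr(c[i], 4)
            }
            class = nxt
          }
          exit 1
        }' "$LOGIN_CONF"
}

# Same decision rc.subr makes: class named after the rc.d script, else "daemon".
resolve_daemon_class() {
    _name=$(basename "$1")
    if logincap "$_name"; then echo "$_name"; else echo daemon; fi
}
```

Run as `resolve_daemon_class /etc/rc.d/squid` to see the fallback, and `logincap daemon openfiles-cur` to see the limit a daemon-class process starts with.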