'LOGIN' states:
        This is a dummy dependency to ensure user services such as xdm,
        inetd, cron and kerberos are started after everything else, in
        case the administrator has increased the system security level
        and wants to delay user logins until the system is (almost) fully
        operational.

So based on that, 'securelevel' should have:
+# REQUIRE: sysctl
+# BEFORE: LOGIN
Otherwise a cronjob could act against securelevel=1+ for a short period
of time.

But after adding that one gets
rcorder: Circular dependency on provision `LOGIN' in file `cron'.
rcorder: Circular dependency on provision `LOGIN' in file `jail'.

As 'cron' has "BEFORE: securelevel". Why should that be the case?
This comes from r114735 (Move securelevel further back in the boot order)
but failed to state any scenarios.

Thoughts?

'jail' has "REQUIRE: LOGIN" (r113568) and "BEFORE: securelevel".
I see the need for "BEFORE: securelevel", but why the need for
"REQUIRE: LOGIN"?

-- 
-- David ([hidden email])

P.S. Does this change in ordering look OK?

--- /tmp/1	2012-01-12 15:40:27.000000000 -0800
+++ /tmp/2	2012-01-12 15:40:33.000000000 -0800
@@ -126,14 +126,13 @@ sdpd
 rfcomm_pppd_server
 rtadvd
 rwho
+jail
+localpkg
+securelevel
 LOGIN
 syscons
 sshd
 sendmail
-cron
-jail
-localpkg
-securelevel
 power_profile
 othermta
 nfscbd
@@ -148,6 +147,7 @@ geli2
 ftpd
 ftp-proxy
 dhclient
+cron
 bsnmpd
 bluetooth
 bgfsck
_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-rc
To unsubscribe, send any mail to "[hidden email]"
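Review bot: in the first hunk (-126,14 +126,13) localpkg is pulled ahead of securelevel together with jail, so locally installed startup scripts now run with the securelevel still at its boot value; the mail only argues for jail needing to precede securelevel, so please say whether localpkg moving earlier is intended or just a side effect of its existing ordering relative to jail.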
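Review bot: in the second hunk (-148,6 +147,7) cron lands after dhclient, i.e. after both securelevel and LOGIN have run; that closes the window the "BEFORE: LOGIN" change is meant to close, but it also means any @reboot crontab entry now executes after the securelevel has been raised, which the thread flags as a possible behaviour change and which the LOGIN comment and the commit message should state explicitly.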
On 12 January 2012 23:44, David O'Brien <[hidden email]> wrote:
> 'LOGIN' states:
>         This is a dummy dependency to ensure user services such as xdm,
>         inetd, cron and kerberos are started after everything else, in
>         case the administrator has increased the system security level
>         and wants to delay user logins until the system is (almost) fully
>         operational.
>
> So based on that, 'securelevel' should have:
> +# REQUIRE: sysctl
> +# BEFORE: LOGIN
> Otherwise a cronjob could act against securelevel=1+ for a short period
> of time.

Hm, but what if I have an @reboot line in crontab, that relies on
securelevel <1?

Can't we change the wording in the docs instead?

Chris

In reply to this post by David O'Brien
On 01/12/2012 15:44, David O'Brien wrote:
> 'LOGIN' states:
>         This is a dummy dependency to ensure user services such as xdm,
>         inetd, cron and kerberos are started after everything else, in
>         case the administrator has increased the system security level
>         and wants to delay user logins until the system is (almost) fully
>         operational.
>
> So based on that, 'securelevel' should have:
> +# REQUIRE: sysctl
> +# BEFORE: LOGIN

I haven't fully processed the implications to your proposed change to
rcorder, but a quick meta-note. We should not introduce any new
examples of BEFORE in base rc.d scripts. That knob is useful for
ports/local stuff, but it makes debugging harder.

> Otherwise a cronjob could act against securelevel=1+ for a short period
> of time.

The right way to do what you're proposing is to have LOGIN REQUIRE
securelevel. I tend to agree that the current order is sub-optimal.

> But after adding that one gets
> rcorder: Circular dependency on provision `LOGIN' in file `cron'.
> rcorder: Circular dependency on provision `LOGIN' in file `jail'.
>
> As 'cron' has "BEFORE: securelevel". Why should that be the case?
> This comes from r114735 (Move securelevel further back in the boot order)
> but failed to state any scenarios.
>
> Thoughts?

It sounds like the change to cron's rcorder was an unintended side
effect. The attached patch works without any circular dep errors. It
produces the following:

It moves cron and jail from right before LOGIN, to fairly late after it.
There are no other changes. On my system specifically:

/etc/rc.d/LOGIN
<ports stuff>
/etc/rc.d/ypxfrd
/etc/rc.d/ypupdated
/etc/rc.d/watchdogd
/etc/rc.d/ubthidhci
/etc/rc.d/syscons
/etc/rc.d/sshd
/etc/rc.d/sendmail
/etc/rc.d/othermta
/etc/rc.d/nfscbd
/etc/rc.d/msgs
/etc/rc.d/moused
/etc/rc.d/mixer
/etc/rc.d/jail ***
/etc/rc.d/inetd
/etc/rc.d/hostapd
/etc/rc.d/gptboot
/etc/rc.d/geli2
/etc/rc.d/ftpd
/etc/rc.d/ftp-proxy
/etc/rc.d/cron ***
/etc/rc.d/bsnmpd
/etc/rc.d/bgfsck
/etc/rc.d/addswap

I'm willing to listen to good arguments that describe why cron or jail
should start before LOGIN, but if that's going to be the case then yes,
we need to update that comment.

Doug

-- 
        You can observe a lot just by watching. -- Yogi Berra
        Breadth of IT experience, and depth of knowledge in the DNS.
        Yours for the right price. :)  http://SupersetSolutions.com/

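To make the circular-dependency error in the first mail and the "LOGIN REQUIRE securelevel" fix above concrete, here is an added example (not FreeBSD's rcorder(8) and not code from anyone in this thread) that parses the PROVIDE/REQUIRE/BEFORE comment headers of a handful of constructed, simplified rc.d scripts and orders them the way rcorder does. The script texts are assumptions for illustration (the real LOGIN script has more requirements than shown); names that nothing provides are silently ignored here, whereas real rcorder reports them. The first set mirrors the proposal of adding "BEFORE: LOGIN" to securelevel while cron still says "BEFORE: securelevel", which leaves three scripts stuck in a cycle; the second set drops the BEFORE lines and has LOGIN require securelevel, which yields the intended order.

```python
"""Toy rcorder(8)-style resolver for rc.d PROVIDE/REQUIRE/BEFORE headers.

Added example; the script bodies below are constructed and simplified.
"""
import heapq
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$")


def parse_script(name, text):
    """Extract the rcorder keywords from a script's comment header."""
    meta = {"name": name, "PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            meta[m.group(1)].extend(m.group(2).split())
    if not meta["PROVIDE"]:  # rcorder treats the file name itself as a provision
        meta["PROVIDE"].append(name)
    return meta


def build_edges(scripts):
    """Edges a -> b mean 'a must run before b'.

    REQUIRE: X  => every provider of X runs before this script
    BEFORE:  X  => this script runs before every provider of X
    Provisions nobody provides are ignored (real rcorder warns about them).
    """
    providers = defaultdict(list)
    for s in scripts:
        for p in s["PROVIDE"]:
            providers[p].append(s["name"])
    edges = defaultdict(set)
    for s in scripts:
        for p in s["REQUIRE"]:
            for a in providers.get(p, []):
                edges[a].add(s["name"])
        for p in s["BEFORE"]:
            for b in providers.get(p, []):
                edges[s["name"]].add(b)
    return edges


def order(scripts):
    """Kahn's algorithm: returns (start order, scripts stuck in a cycle).

    Ties are broken alphabetically so the result is deterministic.
    """
    edges = build_edges(scripts)
    indeg = {s["name"]: 0 for s in scripts}
    for a in list(edges):
        for b in edges[a]:
            indeg[b] += 1
    ready = [n for n, d in indeg.items() if d == 0]
    heapq.heapify(ready)
    out = []
    while ready:
        n = heapq.heappop(ready)
        out.append(n)
        for b in edges[n]:
            indeg[b] -= 1
            if indeg[b] == 0:
                heapq.heappush(ready, b)
    stuck = sorted(n for n in indeg if n not in out)
    return out, stuck


def resolve(script_texts):
    """Parse a {name: header text} mapping and order it."""
    return order([parse_script(n, t) for n, t in script_texts.items()])


# Constructed headers: securelevel gets BEFORE: LOGIN while cron keeps
# BEFORE: securelevel and REQUIRE: LOGIN -> securelevel < LOGIN < cron < securelevel.
BROKEN = {
    "sysctl": "# PROVIDE: sysctl\n",
    "securelevel": "# PROVIDE: securelevel\n# REQUIRE: sysctl\n# BEFORE: LOGIN\n",
    "LOGIN": "# PROVIDE: LOGIN\n# REQUIRE: sysctl\n",
    "cron": "# PROVIDE: cron\n# REQUIRE: LOGIN\n# BEFORE: securelevel\n",
}

# Constructed headers for the suggested fix: no BEFORE lines in base scripts,
# LOGIN requires securelevel, cron only requires LOGIN.
FIXED = {
    "sysctl": "# PROVIDE: sysctl\n",
    "securelevel": "# PROVIDE: securelevel\n# REQUIRE: sysctl\n",
    "LOGIN": "# PROVIDE: LOGIN\n# REQUIRE: securelevel\n",
    "cron": "# PROVIDE: cron\n# REQUIRE: LOGIN\n",
}

if __name__ == "__main__":
    for label, scripts in (("broken", BROKEN), ("fixed", FIXED)):
        started, stuck = resolve(scripts)
        print(label, "order:", started)
        if stuck:
            print(label, "circular dependency among:", stuck)
```

With the broken set only sysctl can be ordered and LOGIN, cron and securelevel stay stuck, which is the same condition rcorder reports as a circular dependency on `LOGIN' in cron; with the fixed set the order is sysctl, securelevel, LOGIN, cron, so the securelevel is raised before anything LOGIN gates.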
In reply to this post by Chris Rees-11
In reply to this post by dougb
On Fri, Jan 13, 2012 at 02:18:03AM -0800, Doug Barton wrote:
> I haven't fully processed the implications to your proposed change to
> rcorder, but a quick meta-note. We should not introduce any new
> examples of BEFORE in base rc.d scripts. That knob is useful for
> ports/local stuff, but it makes debugging harder.

Doug,
Thanks for the info.  I need to digest the BEFORE vs. LOGIN REQUIRE a
little bit more with my local patch.

> It moves cron and jail from right before LOGIN, to fairly late after it.
> There are no other changes. On my system specifically:

With my change, jail was pushed earlier, not later.  I'm pretty sure
jail should run before changing the secure level -- especially if one
wants securelevel=3.

I have no opinion on cron running later than it did before.

-- 
-- David ([hidden email])

In reply to this post by David O'Brien
On Fri, Jan 13, 2012 at 11:28:10AM -0800, David O'Brien wrote:
> On Fri, Jan 13, 2012 at 07:11:01AM +0000, Chris Rees wrote:
> > On 12 January 2012 23:44, David O'Brien <[hidden email]> wrote:
> > > 'LOGIN' states:
> > >         This is a dummy dependency to ensure user services such as xdm,
> > >         inetd, cron and kerberos are started after everything else, in
> > >         case the administrator has increased the system security level
> > >         and wants to delay user logins until the system is (almost) fully
> > >         operational.
> > >
> > > So based on that, 'securelevel' should have:
> > > +# REQUIRE: sysctl
> > > +# BEFORE: LOGIN
> > > Otherwise a cronjob could act against securelevel=1+ for a short period
> > > of time.
> >
> > Hm, but what if I have an @reboot line in crontab, that relies on
> > securelevel <1?
>
> Can you give an example?
>
> $ man cron | grep @reboot
> {empty}
> $ man crontab | grep @reboot
> {empty}

        @reboot        Run once, at startup.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://yomoli.com

In reply to this post by David O'Brien
On 01/13/2012 11:32, David O'Brien wrote:
> On Fri, Jan 13, 2012 at 02:18:03AM -0800, Doug Barton wrote:
>> I haven't fully processed the implications to your proposed change to
>> rcorder, but a quick meta-note. We should not introduce any new
>> examples of BEFORE in base rc.d scripts. That knob is useful for
>> ports/local stuff, but it makes debugging harder.
>
> Doug,
> Thanks for the info.  I need to digest the BEFORE vs. LOGIN REQUIRE a
> little bit more with my local patch.
>
>
>> It moves cron and jail from right before LOGIN, to fairly late after it.
>> There are no other changes. On my system specifically:
>
> With my change, jail was pushed earlier, not later.  I'm pretty sure
> jail should run before changing the secure level -- especially if one
> wants securelevel=3.

my last patch.

Doug

-- 
        You can observe a lot just by watching. -- Yogi Berra
        Breadth of IT experience, and depth of knowledge in the DNS.
        Yours for the right price. :)  http://SupersetSolutions.com/