using rc.subr only by root restriction
Anthony Pankov
ap00 at mail.ru
Mon Jun 26 07:33:10 UTC 2017
Hello,
> this was my fault. :)
Did you mean that you've committed a patch which changes the behavior?
> There are some limits that you can set as a user.
> I think this is a fine change; but I can't speak for the correctness
> of using rc.subr as a general library set for your own purposes. :0
At this time I don't think that my patch is the best solution.
First of all I don't see any explanation of ${name}_login_class in
rc.subr(8). Silently applying 'daemon' login class to all services
seems to be very surprising. I think there are people who modified 'daemon'
login class and get a weird result in their system. I know how
complex it is to investigate such things.
Maybe we can agree on the "explicit is better than implicit" principle
and not apply a login class when ${name}_login_class is not
declared explicitly?
It will solve my problem too.
> On 23 June 2017 at 08:25, Anthony Pankov via freebsd-hackers
> <freebsd-hackers at freebsd.org> wrote:
>> Greetings
>>
>> I was deploying my new system based on FreeBSD 11 and got a
>> surprise.
>> I have a specific subsystem which uses its own startup scripts tied to rc.subr
>> for better integration. Those scripts can be used not only by system startup but also by
>> an unprivileged user.
>> With FreeBSD 11, in the case of an unprivileged user, the error appears: "limits:
>> setrlimit datasize: Operation not permitted"
>>
>> There is a thread on a forum about the issue: https://forums.freebsd.org/threads/58304/
>>
>> I've never seen a warning not to use rc.subr in regular scripts so I
>> made it this way.
>>
>> Maybe we can consider patching rc.subr and removing this
>> restriction?
>>
>>
>>
>> P.S. This patch helps, but maybe there is a better way.
>> --- /etc/rc.subr.old 2017-06-21 07:11:39.716210000 +0300
>> +++ /etc/rc.subr 2017-06-21 07:18:21.215444000 +0300
>> @@ -1072,7 +1072,9 @@
>> fi
>>
>> # Prepend default limits
>> - _doit="limits -C $_login_class $_doit"
>> + if [ `id -u` -eq 0 ]; then
>> + _doit="limits -C $_login_class $_doit"
>> + fi
>>
>> # run the full command
>> #
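Review bot: the added root test at "if [ `id -u` -eq 0 ]; then" drops the limits prefix for every non-root caller with no comment or message, so the "# Prepend default limits" comment above it no longer describes what happens, and a non-root run gets no login-class limits even when a class was chosen on purpose. Add a comment saying the class is applied for root only and why, and consider keying the condition on whether a login class was actually configured rather than on the caller's uid. As a style point, prefer "$(id -u)" with quotes over unquoted backticks inside the test.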
>>
>>
>> --
>>
>> Anthony Pankov mailto:ap00 at mail.ru
>>
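The three behaviours discussed in this thread, side by side, as an added example that is not code from /etc/rc.subr or from the posted patch. The helper names (valid_name, login_class_for, wrap_command), the "demo" service and its path are assumptions, and the uid is passed as an argument so each case can be checked without being root.

```sh
#!/bin/sh
# Sketch only: compares three policies for prepending "limits -C <class>".
# Nothing is executed with limits(1); the wrapped command line is printed.

# valid_name NAME: accept only shell-identifier characters before using eval.
valid_name() {
    case $1 in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
}

# login_class_for NAME: print ${NAME}_login_class, fail if unset or empty.
login_class_for() {
    eval "_v=\${${1}_login_class:-}"
    [ -n "$_v" ] && printf '%s' "$_v"
}

# wrap_command POLICY NAME UID CMD
#   implicit : always apply a class, defaulting to "daemon" (the FreeBSD 11
#              behaviour as the message describes it)
#   rootonly : the posted patch, apply the class only when UID is 0
#   explicit : the proposal, apply a class only when one was declared
wrap_command() {
    _policy=$1; _name=$2; _uid=$3; _cmd=$4
    valid_name "$_name" || return 2
    _class=$(login_class_for "$_name") || _class=
    case $_policy in
        implicit) _apply=yes; _class=${_class:-daemon} ;;
        rootonly) _class=${_class:-daemon}
                  if [ "$_uid" -eq 0 ]; then _apply=yes; else _apply=no; fi ;;
        explicit) if [ -n "$_class" ]; then _apply=yes; else _apply=no; fi ;;
        *) return 2 ;;
    esac
    if [ "$_apply" = yes ]; then
        printf '%s\n' "limits -C $_class $_cmd"
    else
        printf '%s\n' "$_cmd"
    fi
}

# Constructed demo: unprivileged uid 1001, no demo_login_class declared.
for _p in implicit rootonly explicit; do
    printf '%-9s %s\n' "$_p" "$(wrap_command "$_p" demo 1001 /opt/demo/bin/demod)"
done
```

Only the "explicit" policy keeps a deliberately configured class in force for a non-root caller while leaving unconfigured services untouched.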