[Bug 237713] security/kstart: rc script still starts before cleartmp

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu May 2 20:30:25 UTC 2019 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237713

            Bug ID: 237713
           Summary: security/kstart: rc script still starts before
                    cleartmp
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: zi at FreeBSD.org
          Reporter: wsh-bugs at wshooper.org
          Assignee: zi at FreeBSD.org
             Flags: maintainer-feedback?(zi at FreeBSD.org)

On 12.0-RELEASE-p3, using kstart-4.2_2 with nss-pam-ldapd-sasl-0.9.10_1, both
installed as packages, the fix from bug #235757 doesn't work for me: the
Kerberos credential cache written by kstart, /tmp/krb5cc_928, is removed from
/tmp before nslcd can use it.

rcorder(8) causes both kstart and nslcd to start before cleartmp:

  root at host:~ # rcorder /etc/rc.d/* /usr/local/etc/rc.d/* | grep -E
'DAEMON|LOGIN|cleartmp|kstart|nslcd'
  rcorder: Circular dependency on provision `DAEMON' in file
`/usr/local/etc/rc.d/kstart'.
  rcorder: requirement `slapd' in file `/usr/local/etc/rc.d/nslcd' has no
providers.
  /usr/local/etc/rc.d/kstart
  /usr/local/etc/rc.d/nslcd
  /etc/rc.d/cleartmp
  /etc/rc.d/DAEMON
  /etc/rc.d/LOGIN

The circular dependency in the error message seems to involve /etc/rc.d/LOGIN.
The kstart script says it requires DAEMON but must run before LOGIN:

  root at host:~ # head -9 /usr/local/etc/rc.d/kstart
  #!/bin/sh
  # $FreeBSD: head/security/kstart/files/kstart.in 496119 2019-03-18 02:28:10Z
zi $

  # PROVIDE: kstart
  # REQUIRE: DAEMON
  # BEFORE: LOGIN
  # KEYWORD: shutdown

  # Add the following lines to /etc/rc.conf to enable kstart:

The LOGIN script, however, requires DAEMON, so LOGIN can't run before DAEMON:

  root at host:~ # head -9 /etc/rc.d/LOGIN
  #!/bin/sh
  #
  # $FreeBSD: releng/12.0/libexec/rc/rc.d/LOGIN 278706 2015-02-13 20:52:23Z
ngie $
  #

  # PROVIDE: LOGIN
  # REQUIRE: DAEMON

  #       This is a dummy dependency to ensure user services such as xdm,

I worked around the problem by changing REQUIRE: DAEMON to REQUIRE: cleartmp
in /usr/local/etc/rc.d/kstart, after which the rcorder output was as expected:

  root at host:/etc/rc.d # rcorder /etc/rc.d/* /usr/local/etc/rc.d/* | grep -E
'DAEMON|LOGIN|cleartmp|kstart|nslcd'
  rcorder: requirement `slapd' in file `/usr/local/etc/rc.d/nslcd' has no
providers.
  /etc/rc.d/cleartmp
  /usr/local/etc/rc.d/kstart
  /usr/local/etc/rc.d/nslcd
  /etc/rc.d/DAEMON
  /etc/rc.d/LOGIN

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-ports-bugs mailing list