Date: Tue, 17 Feb 2004 13:33:25 -0800
From: Ted Cabeen <secabeen@pobox.com>
To: Thomas-Martin Seck <tmseck-lists@netcologne.de>
Cc: freebsd-ports@freebsd.org
Subject: Re: Feature Request: /usr/local/etc/rc.conf support
Message-ID: <87znbh4cii.fsf@gray.impulse.net>
In-Reply-To: <20040217212137.GD719@laurel.tmseck.homedns.org> (Thomas-Martin Seck's message of "Tue, 17 Feb 2004 22:21:37 +0100")
References: <20040217193127.5655.qmail@laurel.tmseck.homedns.org> <87vfm5777l.fsf@gray.impulse.net> <20040217212137.GD719@laurel.tmseck.homedns.org>

Thomas-Martin Seck <tmseck-lists@netcologne.de> writes:

> * Ted Cabeen (secabeen@pobox.com):
>
>> tmseck-lists@netcologne.de (Thomas-Martin Seck) writes:
>>
>> > * Ted Cabeen <secabeen@pobox.com> [gmane.os.freebsd.devel.ports]:
>> >
>> >> With the ever-increasing number of ports that use rc.conf variables to
>> >> regulate their startup, would it be possible to add support for a
>> >> /usr/local/etc/rc.conf file in FreeBSD? The constant changes to the
>> >> rc.conf file have been playing havoc with my centralized management
>> >> systems, and it makes it harder and harder to keep the /etc/rc.conf
>> >> file set immutable (which I like to do on critical servers, to prevent
>> >> the securelevel from changing).
>> >
>> > You can use /etc/rc.conf.local.
>>
>> Yeah, but that's supposedly deprecated.
>
> Maybe, but 5.x still uses it "for historical reasons". Neither rc(8) nor
> rc.conf(5) say "deprecated". Do you mean rc.local?

Okay. I read "for historical reasons" as "we might get rid of this
someday, so don't use it".

>> > See the declaration of rc_conf_files in /etc/defaults/rc.conf.
>>
>> Also, that doesn't solve the problem of securelevels. rc.conf.local
>> is still parsed by the boot scripts and could be used to over-ride the
>> system's securelevel.
>
> I cannot follow you here. What does the securelevel value have to do
> with all this?

The system securelevel is set in the /etc/rc.conf file. To prevent an
attacker from changing the securelevel defined there and then rebooting
the machine, I set the /etc/rc.conf file to be immutable. However, I'd
like to be able to install new ports and have them start automatically
without having to boot to single-user to modify rc.conf (or any other
configuration file equivalent to rc.conf).

-- 
Ted Cabeen           http://www.pobox.com/~secabeen            ted@impulse.net
Check Website or Keyserver for PGP/GPG Key BA0349D2         secabeen@pobox.com
"I have taken all knowledge to be my province." -F. Bacon  secabeen@cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot        cabeen@netcom.com
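
Added example, not part of the original message or of FreeBSD's rc scripts: a small audit of the point made above, that files listed in rc_conf_files are read in order, so a later file such as rc.conf.local can override a kern_securelevel set in an immutable /etc/rc.conf. The function names are hypothetical, the sample files are constructed, and the flag check assumes FreeBSD's "ls -lo" output.

```shell
#!/bin/sh
# Added example (not from the thread): find which rc.conf-style file decides a
# variable. The files in rc_conf_files are read in order, so the last one wins.

# last_assignment VAR FILE: value of the last "VAR=" line in FILE, if any.
last_assignment() {
    [ -r "$2" ] || return 0
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$2" |
        tail -n 1
}

# effective_setting VAR FILE...: prints "VALUE FILE" for the file that wins.
effective_setting() {
    var=$1; shift
    winner=""
    for f in "$@"; do
        v=$(last_assignment "$var" "$f")
        if [ -n "$v" ]; then winner="$v $f"; fi
    done
    if [ -n "$winner" ]; then printf '%s\n' "$winner"; fi
}

# has_schg FILE: true when FILE carries the system immutable flag.
# Assumes FreeBSD, where "ls -lo" prints file flags in the fifth column.
has_schg() {
    case "$(ls -lod "$1" 2>/dev/null | awk '{print $5}')" in
        *schg*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files standing in for /etc/rc.conf and /etc/rc.conf.local.
demo=$(mktemp -d)
printf 'kern_securelevel_enable="YES"\nkern_securelevel="2"\n' > "$demo/rc.conf"
printf 'kern_securelevel="-1"\n' > "$demo/rc.conf.local"
echo "effective: $(effective_setting kern_securelevel "$demo/rc.conf" "$demo/rc.conf.local")"
rm -rf "$demo"

# On a FreeBSD host, report every file in rc_conf_files that is not schg.
# A missing file is reported too, since it could still be created.
if [ "$(uname -s)" = FreeBSD ] && [ -r /etc/defaults/rc.conf ]; then
    for f in $(. /etc/defaults/rc.conf; echo "$rc_conf_files"); do
        has_schg "$f" || echo "not immutable: $f"
    done
fi
```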