Date:      Fri, 1 Sep 2006 08:35:20 -0500
From:      Brooks Davis <brooks@one-eyed-alien.net>
To:        Doug Barton <dougb@freebsd.org>
Cc:        ports@freebsd.org, Jiawei Ye <leafy7382@gmail.com>
Subject:   Re: Jabberd vs PostgreSQL
Message-ID:  <20060901133519.GA14134@lor.one-eyed-alien.net>
In-Reply-To: <44F7C639.90905@FreeBSD.org>
References:  <c21e92e20608292112u714e3b5ck9ca346acffe4a30b@mail.gmail.com> <44F7C639.90905@FreeBSD.org>


On Thu, Aug 31, 2006 at 10:33:45PM -0700, Doug Barton wrote:
> Jiawei Ye wrote:
>
> > I can see that postgresql requires LOGIN, but jabberd is BEFORE:LOGIN,
> > what is the proper solution?
>
> If I understand correctly, pgsql runs as an unprivileged user, which means
> it needs to REQUIRE LOGIN. OTOH, there is no reason that jabberd should run
> BEFORE LOGIN, and I suspect that is an artifact of copying and pasting a
> script that had that in it for no good reason. In fact,
> ports/net-im/jabber/files/jabberd.sh.in does not have that line, so I am
> wondering what port you're working with here.

I'd agree that pgsql should REQUIRE LOGIN, but I think the reason is
subtly different.  In my mind the key with LOGIN is that the system
is ready security-wise to allow users to interact with the machine via
methods other than the administrative console.  This should mean the
secure level is elevated and any other security bootstrapping is done.
IIRC this is actually not the case and should be fixed.  Running as an
unprivileged user isn't usable as a differentiating feature.  For example
dhclient runs in part as an unprivileged user.

> In any case, the proper fix here seems to be to have jabber REQUIRE
> postgresql. Try that, and if it works, you're golden.

There are a couple problems with "REQUIRE postgresql" in general:
 - There's no requirement that you run a database on the machine the
   application is on.  (This is why ports depend on the -client not the
   -server port).
 - Several ports will work out of the box with either postgres or mysql
   so depending on one or the other is wrong.  As is depending on both.

I think the right thing is to create a stub DATABASE provider that mysql
and postgres can be BEFORE.  Ports that want a database can just depend
on that.  It will ensure that ordering is correct if the server is local
without causing problems if it isn't or requiring script modifications
for ports that can use more than one database from the same package.

-- Brooks
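
The stub-provider ordering proposed in this message, modelled as an added example (not part of the original e-mail and not FreeBSD's rcorder code). The DATABASE stub and every script header below are constructed assumptions, and the dependency graph is a simplified model of how PROVIDE/REQUIRE/BEFORE keywords are resolved.

```python
import re
from graphlib import TopologicalSorter

# Matches the rc.d dependency keywords in a script's comment header.
HEADER = re.compile(r"^#[ \t]*(PROVIDE|REQUIRE|BEFORE):[ \t]*(.*)$", re.M)

# Constructed headers. DATABASE is the hypothetical stub: it starts nothing
# and exists only as an ordering point, as LOGIN does.
BASE = {
    "LOGIN":    "# PROVIDE: LOGIN\n",
    "DATABASE": "# PROVIDE: DATABASE\n",
    "jabberd":  "# PROVIDE: jabberd\n# REQUIRE: LOGIN DATABASE\n",
}
POSTGRESQL = {"postgresql": "# PROVIDE: postgresql\n# REQUIRE: LOGIN\n# BEFORE: DATABASE\n"}
MYSQL = {"mysql": "# PROVIDE: mysql\n# REQUIRE: LOGIN\n# BEFORE: DATABASE\n"}

def parse(text):
    """Collect the PROVIDE/REQUIRE/BEFORE names of one script."""
    tags = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, names in HEADER.findall(text):
        tags[key] += names.split()
    return tags

def boot_order(scripts):
    """Return the script names in one valid start order."""
    parsed = {name: parse(text) for name, text in scripts.items()}
    provider = {p: n for n, t in parsed.items() for p in t["PROVIDE"]}
    graph = {name: set() for name in parsed}  # script -> scripts that start first
    for name, tags in parsed.items():
        for req in tags["REQUIRE"]:
            if req in provider:               # a missing provider adds no edge
                graph[name].add(provider[req])
        for later in tags["BEFORE"]:
            if later in provider:
                graph[provider[later]].add(name)
    return list(TopologicalSorter(graph).static_order())

def starts_before(order, first, second):
    return order.index(first) < order.index(second)

if __name__ == "__main__":
    print("local postgres:", boot_order({**BASE, **POSTGRESQL}))
    print("remote database:", boot_order(BASE))
    print("both installed:", boot_order({**BASE, **POSTGRESQL, **MYSQL}))
```

The jabberd header is identical in all three runs: only the presence of a server script that declares BEFORE: DATABASE changes the order.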



