Date: Fri, 24 Dec 2010 20:38:25 +1000 From: Da Rock <freebsd-questions@herveybayaustralia.com.au> To: freebsd-questions@freebsd.org Subject: Re: rc.d and environment variables Message-ID: <4D147821.3020706@herveybayaustralia.com.au> In-Reply-To: <20101224093724.GC23384@admin.sibptus.tomsk.ru> References: <20101223172752.GA8539@admin.sibptus.tomsk.ru> <20101223201249.ea7648aa.freebsd@edvax.de> <20101223191443.GA24653@gizmo.acns.msu.edu> <20101224031352.GB16472@admin.sibptus.tomsk.ru> <20101224042542.3e21a6df.freebsd@edvax.de> <20101224035041.GF16472@admin.sibptus.tomsk.ru> <4D14233F.4070107@herveybayaustralia.com.au> <20101224080354.GA21712@admin.sibptus.tomsk.ru> <4D14555B.3000909@herveybayaustralia.com.au> <20101224093724.GC23384@admin.sibptus.tomsk.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On 12/24/10 19:37, Victor Sudakov wrote: > Da Rock wrote: > >>> >>> >>>> Doesn't the rc.d script run as root initially and then a method (default >>>> flags, etc) is used to change the owner to a nobody (restricted >>>> privilege user)? Just my 2c, but please correct me if I'm wrong. >>>> >>>> >>> That is probably correct, rc.subr does "su -m $user", but the login >>> class is not applied there, nor is the users's shell called. >>> >>> >>> >> Exactly. Which means that you'd have to adapt root's env because root's >> shell would be called(?). >> > In this case, how do I limit the variables's visibility only to the > particular daemon (svnserve) or particular user (svn)? > > >> PITA, but as an alternative couldn't all the keytabs be stored in the >> same _secure_ location? Then a global env could be used. >> > I really don't know what the security implications will be if > /etc/krb5.keytab is readable by anyone besides the root user? Do you > have a clue about it? There are other services' keys stored there > besides svn (host/*, cvs/* etc). > > At the risk of getting laughed off stage, and pulling in yet another service, what about ldap? I believe there is supposed to be a way to store keytabs in ldap, which theoretically would mean only the particular services would be able to access their keytabs.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D147821.3020706>