On a machine with remote NFS mounts and ipfw *without* DEFAULT_TO_ACCEPT [1] compiled into the kernel, the saned and subversion rc scripts affect the loading of ipfw's rules, demoting it to way down the order and the NETWORKING placeholder never seems to be reached. This has the effect of blocking mountcritremote from loading any NFS filesystems in fstab, halting the boot and dropping to single user. rcorder reports many circular dependencies. This makes no sense: # $FreeBSD: ports/graphics/sane-backends/files/saned.in,v 1.3 2012/02/19 01:34:56 fjoe Exp $ # # PROVIDE: saned # REQUIRE: LOGIN netif routing mountcritlocal # BEFORE: NETWORKING Before NETWORKING but requiring LOGIN? And saned is a network daemon, for goodness' sake! Not sure exactly what's wrong with svnserve, since I needed this box back soonest and simply deleted it as I don't run a subversion server on this client. Other scripts may be similarly broken. svnserve also affects yp startup on my NIS master, breaking yp completely. [1] Potential security implications with IPFIREWALL_DEFAULT_TO_ACCEPT option in kernel as there's now a window of opportunity for an open firewall for a length of time after the network comes up. Fix: Fix the rc scripts in these ports to not affect base's rcorder. In the case of sane-backends' saned, just remove the # BEFORE: NETWORKING line. How-To-Repeat: Install graphics/sane-backends or devel/subversion on a machine with ipfw enabled and ipfw set to default deny.
Responsible Changed From-To: freebsd-ports-bugs->lev Over to maintainer of devel/subversion. graphics/sane-backends is unmaintained. http://www.freebsd.org/cgi/query-pr.cgi?pr=165928 Date: Sun, 11 Mar 2012 19:04:05 -0700
dougb 2012-03-19 23:33:15 UTC FreeBSD ports repository Modified files: graphics/sane-backends Makefile graphics/sane-backends/files saned.in Log: Relative to the problem mentioned in the PR, fix the rc.d script to avoid a circular dependency problem which adversely affects other scripts, including those in the base. Specifically, it's impossible to have both: REQUIRE: LOGIN and BEFORE: NETWORKING Since this services runs as an unprivileged user, LOGIN wins. While I'm here, apply various other cleanups, including adding KEYWORD: shutdown, putting the elements in more typical order, fixing some syntax issues, etc. Bump PORTREVISION due to the previous incarnation of the rc.d script being actually pathological, rather than just slightly wacky. PR: ports/165928 Submitted by: Matt Dawson <matt@chronos.org.uk> Feature safe: yes Revision Changes Path 1.104 +1 -1 ports/graphics/sane-backends/Makefile 1.4 +15 -17 ports/graphics/sane-backends/files/saned.in _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Looks like devel/subversion and its associated svnserve script are actually fine as I can't reproduce what I was seeing before with a fresh install. Doug's commit fixes saned, so this PR can now be closed. -- Matt Dawson GW0VNR MTD15-RIPE
State Changed From-To: open->closed Fixed for sane by dougb@, not relevant for subversion.