Bug 237713

Summary: security/kstart: rc script still starts before cleartmp
Product: Ports & Packages
Reporter: William Hooper <wsh-bugs>
Component: Individual Port(s)
Assignee: Ryan Steinmetz <zi>
Status: New
Severity: Affects Some People
CC: wsh-bugs
Priority: ---
Flags: bugzilla: maintainer-feedback? (zi)
Version: Latest
Hardware: Any
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235757

Description William Hooper 2019-05-02 20:30:23 UTC
On 12.0-RELEASE-p3, using kstart-4.2_2 with nss-pam-ldapd-sasl-0.9.10_1, both
installed as packages, the fix from bug #235757 doesn't work for me: the
Kerberos credential cache written by kstart, /tmp/krb5cc_928, is removed from
/tmp before nslcd can use it.

rcorder(8) causes both kstart and nslcd to start before cleartmp:

  root@host:~ # rcorder /etc/rc.d/* /usr/local/etc/rc.d/* | grep -E 'DAEMON|LOGIN|cleartmp|kstart|nslcd'
  rcorder: Circular dependency on provision `DAEMON' in file `/usr/local/etc/rc.d/kstart'.
  rcorder: requirement `slapd' in file `/usr/local/etc/rc.d/nslcd' has no providers.
  /usr/local/etc/rc.d/kstart
  /usr/local/etc/rc.d/nslcd
  /etc/rc.d/cleartmp
  /etc/rc.d/DAEMON
  /etc/rc.d/LOGIN

The circular dependency in the error message seems to involve /etc/rc.d/LOGIN.
The kstart script says it requires DAEMON but must run before LOGIN:

  root@host:~ # head -9 /usr/local/etc/rc.d/kstart
  #!/bin/sh
  # $FreeBSD: head/security/kstart/files/kstart.in 496119 2019-03-18 02:28:10Z zi $
  
  # PROVIDE: kstart
  # REQUIRE: DAEMON
  # BEFORE: LOGIN
  # KEYWORD: shutdown
  
  # Add the following lines to /etc/rc.conf to enable kstart:

The LOGIN script, however, requires DAEMON, so LOGIN can't run before DAEMON:

  root@host:~ # head -9 /etc/rc.d/LOGIN
  #!/bin/sh
  #
  # $FreeBSD: releng/12.0/libexec/rc/rc.d/LOGIN 278706 2015-02-13 20:52:23Z ngie $
  #
  
  # PROVIDE: LOGIN
  # REQUIRE: DAEMON
  
  #       This is a dummy dependency to ensure user services such as xdm,

I worked around the problem by changing REQUIRE: DAEMON to REQUIRE: cleartmp
in /usr/local/etc/rc.d/kstart, after which the rcorder output was as expected:

  root@host:/etc/rc.d # rcorder /etc/rc.d/* /usr/local/etc/rc.d/* | grep -E 'DAEMON|LOGIN|cleartmp|kstart|nslcd'
  rcorder: requirement `slapd' in file `/usr/local/etc/rc.d/nslcd' has no providers.
  /etc/rc.d/cleartmp
  /usr/local/etc/rc.d/kstart
  /usr/local/etc/rc.d/nslcd
  /etc/rc.d/DAEMON
  /etc/rc.d/LOGIN
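
A check for the ordering this report depends on (cleartmp, then kstart, then nslcd), added here as an example; it is not part of the original report or of the port. The function and sample names are hypothetical, and the sample data is the rcorder output quoted above.

```shell
#!/bin/sh
# Added example; rc_order_ok, sample_before and sample_after are hypothetical names.

# rc_order_ok NAME...: read rcorder(8) output on stdin; succeed only if every
# named script is present and the scripts appear in the given relative order.
rc_order_ok() {
    awk -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        /^rcorder:/ { next }                   # skip pasted diagnostics
        {
            base = $1; sub(/.*\//, "", base)   # compare on the basename
            for (i = 1; i <= n; i++)
                if (base == names[i] && !(i in pos)) pos[i] = NR
        }
        END {
            for (i = 1; i <= n; i++) {
                if (!(i in pos)) { print "missing: " names[i]; bad = 1 }
                else if (i > 1 && ((i - 1) in pos) && pos[i] < pos[i - 1]) {
                    print names[i] " is ordered before " names[i - 1]; bad = 1
                }
            }
            exit bad + 0
        }'
}

sample_before() {   # output from the report with REQUIRE: DAEMON in kstart
    cat <<'EOF'
rcorder: requirement `slapd' in file `/usr/local/etc/rc.d/nslcd' has no providers.
/usr/local/etc/rc.d/kstart
/usr/local/etc/rc.d/nslcd
/etc/rc.d/cleartmp
EOF
}

sample_after() {    # output from the report with REQUIRE: cleartmp in kstart
    cat <<'EOF'
/etc/rc.d/cleartmp
/usr/local/etc/rc.d/kstart
/usr/local/etc/rc.d/nslcd
EOF
}

for s in sample_before sample_after; do
    if "$s" | rc_order_ok cleartmp kstart nslcd; then echo "$s: ok"; else echo "$s: misordered"; fi
done
```

On a live system the same check can read `rcorder /etc/rc.d/* /usr/local/etc/rc.d/* 2>/dev/null | rc_order_ok cleartmp kstart nslcd`.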