Bug 237713 - security/kstart: rc script still starts before cleartmp
Summary: security/kstart: rc script still starts before cleartmp
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Ryan Steinmetz
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-02 20:30 UTC by William Hooper
Modified: 2019-05-02 20:30 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (zi)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description William Hooper 2019-05-02 20:30:23 UTC
On 12.0-RELEASE-p3, using kstart-4.2_2 with nss-pam-ldapd-sasl-0.9.10_1, both
installed as packages, the fix from bug #235757 doesn't work for me: the
Kerberos credential cache written by kstart, /tmp/krb5cc_928, is removed from
/tmp before nslcd can use it.

rcorder(8) causes both kstart and nslcd to start before cleartmp:

  root@host:~ # rcorder /etc/rc.d/* /usr/local/etc/rc.d/* | grep -E 'DAEMON|LOGIN|cleartmp|kstart|nslcd'
  rcorder: Circular dependency on provision `DAEMON' in file `/usr/local/etc/rc.d/kstart'.
  rcorder: requirement `slapd' in file `/usr/local/etc/rc.d/nslcd' has no providers.
  /usr/local/etc/rc.d/kstart
  /usr/local/etc/rc.d/nslcd
  /etc/rc.d/cleartmp
  /etc/rc.d/DAEMON
  /etc/rc.d/LOGIN

The circular dependency in the error message seems to involve /etc/rc.d/LOGIN.
The kstart script says it requires DAEMON but must run before LOGIN:

  root@host:~ # head -9 /usr/local/etc/rc.d/kstart
  #!/bin/sh
  # $FreeBSD: head/security/kstart/files/kstart.in 496119 2019-03-18 02:28:10Z zi $
  
  # PROVIDE: kstart
  # REQUIRE: DAEMON
  # BEFORE: LOGIN
  # KEYWORD: shutdown
  
  # Add the following lines to /etc/rc.conf to enable kstart:

The LOGIN script, however, requires DAEMON, so LOGIN can't run before DAEMON:

  root@host:~ # head -9 /etc/rc.d/LOGIN
  #!/bin/sh
  #
  # $FreeBSD: releng/12.0/libexec/rc/rc.d/LOGIN 278706 2015-02-13 20:52:23Z ngie $
  #
  
  # PROVIDE: LOGIN
  # REQUIRE: DAEMON
  
  #       This is a dummy dependency to ensure user services such as xdm,

I worked around the problem by changing REQUIRE: DAEMON to REQUIRE: cleartmp
in /usr/local/etc/rc.d/kstart, after which the rcorder output was as expected:

  root@host:/etc/rc.d # rcorder /etc/rc.d/* /usr/local/etc/rc.d/* | grep -E 'DAEMON|LOGIN|cleartmp|kstart|nslcd'
  rcorder: requirement `slapd' in file `/usr/local/etc/rc.d/nslcd' has no providers.
  /etc/rc.d/cleartmp
  /usr/local/etc/rc.d/kstart
  /usr/local/etc/rc.d/nslcd
  /etc/rc.d/DAEMON
  /etc/rc.d/LOGIN