From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.43) id 1EB92U-00089m-Sf for garchives@archives.gentoo.org; Fri, 02 Sep 2005 10:44:55 +0000 Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.13.4/8.13.4) with SMTP id j82AfANN005546; Fri, 2 Sep 2005 10:41:10 GMT Received: from ctb-mesg8.saix.net (ctb-mesg8.saix.net [196.25.240.88]) by robin.gentoo.org (8.13.4/8.13.4) with ESMTP id j82AcdQd015870 for ; Fri, 2 Sep 2005 10:38:39 GMT Received: from gateway.lan (wblv-146-249-139.telkomadsl.co.za [165.146.249.139]) by ctb-mesg8.saix.net (Postfix) with ESMTP id 6B0DEC2AB for ; Fri, 2 Sep 2005 12:40:43 +0200 (SAST) Received: from localhost (localhost.localdomain [127.0.0.1]) by gateway.lan (Postfix) with ESMTP id 59A853A2482 for ; Fri, 2 Sep 2005 12:14:48 +0200 (SAST) Received: from gateway.lan ([127.0.0.1]) by localhost (gateway.lan [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22955-02 for ; Fri, 2 Sep 2005 12:14:33 +0200 (SAST) Received: from lycan.lan (lycan.lan [192.168.0.5]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by gateway.lan (Postfix) with ESMTP id C8E2E3A241D for ; Fri, 2 Sep 2005 12:14:33 +0200 (SAST) Subject: Re: [gentoo-dev] Re: init.d-scripts don't see stuff from /etc/profile.env From: Martin Schlemmer To: gentoo-dev@lists.gentoo.org In-Reply-To: <1125473129.7443.35.camel@lycan.lan> References: <200508302157.52550.vapier@gentoo.org> <1125454523.7443.28.camel@lycan.lan> <200508302221.22868.vapier@gentoo.org> <1125473129.7443.35.camel@lycan.lan> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-2ABFUM7PET2ZDwuWLQQk" Organization: Gentoo Foundation Date: Fri, 02 Sep 2005 12:41:12 +0200 Message-Id: <1125657672.11345.32.camel@lycan.lan> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Reply-to: gentoo-dev@lists.gentoo.org Mime-Version: 1.0 X-Mailer: Evolution 2.3.8 X-Virus-Scanned: by amavisd-new using ClamAV at nosferatu.za.org X-Archives-Salt: 2a4bcb9d-daba-481e-8e37-ae01acfea384 X-Archives-Hash: d15eb2ce48d29c87945364dab1b0c69d --=-2ABFUM7PET2ZDwuWLQQk Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Wed, 2005-08-31 at 09:25 +0200, Martin Schlemmer wrote: > On Tue, 2005-08-30 at 22:21 -0400, Mike Frysinger wrote: > > On Tuesday 30 August 2005 10:15 pm, Martin Schlemmer wrote: > > > On Tue, 2005-08-30 at 21:57 -0400, Mike Frysinger wrote: > > > > On Tuesday 30 August 2005 09:41 pm, Sven K=C3=B6hler wrote: > > > > > > init.d scripts should have a pure env given to them ... which m= eans, > > > > > > they should be run with `env -i` and have only whitelisted vari= ables > > > > > > given to them (and everything that appears in /etc/conf.d/$serv= ice > > > > > > /etc/conf.d/rc and /etc/rc.conf) ... > > > > > > > > > > Now that may be too few variables. At least the variable LANG (or > > > > > whatever the system-admin may chose to set) could be seen as a > > > > > system-wide language-setting. It could be intentional, that at le= ast > > > > > some variables are available to the started server-processes. > > > > > Especially a system-wide language-setting would be a good idea. > > > > > > > > that is the point of the whitelist idea ... we gather a 'full > > > > env' (source /etc/profile i guess) and rip out just the whitelisted > > > > variables to pass on to init scripts > > > > > > Although I agree, my personal opinion is that its going to be a major > > > PITA to maintain, and slow things down. > >=20 > > with the first run, we cache the 'scrubbed' env, and then just use that= in the=20 > > future ? > >=20 >=20 > We both know when somebody finally notice that, they will bitch because > the environment is not updated :) Damn, did I just point that out ? 8) >=20 > > > Also, not only runscript.sh=20 > > > will have to be 'whitelisted', but also /sbin/rc, which will mean tha= t > > > we now have to wrap two things. I guess a solution could have been t= o > > > use /sbin/runscript (the C thing) for both (should work fine > > > as /sbin/rc's interpreter as well), as that would buy some speed and > > > kill one bash fork, but the problem comes in when we start with a > > > vanilla environment that do not have /etc/profile sourced. > >=20 > > mmm unification is good :) >=20 > I did not argue .. was just wondering how much gain (tears?) it will > bring us :) >=20 Ok, the thing via /sbin/runscript won out - in baselayout-1.12.0_pre8. --=20 Martin Schlemmer --=-2ABFUM7PET2ZDwuWLQQk Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQBDGCxIqburzKaJYLYRAtXoAKCTeLVixr26wr/AqJBR2skzFnYKGQCbBjzd uT1CuXw3TKQ+3CXs3/iPh5c= =/QEX -----END PGP SIGNATURE----- --=-2ABFUM7PET2ZDwuWLQQk-- -- gentoo-dev@gentoo.org mailing list