[Pkg-sysvinit-devel] Bug#546401: sysvinit/sysv-rc drops support for /etc/rc.boot

Craig Sanders cas at taz.net.au
Sun Sep 13 03:18:39 UTC 2009


Package: sysvinit
Version: 2.87dsf-3
Severity: critical

from the changelog:

  * Drop execution of files in /etc/rc.boot from sysv-rc.  This feature
    have been obsolete since before 1999.  Remove the rc.boot(5) manual
    page from the source as well.

WTF?

WHY?

this bone-headed decision just left my entire network wide open to
the internet because my /etc/rc.boot/00firewall script didn't run
after rebooting to upgrade to kernel 2.6.31, and the flood of spambots
took down my mail server along with associated load-related problems
(hundreds of CRON jobs starved for CPU, rsyslog and named maxed out)

and it was only "luck" that one of my testing accounts (with an insecure
dictionary-word password) had /bin/false as the shell - otherwise the
machine would have been compromised via ssh.

Sep 12 20:44:21 taz sshd[21285]: Accepted password for USERNAME_CENSORED from 70.90.124.130 port 57020 ssh2


similarly, my /etc/rc.boot/ scripts to mail dmesg to root, and to use
blockdev to setra on all my drives didn't run either.


where the hell else am i supposed to put such scripts?

/etc/rc.boot hasn't been OK for packages to use for years, but it is THE
location for local boot scripts to exist, with all the usual benefits
of being run by run-parts (e.g. files with "." in them not executed).

it's listed in the Debian FAQ /usr/share/doc/debian/FAQ/debian-faq.en.txt.gz
at around line 3500:

     "Then, for compatibility, it runs the files (except those with a
     `.'in the filename) in `/etc/rc.boot/' too.  Any scripts in the
     latter directory are usually reserved for system administrator use,
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     and using them in packages is deprecated."


please revert this change, or at least provide an equivalent alternative.
you can't just take away useful - even vital - functionality like this
without warning.



flagged as critical because of the security problems this causes.

craig

-- 
craig sanders <cas at taz.net.au>





More information about the Pkg-sysvinit-devel mailing list