From nobody@FreeBSD.org  Tue Oct 28 10:03:44 2008
Message-Id: <200810281003.m9SA3iIA053407@www.freebsd.org>
Date: Tue, 28 Oct 2008 10:03:44 GMT
From: Volker Theile <votdev@gmx.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] Add option to allow a full login when doing 'su' in /etc/rc.subr
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         128433
>Category:       conf
>Synopsis:       [patch] Add option to allow a full login when doing 'su' in rc.subr(8)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 28 10:10:01 UTC 2008
>Closed-Date:    
>Last-Modified:  Wed Oct 29 15:53:33 UTC 2008
>Originator:     Volker Theile
>Release:        FreeBSD 6.4rc1
>Organization:
>Environment:
>Description:
To allow running an application using a specific user I have to modify
the /etc/rc.subr script because the current implementation does not do
a full login when using 'su'. But sometimes it is necessary to do a full
login to allow the application to read/write config data in the user home
directory.

To enable a full login when doing a 'su' the application rc-script can
be modified the following way:

xxx_user=${xxx_user:-"xyz"}
xxx_suopt=${xxx_suopt:-"-l"}

Please see also
http://lists.freebsd.org/pipermail/freebsd-rc/2008-October/001511.html

Don't know if this behaviour can be solved another way, but if not, I
think it is a useful enhancement. Anyway, I'm surprised that nobody else
has had this problem until now.

Regards
Volker

>How-To-Repeat:
Try to run transmission daemon as user 'transmission'. It fails to start
the daemon because it was not possible to read/write config data in
/root/.config/transmission_daemon.

Using the patch a full login will be done when doing 'su' in rc.subr and
the daemon will read/write config data in
/home/transmission/.config/transmission_daemon

>Fix:
--- rc.subr.orig	2008-10-28 10:01:04.000000000 +0100
+++ rc.subr	2008-10-28 09:56:20.000000000 +0100
@@ -438,6 +438,8 @@
 #				to run the chrooted ${command} with.
 #				Requires /usr to be mounted.
 #
+#	${name}_suopt	n	Command parameter for 'su'. Default is '-m'.
+#
 #	${rc_arg}_cmd	n	If set, use this as the method when invoked;
 #				Otherwise, use default command (see below)
 #
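Review bot: The added ${name}_suopt comment line does not say which values are expected or what changing the option implies. Later hunks place the variable unquoted between su and the user name, so it is word-split and every word in it becomes an argument to su in a command built by this script; "Command parameter" reads as if any string were acceptable. Suggest documenting the intended values (the default -m, and -l for a full login) and stating that the value must be a su option only.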
@@ -595,7 +597,8 @@
 	fi
 	eval _chdir=\$${name}_chdir	_chroot=\$${name}_chroot \
 	    _nice=\$${name}_nice	_user=\$${name}_user \
-	    _group=\$${name}_group	_groups=\$${name}_groups
+	    _group=\$${name}_group	_groups=\$${name}_groups \
+		_suopt=\$${name}_suopt
 
 	if [ -n "$_user" ]; then	# unset $_user if running as that user
 		if [ "$_user" = "$(eval $IDCMD)" ]; then
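Review bot: Style point on the added continuation line `_suopt=\$${name}_suopt`: it is indented with two tabs, while the continuation lines above it use one tab plus four spaces. Match the existing indentation so the eval assignment list stays aligned.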
@@ -603,6 +606,10 @@
 		fi
 	fi
 
+	if [ -z "$_suopt" ]; then # set default value
+		_suopt="-m"
+	fi
+
 					# if ${rcvar} is set, and $1 is not
 					# "rcvar", then run
 					#	checkyesno ${rcvar}
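Review bot: The new `if [ -z "$_suopt" ]` block only fills in a default and never checks what a non-empty value contains, although this is the one place where the value is normalized before it reaches the su command line. Suggest accepting only the options the change is meant to support here (for example -m and -l) and falling back to -m with a warning for anything else. The default itself can be a single line, `_suopt=${_suopt:--m}`.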
@@ -673,7 +680,7 @@
 ${_chdir:+cd $_chdir && }\
 $command $rc_flags $command_args"
 				if [ -n "$_user" ]; then
-				    _doit="su -m $_user -c 'sh -c \"$_doit\"'"
+				    _doit="su $_suopt $_user -c 'sh -c \"$_doit\"'"
 				fi
 				if [ -n "$_nice" ]; then
 					if [ -z "$_user" ]; then
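Review bot: In the changed `_doit=` line, letting the caller replace -m changes more than the home directory. With -l, su runs the -c command through the target account's login shell instead of the caller's and replaces the environment the rc script prepared, so a service account whose shell is nologin will no longer start. This should be stated next to the ${name}_suopt documentation and tested with such an account.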
@@ -852,7 +859,7 @@
 
 	_cmd="kill -$1 $rc_pid"
 	if [ -n "$_user" ]; then
-		_cmd="su -m ${_user} -c 'sh -c \"${_cmd}\"'"
+		_cmd="su ${_suopt} ${_user} -c 'sh -c \"${_cmd}\"'"
 	fi
 	echo "$_cmd"
 }
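Review bot: The changed `_cmd=` line builds a kill command, which does not need a full login, yet it now follows ${_suopt} as well. With -l, sending a signal depends on the account's login shell and profile; consider leaving this line at `su -m` and applying the option only where the daemon is started. Also, nothing in this hunk shows _suopt receiving its -m default before it is used here, so an empty value would yield su with no option, which differs from the previous behaviour.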

>Release-Note:
>Audit-Trail:
>Unformatted:
