Subject: Re: ipmon does not start as daemon
To: Andrew Brown <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 02/27/2002 14:23:05

In message <20020227141637.A28132@noc.untraceable.net>, Andrew Brown writes:
>>> >The version in -current now has '-D' too, but unfortunately
>>> >etc/rc.d/ipmon has not yet been fixed to use it explicitly....
>>> what do you mean? the -D flag was added to ipmon_flags in
>>> /etc/defaults/rc.conf last july, so there's no need for "explicit" use
>>> of it.
>>I mean that's the wrong way to use it. Obviously there's been a
>>problem with people not including '-D' in their own /etc/rc.conf
>>settings, and if you think about it for a tiny wee moment longer you'll
>>hopefully realise that in the way /etc/rc.d/ipmon invokes 'ipmon' the
>>'-D' will _ALWAYS_ be absolutely required, and therefore the correct
>>solution is to explicitly use '-D' in that invocation (and to not rely
>>on admins keeping it in their /etc/rc.conf settings)!
>that line of reasoning leads to believing that *all* the settings in
>/etc/defaults/rc.conf should be set in the binaries, and only be able
>to be turned *off* through the use of flags. that's just not right.
>the reason for flags and options is so that programs can serve
>multiple tasks. being started automatically at boot time is only one
>task, and only hubris would lead one to believe that that was the best

Right, but a mandatory option doesn't make much sense, either.
Perhaps the rc.d file should specify -D for ipmon, since that flag is
always required in this context? The point is to get it out of
rc.conf, where it's likely to be dropped by accident.

--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com