bruce.dubbs at gmail.com
Wed Feb 29 16:50:13 PST 2012
> HTTP link points to the homepage, not the actual download.
Upstream redirects to the home page if it can't find the file. They
don't keep historical versions, so that's why we get the home page.
Evidently they've upgraded from 4.46 to 4.52 since November - more than
once a month. That makes it pretty hard for us to keep up.
> Why does BLFS install an /etc/stunnel/stunnel.conf that has this line:
> chroot = /var/lib/stunnel
> Other services (e.g., BIND), along with LSB/FSB stating that services
> should now be run in /srv. Thoughts about moving the chroot jail?
Well it's pretty much up to the user. We look at /srv for data that may
be served: ftp, http, svn, mailman, bind, etc. A service like stunnel
seems more appropriate for /var, but that's just a personal preference.
> useradd -c "Stunnel Daemon" -d /var/lib/stunnel \
> -g stunnel -s /bin/false -u 51 stunnel
> Typically, chroot daemon users get a home dir of /dev/null, which is
> typically *after* root chroots. From the look of things, it looks like
> there's a host chroot-jail of /var/lib/stunnel, and then a user stunnel
> that lives inside that chroot, and expects its home dir to be
> /var/lib/stunnel once inside the chroot.
> So...Does the daemon run as the stunnel user *BEFORE* the chroot??
> That would be the only reason the stunnel user needs a home directory
> that's in /var/lib/stunnel of the host (and thus having an absolute path
> of /var/lib/stunnel/var/lib/stunnel)? If not, shouldn't that be changed
I don't really know the answers to your question. The home directory
has been that way since stunnel was first added (7 years ago). AFAIK it
works. Most other howtos I've seen use the user nobody, but that is
also used by things like nfs. We've chosen to give stunnel a unique
user. I doubt the home directory is used by stunnel at all.
Why don't you test it with a home dir of /dev/null? If it works OK,
I'll change it.
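The path question raised in the quoted text (a passwd home of /var/lib/stunnel landing at /var/lib/stunnel/var/lib/stunnel on the host if it is looked up inside the jail), as an added example that is not part of the original thread. It reads the `chroot` and `setuid` global options from a stunnel.conf, looks up that user's home in a passwd-format file, and reports whether the directory exists under the jail; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): where does the stunnel user's passwd
# home land on the host if it is looked up inside the chroot jail?

# conf_value FILE KEY: last "KEY = value" among the global options of a stunnel.conf.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*\[/   { exit }     # global options end at the first [service] section
        /^[ \t]*[;#]/ { next }     # comment line
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# passwd_home FILE USER: home directory field of USER in a passwd-format file.
passwd_home() { awk -F: -v u="$2" '$1 == u { print $6 }' "$1"; }

# audit_jail CONF PASSWD: print a one-line verdict about the user's home and the jail.
audit_jail() {
    jail=$(conf_value "$1" chroot); user=$(conf_value "$1" setuid)
    [ -n "$jail" ] || { echo "no-chroot"; return; }
    [ -n "$user" ] || { echo "no-setuid"; return; }
    home=$(passwd_home "$2" "$user")
    case "$home" in
        ""|/dev/null) echo "home-unused" ;;
        *)  host="${jail%/}$home"   # jail path + passwd home = host-side path
            if [ -d "$host" ]; then echo "home-present $host"
            else echo "home-missing $host"; fi ;;
    esac
}

# make_sample DIR [HOME]: constructed stunnel.conf and passwd modelled on the thread
# (the jail lives under DIR so the check can run unprivileged; gid is made up).
make_sample() {
    mkdir -p "$1/jail"
    printf '; constructed sample\nchroot = %s/jail\nsetuid = stunnel\nsetgid = stunnel\n[svc]\naccept = 443\n' "$1" > "$1/stunnel.conf"
    printf 'stunnel:x:51:51:Stunnel Daemon:%s:/bin/false\n' "${2:-/var/lib/stunnel}" > "$1/passwd"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_jail "$demo/stunnel.conf" "$demo/passwd"
rm -rf "$demo"
```

On a real system, pass /etc/stunnel/stunnel.conf and /etc/passwd to `audit_jail`.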