is implemented in pam_opie module
For non-PAM variant rewrite empty password checking code to do the right thing
and not disallow empty passwords in all cases.
Hiroyuki YAMAMORI gave a patch for the EPRT command in the
PR below. Problems with the rest of the patch are my fault.
PR: 33268
Reviewed by: iedowse, sheldonh
handed a integer, not void).
- No need to set flags to zero when they already will be.
- It was also noted the manner in which the signal handling has changed
might possibly generate some problems (hangs possibly) -- these, while
remaining in the code, will be fixed shortly (within a day).
Submitted by: bde
negotiation rather than rejecting the request.
Apple OpenFirmware 3.0f3 (the version in my iMac) adds trailing garbage to the
end of an otherwise valid request. Without this change, the requests were
rejected which prevented me from booting.
Reviewed by: obrien
DoS bug that the select(2)/accept(2) pair is called on
a socket that is in the blocking I/O mode. The bug is
triggered if a selected connection dies before the accept(2)
leading to the accept(2) blocking virtually forever.
MFC after: 1 week
DT_INIT and DT_FINI tags pointed to fptr records. In 2.11.2, it points
to the actuall address of the function. On IA64 you cannot just take
an address of a function, store it in a function pointer variable and
call it.. the function pointers point to a fptr data block that has the
target gp and address in it. This is absolutely necessary for using
the in-tree binutils toolchain, but (unfortunately) will not work with
old shared libraries. Save your old ld-elf.so.1 if you want to use
old ones still. Do not mix-and-match.
This is a no-op change for i386 and alpha.
Reviewed by: dfr
for negotiation of timeout and file size to the tftp protocol. This
is required by some firmware like EFI boot managers (at least on
HP i2000 Itanium servers) in order to boot an image using tftp. The
attached patch implements the RFC, and in doing so also implements
RFC2347; a generic tftp option extension.
PR: 30710
Submitted by: Espen Skoglund <esk@ira.uka.de>
refers to the size of the whole ethernet packet, just the DHCP
message within the UDP payload, or something else. bootpd interpreted
it as a maximum UDP payload size, so it could end up sending
fragmented packets to clients (such as some versions of Etherboot)
that used different interpretations of the maximum message size.
Switch to the most conservative interpretation: ensure that the
ethernet packet containing the response is no larger than the
specified maximum message size. This matches the behaviour of
the ISC dhcpd.
MFC after: 1 week
in the SYNOPSIS and DESCRIPTION.
Note that -l remains an ugly exception, to which no known rules apply,
since the specification of a single option multiple times isn't normal
standards-compliant CLI behaviour.
While here, mark AF_INET* and LOG_* defined values up with Dv.
atoi -> strtoll
fseek -> fseeko
NOTE: that fseek not works for >long offsets per POSIX:
[EOVERFLOW] For fseek( ), the resulting file offset would be a value which
cannot be represented correctly in an object of type long.
Fix minor cast too.
-O, which limits the impact of the write-only restriction to guest
users.
*) The existing manual page's SYNOPSIS and option listing in the
DESCRIPTION are already horribly disordered. No attempt has been
made to fix this.
*) The existing source's getopt() optstring and option handling switch
are already horribly disordered. No attempt has been made to fix
this.
Discussed with: nik, -audit
long -> time_t
%ld -> %qd
fseek -> fseeko
NOTE: that fseek not works for >long offsets per POSIX:
[EOVERFLOW] For fseek( ), the resulting file offset would be a value which
cannot be represented correctly in an object of type long.
preventing anyone from downloading files. In conjunction with -A, and some
appropriate file permissions, this lets you create an anonymous FTP drop
box for people to upload files to.
The more obvious "-w" flag is already taken by NetBSD's ftpd. "-o" was
available as an option letter in all three BSDs.
Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text.
Not only this slows down the mdoc(7) processing significantly, but it also
has an undesired (in this case) effect of disabling hyphenation within the
entire enclosed block.
Prevents simultaneous calls to updatestat() as function is not reentrant.
PR: bin/24857
Submitted by: Martin Butkus <mb@bagheera.thgwf.de>
MFC after: 1 month
with NetBSD and OpenBSD. glob(3) will now return GLOB_NOSPACE with
errno set to 0 instead of GLOB_LIMIT when we match more than `gl_matchc'
patterns. GLOB_MAXPATH has been left as an alias of GLOB_LIMIT to
maintain backwards compatibility.
Reviewed by: sheldonh, assar
Obtained from: NetBSD/OpenBSD
with the conversation function and challenges which needs to be
revisited, so in the interim a hack is introduced to provide
an OPIE challenge (which is random if OPIE does not apply)
at all non-anonymnous logins.
as the current time. It's nice to know whether the talk request you
see was sent just a few minutes ago (assuming you didn't hear the
bell), or if it's been decaying for days (weeks?).
particularly help programs which load many shared libraries with
a lot of relocations. Large C++ programs such as are found in KDE
are a prime example.
While relocating a shared object, maintain a vector of symbols
which have already been looked up, directly indexed by symbol
number. Typically, symbols which are referenced by a relocation
entry are referenced by many of them. This is the same optimization
I made to the a.out dynamic linker in 1995 (rtld.c revision 1.30).
Also, compare the first character of a sought-after symbol with its
symbol table entry before calling strcmp().
On a PII/400 these changes reduce the start-up time of a typical
KDE program from 833 msec (elapsed) to 370 msec.
MFC after: 5 days
longer includes machine/elf.h.
* consumers of elf.h now use the minimalist elf header possible.
This change is motivated by Binutils 2.11.0 and too much clashing over
our base elf headers and the Binutils elf headers.
There are protocol issues to deal with.
Bring back this routine (renamed to avoid a library conflict in libssh)
and overhaul it for more 21st Century style coding.
Pointed out by: bde
Limit the "pathname" glob to one item, as that is what all users of it
are expecting, except for LIST.
Always glob, instead of when the first character is a ~. For example,
if you had directories ~/x1, and ~/x2, then "cwd x[1]" would fail, but
"cwd ~/x[1]" would work since it was globbed due to the ~ character.
Also, "cwd ~/x[12]" used to arbitarily work as it used the first
expansion (ie: x1) without an error. Make it return '550 ambiguous'
instead of '550 not found' so that the user can see the difference.
For LIST, just use the user supplied string as the popen does the glob.
Problem noticed by: Ajay Mittal <amittal@iprg.nokia.com>
This allows you to determine if the file on the other side is the same
as the one you have without transferring the entire file to compare.
Needless to say, if the server end lies to you this check doesn't work,
but on the other hand, if it lies to you about the files checksum,
what can you trust from it ?
The PAM_FAIL_CHECK and PAM_END macros in su.c came from the util-linux
package's PAM patches to the BSD login.c
Submitted by: "David J. MacKenzie" <djm@web.us.uu.net>
The PR also included documentation for other options, but upon
inspection of the source these options aren't used.
PR: docs/24149
Submitted by: Jesse Monroy, Jr. <opentrax@email.com>
it at boot time closer to the way we want it to be in the final version.
* Move the default directory to /var/db/entropy
* Run the entropy saving cron job every 11 minutes. This seems
to be a better default, although still bikeshed material.
* Feed /dev/random some cheesy "entropy" from various commands
and files before the disks are mounted. This gives /dev/random
a better chance of running without blocking early.
* Move the reseeding with previously stored entropy to the point
immediately after the disks are mounted.
* Make the harvesting script a little safer in regards to the
possibility of accidentally overwriting something other
than a regular file.
it can be used to reseed at boot time. This will greatly increase
the chances that there will be sufficient entropy available at
boot time to prevent long delays.
For /etc/rc, remove the vmstat and iostat runs from the attempt
to provide some cheesy randomness if the files fail, since
those programs are dynamically linked, and ldd seems to want
some randomness to do its magic.
Guidance and parameters for this project were provided by
Mark Murray, based on the requirements of the Yarrow
algorithm. Some helpful suggestions for implementation
(including the tip about iostat and vmstat) were provided
by Sheldon Hearn. All blame for problems or mistakes is
mine of course.
PADI packet contains a NULL service. This is apparently the desired
behaviour in this case, though we only allow advertising one
service. You could run multiple pppoeds to advertise multiple services.
files. Mostly -I${.CURDIR} was needed -- especially for YACC generated
files as the new cpp does not look in the ultimate source file
(ie, the .y file)'s directory as told by the "#line" directive. Some were
misspellings of "-I${.CURDIR}" as "-I.".
The function's callers generate the error message when appropriate.
This eliminates the message ``Undefined symbol "__register_frame_info"''
which was bogusly returned by dlerror() in some cases.
with telnetd. This should really be done with a positive filter - i.e.
only allow through a configured list of variables.
Also do some buffer-safety cleanups while I'm here - I don't think these
are exploitable.
not allocate a pty(4) so it is not suitable at all for interactive
PAM modules. rlogind calls login(1) which is already PAM enabled.
Approved by: markm
used not to be necessary).
o Allow ``-n ngdebug'' to specify something to pass to NgSetDebug()
and redirect NgSetDebug() output to syslog(8) in daemon() mode.
o Xref ng_ether(8) and NgSetDebug(4).
o Correct the type of the response passed to NgRecvData.
Update documentation to reflect new option. Also fix documentation
style and add missing references.
PR: 21268
Submitted by: "Aleksandr A. Babaylov" <babolo@links.ru>
Reviewed by: imp