several new kerberos related libraries and applications to FreeBSD:
o kgetcred(1) allows one to manually get a ticket for a particular service.
o kf(1) securily forwards ticket to another host through an authenticated
and encrypted stream.
o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
and other user kerberos operations. klist and kswitch are just symlinks
to kcc(1) now.
o kswitch(1) allows you to easily switch between kerberos credentials if
you're running KCM.
o hxtool(1) is a certificate management tool to use with PKINIT.
o string2key(1) maps a password into key.
o kdigest(8) is a userland tool to access the KDC's digest interface.
o kimpersonate(8) creates a "fake" ticket for a service.
We also now install manpages for some lirbaries that were not installed
before, libheimntlm and libhx509.
- The new HEIMDAL version no longer supports Kerberos 4. All users are
recommended to switch to Kerberos 5.
- Weak ciphers are now disabled by default. To enable DES support (used
by telnet(8)), use "allow_weak_crypto" option in krb5.conf.
- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
disabled due to the function they use (krb5_get_err_text(3)) being
deprecated. I plan to work on this next.
- Heimdal's KDC now require sqlite to operate. We use the bundled version
and install it as libheimsqlite. If some other FreeBSD components will
require it in the future we can rename it to libbsdsqlite and use for these
components as well.
- This is not a latest Heimdal version, the new one was released while I was
working on the update. I will update it to 1.5.2 soon, as it fixes some
important bugs and security issues.
- Fix wrong scaling in the bc.library.
- Let length(0.000) conform to what gnu bc does.
PR: bin/159227
Submitted by: AIDA Shinra <shinra at j10n dot org>
__uint16_t, we can partially undo r228668.
Note the remark "Work around a clang false positive with format string
warnings and ntohs macros (see LLVM PR 11313)" was actually incorrect.
Before r232745, on some arches, the ntohs() macros did in fact return
int, not uint16_t, so clang was right in warning about the %hu format
string.
MFC after: 2 weeks
installs clang as /usr/bin/cc, /usr/bin/c++ and /usr/bin/cpp.
Note this does *not* disable building and installing gcc, which will
still be available as /usr/bin/gcc, /usr/bin/g++ and /usr/bin/gcpp. If
you want to disable gcc completely, you must use WITHOUT_GCC.
MFC after: 2 weeks
This is harmless because srandom() is called somewhere else, with time(NULL)
as a seed, but this is more correct.
Obtained from: https://bitbucket.org/mux/csup
Pointyhat to: not mux, somebody else
MFC after: 1 week
get rid of testing explicitly for clang (using ${CC:T:Mclang}) in
individual Makefiles.
Instead, use the following extra macros, for use with clang:
- NO_WERROR.clang (disables -Werror)
- NO_WCAST_ALIGN.clang (disables -Wcast-align)
- NO_WFORMAT.clang (disables -Wformat and friends)
- CLANG_NO_IAS (disables integrated assembler)
- CLANG_OPT_SMALL (adds flags for extra small size optimizations)
As a side effect, this enables setting CC/CXX/CPP in src.conf instead of
make.conf! For clang, use the following:
CC=clang
CXX=clang++
CPP=clang-cpp
MFC after: 2 weeks
Some of new features:
- New readers: RAR, LHA/LZH, CAB reader, 7-Zip
- New writers: ISO9660, XAR
- Improvements to many formats, especially including ISO9660 and Zip
- Stackable write filters to write, e.g., tar.gz.uu in a single pass
- Exploit seekable input; new "seekable" Zip reader can exploit the Zip
Central Directory when it's available; the old "streamable" Zip reader
is still fully supported for cases where seeking is not possible.
Full release notes available at:
https://github.com/libarchive/libarchive/wiki/ReleaseNotes
If a utility called by xargs exits with status 255 or because of a signal,
POSIX requires writing an error message.
PR: 165155
Submitted by: Matthew Story matthewstory gmail com
The reasoning behind this, is that if we are consistent in our
documentation about the uint*_t stuff, people will be less tempted to
write new code that uses the non-standard types.
I am not going to bump the man page dates, as these changes can be
considered style nits. The meaning of the man pages is unaffected.
MFC after: 1 month
According to POSIX, -a is equal to -bdlprtTu. It seems this is not true
in practice, as -b normally restricts the output to BOOT_TIME entries
and all implementations that I know of don't.
rpcgen will search the current PATH for the preprocessor. This makes it
possible to run a preprocessor built during the cross-tools stage of
buildworld.
MFC after: 1 week
preprocessor to run. Previously, it always ran /usr/bin/cpp, unless you
used the -Y option, and even then you could not set the basename. It
also attempted to run /usr/ccs/lib/cpp for SVR4 compatibility, but this
is obsolete, and has been removed.
Note that setting RPCGEN_CPP to a command with arguments is supported,
though the command line parsing is simplistic. However, setting it to
e.g. "gcc46 -E" or "clang -E" will lead to problems, because both gcc
and clang in -E mode will consider files with unknown extensions (such
as .x) as object files, and attempt to link them.
This could be worked around by also adding "-x c", but it is much safer
to set RPCGEN_CPP to e.g. "cpp46" or "clang-cpp" instead.
MFC after: 1 week
update access and modification times by reading and writing the file.
chmod(2) in rw() doesn't help because utimes(2) allow owner and the
super-user to change times. Using just utimes(2) should be sufficient.
The -f option becomes no-op.
Reviewed by: jilles
checking the returned oldlen: when ENOMEM is due to the supplied
buffer being too short the return oldlen is equal to buffer size.
Without this additional check sockstat gets stuck in loop leaking the
memory if the returned ENOMEM was due the exceeded memorylocked
limit. This is easily can be observed running `limits -l 1k sockstat'.
Submitted by: Andrey Zonov <andrey zonov org>
MFC after: 1 week
