of sysinstall. So sysinstall may retire now, we have the important non-install part
of it covered.
ATM it doesn't understand GEOM stuff (like mirror, stripe, raid, ...), but patches
to change this and to clean it up internally are more than welcome.
Submitted by: mami@nyitolap.hu
this now compiles on i386 with WARNS?= 3. Most of the fixes included
adding missing 'static' keywords to internal functions, using fully-defined
terminators in statically defined arrays of structs, and various
signed vs unsigned mismatches. Also G/C'd unused configSecurity()
function.
by syscons.
- If we are running as init, popup the country menu before the main menu.
If a non-default country is chosen, then a second menu is brought up
to let the user choose a keymap. By default the default keymap for
the country that was selected is highlighted. If the user chooses the
default country, then the default keymap is just assumed and the user
is not presented with the keymap menu. Currently the default country
is set to "United States" except for PC98 which assumes "Japan".
PR: bin/93853
Submitted by: Seth Kingsley sethk at magnesium dot net
MFC after: 3 days
concensus seems to be that is best left for doing post-install.
Discussed on: freebsd-current@
Tested with: make release
Approved by: re@
MFC after: 3 days
install of Postfix fails since Postfix 1 is picked from INDEX instead
of Postfix 2.
The problem is that the package_add function matches multiple Postfix
packages and then installs a "random" version (the last one found in
INDEX). This does not occur with a CD-ROM install since there is only
one Postfix package on the CD-ROM.
The correct solution to this would be to check the origin field from
INDEX instead of the package name, but due to the way sysinstall is
made that is not trivial, so instead work around the problem by
hard-coding the Postfix major and minor revision (for the current
stable version) to install directly into the package_add call.
PR: misc/65426
Reported by: Harold Kachelmyer <bugs@princessharold.net>
Approved by: trhodes
that actually need it. This makes it easier for a platform porter to
find the files that may need tweaking to support whatever MD specific
partitioning is needed. It also helps to prevent that the libdisk API
gets exposed and/or used where it's not needed.
- Don't look for partitions inside a FreeBSD chunk on ia64 when mounting
the filesystems just before the chroot and install.
- Write entries out to /etc/fstab for filesystems that aren't inside a
FreeBSD chunk, but are a top-level chunk under the disk.
(Lite Edition) respectively. These "lite" packages are streamlined to
provide users with the core essentials for each desktop and to fit on the
release disc 1.
Approved by: re (scottl)
permitting the administrator to select a securelevel top operate
at. Include a helpfile summarizing some of the information from
init(8). This allows for explicit configuration of securelevels,
which was previously implicit in Security Profile selection.
Currently, there are no checkboxes for the active securelevel,
because sysinstall's facilities for deriving "current settings"
from rc.conf may use only one variable, not two, and I opted for
the simplest approach at this point.
Approved by: re (scottl)
selection is used to drive two configuration parameters:
(1) Default enable/disable for sshd
(2) Default enable/disable for securelevels
Replace this with an explicit choice to enable/disable sshd. A
follow-up commit will add a configuration option to the Security
post-install configuration menu to set the securelevel in rc.conf
explicitly. This should reduce the level of foot-shooting associated
with accidental enabling of securelevels, make the nature and
implications of the securelevel configuration options more explicit,
as well as make the choice to enable/disable sshd more explicit.
Approved by: re (scottl)
(1) Don't modify the configuration of the NFS server as a result of
selecting a profile. We already explicitly prompt for the NFS
server configuration during install, and the user may not get
much advance notice that we're turning it off again. Instead,
use profiles (for better or for worse) only for security tuning.
(2) Don't modify the sendmail setting as part of the security profile:
use the default from /etc/defaults/rc.conf rather than explicitly
specifying. Note that the default in /etc/defaults/rc.conf is
more conservative than the explicit rc.conf entry added by
sysinstall during install, as it does not permit SMTP delivery.
(3) Update "congratulations on your profile" text to reflect these
changes.
Note that security profiles now affect only the securelevel and sshd
settings. My leaning would be to make sshd an explicit configuration
option, move securelevels to the security menu, and drop security
profiles entirely. However, that requires more plumbing of sendmail
than I'm currently willing to invest.
We may want to add a "permit SMTP delivery" question to the install
process.
- Add 'enable_exim="YES"' to rc.conf(5)
- Use the default exim configuration file from the port
- When using sendmail, disable some more scripts that use sendmail specific
parameters
- Have sysinstall tweak mailer.conf(5) substitution
- Use 'N' flag for newsyslog(8)
Submitted by: Oliver Eikemeier <eikemeier@fillmore-labs.com>
Reviewed by: sheldonh, simon
Tested by: myself (trhodes) and submitter
This option adds Postfix and Exim to the list, however, qmail is not added
due to license restrictions.
Collaborated with: Simon L. Nielsen <simon@nitro.dk>
Reviewed by: jhb, re@, -audit.
the two GNOME 1-based alternatives.
While here, note that a majority of the items in this menu are not
sentences, and remove trailing dots to make the remainder consistent.
Reviewed by: marcus
Approved by: re (bmah)
With this change there's no a priori difference between EFI and
FAT partitions. With this change and the corresponding change to
libdisk, we can create EFI partitions, just like regular FAT
partitions.
all facilities that previously relied on /proc have been rewritten
to use ptrace(). procfs has presented a substantial security
hazard for years, with several user->root compromises in the last
few years. Procfs will continue to be available but will require
administrator intervention to use.
Reviewed by: scottl, jedgar, mike, tmm
o Move nfs_reserved_port_only out of security profiles (where it was
set somewhat improperly) to the Security options menu directly.
Previously, the variable was set to true for Moderate, but not for
Extreme, which is at best inconsistent.
o Update the Security Profiles help file to remove reference to the
NFS reserved port.
o Note that the kernel currently defaults the sysctl to '0', but
sysinstall has changed it to '1' as a default as of late; however,
rc.conf sets the value to NO as the default. This change brings
them relatively into sync.
Sponsored by: DARPA, NAI Labs
and pull configSecurityProfile under that menu. Add a menu option
to determine whether LOMAC is enabled at boot. Probably, eventually,
many of the 'Security Profile' menu choices should be pulled out
independently into the Security Menu, so as to make them individually
selectable.
Sponsored by: DARPA, NAI Labs
