the suggested ruleset[1].
While here use an IP from the 'test-net' prefix for docs.
PR: kern/130102 ([1] different problem in the end)
Reviewed by: simon
MFC after: 2 weeks
easier to maintain custom rules for non-system things like ACPI hotkeys.
/etc/devd.conf is already set up to check this directory, no change needed there.
newline when it fails to obtain an address via DHCP. This made the next
rc script begin its output on the same line.
PR: conf
Submitted by: Bruce Cran <bruce at cran dot org dot uk>
MFC after: 3 days
it does come back it would probably be better if users who were interested
in slip added appropriate lines instead of this being here unconditionally.
Reminded by: tut <at> nhamon <dot> com <dot> ua
does ever come back it's probably best if its log file be something that
gets added if the user decided they want to run slip instead of having
it here unconditionally.
src/sys/dev/usb2/core/usbdevs
src/sys/dev/usb2/include/urio2_ioctl.h
src/sys/dev/usb2/storage/ustorage2_fs.h
These files are not used any more.
src/usr.sbin/Makefile
src/etc/mtree/BSD.include.dist
src/include/Makefile
src/lib/Makefile
src/share/man/man7/hier.7
src/share/mk/bsd.libnames.mk
src/etc/mtree/BSD.include.dist
Make "usbconfig" and "libusb20" a part of the default build.
src/sys/dev/usb/rio500_usb.h
src/sys/dev/usb2/storage/urio2.c
Use common include file.
src/sys/dev/usb2/bluetooth/ng_ubt2.c
Make USB bluetooth depend on "ng_hci" module.
src/sys/dev/usb2/controller/ehci2.c
src/sys/dev/usb2/controller/ehci2.h
Patches for Marvell EHCI.
src/sys/dev/usb2/core/usb2_busdma.c
Bugfix for 64-bit platforms. Need to unload the previously loaded DMA
map and some cleanup regarding some corner cases.
src/sys/dev/usb2/core/usb2_core.h
src/sys/dev/usb2/core/usb2_dev.c
src/sys/dev/usb2/core/usb2_dev.h
Bugfix for libusb filesystem interface.
New feature: Add support for filtering device data at the expense of the
userland process.
Add some more comments.
Some minor code styling.
Remove unused function, usb2_fifo_get_data_next().
Fix an issue about "fifo_index" being used instead of "ep_index".
src/sys/dev/usb2/core/usb2_device.c
src/sys/dev/usb2/core/usb2_generic.c
Bugfix for Linux USB compat layer. Do not free non-generic FIFOs when
doing an alternate setting.
Cleanup USB IOCTL and USB reference handling.
Fix a corner case where USB-FS was left initialised after
setting a new configuration or alternate setting.
src/sys/dev/usb2/core/usb2_hub.c
Improvement: Check all USB HUB ports by default at least one time.
src/sys/dev/usb2/core/usb2_request.c
Bugfix: Make sure destination ASCII string is properly zero terminated
in all cases.
Improvement: Skip invalid characters instead of replacing with a dot.
src/sys/dev/usb2/core/usb2_util.c
src/sys/dev/usb2/image/uscanner2.c
Spelling.
src/sys/dev/usb2/include/Makefile
Share "usbdevs" with the old USB stack.
src/sys/dev/usb2/include/usb2_devid.h
src/sys/dev/usb2/include/usb2_devtable.h
Regenerate files.
Alfred: Please fix the RCS tag at the top.
src/sys/dev/usb2/include/usb2_ioctl.h
Fix compilation of "kdump".
src/sys/dev/usb2/serial/ubsa2.c
src/sys/dev/usb2/serial/ugensa2.c
Remove device ID's which will end up in a new 3G driver.
src/sys/dev/usb2/sound/uaudio2.c
Correct a debug printout.
src/sys/dev/usb2/storage/umass2.c
Sync with old USB stack.
src/lib/libusb20/libusb20.3
Add more documentation.
src/lib/libusb20/libusb20.c
Various bugfixes and improvements.
src/usr.sbin/usbconfig/dump.c
src/usr.sbin/usbconfig/usbconfig.c
New commands for dumping strings and doing custom USB requests from
the command line.
Remove keyword requirements from generated files:
"head/sys/dev/usb2/include/usb2_devid.h"
"head/sys/dev/usb2/include/usb2_devtable.h"
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager. I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.
The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.
To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.
As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.
Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.
The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.
Sponsored by: Isilon Systems
MFC after: 1 month
but there won't be one so root won't be able to login; edit the installed
file to use /bin/sh in this case.
o while here split csh-related files apart from sh and only install them
when requested
I noticed on a system at home that restarting named(8) causes the
/var/named/dev mount to be moved to the bottom of the mount list,
because it gets remounted. When I received the daily security email this
morning, I was quite amazed to see that the security report listed the
differences, while it was nothing out of the ordinary.
If we just throw the `mount -p' output through sort(1), we'll only
receive notifications about changes to mounts if something has really
changed.
control over the result of buildworld and installworld; this especially
helps packaging systems such as nanobsd
Reviewed by: various (posted to arch)
MFC after: 1 month
This allows the location of the configuration data to be relocated
within the filesystem containing it. A nullfs mount is used in order
to achieve this.
Obtained from: XORP, Inc.
As discussed with Robert Watson on the src-committers list, it is safer
to keep at least some pty(4) entries in /etc/ttys, for applications that
roll their own PTY allocation routine and only search for BSD-style
PTY's.
This means we've now just toggled the amount of entries for pts(4) and
pty(4).
Requested by: rwatson
Because we now use pts(4)-style PTY's exclusively, there is no use for
these entries in /etc/ttys. Right now the pts(4) entries only go from 0
to 255. Because we're going to touch these files anyway, increase the
number to 511.
Discussed with: philip (ex-mentor)
The last half year I've been working on a replacement TTY layer for the
FreeBSD kernel. The new TTY layer was designed to improve the following:
- Improved driver model:
The old TTY layer has a driver model that is not abstract enough to
make it friendly to use. A good example is the output path, where the
device drivers directly access the output buffers. This means that an
in-kernel PPP implementation must always convert network buffers into
TTY buffers.
If a PPP implementation would be built on top of the new TTY layer
(still needs a hooks layer, though), it would allow the PPP
implementation to directly hand the data to the TTY driver.
- Improved hotplugging:
With the old TTY layer, it isn't entirely safe to destroy TTY's from
the system. This implementation has a two-step destructing design,
where the driver first abandons the TTY. After all threads have left
the TTY, the TTY layer calls a routine in the driver, which can be
used to free resources (unit numbers, etc).
The pts(4) driver also implements this feature, which means
posix_openpt() will now return PTY's that are created on the fly.
- Improved performance:
One of the major improvements is the per-TTY mutex, which is expected
to improve scalability when compared to the old Giant locking.
Another change is the unbuffered copying to userspace, which is both
used on TTY device nodes and PTY masters.
Upgrading should be quite straightforward. Unlike previous versions,
existing kernel configuration files do not need to be changed, except
when they reference device drivers that are listed in UPDATING.
Obtained from: //depot/projects/mpsafetty/...
Approved by: philip (ex-mentor)
Discussed: on the lists, at BSDCan, at the DevSummit
Sponsored by: Snow B.V., the Netherlands
dcons(4) fixed by: kan
"workstation" firewall types to be set from rc.conf so that rc.firewall
no longer needs local patching to be usable for those types. For now
I've set the variables in /etc/defaults/rc.conf to the previous defaults
in /etc/rc.firewall.
PR: bin/65258
Submitted by: Valentin Nechayev netch of netch.kiev.ua
Silence from: net
MFC after: 2 weeks
and "mask" variables into a single "net" variable that contains a full
network address (including either a netmask or prefix length at the user's
choice). Update the example settings to match.
MFC after: 2 weeks
- don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
- handle rules without logging limit correctly [1]
(those rules show up without logamount in "ipfw -a list")
PR: conf/126060 [1]
MFC after: 1 month
to allow them to do a "clean" shutdown.
I purposely avoided making changes to network-related stuff since the
system shutting down is pretty conclusive, and there may be complicated
dependencies on the network that I would rather not try to unravel.
I also skipped kerberos-related stuff for the reasons above, and
because I have no way to test it.
The uart(4) driver has the advantage of supporting a wider variety of
hardware on a greater amount of platforms. This driver has already been
the standard on platforms such as ia64, powerpc and sparc64.
I've decided not to change anything on pc98. I'd rather let people from
the pc98 team look at this.
Approved by: philip (mentor), marcel
Give a better example if a user absolutely must use this option, and
suggest they pick something from the ephemeral port range rather than
port 53. This means that the example will not work if it is merely
uncommented, but this will hopefully encourage users to read the comment.
This includes hotkeys support and sysctl variables to control camera
and card reader. These new sysctls don't have CTFLAG_ANYBODY set.
While there add entries to devd.conf related to the Eee volume keys.
Reviewed by: phillip
MFC after: 1 week
Also tested by: lme (previous version)
others. In the case where it displayed warnings it would still return
succesfully. Modify it so that it returns the number of sysctls that
it was not able to set.
Make use of this in rc.d to display only *unsuccessfull* attempts to
set sysctls.
the interface name of interfaces that were configured.
This change has the added benefit that ifn_start() and
ifn_stop() in network.subr no longer write to standard output.
Whether to output and what to output is now handled entirely
in rc.d/netif.
service behind $rc_quiet. Instead, output a warning if the pre-command
routine or the command itself failed. Arguably, it's more useful to know when
a command failed to start than it is to have an endless list of
"Starting ...." lines[1].
[1] - This change actually helped me to discover a bug in rc.d/{lockd,statd}
(fixed in r179941) that used to fail silently before.
documents away from being public accessible. Replace link to
the Bluetooth specification document with the document name.
Pointed out by: SoftLover < slserg at uic dot tula dot ru >
MFC after: 3 days
parts relied on the now removed NET_NEEDS_GIANT.
Most of I4B has been disconnected from the build
since July 2007 in HEAD/RELENG_7.
This is what was removed:
- configuration in /etc/isdn
- examples
- man pages
- kernel configuration
- sys/i4b (drivers, layers, include files)
- user space tools
- i4b support from ppp
- further documentation
Discussed with: rwatson, re
NET_NEEDS_GIANT. netatm has been disconnected from the build for ten
months in HEAD/RELENG_7. Specifics:
- netatm include files
- netatm command line management tools
- libatm
- ATM parts in rescue and sysinstall
- sample configuration files and documents
- kernel support as a module or in NOTES
- netgraph wrapper nodes for netatm
- ctags data for netatm.
- netatm-specific device drivers.
MFC after: 3 weeks
Reviewed by: bz
Discussed with: bms, bz, harti
non-dhcp interfaces to negotiate/associate this will make more sense.
This also correctly gets run after both devd and netif are run so it has
a chance of working.
The rc.initdiskless functionality is used by NanoBSD to allow configuration
files to live on a separate configuration slice, which acts as NVRAM, whilst
the system image is mounted read-only.
Normally, if the remount command fails during boot, this is regarded as
a fatal error. If /conf/T/M/remount_optional is present, this error is
non-fatal. If the file is not present, the default behaviour is unchanged.
This is very useful for people building live CD images using FreeBSD,
where the NVRAM lives somewhere completely differently from the system image,
and may be present on removable media which is not present during the
initial boot.
To preserve the existing behavior of etc/rc.d/netif, add code to wait
up to if_up_delay seconds (30 seconds by default) for a default route to
be configured if there are any dhcp interfaces. This should be extended
to test that the interface is actually up.
X-MFC after:
none or if the file doesn't exist (there's no ntp.conf in the base install).
PR: conf/119592
Submitted by: Renaud Waldura <renaud+freebsd@waldura.org>
MFC after: 1 week
more wlans_<ifn> and create_args_<ifn>
Add documentation for these variants and generally update the wireless
device example.
There is are very short lived shim from vaps_<ifn> which produces
a warning and vap_create_<ifn> which does not. Misuse the MFC
notification service to remind me to remove them.
MFC after: 3 weeks
only work if there's just one interface doing dhcp. This version implements
the same logic as the version in the PR, but uses pgrep to be less verbose.
PR: conf/95905
MFC after: 1 week
mode at boot time. Multiple profiles can be started at the same time.
The whole idea is very similar to the ppp rc script.
Document Bluetooth knobs in rc.conf(5)
MFC after: 1 week
and config file
o change default logging options from -q to -s (log to syslog); this
is currently broken for boot-time startup as syslogd is started too
late but that'll be dealt with separately
MFC after: 2 weeks
mountcritremote REQUIREs FILESYSTEMS, and that script REQUIREs zfs,
so this change is a noop. By removing it we make life a little easier
both for rcorder(8) and for debugging down the road.
Approved by: 2 weeks of silence from pjd
per-profile variables of the form ppp_<profile>_unit. No ppp_unit
variable is supported since tying the same unit to more than one profile
won't work.
PR: conf/122127
MFC after: 1 week
to _ when evaluating ppp_<profile>_nat and ppp_<profile>_mode. Document
the per-profile variables.
PR: conf/121452, conf/122127 (partial)
MFC after: 1 week
modifications merged. I had initially expected that people would
put any local changes into /boot/loader.conf, but it turns out that
editing /boot/device.hints is something many people do.
Suggested by: Jaakko Heinonen
MFC after: 1 week
we can remove the file as early as possible, but shut up nextboot at this moment
if the operation is failed, because /boot is not necessarily a part of /; the
newly added second run is placed in rc.d/mountlate after all filesystems were
mounted.
Discussed at: -rc@
Suggestions from: brooks, mtm
MFC after: 1 month
because another command (echo) is executed between the mount command
and the check.
Reported by: Sergey Baturov <sergey@toor.org.ru>
MFC after: 2 weeks
specific one. Instruct it to listen on all interfaces so that enabling
it in rc.conf(5) works "out of the box."
PR: conf/121406
Submited by: trasz
MFC after: 1 week
scripts at boot. This is currently disabled by default. /etc/ddb.conf
contains some potentially reasonable default scripts.
PR: conf/119995
Submitted by: Scot Hetzel <swhetzel at gmail dot com> (Earlier version)
X-MFC after: textdumps
find | sort. As a bonus, this simplifies the logic considerably. Also
remove the bogus "overruning the args to ls" comment and the corresponding
"-n 20" argument to xargs; the whole point with xargs is precisely that it
knows how large the argument list can safely get.
Note that the first run of the updated script may hypotheticall produce
false positives due to differences between find's and sort's sorting
algorithm. I haven't seen this during testing, but others might.
MFC after: 2 weeks
rapid wireless association changes in my experience), there is a race
where dhclient is in the process of exiting due to the link going down
when the link coming up causes devd to try and start a new one. This
results is the link being up, but no dhclient running.
Work around this race by checking a second time after a one second delay
before refusing to start a dhclient instance due to one already being
running.
MFC after: 1 week
out because the rc.conf(5) variable was not enabled. Display a
message that the command wasn't run and offer suggestions on
what the user can do.
Implement a quiet prefix, which will disable some diagnostics. The
fast prefix also implies quiet. During boot we use either fast or
quiet. For shutdown we already use 'faststop'. So, this informational
message should only appear during interactive use.
An additional benefit of having a quiet prefix is that we can start
putting some of our diagnostic messages behind this knob and start
"de-cluttering" the console during boot and shutdown.
during boot and shutdown. I think I'll hide it behind autoboot or
maybe take brooks@ suggestion and implement a different command
prefix for booting/shutdown purposes, but in any case it needs more
thought and attention.
Noticed by: ceri
Pointyhat to: mtm
- Allow IP in firewall_nat_interface, just like natd_interface
- Allow additional configuration parameters passed to ipfw via
firewall_nat_flags
- Document firewall_nat_* in defaults/rc.conf
Tested by: Albert B. Wang <abwang at gmail.com>
MFC after: 1 month
included in the kernel by default. Remove reference to this option
from defaults/rc.conf and rc.conf(5).
PR: conf/119098
Submitted by: Beat Gaetzi
MFC after: 1 week
the rejected mail reports to tally the rejects per blacklist without
providing details about individual sender hosts. The default configuration
keeps the reports in their original form.
MFC after: 1 week
.ICE-unix, .font-unix, .XIM-unix) when purging files from /tmp via the
daily 100.clean-tmps job. If you are logged into an X session longer
than the timeout period (default of 3 days), then this job can delete
the X11 sockets out from under the session without this fix.
MFC after: 3 days
upgrading to new releases. Important parts of this code include
* automatically determining which optional components (e.g., src,
info, proflibs) are installed.
* merging changes in files which are modified locally and have
changed between the currently running and new release.
* prompting the user to rebuild all 3rd party software before
deleting old shared libraries.
Yes, this is compatible with "freebsd-update rollback" -- you can
test a new -BETA and roll back to the old release if you don't
like it.
Subject to re@ approval, this will be MFCed before 7.0-BETA3 and
6.3-RC1.
MFC after: 2 days
This includes:
o mtree (for legal/intel_wpi)
o manpage for i386/amd64 archs
o module for i386/amd64 archs
o NOTES for i386/amd64 archs
Approved by: mlaier (comentor)
wpa_supplicant expects that it has exclusive access to the net80211 state so
when its starts poking in the WEP/WPA settings and the card is already
scanning it can cause net80211 to try and associate incorrectly with a
protected AP.
This is an inconvenience for firmware based cards such as iwi where it can be
sent an auth instruction with incomplete security info and cause a firmware
error.
Remove the 'ifconfig up' from network.subr since wpa_supplicant will
immediately down the interface again.
Reported by: Guy Helmer (and others)
Reviewed by: sam, brooks, avatar
MFC after: 3 days
it's just a matter of adding a `${_+_}' prefix before each submake
invokation. This allows a dry run to proceed down to, but not
including, leaf commands. (See <sys.mk> for how ${_+_} is set
depending on the number of -n flags.)
so that when using named from the ports (or elsewhere) the proper rndc*
commands will be run.
2. Rework the stop routine using ideas from brooks and delphij.
Specifically I am duplicating a lot of code from rc.subr's stop routine
so that this one will behave more like the one in rc.subr, but use rndc
to kill the daemon (or regular kill if that fails). This also avoids
the problems related to using killall if rndc fails, which is bad if
you're running more than one named on the same box.
3. Take a concept from gshapiro and allow the rndc.key file to be
owned by root OR the named_uid user.
Although I used different solutions, this commit handles issues raised in:
PR: conf/73929
PR: conf/103976
PR: conf/109409
is then used as an argument to the amd program. This outpu may contain
newlines, but the script did not take care to strip those newlines before
apending it to rc_flags. Revision 1.72 of rc.subr(8) introduced changes that
exposed this problem (specifically putting the final eval'ed command in
quotes).[1]
Also, for correctness' sake, shell directives appended to the command-line
by the script should go into command_args, and not appended directly
to rc_flags.
Reported by: John E Hein <jhein@timing.com> [1]
Tested by: John E Hein <jhein@timing.com>
MFC after: 1 week
This commit includes the following core components:
* sample configuration file for sensorsd
* rc(8) script and glue code for sensorsd(8)
* sysctl(3) doc fixes for CTL_HW tree
* sysctl(3) documentation for hardware sensors
* sysctl(8) documentation for hardware sensors
* support for the sensor structure for sysctl(8)
* rc.conf(5) documentation for starting sensorsd(8)
* sensor_attach(9) et al documentation
* /sys/kern/kern_sensors.c
o sensor_attach(9) API for drivers to register ksensors
o sensor_task_register(9) API for the update task
o sysctl(3) glue code
o hw.sensors shadow tree for sysctl(8) internal magic
* <sys/sensors.h>
* HW_SENSORS definition for <sys/sysctl.h>
* sensors display for systat(1), including documentation
* sensorsd(8) and all applicable documentation
The userland part of the framework is entirely source-code
compatible with OpenBSD 4.1, 4.2 and -current as of today.
All sensor readings can be viewed with `sysctl hw.sensors`,
monitored in semi-realtime with `systat -sensors` and also
logged with `sensorsd`.
Submitted by: Constantine A. Murenin <cnst@FreeBSD.org>
Sponsored by: Google Summer of Code 2007 (GSoC2007/cnst-sensors)
Mentored by: syrinx
Tested by: many
OKed by: kensmith
Obtained from: OpenBSD (parts)
ppp_profile variable can now contain multiple profiles.
Overrides for ppp mode and nat can go into ppp_$profile_mode
and ppp_$profile_nat variables respectively. If those are
not specified, defaults from ppp_mode and ppp_nat are used.
Submitted by: Yuri Kurenkov < y dot kurenkov at init dot ru >
Reviewed by: mtm
MFC after: 1 week
local rc.d scripts in the overall boot order was added.
Proper rc.d scripts are run by rc.subr in a subshell, whereas scripts that
end in .sh are sourced into rc's shell. The latter has potential to create
serious boot problems, and there is no reason that the same functionality
cannot be added by the user in the form of a proper rc.d script (as
opposed to being added by the user in the form of /etc/rc.early).
This script will be removed prior to the 8.0 branch.
Approved by: re (kensmith)
for pre-5.0 variable names.
Remove two dhcp compatibility variables added after the 5.1-RELEASE.
Remove the now-unused support for these shims.
Approved by: re (kensmith)
providers with limited physical storage and add physical storage as
needed.
Submitted by: Ivan Voras
Sponsored by: Google Summer of Code 2006
Approved by: re (kensmith)
otherwise the /dev/mdX.uzip won't be created immediately, which is
needed because we issue a mount right afterwards.
Approved by: re@ (bmah@)
MFC after: 2 days
so that when I applied the patch to my check-in tree the top half of my patch failed to
apply. Off course I saw what I *expected* to see (the bottom half succeeded) and
didn't notice that it had failed to apply cleanly.
Approved by: re (bmah)
in most cases, except one. The 'restart' case was not working as expected. Specifically,
it would stop both lockd and statd, but it would restart only statd (which appears first
in the script). This is because rc.subr(8) contains code to guard against infinite
recursion in the 'restart' casae.
To fix this use the traditional approach of controlling only one server from one script by
breaking out rc.d/nfslocking into its contituent parts: rc.d/lockd and rc.d/statd. Keep
rc.d/nfslocking around but don't include it in the boot rcorder(8)ing.
PR: conf/107316
Approved by: re (bmah)
MFC after: 2 weeks
commented out example who have either not responded, or specifically
asked not to participate because they do not view AXFR as "a production
service."
2. Add f.root-servers.net to the example after confirmation from
Paul Vixie.
3. Add a warning to the commented out "root zone slave" example to the
effect that it requires more attention than a hints file, and provides
more benefit to larger sites than individual hosts.
4. Correct a typo copied from RFC 2544 which was corrected in a later
errata, and confirmed in RFC 3330. Update the comment to reflect that
RFC 3330 got it right and to avoid confusion down the road. 3330 also
contains a reference back to 2544 for anyone interested in pursuing the
history. [1]
PR: conf/115573 [1]
Submitted by: Oliver Fromme <olli@secnetix.de> [1]
Approved by: re (kensmith)
that the listen-on stuff floats up to the first "page" of text. This
makes it very obvious what's going on so that someone trying to enable
a server for use on a network can easily see how to do that.
2. Change the default behavior back to using a hint zone for the root.
3. Leave the root slave zone config as a commented out example.
4. Remove the B and F root servers from the example at the request of
their operators.
Requested by: he-who-must-not-be-named [1]
Requested by: many [2]
Approved by: re (rwatson)
wpa_supplicant and other programs started by 'netif' don't get erased
by a subsequent 'cleanvar'.
Approved by: re (bmah)
Reviewed by: dougb
MFC after: 1 week
included man pages on how to use it. This code is still somewhat experimental
but has been successfully tested on a number of targets. Many thanks to
Danny for contributing this.
Approved by: re
NET_NEEDS_GIANT, which will shortly be removed. This is done in a
away that it may be easily reattached to the build before 7.1 if
appropriate locking is added. Specifics:
- Don't install netatm include files
- Disconnect netatm command line management tools
- Don't build libatm
- Don't include ATM parts in rescue or sysinstall
- Don't install sample configuration files and documents
- Don't build kernel support as a module or in NOTES
- Don't build netgraph wrapper nodes for netatm
This removes the last remaining consumer of NET_NEEDS_GIANT.
Reviewed by: harti
Discussed with: bz, bms
Approved by: re (kensmith)
sys/i4b/include/ so they will be available to all architectures
once I4B compiles on those.
I4B header files are now installed in include/i4b/ and no longer
in include/machine/.
For now we still install the headers for i386 only.
Approved by: re (kensmith)
Improvements:
* /etc/rc.suspend,rc.resume are always run, no matter the source of the
suspend request (user or kernel, apm or acpi)
* suspend now requires positive user acknowledgement. If a user program
wants to cancel the suspend, they can. If one of the user programs
hangs or doesn't respond within 10 seconds, the system suspends anyway.
* /dev/apm is clonable, allowing multiple listeners for suspend events.
In the future, xorg-server can use this to be informed about suspend
even if there are other listeners (i.e. apmd).
Changes:
* Two new ACPI ioctls: REQSLPSTATE and ACKSLPSTATE. Request begins the
process of suspending by notifying all listeners. acpi is monitored by
devd(8) and /dev/apm listener(s) are also counted. Users register their
approval or disapproval via Ack. If anyone disapproves, suspend is vetoed.
* Old user programs or kernel modules that used SETSLPSTATE continue to
work. A message is printed once that this interface is deprecated.
* acpiconf gains the -k flag to ack the suspend request. This flag is
undocumented on purpose since it's only used by /etc/rc.suspend. It is
not intended to be a permanent change and will be removed once a better
power API is implemented.
* S5 (power off) is no longer supported via acpiconf -s 5 or apm -z/-Z.
This restores previous behavior of halt/shutdown -p being the interface.
* Miscellaneous improvements to error reporting
Approved by: re
best practices:
1. The old way of generating the localhost zones was not optimal both
because they did not exist by default, and because they were not really
aligned with BCP. There is no need to have the dynamic data that the
make-localhost script generated, and good reasons to do this more
"by the book."
2. In named.conf
a. Clean up white space
b. Add/clarify a few comments
c. Slave zones from the root servers instead of using a hints
file. This has several advantages, as described in the comments.
d. Significantly revamp the default zones, including the
forward localhost zone, and the reverse zones for IPv4 and IPv6
loopback addresses. There are extensive comments describing what
is included and why. Interested readers should take the time to
review the RFCs mentioned in the comments. There is also relevant
information about the motivations for hosting these zones in the
"work in progress" Internet-Draft,
http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
or its successor.
It's also worth noting that a significant number of these
empty zones are already included by default in the named binary
without any user configuration.
e. Because we're including a lot of examples of both local
forward zones and slave zones in the default configuration,
eliminate some of those examples.
3. Add new localhost-{forward|reverse} zone files, and an "empty" zone
to support the changes in 2.d. above. The empty zone file isn't really
empty in order to avoid a warning from BIND about a zone file that
doesn't contain any A or AAAA records.
by unavailable accounts, e.g., those locked, expired, not allowed in at
the moment by nologin(5), or whatever, depending on cron's pam.conf(5).
This applies to personal crontabs only, /etc/crontab is unaffected.
In other words, now the account management policy will apply to
commands scheduled by users via crontab(1) so that a user can no
longer use cron(8) to set up a delayed backdoor and run commands
during periods when the admin doesn't want him to.
The PAM check is done just before running a command, not when loading
a crontab, because accounts can get locked, expired, and re-enabled
any time with no changes to their crontabs. E.g., imagine that you
provide a system with payed access, or better a cluster of such
systems with centralized account management via PAM. When a user
pays for some days of access, you set his expire field respectively.
If the account expires before its owner pays more, its crontab
commands won't run until the next payment is made. Then it'll be
enough to set the expire field in future for the commands to run
again. And so on.
Document this change in the cron(8) manpage, which includes adding
a FILES section and touching the document date.
X-Security: should benefit as users have access to cron(8) by default
/etc/rc.d/sendmail whether or not to run newaliases if the database
is missing or the aliases text file is newer than aliases.db.
In my opinion, the aliases file should never be automatically rebuilt.
The current text form could represent a work in progress. Therefore,
in FreeBSD 7.0, this new option will default to "NO". When this rc.d
change is MFC'ed, it will need to remain "YES" to maintain backward
compatibility.
PR: conf/86252
Approved by: re (kensmith)
MFC after: 3 days
id used by sysinstall when enabling anonymous FTP.
Change the default group used by sysinstall for setting up anonymous FTP
from operator to ftp; there is no reason to use operator and there are
potential security issues when doing so.
PR: 93284
Approved by: ru (mentor)
Reviewed by: simon
instead of an authentication function. There are a design reason
and a practical reason for that. First, the module belongs in
account management because it checks availability of the account
and does no authentication. Second, there are existing and potential
PAM consumers that skip PAM authentication for good or for bad.
E.g., sshd(8) just prefers internal routines for public key auth;
OTOH, cron(8) and atrun(8) do implicit authentication when running
a job on behalf of its owner, so their inability to use PAM auth
is fundamental, but they can benefit from PAM account management.
Document this change in the manpage.
Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed
under the "account" function class.
Bump __FreeBSD_version (mostly for ports, as this change should be
invisible to C code outside pam_nologin.)
PR: bin/112574
Approved by: des, re
when figuring out what the real interpreter is for an
interpreted command. That is, check whether we can read
the script file in the first place and, if so, make sure
we got a valid shebang line from it.
