rc.conf[.local]. Fix this, and leave the default as 2048.
Update the copyright year to include the present.
Update the assignment of the copyright to be me personally,
instead of "The FreeBSD Project" which is not a legal entity,
and therefore not a proper assignee. My intention remains the
same however, that this code continue to be BSD licensed, and
freely available to anyone that wants it under those terms.
PR: conf/75722
Submitted by: Nicolas Rachinsky <list@rachinsky.de>
during authentication. Thus we need to call getpwnam *after* the user
has been authenticated. Colin mentioned that we should also move the
check for root in that case.
are initialised to zero. When freeing TLS, don't attempt to free DTV
slots which were not used.
Pointed out by: Joerg Sonnenberger
X-MFC-After: After the branch, probably
5.0-RELEASE), a visually elusive bug was introduced. A comparison
operator was changed to assignment. As a result, rexecd behaved
always as if the `-i' option had been specified. It would allow root
logins. This commit corrects the situation in the obvious way.
A separate bug was introduced at the same time. The PAM library
functions are called between the invocation of getpwnam(3) and the use
of the returned static object. Since many PAM library functions
result in additional getpwnam(3) calls, the contents of the returned
static object could be changed from under rexecd. With this commit,
getpwnam_r(3) is used instead.
Other PAM-using applications should be reviewed for similar errors in
getpw* usage.
Security: rexecd's documented default policy of disallowing root
logins was not enforced.
Reviewed by: cperciva
LD_LIBMAP_DISABLE, LD_LIBRARY_PATH) are used, then make sure the
libraries being loaded aren't on a noexec-mounted filesystem.
This is a compromise position: I'm assuming that nobody will be silly
enough to set the noexec mount flag on part of the default library
path, in order to avoid adding extra overhead into the common case
(where those environment variables aren't used).
Discussed with: csjp, secteam
MFC after: 1 week
Another handy libmap patch. Lets you do stuff like this:
LD_LIBMAP="libpthread.so.1=libthr.so.1" mythreadedapp
If you already have a program-specific override in libmap.conf, note
that you must use a program-specific override in LD_LIBMAP:
LD_LIBMAP="[mythreadedapp],libpthread.so.1=libthr.so.1" mythreadedapp
PR: bin/74471
Submitted by: Dan Nelson <dnelson AT allantgroup.com>
MFC after: 2 weeks
The major change is to process STAT sent as an OOB command w/o
breaking the current data transfer. As a side effect, this gives
better error checking in the code performing data transfers.
A lesser, but in no way cosmetic, change is using the flag `recvurg'
in the only signal-safe way that has been blessed by SUSv3. The
other flag, `transflag,' becomes private to the SIGURG machinery,
serves debugging purposes only, and may be dropped in the future.
The `byte_count' global variable is now accounting bytes actually
transferred over the network. This can give status messages looking
strange, like "X of Y bytes transferred," where X > Y, but that has
more sense than trying to compensate for combinations of data formats
on the server and client when transferring ASCII type data. BTW,
getting the size of a file in advance is unreliable for a number of
reasons in the first place. See question 18.8 of the Infrequently
Asked Questions in comp.lang.c for details.
PR: bin/52072
Tested by: Nick Leuta (earlier versions), a stress-testing tool (final)
MFC after: 1 month
- Convert the (char *) cast+cast backs magic to
memcpy(3). Without this, the resulting code
is potentially risky with higher optimization
levels.
- Avoid same name when calling local variables,
as well as global symbols. This reduces
confusion for both human and compiler.
- Add necessary casts, consts
- Use new style function defination.
- Minor style.Makefile(5) tweak
- Bump WARNS?= from 0 to 6
** for the aout code: changes are intentionally limited
to ease maintaince.
build over two years ago by peter.
The binary a.out version of ld.so can be obtained from misc/compat22 or
src/lib/compat/compat22.
Discussed on: -arch
Voted yes: jhb, ru, linimon, delphij
When in inetd mode, this prevents bogus messages from
appearing on the control channel. When running as a
daemon, we shouldn't write to the terminal we used to
have at all.
PR: bin/74823
MFC after: 1 week
Log it once at the beginning of the session instead. OTOH, log wd each
time for the sake of better auditing and consistent log format.
Proposed by: Nick Leuta <skynick -at- mail.sc.ru>
add the working directory pathname to the log message if any of
such arguments isn't absolute. This has advantage over the old
way of logging that an admin can see what users are actually trying
to do, and where. The old code was also not too robust when it
came to a chrooted session and an absolute pathname.
Pointed out by: Nick Leuta
MFC after: 2 weeks
In the old world (as the surrounding comment in makefile says), there
was the /usr/libexec/ld-elf.so.1 binary which is now a symlink to
/libexec/ld-elf.so.1. To symlink, we need to make sure that the
_target_ (and the target is /usr/libexec/ld-elf.so.1) doesn't have
"schg" flag set. A real solution is to protect the chflags call only if
target exists, like we do in usr.bin/tip/tip/Makefile.
Requested by: ru
If turned on no NIS support and related programs will be built.
Lost parts rediscovered by: Danny Braniss <danny at cs.huji.ac.il>
PR: bin/68303
No objections: des, gshapiro, nectar
Reviewed by: ru
Approved by: rwatson (mentor)
MFC after: 2 weeks
The size_t type is better suited for that, particularly because
the "blksize" argument is to be passed to malloc() and read().
On 64-bit archs it's more to a style issue, but the good style
of coding in C is also important.
to PRECIOUSLIB from bsd.lib.mk. The side effect of this
is making installing the world under jail(8) possible by
using another knob, NOFSCHG.
Reviewed by: oliver
Previously logxfer() used to record bogus pathnames to the log
in some cases, namely, when cwd was / or "name" was absolute.
Noticed by: Nick Leuta
MFC after: 2 weeks
that the creation of a PAM context has failed.
N.B. This does not apply to pam_strerror() in RELENG_4, it
will mishandle a NULL "pamh".
Discussed with: des
instead of the disk size of the file sent. Since the log file
is intended to provide data for anonymous ftp traffic accounting,
the disk size of the file isn't really informative in this case.
PR: bin/72687
Submitted by: Oleg Koreshkov
MFC after: 1 week
if sendfile() transferred some data before throwing
a error condition because sendfile() won't move the
file offset for read() to start from.
MFC after: 2 weeks
Do not unconditionally fork() after accept(). accept() can
return -1 due to an interrupted system call (i.e. SIGCHLD).
If we fork in that case ftpd can get into an
accept()/SIGCHLD/fork/[fail]/repeat loop.
Reported-by: fabian <fabian.duelli@bluewin.ch>
Obtained from: DragonflyBSD
MFC after: 1 month
of releases. The -DNOCRYPT build option still exists for anyone who
really wants to build non-cryptographic binaries, but the "crypto"
release distribution is now part of "base", and anyone installing from a
release will get cryptographic binaries.
Approved by: re (scottl), markm
Discussed on: freebsd-current, in late April 2004
(and it appears possible throughout ftpd(8) source.)
It is not a mere issue of style: Null pointers in C
seem to have been mistaken one way or another quite often.
of the current user, not root. This will allow neat things
like matching anonymous FTP data traffic with a single ipfw(8)
rule:
ipfw add ... tcp from any to any uid ftp
Note that the control connection socket still belongs to the
user ftpd(8) was started from, usually root.
PR: bin/65928
Submitted by: Eugene Grosbein <eugen at grosbein.pp.ru>
MFC after: 1 month
Reducing "/+./" strings to "/"
Reducing "/[^/]+/../" to "/"
o Don't send an OACK when the result of the [RW]RQ is an error.
These changes allow tftpd to interact with pxelinux.bin from the syslinux
package.
Whilst the path reducing code doesn't properly handle situations where the
path component before the "/../" is a symlink to (say) ".", I would suggest
that it does the right thing in terms of the clients perception of what
their path string actually represents. This seems better than using
realpath() and breaking environments where symlinks point outside of the
directory hierarchy that tftpd is configured to allow.
(and that is for now being worked around by a binutils patch).
The rtld code tested &_DYNAMIC against 0 to see whether rtld itself
was built as PIC or not. While the sparc64 MD code did not rely
on the preset value of the GOT slot for _DYNAMIC any more due
to previous binutils changes, it still used to not be 0, so
that this check did work. The new binutils do however initialize
this slot with 0. As a consequence, rtld would not properly initialize
itself and crash.
Fix that by introducing a new macro, RTLD_IS_DYNAMIC, to take the role
of this test. For sparc64, it is implemented using the rtld_dynamic()
code that was already there. If an architecture does not provide its
own implementation, we default to the old check.
While being there, mark _DYNAMIC as a weak symbol in the sparc64
rtld_start.S. This is needed in the LDSCRIPT case, which is however
not currently supported for want of an actual ldscript.
Sanity checked with md5 on alpha, amd64, i386 and ia64.
stable ld.so. We need to revisit the rtld-elf/sparc64/rtld_start.S
rev. 1.5 and rtld-elf/sparc64/rtld_machdep.h rev. 1.5, which was
suppose to allow stock Binutils 2.13 (and later) to be used.
eg:
[foo]
...
matches any executable 'foo'
[/usr/bin/foo/]
...
matches any executable under the directory /usr/bin/foo/
Exact matches continue to function as before.
PR: bin/66769
Submitted-by: Dan Nelson
with the correct alignment. This is important because this calls to
library static constructors are made from here. The bug in the old crt*.s
files hid this because in this case, two wrongs do indeed make a right.
Also, call _rtld_bind() with the correct alignment, because it calls back
into the pthread library locking functions. If things happen just
the wrong way, we get a SIG10 due to the broken stack alignment.
This adds the former ports registered groups: proxy and authpf as well as
the proxy user. Make sure to run mergemaster -p in oder to complete make
installworld without errors.
This also provides the passive OS fingerprints from OpenBSD (pf.os) and an
example pf.conf.
For those who want to go without pf; it provides a NO_PF knob to make.conf.
__FreeBSD_version will be bumped soon to reflect this and to be able to
change ports accordingly.
Approved by: bms(mentor)
that this provokes. "Wherever possible" means "In the kernel OR NOT
C++" (implying C).
There are places where (void *) pointers are not valid, such as for
function pointers, but in the special case of (void *)0, agreement
settles on it being OK.
Most of the fixes were NULL where an integer zero was needed; many
of the fixes were NULL where ascii <nul> ('\0') was needed, and a
few were just "other".
Tested on: i386 sparc64
libexec/ftp-proxy - ftp proxy for pf
sbin/pfctl - equivalent to sbin/ipf
sbin/pflogd - deamon logging packets via if_pflog in pcap format
usr.sbin/authpf - authentification shell to modify pf rulesets
Bring along some altq headers used to satisfy pfctl/authpf compile. This
helps to keep the diff down and will make it easy to have a altq-patchset
use the full powers of pf.
Also make sure that the pf headers are installed.
This does not link anything to the build. There will be a NO_PF switch for
make.conf once pf userland is linked.
Approved by: bms(mentor)
While I'm here, sync the usage() synopsis with the manual page synopsis:
make the [-i | -s] explicit and sort the options alphabetically.
Reminded by: ru
MFC after: 3 days
ever since rev. 1.1 of bootpd.c.
While I'm here, rearrange the synopsis a bit: sort the options and
clarify that -i and -s are mutually exclusive.
Reported by: Atanas Buchvarov <nasko@nove.bg>
MFC after: 3 days
says they may not modify existing files through FTP.
Renaming a file is effectively a way to modify it.
For instance, if a malicious party is unable to delete or overwrite
a sensitive file, they can nevertheless rename it to a hidden name
and then upload a troyan horse under the guise of the old file name.
contents in reply to a RETR command. Such clients consider RETR
as a way to tell a file from a directory. Mozilla is an example.
PR: bin/62232
Submitted by: Bob Finch <bob+freebsd <at> nas <dot> com>
MFC after: 1 week
- Unify the conditional assignments section so that architectural
exclusions come first, then options and !options, sorted by the
option name, also in directory order, then architecture specific
sections, sorted by the architecture name, with i386 being a
traditional exception.
Prodded by: bde
However, the code did allow deletion of files. Make deleting require the -m
flag, too.
PR: bin/60809
Submitted by: Alexander Melkov <melkov@comptek.ru>
constants NG_*SIZ that include the trailing NUL byte. This change
is mostly mechanical except for the replacement of a couple of snprintf()
and sprintf() calls with strlcpy.
(libmap available) and 1 for failure. Assign this return to the
global 'libmap_disable' variable in rtld.c.
This totally prevents any libmap functions from being called after
lm_init() if no config file is present.
Previously, there were two copies of telnet; a non-crypto version
that lived in the usual places, and a crypto version that lived in
crypto/telnet/. The latter was built in a broken manner somewhat akin
to other "contribified" sources. This meant that there were 4 telnets
competing with each other at build time - KerberosIV, Kerberos5,
plain-old-secure and base. KerberosIV is no longer in the running, but
the other three took it in turns to jump all over each other during a
"make buildworld".
As the crypto issue has been clarified, and crypto _calls_ are not
a problem, crypto/telnet has been repo-copied to contrib/telnet,
and with this commit, all telnets are now "contribified". The contrib
path was chosen to not destroy history in the repository, and differs
from other contrib/ entries in that it may be worked on as "normal"
BSD code. There is no dangerous crypto in these sources, only a
very weak system less strong than enigma(1).
Kerberos5 telnet and Secure telnet are now selected by using the usual
macros in /etc/make.conf, and the build process is unsurprising and
less treacherous.
Rationale:
SIGURG is configured by ftpd to interrupt system calls, which is useful
during data transfers. However, SIGURG could interrupt I/O on the
control channel as well, which was mistaken for the end of the session.
A practical example could be aborting the download of a tiny file,
when the abort sequence reached ftpd after ftpd had passed the file
data to the system and returned to its command loop.
Reported by: ceri
MFC after: 1 week
- always check the return value from getc(3) for EOF;
- if the attempt to read the TELNET command byte has
returned EOF, exit from the loop instead of using
the EOF value as a normal character.
MFC after: 1 week
rtld. When _DYNAMIC is referenced normally from C the global offset
table is used implicitly, but newer versions of binutils don't initialize
it statically in the binary, so this doesn't work until rtld is relocated,
which _DYNAMIC is needed for... So, as on other systems with the same
problem, we disassemble a call instruction to _DYNAMIC in order to get
its address.
Setting the LD_DUMP_REL_PRE or LD_DUMP_REL_POST environment variables
cause rtld-elf to output a table of all relocations.
This is useful for debugging.
as the source of defaults for terminal device parameters.
- Do duplucate code reduction and simplification enabled by
the above.
Reviewed by: green
MFC after: 1 month
A PPP login program is started _automatically_ (i.e., without
human intervention) even with the "pl" capability unset, as soon
as a PPP frame is detected. But with "pl" set, a PPP login program
is started independently of the result of PPP detection (which is
rendered unnecessary then,) i.e. _unconditionally_.
don't reveal the info in reply to the SYST command.
Get rid of using the "unix" macro at the same time. It was a rather
poor way to check if the system was Unix since there were quite a
few Unix clones out there whose cc didn't define "unix" (e.g.,
NetBSD.) It was also sensitive to the C standard used, which caused
unnecessary trouble: With -std=c99, it should have been "__unix__",
and so on.
PR: bin/50690
Submitted by: Alex Semenyaka <alexs _at_ snark.ratmir.ru>
MFC after: 1 week
information could only be gleaned from the the tty descriptor itself
was neglected, so never did the tty's default settings get copied from
the kernel. Specifically, this caused all manner of ctrl-keys to not
work. Fix this by calling dogettytab() in all the proper places, and
retrieving the terminfo temporarily in dogettytab().