real uid, saved uid, real gid, and saved gid to ucred, as well as the
pcred->pc_uidinfo, which was associated with the real uid, only rename
it to cr_ruidinfo so as not to conflict with cr_uidinfo, which
corresponds to the effective uid.
o Remove p_cred from struct proc; add p_ucred to struct proc, replacing
original macro that pointed.
p->p_ucred to p->p_cred->pc_ucred.
o Universally update code so that it makes use of ucred instead of pcred,
p->p_ucred instead of p->p_pcred, cr_ruidinfo instead of p_uidinfo,
cr_{r,sv}{u,g}id instead of p_*, etc.
o Remove pcred0 and its initialization from init_main.c; initialize
cr_ruidinfo there.
o Restruction many credential modification chunks to always crdup while
we figure out locking and optimizations; generally speaking, this
means moving to a structure like this:
newcred = crdup(oldcred);
...
p->p_ucred = newcred;
crfree(oldcred);
It's not race-free, but better than nothing. There are also races
in sys_process.c, all inter-process authorization, fork, exec, and
exit.
o Remove sigio->sio_ruid since sigio->sio_ucred now contains the ruid;
remove comments indicating that the old arrangement was a problem.
o Restructure exec1() a little to use newcred/oldcred arrangement, and
use improved uid management primitives.
o Clean up exit1() so as to do less work in credential cleanup due to
pcred removal.
o Clean up fork1() so as to do less work in credential cleanup and
allocation.
o Clean up ktrcanset() to take into account changes, and move to using
suser_xxx() instead of performing a direct uid==0 comparision.
o Improve commenting in various kern_prot.c credential modification
calls to better document current behavior. In a couple of places,
current behavior is a little questionable and we need to check
POSIX.1 to make sure it's "right". More commenting work still
remains to be done.
o Update credential management calls, such as crfree(), to take into
account new ruidinfo reference.
o Modify or add the following uid and gid helper routines:
change_euid()
change_egid()
change_ruid()
change_rgid()
change_svuid()
change_svgid()
In each case, the call now acts on a credential not a process, and as
such no longer requires more complicated process locking/etc. They
now assume the caller will do any necessary allocation of an
exclusive credential reference. Each is commented to document its
reference requirements.
o CANSIGIO() is simplified to require only credentials, not processes
and pcreds.
o Remove lots of (p_pcred==NULL) checks.
o Add an XXX to authorization code in nfs_lock.c, since it's
questionable, and needs to be considered carefully.
o Simplify posix4 authorization code to require only credentials, not
processes and pcreds. Note that this authorization, as well as
CANSIGIO(), needs to be updated to use the p_cansignal() and
p_cansched() centralized authorization routines, as they currently
do not take into account some desirable restrictions that are handled
by the centralized routines, as well as being inconsistent with other
similar authorization instances.
o Update libkvm to take these changes into account.
Obtained from: TrustedBSD Project
Reviewed by: green, bde, jhb, freebsd-arch, freebsd-audit
reason not to add it to others later). This causes the pam_unix
module to check the user's _own_ password, not the password of the
account that the user is authenticating into. This will allow eg:
WHEELSU type behaviour from su(1).
Tor created a while ago, removes the raw I/O piece (that has cache coherency
problems), and adds a buffer cache / VM freeing piece.
Essentially this patch causes O_DIRECT I/O to not be left in the cache, but
does not prevent it from going through the cache, hence the 80%. For
the last 20% we need a method by which the I/O can be issued directly to
buffer supplied by the user process and bypass the buffer cache entirely,
but still maintain cache coherency.
I also have the code working under -stable but the changes made to sys/file.h
may not be MFCable, so an MFC is not on the table yet.
Submitted by: tegge, dillon
keep track of a joiner. POSIX only supports a single joiner, so this
simplification is acceptable.
At the same time, make sure to mark a joined thread as detached so that
its resources can be freed.
Reviewed by: deischen
PR: 24345
accidentally clobber the server address if a stray packet arrived
at the client port. This would result in any further retransmits
going to the wrong address.
For now, fix this by not saving the source address of the reply; this
matches the pre-tirpc behaviour.
there is no need to wake all waiters to assure that the highest priority
thread is run. As the semaphore code is written, there was no correctness
problem, but the change improves sem_post() performance.
Pointed out by: deischen
history info as:
: .Sh STANDARDS If the command, library function or file adheres to a
: specific implementation such as IEEE Std 1003.2
: (``POSIX.2'') or ANSI X3.159-1989 (``ANSI C'') this
: should be noted here. If the command does not adhere
: to any standard, its history should be noted in the
: HISTORY section.
pam_krb5 is a Kerberos 5 (Heimdal) authentication module.
pam_nologin checks for /etc/nologin and does the "usual stuff"
if it is found, otherwise it silently succeeds.
pam_rootok silently succeeds if the user is root, otherwise
it fails.
pam_wheel silently succeeds if the user is a member of group
"wheel" (or another nominated group), and fails
otherwise.
There is an issue with kerberosIV and kerberos5 - if both are
being built, then static linking fails with duplicate symbols.
This will take a bit of work to sort out in the kerberii.
+ make Open_Disk sense the sector size by trying 512, 1024 and 2048
in this order. This makes the kernel note that
dscheck(cd1): bio_bcount 512 is not on a sector boundary (ssize 2048)
dscheck(cd1): bio_bcount 1024 is not on a sector boundary (ssize 2048)
if 2048 is the sector size. If this worries anyone: the message is from
/usr/src/sys/kern/subr_diskslice.c and shutups are to be placed there.
+ Have read_block and write_block use an additional parameter, the
sector size.
+ replace all barfout calls with return NULL, 0, __LINE__, etc.
Note that this does NOT emit diagnostics. More often than not,
you don't want library functions to scribble on stderr -- it may
not even be available. The right thing is to propagate the error
condition to upper management. The app should take care of errors.
+ use d1->sector_size instead of 512 in various places. I've left many
places untouched, especially those writing MBRs. I simply added
another arg hardcoded as 512. This is because I would not know what
I'm doing... I felt this approach would be reasonably backward
compatible and not introduce any new bugs in critical software.
Famous last words. Messing with MBRs might soon put me in the same
screwup meister category as, uh, never mind. :-)
+ bump the max no of disks from 20 to 32 (due to PR 24503).
PR: 8434 / 8436 / 24503
Submitted by: Jens Schweikhardt <schweikh@schweikhardt.net>
terminates the string in all cases, based on code from netstat(1).
The path in a sockaddr_un is terminated either by a '\0', or by
the end of the sockaddr as defined by sun_len.
Previously, the code could write the "safety" '\0' beyond the end
of the sockaddr (sockaddr_un's need only be large enough to store
sun_len bytes), and writing into the the supplied sockaddr is bad
anyway.
process on fork(2).
It is the supposed behavior stated in the manpage of sigaction(2), and
Solaris, NetBSD and FreeBSD 3-STABLE correctly do so.
The previous fix against libc_r/uthread/uthread_fork.c fixed the
problem only for the programs linked with libc_r, so back it out and
fix fork(2) itself to help those not linked with libc_r as well.
PR: kern/26705
Submitted by: KUROSAWA Takahiro <fwkg7679@mb.infoweb.ne.jp>
Tested by: knu, GOTOU Yuuzou <gotoyuzo@notwork.org>,
and some other people
Not objected by: hackers
MFC in: 3 days
placed in any scheduling queue(s). The process of dispatching
signals to a thread can change its state which will attempt to add
or remove the thread from any scheduling queue to which it belongs.
This can break some assertions if the thread isn't in the queue(s)
implied by its state.
When adding dispatching a pending signal to a thread, be sure to
remove the signal from the threads set of pending signals.
PR: 27035
Tested by: brian
MFC in: 1 week
longer includes machine/elf.h.
* consumers of elf.h now use the minimalist elf header possible.
This change is motivated by Binutils 2.11.0 and too much clashing over
our base elf headers and the Binutils elf headers.
address" string to a netbuf/sockaddr "transport address". In the
case of an AF_LOCAL address, it was missing the code to actually
point the netbuf at the newly allocated sockaddr_un, so the caller
ended up with a netbuf containing junk.
Submitted by: Martin Blapp <mb@imp.ch>
required by POSIX.1e. This maintains the current 'struct acl'
in the kernel while providing the generic external acl_t
interface required to complete the ACL editing library.
o Add the acl_get_entry() function.
o Convert the existing ACL utilities, getfacl and setfacl, to
fully make use of the ACL editing library.
Obtained from: TrustedBSD Project
The devinfo library provides access to the kernel's internal device
hierarchy and to the I/O resource manager. The library uses a
sysctl(9) interface to obtain a snapshot of the kernel's state which
is then made available to the application.
