smmsp - sendmail 8.12 operates as a set-group-ID binary (instead of
set-user-ID). This new user/group will be used for command line
submissions. UID/GID 25 is suggested in the sendmail documentation and has
been adopted by other operating systems such as OpenBSD and Solaris 9.
mailnull - The default value for DefaultUser is now set to the uid and gid
of the first existing user mailnull, sendmail, or daemon that has a
non-zero uid. If none of these exist, sendmail reverts back to the old
behavior of using uid 1 and gid 1. Currently FreeBSD uses daemon for
DefaultUser but I would prefer not to use an account used by other
programs, hence the addition of mailnull. UID/GID 26 has been chosen for
this user.
This was discussed on -arch on October 18-19, 2001.
MFC after: 1 week
the idea of not masking passwords on comments in case the
administrator comments out an entry without clearing the
password. Instead completely ignore comments (since they have no
security impact) when doing the diff of the old and new passwd file.
Suggested by: rwatson
extracted and recreating device files.
Without this, you'll see following messages when 'MAKEDEV all':
[: : out of range
[: : out of range
acd0t is invalid -- can't have more than 32 devices or 169 tracks
Reported by: David Syphers <dsyphers@uchicago.edu> (at current@FreeBSD.org)
continuation lines, extra whitespace, and to use the last matching
line in the file. This syncs the host.conf generation with how
the nsswitch.conf is parsed.
Only print " host.conf" instead of a multi-line message, since this
happens on every boot.
- if nsswitch.conf exists, host.conf is auto-generated for compatibility
with legacy applications and libraries.
- if host.conf exists but nsswitch.conf does not, nsswitch.conf is auto-
generated as usual.
`localhost'. If your /etc/nsswitch.conf has ``hosts: files dns'', and
you changed `myname.my.domain' in /etc/hosts to match hostname(1), and
you run inetd(8) with the -l option, any connect to `myname' using its
real IP address through inetd(8), e.g. `ftp -a myname', will spam your
/var/log/messages with:
inetd[PID]: warning: /etc/hosts.allow, line 23: host name/name mismatch: myname.my.domain != localhost
This is especially bad for -STABLE, where /etc/host.conf defaults to
"files first then DNS" resolution order.
Noticed by: Igor Kucherenko <kivvy@sunbay.com>
MFC after: 1 week
Many people like to use generic devices in rc.syscons, etc..
So rc.devfs needs to run before those rc files.
Requested by: Jos Backus <josb@cncdsl.com>
the original commit of local_startup depended on the scripts being
executable; so there is too much precedence to change it now. About all
anyone could agree on is that rev 1.274 broke POLA and before rev 1.274
also broke POLA.
dhclient and pccard_ether, introduce the concept of a "settle time" to
pccard_ether with the new pccard_ether_delay variable. Defaults to 5
seconds, which is enough time for the ed driver to finish its
autoconfiguration for newer Linksys based cards. This also can
eliminate the ed0: timeout messages that happen at startup as well.
MFC: after RE says OK.
appears to be another OEM version of the Netgear FA411. This is a
guess, since the original didn't include the flags, but this is too
similar to my netgear card...
Submitted by: neal@nelsonnet.org
permissions on some files, and give hints as to what those permissions
might be. Note also that the current more liberal permissions might
get changed in future revisions.
discussed on the arch@ mailinglist (after repo-copy).
sys.mk will .error if it finds /etc/defaults/make.conf but include
it anyways (this is the same behaviour as with the make.conf.local
removal).
/usr/share/examples/etc/make.conf has BDEFLAGS commented out now,
since it's only an example file.
Adjust all textes that talk about make.conf or defaults/make.conf to
match the new situation.
value, it forces GCC to not optimize above this level. For intance, GCC
made with "WANT_FORCE_OPTIMIZATION_DOWNGRADE=1" is a good setting for the
Alpha platform when building ports.
rc.firewall6. Specifically, don't do anything
if [ -z ${source_rc_confs_defined} ]. Not doing this leads to a problem
with dependencies: chkdepend will set, e.g., portmap_enable to YES if
some service that needs portmap is enabled, but rc.network sources
rc.firewall, which used to source defaults/rc.conf unconditionally,
which would result in portmap_enable being set back to NO.
PR: 29631
Submitted by: OGAWA Takaya <t-ogawa@triaez.kaisei.org>
and ftpd. This more conservative default reduces the exposure of
freshly installed machines, which is especially valuable for machines
that receive minimal further configuration before being put into
production. Generally speaking, SSH has superseded the use of both
telnet and ftp in many environments. In light of recent remotely
exploitable security holes in both telnetd and ftpd, this choice
retains flexibility (both telnetd and ftpd daemons remain installed
and easily enableable) while protecting users who don't need the
additional risk. This change brings our configuration into line with
the majority of other UNIX vendors, including OpenBSD and NetBSD.
To address the concerns of those requiring remote access via telnet
from first install, changes will shortly be committed to sysinstall
to provide the ability to edit inetd.conf during the installation
process, allowing telnetd and ftp to be re-enabled during the
installation process.
While I'm at it, slightly improve commenting for inetd.conf so that
it's more clear to users how to enable and disable services.
Further commenting to indicate the functions of various columns would
probably also be useful.
Reviewed by: imp, chris, jake, nate, -arch, -stable
is required into rc.network.
Person failed to use a real name so both email addresses from PR included
(Sent was different to From).
PR: 22998
Submitted by: dl@leo.org/spock@empire.trek.org
us anyway because it doesn't work right on the x86 and alpha. On
K&R code, small ints would be promoted to int. ANSI-C doesn't require
this and the small ints can be passed taking 8 or 16 bits of stack
space. However, the x86 abi that we use *does* promote to 32 bit,
and the alpha ABI passes them in 64 bit registers so we dont have
that aspect of the problem here. Losing float precision by having it
cast down to int because the funtion prototype specifies int is the
least of our problems. -Wmissing-prototypes helps here anyway.
correct some ommissions of udp ports.
Update IANA web page.
Clean up/correct some comments. I went a little further than the PR.
PR: conf/23416
Submitted by: Rudolf Cejka <cejkar@dcse.fee.vutbr.cz>
install /etc/mail/sendmail.cf to /etc/mail/sendmail.cf and exits with an
error:
===> etc/sendmail
install -c -o root -g wheel -m 644 /etc/mail/sendmail.cf /etc/mail/sendmail.cf
install: /etc/mail/sendmail.cf and /etc/mail/sendmail.cf are the same file
*** Error code 64
Catch this in the Makefile and don't call install if the source and target
are the same file.
Reported by: Alexandr Listopad <laa@reis.zp.ua>
MFC after: 1 week
building a .cf file from a .mc file.
Include -D_FFR_TLS_O_T to enable tls policy control since the sendmail binary
build enables that FFR as well.
PR: conf/28361
MFC after: 1 week
for separating the startup scripts' list into individual filenames.
Run the shutdown scripts in reverse alphabetical order, so dependent
services are stopped before the services they depend upon.
Reviewed by: -arch, -audit
MFC after: 3 weeks
non-printable characters to sneak into /var/log/messages (e.g.
someone aims a Solaris/Linux RCP exploit at your FreeBSD box and
you end up with his shellcode as part of a log entry). You might
get something like,
host.mydom.org login failures:
Binary file (standard input) matches
In the daily security script as a result. Allowing attackers to
mess with your security script's ability to accurately report
is a Bad Thing. Tell grep(1) to treat /var/log/messages like a
text file even if it has non-printable characters.
Submitted by: Tim Zingelman <zingelman@fnal.gov> on freebsd-security
Approved by: ru
MFC after: 1 week
the default section and into the papchap section.
It's really irritating when you run ppp with no arguments and end up
blowing away your default route !
the following description in RFC2461:
AdvSendAdvertisements
A flag indicating whether or not the router sends
periodic Router Advertisements and responds to
Router Solicitations.
Default: FALSE
Note that AdvSendAdvertisements MUST be FALSE by
default so that a node will not accidentally start
acting as a router unless it is explicitly
configured by system management to send Router
Advertisements.
Submitted by: JINMEI Tatuya <jinmei@isl.rdc.toshiba.co.jp>
MFC after: 1 week
This work was based on kame-20010528-freebsd43-snap.tgz and some
critical problem after the snap was out were fixed.
There are many many changes since last KAME merge.
TODO:
- The definitions of SADB_* in sys/net/pfkeyv2.h are still different
from RFC2407/IANA assignment because of binary compatibility
issue. It should be fixed under 5-CURRENT.
- ip6po_m member of struct ip6_pktopts is no longer used. But, it
is still there because of binary compatibility issue. It should
be removed under 5-CURRENT.
Reviewed by: itojun
Obtained from: KAME
MFC after: 3 weeks
after the network is configured.
Future remote filesystem types should be added to remote_fstypes, which
is a whitespace-delimited list of type:description pairs.
The specific problem this fixes right now is that smbfs mounts described
in /etc/ftsab were failing.
Make the default setting YES for now to get some experience with it.
Note: If people starts seeing disk errors because of this then it
should not be backed.
With a small disk being 20GB these days, chances are pretty good that
an ailing sector will not be read while still being recoverable by
the drive.
Diskcheck daemon will read disks in the background at a low rate and
that way give the diskdrive a chance to detect and correct soft read
errors before they become hard errors.
Idea by: phk
Written by: ben
about non-existent mount directories (which would come
into existence after the real mount has occured) when just
testing for if there are any NFS filesystems in /etc/fstab.
PR: bin/26597
Submitted by: Dmitry Morozovsky <marck@rinet.ru>
MFC after: 3 days
systems were repo-copied from sys/miscfs to sys/fs.
- Renamed the following file systems and their modules:
fdesc -> fdescfs, portal -> portalfs, union -> unionfs.
- Renamed corresponding kernel options:
FDESC -> FDESCFS, PORTAL -> PORTALFS, UNION -> UNIONFS.
- Install header files for the above file systems.
- Removed bogus -I${.CURDIR}/../../sys CFLAGS from userland
Makefiles.
is not set. This allows admins to create a per-machine configuration file
while leaving the freebsd.mc template pristine. Provide a rule to create
`hostname`.mc from freebsd.mc if it doesn't exist.
PR: misc/26299
MFC after: 8 days
fsck checking. Applying these changes (typically via mergemaster)
will cause your system to start running background checks on all
your soft update enabled filesystems (provided that you have
a kernel with the required functionality, e.g., one built since
the end of April). Please report any and all problems to
mckusick@mckusick.com (not mckusick@freebsd.org which I read
infrequently). See the comment above the fsck command in /etc/rc
for instructions on how to disable background checking should it
cause you too much trouble.
Several FAQs:
1) Can I reboot before the background checks are done?
Ans) Yes, when the system restarts the checks will pick up
where they left off.
2) Can a crash during checking corrupt my filesystem?
Ans) No, recovered resources are returned to the system using soft
updates which ensure that the freeing is done in a safe order.
3) How will I know if any background checks are being done?
Ans) Filesystems that are to be checked in background will be listed
as `DEFER FOR BACKGROUND CHECKING' at the usual fsck check time
during system startup.
4) What happens to the output of the background checks?
Ans) It is sent to syslog `daemon' facility log level `notice'.
5) When will this feature be available in the 4.X kernel?
Ans) Never. It is much too radical and extensive a change to be
MFC'ed. Besides, it needs many months of experience and
tuning before it is ready for widespread use.
6) What happens if a background fsck fails (i.e., fsck finds
errors that would normally require a manual fsck)?
Ans) The filesystem will be marked as needing a manual fsck.
At the next system reboot, the check will be done in
foreground and the usual actions taken (usually a failure
to go multi-user until fsck has been run by hand on the
affected filesystem).
the null mount, we currently create a temporary mfs on /tmp, copy
/etc to /tmp, then mount /etc as mfs and copy everything back from
/tmp, then delete the /tmp mfs.
The patch eliminates the temporary /tmp mfs and the subsequent
copying and simply populates the /etc mfs by copying from
/conf/default/etc. This requires that /conf/default/etc contain a
complete copy of all the /etc stuff instead of just overrides. I
don't think that is too much of an extra step in setting up a
diskless environment.
* Provide the ability to make /tmp a memory filesystem independent
of /var. This removes the requirement that /tmp be a symlink to
/var/tmp and this makes the diskless code work with the default
filesystem layout. If a seperate /tmp memory filesystem is
created, the 'tmpsize' environment variable is used to determine
its size (default to 10 Meg).
* Reduce diffs between the -current and -stable versions of these
files to a bare minimum. Only the definition of the shell
function 'mount_md' is different.
Not Objected to by: -arch@, -small@
MFC after: 2 days
This driver supports PCI Xr-based and ISA Xem Digiboard cards.
dgm will go away soon if there are no problems reported. For now,
configuring dgm into your kernel warns that you should be using
digi. This driver is probably close to supporting Xi, Xe and Xeve
cards, but I wouldn't expect them to work properly (hardware
donations welcome).
The digi_* pseudo-drivers are not drivers themselves but contain
the BIOS and FEP/OS binaries for various digiboard cards and are
auto-loaded and auto-unloaded by the digi driver at initialisation
time. They *may* be configured into the kernel, but waste a lot
of space if they are. They're intended to be left as modules.
The digictl program is (mainly) used to re-initialise cards that
have external port modules attached such as the PC/Xem.
o create a simple wrapper function mount_md that makes it easy to
move from mount_mfs.
# NOTE: you will need to MAKEDEV md[0123] in order for this to work.
Reviewed by: bsd, keichii
/dev/log like this: if [ ! -h /dev/log ];
The man page for test(1) says that the -h switch is depracated and that
users should NOT rely on it being available. It suggest the -L switch instead.
They both do the same thing: check for the existence of the symbolic link.
PR: 26596
Submitted by: mikem <mike_makonnen@yahoo.com>
BSDPAN is the collection of modules that provides tighter than ever
integration of Perl into BSD Unix.
Currently, BSDPAN does the following:
o makes p5- FreeBSD ports PREFIX-clean;
o registers Perl modules in the FreeBSD package database with a
package name derived from the module name.
The name is of the form: bsdpan-ModuleName-V.VV.
Anyone interested in where BSDPAN is developing should read Anton's
message to the ports mailling list:
Message-ID: <20010105040828.A26011@heechee.tobez.org>
Submitted by: Anton Berezin <tobez@tobez.org>
default first, then network-specific files, then host-specific files.
I think this was the original intent, as Matt indicated the previous
code appeared to be a bug.
out of sync. A similar change was made by itojun on the OpenBSD tree
a few weeks ago. This should stop people disabling one server and
forgetting the other one (eg: ftp and/or telnet)
NO_MAKEDEV_INSTALL and NO_MAKEDEV_RUN. The former implying the latter.
The names imply what they do. The last commit by DES based on a PR defeated
the original idea behind NO_MAKEDEV, which was not to run MAKEDEV, but to do
the installation of MAKEDEV. This should satisfy both parties on the MAKEDEV
challenge.
Note that "right" in this case is not universally recognized, but
NTP-practittioners as opposed to theoretians generally agree that
getting "inside the window" using ntpdate is TRTTD on PC hardware.
PR: 25514
Submitted by: Chris Johnson <cjohnson-pr@palomine.net>
The PAM_FAIL_CHECK and PAM_END macros in su.c came from the util-linux
package's PAM patches to the BSD login.c
Submitted by: "David J. MacKenzie" <djm@web.us.uu.net>
very specific scenarios, and now that we have had net.inet.tcp.blackhole for
quite some time there is really no reason to use it any more.
(second of three commits)
associated changes that had to happen to make this possible as well as
bugs fixed along the way.
Bring in required TLI library routines to support this.
Since we don't support TLI we've essentially copied what NetBSD
has done, adding a thin layer to emulate direct the TLI calls
into BSD socket calls.
This is mostly from Sun's tirpc release that was made in 1994,
however some fixes were backported from the 1999 release (supposedly
only made available after this porting effort was underway).
The submitter has agreed to continue on and bring us up to the
1999 release.
Several key features are introduced with this update:
Client calls are thread safe. (1999 code has server side thread
safe)
Updated, a more modern interface.
Many userland updates were done to bring the code up to par with
the recent RPC API.
There is an update to the pthreads library, a function
pthread_main_np() was added to emulate a function of Sun's threads
library.
While we're at it, bring in NetBSD's lockd, it's been far too
long of a wait.
New rpcbind(8) replaces portmap(8) (supporting communication over
an authenticated Unix-domain socket, and by default only allowing
set and unset requests over that channel). It's much more secure
than the old portmapper.
Umount(8), mountd(8), mount_nfs(8), nfsd(8) have also been upgraded
to support TI-RPC and to support IPV6.
Umount(8) is also fixed to unmount pathnames longer than 80 chars,
which are currently truncated by the Kernel statfs structure.
Submitted by: Martin Blapp <mb@imp.ch>
Manpage review: ru
Secure RPC implemented by: wpaul
Xircom CreditCard Netwave cnw
Intel PRO/Wireless 2011 (PRISM II) wi
3COM 3CRWE737A (PRISM II) wi
Note: I've had some reports that the latter two cards work, but I've not
been able to get them to work for me.