Commit Graph

10940 Commits

Author SHA1 Message Date
Pav Lucistnik
1572020a71 - Fix markup
PR:		docs/98471
Submitted by:	Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
MFC after:	1 day
2006-06-04 15:39:19 +00:00
Markus Brueffer
02afd3d137 - Only print a clarifying message about which HCI node has been used if there
is more than one HCI node present
- Use errx(3) instead of err(3) if there is no HCI node present as errno
  is 0 in this case and the resulting error message wouldn't make much sense

Approved by:	emax (mentor)
2006-06-02 00:29:01 +00:00
Maxim Konovalov
bb0aa1a544 o Better be safe than sorry: check return code from setuid(2),
setgid(2), setlogin(2) and initgroups(3).  In theory they could
fail for root with some third party mac(4) policies.

Submitted by:	Kostik Belousov
MFC after:	1 month
2006-06-01 15:03:06 +00:00
Colin Percival
72f6a0fa7a Enable inadvertantly disabled "securenet" access controls in ypserv. [1]
Correct a bug in the handling of backslash characters in smbfs which can
allow an attacker to escape from a chroot(2). [2]

Security:	FreeBSD-SA-06:15.ypserv [1]
Security:	FreeBSD-SA-06:16.smbfs [2]
2006-05-31 22:32:22 +00:00
Ceri Davies
4ec07c5e93 Bring the "just copy" hit list closer to date.
Approved by:	jhb
MFC after:	1 month
2006-05-31 19:16:34 +00:00
Ceri Davies
04e273bfb1 Update the location of the kernel for upgrades.
I considered leaving /boot/kernel out of the chflags noschg line, but I
seem to remember that there was a period where /boot/kernel was schg, so
have left it in for safety's sake.

Approved by:	jhb
MFC after:	1 month
2006-05-31 19:15:20 +00:00
Colin Percival
2a569ec900 Use some features of sh(1) which I didn't know about until today ("read"
can read two variables at once; and suffix pattern deletion) to make the
extract command fork fewer processes.

With the portsnap snapshot and the ports tree in swap-backed memory
disks on my 1.4GHz laptop, this reduces 178800 processes and 195/56/126
seconds of real/user/sys time to 44600 processes and 103/34/60 seconds.
2006-05-30 07:08:41 +00:00
Craig Rodrigues
8f716f89cf Do not log "can't delete export" messages if nmount() returns ENOTSUP.
This eliminates spurious log entries for trying to delete exports
for filesystems like devfs and procfs.
2006-05-28 18:59:28 +00:00
Simon L. B. Nielsen
0f9fc191de Revert 1.73, since mounting devfs without a devfs ruleset inside a
jail is a very bad idea security wise.

Approved by:	trhodes (jcamou mentor)
No response:	jcamou
2006-05-28 09:44:13 +00:00
Matteo Riondato
fdf1353cec Mention ruleset #4 (devfsrules_jail) in jail's man page.
MFC after:	3
2006-05-28 08:29:49 +00:00
Sam Leffler
c824b333f6 avoid null ptr deref
Obtained from:	netbsd
2006-05-27 23:04:30 +00:00
Sam Leffler
2767a3d79c correct static array overrun
Obtained from:	netbsd
2006-05-27 23:03:08 +00:00
Craig Rodrigues
e91db40c18 Move call to ignore SIGPIPE signals before calling fork(),
so that both parent and child processes ignore this signal.

PR:             bin/97768
Submitted by:   Gea-Suan Lin <gslin at csie dot nctu dot edu dot tw>
MFC after:      3 days
2006-05-27 02:37:37 +00:00
Craig Rodrigues
a856bed399 Ignore SIGPIPE signals on write() failures.
We already check for write() failures and handle EPIPE.
Failure to handle SIGPIPE was resulting in rpc.lockd terminating.

PR:		bin/97768
Reported by:	Gea-Suan Lin <gslin at csie dot nctu dot edu dot tw>
MFC after:	1 day
2006-05-25 22:12:05 +00:00
Gleb Smirnoff
78cdd8ed1b Unnest includes before forthcoming editing. 2006-05-24 14:46:55 +00:00
Craig Rodrigues
9857865b55 Convert to nmount() and remove hardcoded checks for ufs, msdosfs, ntfs,
and cd9660.

PR:	bin/97642
2006-05-24 11:49:39 +00:00
Colin Percival
2cb56dabe9 If the user asks for "kernel sources" to be installed, extract the
SRC_BASE package (src/[A-Z]*) as well as SRC_SYS (src/sys/*).  This
allows users who only install the kernel source code to use the
modern "make buildkernel" approach.

Discussed with:	re (scottl, kensmith)
MFC after:	3 days
2006-05-24 03:34:57 +00:00
Craig Rodrigues
6a09faf2cb Convert mountd to nmount(). Remove some hardcoded dependencies
on ufs, cd9660, msdosfs, and ntfs, but not all dependencies.
2006-05-23 17:10:17 +00:00
Markus Brueffer
a9f8b02b01 - Document the new Read_Node_List command, autodetection of HCI nodes and
that the '-n' parameter is now optional
- Grammar fixes

Reviewed by:	emax
Approved by:	emax
MFC after:	1 week
2006-05-22 17:58:19 +00:00
Markus Brueffer
fc5806eda9 - Add HCI node autodetection. As a consequence of this, make the '-n'
parameter optional.
- Add Read_Node_List command which prints a list of available HCI nodes,
  their Netgraph IDs and connected hooks

Reviewed by:	emax
Approved by:	emax
MFC after:	1 week
2006-05-22 17:58:09 +00:00
Joel Dahl
c4d39d8076 s/packages/packets/
Noticed by:	maxim
2006-05-22 07:36:45 +00:00
Joel Dahl
3105ed4eac Add manual page for ipfwpcap(8).
Reviewed by:	phk, brueffer
Submitted by:	Niclas Zeising <lothrandil@n00b.apagnu.se>
2006-05-22 07:14:54 +00:00
Simon L. B. Nielsen
711385c9d0 - Add support for filtering the the list of providers by a regular
expression, which makes it possible to only see interesting
  providers.  "f" is used inside gstat to set a filter, "F" is used to
  remove current filter.
- Do not print some uninteresting values in the gstat title line.
- Do not print past the end of the screen.
- Read multiple keystrokes per "wait" when gstat is running.
- Remove a redundant != check, right after check of NULL against the
  same variable ("gid").
- Use sysexits.h.
- Do not link against libkvm and libsbuf, they are not actually used.
- Fix a few style(9) issues where I had to touch nearby code anyway.

Approved by:	cperciva (mentor)
MFC after:	2 weeks
2006-05-20 19:17:47 +00:00
Maxim Konovalov
27e42e6a7e o SIOCGIFCONF -> getifaddrs(3) conversion. As a side effect fix
bin/95041: subnet mask mismatch.

PR:		bin/95041
Obtained from:	NetBSD
Tested by:	Hans Lambermont
MFC after:	2 months
2006-05-17 18:41:05 +00:00
Pav Lucistnik
a0ff005ba5 - Update to ntp-4.2.0
PR:		docs/79857
Submitted by:	Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
2006-05-17 10:50:35 +00:00
Poul-Henning Kamp
f6ce2a64f7 Send the pcvt(4) driver off to retirement. 2006-05-17 09:33:15 +00:00
Maksim Yevmenkin
0c3420df68 Fix formatting. Add missing break;
Submitted by:	Iain Hibbert
MFC after:	3 days
2006-05-14 22:19:38 +00:00
Colin Percival
1e1de0e499 Fix typo.
Pointed out by:	ceri
2006-05-13 18:04:48 +00:00
Colin Percival
d600d37002 Add a mechanism for constructing INDEX files which include local ports.
Requested by:	brooks
2006-05-13 15:56:35 +00:00
Hellmuth Michaelis
c6a39ce216 PR: bin/71663
Submitted by:   Dan Lukes
Reviewed by:    hm@
fix compile warnings in isdnd and isdntest. some more
compile time warnings also mentioned in this PR were
already fixed in an earlier commit today.
2006-05-13 14:59:58 +00:00
Hellmuth Michaelis
93ad0725db fix conflicting types for log(), add some prototypes to isdnd.h 2006-05-13 12:42:55 +00:00
Matteo Riondato
b484e04bf9 correct strtol(3) usage and style(9)
Reviewed by:	maxim
MFC after:	2 weeks
2006-05-12 15:14:43 +00:00
Colin Percival
343c554c88 Use 'rm -rf foo/bar' to remove a port instead of 'rm -rf foo/bar/'.
When /usr/ports/foo/bar is a symlink pointing outside the tree, this
deletes the symlink instead of the directory it points to.

Requested by:	delphij
2006-05-12 10:42:40 +00:00
Maxim Konovalov
6dc044b45b o Style(9) the previous commit a bit. 2006-05-11 19:06:33 +00:00
Poul-Henning Kamp
31048bda0e Use sysctlbyname() instead of sysctl 2006-05-11 17:23:57 +00:00
Matteo Riondato
7deb00ccd9 Add the -s option to set jail's securelevel. This is useful for jails run with non-root privileges.
PR:	bin/80242
MFC after:	2 weeks
2006-05-11 13:04:23 +00:00
John Baldwin
9aa6ce1642 Alpha doesn't support linux ABI compat now. 2006-05-10 18:44:10 +00:00
Matteo Riondato
feefdb0ceb Use .Vt for struct xprison
Suggested by: keramida
2006-05-10 14:26:53 +00:00
Matteo Riondato
f7bb71361e document security.jail.list sysctl in jail(8)
PR:	docs/96807
MFC after:	3
2006-05-08 19:55:17 +00:00
Hajimu UMEMOTO
f28aa72448 If perform-actual-lookups is enabled, getservbyname() matches an entry
even when proto is not valid.

Submitted by:	Michael Bushkov <bushman__at__rsu.ru>
2006-05-05 15:01:25 +00:00
Colin Percival
b39855baee Allow the HTTP_PROXY environment variable to be (mis)spelled as
"http_proxy", since some people apparently do this and fetch(3)
allows it.
2006-05-05 04:47:00 +00:00
Colin Percival
a414ca11d5 Fix the test for whether ${HTTP_PROXY} is set -- I got it backwards.
Pointy hat to:	cperciva
Pointed out by:	pjd
2006-05-05 03:44:13 +00:00
Ceri Davies
38e5cff20e Fix binary upgrades by accounting for the schg flag on /var/empty.
PR:		96711, 96780
Submitted by:	Nobuyuki Koganemaru, Martin Jackson
Approved by:	re (scottl)
MFC after:	1 day
2006-05-04 20:10:34 +00:00
Colin Percival
37c8250c90 Remove two lines of debugging which I forgot to remove before the last
commit.

Noticed by:     simon
2006-05-03 22:09:42 +00:00
Colin Percival
4b93a7cae2 The approach portsnap uses of "pick a random HTTP mirror" doesn't
interact very nicely with HTTP proxies: Since proxies do not know
that all the files on portsnap1.freebsd.org are identical to the
files with the same names on portsnap2.freebsd.org, said proxies end
up downloading and storing files in duplicate.

This commit uses the HTTP_PROXY environment variable, if set, to
generate a random number seed for use in selecting a mirror.  This
means that if several systems all have the same HTTP_PROXY value set,
they will ask the proxy to fetch files from the same mirror (unless
that mirror fails, in which case all the systems will use the same
second choice, et cetera).

Portsnap still doesn't interact very well with "transparent" HTTP
proxies, but there's nothing I can do about those.

Requested by:	simon
Sponsored by:   FreeBSD security development fundraiser
2006-05-03 21:29:01 +00:00
Colin Percival
1e87b57202 Instead of selecting a mirror and failing if it is inaccessible, keep
track of which mirrors we have tried and try a different mirror if we
fail when trying to download the SSL public key or the snapshot
signature.

Failures later in the download process will not result in switching to
a different mirror, for two reasons:
1. If is very unlikely that a mirror will fail partway through the
process of downloading updates.
2. If we switched from a more recently updated mirror to a less
recently updated mirror partway through the download process, we would
end up failing anyway because we would be trying to fetch files which
the second mirror didn't have yet.

PR:		bin/96288
Requested by:	lots of people
Sponsored by:	FreeBSD security development fundraiser
2006-05-03 21:19:43 +00:00
Maxim Konovalov
17d10fccac o Document security.jail.jailed sysctl.
PR:		docs/94711
Submitted by:	Andreas Kohn
MFC after:	2 weeks
2006-05-03 20:13:33 +00:00
Hajimu UMEMOTO
b947683ce1 Fix alignment problem on AMD64.
Reported by:	Pascal Hofstee <caelian__at__gmail.com>
Submitted by:	Michael Bushkov <bushman__at__rsu.ru>
Tested by:	Pascal Hofstee <caelian__at__gmail.com>
2006-05-02 23:02:32 +00:00
Giorgos Keramidas
193599122f Note that when -d flag is used, mountd(8) will not detach from the
controlling terminal.

PR:		docs/96660
Submitted by:	Jeff Ito <ijk@speakeasy.net>
MFC after:	1 week
2006-05-02 21:00:43 +00:00
Colin Percival
96b468e33b Teach portsnap to parse the output of the host(1) in BIND 8 as well as
the host(1) from BIND 9.  This doesn't matter for HEAD, but will help
people who install portsnap from the ports tree onto older versions of
FreeBSD.

PR:		ports/93901
Sponsored by:	FreeBSD security development fundraiser
2006-05-02 05:27:30 +00:00