o Introduce /var/log/authentication.log, which will be the target for
auth.info and authpriv.info by default. Rotate on the same schedule
as most other logs. Create at installation.
o Remove logging of auth.info from /var/log/security.log, which will
return to being only for security feature subsystems (such as ipfw,
and so on).
This creates a special authentication log, which can now be searched
by scripts for authentication events.
/usr/share/examples/pppd.
Update pppd(8) documentation to reflect this, usr.sbin/pppd/pppd.8.
Remove the out-of-place pppd(8) configuration files in etc/ppp,
ppp.shells.sample and ppp.deny.
Make the appropriate changes to the build process, etc/Makefile and
etc/mtree/BSD.usr.mtree, so it all works.
The files from etc/ppp, ppp.shells.sample and ppp.deny, were moved
with a repo copy. Note it in the logs with a forced commit to these
two.
Submitted by: Maxim Konovalov <maxim@macomnet.ru> provided the new samples.
to have backward compatibility symbolic links.
This code should check existence of deprecated locales and
fix them using following scheme:
. if new locale directory exists and is a symlink -- remove it
. if old locale directory exists and not a symlink -- rename it to
its new name
This should allow mtree(1) and the existing locale aliases make(1)
rules to set up locale dirs correctly (avoid self-referenced symlinks)
BTW, this commit brings in backward compatibility support for ru_SU
locales (aliased to appropriate ru_RU ones).
LC_MESSAGES related data was installed to <locale>/LC_MESSAGES file.
Now it goes to <locale>/LC_MESSAGES/SYS_LC_MESSAGES file. LC_MESSAGES
directory is supposed to be storage of message catalogs of userland tools.
This should allow us to avoid many potential problems with future
libintl related functionality introduction.
Thanks for useful suggestions about correct way how to replace plain
files with directories at installworld stage to: Ruslan Ermilov <ru>
of /etc/daily. Some time later, /etc/daily became a set of periodic(8)
scripts. Now, this evolution continues, and /etc/security has been
broken into periodic(8) scripts to make local customization easier and
more maintainable.
Reviewed by: ru
Approved by: ru
installed instead of pam.conf. This is for testing; the conditionals will
be removed once we are confident that pam.d works as intended.
Sponsored by: DARPA, NAI Labs
discussed on the arch@ mailing list (after repo-copy).
sys.mk will .error if it finds /etc/defaults/make.conf but include
it anyways (this is the same behaviour as with the make.conf.local
removal).
/usr/share/examples/etc/make.conf has BDEFLAGS commented out now,
since it's only an example file.
Adjust all texts that talk about make.conf or defaults/make.conf to
match the new situation.
NO_MAKEDEV_INSTALL and NO_MAKEDEV_RUN. The former implying the latter.
The names imply what they do. The last commit by DES based on a PR defeated
the original idea behind NO_MAKEDEV, which was not to run MAKEDEV, but to do
the installation of MAKEDEV. This should satisfy both parties on the MAKEDEV
challenge.
associated changes that had to happen to make this possible as well as
bugs fixed along the way.
Bring in required TLI library routines to support this.
Since we don't support TLI we've essentially copied what NetBSD
has done, adding a thin layer to emulate direct the TLI calls
into BSD socket calls.
This is mostly from Sun's tirpc release that was made in 1994,
however some fixes were backported from the 1999 release (supposedly
only made available after this porting effort was underway).
The submitter has agreed to continue on and bring us up to the
1999 release.
Several key features are introduced with this update:
Client calls are thread safe. (1999 code has server side thread
safe)
Updated, a more modern interface.
Many userland updates were done to bring the code up to par with
the recent RPC API.
There is an update to the pthreads library, a function
pthread_main_np() was added to emulate a function of Sun's threads
library.
While we're at it, bring in NetBSD's lockd, it's been far too
long of a wait.
New rpcbind(8) replaces portmap(8) (supporting communication over
an authenticated Unix-domain socket, and by default only allowing
set and unset requests over that channel). It's much more secure
than the old portmapper.
Umount(8), mountd(8), mount_nfs(8), nfsd(8) have also been upgraded
to support TI-RPC and to support IPv6.
Umount(8) is also fixed to unmount pathnames longer than 80 chars,
which are currently truncated by the Kernel statfs structure.
Submitted by: Martin Blapp <mb@imp.ch>
Manpage review: ru
Secure RPC implemented by: wpaul
Makefile to the etc/sendmail Makefile to be consistent with all of the
other /var file creations. In doing so, change the Makefile target from
etc-sendmail.cf to distribution as it installs more than just the sendmail.cf.
configure FreeBSD so that various databases such as passwd and group can be
looked up using flat files, NIS, or Hesiod.
= Hesiod has been added to libc (see hesiod(3)).
= A library routine for parsing nsswitch.conf and invoking callback
functions as specified has been added to libc (see nsdispatch(3)).
= The following C library functions have been modified to use nsdispatch:
. getgrent, getgrnam, getgrgid
. getpwent, getpwnam, getpwuid
. getusershell
. getaddrinfo
. gethostbyname, gethostbyname2, gethostbyaddr
. getnetbyname, getnetbyaddr
. getipnodebyname, getipnodebyaddr, getnodebyname, getnodebyaddr
= host.conf has been removed from src/etc. rc.network has been modified
to warn that host.conf is no longer used at boot time. In addition, if
there is a host.conf but no nsswitch.conf, the latter is created at boot
time from the former.
Obtained from: NetBSD
build process in too many cases. Adding mtree to bootstrap-tools
to solve this breaks the upgrade path because mtree needs a
libc that has strtofflags and fflagstostr.
wheel to trash logfiles is not exactly good security policy. There have
been several gid wheel holes in ports. Various other files were changed
as well (eg: the locate database was set to more restrictive modes (444)
by their generation scripts) so this should be safe for them. utmp and
wtmp are mode 644 already on all the systems we checked.
Submitted by: jkb
Reviewed by: kris
The only change in the default functionality should be that
the output reports are slightly more verbose WRT files deleted.
Not objected to by: freebsd-arch
for pccardd.
Please install /etc/defaults/pccard.conf and update /etc/defaults/rc.conf
as well.
Note that the old pccard.conf.sample still remains for a while but
will no longer be maintained.
Reviewed by: imp, -mobile ML and nomads ML in Japan.
new sample database files, so that they will be installed with make
distribution. NOSPAM probably ought to be renamed to MAIL.
Reviewed by: peter
Approved by: jkh
/etc/Makefile so that if it is defined, MAKEDEV all is not called
during a make distribution. This helps clean up the messy userland
in jail(), by reducing the number of devices exposed in jail.
Modifications to jail(2) to follow.
Approved by: jkh-arius
should be used from now on for anything security but not auth-related.
Included are updates for all relevant manpages and also to /etc files,
creating a new /var/log/security. Nothing in the system logs to
/var/log/security yet as of the time of this commit.
Reviewed by: rgrimes, imp, chris
Originally submitted by: Wayne Self <wself@cdrom.com>
Allow a ppp startup option in rc.conf.
Adjust sysinstall so that it appends to the end of ppp.conf
and uses the generated profile to start ppp in auto mode on
boot.
Submitted by: Josef L. Karthauser <joe@uk.FreeBSD.org>
he moved rc.conf. Then he deleted rc.diskless when it (of course) didn't
work. Now I'm putting the originally accidentally removed rc.diskless{1,2}
back in.
(3?) people will make an effort to help those who would have benefitted from
this change. And just telling them that they should read and understand
the significance of each message posted to -current is not really good
enough IMHO.
${DESTDIR}/etc and an install target to install the missing ones. This
allows new files like pam.conf to be installed by the first installworld
after the file is added, but avoid clobbering files that might be
customized. This should save some support questions.
methods used by login. Changes to "/usr/bin/login" to use it will
be committed later today. The format of the file is described in
pam(8).
This sample file makes login behave in the traditional way. To
wit, it enables authentication via S/Key and passwd/NIS lookups.
KerberosIV authentication is present in the sample file but commented
out.
As a safety net and a transition aid, login will fall back on
built-in passwd/NIS authentication if this configuration file is
missing or if some other fatal PAM error occurs.
This file will eventually replace "/etc/auth.conf", but not until
I've finished converting the other utilities, such as passwd and su.
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.
Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.
"make distrib-dirs" target.
Neither of Andrey's two attempts have worked for me with the [ -h ..]
test both with && and ||.
I've changed it to a full
if [ -h ...]; then \
rm ... ; \
fi ; \
construct. It's much clearer what's meant to happen, and it works! :-)
patches to merge the two IPX packages to work with each other and to
not break make-world :)
IPXrouted should be working now, (or at least compiling) :)
specified in the top level Makefiles.
Previously I missed dozens of Makefiles that skip the install after
using `cmp -s' to decide that the install isn't necessary.
changes to it based upon other outstanding bug reports and commits made
after his work.
Comments:
(a) sysconfig is still used to do all configuration. I was not going to
change that out from under you.... a user never need edit netstart
or rc* unless they're being very weird.
(b) rc.maint has been folded back into rc. It is just unworkable as
a separate chunk because of ordering bogosities
(c) netstart does what it says... it starts up enough of the network to
get up, it doesn't start every bloody daemon that might talk to a
socket... netstart ifconfig's the devices and sets up routing if
configured to do so.
(d) nfs disks are mounted immediately after netstart completes
(e) syslog is started as early as possible (right after nfs) so that error
messages can get logged to remote syslog servers properly
(f) named is started (there is an argument that says that named should be
started before syslogd because if you are the dns server for your domain,
you'd like named to resolve remote hosts in syslog.conf, but this is
a minority case and the trivial workaround is to put the syslog host
in /etc/hosts or use an /etc/resolv.conf -- why? because you want syslog
to catch named errors, which is a MUCH more important and likely occurrence)
(g) NOW all of the rest of the network daemons such as the time stuff, RPC,
NIS, NFS, Kerberos and inetd are started
(h) the rest of the generic stuff is done (cron/printer/sendmail)
(i) shared libraries are set
(j) /etc/rc.i386 is run (this does FreeBSD/386 specific stuff like ibcs2,
xtend, and all of the syscons stuff)
(this is actually started as /etc/rc.`uname -m`)
(k) the syscons stuff has gotten a serious cleaning to make it consistent
with rc conventions
(l) rc.local has had the comments about syscons removed (they are not relevant
to this file now) and the full name of the kernel has been restored to
/etc/motd
Submitted by: pts
2. Update the COPYRIGHT= to be just the COPYRIGHT file for now.
3. Fully parameterize the floppy device being used. This is needed right
now so I can at least build these on 1.44 until it all is working, then
I will have to find a way to get them back down to size.
4. Remove mount_pcfs from the filesystem floppy, we don't have that yet.
5. Update the shared libraries to be copied. This should now work for
this and all future releases.
6. Reduce the CRYPT_SRCS down to the few static binaries that have crypt
in them.
7. Change all references for the kernel from /386bsd to /kernel.
8. For some reason umount is returning 1, use a - until I can find out why.
9. Update the disklabel commands to be 4.4 syntax.
10. Remove the ugly elvis wart, we don't have elvis anymore.
11. Use the -d (directories only) option on the mtree commands. This
greatly reduces the noise from distrib-dirs:.
12. Note the fact that the mtree commands need a wrapper around them as they
return a status of 2 if the tree was modified and the make should not
exit on that condition.
13. Add a trailing slash on the chflags command as ${RELEASEDIR} may be
a symbolic link.
some file names.
2. Add MAKEDEVS= that does all the /dev population so that this is not
duplicated in 2 or 3 places. Helps to keep it in sync too. Cleaned
up and fixed to not overflow inode tables.
3. Fix paths to the 2 crypt versions.
4. Init is sbin/init now instead of sbin/init.bsdi.
5. bdes is now in secure/usr.bin, will need to do something about telnet.
6. Incorporate 1.1.5.1 patches for EXTRACT.sh files.
7. Correct calls to make kcopy-floppy to work with or without obj/.
8. Reorder src-clean: target so that it does not destroy the real obj
tree, but does rip out junk and obj links.
9. Incorporate 1.1.5.1 patch for srcbin tarball name.
10. Add chflags command to release-dirs target so the rm -rf can have a
chance to work.
With this and a few more commits I will have 2.0 bin tarballs.
the choice of building with the password scrambler or the DES
libraries. Folks outside the US can simply drop in the other
DES libraries. (stupid laws...)
Everything still keys off of the old NOCRYPT variable so building
a portable distribution remains the same.
Submitted by: pst
1. Use ${MAKE} everywhere again. Whoops.
2. Replace multiple invocations of gzip ... split ... with one variable.
3. Add src-clean target for making the src tree presentable before
making a src tarball out of it.
2. Get kcopy and filesystem images from current directory since we
now build them here; a clean rule is now all that's needed to make
the crunch stuff complete.
1. Properly use ${.CURDIR} now instead of hardcoded relative dirs.
2. Use ${BINOWN} and ${BINGRP} everywhere instead of root/wheel
3. Add target for copying over EXTRACT scripts (and add them here).
4. Start thinking about crunched floppy target (not in yet, next commit).
2) Added optional excessive login logging.
3) Added login access control on a per host/tty basis.
4) See skey(1) for skey descriptions and src/usr.bin/login/README
for the logging and access control features.
-Guido
----------------------------
revision 1.53.2.3
date: 1994/04/10 20:19:37; author: rgrimes; state: Exp; lines: +12 -3
Must have etc and usr directories on the cdinstall floppies.
Need to have device files for mcd1.
Create links for usr/libexec and usr/lib on cdinstall floppies so that
shared library code is loaded from cdrom.
pair of crunched binaries that are not built by this, but other than
that it is back to an automated procedure. So many changes it is
hard to describe.
Use freefall.cf as sendmail prototype file, it is more realistic than the
tcpproto.cf file for a FreeBSD system. Fix so that obj dir is created in
sendmail/cf/cf as to not pollute the source tree and to have the Makefile
in there do the right things.
Remove all the extra /dev/fd0?* entries on the floppies, they were using
up all the inodes and are not needed at this time.
Temporarily remove the floppy target from release: until it is
fixed.
This file has lots more work coming, but to get the 1.1 BETA out I am
going to hand craft the floppies :-(.
Subject: Bug & Fix for etc/Makefile cpio-floppy: re /tmp creation.
Date: Fri, 26 Nov 1993 11:35:04 +0100
Editors Note: tmp was listed in the CPIO_FILES section and thus the
entire contents of ${DESTDIR}/tmp would end up on the cpio floppy. This fix
moves tmp to CPIO_DIRS so that no longer happens.
with a Makefile override. The default is floppy5 since all distribution
floppies must be <= 1.2Mb so that everyone can use them.
If you want to make 1.44MB floppies with more space on them do a
setenv FLOPPY floppy3
before running make.
From: "Jordan K. Hubbard" <jkh%whisker.lotus.ie@dec4ie.ieunet.ie>
Date: Sun, 10 Oct 1993 05:11:51 -0700
I went to make myself some boot floppies straight off the dist
today and ran into the fact that I'm using a 3.5" floppy as my drive A,
so I did the following (you can still use floppy5 as your default -
I just have it set to floppy3 for my machine).
after all. Removed it from DOS floppy.
Added COPYRIGHT to DOS floppy since it does have *BSD binaries on it!
Fixed missing ; \ when creating dev entries on filesystem floppy
Fixed rm in wrong directory, please don't rm in the DESTDIR area!!