o Introduce /var/log/authentication.log, which will be the target for
auth.info and authpriv.info by default. Rotate on the same schedule
as most other logs. Create at installation.
o Remove logging of auth.info from /var/log/security.log, which will
return to being only for security feature subsystems (such as ipfw,
and so on).
This creates a special authentication log, which can now be searched
by scripts for authentication events.
/usr/share/examples/pppd.
Update pppd(8) documentation to reflect this, usr.sbin/pppd/pppd.8.
Remove the out-of-place pppd(8) configuration files in etc/ppp,
ppp.shells.sample and ppp.deny.
Make the appropriate changes to the build process, etc/Makefile and
etc/mtree/BSD.usr.mtree, so it all works.
The files from etc/ppp, ppp.shells.sample and ppp.deny, were moved
with a repo copy. Note it in the logs with a forced commit to these
two.
Submitted by: Maxim Konovalov <maxim@macomnet.ru> provided the new samples.
to have backward compatibility symbolic links.
This code should check existence of deprecated locales and
fix them using following scheme:
. if new locale directory exisists and is a symlink -- remove it
. if old locale directory exists and not a symlink -- rename it to
its new name
This should allow to mtree(1) and existing locale aliases make(1)
rules to setup locale dirs correctly (avoid self-referenced symlinks)
BTW, this commit brings in backward compatibility support for ru_SU
locales (aliased to appropriate ru_RU ones).
LC_MESSAGES related data was installed to <locale>/LC_MESSAGES file.
Now it go to <locale>/LC_MESSAGES/SYS_LC_MESSAGES file. LC_MESSAGES
directory is supposed to be storage of message catalogs of userland tools.
This should allow us to avoid many potential problems with future
libintl related functionality introduction.
Thanks for useful suggestions about correct way how to replace plain
files with directories at installworld stage to: Ruslan Ermilov <ru>
of /etc/daily. Some time later, /etc/daily became a set of periodic(8)
scripts. Now, this evolution continues, and /etc/security has been
broken into periodic(8) scripts to make local customization easier and
more maintainable.
Reviewed by: ru
Approved by: ru
installed instead of pam.conf. This is for testing; the conditionals will
be removed once we are confident that pam.d works as intended.
Sponsored by: DARPA, NAI Labs
discussed on the arch@ mailinglist (after repo-copy).
sys.mk will .error if it finds /etc/defaults/make.conf but include
it anyways (this is the same behaviour as with the make.conf.local
removal).
/usr/share/examples/etc/make.conf has BDEFLAGS commented out now,
since it's only an example file.
Adjust all textes that talk about make.conf or defaults/make.conf to
match the new situation.
NO_MAKEDEV_INSTALL and NO_MAKEDEV_RUN. The former implying the latter.
The names imply what they do. The last commit by DES based on a PR defeated
the original idea behind NO_MAKEDEV, which was not to run MAKEDEV, but to do
the installation of MAKEDEV. This should satisfy both parties on the MAKEDEV
challenge.
associated changes that had to happen to make this possible as well as
bugs fixed along the way.
Bring in required TLI library routines to support this.
Since we don't support TLI we've essentially copied what NetBSD
has done, adding a thin layer to emulate direct the TLI calls
into BSD socket calls.
This is mostly from Sun's tirpc release that was made in 1994,
however some fixes were backported from the 1999 release (supposedly
only made available after this porting effort was underway).
The submitter has agreed to continue on and bring us up to the
1999 release.
Several key features are introduced with this update:
Client calls are thread safe. (1999 code has server side thread
safe)
Updated, a more modern interface.
Many userland updates were done to bring the code up to par with
the recent RPC API.
There is an update to the pthreads library, a function
pthread_main_np() was added to emulate a function of Sun's threads
library.
While we're at it, bring in NetBSD's lockd, it's been far too
long of a wait.
New rpcbind(8) replaces portmap(8) (supporting communication over
an authenticated Unix-domain socket, and by default only allowing
set and unset requests over that channel). It's much more secure
than the old portmapper.
Umount(8), mountd(8), mount_nfs(8), nfsd(8) have also been upgraded
to support TI-RPC and to support IPV6.
Umount(8) is also fixed to unmount pathnames longer than 80 chars,
which are currently truncated by the Kernel statfs structure.
Submitted by: Martin Blapp <mb@imp.ch>
Manpage review: ru
Secure RPC implemented by: wpaul
Makefile to the etc/sendmail Makefile to be consistent with all of the
other /var file creations. In doing so, change the Makefile target from
etc-sendmail.cf to distribution as it installs more than just the sendmail.cf.
configure FreeBSD so that various databases such as passwd and group can be
looked up using flat files, NIS, or Hesiod.
= Hesiod has been added to libc (see hesiod(3)).
= A library routine for parsing nsswitch.conf and invoking callback
functions as specified has been added to libc (see nsdispatch(3)).
= The following C library functions have been modified to use nsdispatch:
. getgrent, getgrnam, getgrgid
. getpwent, getpwnam, getpwuid
. getusershell
. getaddrinfo
. gethostbyname, gethostbyname2, gethostbyaddr
. getnetbyname, getnetbyaddr
. getipnodebyname, getipnodebyaddr, getnodebyname, getnodebyaddr
= host.conf has been removed from src/etc. rc.network has been modified
to warn that host.conf is no longer used at boot time. In addition, if
there is a host.conf but no nsswitch.conf, the latter is created at boot
time from the former.
Obtained from: NetBSD
build process in too many cases. Adding mtree to bootstrap-tools
to solve this breaks the upgrade path because mtree needs a
libc that has strtofflags and fflagstostr.
wheel to trash logfiles is not exactly good security policy. There have
been several gid wheel holes in ports. Various other files were changed
as well (eg: the locate database were set to more restrictive modes (444)
by their generation scripts) so this should be safe for them. utmp and
wtmp are mode 644 already on all the systems we checked.
Submitted by: jkb
Reviewed by: kris
The only change in the default functionality should be that
the output reports are slightly more verbose WRT files deleted.
Not objected to by: freebsd-arch
for pccardd.
Please install /etc/defaults/pccard.conf and update /etc/defaults/rc.conf
as well.
Note that old pccard.conf.sample still remains for while but
no longer to be maintained.
Reviewed by: imp, -mobile ML and nomads ML in Japan.
new sample database files, so that they will be installed with make
distribution. NOSPAM probably ought to be renamed to MAIL.
Reviewed by: peter
Approved by: jkh
/etc/Makefile so that if it is defined, MAKEDEV all is not called
during a make distribution. This helps clean up the messy userland
in jail(), by reducing the number of devices exposed in jail.
Modifications to jail(2) to follow.
Approved by: jkh-arius
should be used from now on for anything security but not auth-related.
Included are updates for all relevant manpages and also to /etc files,
creating a new /var/log/security. Nothing in the system logs to
/var/log/security yet as of the time of this commit.
Reviewed by: rgrimes, imp, chris
Originally submitted by: Wayne Self <wself@cdrom.com>
Allow a ppp startup option in rc.conf.
Adjust sysinstall so that it appends to the end of ppp.conf
and uses the generated profile to start ppp in auto mode on
boot.
Submitted by: Josef L. Karthauser <joe@uk.FreeBSD.org>
he moved rc.conf. Then he deleted rc.diskless when it ( of course ) didn't
work. Now I'm putting the originally accidently removed rc.diskless{1,2}
back in.
(3?) people will make an effort to help those who would have benefitted from
this change. And just telling them that they should read and understand
the significance of each message posted to -current is not really good
enough IMHO.
${DESTDIR}/etc and an install target to install the missing ones. This
allows new files like pam.conf to be installed by the first installworld
after the file is added, but avoid clobbering files that might be
customized. This should save some support questions.
methods used by login. Changes to "/usr/bin/login" to use it will
be committed later today. The format of the file is described in
pam(8).
This sample file makes login behave in the traditional way. To
wit, it enables authentication via S/Key and passwd/NIS lookups.
KerberosIV authentication is present in the sample file but commented
out.
As a safety net and a transition aid, login will fall back on
built-in passwd/NIS authentication if this configuration file is
missing or if some other fatal PAM error occurs.
This file will eventually replace "/etc/auth.conf", but not until
I've finished converting the other utilities, such as passwd and su.
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.
Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.