Chain caching is a feature of Linux-PAM, where pam_authenticate() and
pam_open_session() "freeze" the chain so that their companion
primitive (pam_setcred() and pam_close_session() respectively) will
call the exact same modules, skipping those that failed in the
previous call.
There are several reasons not to do this, the most prominent of which
is that it makes it impossible to call pam_setcred() without first
calling pam_authenticate() - which is perfectly valid according to
DCE/RFC 86.0 and XSSO, and is necessary to make 'login -f' work.
Instead of chain caching, implement something similar to the way
Solaris' libpam behaves: pam_setcred treats "sufficient" modules as if
they were "required", i.e. does not break the chain when they succeed.
PAM modules whose pam_sm_setcred() should not be called unless their
pam_sm_authenticate() succeeded can simply set a state variable using
pam_set_data() in pam_sm_authenticate(), and use pam_get_data() to
check it in pam_sm_setcred().
Sponsored by: DARPA, NAI Labs
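The behaviour this commit message describes, as an added example that is not OpenPAM, Linux-PAM or Solaris libpam code: a simplified model of the chain walk in which pam_setcred does not stop at a successful "sufficient" module, and a guarded module uses a per-module flag the way the message suggests using pam_set_data()/pam_get_data(). The module names, the `guarded` field and the rule that a guarded module which did not authenticate simply does nothing are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>
enum ctl  { REQUIRED, SUFFICIENT };
enum prim { AUTHENTICATE, SETCRED };

struct module {
    const char *name;    /* hypothetical module name */
    enum ctl ctl;
    bool auth_ok;        /* constructed result of its pam_sm_authenticate() */
    bool guarded;        /* its setcred must not act unless it authenticated */
    bool authed;         /* stands in for pam_set_data()/pam_get_data() state */
    int  setcred_calls;  /* times the module actually did credential work */
};

/* Walk the chain for one primitive; true means the primitive succeeded. */
static bool run_chain(struct module *c, int n, enum prim p)
{
    bool failed = false;
    for (int i = 0; i < n; i++) {
        if (p == SETCRED) {
            /* A guarded module checks its own flag and otherwise does nothing. */
            if (!c[i].guarded || c[i].authed)
                c[i].setcred_calls++;
            continue;    /* "sufficient" acts like "required": no early exit */
        }
        c[i].authed = c[i].auth_ok;
        if (!c[i].auth_ok && c[i].ctl == REQUIRED)
            failed = true;
        else if (c[i].auth_ok && c[i].ctl == SUFFICIENT && !failed)
            return true; /* authenticate stops at a successful "sufficient" */
    }
    return !failed;
}

/* Constructed chain: a guarded "sufficient" module, then a "required" one. */
static struct module demo[2] = {
    { "mod_token", SUFFICIENT, true, true,  false, 0 },
    { "mod_unix",  REQUIRED,   true, false, false, 0 },
};

int main(void)
{
    run_chain(demo, 2, SETCRED);       /* 'login -f' case: no authenticate */
    run_chain(demo, 2, AUTHENTICATE);  /* stops after mod_token */
    run_chain(demo, 2, SETCRED);       /* still reaches mod_unix */
    printf("%s=%d %s=%d\n", demo[0].name, demo[0].setcred_calls,
           demo[1].name, demo[1].setcred_calls);
    return 0;
}
```

With chain caching, the second setcred walk would have stopped where authenticate stopped and never reached the second module.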
: 2002-01-17 Ruslan Ermilov <ru@FreeBSD.org>
:
: * tmac/doc.common: Initialize %I register for the %I macro to
: avoid (harmless) warning.
: * tmac/doc.tmac (Bd): There is no reason to enforce -compact
: when in the SYNOPSIS section.
interaction between the leftright and number options.
PR: bin/23912
Reported by: "Stephen D. Spencer" <gladiatr@boneyard.lawrence.ks.us>
Obtained from: skimo@kotnet.org
: 2001-12-22 Ruslan Ermilov <ru@FreeBSD.org>
:
: * tmac/doc-common, tmac/doc-syms: Small updates.
This adds support for FreeBSD 4.4, FreeBSD 4.5, NetBSD 1.6,
and POSIX.1-2001.
the same way in the cygnus base source. The problem was that bfd was
writing to memory obtained from malloc(0). The next import will update
this if necessary. I'm not sure of the origins of this patch.
Discussed with: obrien
this case 16). Use dynamic FD_SETs and calculated high-water marks
throughout. There are also too many versions of telnet in the tree.
Obtained from: OpenBSD and Apple's Radar database
MFC after: 2 days
problem, it still didn't DTRT for services that did not have a service-
specific policy if /etc/pam.d existed but did not contain an "other"
policy. This fixes the problems some people have experienced with sudo.
And I almost didn't have to use goto.
The current configuration sequence is:
1) Look for /etc/pam.d/foo
2) If PAM_READ_BOTH_CONFS is defined, or step 1) failed, look for
foo in /etc/pam.conf
3) Look for /etc/pam.d/other (to fill in the gaps)
4) If PAM_READ_BOTH_CONFS is defined, or step 3) failed, look for
other in /etc/pam.conf
I believe this is the intended behaviour of the original code. The least
surprising behaviour seems to be when PAM_READ_BOTH_CONFS is not defined -
/etc/pam.d/foo will be preferred over /etc/pam.conf, but the latter will
serve as a backup if the former does not exist.
Sponsored by: DARPA, NAI Labs
1) ANSIfy.
2) Clean up ifdefs so that
a) ones that never/always apply are appropriately either
fully removed, or just the #if junk is removed.
b) change #if defined(FOO) for appropriate values of FOO.
(currently AUTHENTICATION and ENCRYPTION)
3) WARNS=2 fixing
4) GC other unused stuff
This code can now be unifdef(1)ed to make non-crypto telnet.
RTLD_NOW got incorrectly defined to 1 (which is RTLD_LAZY in FreeBSD).
In addition, the comment about FreeBSD requiring SHLIB_SYM_PREFIX to
be "_" is incorrect.
Submitted by: tobez (except for the bit about the incorrect comment)
instead of recovering, which happens in particular during a rapid series
of SIGWINCH's. This change forces nvi to loop on the call in the event
that the call is interrupted.
Interestingly, I submitted this bug report in 1998, and a solution was
posted shortly thereafter by Matthias Buelow; it's been sitting in the
PR database ever since.
Note: this takes this file off the vendor branch. If and when we find
a vendor for this code, the fix should be given back to them.
PR: bin/8438
Submitted by: Matthias Buelow <mkb@altair.mayn.de>
MFC after: 1 month
affect only lower bits of seed which would result in the same seed for
sequences of fast-started awk's resulting in the same random sequence.
Submitted by: ache
had an error in it), and applied it by hand to awkgram.c (getting it right)
rather than really generating a new awkgram.c properly using Bison/YACC...
Fix his mistake here.
took about 15 files off the vendor branch for what turned out to be
good reason a Gawk update takes an order of magnitude more effort than
it should...
This is by the kind permission of Dave Safford, formerly of TAMU who wrote the
original code. Here is an excerpt of the e-mail exchange concerning this
issue:
Dave Safford wrote:
>Nick Sayer wrote:
>> Some time ago we spoke about SRA and importing it into FreeBSD. I forgot to
>> ask if you had a preferred license boilerplate for the top of the files. It
>> has come up recently, and the SRA code in FreeBSD doesn't have one.
>I really have no preference - use whatever is most convenient in the
>FreeBSD environment.
>dave safford
This is the standard BSD license with clause 3 removed and clause 4
suitably renumbered.
MFC after: 1 day
: 2001-10-19 Ruslan Ermilov <ru@FreeBSD.org>
:
: * tmac/doc.tmac (doc-flag-recursion): Protect arguments against
: being handled as end-of-sentence characters,
This fixes ".Fl \&?". Previously, it produced an additional whitespace.
There were no precedents in FreeBSD manpages. That's why it was
Noticed by: Thomas Klausner <wiz@netbsd.org>
__FBSDID() and ifdefed away all vendor id stuff.
This file should never have left the vendor branch; it is now identical
with the vendor's version except for id fiddling.
support that already exists for checkout. The -T option for cvs update
and cvs checkout may be used to cause CVS to retrieve/update the checkin
template when possible.
MFC after: 1 week
+ The bufov vulnerability was fixed in the vendor sources.
+ The vendor sources are now POSIX [me harder] compliant.
+ The db vs. dbm files issue was fixed in the vendor sources.
I don't recall why the rev 1.2 hack is needed. It looks like Amd was
already using our local headers. I no longer have a FreeBSD 2.x box to
test this on, and this will never be MFC'ed to RELENG_2_2. So let's just
decrease the maintenance effort.
+ The rev 1.4 addition was taken from a snapshot previous to 6.0.7, so
it is included in 6.0.7.
+ The vendor sources are now POSIX [me harder] compliant.
When rtld runs the .fini section in a shared lib (C++), the code in
question from .../contrib/gdb/config/alpha/crtbegin.asm first calls
__do_globals_dtors_aux and then __do_frame_takedown. Unfortunately, the
value of gp after a jsr is undefined and in this case had changed from before
the call, probably as a result of calling code in some other shared library.
The normal calling convention for alpha is to re-initialize gp using
'ldgp gp,0(ra)' after a jsr instruction but in this case no such
re-initialization is done. This leads to a bogus value being read for the
address of __do_frame_takedown and a quick segfault.
Submitted by: dfr
Obtained from: GCC 3.0
value, it forces GCC to not optimize above this level. For instance, GCC
made with "WANT_FORCE_OPTIMIZATION_DOWNGRADE=1" is a good setting for the
Alpha platform when building ports.
: 2001-08-14 Ruslan Ermilov <ru@FreeBSD.org>
:
: * tmac/doc.tmac (Ex): New implementation.
: * tmac/doc-common, tmac/groff_tmac.man: Updated.
This adds a new macro, .Ex (Exit Status), for use in the
DIAGNOSTICS section of section 1, 6 and 8 manpages.
Prodded by: dd
o Because of export controls, TELNET ENCRYPT option is not supported outside
of the United States and Canada.
o Because of export controls, data encryption
is not supported outside of the United States and Canada.
src/crypto/README revision 1.5 commit log says:
> Crypto sources are no longer export controlled:
> Explain, why crypto sources are still in crypto/.
and actually telnet encryption is used outside of US and Canada now.
Pointed out by: OHSAWA Chitoshi <ohsawa@catv1.ccn-net.ne.jp>
Reviewed by: no objection on doc
: 2001-08-13 Ruslan Ermilov <ru@FreeBSD.org>
:
: * tmac/doc.tmac (Rv): Implement support for 0 or more than 1
: argument.
: * tmac/groff_tmac.man: Updated.
All of the following are now valid:
.Rv -std f1
.Rv -std f1 f2
.Rv -std f1 f2 f3
.Rv -std
The last form is useful where the standard return behavior is applicable
to all of the functions described in this particular manpage. Look, for
example, at the stat(2), setresuid(2), and utimes(2) manpages.
The form with >1 functions is useful in a mixed environment. See the
fhopen(2) manpage for an example.
Prodded by: yar
Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text.
Not only does this slow down the mdoc(7) processing significantly, but it also
has an undesired (in this case) effect of disabling hyphenation within the
entire enclosed block.
I am not sure who thought that making FreeBSD depend on ISC's libbsd
was a sensible thing to do.
Thus I have ripped out the define of gettimeofday() and isc__gettimeofday()
out of this file, since we:
1) Don't use nor build libbsd (FreeBSD might give a hint in its name as to
why)
2) Our gettimeofday() is the same in semantics as prototyped in ISC's
libbsd.
This was something which could have been fixed before it was released if
we had at least some insight into the development process. But my praying
fell on deaf ears it seems.
Of course, if I am wrong I welcome the corrections to my thinking, gladly
even.
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that this entire copyright notice
+* is duplicated in all such copies.
Obtained from: ftp://ftp.porcupine.org/pub/security/tcp_wrappers_license
to do what they are supposed to: under some circumstances output data would
be truncated, or the buffer would not actually be flushed (possibly leading
to overflows when the caller assumes the operation succeeded). Change the
semantics so that these functions ensure they complete the operation before
returning.
Comment out diagnostic code enabled by '-D reports' which causes an
infinite recursion and an eventual crash.
Patch developed with assistance from ru and assar.
o Fixed `nfrontp' calculations in output_data(). If `remaining' is
initially zero, it was possible for `nfrontp' to be decremented.
Noticed by: dillon
o Replaced leaking writenet() with output_datalen():
: * writenet
: *
: * Just a handy little function to write a bit of raw data to the net.
: * It will force a transmit of the buffer if necessary
: *
: * arguments
: * ptr - A pointer to a character string to write
: * len - How many bytes to write
: */
: void
: writenet(ptr, len)
: register unsigned char *ptr;
: register int len;
: {
: /* flush buffer if no room for new data) */
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: if ((&netobuf[BUFSIZ] - nfrontp) < len) {
: /* if this fails, don't worry, buffer is a little big */
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: netflush();
: }
:
: memmove(nfrontp, ptr, len);
: nfrontp += len;
:
: } /* end of writenet */
What an irony! :-)
o Optimized output_datalen() a bit.
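The failure mode discussed above, as an added example that is not the telnetd source: a model of the quoted writenet() pattern (one flush, then copy regardless) beside a writer that completes the operation before returning. The 16-byte buffer, the `wire` sink that accepts 4 bytes per call, and the names `flush_once`, `writenet_model` and `write_all_model` are assumptions; the model reports the overflow with -1 instead of performing it.

```c
#include <stdio.h>
#include <string.h>
#define NETOBUF 16   /* constructed small size; the quoted code uses BUFSIZ */
static unsigned char netobuf[NETOBUF], *nfrontp = netobuf, *nbackp = netobuf;
static unsigned char wire[256];      /* constructed stand-in for the socket */
static size_t wire_len, chunk = 4;   /* sink accepts at most `chunk` bytes per call */

static size_t room(void) { return (size_t)(&netobuf[NETOBUF] - nfrontp); }

/* One flush attempt; like a busy socket it may drain only part of the buffer. */
static void flush_once(void)
{
    size_t n = (size_t)(nfrontp - nbackp);
    if (n > chunk) n = chunk;
    if (wire_len + n <= sizeof wire) memcpy(wire + wire_len, nbackp, n);
    wire_len += n; nbackp += n;
    if (nbackp == nfrontp) nbackp = nfrontp = netobuf;
}

/* Shape of the quoted writenet(): one flush, then copy. Returns -1 where the
 * original, which has no second check, would write past the end of netobuf. */
static int writenet_model(const char *p, size_t len)
{
    if (room() < len) flush_once();
    if (room() < len) return -1;
    memmove(nfrontp, p, len);
    nfrontp += len;
    return 0;
}

/* Complete-before-return: copy what fits, flush until there is room again. */
static size_t write_all_model(const char *p, size_t len)
{
    size_t done = 0;
    while (done < len) {
        size_t n = len - done < room() ? len - done : room();
        if (n == 0) { flush_once(); continue; }
        memmove(nfrontp, p + done, n);
        nfrontp += n; done += n;
    }
    return done;
}

int main(void)
{
    writenet_model("AAAAAAAAAAAA", 12);                       /* fits: 12 of 16 */
    printf("old=%d ", writenet_model("BBBBBBBBBB", 10));       /* -1 */
    printf("new=%zu\n", write_all_model("BBBBBBBBBB", 10));    /* 10 */
    return 0;
}
```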
(ironically, the assumption is in a code block which is conditional on its
converse). This isn't strictly the correct fix; it's more of a workaround
to prevent an infinite loop. The correct fix (see
ports/editors/nvi-devel/files/patch-vi-relative r1.1) would take a file off
the vendor branch, but since the result for this version of nvi is
identical, this route was elected.
PR: 28687
Approved by: -developers
: 2001-07-18 Ruslan Ermilov <ru@FreeBSD.org>
:
: * tmac/groff_mdoc.man: Document new -width and -column syntax.
: Some other minor fixes.
: * tmac/an-old.tmac: Add `AT' and `UC' macros.
to std{err,out} will not spam /etc/resolv.conf.
Ted Lemon fixed the problem in version 3 of the client, but only for the
pre-daemonized case. Thanks to Brian for pointing that out and helping
to make our future dhclient (v3) better.
Submitted by: brian
Fold -xwidth functionality into -width. .Bl now tests whether
string immediately following a leading dot starts with a valid
macro name.
Added similar functionality to the -column list's column width
specifiers. For example, the following now works as expected:
.Bl -column ".Va hw.crusoe.percentage" ".Vt integer" "Changeable"
.It Sy "Name\tType\tChangeable\tDescription"
.It Va hw.crusoe.longrun Ta Vt integer Ta yes Ta "LongRun mode:"
.It Ta Ta Ta "0: minimum frequency mode"
.It Ta Ta Ta "1: power-saving mode"
.It Ta Ta Ta "2: performance mode"
.It Ta Ta Ta "3: maximum frequency mode"
.It Va hw.crusoe.frequency Ta Vt integer Ta no Ta "Current frequency (MHz)."
.It Va hw.crusoe.voltage Ta Vt integer Ta no Ta "Current voltage (mV)."
.It Va hw.crusoe.percentage Ta Vt integer Ta no Ta "Processing performance (%)."
.El
This is especially useful for groff devices with variable width
fonts, like -Tps or -TX100.