The periodic 200.backup-passwd script outputs any differences it finds
in master.passwd, relative to the previous backup. It intends to elide
the encrypted password field, but previously did so only for changed
lines (i.e., those beginning with - or + in the diff).
Apply the sed expression also to unchanged lines to also elide their
passwords.
PR: 223461
Reported by: Andre Albsmeier
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
and checks if ntp leapfile needs fetching before entering into the
anticongestion sleep.
Unfortunately some ports still use their own sleeps so, this commit
doesn't address the complete problem which is compounded by every
port that uses its own anticongestion mechanism.
Discussed with: asomers
/etc/{group,master.passwd}. This was originally turned on for all of
/etc/{aliases,group,master.passwd} in r55196, but then backed out
only for the latter two in r56697, as the adaption of the sed(1)ing
done in r56308 was incorrect. This left us with inconsistent diff(1)
formats in the daily output of periodic(8) ever since, despite in
r56697 having been promised to be revisited. So properly adapt the
password hash filtering to the unified format and turn the later on
again for /etc/{group,master.passwd}, too.
r322277 moved rwho* and ruptime out of the MK_RCMDS conditional including
updating the obsolete files entries to not remove these scripts due to
WITHOUT_RCMDS=yes. However, the initial installation was still conditional
on MK_RCMDS, so new installs did not include these scripts and upgrades via
mergemaster or etcupdate removed them.
PR: 220953
MFC after: 1 month
Previously, 450.status-security would always set rc=3 in inline mode,
because it doesn't know whether "periodic security" is going to find
anything interesting. But this annoyingly results in daily reports that
simply say "Security check: \n\n-- End of daily output --".
This change fixes that by testing whether "periodic security" printed
anything, and setting 450.status-security's exit status to 3 if it did. An
alternative would be to change the exit status of periodic(8) to be the
worst of its scripts' exit statuses, but that would be a more intrusive
change.
Reviewed by: brian
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D10267
Multiple periodic scripts sleep for a random amount of time in order to
mitigate the thundering herd problem. This is bad, because the sum of
multiple uniformly distributed random variables approaches a normal
distribution, so the problem isn't mitigated as effectively as it would be
with a single sleep.
This change creates a single configurable anticongestion sleep. periodic
will only sleep if at least one script requires it, and it will never sleep
more than once per invocation. It also won't sleep if periodic was run
interactively, fixing an unrelated longstanding bug.
PR: 217055
PR: 210188
Reviewed by: cy
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D10211
If one of the scripts listed in (daily|weekly|monthly)_local is executable,
999.local should simply execute it. Only if the script isn't executable
should 999.local assume it needs /bin/sh.
Reviewed by: brian
MFC after: 3 weeks
Sponsored by: Spectra Logic Corp
24 hours is too long. Periodic scripts are executed serially, so when
combined with the sleep in 410.pkg-audit periodic could actually take more
than 24 hours and block the next invocation.
Reviewed by: cy
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D7481
The working copy of leapfile resides in /var/dbntpd.leap-seconds.list.
/etc/ntp/leap-seconds (periodically updated from ftp://time.nist.gov/pub/
or ftp://tycho.usno.navy.mil/pub/ntp/) contains the master copy should
automatic leapfile updates be disabled (default).
Automatic leapfile updates are fetched from $ntp_leapfile_sources,
defaulting to https://www.ietf.org/timezones/data/leap-seconds.list,
within $ntp_leapfile_expiry_days (default 30 days) from leap-seconds
file expiry. Automatic updates can be enabled by setting
$daily_ntpd_leapfile_enable="YES" in periodic.conf. To avoid congesting
the ntp leapfile source the automatic update randomized by default but
can be disabled through daily_ntpd_avoid_congestion="NO" in
periodic.conf.
Suggested by: des
Reviewed by: des, roberto, dwmalone, ian, cperciva, glebius, gjb
MFC after: 1 week
X-MFC with: r289421, r293037
output from df, similar to what security/200.chkmounts does. This can be
useful to avoid listing automounted ZFS snapshots, for instance.
MFC after: 1 week
The command was checking local/remote system uptime, so rename the script to
match its function and to avoid confusion
The controlling variable in /etc/periodic.conf has been renamed from
daily_status_rwho_enable to daily_status_uptime_enable.
MFC after: 3 days
Reported by: Peter Jeremy <peter@rulingia.com>
Relnotes: yes
Sponsored by: EMC / Isilon Storage Division
In particular, this allows an administrator to specify "-h" for human
readable output if that is preferred.
The default setting passes "-d", so that can be excluded by using a custom
setting.
Differential Revision: https://reviews.freebsd.org/D2034
Submitted by: Lystopad Aleksandr <laa@laa.zp.ua>
(patch to add option for -h)
Reviewed by: bz
MFC after: 1 week
periodic(8) run, taken from uname(1) '-U' and '-K'
flags.
Reviewed by: allanjude, dvl
Differential Revision: https://reviews.freebsd.org/D1541
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Mounting something in /tmp such as a build jail with nullfs mounts for
some directories can result in very surprising results the next day.
MFC after: 2 weeks
Relnotes: yes
forced to 3 so that the output of this script is always displayed.
In fact, setting this flag is identical to setting
daily_status_security_output to an empty string. To make the logic
less confusing, change the behavior of daily_status_security_inline
such that it just forces daily_status_security_output to an empty
string and then applies the normal logic.
PR: conf/178611
Submitted by: Jason Unovitch <jason.unovitch@gmail.com>
MFC after: 3 days
only 1 old file to be saved, so fix this. Problem raised in the PR,
but actually required a different solution.
While I'm here, fix a very old off-by-one error causing 1 more file
than specified in daily_accounting_save to be saved because acct.0
was not taken into account (pun intended). Change that, and use a more
thorough method of finding old files to delete. Partly just because this
is the right thing to do, but also to silently fix the extra log that
would have been left behind forever with the previous method.
PR: conf/160848
Submitted by: Andrey Zonov <andrey@zonov.org>
to avoid causing errors in the shell script.
Submitted by: William Grzybowski <william88@gmail.com>
Approved by: kib (mentor)
MFC after: 7 days
Sponsored by: iXsystems
2. Add the -H flag to tar in case /var/db/pkg itself is a symlink
3. Direct stderr to /dev/null to suppress the leading slash warning [1]
PR: ports/156810 [1]
Submitted by: Jeremy Chadwick <freebsd@jdc.parodius.com> [1]
tell that there is a separate email or that the output is logged to a file.
This commit changes the return code for the non-inline case to tell that
this message is not important enough and can be masked if necessary. The
messages from the security checks themself are not affected by this and
show up as before in the periodic security email/file.
The inline case still requests to not mask the output, as with the current
way of handling this there is no easy way to handle this.
PR: 138692
Analysis/patch atch by: Chris Cowart <ccowart@timesinks.net>
X-MFC after: on request
The final product contains work from the originator, and
Florent Thoumie <florent.thoumie@gmail.com>. The final
product contains considerable re-working by me, so all
responsibility for bugs rests under my pointy hat.
PR: ports/145957
Submitted by: Eitan Adler <EitanAdlerList@gmail.com>
