Commit Graph

4920 Commits

Author SHA1 Message Date
Giorgos Keramidas
00935aacf5 Add defaults for /etc/rc.d/gssd
Approved by:	dfr
2008-11-05 10:20:33 +00:00
Xin LI
cef3930d7c Correct a typo that prevented my laptop from starting
devd.
2008-11-04 23:03:36 +00:00
Rui Paulo
31fb990621 Add support for Asus A8Sr notebooks.
PR:		128553
Submitted by:	Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Reviewed by:	philip
MFC after:	2 months
2008-11-04 11:52:50 +00:00
Doug Rabson
a9148abd9d Implement support for RPCSEC_GSS authentication to both the NFS client
and server. This replaces the RPC implementation of the NFS client and
server with the newer RPC implementation originally developed
(actually ported from the userland sunrpc code) to support the NFS
Lock Manager.  I have tested this code extensively and I believe it is
stable and that performance is at least equal to the legacy RPC
implementation.

The NFS code currently contains support for both the new RPC
implementation and the older legacy implementation inherited from the
original NFS codebase. The default is to use the new implementation -
add the NFS_LEGACYRPC option to fall back to the old code. When I
merge this support back to RELENG_7, I will probably change this so
that users have to 'opt in' to get the new code.

To use RPCSEC_GSS on either client or server, you must build a kernel
which includes the KGSSAPI option and the crypto device. On the
userland side, you must build at least a new libc, mountd, mount_nfs
and gssd. You must install new versions of /etc/rc.d/gssd and
/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.

As long as gssd is running, you should be able to mount an NFS
filesystem from a server that requires RPCSEC_GSS authentication. The
mount itself can happen without any kerberos credentials but all
access to the filesystem will be denied unless the accessing user has
a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There
is currently no support for situations where the ticket file is in a
different place, such as when the user logged in via SSH and has
delegated credentials from that login. This restriction is also
present in Solaris and Linux. In theory, we could improve this in
future, possibly using Brooks Davis' implementation of variant
symlinks.

Supporting RPCSEC_GSS on a server is nearly as simple. You must create
service creds for the server in the form 'nfs/<fqdn>@<REALM>' and
install them in /etc/krb5.keytab. The standard heimdal utility ktutil
makes this fairly easy. After the service creds have been created, you
can add a '-sec=krb5' option to /etc/exports and restart both mountd
and nfsd.

The only other difference an administrator should notice is that nfsd
doesn't fork to create service threads any more. In normal operation,
there will be two nfsd processes, one in userland waiting for TCP
connections and one in the kernel handling requests. The latter
process will create as many kthreads as required - these should be
visible via 'top -H'. The code has some support for varying the number
of service threads according to load but initially at least, nfsd uses
a fixed number of threads according to the value supplied to its '-n'
option.

Sponsored by:	Isilon Systems
MFC after:	1 month
2008-11-03 10:38:00 +00:00
Pawel Jakub Dawidek
3239bc5923 ifconfig(8) can take only one interface at a time. 2008-10-30 20:24:25 +00:00
Mark Peek
3f2459c989 Explicitly set the shell to /bin/sh when MK_TCSH == no.
Not objected to by:	sam
2008-10-29 18:46:47 +00:00
Andrew Thompson
5e3b315e31 Add ucomX shortcuts just like its uart sibling. 2008-10-27 17:19:14 +00:00
Andrew Thompson
9b35f11ea5 Make a note about the notify codes for the four special function keys above the
keyboard on the EeePC.
2008-10-27 16:20:40 +00:00
Sam Leffler
5b6f501657 o fix MK_TCSH == no: the default master.passwd sets up root to use /bin/csh
but there won't be one so root won't be able to login; edit the installed
  file to use /bin/sh in this case.
o while here split csh-related files apart from sh and only install them
  when requested
2008-10-27 16:13:28 +00:00
Andrew Thompson
02c7950097 Show which rc script is running since the default ^T just shows 'sh' as the
process.
2008-10-27 01:05:09 +00:00
Ed Schouten
53cb00a92b Sort `mount -p' output by name before checking for any differences.
I noticed on a system at home that restarting named(8) causes the
/var/named/dev mount to be moved to the bottom of the mount list,
because it gets remounted. When I received the daily security email this
morning, I was quite amazed to see that the security report listed the
differences, while it was nothing out of the ordinary.

If we just throw the `mount -p' output through sort(1), we'll only
receive notifications about changes to mounts if something has really
changed.
2008-10-25 18:45:40 +00:00
Warner Losh
64bf633eec Add entries for uart based serial ports. All the serial ports on mips
so far are uart subclasses.  Also, turn uart0 on by default.
2008-10-12 06:58:03 +00:00
Dag-Erling Smørgrav
0a25b2e007 Create separate cat directories for en.UTF-8. This, together with r183697,
allows users in en.UTF-8 locales to see non-ascii characters in man pages.

MFC after:	1 week
2008-10-08 13:28:02 +00:00
Brooks Davis
4c8b092e18 Remove compat support for vaps_<ifn> and vap_create_<ifn> variables as
promised in r178527.  These variables were never in a release version.

Reminded by:	sam
2008-10-01 18:46:46 +00:00
Ruslan Ermilov
85e5290d11 Allow a jail's IP alias to be created with an arbitrary netmask.
MFC after:	3 days
2008-09-24 15:18:27 +00:00
Sam Leffler
e8d1aafbed add back regdomain.xml
Noticed by:	jhay
2008-09-22 15:37:47 +00:00
Sam Leffler
690f477d75 add new build knobs and jigger some existing controls to improve
control over the result of buildworld and installworld; this especially
helps packaging systems such as nanobsd

Reviewed by:	various (posted to arch)
MFC after:	1 month
2008-09-21 22:02:26 +00:00
Andrew Thompson
51e1463035 Allow a jail to be started with a specific route fib.
Reviewed by:	secteam (simon)
Reviewed by:	brooks, bz
2008-09-16 20:18:25 +00:00
Bruce M Simpson
1f7f299117 Add support to rc.initdiskless for /conf/T/M/remount_subdir.
This allows the location of the configuration data to be relocated
within the filesystem containing it. A nullfs mount is used in order
to achieve this.

Obtained from:	XORP, Inc.
2008-09-09 18:40:50 +00:00
Gregory Neil Shapiro
3d7a6823f7 A no-op commit to simulate the effect of a forced commit so the file
has a new timestamp as needed for mergemaster.  A more long term
solution to this is needed since svn doesn't support forced commits.
2008-08-31 18:21:15 +00:00
John Baldwin
a0f01ecb62 Add the ability to run /usr/sbin/crashinfo on a new core dump automatically
during boot.  Right now this is disabled by default, but it can be enabled
by setting 'crashinfo_enable=YES' in rc.conf.

MFC after:	2 weeks
2008-08-29 20:30:30 +00:00
Gregory Neil Shapiro
523069c84e Google changed the location of the blacklists again.
Submitted by:	Tim Pozar
2008-08-28 07:03:13 +00:00
Dag-Erling Smørgrav
c02d68217d Make obrien happy #2 2008-08-25 16:31:53 +00:00
Dag-Erling Smørgrav
e64eb994bf Make obrien happy 2008-08-25 16:28:54 +00:00
Ed Schouten
0a3bd811c6 Restore 256 pty(4) entries.
As discussed with Robert Watson on the src-committers list, it is safer
to keep at least some pty(4) entries in /etc/ttys, for applications that
roll their own PTY allocation routine and only search for BSD-style
PTY's.

This means we've now just toggled the amount of entries for pts(4) and
pty(4).

Requested by:	rwatson
2008-08-24 08:41:29 +00:00
Ed Schouten
fa38c73642 Remove old BSD-style entries from /etc/ttys and increase pts(4) to 512.
Because we now use pts(4)-style PTY's exclusively, there is no use for
these entries in /etc/ttys. Right now the pts(4) entries only go from 0
to 255. Because we're going to touch these files anyway, increase the
number to 511.

Discussed with:	philip (ex-mentor)
2008-08-23 14:36:39 +00:00
Rui Paulo
20c78c6e69 Cope with the file rename by changing rc variables. 2008-08-21 00:04:19 +00:00
Ed Schouten
bc093719ca Integrate the new MPSAFE TTY layer to the FreeBSD operating system.
The last half year I've been working on a replacement TTY layer for the
FreeBSD kernel. The new TTY layer was designed to improve the following:

- Improved driver model:

  The old TTY layer has a driver model that is not abstract enough to
  make it friendly to use. A good example is the output path, where the
  device drivers directly access the output buffers. This means that an
  in-kernel PPP implementation must always convert network buffers into
  TTY buffers.

  If a PPP implementation would be built on top of the new TTY layer
  (still needs a hooks layer, though), it would allow the PPP
  implementation to directly hand the data to the TTY driver.

- Improved hotplugging:

  With the old TTY layer, it isn't entirely safe to destroy TTY's from
  the system. This implementation has a two-step destructing design,
  where the driver first abandons the TTY. After all threads have left
  the TTY, the TTY layer calls a routine in the driver, which can be
  used to free resources (unit numbers, etc).

  The pts(4) driver also implements this feature, which means
  posix_openpt() will now return PTY's that are created on the fly.

- Improved performance:

  One of the major improvements is the per-TTY mutex, which is expected
  to improve scalability when compared to the old Giant locking.
  Another change is the unbuffered copying to userspace, which is both
  used on TTY device nodes and PTY masters.

Upgrading should be quite straightforward. Unlike previous versions,
existing kernel configuration files do not need to be changed, except
when they reference device drivers that are listed in UPDATING.

Obtained from:		//depot/projects/mpsafetty/...
Approved by:		philip (ex-mentor)
Discussed:		on the lists, at BSDCan, at the DevSummit
Sponsored by:		Snow B.V., the Netherlands
dcons(4) fixed by:	kan
2008-08-20 08:31:58 +00:00
David E. O'Brien
55a738ec2b Rename the RCng 'kernel' script to 'kernel_symlink'. 2008-08-20 03:02:06 +00:00
David E. O'Brien
5241279fa1 Rename the RCng 'kernel' script to 'kernel_symlink'.
Requested by: many
2008-08-19 14:23:31 +00:00
John Baldwin
66f8d384cf Allow the network addresses and interface names for the "client" and
"workstation" firewall types to be set from rc.conf so that rc.firewall
no longer needs local patching to be usable for those types.  For now
I've set the variables in /etc/defaults/rc.conf to the previous defaults
in /etc/rc.firewall.

PR:		bin/65258
Submitted by:	Valentin Nechayev  netch of netch.kiev.ua
Silence from:	net
MFC after:	2 weeks
2008-08-15 19:20:59 +00:00
John Baldwin
176baffe3f For the "client" and "simple" network types, collapse the separate "net"
and "mask" variables into a single "net" variable that contains a full
network address (including either a netmask or prefix length at the user's
choice).  Update the example settings to match.

MFC after:	2 weeks
2008-08-15 19:14:25 +00:00
John Baldwin
228835b658 Use 'me' rather than explicit IP addresses for the "simple" and "client"
firewall configurations.

PR:		bin/65258
Silence on:	net@
MFC after:	1 week
2008-08-15 18:58:15 +00:00
John Baldwin
7b0b86a726 For the firewall_* variables that are specific to the "workstation"
firewall type, note that property in their description.

MFC after:	1 week
2008-08-15 18:48:29 +00:00
Antoine Brodin
86e82d6ef7 Improve periodic/security/550.ipfwlimit a bit:
- don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
- handle rules without logging limit correctly [1]
(those rules show up without logamount in "ipfw -a list")

PR:		conf/126060 [1]
MFC after:	1 month
2008-08-10 18:11:24 +00:00
David E. O'Brien
01faf7789b Only symlink booted kernel directory to /boot/kernel if user has explicitly
requested it.  This is too dangerous to just do behind the admin's back.
2008-08-09 01:19:00 +00:00
Colin Percival
9c4ca95bf7 Add /usr/share/man/whatis, /var/db/locate.database, and /var/log to the
list of paths which `freebsd-update IDS` should ignore by default.
2008-08-08 10:36:16 +00:00
Daniel Gerzo
1f696cd2bc - back out my last commit as it seems to be wrong.
Spotted by: das
2008-08-03 19:01:07 +00:00
Colin Percival
a7fbbdf0a4 Make freebsd-update IDS not complain about /usr/share/man/cat* by
default.
2008-08-02 00:11:43 +00:00
Doug Barton
c1f84335c4 When using SRV records the protocols and services files need to be in the
chroot /etc directory.

PR:		conf/121101
Submitted by:	Stefan `Sec` Zehl <sec@42.org>
2008-08-01 06:11:33 +00:00
Doug Barton
d25761ca5b Add the -c option for named_flags (still commented out) that is
relevant for ports users, and change the comment to match.

While I'm here fix the capitalization of the named_program comment.
2008-08-01 05:15:54 +00:00
John Baldwin
4746c560a4 Oops, restore the recent changes to make startup messages quieter. 2008-07-31 22:13:14 +00:00
John Baldwin
4ceda705b7 Parse sysctl settings from /etc/sysctl.conf.local after /etc/sysctl.conf
if it exists.  This mirrors similar behavior for /boot/loader.conf and
/etc/rc.conf.

Obtained from:	Yahoo!
MFC after:	1 week
2008-07-31 21:57:35 +00:00
Antoine Brodin
c9853f4659 Remove an empty directory that is already in ObsoleteFiles.inc from
mtree/BSD.usr.dist
2008-07-28 17:42:37 +00:00
Andrew Thompson
c7971a92ea Change the module example to kldload since this is the resume side. 2008-07-21 22:55:40 +00:00
Marcel Moolenaar
8941d4ae1d Remove sioX as an alias for uartX. It is believed to be
more confusing than helpful.

Suggested by: jhb
2008-07-21 22:38:00 +00:00
Marcel Moolenaar
ba5e45704b With uart(4) default, change sio# to uart# so that
out-of-the-box FreeBSD is consistent.
2008-07-19 20:12:33 +00:00
Marcel Moolenaar
9005d65e46 With uart(4) default, change /dev/cuad# to /dev/cuau# and
sio# to uart# so that out-of-the-box FreeBSD is consistent.
2008-07-19 20:12:02 +00:00
Marcel Moolenaar
7fc2c2bc83 With uart(4) default, change /dev/cuad# to /dev/cuau# and
sio# to uart# so that out-of-the-box FreeBSD is consistent.
2008-07-19 20:11:33 +00:00
Marcel Moolenaar
abc45eb8f5 With uart(4) default, change /dev/cuad# to /dev/cuau# so that
out-of-the-box FreeBSD is consistent.
2008-07-19 20:00:18 +00:00