Commit Graph

12759 Commits

Author SHA1 Message Date
wpaul
abd2ed647c Add securenets support (uses same access control mechanism as ypserv,
also controlled by /var/yp/securenets).

Add -u flag to turn off the privileged port check done by yp_access();
some commercial systems (IRIX, Solaris 2.x, HP-UX, and probably others)
don't use a reserved port for submitting yppasswd updates. If we always
enforce the check, these client systems will be unable to submit updates
to us.

Document securenets support and -u flag in man page.

Like ypserv, you can compile rpc.yppasswdd to use the tcpwrapper package
instead of securenets if you want to.
1996-02-24 22:10:42 +00:00
wpaul
ad0849d890 Add real securenets support. By default, ypserv now uses /var/yp/securenets
in the same was as the SunOS ypserv (same format, described in ypserv man
page). If the user wants tcpwrapper style access control, they can
recompile ypserv to use that instead. This way we get securenets without
having to ship libwrap.a and tcpd.h with core FreeBSD distribution.

If /var/yp/securenets doesn't exist, ypserv allows all connections.
1996-02-24 22:01:48 +00:00
bde
8a2d37b3e5 Added support for Cyclades and Digiboard devices.
Submitted by:	Daniel O'Callaghan <danny@lynx.its.unimelb.edu.au>
                + mods by bde
1996-02-24 19:51:25 +00:00
joerg
9dbe7cd8d3 Now that we install the `flex' alias for our lex, we should also
install the `libfl' alias for libl.  Some third-party software will
expect it this way.

Submitted by:	Holm tiffe (holm@geophysik.tu-freiberg.de)
1996-02-24 16:31:31 +00:00
peter
e5c7708552 Add minherit.2 to Makefile.. (oops, forgot it before) 1996-02-24 15:32:12 +00:00
peter
4223430ef2 If the two recently added sysctl variables exist, use those rather than
the statically compiled PS_STRINGS and USRSTACK variables.  This prevents
programs using setproctitle from coredumping if the kernel VM is increased,
and stops libkvm users (w, ps, etc) from needing to be recompiled if only
the VM layout changes.
1996-02-24 14:37:30 +00:00
peter
427e11b898 Add two sysctl variables that can be read by libutil and libkvm so that
they can adapt to simple kernel VM layout changes.
1996-02-24 14:32:53 +00:00
phk
0fc9e4e31d Make the ipfw LKM work again.
This concludes this round of updates to ipfw, have at it!
1996-02-24 13:41:57 +00:00
phk
bd3794521a Update to match kernel code. 1996-02-24 13:39:46 +00:00
phk
45a7f29691 Make getsockopt() capable of handling more than one mbuf worth of data.
Use this to read rules out of ipfw.
Add the lkm code to ipfw.c
1996-02-24 13:38:28 +00:00
phk
4bcbc91c0c A new ipfw program that can set and control the new features.
An almost correct usage is printed.
1996-02-24 00:20:56 +00:00
phk
91b3fcc1e2 The new firewall functionality:
Filter on the direction (in/out).
	Filter on fragment/not fragment.
1996-02-24 00:17:35 +00:00
peter
76dbdac3af Attempt to document the recent in_pcb local port address changes.. 1996-02-23 21:01:35 +00:00
phk
f4937893f0 I overlooked this one. 1996-02-23 20:11:37 +00:00
peter
b6d5c41340 rfork/minherit glue in libc
man pages adapted from OpenBSD's versions.
1996-02-23 19:56:55 +00:00
peter
a11313c102 Add prototype for rfork(). 1996-02-23 19:45:46 +00:00
peter
aee43c65cc Garrett pointed out that the correct place for unix system call args
is <sys/unistd.h>, with the prototype in <unistd.h>.  sys/unistd.h
is visible to the kernel compile, and is #included by unistd.h.

Also, I missed a reference to a static int in the midst of my other diffs.
1996-02-23 19:44:10 +00:00
peter
5239b23b5d kern_descrip.c: add fdshare()/fdcopy()
kern_fork.c: add the tiny bit of code for rfork operation.
kern/sysv_*: shmfork() takes one less arg, it was never used.
sys/shm.h: drop "isvfork" arg from shmfork() prototype
sys/param.h: declare rfork args.. (this is where OpenBSD put it..)
sys/filedesc.h: protos for fdshare/fdcopy.
vm/vm_mmap.c: add minherit code, add rounding to mmap() type args where
it makes sense.
vm/*: drop unused isvfork arg.

Note: this rfork() implementation copies the address space mappings,
it does not connect the mappings together.  ie: once the two processes
have split, the pages may be shared, but the address space is not. If one
does a mmap() etc, it does not appear in the other.  This makes it not
useful for pthreads, but it is useful in it's own right for having
light-weight threads in a static shared address space.

Obtained from: Original by Ron Minnich, extended by OpenBSD
1996-02-23 18:49:25 +00:00
peter
834adf89dc Run makesyscalls to regen the tables. 1996-02-23 18:31:34 +00:00
peter
f558684e98 Add hooks for rfork/minherit pair, and reset args of vfork in preperation
for adding the syscalls.
1996-02-23 18:20:44 +00:00
peter
1088566d7f Note the syscall numbers used in BSD/OS 2.x. We dont want to
accidently use one of these ourselves as it'd make it harder to run
their binaries.
Also, remove the now-defunct #include "opt_sysvipc.h".
1996-02-23 18:03:08 +00:00
pst
e51a913788 If a .db file is 0 length, initialize it as if it did not exist.
Reviewed by:	wollman
1996-02-23 17:57:32 +00:00
wpaul
fe4185f027 Merge in changes to support the new rpc.yppasswdd(8) and fix a few bugs.
In passwd(1):

- Gut most of yp_passwd.c and leave only a few things that aren't common
  to pw_yp.c.

- Add support for -d and -h flags to select domains and NIS server hosts
  to use when updating NIS passwords. This allows passwd(1) to be used
  for changing NIS passwords from machines that aren't configured as
  NIS clients. (This is mostly to allow passwd(1) to work on NIS master
  servers that aren't configured as clients -- an NIS server need not
  necessarily be configured as a client itself.)

  NOTE: Realize that having the ability to specify a domain and hostname
  lets you use passwd(1) (and chpass(1) too) to submit update requests
  to yppasswd daemons running on remote servers in remote domains which
  you may not even be bound to. For example, my machine at home is not
  an NIS client of the servers on the network that I manage, yet I can
  easily change my password at work using my FreeBSD box at home by doing:
  'passwd -d work.net.domain -h any.nis.server.on.my.net wpaul'. (Yes,
  I do use securenets at work; temporarily modified my securenets file
  to give my home system access.) Some people may not be too thrilled
  with this idea. Those who don't like this feature can recompile passwd(1)
  and chpass(1) with -DPARANOID to restrict the use of these flags to
  the superuser.

  (Oh, I should be adding proper securenets support to ypserv(8) and
  rpc.yppasswdd(8) over the weekend.)

- Merge in changes to allow root on the NIS master server to bypass
  authentication and change any user's NIS password. (The super-user
  on the NIS master already has privileges to do this, but doing it
  through passwd(1) is much easier than updating the maps by hand.)
  Note that passwd(1) communicates with rpc.yppasswdd(8) via a UNIX
  domain socket instead of via standard RPC/IP in this case.

- Update man page.

In chpass(1):

- Fix pw_yp.c to work properly in environments where NIS client
  services aren't available.

- Use realloc() instead of malloc() in copy_yp_pass() and copy_local_pass().

- Fix silly bug in copy_yp_pass(); some of the members of the passwd
  structure weren't being filled in correctly. (This went unnoticed
  for a while since the old yppasswdd didn't allow changes to the
  fields that were being botched.)

- chpass(1) now also allows the superuser on the NIS master server to
  make unrestricted changes to any user's NIS password information.

- Use UNIX domain comm channel to rpc.yppasswdd(8) when run by the
  superuser on the NIS master. This allows several new things:

   o superuser can update an entire master.passwd.{byname,byuid} entry
   o superuser can update records in arbitrary domains using -d flag to
     select a domain (before you could only change the default domain)
   o superuser can _add_ records to the NIS master.passwd maps, provided
     rpc.yppasswdd(8) has been started with the -a flag (to do this,
     the superuser must force NIS operation by specifying the -y flag
     to chpass(1) along with -a, i.e. 'chpass -y -a 'foo:::::::::')

- Back out the 'chpass -a <new password entry> breaks with NIS' fix
  from the last revision and fix it properly this time. The previous
  revision fixed the immediate problem but broke NIS operation in
  some cases.

- In edit.c, be a little more reasonable about deciding when to
  prevent the shell field from being changed.

  Submitted by Charles Owens <owensc@enc.edu>, who said:

  "I made a minor (one-line) modification to chpass, with regards
   to whether or not it allows the changing of shells.  In the 2.0.5 code,
   field changing follows the settings specified in the "list" structure
   defined in table.c .  For the shell, though, this is ignored.  A quick
   look in edit.c showed me why, but I don't understand why it was written as
   such.  The logic was

        if shell is standard shell, allow changing

   I changed it to

        if shell changing is allowed (per table.c) and it is a standard shell
             OR if uid=0, then allow changing."

   Makes sense to me.

- Update man page.
1996-02-23 16:08:59 +00:00
phk
d2379a0d6e Update -current ipfw program as well.
I hope it all compiles...
1996-02-23 15:52:28 +00:00
phk
37d6472c4f Big sweep over the IPFIREWALL and IPACCT code.
Close the ip-fragment hole.
Waste less memory.
Rewrite to contemporary more readable style.
Kill separate IPACCT facility, use "accept" rules in IPFIREWALL.
Filter incoming >and< outgoing packets.
Replace "policy" by sticky "deny all" rule.
Rules have numbers used for ordering and deletion.
Remove "rerorder" code entirely.
Count packet & bytecount matches for rules.

Code in -current & -stable is now the same.
1996-02-23 15:47:58 +00:00
adam
8b3d623d79 rpc.yppasswdd instead of yppasswdd 1996-02-23 10:44:49 +00:00
peter
67294f93a6 Add a dire warning about misusing the setlogin() system call. Be very
explicit that it is global to the entire "session", and that setsid() or
daemon() are need to have been called at some point.

The most notable offender of setlogin() misuse is XFree86's xdm.
1996-02-23 10:28:01 +00:00
ache
e381a36539 Kill gets() found 1996-02-23 03:01:53 +00:00
joerg
ea79e2eb48 Add a note about the RFC-1535 compliant behaviour of the recent BIND
version that's now shipping with FreeBSD.

Pointed-out by: Holm Tiffe <holm@geophysik.tu-freiberg.de>
1996-02-22 23:34:13 +00:00
peter
fe35eac01c Make the default behavior of local port assignment match traditional
systems (my last change did not mix well with some firewall
configurations).  As much as I dislike firewalls, this is one thing I
I was not prepared to break by default.. :-)

Allow the user to nominate one of three ranges of port numbers as
candidates for selecting a local address to replace a zero port number.
The ranges are selected via a setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &arg)
call.  The three ranges are: default, high (to bypass firewalls) and
low (to get a port below 1024).

The default and high port ranges are sysctl settable under sysctl
net.inet.ip.portrange.*

This code also fixes a potential deadlock if the system accidently ran out
of local port addresses. It'd drop into an infinite while loop.

The secure port selection (for root) should reduce overheads and increase
reliability of rlogin/rlogind/rsh/rshd if they are modified to take
advantage of it.

Partly suggested by: pst
Reviewed by: wollman
1996-02-22 21:32:23 +00:00
peter
f7cfae926e Remove useless (for us) Makefiles. There were already other "Makefile.dist"
files missing, so these shouldn't hurt.  If somebody wanted to use sendmail
8.7 on their machine, they should use a clean dist anyway, not this one.

Submitted by: wollman
1996-02-22 19:58:32 +00:00
peter
53bd532d4b Merge 8.7.3->8.7.4 changes onto mainline. 1996-02-22 18:57:52 +00:00
peter
9c30a5e26b This commit was generated by cvs2svn to compensate for changes in r14182,
which included commits to RCS files with non-trunk default branches.
1996-02-22 18:49:13 +00:00
peter
550e941668 Update to sendmail-8.7.4. This fixes a DNS related security vulnerabilty. 1996-02-22 18:49:13 +00:00
dg
41aff73dfb Fixed bug in Path MTU Discovery that caused the system to have to re-
discover the Path MTU for each connection if the connecting host didn't
offer an initial MSS.

Submitted by:	davidg & olah
1996-02-22 11:46:39 +00:00
tg
de7b925ea4 Add Bernd Rosauer to contributors. 1996-02-22 11:08:57 +00:00
dg
f54e4705e6 Add a "NO_SWAPPING" option to disable swapping. This was originally done
to help diagnose a problem on wcarchive (where the kernel stack was
sometimes not present), but is useful in its own right since swapping
actually reduces performance on some systems (such as wcarchive).
Note: swapping in this context means making the U pages pageable and has
nothing to do with generic VM paging, which is unaffected by this option.

Reviewed by:	 <dyson>
1996-02-22 10:57:37 +00:00
dyson
60f52cc4c1 Fix a problem that select did not work with direct writes. Make
wakeup channels more consistant also.
1996-02-22 03:33:52 +00:00
joerg
c5181fe0d9 . cast the error and status registers properly to (unsigned short),
to avoid misinterpreting the 0x8000 bit as a negative sign,

. use the <machine/wtio.h> register def's to print them.
1996-02-22 00:33:35 +00:00
joerg
0e9d63c38b . move out the error and status register def's for wt into
<machine/wtio.h>, so mt(1) can print them,

. cosmetics: put the return type and the function name onto
  different lines.
1996-02-22 00:31:49 +00:00
nate
ce6232a085 Removed un-used code. 1996-02-21 23:31:03 +00:00
nate
9bcadeb83a Updated PC-CARD support to contain most of the code from the latest
Japanese BSD-Nomad release.

Reviewed by:    phk
Submitted by:   hosokawa@mt.cs.keio.ac.jp and the rest of the Nomads
1996-02-21 23:22:27 +00:00
nate
3f825d9547 Updated PC-CARD support to contain most of the code from the latest
Japanese BSD-Nomad release.

Reviewed by:	phk
Submitted by:	hosokawa@mt.cs.keio.ac.jp and the rest of the Nomads
1996-02-21 23:20:21 +00:00
ache
98df79c169 Fix weak random number hole
Obtained from: CERT
1996-02-21 21:40:14 +00:00
mpp
bd67217d9d Print out an informative message if the verbose option is given
and an unknown uid/gid is found in the file system.  This is useful
if you wind up with a file in your file system that has a uid
that is extremely large, since quotacheck will wind up running
a very very long time due to it not handling large gaps in uids
very well (this is a problem that should be addressed some day).

Update the man page to reflect that fact the the -v flag now prints
some additional diagnostic messages.
1996-02-21 18:40:54 +00:00
jkh
10255f12e4 Add back missing crypt.3 man page. 1996-02-21 08:15:08 +00:00
roberto
f329cd3f0b Add a few questions forwarded by Jordan and one from Jörg about
XDM.

Submitted by:	geert@sun3.iaf.nl,tedm%toybox@agora.rdrop.com,joerg
1996-02-21 00:07:39 +00:00
wosch
51408189d3 option -f and -i are exclusive (Posix)
respond `Y' is equal to `y'
update usage string
prompt only if source exist
1996-02-20 23:27:57 +00:00
julian
37a78862f8 Submitted by: John Hay -- John.Hay@csir.co.za
fix broken local routing .. (broken in previous patch)
1996-02-20 23:11:24 +00:00
fenner
b2e0f850a9 Make the "arpresolve: can't allocate llinfo" error message
more useful by printing out the IP address it was trying to
resolve, since we're seeing so many complaints about this
error.
1996-02-20 17:54:17 +00:00