Commit Graph

4834 Commits

Author SHA1 Message Date
mtm
619355f258 Generally, anything that runs rc.d scripts internally should
start using the quiet prefix (i.e. quietstart, quietstop, etc...).
2008-01-26 13:50:38 +00:00
mtm
bf5451f3d4 Use 'quietstart' so as not to get spammed with informational diagnostics. 2008-01-26 13:37:48 +00:00
mtm
128f4ab0d5 Re-implement: do not silently fail when a command is not carried
out because the rc.conf(5) variable was not enabled. Display a
message that the command wasn't run and offer suggestions on
what the user can do.

Implement a quiet prefix, which will disable some diagnostics. The
fast prefix also implies quiet. During boot we use either fast or
quiet. For shutdown we already use 'faststop'. So, this informational
message should only appear during interactive use.

An additional benefit of having a quiet prefix is that we can start
putting some of our diagnostic messages behind this knob and start
"de-cluttering" the console during boot and shutdown.
2008-01-26 11:22:12 +00:00
mtm
62d20a5f39 Backout previous commit. It's going to clutter the console
during boot and shutdown. I think I'll hide it behind autoboot or
maybe take brooks@ suggestion and implement a different command
prefix for booting/shutdown purposes, but in any case it needs more
thought and attention.

Noticed by: ceri
Pointyhat to: mtm
2008-01-25 16:44:34 +00:00
mtm
b46fecfe29 If the rc.conf(5) variable for a script is not enabled do not fail
silently. Display a message that the command wasn't run and make
possible suggestions for what to do.

PR:	   conf/118770
MFC after: 1 week
2008-01-25 15:06:26 +00:00
mtm
17279cebaf Rev. 1.6 made it impossible to use rc.d/kerberos with the krb5 port.
Re-implement the change so that the script once again works with
the krb5 port.

Submitted by: kensmith (slightly modified)
MFC after: 3 days
2008-01-25 05:23:01 +00:00
ru
3fcb96106a Shorter equivalent of the command. 2008-01-24 07:04:12 +00:00
rafan
d70dd9e5a0 Improve kernel NAT support in rc.firewall
- Allow IP in firewall_nat_interface, just like natd_interface
- Allow additional configuration parameters passed to ipfw via
  firewall_nat_flags
- Document firewall_nat_* in defaults/rc.conf

Tested by:	Albert B. Wang <abwang at gmail.com>
MFC after:	1 month
2008-01-21 04:41:18 +00:00
simon
28827547bb Add warning about this script dealing with untrusted data.
MFC after:	1 week
2008-01-13 14:27:53 +00:00
maxim
02be9380b7 o From the Problem Report: the TCP_DROP_SYNFIN kernel option is now
included in the kernel by default.  Remove reference to this option
from defaults/rc.conf and rc.conf(5).

PR:		conf/119098
Submitted by:	Beat Gaetzi
MFC after:	1 week
2008-01-12 20:52:30 +00:00
maxim
74720d8946 o Correct an info about "Firewalls and Internet Security" book: name,
authors list, ISBN, URLs.

PR:		conf/119590
MFC after:	1 week
2008-01-12 19:02:09 +00:00
dougb
171437d67c Remove from the default empty zone list zones that, unlike the others,
could theoretically be allocated one day.
2008-01-11 22:41:21 +00:00
dds
1484f84905 A new configuration variable, daily_status_mail_rejects_shorten, allows
the rejected mail reports to tally the rejects per blacklist without
providing details about individual sender hosts.  The default configuration
keeps the reports in their original form.

MFC after:	1 week
2008-01-08 07:22:43 +00:00
dougb
b72597c775 Update pkg_version_index to INDEX-8 2007-12-20 20:37:22 +00:00
jhb
97271d799c Only pass paths to directories or config files that exist for ldconfig for
32-bit binaries.

MFC after:	3 days
2007-12-13 00:51:01 +00:00
dougb
8b27e899e4 Add an empty stop_cmd to the remaining scripts that don't start
daemons and don't already have one.
2007-12-08 23:00:28 +00:00
dougb
3a306344f7 Remove a meaningless KEYWORD 2007-12-08 22:40:31 +00:00
dougb
4c320b2623 Remove the bootconf.sh script. It was never used on FreeBSD, and was
removed from the Makefile in version 1.5 (2002/09/02) but never GC'ed.
2007-12-08 22:33:11 +00:00
dougb
436c8fbd62 Remove spurious # marks to be more consistent with existing style. 2007-12-08 22:27:18 +00:00
dougb
92008444a3 Remove empty REQUIRE line 2007-12-08 22:26:30 +00:00
dougb
127c69bf43 Remove $NetBSD$ CVS tags. We no longer attempt to synch our rc.d files
with theirs, so this information doesn't need to be in the live file.
Having it in our CVS history is enough.
2007-12-08 07:20:23 +00:00
cperciva
7891fefb70 Add /root/, /.cshrc, and /.profile to the default UpdateIfUnmodified
directive.  Users get irritated if FreeBSD Update steps on these while
upgrading to a new release.

MFC after:	3 days
2007-11-28 22:45:09 +00:00
jhb
5902950f35 Don't delete files in the X11 socket directories under /tmp (.X11-unix,
.ICE-unix, .font-unix, .XIM-unix) when purging files from /tmp via the
daily 100.clean-tmps job.  If you are logged into an X session longer
than the timeout period (default of 3 days), then this job can delete
the X11 sockets out from under the session without this fix.

MFC after:	3 days
2007-11-28 17:31:11 +00:00
jhb
3a88ba0aa7 Update the shlib version for libgssapi_krb5. This file needs to be updated
anytime that library version is bumped.

XXX: I wonder if this breaks any 6.x binaries using Kerberos5 via GSSAPI.
2007-11-27 21:47:56 +00:00
ru
df014ee1ed Also check setuid executables on ZFS. 2007-11-23 13:00:31 +00:00
jhb
3c82b6a5c7 Bump up the number of ttys supported by pty(4) to 512 by making use of
[pt]ty[lmnoLMNO][0-9a-v].

MFC after:	3 days
Reviewed by:	rwatson
2007-11-19 20:49:42 +00:00
rwatson
ade0868a44 Add ttys lines for pts/0-pts/255.
MFC after:	3 days
2007-11-15 16:22:59 +00:00
brix
2bf11aa6d0 Add reload functionality.
PR:		conf/116659
Approved by:	sam, erwin (mentor)
2007-11-14 21:19:15 +00:00
cperciva
e1798e6b44 Add support for "freebsd-update -r newrelease upgrade" -- binary
upgrading to new releases.  Important parts of this code include
 * automatically determining which optional components (e.g., src,
info, proflibs) are installed.
 * merging changes in files which are modified locally and have
changed between the currently running and new release.
 * prompting the user to rebuild all 3rd party software before
deleting old shared libraries.

Yes, this is compatible with "freebsd-update rollback" -- you can
test a new -BETA and roll back to the old release if you don't
like it.

Subject to re@ approval, this will be MFCed before 7.0-BETA3 and
6.3-RC1.

MFC after:	2 days
2007-11-12 04:47:57 +00:00
mlaier
439399edf8 Update pf examples from OpenBSD to catch up with new stateful defaults and
other syntax changes.  Move pf.conf from /etc to examples, too.
2007-11-11 01:16:51 +00:00
sam
38ba9268aa spaces are preferred to tabs
Noted by:	simon
2007-11-10 22:47:46 +00:00
sam
6c2390d8c2 add wpa_supplicant + hostapd directories to examples
MFC after:	1 week
2007-11-10 20:23:07 +00:00
benjsc
f9553858df Link wpi(4) into the build.
This includes:
    o mtree (for legal/intel_wpi)
    o manpage for i386/amd64 archs
    o module for i386/amd64 archs
    o NOTES for i386/amd64 archs

Approved by: mlaier (comentor)
2007-11-08 22:09:37 +00:00
imp
1f838bcfdd Another vestige of OLDCARD that needs to be retired.
Prodded by: jhb@
2007-11-08 17:41:35 +00:00
thompsa
e44e0b612b Change wpa_supplicant to down the interface at the start of the init routine.
wpa_supplicant expects that it has exclusive access to the net80211 state so
when its starts poking in the WEP/WPA settings and the card is already
scanning it can cause net80211 to try and associate incorrectly with a
protected AP.

This is an inconvenience for firmware based cards such as iwi where it can be
sent an auth instruction with incomplete security info and cause a firmware
error.

Remove the 'ifconfig up' from network.subr since wpa_supplicant will
immediately down the interface again.

Reported by:	Guy Helmer (and others)
Reviewed by:	sam, brooks, avatar
MFC after:	3 days
2007-11-05 06:13:07 +00:00
dougb
bb33337484 Update to the 1 November 2007 version of this file. The change
is to the address of l.root-servers.net, which is moving to a
new /24 in order to enable anycast routing down the road.
2007-11-02 22:37:15 +00:00
yar
17e940f736 Add support for `make -nn' dry runs to this makefile. Basically,
it's just a matter of adding a `${_+_}' prefix before each submake
invokation.  This allows a dry run to proceed down to, but not
including, leaf commands.  (See <sys.mk> for how ${_+_} is set
depending on the number of -n flags.)
2007-10-29 07:37:08 +00:00
mtm
e8e8fab208 Nuke rc.d/nfslocking which has been superceeded by rc.d/{lockd,statd} 2007-10-25 18:10:05 +00:00
mtm
39da3f5321 Remove unnecessary whitespace 2007-10-25 16:59:06 +00:00
dougb
a6a61c0d6a 1. Determine the location of the rndc* binaries relative to $command
so that when using named from the ports (or elsewhere) the proper rndc*
commands will be run.

2. Rework the stop routine using ideas from brooks and delphij.
Specifically I am duplicating a lot of code from rc.subr's stop routine
so that this one will behave more like the one in rc.subr, but use rndc
to kill the daemon (or regular kill if that fails). This also avoids
the problems related to using killall if rndc fails, which is bad if
you're running more than one named on the same box.

3. Take a concept from gshapiro and allow the rndc.key file to be
owned by root OR the named_uid user.

Although I used different solutions, this commit handles issues raised in:
PR:	conf/73929
PR:	conf/103976
PR:	conf/109409
2007-10-22 09:38:44 +00:00
mtm
4a5da6b57d The amd_map_program knob can potentially contain a command whose output
is then used as an argument to the amd program. This outpu may contain
newlines, but the script did not take care to strip those newlines before
apending it to rc_flags. Revision 1.72 of rc.subr(8) introduced changes that
exposed this problem (specifically putting the final eval'ed command in
quotes).[1]

Also, for correctness' sake, shell directives appended to the command-line
by the script should go into command_args, and not appended directly
to rc_flags.

Reported by:	John E Hein <jhein@timing.com> [1]
Tested by:	John E Hein <jhein@timing.com>
MFC after:	1 week
2007-10-19 22:55:42 +00:00
mtm
f8785ef32c Partial backout of rev. 1.6, but instead of putting kerberos5_server_flags
back in command_args, put it where rc.subr(8) expects it: kerberos5_flags.
2007-10-19 08:59:59 +00:00
emax
8cbbb2bafc Teach /etc/rc.d/ppp how to start/stop individual instances
of ppp. This is an extension of previous commit.

Submitted by:	Yuri Kurenkov < y dot kurenkov at init dot ru >
Reviewed by:	mtm
MFC after:	3 days
2007-10-18 17:10:40 +00:00
bushman
04367a31e7 Removing obsolete etc/cached.conf.
Approved by:	brooks (mentor)
2007-10-18 09:09:22 +00:00
bushman
203345b0a4 Forced commit to note cached.conf -> nscd.conf repocopy. etc/Makefile
changed accordingly.

Approved by:	brooks (mentor)
2007-10-18 08:26:20 +00:00
netchild
21c6e78ea7 Backout sensors framework.
Requested by:	phk
Discussed on:	cvs-all
2007-10-15 20:00:24 +00:00
netchild
4af9918bc0 Import OpenBSD's sysctl hardware sensors framework.
This commit includes the following core components:

 * sample configuration file for sensorsd
 * rc(8) script and glue code for sensorsd(8)
 * sysctl(3) doc fixes for CTL_HW tree
 * sysctl(3) documentation for hardware sensors
 * sysctl(8) documentation for hardware sensors
 * support for the sensor structure for sysctl(8)
 * rc.conf(5) documentation for starting sensorsd(8)
 * sensor_attach(9) et al documentation
 * /sys/kern/kern_sensors.c
   o sensor_attach(9) API for drivers to register ksensors
   o sensor_task_register(9) API for the update task
   o sysctl(3) glue code
   o hw.sensors shadow tree for sysctl(8) internal magic
 * <sys/sensors.h>
 * HW_SENSORS definition for <sys/sysctl.h>
 * sensors display for systat(1), including documentation
 * sensorsd(8) and all applicable documentation

The userland part of the framework is entirely source-code
compatible with OpenBSD 4.1, 4.2 and  -current as of today.

All sensor readings can be viewed with `sysctl hw.sensors`,
monitored in semi-realtime with `systat -sensors` and also
logged with `sensorsd`.

Submitted by:	Constantine A. Murenin <cnst@FreeBSD.org>
Sponsored by:	Google Summer of Code 2007 (GSoC2007/cnst-sensors)
Mentored by:	syrinx
Tested by:	many
OKed by:	kensmith
Obtained from:	OpenBSD (parts)
2007-10-14 10:45:31 +00:00
emax
42544287c5 Teach /etc/rc.d/ppp to start multiple instances of ppp.
ppp_profile variable can now contain multiple profiles.
Overrides for ppp mode and nat can go into ppp_$profile_mode
and ppp_$profile_nat variables respectively. If those are
not specified, defaults from ppp_mode and ppp_nat are used.

Submitted by:	Yuri Kurenkov < y dot kurenkov at init dot ru >
Reviewed by:	mtm
MFC after:	1 week
2007-10-12 16:35:36 +00:00
csjp
f0a91906f8 Add pts/pty to the un-hidden devices for logins. This un-breaks
logins to jailed environments when the system is using PTS style
ptys (kern.pts.enable=1).

Discussed with:	rwatson
MFc after:	1 week
2007-10-12 14:55:41 +00:00
dougb
53e91b664f Deprecate use of the early.sh script as advertised when the support for
local rc.d scripts in the overall boot order was added.

Proper rc.d scripts are run by rc.subr in a subshell, whereas scripts that
end in .sh are sourced into rc's shell. The latter has potential to create
serious boot problems, and there is no reason that the same functionality
cannot be added by the user in the form of a proper rc.d script (as
opposed to being added by the user in the form of /etc/rc.early).

This script will be removed prior to the 8.0 branch.

Approved by:	re (kensmith)
2007-10-09 07:30:14 +00:00
dougb
1f3d8b6576 Remove pre-rc.d compatibility shims that were added before the 5.0 branch
for pre-5.0 variable names.

Remove two dhcp compatibility variables added after the 5.1-RELEASE.

Remove the now-unused support for these shims.

Approved by:	re (kensmith)
2007-10-09 07:20:44 +00:00
ru
67b0c6b485 Sort as per README.
Approved by:	re (kensmith)
2007-10-03 05:51:20 +00:00
ru
da20e23951 Removed "tail +5" from the command used to sanity check changes to
mtree files -- the 5-line header is no longer printed when mtree(8)
is run with -n (as of mtree/create.c,v 1.34).

Approved by:	re (kensmith)
2007-10-03 05:44:27 +00:00
bushman
23d44f1bb5 Removing obsolete cached files after cached->nscd renaming.
Approved by:	re (kensmith), brooks (mentor)
2007-10-02 07:51:43 +00:00
bushman
a947d50315 Finishing renaming of cached into nscd. etc/rc.d and usr.sbin/Makefile
updated. Note added to UPDATING.

Approved by:	re (kensmith, bmah), brooks (mentor)
2007-09-28 10:38:08 +00:00
pjd
27bd800e61 Bring in the GEOM Virtualisation class, which allows to create huge GEOM
providers with limited physical storage and add physical storage as
needed.

Submitted by:	Ivan Voras
Sponsored by:	Google Summer of Code 2006
Approved by:	re (kensmith)
2007-09-23 07:34:23 +00:00
brooks
a9d79aef66 Use the udp protocol in favor of the nonexistant upd protocol in the
sge_execd entry.

Reported by:	emaste
Pointy hat to:	brooks
Approved by:	re (kensmith)
2007-09-21 01:26:00 +00:00
mr
8c4e364ee0 Add IANA assigned iscsi-target port as its the default port
according RFC 3720.

Approved by:	re (bmah)
2007-09-08 08:56:01 +00:00
mlaier
78e4a0814c Add the startup script for ftp-proxy(8) to the Makefile as well.
Approved by:	re (bmah - implicit)
Reminded by:	mtm
2007-09-07 15:44:09 +00:00
mlaier
88b18f542f Add a startup script for ftp-proxy(8) now that it is no longer started as
part of inetd(8).

Approved by:	re (bmah)
Reviewed by:	freebsd-rc (a while back)
Reminded by:	kevlo
2007-09-06 21:00:48 +00:00
brooks
f63df7a950 Add service entries for Sun Grid Engine's qmaster and execution service
as per IANA assignments to simplify the installation of the sysutils/sge
port.

Approved by:	re (bmah)
2007-09-06 19:04:47 +00:00
mtm
2128419ce0 Start lockd after statd.
Approved by:	re (bmah)
Noticed by:	Ted Faber <faber@ISI.EDU>
2007-09-03 02:02:31 +00:00
matteo
ca68d57012 sleep 2 seconds after having loaded g_uzip.ko. We need this because
otherwise the /dev/mdX.uzip won't be created immediately, which is
needed because we issue a mount right afterwards.

Approved by:	re@ (bmah@)
MFC after:	2 days
2007-08-25 00:19:17 +00:00
mtm
5c65a0ed5e My forced commit to note the repo-copy (naturally) changed the $FreeBSD$ keyword line,
so that when I applied the patch to my check-in tree the top half of my patch failed to
apply.  Off course I saw what I *expected* to see (the bottom half succeeded) and
didn't notice that it had failed to apply cleanly.

Approved by: re (bmah)
2007-08-18 04:08:53 +00:00
mtm
ccb2d02a33 The rc.d/nfslocking file controls two servers: rpc.statd and rpc.lockd. It worked well
in most cases, except one. The 'restart' case was not working as expected. Specifically,
it would stop both lockd and statd, but it would restart only statd (which appears first
in the script). This is because rc.subr(8) contains code to guard against infinite
recursion in the 'restart' casae.

To fix this use the traditional approach of controlling only one server from one script by
breaking out rc.d/nfslocking into its contituent parts: rc.d/lockd and rc.d/statd. Keep
rc.d/nfslocking around but don't include it in the boot rcorder(8)ing.

PR:	     conf/107316
Approved by: re (bmah)
MFC after:   2 weeks
2007-08-17 07:58:26 +00:00
dougb
501b1be8fa 1. Remove root name servers from the list of possible masters in the
commented out example who have either not responded, or specifically
asked not to participate because they do not view AXFR as "a production
service."

2. Add f.root-servers.net to the example after confirmation from
Paul Vixie.

3. Add a warning to the commented out "root zone slave" example to the
effect that it requires more attention than a hints file, and provides
more benefit to larger sites than individual hosts.

4. Correct a typo copied from RFC 2544 which was corrected in a later
errata, and confirmed in RFC 3330. Update the comment to reflect that
RFC 3330 got it right and to avoid confusion down the road. 3330 also
contains a reference back to 2544 for anyone interested in pursuing the
history. [1]

PR:             conf/115573 [1]
Submitted by:   Oliver Fromme <olli@secnetix.de> [1]

Approved by:	re (kensmith)
2007-08-17 04:37:02 +00:00
cognet
f7582f9f8e Use ttyu instead of ttyd for arm, since we will probably never use sio(4).
Approved by:	re (blanket)
2007-08-12 17:13:06 +00:00
bushman
134f3ad3d3 - Renaming repocopied cached to nscd
Approved by:	re (kensmith), brooks (mentor)
2007-08-09 13:06:12 +00:00
dougb
5c7ee3e6d3 1. Move the disable-empty-zone stuff down below the first 25 lines so
that the listen-on stuff floats up to the first "page" of text. This
makes it very obvious what's going on so that someone trying to enable
a server for use on a network can easily see how to do that.

2. Change the default behavior back to using a hint zone for the root.

3. Leave the root slave zone config as a commented out example.

4. Remove the B and F root servers from the example at the request of
their operators.

Requested by:	he-who-must-not-be-named [1]
Requested by:	many [2]

Approved by:	re (rwatson)
2007-08-02 09:18:53 +00:00
jhb
e447c8529b Require 'cleanvar' so that files and sockets created in /var/run by
wpa_supplicant and other programs started by 'netif' don't get erased
by a subsequent 'cleanvar'.

Approved by:	re (bmah)
Reviewed by:	dougb
MFC after:	1 week
2007-07-25 18:08:01 +00:00
scottl
d8e6f45dcb Fix a whitespace mistake from the last commit.
Submitted by: far too many to list
Approved by: re
2007-07-25 13:37:33 +00:00
scottl
08b4d87cfe Introduce Danny Braniss' iSCSI initiator, version 2.0.99. Please read the
included man pages on how to use it.  This code is still somewhat experimental
but has been successfully tested on a number of targets.  Many thanks to
Danny for contributing this.

Approved by: re
2007-07-24 15:35:02 +00:00
rwatson
ea4d9ac0d1 Disconnect netatm from the build as it is not MPSAFE and relies on
NET_NEEDS_GIANT, which will shortly be removed.  This is done in a
away that it may be easily reattached to the build before 7.1 if
appropriate locking is added.  Specifics:

- Don't install netatm include files
- Disconnect netatm command line management tools
- Don't build libatm
- Don't include ATM parts in rescue or sysinstall
- Don't install sample configuration files and documents
- Don't build kernel support as a module or in NOTES
- Don't build netgraph wrapper nodes for netatm

This removes the last remaining consumer of NET_NEEDS_GIANT.

Reviewed by:	harti
Discussed with:	bz, bms
Approved by:	re (kensmith)
2007-07-14 21:49:24 +00:00
imp
3220a0fc84 Arm doesn't have GENERIC.hints, so don't install it if it doesn't exist.
Approved by: re (kensmith)
2007-07-13 14:28:10 +00:00
bz
5647bf0624 I4B header files were repo-copied from sys/i386/include to
sys/i4b/include/ so they will be available to all architectures
once I4B compiles on those.

I4B header files are now installed in include/i4b/ and no longer
in include/machine/.

For now we still install the headers for i386 only.

Approved by:	re (kensmith)
2007-07-06 07:20:59 +00:00
delphij
6b02b0c4da Remove reference to the old ftp-proxy implementation,
which was replaced during the pf 4.1 import.

Approved by:	re (mux)
2007-07-05 09:46:53 +00:00
gnn
f5875f045c Commit IPv6 support for FAST_IPSEC to the tree.
This commit includes all remaining changes for the time being including
user space updates.

Submitted by:    bz
Approved by:    re
2007-07-01 12:08:08 +00:00
rafan
ff392b04b7 - Remove UMAP filesystem. It was disconnected from build three years ago,
and it is seriously broken.

Discussed on:   freebsd-arch@
Approved by:	re (mux)
2007-06-25 05:06:57 +00:00
njl
79d6390885 Update the suspend/resume user API while maintaining backwards compat.
Improvements:
* /etc/rc.suspend,rc.resume are always run, no matter the source of the
  suspend request (user or kernel, apm or acpi)
* suspend now requires positive user acknowledgement.  If a user program
  wants to cancel the suspend, they can.  If one of the user programs
  hangs or doesn't respond within 10 seconds, the system suspends anyway.
* /dev/apm is clonable, allowing multiple listeners for suspend events.
  In the future, xorg-server can use this to be informed about suspend
  even if there are other listeners (i.e. apmd).

Changes:
* Two new ACPI ioctls:  REQSLPSTATE and ACKSLPSTATE.  Request begins the
  process of suspending by notifying all listeners.  acpi is monitored by
  devd(8) and /dev/apm listener(s) are also counted.  Users register their
  approval or disapproval via Ack.  If anyone disapproves, suspend is vetoed.
* Old user programs or kernel modules that used SETSLPSTATE continue to
  work.  A message is printed once that this interface is deprecated.
* acpiconf gains the -k flag to ack the suspend request.  This flag is
  undocumented on purpose since it's only used by /etc/rc.suspend.  It is
  not intended to be a permanent change and will be removed once a better
  power API is implemented.
* S5 (power off) is no longer supported via acpiconf -s 5 or apm -z/-Z.
  This restores previous behavior of halt/shutdown -p being the interface.
* Miscellaneous improvements to error reporting

Approved by:	re
2007-06-21 22:50:37 +00:00
dougb
f436b9e0d3 Drop the default zones that are now covered by the new zones that
were added in the last revision.
2007-06-18 06:29:45 +00:00
dougb
37159c8d59 Bring our default named configuration more in line with current
best practices:

1. The old way of generating the localhost zones was not optimal both
because they did not exist by default, and because they were not really
aligned with BCP. There is no need to have the dynamic data that the
make-localhost script generated, and good reasons to do this more
"by the book."

2. In named.conf
	a. Clean up white space
	b. Add/clarify a few comments
	c. Slave zones from the root servers instead of using a hints
	file. This has several advantages, as described in the comments.
	d. Significantly revamp the default zones, including the
	forward localhost zone, and the reverse zones for IPv4 and IPv6
	loopback addresses. There are extensive comments describing what
	is included and why. Interested readers should take the time to
	review the RFCs mentioned in the comments. There is also relevant
	information about the motivations for hosting these zones in the
	"work in progress" Internet-Draft,
	http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
	or its successor.
	It's also worth noting that a significant number of these
	empty zones are already included by default in the named binary
	without any user configuration.
	e. Because we're including a lot of examples of both local
	forward zones and slave zones in the default configuration,
	eliminate some of those examples.

3. Add new localhost-{forward|reverse} zone files, and an "empty" zone
to support the changes in 2.d. above. The empty zone file isn't really
empty in order to avoid a warning from BIND about a zone file that
doesn't contain any A or AAAA records.
2007-06-18 05:58:23 +00:00
dougb
c2485b20cb Add a namedb/master directory for the zone files I'm about to add,
and switch to the more "normal" way of installing files for the
namedb directory so that we can pick up the new subdir.
2007-06-18 05:44:38 +00:00
yar
333d04678d Add PAM support to cron(8). Now cron(8) will skip commands scheduled
by unavailable accounts, e.g., those locked, expired, not allowed in at
the moment by nologin(5), or whatever, depending on cron's pam.conf(5).
This applies to personal crontabs only, /etc/crontab is unaffected.

In other words, now the account management policy will apply to
commands scheduled by users via crontab(1) so that a user can no
longer use cron(8) to set up a delayed backdoor and run commands
during periods when the admin doesn't want him to.

The PAM check is done just before running a command, not when loading
a crontab, because accounts can get locked, expired, and re-enabled
any time with no changes to their crontabs.  E.g., imagine that you
provide a system with payed access, or better a cluster of such
systems with centralized account management via PAM.  When a user
pays for some days of access, you set his expire field respectively.
If the account expires before its owner pays more, its crontab
commands won't run until the next payment is made.  Then it'll be
enough to set the expire field in future for the commands to run
again.  And so on.

Document this change in the cron(8) manpage, which includes adding
a FILES section and touching the document date.

X-Security: should benefit as users have access to cron(8) by default
2007-06-17 17:25:53 +00:00
yar
73c6fd823f Add PAM support to atrun(8). 2007-06-15 12:02:16 +00:00
yar
720e13085b Locked out and expired accounts shouldn't be accessible via remote
mailbox protocols.  Add pam_unix to the `account' function class, too,
for imap and pop3 to actually implement this policy.
2007-06-15 11:33:13 +00:00
yar
867bb09937 Split the FILES list across multiple lines as in rc.d/Makefile
so that the change history stays easily readable as the number
of PAM-aware services grows.
2007-06-15 11:22:10 +00:00
gshapiro
8487a6b582 Add a new rc.conf variable, sendmail_rebuild_aliases, which tells
/etc/rc.d/sendmail whether or not to run newaliases if the database
is missing or the aliases text file is newer than aliases.db.

In my opinion, the aliases file should never be automatically rebuilt.
The current text form could represent a work in progress.  Therefore,
in FreeBSD 7.0, this new option will default to "NO".  When this rc.d
change is MFC'ed, it will need to remain "YES" to maintain backward
compatibility.

PR:		conf/86252
Approved by:	re (kensmith)
MFC after:	3 days
2007-06-12 17:33:23 +00:00
ceri
1715307402 Create group ftp by default. This is gid 14 as this is the historical
id used by sysinstall when enabling anonymous FTP.

Change the default group used by sysinstall for setting up anonymous FTP
from operator to ftp; there is no reason to use operator and there are
potential security issues when doing so.

PR:		93284
Approved by:	ru (mentor)
Reviewed by:	simon
2007-06-11 18:36:39 +00:00
yar
dac62e7ff2 Now pam_nologin(8) will provide an account management function
instead of an authentication function.  There are a design reason
and a practical reason for that.  First, the module belongs in
account management because it checks availability of the account
and does no authentication.  Second, there are existing and potential
PAM consumers that skip PAM authentication for good or for bad.
E.g., sshd(8) just prefers internal routines for public key auth;
OTOH, cron(8) and atrun(8) do implicit authentication when running
a job on behalf of its owner, so their inability to use PAM auth
is fundamental, but they can benefit from PAM account management.

Document this change in the manpage.

Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed
under the "account" function class.

Bump __FreeBSD_version (mostly for ports, as this change should be
invisible to C code outside pam_nologin.)

PR:		bin/112574
Approved by:	des, re
2007-06-10 18:57:20 +00:00
yar
68cc2f890e Be robust to a bogus script specification or contents
when figuring out what the real interpreter is for an
interpreted command.  That is, check whether we can read
the script file in the first place and, if so, make sure
we got a valid shebang line from it.
2007-06-04 11:39:35 +00:00
dougb
0f2163d639 Finish making resolv ordering deterministic by REQUIRE'ing it here. 2007-06-02 05:25:19 +00:00
dougb
9f19c3ecee Add REQUIRE netif to make ordering more deterministic, and to make sure
we have a fighting chance of having useful stuff from DHCP.

Tighten up the code a little, and fix whitespace issues.
2007-06-02 05:24:39 +00:00
ru
2962d850a3 s/tabs/spaces/ 2007-06-01 18:53:36 +00:00
dougb
39d0d8b3e6 Remove more vestiges of /usr/X11R6, but leave mtree for portmgr. 2007-05-29 06:37:58 +00:00
dougb
866e32e8a5 Remove X11R6 from the default PATH to join the new world order.
While I'm here, make the default PATH match that in the csh profile,
and login.conf.
2007-05-29 06:33:10 +00:00
dougb
cfa8629c48 Now that a separate /usr/X11R6 directory is no longer in fashion,
stop looking there for things like rc.d and periodic. This avoids
duplicating effort when /usr/X11R6 is a symlink to /usr/local,
which it is by default now.

It is not anticipated at this time that we will MFC this change, since
we'd like to avoid breaking legacy systems. However, there is a fix for
/etc/rc.subr in the works to avoid running any rc.d scripts twice which
we should be able to MFC.
2007-05-29 06:22:14 +00:00
rse
a805ec32c7 Fix indentation. 2007-05-24 06:01:06 +00:00
rse
9b4af18220 Remove two superfluous trailing semicolons. 2007-05-24 05:58:20 +00:00
rse
a1081c269a Remove two unnecessary and useless sub-shell constructs. 2007-05-24 05:54:37 +00:00
thompsa
dc97594a94 Do not attempt to load the kernel module when checking if an interface exists.
This would cause pseudo network modules to be reloaded again when trying to
unload the first time if any cloned interfaces exist.

MFC after:	2 weeks
2007-05-23 00:18:44 +00:00