PERFORCE change 20131 for review
Robert Watson
rwatson at freebsd.org
Fri Oct 25 17:05:36 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=20131
Change 20131 by rwatson at rwatson_tislabs on 2002/10/25 10:04:37
Bring in various changes since last TrustedBSD base integ:
largely sysinstall fixes, some Kirk fixes, etc.
Affected files ...
.. //depot/projects/trustedbsd/base/UPDATING#19 integrate
.. //depot/projects/trustedbsd/base/bin/ls/ls.c#13 integrate
.. //depot/projects/trustedbsd/base/contrib/groff/tmac/troffrc#6 integrate
.. //depot/projects/trustedbsd/base/etc/MAKEDEV#19 integrate
.. //depot/projects/trustedbsd/base/etc/defaults/periodic.conf#6 integrate
.. //depot/projects/trustedbsd/base/etc/inetd.conf#7 integrate
.. //depot/projects/trustedbsd/base/etc/mtree/BSD.include.dist#11 integrate
.. //depot/projects/trustedbsd/base/etc/periodic/security/100.chksetuid#6 integrate
.. //depot/projects/trustedbsd/base/etc/periodic/security/200.chkmounts#5 integrate
.. //depot/projects/trustedbsd/base/etc/periodic/security/500.ipfwdenied#4 integrate
.. //depot/projects/trustedbsd/base/etc/periodic/security/510.ipfdenied#1 branch
.. //depot/projects/trustedbsd/base/etc/periodic/security/600.ip6fwdenied#4 integrate
.. //depot/projects/trustedbsd/base/etc/periodic/security/700.kernelmsg#5 integrate
.. //depot/projects/trustedbsd/base/etc/periodic/security/Makefile#3 integrate
.. //depot/projects/trustedbsd/base/etc/periodic/security/security.functions#1 branch
.. //depot/projects/trustedbsd/base/gnu/usr.bin/groff/tmac/Makefile#7 integrate
.. //depot/projects/trustedbsd/base/include/Makefile#20 integrate
.. //depot/projects/trustedbsd/base/lib/libc/locale/wcrtomb.c#3 integrate
.. //depot/projects/trustedbsd/base/lib/libc/net/getaddrinfo.c#8 integrate
.. //depot/projects/trustedbsd/base/lib/libc/posix1e/mac.c#2 integrate
.. //depot/projects/trustedbsd/base/lib/libc/posix1e/mac_free.3#2 integrate
.. //depot/projects/trustedbsd/base/lib/libc/stdio/local.h#7 integrate
.. //depot/projects/trustedbsd/base/lib/libc/string/strerror.3#6 integrate
.. //depot/projects/trustedbsd/base/lib/libc/string/wcsncpy.c#7 integrate
.. //depot/projects/trustedbsd/base/lib/libc/string/wcsstr.c#6 integrate
.. //depot/projects/trustedbsd/base/lib/libc/sys/aio_cancel.2#3 integrate
.. //depot/projects/trustedbsd/base/lib/libc/sys/aio_error.2#3 integrate
.. //depot/projects/trustedbsd/base/lib/libc/sys/aio_read.2#3 integrate
.. //depot/projects/trustedbsd/base/lib/libc/sys/aio_return.2#3 integrate
.. //depot/projects/trustedbsd/base/lib/libc/sys/aio_suspend.2#3 integrate
.. //depot/projects/trustedbsd/base/lib/libc/sys/aio_waitcomplete.2#3 integrate
.. //depot/projects/trustedbsd/base/lib/libc/sys/aio_write.2#3 integrate
.. //depot/projects/trustedbsd/base/lib/libc/sys/sigaction.2#7 integrate
.. //depot/projects/trustedbsd/base/lib/libdisk/disk.c#12 integrate
.. //depot/projects/trustedbsd/base/lib/libfetch/ftp.c#11 integrate
.. //depot/projects/trustedbsd/base/libexec/ftpd/ftpd.c#15 integrate
.. //depot/projects/trustedbsd/base/libexec/lukemftpd/Makefile#5 integrate
.. //depot/projects/trustedbsd/base/release/Makefile#26 integrate
.. //depot/projects/trustedbsd/base/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#47 integrate
.. //depot/projects/trustedbsd/base/sbin/gpt/Makefile#2 integrate
.. //depot/projects/trustedbsd/base/sbin/gpt/create.c#1 branch
.. //depot/projects/trustedbsd/base/sbin/gpt/gpt.c#2 integrate
.. //depot/projects/trustedbsd/base/sbin/gpt/gpt.h#2 integrate
.. //depot/projects/trustedbsd/base/sbin/ifconfig/ifconfig.c#11 integrate
.. //depot/projects/trustedbsd/base/sbin/ipfw/ipfw2.c#9 integrate
.. //depot/projects/trustedbsd/base/share/doc/papers/fsinterface/Makefile#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/papers/newvm/Makefile#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/papers/sysperf/Makefile#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/psd/01.cacm/Makefile#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/psd/01.cacm/p1#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/psd/01.cacm/ref.bib#1 branch
.. //depot/projects/trustedbsd/base/share/doc/psd/02.implement/Makefile#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/psd/02.implement/implement#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/psd/02.implement/ref.bib#1 branch
.. //depot/projects/trustedbsd/base/share/doc/psd/06.Clang/Makefile#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/psd/13.rcs/rcs/Makefile#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/psd/15.yacc/Makefile#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/psd/15.yacc/ref.bib#1 branch
.. //depot/projects/trustedbsd/base/share/doc/psd/15.yacc/ss..#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/psd/16.lex/Makefile#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/psd/16.lex/lex.ms#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/psd/17.m4/m4.ms#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/smm/10.named/Makefile#2 delete
.. //depot/projects/trustedbsd/base/share/doc/smm/18.net/Makefile#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/smm/contents/contents.ms#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/usd/10.exref/Makefile.inc#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/usd/10.exref/summary/Makefile#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/usd/12.vi/Makefile.inc#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/usd/12.vi/summary/Makefile#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/usd/12.vi/vi/Makefile#2 integrate
.. //depot/projects/trustedbsd/base/share/doc/usd/22.trofftut/tt.mac#2 integrate
.. //depot/projects/trustedbsd/base/share/man/man3/assert.3#3 integrate
.. //depot/projects/trustedbsd/base/share/man/man3/stdarg.3#3 integrate
.. //depot/projects/trustedbsd/base/share/man/man4/Makefile#20 integrate
.. //depot/projects/trustedbsd/base/share/man/man4/acpi.4#4 integrate
.. //depot/projects/trustedbsd/base/share/man/man4/aio.4#1 branch
.. //depot/projects/trustedbsd/base/share/man/man5/periodic.conf.5#7 integrate
.. //depot/projects/trustedbsd/base/sys/alpha/alpha/trap.c#16 integrate
.. //depot/projects/trustedbsd/base/sys/boot/efi/libefi/bootinfo.c#4 integrate
.. //depot/projects/trustedbsd/base/sys/boot/efi/libefi/efiboot.h#3 integrate
.. //depot/projects/trustedbsd/base/sys/boot/efi/libefi/elf_freebsd.c#5 integrate
.. //depot/projects/trustedbsd/base/sys/conf/NOTES#22 integrate
.. //depot/projects/trustedbsd/base/sys/conf/files#44 integrate
.. //depot/projects/trustedbsd/base/sys/conf/files.i386#21 integrate
.. //depot/projects/trustedbsd/base/sys/conf/files.ia64#13 integrate
.. //depot/projects/trustedbsd/base/sys/conf/files.pc98#18 integrate
.. //depot/projects/trustedbsd/base/sys/conf/options#25 integrate
.. //depot/projects/trustedbsd/base/sys/conf/options.ia64#6 integrate
.. //depot/projects/trustedbsd/base/sys/dev/acpica/acpi_ec.c#11 integrate
.. //depot/projects/trustedbsd/base/sys/fs/specfs/spec_vnops.c#15 integrate
.. //depot/projects/trustedbsd/base/sys/geom/geom_subr.c#10 integrate
.. //depot/projects/trustedbsd/base/sys/i386/conf/NOTES#26 integrate
.. //depot/projects/trustedbsd/base/sys/i386/i386/trap.c#19 integrate
.. //depot/projects/trustedbsd/base/sys/i386/include/float.h#2 integrate
.. //depot/projects/trustedbsd/base/sys/ia64/conf/GENERIC#16 integrate
.. //depot/projects/trustedbsd/base/sys/ia64/ia64/machdep.c#23 integrate
.. //depot/projects/trustedbsd/base/sys/ia64/ia64/trap.c#13 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_condvar.c#15 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_mutex.c#20 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_proc.c#25 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_synch.c#17 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_thread.c#10 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vfs_default.c#11 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vfs_mount.c#10 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vfs_subr.c#29 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vfs_vnops.c#30 integrate
.. //depot/projects/trustedbsd/base/sys/modules/Makefile#32 integrate
.. //depot/projects/trustedbsd/base/sys/modules/mac_partition/Makefile#1 branch
.. //depot/projects/trustedbsd/base/sys/modules/vinum/Makefile#3 integrate
.. //depot/projects/trustedbsd/base/sys/netinet/ip_divert.c#12 integrate
.. //depot/projects/trustedbsd/base/sys/netinet/ip_fw.h#8 integrate
.. //depot/projects/trustedbsd/base/sys/netinet/ip_fw2.c#10 integrate
.. //depot/projects/trustedbsd/base/sys/netinet/tcp_usrreq.c#12 integrate
.. //depot/projects/trustedbsd/base/sys/sparc64/include/trap.h#4 integrate
.. //depot/projects/trustedbsd/base/sys/sparc64/sparc64/machdep.c#23 integrate
.. //depot/projects/trustedbsd/base/sys/sparc64/sparc64/rwindow.c#6 integrate
.. //depot/projects/trustedbsd/base/sys/sparc64/sparc64/trap.c#17 integrate
.. //depot/projects/trustedbsd/base/sys/sys/conf.h#10 integrate
.. //depot/projects/trustedbsd/base/sys/sys/proc.h#27 integrate
.. //depot/projects/trustedbsd/base/sys/sys/vnode.h#29 integrate
.. //depot/projects/trustedbsd/base/sys/ufs/ffs/ffs_snapshot.c#15 integrate
.. //depot/projects/trustedbsd/base/sys/ufs/ffs/ffs_vfsops.c#18 integrate
.. //depot/projects/trustedbsd/base/sys/vm/uma_core.c#12 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/Test/T000/ref.conf#5 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/Test/T001/ref.conf#6 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/Test/T002/ref.conf#6 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/Test/T003/ref.conf#6 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/Test/T004/ref.conf#6 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/Test/T005/ref.conf#6 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/Test/T006/ref.conf#5 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/Test/T007/ref.conf#5 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/Test/T008/ref.conf#5 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/Test/T009/ref.conf#5 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/Test/T011/ref.conf#5 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/Test/T012/ref.conf#6 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/Test/T013/ref.conf#6 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/Test/T014/ref.conf#7 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/geom_sim.h#5 integrate
.. //depot/projects/trustedbsd/base/tools/regression/geom/geom_simdisk.c#6 integrate
.. //depot/projects/trustedbsd/base/tools/regression/usr.bin/make/Makefile#6 integrate
.. //depot/projects/trustedbsd/base/usr.bin/make/var.c#9 integrate
.. //depot/projects/trustedbsd/base/usr.bin/stat/stat.c#4 integrate
.. //depot/projects/trustedbsd/base/usr.sbin/pkg_install/info/show.c#5 integrate
.. //depot/projects/trustedbsd/base/usr.sbin/quot/quot.c#5 integrate
.. //depot/projects/trustedbsd/base/usr.sbin/sysinstall/dev2c.sh#3 delete
.. //depot/projects/trustedbsd/base/usr.sbin/sysinstall/dist.c#10 integrate
.. //depot/projects/trustedbsd/base/usr.sbin/sysinstall/install.c#13 integrate
Differences ...
==== //depot/projects/trustedbsd/base/UPDATING#19 (text+ko) ====
@@ -22,6 +22,20 @@
integrity. Re-enabling write caching can substantially improve
performance.
+20021023:
+ Alphas with kernels from between 20020830 and 20021023 and/or
+ rtld (ld-elf.so.1) older than 20021023 may experience problems
+ with groff while doing a buildworld (kernel: "out of memory",
+ fixed in rev 1.129 of kern/imgact_elf.c; rtld: "too few PT_LOAD
+ segments", fixed in rev 1.8 of libexec/rtld-elf/map_object.c).
+
+ So, to successfully upgrade your Alpha, you must either
+ upgrade your kernel and rtld first (which might be a bit
+ tricky), or avoid running the bootstrapped groff during the
+ "transitional" buildworld. To avoid running groff during the
+ transitional upgrade run make buildworld with -DNOMAN,
+ -DNO_SHAREDOCS, and -DNO_LPR.
+
20020831:
gcc has been upgraded to 3.2. It is not all binary compatible
with earlier versions of gcc for c++ programs. All c++
@@ -1077,4 +1091,4 @@
Contact Warner Losh if you have any questions about your use of
this document.
-$FreeBSD: src/UPDATING,v 1.217 2002/09/03 06:13:43 imp Exp $
+$FreeBSD: src/UPDATING,v 1.218 2002/10/24 18:41:02 gallatin Exp $
==== //depot/projects/trustedbsd/base/bin/ls/ls.c#13 (text+ko) ====
@@ -46,10 +46,11 @@
#endif /* not lint */
#endif
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/bin/ls/ls.c,v 1.68 2002/10/24 00:07:30 rwatson Exp $");
+__FBSDID("$FreeBSD: src/bin/ls/ls.c,v 1.69 2002/10/24 01:01:53 rwatson Exp $");
#include <sys/types.h>
#include <sys/stat.h>
+#include <sys/syslimits.h>
#include <sys/ioctl.h>
#include <sys/mac.h>
@@ -685,6 +686,7 @@
flen = 0;
labelstr = NULL;
if (f_label) {
+ char name[PATH_MAX + 1];
mac_t label;
int error;
@@ -696,12 +698,20 @@
goto label_out;
}
+ if (cur->fts_level == FTS_ROOTLEVEL)
+ snprintf(name, sizeof(name),
+ "%s", cur->fts_name);
+ else
+ snprintf(name, sizeof(name),
+ "%s/%s", cur->fts_parent->fts_accpath,
+ cur->fts_name);
+
if (options & FTS_LOGICAL)
- error = mac_get_file(
- cur->fts_path, label);
+ error = mac_get_file(name,
+ label);
else
- error = mac_get_link(
- cur->fts_name, label);
+ error = mac_get_link(name,
+ label);
if (error == -1) {
perror(cur->fts_name);
mac_free(label);
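Review bot: Both `snprintf(name, sizeof(name), ...)` calls discard their return value, so a path longer than the buffer is silently truncated and `mac_get_file()`/`mac_get_link()` are then asked for the label of whatever the shortened name resolves to. The label printed by ls is security-relevant output, so truncation should be treated as an error rather than a lookup on a different name. Keep the result in an `int` and, when it is negative or `>= sizeof(name)`, report the entry, call `mac_free(label)` and `goto label_out`, as the existing error path does. The enclosing function begins and ends outside this hunk, so how `label` is prepared is not visible here.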
==== //depot/projects/trustedbsd/base/contrib/groff/tmac/troffrc#6 (text+ko) ====
@@ -1,5 +1,5 @@
.\" Startup file for troff.
-.\" $FreeBSD: src/contrib/groff/tmac/troffrc,v 1.13 2002/10/23 19:04:00 ru Exp $
+.\" $FreeBSD: src/contrib/groff/tmac/troffrc,v 1.14 2002/10/24 11:05:58 ru Exp $
.
.\" This is tested by pic.
.nr 0p 0
@@ -45,4 +45,12 @@
.
.\}
.
+.\" Disable SGR support in grotty(1).
+.if n \{\
+. do nop \X'tty: sgr 0'
+. sp -1
+. nr nl 0-1
+. nr % -1
+.\}
+.
.\" Don't let blank lines creep in here.
==== //depot/projects/trustedbsd/base/etc/MAKEDEV#19 (text+ko) ====
@@ -20,7 +20,7 @@
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
#
# @(#)MAKEDEV 5.2 (Berkeley) 6/22/90
-# $FreeBSD: src/etc/MAKEDEV,v 1.331 2002/10/20 08:17:34 scottl Exp $
+# $FreeBSD: src/etc/MAKEDEV,v 1.332 2002/10/24 17:59:58 luigi Exp $
#
# Device "make" file. Valid arguments:
# all makes all known devices, standard number of units (or close)
@@ -916,8 +916,8 @@
;;
usb)
- mknod usb$unit c 108 255 root:operator
- chmod 0660 usb$unit
+ mknod usb c 108 255 root:operator
+ chmod 0660 usb
;;
usb*)
==== //depot/projects/trustedbsd/base/etc/defaults/periodic.conf#6 (text+ko) ====
@@ -10,7 +10,7 @@
# values set in this file. This eases the upgrade path when defaults
# are changed and new features are added.
#
-# $FreeBSD: src/etc/defaults/periodic.conf,v 1.21 2002/09/25 03:01:42 brian Exp $
+# $FreeBSD: src/etc/defaults/periodic.conf,v 1.22 2002/10/25 15:16:54 thomas Exp $
#
# What files override these defaults ?
@@ -150,6 +150,9 @@
# 500.ipfwdenied
daily_status_security_ipfwdenied_enable="YES"
+# 510.ipfdenied
+daily_status_security_ipfdenied_enable="YES"
+
# 550.ipfwlimit
daily_status_security_ipfwlimit_enable="YES"
==== //depot/projects/trustedbsd/base/etc/inetd.conf#7 (text+ko) ====
@@ -1,4 +1,4 @@
-# $FreeBSD: src/etc/inetd.conf,v 1.58 2002/08/09 17:34:13 gordon Exp $
+# $FreeBSD: src/etc/inetd.conf,v 1.59 2002/10/24 15:46:10 rwatson Exp $
#
# Internet server configuration database
#
@@ -6,7 +6,12 @@
# To disable a service, comment it out by prefixing the line with '#'.
# To enable a service, remove the '#' at the beginning of the line.
#
+# WARNING: lukemftpd does not support PAM, MAC, per-class nologin files,
+# or any login.conf resource limits or features; use it only if this is
+# appropriate for your environment. If you require these features, use
+# the regular FreeBSD ftpd below.
#ftp stream tcp nowait root /usr/libexec/lukemftpd ftpd -l -r
+#
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
#ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l
#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
==== //depot/projects/trustedbsd/base/etc/mtree/BSD.include.dist#11 (text+ko) ====
@@ -1,4 +1,4 @@
-# $FreeBSD: src/etc/mtree/BSD.include.dist,v 1.60 2002/10/18 15:30:50 tmm Exp $
+# $FreeBSD: src/etc/mtree/BSD.include.dist,v 1.61 2002/10/24 15:25:37 rwatson Exp $
#
# Please see the file src/etc/mtree/README before making changes to this file.
#
@@ -142,6 +142,8 @@
..
mac_mls
..
+ mac_partition
+ ..
..
sys
..
==== //depot/projects/trustedbsd/base/etc/periodic/security/100.chksetuid#6 (text+ko) ====
@@ -24,7 +24,7 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $FreeBSD: src/etc/periodic/security/100.chksetuid,v 1.6 2002/09/24 18:53:46 ache Exp $
+# $FreeBSD: src/etc/periodic/security/100.chksetuid,v 1.7 2002/10/25 15:14:16 thomas Exp $
#
# If there is a global system configuration file, suck it in.
@@ -35,12 +35,12 @@
source_periodic_confs
fi
-LOG="${daily_status_security_logdir}"
+. /etc/periodic/security/security.functions
+
rc=0
case "$daily_status_security_chksetuid_enable" in
[Yy][Ee][Ss])
- TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
echo ""
echo 'Checking setuid files and devices:'
# XXX Note that there is the possibility of overrunning the args to ls
@@ -54,24 +54,10 @@
find $mount -xdev -type f \
\( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
\( -perm -u+s -or -perm -g+s \) -print0
- done | xargs -0 -n 20 ls -liTd | sed 's/^ *//' | sort -k 11 > ${TMP}
- fi
-
- if [ ! -f ${LOG}/setuid.today ]; then
- rc=1
- echo "No ${LOG}/setuid.today"
- cp ${TMP} ${LOG}/setuid.today || rc=3
- fi
-
- if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null
- then
- [ $rc -lt 1 ] && rc=1
- echo "${host} setuid diffs:"
- diff -b ${LOG}/setuid.today ${TMP}
- mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
- mv ${TMP} ${LOG}/setuid.today || rc=3
- fi
- rm -f ${TMP};;
+ done | xargs -0 -n 20 ls -liTd | sed 's/^ *//' | sort -k 11 |
+ check_diff setuid - "${host} setuid diffs:"
+ rc=$?
+ fi;;
*) rc=0;;
esac
==== //depot/projects/trustedbsd/base/etc/periodic/security/200.chkmounts#5 (text+ko) ====
@@ -24,7 +24,7 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $FreeBSD: src/etc/periodic/security/200.chkmounts,v 1.4 2002/08/25 04:09:17 cjc Exp $
+# $FreeBSD: src/etc/periodic/security/200.chkmounts,v 1.5 2002/10/25 15:14:16 thomas Exp $
#
# Show changes in the way filesystems are mounted
@@ -38,35 +38,21 @@
source_periodic_confs
fi
-LOG="${daily_status_security_logdir}"
+. /etc/periodic/security/security.functions
+
ignore="${daily_status_security_chkmounts_ignore}"
rc=0
case "$daily_status_security_chkmounts_enable" in
[Yy][Ee][Ss])
- TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
case "$daily_status_security_noamd" in
[Yy][Ee][Ss])
ignore="${ignore}|^amd:"
esac
[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
- if mount -p | ${cmd} > ${TMP}; then
- if [ ! -f ${LOG}/mount.today ]; then
- rc=1
- echo ""
- echo "No ${LOG}/mount.today"
- cp ${TMP} ${LOG}/mount.today || rc=3
- fi
- if ! cmp ${LOG}/mount.today ${TMP} >/dev/null 2>&1; then
- [ $rc -lt 1 ] && rc=1
- echo ""
- echo "${host} changes in mounted filesystems:"
- diff -b ${LOG}/mount.today ${TMP}
- mv ${LOG}/mount.today ${LOG}/mount.yesterday || rc=3
- mv ${TMP} ${LOG}/mount.today || rc=3
- fi
- fi
- rm -f ${TMP};;
+ mount -p | ${cmd} |
+ check_diff mount - "${host} changes in mounted filesystems:"
+ rc=$?;;
*) rc=0;;
esac
==== //depot/projects/trustedbsd/base/etc/periodic/security/500.ipfwdenied#4 (text+ko) ====
@@ -24,13 +24,9 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $FreeBSD: src/etc/periodic/security/500.ipfwdenied,v 1.3 2002/08/25 04:09:17 cjc Exp $
+# $FreeBSD: src/etc/periodic/security/500.ipfwdenied,v 1.4 2002/10/25 15:14:16 thomas Exp $
#
-# Show denied packets
-#
-
-
# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
@@ -39,29 +35,17 @@
source_periodic_confs
fi
-LOG="${daily_status_security_logdir}"
+. /etc/periodic/security/security.functions
+
rc=0
case "$daily_status_security_ipfwdenied_enable" in
[Yy][Ee][Ss])
TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
- if [ ! -f ${LOG}/ipfw.today ]; then
- rc=1
- echo ""
- echo "No ${LOG}/ipfw.today"
- cp ${TMP} ${LOG}/ipfw.today || rc=3
- fi
-
- if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
- [ $rc -lt 1 ] && rc=1
- echo ""
- echo "${host} denied packets:"
- diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
- mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
- mv ${TMP} ${LOG}/ipfw.today || rc=3
- fi
+ check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:"
fi
+ rc=$?
rm -f ${TMP};;
*) rc=0;;
esac
==== //depot/projects/trustedbsd/base/etc/periodic/security/600.ip6fwdenied#4 (text+ko) ====
@@ -24,12 +24,9 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $FreeBSD: src/etc/periodic/security/600.ip6fwdenied,v 1.3 2002/08/25 04:09:17 cjc Exp $
+# $FreeBSD: src/etc/periodic/security/600.ip6fwdenied,v 1.4 2002/10/25 15:14:16 thomas Exp $
#
-# Show IPv6 denied packets
-#
-
# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
@@ -38,30 +35,17 @@
source_periodic_confs
fi
-LOG="${daily_status_security_logdir}"
+. /etc/periodic/security/security.functions
+
rc=0
case "$daily_status_security_ip6fwdenied_enable" in
[Yy][Ee][Ss])
TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
- if [ ! -f ${LOG}/ip6fw.today ]; then
- rc=1
- echo ""
- echo "No ${LOG}/ip6fw.today"
- cp ${TMP} ${LOG}/ip6fw.today || rc=3
- fi
-
- if ! cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then
- [ $rc -lt 1 ] && rc=1
- echo ""
- echo "${host} IPv6 denied packets:"
- diff -b ${LOG}/ip6fw.today ${TMP} |
- egrep "^>"
- mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3
- mv ${TMP} ${LOG}/ip6fw.today || rc=3
- fi
+ check_diff new_only ip6fw ${TMP} "${host} ip6fw denied packets:"
fi
+ rc=$?
rm -f ${TMP};;
*) rc=0;;
esac
==== //depot/projects/trustedbsd/base/etc/periodic/security/700.kernelmsg#5 (text+ko) ====
@@ -24,7 +24,7 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $FreeBSD: src/etc/periodic/security/700.kernelmsg,v 1.5 2002/08/25 04:09:17 cjc Exp $
+# $FreeBSD: src/etc/periodic/security/700.kernelmsg,v 1.6 2002/10/25 15:14:16 thomas Exp $
#
# Show kernel log messages
@@ -38,30 +38,15 @@
source_periodic_confs
fi
-LOG="${daily_status_security_logdir}"
+. /etc/periodic/security/security.functions
+
rc=0
case "$daily_status_security_kernelmsg_enable" in
[Yy][Ee][Ss])
- TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
- if dmesg 2>/dev/null > ${TMP}; then
- if [ ! -f ${LOG}/dmesg.today ]; then
- rc=1
- echo ""
- echo "No ${LOG}/dmesg.today"
- cp ${TMP} ${LOG}/dmesg.today || rc=3
- fi
-
- echo ""
- echo "${host} kernel log messages:"
- if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
- [ $rc -lt 1 ] && rc=1
- diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
- mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
- mv ${TMP} ${LOG}/dmesg.today || rc=3
- fi
- fi
- rm -f ${TMP};;
+ dmesg 2>/dev/null > ${TMP} |
+ check_diff new_only dmesg - "${host} kernel log messages:"
+ rc=$?;;
*) rc=0;;
esac
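Review bot: The new pipeline still redirects dmesg's output with `> ${TMP}`, but this hunk removes the `TMP=` assignment from `mktemp`, so within the visible lines `TMP` is never set. With an empty `${TMP}` the redirection fails, and either way nothing reaches the pipe, so `check_diff` reads empty input and the daily report stops showing new kernel messages. If `TMP` happens to be inherited from the environment, that file is overwritten instead. Dropping the redirection restores the intended flow: `dmesg 2>/dev/null |`. Note also that `rc=$?` now reflects only `check_diff`, so a failing `dmesg` can no longer be told apart from an unchanged log.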
==== //depot/projects/trustedbsd/base/etc/periodic/security/Makefile#3 (text+ko) ====
@@ -1,15 +1,17 @@
-# $FreeBSD: src/etc/periodic/security/Makefile,v 1.2 2002/07/18 12:32:57 ru Exp $
+# $FreeBSD: src/etc/periodic/security/Makefile,v 1.3 2002/10/25 15:23:26 thomas Exp $
FILES= 100.chksetuid \
200.chkmounts \
300.chkuid0 \
400.passwdless \
500.ipfwdenied \
+ 510.ipfdenied \
550.ipfwlimit \
600.ip6fwdenied \
650.ip6fwlimit \
700.kernelmsg \
800.loginfail \
- 900.tcpwrap
+ 900.tcpwrap \
+ security.functions
.include <bsd.prog.mk>
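Review bot: `security.functions` is added to the same `FILES` list as the numbered check scripts, so it presumably gets the same install mode as they do; the mode is set outside this hunk. It is a library that the scripts source with `.`, not a check, and periodic(8) runs every executable file in the directory, so an executable copy would be run as a job of its own on each daily run. Installing it non-executable, or giving it a separate install mode from the scripts, would avoid that.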
==== //depot/projects/trustedbsd/base/gnu/usr.bin/groff/tmac/Makefile#7 (text+ko) ====
@@ -1,4 +1,4 @@
-# $FreeBSD: src/gnu/usr.bin/groff/tmac/Makefile,v 1.39 2002/10/23 19:04:00 ru Exp $
+# $FreeBSD: src/gnu/usr.bin/groff/tmac/Makefile,v 1.40 2002/10/24 11:05:58 ru Exp $
TMACOWN?= ${BINOWN}
TMACGRP?= ${BINGRP}
@@ -14,7 +14,6 @@
MLINKS+= groff_mdoc.7 mdoc.7 groff_mdoc.7 mdoc.samples.7
CLEANFILES= ${MAN} ${MDOCFILES:S/$/-s/} ${STRIPFILES:S/$/-s/} ${SPECIALFILES:S/$/-s/}
-CLEANFILES+= troffrc-end.patched
NORMALFILES= mandoc.tmac andoc.tmac an-old.tmac \
me.tmac \
@@ -33,7 +32,7 @@
lbp.tmac \
html.tmac www.tmac \
eqnrc \
- troffrc \
+ troffrc troffrc-end \
hyphen.us
SPECIALFILES= an.tmac man.tmac s.tmac ms.tmac
STRIPFILES= e.tmac doc.tmac mdoc.local
@@ -41,7 +40,6 @@
fr.ISO8859-1 ru.KOI8-R
all: ${MDOCFILES:S/$/-s/} ${STRIPFILES:S/$/-s/} ${SPECIALFILES:S/$/-s/}
-all: troffrc-end.patched
.for f in ${MDOCFILES} ${STRIPFILES}
$f-s: $f
@@ -55,9 +53,6 @@
${.ALLSRC} > ${.TARGET}
.endfor
-troffrc-end.patched: troffrc-end
- (cat ${.ALLSRC}; echo ".if n .do nop \X'tty: sgr 0'\c") > ${.TARGET}
-
beforeinstall:
cd ${DIST_DIR}; \
${INSTALL} -o ${TMACOWN} -g ${TMACGRP} -m ${TMACMODE} \
@@ -66,8 +61,6 @@
${INSTALL} -o ${TMACOWN} -g ${TMACGRP} -m ${TMACMODE} \
hyphen.ru ${DESTDIR}${TMACDIR}
cd ${.OBJDIR}
- ${INSTALL} -o ${TMACOWN} -g ${TMACGRP} -m ${TMACMODE} \
- troffrc-end.patched ${DESTDIR}${TMACDIR}/troffrc-end
.for f in ${STRIPFILES} ${SPECIALFILES}
${INSTALL} -o ${TMACOWN} -g ${TMACGRP} -m ${TMACMODE} \
$f-s ${DESTDIR}${TMACDIR}/$f
==== //depot/projects/trustedbsd/base/include/Makefile#20 (text+ko) ====
@@ -1,5 +1,5 @@
# @(#)Makefile 8.2 (Berkeley) 1/4/94
-# $FreeBSD: src/include/Makefile,v 1.184 2002/10/18 15:30:45 tmm Exp $
+# $FreeBSD: src/include/Makefile,v 1.185 2002/10/24 15:25:37 rwatson Exp $
#
# Doing a make install builds /usr/include
#
@@ -42,7 +42,7 @@
fs/procfs fs/smbfs fs/umapfs fs/unionfs isofs/cd9660 \
netatm/ipatm netatm/sigpvc netatm/spans netatm/uni \
security/lomac security/mac_biba security/mac_bsdextended \
- security/mac_mls ufs/ffs ufs/ufs
+ security/mac_mls security/mac_partition ufs/ffs ufs/ufs
# For SHARED=symlinks, cam and netatm are symlinks, so cam/scsi and netatm/*
# are taken care of
==== //depot/projects/trustedbsd/base/lib/libc/locale/wcrtomb.c#3 (text+ko) ====
@@ -25,9 +25,10 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/lib/libc/locale/wcrtomb.c,v 1.2 2002/09/06 11:23:45 tjr Exp $");
+__FBSDID("$FreeBSD: src/lib/libc/locale/wcrtomb.c,v 1.3 2002/10/25 13:24:45 tjr Exp $");
#include <errno.h>
+#include <limits.h>
#include <rune.h>
#include <stdlib.h>
#include <wchar.h>
@@ -36,7 +37,10 @@
wcrtomb(char * __restrict s, wchar_t wc, mbstate_t * __restrict ps __unused)
{
char *e;
+ char buf[MB_LEN_MAX];
+ if (s == NULL)
+ s = buf;
sputrune(wc, s, MB_CUR_MAX, &e);
if (e == NULL) {
errno = EILSEQ;
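Review bot: When `s` is NULL the conversion is still made with the caller's `wc`, but the C standard defines `wcrtomb(NULL, wc, ps)` as equivalent to `wcrtomb(buf, L'\0', ps)`, so `wc` has to be ignored in that case. As written, a NULL `s` combined with an unencodable `wc` can reach the `EILSEQ` path instead of behaving as a state reset. The guard could read `if (s == NULL) { s = buf; wc = L'\0'; }`. The rest of the function is outside this hunk.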
==== //depot/projects/trustedbsd/base/lib/libc/net/getaddrinfo.c#8 (text+ko) ====
@@ -38,12 +38,9 @@
* in the source code. This is because RFC2553 is silent about which error
* code must be returned for which situation.
* - freeaddrinfo(NULL). RFC2553 is silent about it. XNET 5.2 says it is
- * invalid.
- * current code - SEGV on freeaddrinfo(NULL)
+ * invalid. current code - SEGV on freeaddrinfo(NULL)
+ *
* Note:
- * - We use getipnodebyname() just for thread-safeness. There's no intent
- * to let it do PF_UNSPEC (actually we never pass PF_UNSPEC to
- * getipnodebyname().
* - The code filters out AFs that are not supported by the kernel,
* when globbing NULL hostname (to loopback, or wildcard). Is it the right
* thing to do? What is the relationship with post-RFC2553 AI_ADDRCONFIG
@@ -52,38 +49,21 @@
* (1) what should we do against numeric hostname (2) what should we do
* against NULL hostname (3) what is AI_ADDRCONFIG itself. AF not ready?
* non-loopback address configured? global address configured?
+ *
+ * OS specific notes for netbsd/openbsd/freebsd4/bsdi4:
* - To avoid search order issue, we have a big amount of code duplicate
* from gethnamaddr.c and some other places. The issues that there's no
* lower layer function to lookup "IPv4 or IPv6" record. Calling
* gethostbyname2 from getaddrinfo will end up in wrong search order, as
- * follows:
- * - The code makes use of following calls when asked to resolver with
- * ai_family = PF_UNSPEC:
- * getipnodebyname(host, AF_INET6);
- * getipnodebyname(host, AF_INET);
- * This will result in the following queries if the node is configure to
- * prefer /etc/hosts than DNS:
- * lookup /etc/hosts for IPv6 address
- * lookup DNS for IPv6 address
- * lookup /etc/hosts for IPv4 address
- * lookup DNS for IPv4 address
- * which may not meet people's requirement.
- * The right thing to happen is to have underlying layer which does
- * PF_UNSPEC lookup (lookup both) and return chain of addrinfos.
- * This would result in a bit of code duplicate with _dns_ghbyname() and
- * friends.
+ * presented above.
+ *
+ * OS specific notes for freebsd4:
+ * - FreeBSD supported $GAI. The code does not.
+ * - FreeBSD allowed classful IPv4 numeric (127.1), the code does not.
*/
-/*
- * diffs with other KAME platforms:
- * - other KAME platforms already nuked FAITH ($GAI), but as FreeBSD
- * 4.0-RELEASE supplies it, we still have the code here.
- * - AI_ADDRCONFIG support is supplied
- * - some of FreeBSD style (#define tabify and others)
- * - classful IPv4 numeric (127.1) is allowed.
- */
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/lib/libc/net/getaddrinfo.c,v 1.34 2002/10/06 08:43:35 ume Exp $");
+__FBSDID("$FreeBSD: src/lib/libc/net/getaddrinfo.c,v 1.35 2002/10/25 16:24:28 ume Exp $");
#include "namespace.h"
#include <sys/types.h>
@@ -120,19 +100,21 @@
# define FAITH
#endif
-#define SUCCESS 0
-#define ANY 0
-#define YES 1
-#define NO 0
+#define SUCCESS 0
+#define ANY 0
+#define YES 1
+#define NO 0
static const char in_addrany[] = { 0, 0, 0, 0 };
+static const char in_loopback[] = { 127, 0, 0, 1 };
+#ifdef INET6
static const char in6_addrany[] = {
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
-static const char in_loopback[] = { 127, 0, 0, 1 };
static const char in6_loopback[] = {
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
};
+#endif
static const struct afd {
int a_af;
@@ -166,9 +148,9 @@
int e_protocol;
const char *e_protostr;
int e_wild;
-#define WILD_AF(ex) ((ex)->e_wild & 0x01)
-#define WILD_SOCKTYPE(ex) ((ex)->e_wild & 0x02)
-#define WILD_PROTOCOL(ex) ((ex)->e_wild & 0x04)
+#define WILD_AF(ex) ((ex)->e_wild & 0x01)
+#define WILD_SOCKTYPE(ex) ((ex)->e_wild & 0x02)
+#define WILD_PROTOCOL(ex) ((ex)->e_wild & 0x04)
};
static const struct explore explore[] = {
@@ -190,9 +172,9 @@
};
#ifdef INET6
-#define PTON_MAX 16
+#define PTON_MAX 16
#else
-#define PTON_MAX 4
+#define PTON_MAX 4
#endif
static const ns_src default_dns_files[] = {
@@ -240,9 +222,9 @@
static struct addrinfo *getanswer(const querybuf *, int, const char *, int,
const struct addrinfo *);
-static int _dns_getaddrinfo(void *, void *, va_list);
static void _sethtent(void);
static void _endhtent(void);
+static int _dns_getaddrinfo(void *, void *, va_list);
static struct addrinfo *_gethtent(const char *, const struct addrinfo *);
static int _files_getaddrinfo(void *, void *, va_list);
#ifdef YP
@@ -291,7 +273,7 @@
/* XXX macros that make external reference is BAD. */
-#define GET_AI(ai, afd, addr) \
+#define GET_AI(ai, afd, addr) \
do { \
/* external reference: pai, error, and label free */ \
(ai) = get_ai(pai, (afd), (addr)); \
@@ -301,7 +283,7 @@
} \
} while (/*CONSTCOND*/0)
-#define GET_PORT(ai, serv) \
+#define GET_PORT(ai, serv) \
do { \
/* external reference: error and label free */ \
error = get_port((ai), (serv), 0); \
@@ -309,7 +291,7 @@
goto free; \
} while (/*CONSTCOND*/0)
-#define GET_CANONNAME(ai, str) \
+#define GET_CANONNAME(ai, str) \
do { \
/* external reference: pai, error and label free */ \
error = get_canonname(pai, (ai), (str)); \
@@ -317,7 +299,7 @@
goto free; \
} while (/*CONSTCOND*/0)
-#define ERR(err) \
+#define ERR(err) \
do { \
/* external reference: error, and label bad */ \
error = (err); \
@@ -325,9 +307,9 @@
/*NOTREACHED*/ \
} while (/*CONSTCOND*/0)
-#define MATCH_FAMILY(x, y, w) \
+#define MATCH_FAMILY(x, y, w) \
((x) == (y) || (/*CONSTCOND*/(w) && ((x) == PF_UNSPEC || (y) == PF_UNSPEC)))
-#define MATCH(x, y, w) \
+#define MATCH(x, y, w) \
((x) == (y) || (/*CONSTCOND*/(w) && ((x) == ANY || (y) == ANY)))
char *
@@ -430,8 +412,8 @@
continue;
if (ex->e_protocol == ANY)
continue;
- if (pai->ai_socktype == ex->e_socktype
- && pai->ai_protocol != ex->e_protocol) {
+ if (pai->ai_socktype == ex->e_socktype &&
+ pai->ai_protocol != ex->e_protocol) {
ERR(EAI_BADHINTS);
}
}
@@ -440,7 +422,7 @@
/*
* post-2553: AI_ALL and AI_V4MAPPED are effective only against
- * AF_INET6 query. They needs to be ignored if specified in other
+ * AF_INET6 query. They need to be ignored if specified in other
* occassions.
*/
switch (pai->ai_flags & (AI_ALL | AI_V4MAPPED)) {
@@ -776,7 +758,7 @@
while (cur && cur->ai_next)
cur = cur->ai_next;
} else
- ERR(EAI_FAMILY); /*xxx*/
+ ERR(EAI_FAMILY); /* XXX */
}
break;
}
@@ -870,7 +852,7 @@
ai->ai_canonname = (char *)malloc(strlen(str) + 1);
if (ai->ai_canonname == NULL)
return EAI_MEMORY;
- strcpy(ai->ai_canonname, str);
+ strlcpy(ai->ai_canonname, str, strlen(str) + 1);
}
return 0;
}
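Review bot: The size passed to `strlcpy` is `strlen(str) + 1`, computed from the source rather than from the destination, so the call bounds nothing that `strcpy` did not and only looks like a checked copy. It also walks `str` three times: once for `malloc`, once for the size argument, and once inside `strlcpy`. Computing the length once and using it for both the allocation and the copy ties the two together: `size_t len = strlen(str) + 1;`, `malloc(len)`, then `memcpy(ai->ai_canonname, str, len);`. The start of the function (presumably get_canonname) is outside this hunk.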
@@ -997,9 +979,10 @@
if (str_isnumber(servname)) {
if (!allownumeric)
return EAI_SERVICE;
- port = htons(atoi(servname));
+ port = atoi(servname);
if (port < 0 || port > 65535)
return EAI_SERVICE;
+ port = htons(port);
} else {
switch (ai->ai_socktype) {
case SOCK_DGRAM:
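Review bot: `atoi(servname)` has undefined behaviour when the digit string does not fit in an `int`, so a very long numeric service name can still yield a value that passes the `port < 0 || port > 65535` test now placed before `htons()`. Whether `str_isnumber()` limits the length is not visible in this hunk. Parsing with `strtol` and rejecting out-of-range input before the existing check closes this: `errno = 0; lport = strtol(servname, &ep, 10);` followed by `if (errno == ERANGE || *ep != '\0') return EAI_SERVICE;`. The declaration of `port` and the rest of the function (presumably get_port) lie outside the hunk.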
@@ -1227,8 +1210,8 @@
const u_char *cp;
int n;
const u_char *eom;
- char *bp;
- int type, class, buflen, ancount, qdcount;
+ char *bp, *ep;
+ int type, class, ancount, qdcount;
int haveanswer, had_error;
char tbuf[MAXDNAME];
int (*name_ok)(const char *);
@@ -1255,13 +1238,13 @@
ancount = ntohs(hp->ancount);
qdcount = ntohs(hp->qdcount);
bp = hostbuf;
- buflen = sizeof hostbuf;
+ ep = hostbuf + sizeof hostbuf;
cp = answer->buf + HFIXEDSZ;
if (qdcount != 1) {
h_errno = NO_RECOVERY;
return (NULL);
}
- n = dn_expand(answer->buf, eom, cp, bp, buflen);
+ n = dn_expand(answer->buf, eom, cp, bp, ep - bp);
if ((n < 0) || !(*name_ok)(bp)) {
h_errno = NO_RECOVERY;
return (NULL);
@@ -1279,14 +1262,13 @@
}
canonname = bp;
bp += n;
- buflen -= n;
/* The qname can be abbreviated, but h_name is now absolute. */
qname = canonname;
}
haveanswer = 0;
had_error = 0;
while (ancount-- > 0 && cp < eom && !had_error) {
- n = dn_expand(answer->buf, eom, cp, bp, buflen);
+ n = dn_expand(answer->buf, eom, cp, bp, ep - bp);
if ((n < 0) || !(*name_ok)(bp)) {
had_error++;
continue;
@@ -1313,14 +1295,13 @@
cp += n;
/* Get canonical name. */
n = strlen(tbuf) + 1; /* for the \0 */
- if (n > buflen || n >= MAXHOSTNAMELEN) {
+ if (n > ep - bp || n >= MAXHOSTNAMELEN) {
>>> TRUNCATED FOR MAIL (1000 lines) <<<