and sh's && instead of test's obsolete -a.
Minor formatting cleanups, including removing unneeded \ line continuations.
The somewhat bizarre way that named_migrate() was made to work in a
subshell (which of itself is fine, and looks needed) has been made more
rational. Because of that, the need to use local vars is no longer there,
(subshells can't affect the parent) and "local" in that func could be deleted
(but hasn't been).
Take the opportunity to do a little sh formatting cleanups, the \
line continuation can usually be avoided by placing sh operators at
the appropriate places.
Note the [ x"$var" = x"$other" ] usage no longer needs the 'x',
avoiding that kind of nonsense is partly why test was much more
precisely specified, and a lot of the unnecessary stuff made obsolete.
Those however I did not remove (they're harmless).
This one was particularly bad:
if [ -z ${dev} -o ${junk} ]; then
was supposed to be validating an entry read from a config file,
dev should be not empty, and junk should be empty (ie: correct
number of fields present). If that test succeeds, the line is
bad, and we error out.
But if dev was empty, and junk was also empty, that turned into
if [ -z -o ]; then
which tests if "-o" is the empty string, which it isn't, so instead
of succeeding, and considering the entry invalid (no dev specified)
the code would just carry on as if all was good.
Because of this, a bunch of quoting fixes were also made (there might
perhaps be more needed).
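
The failure mode described in the commit message above, reproduced as an added example (not part of the commit or of the NetBSD source). The function names and the one-field line format are constructed for illustration; the quoted `||` form is one way to write the check, not necessarily the committed fix.

```shell
#!/bin/sh
# Added example; names and sample lines are constructed.

# Before: unquoted expansions joined with test's obsolete -o.
# Returns 0 when the entry is judged bad, 1 when it is accepted.
entry_is_bad_old() {
	dev=$1 junk=$2
	# Empty words vanish after expansion, so dev='' junk='' leaves
	# `[ -z -o ]`: "is the string -o empty?", which is false.
	if [ -z ${dev} -o ${junk} ] 2>/dev/null; then
		return 0
	fi
	return 1
}

# After: every expansion quoted, sh's || instead of test's -o.
entry_is_bad_new() {
	dev=$1 junk=$2
	if [ -z "${dev}" ] || [ -n "${junk}" ]; then
		return 0
	fi
	return 1
}

# Split a line into fields with `read`, then print the verdict of
# the chosen checker ("old" or "new"): "bad" or "ok".
check_line() {
	read -r dev junk <<EOF
$2
EOF
	if "entry_is_bad_$1" "$dev" "$junk"; then
		echo bad
	else
		echo ok
	fi
}

check_line old ''		# ok  (the bug: an entry with no dev passes)
check_line new ''		# bad (no dev specified)
check_line new 'wd0a'		# ok
check_line new 'wd0a extra'	# bad (too many fields)
```

Only the empty-entry case is shown for the old form because `test` with three or four unquoted arguments of this shape is unspecified by POSIX and differs between shells.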
While here a couple of minor formatting improvements - in general it
is always a good idea to surround sh operator chars (like '>' '(' ...)
with white space, to guard against the possibility that some other (or
later enhanced) sh might have additional operators which happen to be
the character string used.
I don't understand why the final part of the condition for not doing
anything needs to run in a subshell, but that can stay for now.
- Allows overriding default from /etc/npf.conf
- Indicate rules file used in output
- Drop check for file presence in script - rely on npf exiting with error
This is very limited -- it does not supplant postinstall to rehash
certificates on upgrade; it only runs certctl rehash if
/etc/openssl/certs is an empty directory, as you get in live images
not created with sysinst.
We could also have a more general-purpose way to run postinstall(8)
on first boot of an image, but that has a lot more moving parts to
think about, so let's start with this limited-scope low-risk
approach.
PR install/57629
XXX pullup-10
The default is NIST P-256, which:
(a) has plenty of cryptanalytic security,
(b) performs better on essentially all platforms (smaller enough that
even the advantage of the Mersenne prime structure of P-521 can't
compete), and
(c) likely gets more scrutiny on implementations than P-521 since it's
more widespread.
If you want them you can generate them yourself, but in this day and
age (Monday and 2023, specifically) there's no reason to be using DSA
except for compatibility with ancient legacy software.
- check cmd: run `sshd -t' to check sshd_config file
- reload precmd: run check cmd before reloading so we don't nuke sshd
if there's an error in the sshd_config file
(It is still possible to effectively nuke sshd by changing the
configuration to something that won't work on your network, but at
least we avoid making sshd just exit on reload when you make a typo
in a config option.)
XXX pullup-9
XXX pullup-10
The default is to execute the script (iscsid_volumes=YES), so if you have
any volumes defined, you should also start iscsid (iscsid=YES) to avoid
error messages.
in /etc/conf/raid/raidN (as well as in /etc/raidN.conf) (less
clutter in /etc).
Allow config files to exist for raids that are autoconfigured (just
skip anything autoconfigured) - this allows a (simplistic) recovery
mechanism if autoconf fails, and makes it simpler to enable/disable
autoconf at will, while keeping the raid working.
While here, add sh quoting where it is needed, and remove it from
where it is pointless.
allow conditionally disabling the building of certain user space
programs in the 'base' set.
There is not enough consensus that this is the right way and a few
people had strong objections, see source-changes-d@.
created if it actually did create keys (one should think that a
function called sshd_keygen() only is called to create keys, but
the "precmd" magic makes it run every time sshd is started or stopped).
Patch from Tom Lane, with modifications suggested by kre and a minor
additional cosmetic change.
first character in /etc/gpio.conf and have the rest evaluated in a
shell. It is useful to be able to do actions after setting up gpio
pins or attaching gpioiic(4).
in /etc/rc.conf.d are loaded.
Usually this does not matter as rcvar and name are set to the same value.
For pf_boot and npf_boot, rcvar is set to pf and npf respectively.
Prior to the change, if:
rc.conf contains nfp=YES
rc.conf.d/npf does not exist
Then:
/etc/rc.d/npf_boot rcvar
outputs:
# npf_boot
$npf=YES
If:
rc.conf contains npf=NO (or is not set)
rc.conf.d/npf contains npf=YES
Then:
/etc/rc.d/npf_boot rcvar
outputs:
# npf_boot
$npf=NO
This means that in the latter case, at boot time the npfctl start command
is never run and the firewall is not operational.
a warning to motd pointing at entropy(7) and give instructions how to
re-generate the (weak) keys after fixing up entropy.
Add a "keyregen" command, which forces regeneration of all host keys
to simplify the replacement of weak keys.
- New /etc/security check for entropy in daily security report.
- New /etc/rc.d/entropy script runs (after random_seed and rndctl) to
check for entropy at boot -- in rc.conf, you can:
. set `entropy=check' to halt multiuser boot and enter single-user
mode if not enough entropy
. set `entropy=wait' to make multiuser boot wait until enough entropy
Default is to always boot without waiting -- and rely on other
channels like security report to alert the operator if there's a
problem.
- New man page entropy(7) discussing the higher-level concepts and
system integration with cross-references.
- New paragraph in afterboot(8) about entropy citing entropy(7) for
more details.
This change addresses many of the issues discussed in security/55659.
This is a first draft; happy to take improvements to the man pages and
scripted messages to improve clarity.
I considered changing motd to include an entropy warning with a
reference to the entropy(7) man page, but it's a little trickier:
- Not sure it's appropriate for all users to see at login rather than
users who have power to affect the entropy estimate (maybe it is,
just haven't decided).
- We only have a mechanism for changing once at boot; the message would
remain until next boot even if an operator adds enough entropy.
- The mechanism isn't really conducive to making a message appear
conditionally from boot to boot.
- Use "-6" instead of "--noipv4" as it seems more appropriate based on
the dhcpcd(8) manual page.
- Remove "-f /dev/null" as it seems unnecessary with "-6".
- Remove "--persistent" as it is in the default /etc/dhcpcd.conf,
and this way the user can change it, if they would like to (either
through dhcpcd_flags or by editing /etc/dhcpcd.conf).
The "-b" (or "--background") option is needed to avoid a timeout error
message (and a delay in booting), so it is still left in place.