Enabled via per_user_tmp in /etc/rc.conf (default off).
See security(8) and rc.conf(5) for more details.
Lots of input from thorpej@ & christos@, thanks!
remove pseudo-device btdev(4) and inherent limitations
add bthub(4) which autoconfigures at bluetooth controllers as they
are enabled. bluetooth devices now attach here.
btdevctl(8) and its cache is updated to handle new semantics
etc/rc.d/btdevctl is updated to configure devices from a list
in /etc/bluetooth/btdevctl.conf
of /etc/rc.d/ipfilter and family if MKIPFILTER=no. As lukem points
out, skipping installation of etc/rc.d/ scripts is not inconsistent
with other optional components, such as pf, x11, etc.
NetBSD Foundation Membership still pending.) This stack was written by
Iain under sponsorship from Itronix Inc.
The stack includes support for rfcomm networking (networking via your
bluetooth enabled cell phone), hid devices (keyboards/mice), and headsets.
Drivers for both PCMCIA and USB bluetooth controllers are included.
not absolute.
This affects an update with sysinst, which will try to look at
/targetroot/etc/fstab, which points to /etc/etc.whatever, which is
not there during the upgrade, and results in all (/targetroot)/etc
files getting nuked!
display or mouse variable should be changed. This is backwards compatible
with the old setvar style: if the argument is not specified, it defaults
to `keyboard'.
* remove all references to $ip6sitelocal and output a warning
message if the variable is defined.
* introduce $ip6uniquelocal (defaults to 'NO') that will control the
behaviour of the system when $ip6mode is ``router'' (i.e. fc00::/7
will not be routed if the variable is ``NO'') as per RFC 4193.
Thanks to Jonathan A. Kollasch for pointing this out in PR 32152.
derive IP address(es) from the interface (e.g "... from any to fxp0").
This however, creates window for possible attacks from the network.
Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.
No objections on: tech-security
when running ftpd as daemon and it will now automatically be appended to the
command line, even if ftpd_flags doesn't have it.
Suggested by Alan Barrett and Luke Mewburn, thanks.
* We now use hash tables instead of a list to store the in kernel
fingerprints.
* Fingerprint methods handling has been made more flexible, it is now
even simpler to add new methods.
* the loader no longer passes in magic numbers representing the
fingerprint method so veriexecctl is not longer kernel specific.
* fingerprint methods can be tailored out using options in the kernel
config file.
* more fingerprint methods added - rmd160, sha256/384/512
* veriexecctl can now report the fingerprint methods supported by the
running kernel.
* regularised the naming of some portions of veriexec.
process (we're -- probably inappropriately -- waiting for the kernel to do
that at the end), so cgdconfig -U won't do much until that situation changes.
of the appropriate configuration file.
Based on PR 28757 from Jason White.
* Add comments explaining why we flush separately from the reload
(backwards compat with older ipf(8) binaries).
correctly on ipf(8) from prior to 4.1.3 (where -Fa flushes both protocols)
and 4.1.3 (where -Fa only flushes the current protocol).
Fix from Kimmo Suominen, per private discussion.
rebuilt from "newer than" to "not older than". The latter check also
manages to take into account cases where the db file doesn't yet exist
because the source is "not older than" something that doesn't yet
exist.
(1) The stock sendmail.cf will only listen on the loopback interface.
(2) The stock submit.cf specifally connects to "localhost." which
should be less susceptible to being confused or looking confused.
(3) The smtp listener starts by default, if needed. The setting in
/etc/default/rc.conf is still "no", but rc.d/sendmail detects the
default setting and will change it to yes if need is determined.
Need is defined as "nothing else seems to have been changed about the
mail configuration but we'd like locally originated and locally
destined mail to be delivered". If you change, eg, mailer.conf to
point to postfix or some other MTA, sendmail will not start.
* REQUIRE: isdnd, so this will be shutdown before that, to prevent
future problem if isdnd eve gets an explicit "shutdown" keyword.
Per discussion with Martin Husemann.
target) instead of using home-grown 'distribution' targets or using
FILES with the 'install' target.
Add some etc/ subdir Makefiles where appropriate.
XXX: some of etc/Makefile install-etc-files could be converted to CONFIGFILES.
which may have been introduced by booting a netbsd-current kernel
from between April of 2003 and January 2004. For more information
see <http://mail-index.NetBSD.org/current-users/2004/01/11/0022.html>
This script was developed as a response to NetBSD pr install/25138
This should not be added to the Makefile or the default install until
it has been further tested
at boot automatically, so a machine dual booting another OS that uses
the RTC at localtime and NetBSD agree on the current time even if daylight
saving started/ended (without recompiling a kernel twice per year).
Awk code by Matt Thomas.
isn't enabled.
This is how the rc.d system works in conjunction with our current build
and install system; all the rc.d scripts are installed even if the
subsystems they control are not.
and without Kerberos 4 & 5 (MKKERBEROS=no). Previously checkflist
complained of missing files.
* move kerberos- and kerberos 4-only files into new flists,
distrib/sets/lists/*/krb.*
* make the flist generators grok MKKERBEROS{,4} variables
* fix Makefiles which treat MKKERBEROS=no as MKKERBEROS5=no.
9 out of 10 experts agree that it is ludicrous to build w/
KERBEROS4 and w/o KERBEROS5.
* fix header files, also, which treat MKKERBEROS=no as MKKERBEROS5=no.
* omit some Kerberos-only subdirectories from the build as
MKKERBEROS{,4} indicate
(I acknowledge the sentiment that flists are the wrong way to go,
and that the makefiles should produce the metalog directly. That
sounds to me like the right way to go, but I am not prepared to do
revamp all the makefiles. While my approach is expedient, it fits
painlessly within the current build architecture until we are
delivered from flist purgatory, and it does not postpone our
delivery. Fair enough?)
that might block startup, and be more permissive in general about
allowing the daemons to start.
Add some descriptive comments to the top of the smmsp script that
describe the purpose of the process.
sendmail 8.12.8. Some of the same machinery (in shorter form) is in
the additions to rc.d/sendmail. Also, add a smmsp startup script for
the sendmail client queue runner.
the state table, making it much more useful.
The behaviour of 'restart' is unchanged (flush state table and reload
rules), but is now done slightly more elegantly.
ok'd by lukem.
dev database be rebuilt after loading modules. Loading modules might
create new nodes in /dev, but the dev database is being initialized
too soon for lkm2 and lkm3. This means that, eg, /dev/xf86 (typically
marked AFTERMOUNT and loaded by lkm2) will show up properly. Reviewed
by lukem.
immediately afterwards before bringing the interface up. This avoids
a small security gap existing in the previous scheme where IP Filter
was synced after all cloning interfaces were created and brought up.
called after quota so we don't end up with fsck and raidframe parity rebuild
taking forever after a crash/reboot.
While we are here check for raid[0-9].conf & raid[1-9][0-9].conf not
raid[0-9].conf & raid[0-9][0-9].conf
"/etc/ssh/ssh_config" (from "/etc/ssh/ssh.conf") for ssh(1) and other
userland tools, and "/etc/ssh/sshd_config (from "/etc/ssh/sshd.conf")
for sshd(8).
etc/postinstall will detect this, and if "fix" is given, rename the files.
- Add support for "setvar", which allows setting of arbitrary wsconsctl(8)
variables. Per email on tech-userlevel from Julio Merino <jmmv@hispabsd.org>
make -V FILES
from being useful (and given that every other variable can be
extracted using make -V, the behaviour was unusually inconsistent
given that the original reason for clearing it doesn't seem to be
relevant anymore)
- use <bsd.prog.mk> instead of directly including <bsd.files.mk>
(and possibly <bsd.man.mk> or <bsd.own.mk>)
- remove obsolete NOPROG
+ it was not discussed first
+ it is not consistent with the rest of the rc.d system. everything else:
- has defaults & example configuration in /etc/defaults/rc.conf
- uses lower-case variable names, including ipmon itself
Similar functionality added by the change I'm backing out may be
reintroduced in the future once it's been changed to meet our de-facto
rc.d standards, as opposed to something that appears to have been
lifted from a non-NetBSD source (HP/UX ?) ...
This occurs before the first load_rc_config() so that it may be
overridden by the user, and appears in single quotes so the
variables don't get evaluated until the eval in run_rc_command().
Problem noted by Patrick Welche <prlw1@cam.ac.uk> in [bin/15912].
Replace $critical_filesystems with $critical_filesystems_remote .
The new names are now consistent with the type argument that
mount_critical_filesystems() is called with, and allows for other types to
be easily supported by that function.
For backwards compatibility purposes, if the now obsolete variable is defined
(even empty), it takes precedence over the new form, and you will be warned.
If you want to stop the warnings, update your rc.conf(5) settings!
