- New /etc/security check for entropy in daily security report.
- New /etc/rc.d/entropy script runs (after random_seed and rndctl) to
check for entropy at boot -- in rc.conf, you can:
. set `entropy=check' to halt multiuser boot and enter single-user
mode if not enough entropy
. set `entropy=wait' to make multiuser boot wait until enough entropy
Default is to always boot without waiting -- and rely on other
channels like security report to alert the operator if there's a
problem.
- New man page entropy(7) discussing the higher-level concepts and
system integration with cross-references.
- New paragraph in afterboot(8) about entropy citing entropy(7) for
more details.
This change addresses many of the issues discussed in security/55659.
This is a first draft; happy to take improvements to the man pages and
scripted messages to improve clarity.
I considered changing motd to include an entropy warning with a
reference to the entropy(7) man page, but it's a little trickier:
- Not sure it's appropriate for all users to see at login rather than
users who have power to affect the entropy estimate (maybe it is,
just haven't decided).
- We only have a mechanism for changing once at boot; the message would
remain until next boot even if an operator adds enough entropy.
- The mechanism isn't really conducive to making a message appear
conditionally from boot to boot.
The output without the dollar sign is less confusing as it's actual
valid shell syntax:
$ /etc/rc.d/foo rcvar
# food
food=YES
Brought up on tech-userlevel@ by Rocky Hotas with some LGTMs from
other people and no objections.
We still refer to '$food' in warnings/errors though.
The /dev/acpi character device gives an aperture into physical memory
that allows only read access to known ACPI tables: RSDP, XSDT/RSDT, and
the root tables. Adapt acpidump(8) to use this interface by default,
falling back to the old /dev/mem method if it is not available or if
ACPIDUMP_USE_DEVMEM=1 is set in the environment. The user visible benefit
of this change is that "options INSECURE" is no longer required to
dump ACPI tables.
- Use "-6" instead of "--noipv4" as it seems more appropriate based on
the dhcpcd(8) manual page.
- Remove "-f /dev/null" as it seems unnecessary with "-6".
- Remove "--persistent" as it is in the default /etc/dhcpcd.conf,
and this way the user can change it, if they would like to (either
through dhcpcd_flags or by editing /etc/dhcpcd.conf).
The "-b" (or "--background") option is needed to avoid a timeout error
message (and a delay in booting), so it is still left in place.
- Use the "pool" keyword for obtaining servers from ntp.pool.org.
- Add "tos minclock" and "tos maxclock" to limit the number of servers.
- Add "restrict source" to apply appropriate restrictions to servers.
(Specifically "nopeer" cannot be applied to "pool" servers.)
- A single "pool" entry suffices -- using "2.netbsd.pool.ntp.org" so
that we get both IPv4 and IPv6 addresses. (No addresses are returned
for just "netbsd.pool.ntp.org.")
- Add a comment about "tinker panic 0" -- useful for VMs and laptops.
- Add a comment about "discard minimum" -- useful for some SNTP clients.
- Add an explanation for the "limited" restriction keyword.
- Unify whitespace and comment formatting.
This results in correct updates to /etc/motd even when the value of
motd_release_tag is changed (a likely event).
Add safe quoting to outputting the read kernel version.
Thanks to kre@ for the feedback.
My personal preferencese for /etc/rc.conf:
update_motd_release=YES
motd_release_tag='Binaries: '
This provides an explanation to users about the second version in motd.
builds on modern systems and seems to have been added as a workaround for
some 2004-era Linux NFS bug. Guessing that the issue has been sorted out
in the meantime.
Still planning to replace wgconfig(8) and wg-keygen(8) by one wg(8)
tool compatible with wireguard-tools; update wg(4) for the minor
changes from the 2018-06-30 spec to the 2020-06-01 spec; &c. This just
clarifies the current state of affairs as it exists in the development
tree for now.
Mark the man page EXPERIMENTAL for extra clarity.
that pre-populate parts of the system (e.g. a tmpfs based /var) an
easy place to plug in like:
# REQUIRE: mountcritlocal
# BEFORE: MOUNTCRITLOCAL
This also cleans up the existing special handling a bit by separating it
into new scripts. All later scripts now depend on MOUNTCRITLOCAL.
Discussed on tech-userlevel some time ago.
This is much better handled by a user-land tool.
Proposed on tech-net here:
https://mail-index.netbsd.org/tech-net/2020/04/22/msg007766.html
Note that the ioctl SIOCGIFINFO_IN6 no longer sets flags. That now
needs to be done using the pre-existing SIOCSIFINFO_FLAGS ioctl.
Compat is fully provided where it makes sense, but trying to turn on
RA handling will obviously throw an error as it no longer exists.
Note that if you use IPv6 temporary addresses, this now needs to be
turned on in dhcpcd.conf(5) rather than in sysctl.conf(5).
christos