request:
instead of the -S flag, fix the -s flag to not open a socket
if there are no forwarding rules in /etc/syslog.conf
The behavior of syslogd when -s is specified and there are forwarding rules
should still be made cleaner.
in man page and comments -- for some time it has no longer prevented
an inet socket from being opened, just caused it to be ignored
2.) Fix this problem with `-s' -- syslogd always opens an inet socket, even if
-s is specified and it has nowhere to send to. This socket is then
shutdown(), but there is no way to not have this socket open.
Users setting up paranoid installations can now specify `-S' which
prevents any non-unix-domain sockets from being opened, even if
forwarding is specified in /etc/syslogd.conf.
As per the previous fix, this is not made the default for `-s', as it
also prevents syslogd from forwarding log messages.
3.) document the above in the man page and usage.
Justification: in light of the possibility of future DoS attacks, or the
desire to set up a machine which is relatively uninformative in the face
of port scans, users may quite legitimately want to control what sockets
are open on their machine. Telling such users that they cannot run
syslogd is non-ideal.
option pulls in a set of symbols that increases the size of dhclient
with functionality that is not required for installation media.
This was discussed with Ted Lemon, and the patch is being submitted to him
for inclusion in his source tree.
short enough to put on the same line.
- Kill the comma at the end of SEE ALSO list.
- Remove empty line in the source.
- Break line at the end of statement in the source for better output (in other
words, let roff format it).
adding support for Heimdal/KTH Kerberos where easy to do so. Eliminate
bsd.crypto.mk.
There is still a bunch more work to do, but crypto is now more-or-less
fully merged into the base NetBSD distribution.
a bit, to make them more descriptive
* in findbestmatchingname_fn, fix a bug where a null pointer wasn't
caught (I wonder why we didn't actually hit that case...)
* Bugfix in findbestmatchingname_fn: when comparing, strip off any
trailing ".tgz", as this will give wrong results. "1.9.8.tgz" was
found to be greater than "1.9.8.1".
Add flags "-b" and "-I" to dumplfs, to allow the user to specify the
location of the superblock and Ifile inode, respectively.
Don't print "corrupt segment header" any more for leftover slivers of
space too close to the next segment to write a partial-segment. In the
event that there was no such sliver, the segment still ends; recognize
this and print out the segment number, and superblock if asked.
Document all the flags in the man page.
Print the partial-segment write flags (SS_DIROP, SS_CONT).
Make the "-a" flag output look slightly better.
Change all hex numbers to lowercase, instead of having some upper and
some lower.
+ Make depend required all the source files to be built before
the dependencies were generated due to some sub-optimal logic
in the version generation.
Fix from Bernd Ernesti in private mail.
+ Make the version string contain ${PROG} as originally intended
and not "ntpd" for all 7 programs.
Also move version generation to Makefile.inc to stop having 7 copies
of exactly the same thing.
to mention here. notable changes are like below.
kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.
setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification
file, make command specified, and no flags or attrs-which-cause-inclusion
are spec'd. The notion is, if you change either of the last 2, it will
probably have very undesirable results, so only allow the make command to
be changed. override by clobbering the make command in the previous entry.
also, fix a bug where line number of original entry would get clobbered on
dup entry, so that if you had multiple dups the later ones would get bogus
initial definition info.
fhopen() and flock(). This means that if you kill lockd, all locks will
be released (but you're supposed to kill statd at the same time, so
remote hosts will know it and re-establish the lock).
Tested against solaris 2.7 and linux 2.2.14 clients.
Shared locks are not handled efficiently, they're serialised in lockd when they
could be granted.
with both names. So log the "Unsolicited notification" with LOG_DEBUG
instead of LOG_ERR.
Don't return failure if we received a notification for which the host is
unknown, or we don't have outstanding requests. The remote host will retry
forever otherwise.
had been granted access to the portmapper via hosts.{allow,deny} could use
PMAPPROC_CALLIT to call PMAPPROC_{SET,UNSET} to (un)register services as if
they were running on the local host.
The new code disallows all indirect calls to the portmapper except for
PMAPPROC_NULL unless the -i (insecure) flag has been specified.
While there, add a new flag, -p (paranoid) which also disallows indirect calls
to a small number of other services, including key parts of NFS and NIS. This
code hardcodes the services to be disallowed, and is thus somewhat of a hack,
but will serve for the time being (until portmap is replaced by rpcbind as part
of fvdl's current rpc work, due to happen before 1.5).
Problem pointed out by Frank van der Linden <fvdl@netbsd.org>, solution determined
in discussion with Frank van der Linden and with Bill Sommerfeld <sommerfeld@netbsd.org>.
Some inspiration drawn from the (less general) handling of this problem in Wietse
Venema's libwrap'ed portmap.
use of non-exported function __ivaliduser{,_sa}().
we cannot make __ivaliduser{,_sa}() static yet, since doing that would choke
compiled lpd binaries. we should do it on next libc major version bump.
added a memo on lib/libc/shlib_version.
while here, do some whitespace/const cleanup, convert to use addentry(),
g/c section[] (now uses buf[] directly) - 10 character limit for section
name is gone
- decrease warning level on missing rtadvd.conf (actually, the file
can be omitted)
- strict prototype
- gather stats better, emit stats on SIGUSR1 to /var/run
+ Use _PATH_GROUP and _PATH_MASTERPASSWD (from OpenBSD)
+ Use -G group1,group2,group3 for multiple groups in useradd and usermod
(pointed out by Matt Green, and also changed in OpenBSD, but done more
efficiently here)
+ is_number should not be inside #ifdef EXTENSIONS (from OpenBSD)
+ clear up yet another usage message (for user(8) and group(8)) - noticed
in passing, unknown if fixed anywhere else
support the address family (like including "tcp6" in inetd.conf, on
non-IPv6 kernel).
was:
inetd[185]: ftp/tcp6: *: hostname nor servname provided, or not known
now:
inetd[315]: ftp/tcp6: *: the address family is not supported by the kernel
1. if there is a colon present, use that as a separator for user:group
2. if there is no colon, attempt to convert the arg into a username,
searching backwards in the string for a '.' for us.er.group
3. if the arg doesn't match a username and has a '.' in it, split it
up and try user.group
package matching a certain pattern. Examples:
yui# cd /usr/pkgsrc/packages/i386ELF/All/
yui# ls unzip*
unzip-5.40.tgz unzip-5.41.tgz
yui# pkg_admin lsall 'unzip*'
unzip-5.40.tgz
unzip-5.41.tgz
yui# pkg_admin lsall 'unzip>=5.40'
unzip-5.40.tgz
unzip-5.41.tgz
yui# pkg_admin lsall 'unzip>=5.41'
unzip-5.41.tgz
yui# pkg_admin lsbest 'unzip>=5.40'
unzip-5.41.tgz
yui# pkg_admin lsall /usr/pkgsrc/packages/i386ELF/All/'{mit,unproven}-pthread*'
/usr/pkgsrc/packages/i386ELF/All/mit-pthreads-1.60b6.tgz
This adds a shell/user-interface to pkg-patterns, which are a superset
of sh/csh patterns and can't be expanded by any shell.
a static once-generated version instead. We know we have IPv6
headers available here.
The probing was problematical for several reasons:
o it probed the host headers, not the headers in the build or DESTDIR
tree (could be fixed in another way)
o the probe_ipv6 script mucks with PATH, which would be problematical
for cross compilation.
contents of that header (the only file that includes it compiles to the
same object code on multiple architectures with or without including
<ieeefp.h>), so remove all references to it.
Fix sent to NTP maintainers - they will probably implement this change
after the imminent 4.1.0 release, but don't want to change it so close
to the release date.
- isakmp: print CERT and SIG payload. fix IPsec-AH algorithm type.
- rt6: avoid duplicated IPv6 src/dst.
sync with tcpdump.org.
XXX we need to think about future synchronization with tcpdump.org...
default nis-domain "";
would cause a NULL pointer deref while writing out the lease into
the persistent database if the server didn't include an nis-domain
option in the reply.
From: hiro@takechi.org
XXX checkremote() should be improved. gethostname -> getaddrinfo is
not the right thing to do, we cannot assume a DNS FQDN is configured
as hostname. if the goal here is to check if it is really remote or not,
getifaddrs() is the way to go.
struct dirent *, rather than non-const. this makes scandir(3) the
same as the scandir implementations in libiberty and glibc, and the
select function has no need to modify the dirent.
Handling all kinds of wildcards properly would be hard, though it should
handle some cases better now. Esp. ones with '-' in the pkg(!) name, and/or
ones with dewer relational versions. I.e. the teTeX-share>1.97 case should
work now.
after a "-" with the "more liberal pattern", but also anything after
any pkg wildcard.
That way if someone has teTeX-share-1.0 installed and pkg_adds
teTeX-1.0.7 (which wants teTeX-share>1.0.2), it will be caught.
XXX This "quick depends pre-check" would be nice to be done in
bsd.pkg.mk as well
dependencies if they _can_ be installed. I.e. if a package wants
version X installed, but version Y is already installed, pkg_adding
that required pkg will blow up later (probably some pkg_add recursions
down, given what we keep in the depends list). Now, it stops right
away:
noon# pkg_add /usr/pkgsrc/packages/i386ELF/All/xdaemon-1.0.tgz
pkg_add: pkg `xteddy-1.*' required, but `xteddy-2.0.1' found installed.
Please resolve this conflict!
The idea of this is from Thomas Klausner, further inputs from Alistair
Crooks.
* allow pkg names without versions given to "pkg_admin check"
* Use sizeof() instead of hardcoding the buffers' size in some places