summaryrefslogtreecommitdiff
path: root/etc
AgeCommit message (Collapse)Author
2017-06-03Immediately after mounting / read-write, chmod og-rwx the kernel. RemoteTheo de Raadt
prying eyes were already been hindered at determining kernel addresses, now local prying eyes are also hindered. ok tb rpe
2017-06-03kernels in compile dirs are og-rwx, so need to make them readable inTheo de Raadt
$RELEASEDIR ok tb rpe
2017-06-03Move slaacd to /sbinFlorian Obser
jca points out that all the other interface configuration tools live there (like ifconfig or dhclient). Furthermore it starts so early in the boot process that /usr might not be mounted yet if it's a nfs filesystem. sthen and deraadt agree
2017-05-30Introduce a scary rc.conf(8) knob library_aslr=(YES|NO) to turn off theTheo Buehler
reordering of libraries by rc(8). This way machines with very slow disk I/O have a chance of booting within reasonable time now that libcrypto is also randomized. Discussed with various; input & ok from deraadt ajacoutot
2017-05-30Enable slaacd(8) by default and disable router solicitation andFlorian Obser
advertisement processing in the kernel. Go for it!!! deraadt@ additional encouragement to push forward from at least mpi and henning special thanks to naddy for being an early adopter and finding bugs.
2017-05-29rc.d(8) for slaacdFlorian Obser
OK phessler, deraadt
2017-05-29Randomize link-order of libcrypto as we do with libc. This libraryTheo de Raadt
has many small functions without significant local storage, therefore less tail protection from -fstack-protector-strong to prevent their use as ROP gadgets. It is used in security contexts. Also many functions dribble pointers onto the stack, allowing discovery of gadgets via the fixed relative addresses, so let's randomly bias those. ok tedu jsing The rc script will soon need a strategy for skipping this step on machines with poor IO performance. Or maybe do it less often? However, I don't see many more libraries we'll do this with, these are the two most important ones.
2017-05-28Move check later to mitigate a possible race.Antoine Jacoutot
2017-05-28Indent and rename var; no functional change.Antoine Jacoutot
2017-05-28When a daemon reaches its timeout when starting, display "timeout" insteadAntoine Jacoutot
of "ok" so the user is warned and has a chance to fix it (most of the time due to bogus flags). Daemons reaching the timeout without being able to start are still marked as "failed" (which should also give a clue to the user that some investigation is needed). prodded by beck@ a while ago discussed with and ok sthen@
2017-05-28Drop useless lines continuation; no functional change.Antoine Jacoutot
2017-05-28etc/netstart: use colon separator instead of dot with chownAdam Wolk
OK jung@, deraadt@, jmc@
2017-05-27Ok turns out we still want to keep the rc_bg variable around but we needAntoine Jacoutot
to know which daemon cannot background themselves (actually we want to know the opposite, but there are much more). However, it's only needed in _rc_wait and rc.subr still does its magic without the need to add `&'.
2017-05-27Add an ALRM timer to cope with 2 annoying issues in rc.d(8):Antoine Jacoutot
- prevent a daemon from hanging the boot (typo in your flagsm e.g. httpd_flags=-d) - make sure we can get the status of a backgrounded daemon instead of always returning success Side effect of this is that we can kill a knob! rip rc_bg :-) Ports will need love, and a second commit is coming for that. The diff is small yet not trivial so I am committing early in the release process in one shot so it can easily be reverted if needed. I started working on this during g2k16 in Cambridge then finished it in Brisbane for a2k17 where robert@, beck@ and sthen@ agreed it was the correct way to go and I should move ahead with it post 6.1. If you see any regression, please talk to me!
2017-05-21regenVisa Hankala
2017-05-21Enable radeondrm(4) on loongson to get accelerated graphicsVisa Hankala
with the RS780E chipset. OK kettenis@, jsg@
2017-05-07Change test from [] to [[]] and simplify pattern.Robert Peichaer
OK tb@, krw@ (for [[]]) Feedback and OK halex@
2017-05-07Replace hardcoded script name with ${0##*/}Robert Peichaer
OK tb@ halex@
2017-05-03add vm.conf to changelist and mtree/specialGleydson Soares
OK reyk mlarkin
2017-05-01Revert r1.170 and remove the id==0 check.Robert Peichaer
The id binary is not available in nfs diskless setups at this point. reported by Andreas Kusalananda, thanks. discussed with deraadt@
2017-05-01Remove last remnants of rtsol. IPv6 autoconfiguration of interfaces is nowRobert Peichaer
done in ifstart(). Remove ipv6autoconf() and replace rtsolif with a boolean variable V6_AUTOCONF. Replace dhcpif with a boolean variable V4_DHCPCONF. Both are later used in defaultroute() to decide whether or not to configre defaultroutes from /etc/mygate. OK krw@
2017-05-01Comments and spacing.Robert Peichaer
2017-04-30Do not try to delete a default route before adding it.Martin Pieuchot
Now that route are automatically G/C with the address they are attached to there's no reason to duplicate the kernel's job. Fix a regression introduced with multipath default routes. ok deraadt@
2017-04-26Install arm64 manpages: eeprom(8), MAKEDEV(8). ok phessler kettenisStuart Henderson
2017-04-25Unbreak netstart for multiple inteface configurations like trunkRobert Peichaer
or carp. Ensure that the noglob option is disabled at the end of parse_hn_line() and ifstart(). Reported by Christer Solskogen and Stefan Wollny, thanks!
2017-04-24Introduce a new function parse_hn_line() that replaces the existingRobert Peichaer
hostname.if(5) parsing code in ifstart(). Add a -n option to netstart to only print the interface configuration commands instead of executing them. Add a HN_DIR variable, that points to the directory of the hostname.if files (default /etc) that allows for future regression tests. - add new parse_hn_line() function - change ifstart() - rename $if to $_if - don't ifconfig or ifconfig create if -n option is used - replace hostname.if(5) parsing code with new parse_hn_line() - just print configuration commands if -n option is used - autoconf now happens in ifstart(), remove ifv6autoconf() - introduce HN_DIR variable for the hostname.if file location - add handling of the -n option to only print config commands - ensure -n is only used if interfaces are specified as parameters Discussed with and positive feedback from many 'commit' deraadt@ OK sthen@
2017-04-18Simplify patching of motd(5), also making it agree better with theIngo Schwarze
documentation if the first line of the file is blank. Quirk reported by Anthony Coulter <bsd at anthonycoulter dot name>. OK rpe@
2017-04-18installation of the compiler creates include/g++ if needed; mtree does notTheo de Raadt
need to do this.
2017-04-17skip mtree creation of two include dirs. gcc3 may still use them, butTheo de Raadt
if so gcc3 should create them itself.
2017-04-16Remove /etc/ssl/acme/. We don't need it now that we have a default acme-conf(5)Antoine Jacoutot
that direclty uses /etc/ssl/{,private} by default. Adapt the httpd.conf example accordingly. ok florian@ benno@ millert@
2017-04-15Build full mandoc.db(5) databases by default using makewhatis(8)Ingo Schwarze
without -Q during the build and in weekly(8). According to tests by many developers, makewhatis(8) takes a few minutes at most even on slower hardware like octeon, loongson, ALIX, RPI3, Soekris, cubox, softiron etc., and security(8) is often worse than makewhatis(8). In case this causes excessive weekly(8) run times on even slower (~50 MHz-class) CPUs, consider adding "MAKEWHATISARGS=-Q" to /etc/weekly.local on machines that feel unhappy. OK sthen@ kettenis@ millert@ deraadt@
2017-04-14mark newish phony targets as phony.Marc Espie
okay tb@
2017-04-08- localize the if, file and stat variables which also ensures thatRobert Peichaer
variables are not named like commands. - change test from [] to [[]] OK tb@ halex@
2017-04-07Minimize differences in ifstart() function between netstart andRobert Peichaer
install.sub which makes it easier to spot changes in the future. - comments and formatting - quotes on assignments are not needed (netstart) - remove stray space in test (netstart) - use $file variable with while-loop (netstart) - although valid, instead of i use $i in arithmetic test (install.sub) OK krw@, tb@ Looks good deraadt@
2017-04-07Align comments of ifstart() function in netstart and install.sub.Robert Peichaer
2017-04-07Align comments of stripcom() function in netstart and install.sub.Robert Peichaer
2017-04-04cp -p the bootblocks to RELEASEDIR; ok tbTheo de Raadt
2017-04-01MDT...Theo de Raadt
2017-03-30add signify public keys for syspatch for the current and next releaseRobert Nagy
2017-03-29sync the version of the example package; ok deraadt@Christian Weisgerber
2017-03-25Boot using BIOS from /etc/firmware/vmm-bios by default.Reyk Floeter
Instead of using the internal "vmboot", VMs will now be booted using the external BIOS firmware in /etc/firmware/vmm-bios (which is subject to a LGPLv3 license). Direct booting of OpenBSD kernels or non-default BIOS images is still supported for now using the -b/boot option that is replacing the -k/kernel option. As requested by Theo, vmd(8) fails if neither the default BIOS is found nor a kernel has been specified in the VM configuration. The "vmm" BIOS has to be installed using fw_update(1), which will be done automatically in most cases where the OpenBSD can fetch it after install/upgrade. OK mlarkin@
2017-03-23Don't check for spamd_black twice in rc_pre and rc_start; just do everythingAntoine Jacoutot
in rc_pre. prodded by and ok jmc@, ok halex@
2017-03-22Improve manpage and config file to show the more common use case.Sebastian Benoit
from Nick Holland (nick AT holland-consulting DOT net) ok jmc@ florian@
2017-03-18add user for slaacd(8)Florian Obser
2017-03-17Enable dhcrelay6(8).Rafael Zalamena
ok deraadt@
2017-03-056.2 key for future packagesChristian Weisgerber
2017-03-05bump one more 2016Theo Buehler
2017-03-04fix date and mention installurl way of pkg_addTheo de Raadt
2017-03-046.2 key for future firmwareStuart Henderson
2017-03-04crank to 6.1-betaTheo de Raadt