summaryrefslogtreecommitdiff
path: root/libexec
AgeCommit message (Collapse)Author
2012-01-16Backout activation of the new apropos(1)/whatis(1)/makewhatis(8).Ingo Schwarze
In its current state, it causes too much slowdown, in particular during system builds, and there are other regressions. That cannot be fixed quickly while it's enabled. Problems pointed out by espie@, backout requested by deraadt@, diff "looks good" to espie@.
2012-01-09Don't mmap 0 byte areas, treat them as a noop instead.Ariane van der Steldt
ok miod@
2012-01-08Since PIE executables on mips64 don't have DT_MIPS_RLD_MAP, fall back onMark Kettenis
using DT_DEBUG if DT_MIPS_RLD_MAP isn't there. This requires us to make .dynamic temporarily writable. Fixes debugging of PIE execuables with gdb(1). ok miod@
2012-01-05Enable the new apropos(1), whatis(1), and makewhatis(8).Ingo Schwarze
Unlink the old apropos(1), whatis(1), and makewhatis(8) from the build. Call the new tools from pkg_create(1) and pkg_add(1). "Please enable it now." deraadt@
2011-12-15s,/var/run/wtmp,/var/log/wtmp and add it to FILES.Antoine Jacoutot
from Steffen Daode Nurpmeso with a tweak from jmc@ ok jmc@
2011-12-14Add a new '-W' option to prevent saving login records to /var/run/wtmp.Antoine Jacoutot
This can become pretty handy on busy anonymous servers to avoid filling up /var with unused wtmp records. Note that 'U' and 'W' are mutually exclusive. ok sthen@ millert@
2011-12-03Remove an OpenBSD-specific tweak regarding .Xr spacingIngo Schwarze
and make it compatible with bsd.lv mandoc and with groff-1.21. This tweak was originally added for compatibility with groff-1.15, which is no longer needed. ok jmc@ kristaps@
2011-11-28Add support for getting some flags from DT_FLAGS_1: new flagsPhilip Guenthe
DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL. Committing for kurt@ who worked out the final version; ok guenther@ drahn@
2011-11-19Build ld.so on alpha with -mbuild-constants, so large integerChristian Weisgerber
constants are constructed with several instructions rather than loaded from the data segment, avoiding relocations. This fixes ld.so with gcc4. From miod@, ok jsg@
2011-09-28tweak previous;Jason McIntyre
2011-09-28tweak tftp-proxy to:David Gwynne
1. use a BINDANY socket to connect from the proxy to the server using the clients address. 2. fork a child to do the work so inetd doesnt keep trying to send more packets to the proxy, as per doco in the inetd manpage for dgram wait sockets. because of 1 you now have to add a pass out divert-reply for the proxy to server packet to your pf ruleset. this allows a series of rapid tftp connections from the same host to a server in my environment. without this diff there's several minutes of waiting in between requests because of issues with the rules from previous requests stealing packets but not forwarding them combined with inetd giving too many packets to tftp-proxy that only expects to handle one. this is going in so i can hack on PFRULE_ONCE support. ok mikeb@ sthen@
2011-09-19Obsoleted after the makewhatis(8) re-write in 2000.Okan Demirmen
ok espie schwarze deraadt.
2011-09-03knock out some useless Pp;Jason McIntyre
2011-09-03make -column lists pretty again;Jason McIntyre
specifically, rewrite them to permit some markup in the column headers, and use "Ta" instead of literal tabs; mandoc does not currently match groff 100%, but a mandoc fix may be some time off, and we've gone enough releases with poorly formatting column lists. in some cases i have rewritten the lists as -tag, where -column made little sense.
2011-07-23Properly align the stack early on in the ld.so startup code such that code runMark Kettenis
from .init that uses SSE doesn't randomly trigger SIGBUS. ok drahn@, miod@
2011-07-20During mailbox and special file checks, skip all files that can'tIngo Schwarze
be stat(2)'ed, but do not complain about those that were just removed, because removing files is not a security risk in itself. Sorry, i can't remember the original reporter of the issue; reported again by mk@; patch looks good to Andrew Fresh.
2011-07-20In lists of setuid/setgid files and devices, do not pad the last columnIngo Schwarze
with trailing spaces; ugliness spotted by daniel dot c dot sinclair at gmail dot com, fix from Andrew Fresh.
2011-07-14__opendir2, DTF_NODUP, and __DTF_READALL can die. struct direntTheo de Raadt
dd_flags is renamed to the placeholder position dd_unused so that we can spot "broken software" which assumes we have Jan Simon Pendry's union mounts (we don't have them, and won't have them ever again). __opendir2 question spotted by matthew verified to not break ports by sthen
2011-07-13Delete items on grpreflist when walking them to decrement the count,Dale Rahn
otherwise double decrement can occur. ok kurt@ timeout on other reviewers.
2011-07-04Add ld.so ia64 support.Paul Irofti
2011-07-02add file equivalence. Choose the most recent timestamp between man andMarc Espie
catman pages. okay millert@
2011-06-27Backout the dynamic linker speed improvement diff for now, it stillStuart Henderson
has some issues. Discussed with various, ok drahn@
2011-06-24Handle \*(Na in .Nd, needed by nan(3).Ingo Schwarze
Prodded by deraadt@, "Yep" espie@.
2011-06-22fix whitespaceStuart Henderson
2011-06-22Fix another pre-{rdr,nat}-to rule example...Stuart Henderson
2011-06-20Restore changelist(5) wildcard support that we inadvertently killedIngo Schwarze
by the recent security(8) rewrite. While here: 1) Skip relative paths in changelist(5), and complain about them. 2) Skip file names ending in a tilde ('~') unless the tilde is explicitly specified in the changelist(5). That is, trailing wildcards will not match trailing tildes, as suggested by matthew@. Bug reported by both mk@ and matthew@. OK Andrew Fresh, also tested by and "move forward" mk@
2011-05-26No need to call _dl_newsymsearch() twice; ok drahn@Otto Moerbeek
2011-05-25Fix two bugs where race conditions might cause stat(2) to fail,Ingo Schwarze
such that security(8) would output garbage on stderr. One reported by <RD at thrush dot com>, the other found by code audit. While here, remove dead code in two other places: stat(_) uses cashed data and cannot fail, not even if the file is removed in between. ok Andrew Fresh
2011-05-22Dynamic linker speed improvement diff. tested by several sinc k2k11.Dale Rahn
get it in tree now deraadt@, ok by several ports folks. Thanks for the testing.
2011-05-10Do not complain about an /etc/group line "+\n" as "wrong number of fields",Ingo Schwarze
that abbreviated syntax is explicitly allowed by group(5). While here, warn if it isn't the last line in the group file. Regression reported, fix tested and ok miod@, and seems good to ajacoutot@. Note: I'm not removing the advice to put "+\n" at the end of the group file right now because i'm not 100% sure that advice is pointless, even though guenther@ looked at the code an came to the conclusion OpenBSD libc ought to cope. And i'd rather have the manuals and the syntax checker be consistent. In case this really annoys people, it can be carefully tested and changed later.
2011-05-10Fix previous. On i386, library.c isn't compiledOtto Moerbeek
2011-05-09Outsmart gcc4 on mips* by moving the declaration of _dl_debug_stateOtto Moerbeek
outside the file the call is in. Since the function is empty, gcc optmizes the call away, breaking the gdb hook needed to resolve symbols in lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
2011-05-05Switch tftp-proxy over to using divert-to. Based on a diff from oga@Stuart Henderson
with lots of help from claudio@. Earlier version was ok mikeb@ and looks good to markus@. Note: tftp-proxy rdr-to rules must be changed to use divert-to and must specify the address family. pass in quick on internal proto udp to port tftp rdr-to 127.0.0.1 port 6969 -changes to- pass in quick on internal inet proto udp to port tftp divert-to 127.0.0.1 port 6969
2011-04-29-x is currently unimplemented, so comment it out from the man page, and removeJason McIntyre
it from usage(); if any developer wants to confirm that it will never be an option, let me know and i'll zap the text entirely; this is one half of a diff from Amit Kulkarni - i won;t be touching the other half;
2011-04-23When a device or setuid file is owned by a nonexistent user or group,Ingo Schwarze
undefined data got used. Fix this by reporting the UID/GID numerically in that case. Problem reported and patch provided by rd at thrush dot com. While here, use // rather than || everywhere to detect get*id failure, as suggested by RD Thrush. The edge case where it matters - a username of "0" - is rather insane, but the // is more precise anyway.
2011-04-23Very nice bugfix from Andrew Fresh, who writes:Ingo Schwarze
>> "return if !%changed;" in check_filelist would never return because just above "for @{$changed{xxx}}" autovivifys $changed{xxx} = [] if it is not set already. << I hate autovivification, and it hates me.
2011-04-17Switch from the old shell script /etc/securityIngo Schwarze
to the new Perl script /usr/libexec/security. The new script was tested by sthen@ and ajacoutot@. Committing now due to repeated prodding from deraadt@. In case problems show up, they will be fixed in tree.
2011-04-17remove a bogus blank line; from Andrew FreshIngo Schwarze
2011-04-17Keep the exact format of the message:Ingo Schwarze
user %s mailbox is %s, group %s This is easy because we now have the strmode() function. From Andrew Fresh, minimally tweaked myself.
2011-04-10Reviewing my version of the code, Andrew Fresh found an elegant way toIngo Schwarze
keep the format of the "Block device changes:" output exactly the same as it was in the past. As a bonus, this also avoids lies in variable names, making it more obvious what is actually being compared here.
2011-04-09implement one last check that Andrew overlookedIngo Schwarze
2011-04-09implementation of the remaining checks;Ingo Schwarze
heavily based on code written by Andrew Fresh, but with considerable tweaking, mainly for simplicity; lightly tested - there are probably still bugs, but auditing and fixing it in the tree will be easier than with floating diffs
2011-04-08Do not use NULL in integer comparison.Theo de Raadt
2011-04-06Avoid using NULL in non-pointer contexts: use 0 for integer values and '\0'Miod Vallat
for chars.
2011-03-30style cleanup:Ingo Schwarze
* include the colon into $check_title, where needed * always use the same style for stat calls * and a few minor points
2011-03-26umask and path checks;Ingo Schwarze
heavily based on code written by Andrew Fresh; tweaked in team-work
2011-03-25home directory checks;Ingo Schwarze
large parts from a submission by Andrew Fresh <andrew at afresh1 dot com>
2011-03-24fix "german" typo; from <markus dot lude at gmx dot de>Ingo Schwarze
2011-03-23Work in progress to replace /etc/security, not yet linked to the build.Ingo Schwarze
Main design goals: 1. Safely handle untrusted file names and file content. 2. Output compatibility with current security(8) to please people parsing the output with scripts (except when improving functionality right away saves considerable implementation effort). Substantial functional enhancements are for later. Prodding to do this in Perl by deraadt@. Using some feedback from espie@. Agree to put this in now and at this place even though only about one third of the functionality is ready, to complete it in the tree: beck@ espie@ millert@ deraadt@
2011-03-19fix rdr-to example (requires direction); from James TurnerOkan Demirmen
ok jmc@