Age | Commit message | Author |
|
In its current state, it causes too much slowdown, in particular
during system builds, and there are other regressions.
That cannot be fixed quickly while it's enabled.
Problems pointed out by espie@, backout requested by deraadt@,
diff "looks good" to espie@.
|
|
ok miod@
|
|
using DT_DEBUG if DT_MIPS_RLD_MAP isn't there. This requires us to make
.dynamic temporarily writable. Fixes debugging of PIE executables with gdb(1).
ok miod@
|
|
Unlink the old apropos(1), whatis(1), and makewhatis(8) from the build.
Call the new tools from pkg_create(1) and pkg_add(1).
"Please enable it now." deraadt@
|
|
from Steffen Daode Nurpmeso with a tweak from jmc@
ok jmc@
|
|
This can become pretty handy on busy anonymous servers to avoid filling
up /var with unused wtmp records.
Note that 'U' and 'W' are mutually exclusive.
ok sthen@ millert@
|
|
and make it compatible with bsd.lv mandoc and with groff-1.21.
This tweak was originally added for compatibility with groff-1.15,
which is no longer needed.
ok jmc@ kristaps@
|
|
DF_1_NODELETE and DF_1_INITFIRST, as well as DF_1_NOW and DF_1_GLOBAL.
Committing for kurt@ who worked out the final version; ok guenther@ drahn@
|
|
constants are constructed with several instructions rather than
loaded from the data segment, avoiding relocations.
This fixes ld.so with gcc4. From miod@, ok jsg@
|
|
|
|
1. use a BINDANY socket to connect from the proxy to the server using the
clients address.
2. fork a child to do the work so inetd doesn't keep trying to send more
packets to the proxy, as per doco in the inetd manpage for dgram wait
sockets.
because of 1 you now have to add a pass out divert-reply for the proxy to
server packet to your pf ruleset.
this allows a series of rapid tftp connections from the same host
to a server in my environment. without this diff there's several
minutes of waiting in between requests because of issues with the
rules from previous requests stealing packets but not forwarding
them combined with inetd giving too many packets to tftp-proxy that
only expects to handle one.
this is going in so i can hack on PFRULE_ONCE support.
ok mikeb@ sthen@
|
|
ok espie schwarze deraadt.
|
|
|
|
specifically, rewrite them to permit some markup in the column headers,
and use "Ta" instead of literal tabs; mandoc does not currently match groff
100%, but a mandoc fix may be some time off, and we've gone enough releases
with poorly formatting column lists.
in some cases i have rewritten the lists as -tag, where -column made
little sense.
|
|
from .init that uses SSE doesn't randomly trigger SIGBUS.
ok drahn@, miod@
|
|
be stat(2)'ed, but do not complain about those that were just removed,
because removing files is not a security risk in itself.
Sorry, i can't remember the original reporter of the issue;
reported again by mk@; patch looks good to Andrew Fresh.
|
|
with trailing spaces; ugliness spotted by daniel dot c dot sinclair at
gmail dot com, fix from Andrew Fresh.
|
|
dd_flags is renamed to the placeholder position dd_unused so that
we can spot "broken software" which assumes we have Jan Simon Pendry's
union mounts (we don't have them, and won't have them ever again).
__opendir2 question spotted by matthew
verified to not break ports by sthen
|
|
otherwise double decrement can occur. ok kurt@ timeout on other reviewers.
|
|
|
|
catman pages.
okay millert@
|
|
has some issues. Discussed with various, ok drahn@
|
|
Prodded by deraadt@, "Yep" espie@.
|
|
|
|
|
|
by the recent security(8) rewrite.
While here:
1) Skip relative paths in changelist(5), and complain about them.
2) Skip file names ending in a tilde ('~') unless the tilde is
explicitly specified in the changelist(5). That is, trailing
wildcards will not match trailing tildes, as suggested by matthew@.
Bug reported by both mk@ and matthew@.
OK Andrew Fresh, also tested by and "move forward" mk@
|
|
|
|
such that security(8) would output garbage on stderr.
One reported by <RD at thrush dot com>, the other found by code audit.
While here, remove dead code in two other places: stat(_) uses cached
data and cannot fail, not even if the file is removed in between.
ok Andrew Fresh
|
|
get it in tree now deraadt@, ok by several ports folks. Thanks for the testing.
|
|
that abbreviated syntax is explicitly allowed by group(5). While here,
warn if it isn't the last line in the group file.
Regression reported, fix tested and ok miod@, and seems good to ajacoutot@.
Note: I'm not removing the advice to put "+\n" at the end of the group file
right now because i'm not 100% sure that advice is pointless, even though
guenther@ looked at the code and came to the conclusion OpenBSD libc ought
to cope. And i'd rather have the manuals and the syntax checker be
consistent. In case this really annoys people, it can be carefully tested
and changed later.
|
|
|
|
outside the file the call is in. Since the function is empty, gcc
optimizes the call away, breaking the gdb hook needed to resolve symbols in
lazy bound shared libs. Analysis by kettenis@; ok miod@ kettenis@
|
|
with lots of help from claudio@. Earlier version was ok mikeb@ and looks
good to markus@.
Note: tftp-proxy rdr-to rules must be changed to use divert-to and must
specify the address family.
pass in quick on internal proto udp to port tftp rdr-to 127.0.0.1 port 6969
-changes to-
pass in quick on internal inet proto udp to port tftp divert-to 127.0.0.1 port 6969
|
|
it from usage(); if any developer wants to confirm that it will never
be an option, let me know and i'll zap the text entirely;
this is one half of a diff from Amit Kulkarni - i won't be touching the other
half;
|
|
undefined data got used.
Fix this by reporting the UID/GID numerically in that case.
Problem reported and patch provided by rd at thrush dot com.
While here, use // rather than || everywhere to detect get*id failure,
as suggested by RD Thrush. The edge case where it matters - a username
of "0" - is rather insane, but the // is more precise anyway.
|
|
>> "return if !%changed;" in check_filelist would never return
because just above "for @{$changed{xxx}}" autovivifies $changed{xxx} = []
if it is not set already. <<
I hate autovivification, and it hates me.
|
|
to the new Perl script /usr/libexec/security.
The new script was tested by sthen@ and ajacoutot@.
Committing now due to repeated prodding from deraadt@.
In case problems show up, they will be fixed in tree.
|
|
|
|
user %s mailbox is %s, group %s
This is easy because we now have the strmode() function.
From Andrew Fresh, minimally tweaked myself.
|
|
keep the format of the "Block device changes:" output exactly the same
as it was in the past. As a bonus, this also avoids lies in variable
names, making it more obvious what is actually being compared here.
|
|
|
|
heavily based on code written by Andrew Fresh,
but with considerable tweaking, mainly for simplicity;
lightly tested - there are probably still bugs, but auditing and
fixing it in the tree will be easier than with floating diffs
|
|
|
|
for chars.
|
|
* include the colon into $check_title, where needed
* always use the same style for stat calls
* and a few minor points
|
|
heavily based on code written by Andrew Fresh;
tweaked in team-work
|
|
large parts from a submission by Andrew Fresh <andrew at afresh1 dot com>
|
|
|
|
Main design goals:
1. Safely handle untrusted file names and file content.
2. Output compatibility with current security(8) to please people
parsing the output with scripts (except when improving functionality
right away saves considerable implementation effort). Substantial
functional enhancements are for later.
Prodding to do this in Perl by deraadt@.
Using some feedback from espie@.
Agree to put this in now and at this place even though only about
one third of the functionality is ready, to complete it in the tree:
beck@ espie@ millert@ deraadt@
|
|
ok jmc@
|