From 414ea699038fdddb0d6d5756ea1ed702600abe8f Mon Sep 17 00:00:00 2001 From: Aaron Campbell Date: Mon, 30 Oct 2000 17:46:31 +0000 Subject: libexec man page fleshing. again, bored on the plane home. --- libexec/identd/identd.8 | 38 +++++---- libexec/ld.so/ldconfig/ldconfig.8 | 44 ++++++----- libexec/ld.so/ldd/ldd.1 | 30 ++++---- libexec/lockspool/lockspool.1 | 42 ++++++---- libexec/mail.local/mail.local.8 | 95 +++++++++++++---------- libexec/makewhatis/makewhatis.8 | 6 +- libexec/rexecd/rexecd.8 | 39 +++++----- libexec/rlogind/rlogind.8 | 50 ++++++------ libexec/rpc.rquotad/rpc.rquotad.8 | 13 ++-- libexec/rpc.rwalld/rpc.rwalld.8 | 11 ++- libexec/rpc.yppasswdd/rpc.yppasswdd.8 | 18 +++-- libexec/rshd/rshd.8 | 81 +++++++++---------- libexec/smtpd/smtpd/smtpd.8 | 92 +++++++++++++--------- libexec/smtpd/smtpfwdd/smtpfwdd.8 | 67 +++++++++------- libexec/tcpd/safe_finger/safe_finger.8 | 5 +- libexec/tcpd/tcpd/tcpd.8 | 137 +++++++++++++++++---------------- libexec/tcpd/tcpdchk/tcpdchk.8 | 24 +++--- libexec/tcpd/tcpdmatch/tcpdmatch.8 | 44 +++++++---- libexec/telnetd/telnetd.8 | 80 +++++++++---------- libexec/tftpd/tftpd.8 | 16 ++-- 20 files changed, 508 insertions(+), 424 deletions(-) (limited to 'libexec') diff --git a/libexec/identd/identd.8 b/libexec/identd/identd.8 index b256772d51c..b9e1ef6b5e9 100644 --- a/libexec/identd/identd.8 +++ b/libexec/identd/identd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: identd.8,v 1.14 2000/04/15 02:15:29 aaron Exp $ +.\" $OpenBSD: identd.8,v 1.15 2000/10/30 17:45:59 aaron Exp $ .\" .\" Copyright (c) 1997, Jason Downs. All rights reserved. .\" @@ -74,11 +74,13 @@ to run as a process started from .Xr inetd 8 with the "nowait" option in the .Pa /etc/inetd.conf -file. Use of this mode will make +file. +Use of this mode will make .Xr inetd 8 start one .Nm -daemon for each connection request. This is the default mode of operation. +daemon for each connection request. +This is the default mode of operation. .It Fl w Tells .Nm identd 
@@ -86,7 +88,8 @@ to run as a process started from .Xr inetd 8 with the "wait" option in the .Pa /etc/inetd.conf -file. This mode of operation will start a copy of +file. +This mode of operation will start a copy of .Nm at the first connection request and then .Nm @@ -99,11 +102,13 @@ is no longer valid. Specify operation as a stand alone daemon. .It Fl h Hide the actual information about the user by providing an opaque -token instead. This token is entered into the local system logs +token instead. +This token is entered into the local system logs so that the administrator can later discover who the real user was. .It Fl t Ar seconds Specifies an idle timeout in seconds where a daemon running in -"wait" mode will timeout and exit. The default is no timeout. +"wait" mode will timeout and exit. +The default is no timeout. .It Fl u Ar uid Specify a user ID number or user name which the .Nm identd @@ -124,9 +129,8 @@ on which to listen when running as a stand alone daemon Default is "auth" (113). .It Fl a Ar address Specify a local IP address in dotted quad format -to bind the listen socket to if -running as a standalone daemon. by default the daemon -listens on all local IP addresses. +to bind the listen socket to if running as a standalone daemon. +By default the daemon listens on all local IP addresses. .It Fl V Print the version number and the exit. .It Fl l 
@@ -162,14 +166,16 @@ Always return uid numbers instead of usernames. When replying with a user name or ID, first check for a file .Pa .noident -in the user's home directory. If this file is accessible, return +in the user's home directory. +If this file is accessible, return .Dq HIDDEN-USER instead of the normal USERID response. .It Fl m -Allow multiple requests to be -processed per session. Each request is specified one per line and -the responses will be returned one per line. The connection will not -be closed until the client closes its end of the connection. +Allow multiple requests to be processed per session. +Each request is specified one per line and the responses will be returned +one per line. +The connection will not be closed until the client closes its end of +the connection. PLEASE NOTE THAT THIS MODE VIOLATES THE PROTOCOL SPECIFICATION AS IT CURRENTLY STANDS. .It Fl d @@ -190,8 +196,8 @@ Unlike previous versions of .Nm identd , this version uses .Xr sysctl 3 -to obtain information from the kernel instead of parsing kmem. This -version does not require privilege beyond what is needed to bind +to obtain information from the kernel instead of parsing kmem. +This version does not require privilege beyond what is needed to bind the listen port if running as a standalone daemon. .Sh BUGS Since diff --git a/libexec/ld.so/ldconfig/ldconfig.8 b/libexec/ld.so/ldconfig/ldconfig.8 index 30d44c93a5c..9b9eafb83f0 100644 --- a/libexec/ld.so/ldconfig/ldconfig.8 +++ b/libexec/ld.so/ldconfig/ldconfig.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ldconfig.8,v 1.2 2000/07/06 04:15:09 aaron Exp $ +.\" $OpenBSD: ldconfig.8,v 1.3 2000/10/30 17:46:02 aaron Exp $ .\" .\" Copyright (c) 1993,1995 Paul Kranenburg .\" All rights reserved. 
@@ -46,7 +46,8 @@ is used to prepare a set of for use by the run-time linker .Xr ld.so to facilitate quick lookup of shared libraries available in multiple -directories. It scans a set of built-in system directories and any +directories. +It scans a set of built-in system directories and any .Ar directories specified on the command line (in the given order) looking for shared libraries and stores the results in the file @@ -57,8 +58,8 @@ directory search operations would have to perform to load the required shared libraries. .Pp The shared libraries so found will be automatically available for loading -if needed by the program being prepared for execution. This obviates the need -for storing search paths within the executable. +if needed by the program being prepared for execution. +This obviates the need for storing search paths within the executable. .Pp The .Ev LD_LIBRARY_PATH @@ -70,11 +71,11 @@ is a .Sq \: separated list of directory paths which are searched by .Xr ld.so -when it needs to load a shared library. It can be viewed as the run-time -equivalent of the +when it needs to load a shared library. +It can be viewed as the run-time equivalent of the +.Xr ld Ns 's .Fl L -switch of -.Xr ld. +switch. .Pp .Nm is typically run as part of the boot sequence. 
@@ -82,16 +83,19 @@ is typically run as part of the boot sequence. The options are as follows: .Bl -tag -width indent .It Fl R -Rescan the previously configured directories. This opens the hints file -and fetches the directory list from the header. Any additional pathnames -on the command line are also processed. +Rescan the previously configured directories. +This opens the hints file +and fetches the directory list from the header. +Any additional pathnames on the command line are also processed. .It Fl m Merge the result of the scan of the directories given as arguments into -the existing hints file. The default action is to build the hints file afresh. +the existing hints file. +The default action is to build the hints file afresh. .It Fl r Lists the current contents of .Xr ld.so.hints -on the standard output. The hints file will not be modified. +on the standard output. +The hints file will not be modified. .It Fl s Do not scan the built-in system directory .Pq Dq /usr/lib @@ -103,16 +107,20 @@ Switch on verbose mode. Special care must be taken when loading shared libraries into the address space of .Ev set-user-Id -programs. Whenever such a program is run, +programs. +Whenever such a program is run, .Xr ld.so will only load shared libraries from the .Ev ld.so.hints -file. In particular, the +file. +In particular, the .Ev LD_LIBRARY_PATH -is not used to search for libraries. Thus, the role of ldconfig is dual. In -addition to building a set of hints for quick lookup, it also serves to +is not used to search for libraries. +Thus, the role of ldconfig is dual. +In addition to building a set of hints for quick lookup, it also serves to specify the trusted collection of directories from which shared objects can -be safely loaded. It is presumed that the set of directories specified to +be safely loaded. +It is presumed that the set of directories specified to .Nm are under control of the system's administrator. .Xr ld.so 
diff --git a/libexec/ld.so/ldd/ldd.1 b/libexec/ld.so/ldd/ldd.1 index d6621f3e613..5537e90d089 100644 --- a/libexec/ld.so/ldd/ldd.1 +++ b/libexec/ld.so/ldd/ldd.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ldd.1,v 1.1 2000/09/17 17:50:57 deraadt Exp $ +.\" $OpenBSD: ldd.1,v 1.2 2000/10/30 17:46:04 aaron Exp $ .\" .\" Copyright (c) 1996 Per Fogelstrom .\" @@ -41,23 +41,24 @@ .Op Fl x .Ar program .Sh DESCRIPTION -.Nm ldd +.Nm displays the shared objects needed to run .Ar program. -.Nm ldd +.Nm uses the -.Nm DT_NEEDED -tags to determine what dynamic objects are required. To list the objects -.Nm ldd +.Dv DT_NEEDED +tags to determine what dynamic objects are required. +To list the objects +.Nm sets the environment variable -.Nm LD_TRACE_LOADED_OBJECTS +.Ev LD_TRACE_LOADED_OBJECTS and then execs -.Ar program Ns . +.Ar program . .Pp If -.Nm ldd +.Nm is invoked with the -.Nm -x +.Fl x flag, the tags from .Ar program are listed without using current ldconfig configuration. @@ -65,8 +66,11 @@ are listed without using current ldconfig configuration. .Xr ldconfig 8 , .Xr ld.so 8 .Sh DIAGNOSTICS -Exit status 0 if no error. Exit status 1 if arg error. Exit status 2 if +Exit status 0 if no error. +Exit status 1 if arg error. +Exit status 2 if .Ar program -can't be read. If -.Nm ldd +can't be read. +If +.Nm fails to open the program file a message is printed. diff --git a/libexec/lockspool/lockspool.1 b/libexec/lockspool/lockspool.1 index 240590e716c..df208723eb9 100644 --- a/libexec/lockspool/lockspool.1 +++ b/libexec/lockspool/lockspool.1 
@@ -34,37 +34,45 @@ .Nm lockspool .Op Ar username .Sh DESCRIPTION -.Nm Lockspool +.Nm is useful for a client mail program to attain proper locking. -.Nm Lockspool +.Nm obtains a -.Nm username.lock -for the calling user and retains it until stdin is closed or a signal -like SIGINT, SIGTERM, or SIGHUP is received. Additionally, the superuser -may specify the name of a user in order to lock a different mailbox. +.Pa username.lock +for the calling user and retains it until stdin is closed or a signal like +.Dv SIGINT , +.Dv SIGTERM , +or +.Dv SIGHUP +is received. +Additionally, the superuser may specify the name of a user in order +to lock a different mailbox. .Pp If -.Nm lockspool -is able to create the lock file, ``1'' is written to stdout, otherwise -``0'' is written and an error message is written to stderr. -.Nm Lockspool +.Nm +is able to create the lock file, +.Dq 1 +is written to stdout, otherwise +.Dq 0 +is written and an error message is written to stderr. +.Nm will try up to 10 times to get the lock (sleeping for a short period in between tries). .Pp The -.Nm lockspool +.Nm utility exits 0 on success, and 1 if an error occurs. .Sh FILES .Bl -tag -width /var/mail/username.lock -compact .It Pa /var/mail/username.lock -user's mail lock file. +user's mail lock file .El -.Sh HISTORY -The -.Nm lockspool -program appeared in -.Ox 2.4 . .Sh SEE ALSO .Xr mail 1 , .Xr mail.local 1 , .Xr sendmail 8 +.Sh HISTORY +The +.Nm +program appeared in +.Ox 2.4 . diff --git a/libexec/mail.local/mail.local.8 b/libexec/mail.local/mail.local.8 index b2c341a4c02..f7f1a8873bc 100644 --- a/libexec/mail.local/mail.local.8 +++ b/libexec/mail.local/mail.local.8 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)mail.local.8 6.8 (Berkeley) 4/27/91 -.\" $Id: mail.local.8,v 1.19 2000/08/16 17:14:08 brad Exp $ +.\" $Id: mail.local.8,v 1.20 2000/10/30 17:46:07 aaron Exp $ .\" .Dd April 27, 1991 .Dt MAIL.LOCAL 8 
@@ -45,7 +45,7 @@ .Op Fl f Ar from .Ar user ... .Sh DESCRIPTION -.Nm Mail.local +.Nm reads the standard input up to an end-of-file and appends it to each .Ar user Ns 's .Pa mail 
@@ -59,51 +59,60 @@ The options are as follows: .It Fl f Ar from Specify the sender's name. .It Fl l -For compatibility, request that -files named -.Nm username.lock -be used for locking. (This is the default behavior.) +For compatibility, request that files named +.Pa username.lock +be used for locking. +(This is the default behavior.) .It Fl L Don't create a -.Nm username.lock +.Pa username.lock file while locking the spool. .El .Pp Individual mail messages in the mailbox are delimited by an empty -line followed by a line beginning with the string ``From ''. -A line containing the string ``From '', the sender's name and a time stamp -is prepended to each delivered mail message. +line followed by a line beginning with the string +.Dq "From\&\ " . +A line containing the string +.Dq "From\&\ " , +the sender's name and a timestamp are prepended to each delivered mail message. A blank line is appended to each message. -A greater-than character (``>'') is prepended to any line in the message -which could be mistaken for a ``From '' delimiter line. +A greater-than character +.Pq Ql > +is prepended to any line in the message which could be mistaken for a +.Dq "From\&\ " +delimiter line. .Pp Significant efforts have been made to ensure that -.Nm mail.local +.Nm acts as securely as possible if the spool directory is mode 1777 or 755. The default of mode 755 is more secure, but it prevents mail clients from using -.Nm username.lock +.Pa username.lock style locking. -The use of 1777 is more flexible in an NFS shared-spool -environment, so many sites use it. However, it does carry some risks, such -as attackers filling the spool disk. Some of these problems may be alleviated +The use of 1777 is more flexible in an NFS shared-spool environment, +so many sites use it. +However, it does carry some risks, such as attackers filling the spool disk. +Some of these problems may be alleviated by making the spool a separate filesystem, and placing quotas on it. 
The use of any mode other than 1777 and 755 for the spool directory is recommended against but may work properly. .Pp The mailbox is always locked using .Xr flock 2 -while mail is appended. Unless the +while mail is appended. +Unless the .Fl L flag is specified, a -.Nm username.lock +.Pa username.lock file is also used. .Pp -If the ``biff'' service is returned by +If the +.Xr biff 1 +service is returned by .Xr getservbyname 3 , the biff server is notified of delivered mail. .Pp The -.Nm mail.local +.Nm utility exits 0 on success, and >0 if an error occurs. .Sh ENVIRONMENT .Bl -tag -width indent @@ -117,14 +126,20 @@ temporary files .It Pa /var/mail/user user's mailbox directory .El +.Sh SEE ALSO +.Xr biff 1 , +.Xr mail 1 , +.Xr flock 2 , +.Xr getservbyname 3 , +.Xr comsat 8 , +.Xr sendmail 8 .Sh HISTORY A superset of -.Nm mail.local -(handling mailbox reading as well as mail delivery) -appeared in +.Nm +(handling mailbox reading as well as mail delivery) appeared in .At v7 as the program -.Nm mail . +.Xr mail 1 . .Sh BUGS Since .Xr sendmail 8 @@ -133,19 +148,20 @@ on the return value from .Nm mail.local , using quotas in .Pa /var/mail -can be problematic. By default, +can be problematic. +By default, .Xr sendmail 8 will ask -.Nm mail.local -to deliver a message to multiple recipients if possible. This -causes problems in a quota environment since a message may be +.Nm +to deliver a message to multiple recipients if possible. +This causes problems in a quota environment since a message may be delivered to some users but not others due to disk quotas. Even though the message was delivered to some of the recipients, -.Nm mail.local +.Nm will exit with an exit code > 0, causing .Xr sendmail 8 -to attempt redelivery later. That means that some users will keep getting -the same message every time +to attempt redelivery later. +That means that some users will keep getting the same message every time .Xr sendmail 8 runs its queue. .Pp 
@@ -155,7 +171,8 @@ it is imperative that you unset the .Dq m mailer flag for the .Sq local -mailer. To do this, locate the line beginning with +mailer. +To do this, locate the line beginning with .Dq Mlocal in .Pa /etc/mail/sendmail.cf @@ -163,17 +180,11 @@ and remove the .Dq m from the flags section, denoted by .Dq F= . -Alternately, you can override the default mailer flags by adding -the line: +Alternately, you can override the default mailer flags by adding the line: +.Pp .Dl define(`LOCAL_MAILER_FLAGS', `rn9')dnl +.Pp to your .Dq \.mc file (this is the source file that is used to generate .Pa /etc/mail/sendmail.cf ) . -.Sh SEE ALSO -.Xr biff 1 , -.Xr mail 1 , -.Xr flock 2 , -.Xr getservbyname 3 , -.Xr comsat 8 , -.Xr sendmail 8 diff --git a/libexec/makewhatis/makewhatis.8 b/libexec/makewhatis/makewhatis.8 index faf0887088c..ed157411f7d 100644 --- a/libexec/makewhatis/makewhatis.8 +++ b/libexec/makewhatis/makewhatis.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: makewhatis.8,v 1.8 2000/04/23 22:14:27 espie Exp $ +.\" $OpenBSD: makewhatis.8,v 1.9 2000/10/30 17:46:08 aaron Exp $ .\" $NetBSD: makewhatis.8,v 1.2.2.1 1997/11/10 19:57:45 thorpej Exp $ .\" .\" Copyright (c) 1997 The NetBSD Foundation, Inc. @@ -112,8 +112,8 @@ man configuration information. .Nm should parse .Pa /etc/man.conf -and deal with extra configuration information. In particular, it does not -handle +and deal with extra configuration information. +In particular, it does not handle .Xr nroff 1 me format. Likewise, its use of diff --git a/libexec/rexecd/rexecd.8 b/libexec/rexecd/rexecd.8 index 90665cfc4e0..43022dcc330 100644 --- a/libexec/rexecd/rexecd.8 +++ b/libexec/rexecd/rexecd.8 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)rexecd.8 6.5 (Berkeley) 3/16/91 -.\" $Id: rexecd.8,v 1.6 1999/07/09 13:35:51 aaron Exp $ +.\" $Id: rexecd.8,v 1.7 2000/10/30 17:46:11 aaron Exp $ .\" .Dd March 16, 1991 .Dt REXECD 8 
@@ -41,16 +41,17 @@ .Sh SYNOPSIS .Nm rexecd .Sh DESCRIPTION -.Nm Rexecd +.Nm is the server for the .Xr rexec 3 -routine. The server provides remote execution facilities -with authentication based on user names and -passwords. +routine. +The server provides remote execution facilities with authentication based +on user names and passwords. .Pp -.Nm Rexecd -listens for service requests at the port indicated in -the ``exec'' service specification; see +.Nm +listens for service requests at the port indicated in the +.Dq exec +service specification; see .Xr services 5 . When a service request is received the following protocol is initiated: @@ -59,8 +60,8 @@ is initiated: The server reads characters from the socket up to a NUL .Pq Ql \e0 -byte. The resultant string is -interpreted as an +byte. +The resultant string is interpreted as an .Tn ASCII number, base 10. .It @@ -78,11 +79,11 @@ A NUL terminated, unencrypted password of at most 16 characters is retrieved on the initial socket. .It A NUL terminated command to be passed to a -shell is retrieved on the initial socket. The length of -the command is limited by the upper bound on the size of +shell is retrieved on the initial socket. +The length of the command is limited by the upper bound on the size of the system's argument list. .It -.Nm Rexecd +.Nm then validates the user as is done at login time and, if the authentication was successful, changes to the user's home directory, and establishes the user 
@@ -90,11 +91,9 @@ and group protections of the user. If any of these steps fail the connection is aborted with a diagnostic message returned. .It -A NUL byte is returned on the initial socket -and the command line is passed to the normal login -shell of the user. The -shell inherits the network connections established -by +A NUL byte is returned on the initial socket and the command line is passed +to the normal login shell of the user. +The shell inherits the network connections established by .Nm rexecd . .El .Sh DIAGNOSTICS @@ -134,10 +133,10 @@ and is not preceded by a flag byte. .El .Sh SEE ALSO .Xr rexec 3 -.Sh BUGS -Do not enable rexecd. .Sh HISTORY The .Nm command appeared in .Bx 4.2 . +.Sh BUGS +Do not enable rexecd. diff --git a/libexec/rlogind/rlogind.8 b/libexec/rlogind/rlogind.8 index 085a6b89d28..5f133594dee 100644 --- a/libexec/rlogind/rlogind.8 +++ b/libexec/rlogind/rlogind.8 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)rlogind.8 8.1 (Berkeley) 6/4/93 -.\" $Id: rlogind.8,v 1.5 1999/07/09 13:35:53 aaron Exp $ +.\" $Id: rlogind.8,v 1.6 2000/10/30 17:46:13 aaron Exp $ .\" .Dd June 4, 1993 .Dt RLOGIND 8 
@@ -42,29 +42,30 @@ .Nm rlogind .Op Fl aln .Sh DESCRIPTION -.Nm Rlogind +.Nm is the server for the .Xr rlogin 1 -program. The server provides a remote login facility +program. +The server provides a remote login facility with authentication based on privileged port numbers from trusted hosts. .Pp -Options supported by -.Nm rlogind : +The options are as follows: .Bl -tag -width Ds .It Fl a -Ask hostname for verification. This flag is ignored; this feature is -always enabled. +Ask hostname for verification. +This flag is ignored; this feature is always enabled. .It Fl l Prevent any authentication based on the user's -.Dq Pa .rhosts +.Pa .rhosts file, unless the user is logging in as the superuser. .It Fl n Disable keep-alive messages. .El .Pp -.Nm Rlogind -listens for service requests at the port indicated in -the ``login'' service specification; see +.Nm +listens for service requests at the port indicated in the +.Dq login +service specification; see .Xr services 5 . When a service request is received the following protocol is initiated: @@ -93,7 +94,7 @@ Normal authentication is bypassed if the address verification fails. .El .Pp Once the source port and address have been checked, -.Nm rlogind +.Nm proceeds with the authentication process described in .Xr rshd 8 . It then allocates a pseudo terminal (see 
@@ -117,14 +118,14 @@ The parent of the login process manipulates the master side of the pseudo terminal, operating as an intermediary between the login process and the client instance of the .Xr rlogin -program. In normal operation, the packet protocol described -in +program. +In normal operation, the packet protocol described in .Xr pty 4 is invoked to provide .Ql ^S/^Q type facilities and propagate -interrupt signals to the remote programs. The login process -propagates the client terminal's baud rate and terminal type, +interrupt signals to the remote programs. +The login process propagates the client terminal's baud rate and terminal type, as found in the environment variable, .Ql Ev TERM ; see @@ -154,17 +155,16 @@ by the server failed. .Xr login 1 , .Xr ruserok 3 , .Xr rshd 8 -.Sh BUGS -The authentication procedure used here assumes the integrity -of each client machine and the connecting medium. This is -insecure, but is useful in an ``open'' environment. -.Pp -A facility to allow all data exchanges to be encrypted should be -present. -.Pp -A more extensible protocol should be used. .Sh HISTORY The .Nm command appeared in .Bx 4.2 . +.Sh BUGS +The authentication procedure used here assumes the integrity +of each client machine and the connecting medium. +This is insecure, but is useful in an ``open'' environment. +.Pp +A facility to allow all data exchanges to be encrypted should be present. +.Pp +A more extensible protocol should be used. diff --git a/libexec/rpc.rquotad/rpc.rquotad.8 b/libexec/rpc.rquotad/rpc.rquotad.8 index e8956984c34..494571be5f7 100644 --- a/libexec/rpc.rquotad/rpc.rquotad.8 +++ b/libexec/rpc.rquotad/rpc.rquotad.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: rpc.rquotad.8,v 1.5 1999/07/09 13:35:51 aaron Exp $ +.\" $OpenBSD: rpc.rquotad.8,v 1.6 2000/10/30 17:46:14 aaron Exp $ .\" .\" Copyright (c) 1994 Theo de Raadt .\" All rights reserved. 
@@ -28,7 +28,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $Id: rpc.rquotad.8,v 1.5 1999/07/09 13:35:51 aaron Exp $ +.\" $Id: rpc.rquotad.8,v 1.6 2000/10/30 17:46:14 aaron Exp $ .\" .Dd June 22, 1994 .Dt RPC.RQUOTAD 8 @@ -41,7 +41,7 @@ .Nm rpc.rquotad .Sh DESCRIPTION .Nm rpc.rquotad -is a +is an .Xr rpc 3 server which returns quotas for a user of a local filesystem which is NFS-mounted onto a remote machine. @@ -54,7 +54,10 @@ is normally invoked by .Nm rpc.rquotad uses an RPC protocol defined in .Pa /usr/include/rpcsvc/rquota.x . -.Sh BUGS -BSD 4.4 and OpenBSD support group quotas but the rquota protocol does not. .Sh SEE ALSO .Xr quota 1 +.Sh BUGS +.Bx 4.4 +and +.Ox +support group quotas but the rquota protocol does not. diff --git a/libexec/rpc.rwalld/rpc.rwalld.8 b/libexec/rpc.rwalld/rpc.rwalld.8 index 88742e1a0b9..323813d9612 100644 --- a/libexec/rpc.rwalld/rpc.rwalld.8 +++ b/libexec/rpc.rwalld/rpc.rwalld.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: rpc.rwalld.8,v 1.4 1999/07/09 13:35:51 aaron Exp $ +.\" $OpenBSD: rpc.rwalld.8,v 1.5 2000/10/30 17:46:15 aaron Exp $ .\" .\" Copyright (c) 1985, 1991 The Regents of the University of California. .\" All rights reserved. @@ -31,7 +31,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: rpc.rwalld.8,v 1.4 1999/07/09 13:35:51 aaron Exp $ +.\" $Id: rpc.rwalld.8,v 1.5 2000/10/30 17:46:15 aaron Exp $ .\" .Dd June 7, 1993 .Dt RPC.RWALLD 8 @@ -45,11 +45,10 @@ .Sh DESCRIPTION .Nm rpc.rwalld is a server which will send a message to users -currently logged in to the system. This server -invokes the +currently logged in to the system. +This server invokes the .Xr wall 1 -command to actually write the messages to the -system. +command to actually write the messages to the system. .Pp Messages are sent to this server by the .Xr rwall 1 
diff --git a/libexec/rpc.yppasswdd/rpc.yppasswdd.8 b/libexec/rpc.yppasswdd/rpc.yppasswdd.8 index 0aeda48b8ea..e03c6a8df03 100644 --- a/libexec/rpc.yppasswdd/rpc.yppasswdd.8 +++ b/libexec/rpc.yppasswdd/rpc.yppasswdd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: rpc.yppasswdd.8,v 1.10 1999/07/09 13:35:52 aaron Exp $ +.\" $OpenBSD: rpc.yppasswdd.8,v 1.11 2000/10/30 17:46:17 aaron Exp $ .\" .\" Copyright (c) 1994 Mats O Jansson .\" All rights reserved. @@ -46,14 +46,16 @@ .Sh DESCRIPTION .Nm rpc.yppasswdd must be running on the YP master server to allow users to change information -in the password file. If the user needs to change his password this is +in the password file. +If the user needs to change his password this is normally done with a program called .Nm yppasswd . -This program doesn't exist in OpenBSD but is integrated into +This program doesn't exist in +.Ox +but is integrated into .Xr passwd 1 . .Nm passwd -will automatically determine which password database should -be modified. +will automatically determine which password database should be modified. To force a change of a YP password when a local one also exists, use .Nm passwd -y . .Pp @@ -74,9 +76,9 @@ Don't allow changes of the password in the passwd file. .It Fl m Ar arg1 arg2 ... Don't use .Ar /var/yp/securenet . -Use another file with another file format. For futher information see -man page for -.Ar ypserv.acl . +Use another file with another file format. +For futher information see +.Xr ypserv.acl 5 . .El .Sh FILES .Bl -tag -width /etc/master.passwd -compact diff --git a/libexec/rshd/rshd.8 b/libexec/rshd/rshd.8 index d62d7ad1aab..aa0717e38bd 100644 --- a/libexec/rshd/rshd.8 +++ b/libexec/rshd/rshd.8 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)rshd.8 8.1 (Berkeley) 6/4/93 -.\" $Id: rshd.8,v 1.8 2000/04/15 02:15:29 aaron Exp $ +.\" $Id: rshd.8,v 1.9 2000/10/30 17:46:18 aaron Exp $ .\" .Dd June 4, 1993 .Dt RSHD 8 
@@ -43,17 +43,16 @@ .Op Fl alnL .Sh DESCRIPTION The -.Nm rshd -server -is the server for the +.Nm +server is the server for the .Xr rcmd 3 routine and, consequently, for the .Xr rsh 1 -program. The server provides remote execution facilities +program. +The server provides remote execution facilities with authentication based on privileged port numbers from trusted hosts. .Pp -Options supported by -.Nm rshd : +The options are as follows: .Bl -tag -width Ds .It Fl a Ask hostname for verification. @@ -68,22 +67,22 @@ Log successful accesses very verbosely. .El .Pp The -.Nm rshd -server -listens for service requests at the port indicated in -the ``cmd'' service specification; see +.Nm +server listens for service requests at the port indicated in the +.Dq cmd +service specification; see .Xr services 5 . When a service request is received the following protocol is initiated: .Bl -enum .It The server checks the client's source port. -If the port is not in the range 512-1023, the server -aborts the connection. +If the port is not in the range 512-1023, the server aborts the connection. .It -The server reads characters from the socket up -to a null (`\e0') byte. The resultant string is -interpreted as an +The server reads characters from the socket up to a null +.Pq Ql \e0 +byte. +The resultant string is interpreted as an .Tn ASCII number, base 10. .It @@ -92,8 +91,8 @@ it is interpreted as the port number of a secondary stream to be used for the .Em stderr . A second connection is then created to the specified -port on the client's machine. The source port of this -second connection is also in the range 512-1023. +port on the client's machine. +The source port of this second connection is also in the range 512-1023. .It The server checks the client's source address and requests the corresponding host name (see 
@@ -111,49 +110,50 @@ option is given, the addresses for the hostname are requested, verifying that the name and address correspond. If address verification fails, the connection is aborted -with the message, ``Host address mismatch.'' +with the message +.Dq "Host address mismatch." . .It A null terminated user name of at most 16 characters -is retrieved on the initial socket. This user name -is interpreted as the user identity on the +is retrieved on the initial socket. +This user name is interpreted as the user identity on the .Em client Ns 's machine. .It A null terminated user name of at most 16 characters -is retrieved on the initial socket. This user name -is interpreted as a user identity to use on the +is retrieved on the initial socket. +This user name is interpreted as a user identity to use on the .Sy server Ns 's machine. .It A null terminated command to be passed to a -shell is retrieved on the initial socket. The length of -the command is limited by the upper bound on the size of +shell is retrieved on the initial socket. +The length of the command is limited by the upper bound on the size of the system's argument list. .It -.Nm Rshd +.Nm then validates the user using .Xr ruserok 3 , which uses the file .Pa /etc/hosts.equiv and the .Pa .rhosts -file found in the user's home directory. The +file found in the user's home directory. +The .Fl l option prevents .Xr ruserok 3 -from doing any validation based on the user's ``.rhosts'' file, -unless the user is the superuser. +from doing any validation based on the user's +.Pa .rhosts +file, unless the user is the superuser. .It If the file .Pa /etc/nologin exists and the user is not the superuser, the connection is closed. .It -A null byte is returned on the initial socket -and the command line is passed to the normal login -shell of the user. 
The -shell inherits the network connections established -by +A null byte is returned on the initial socket and the command line is passed +to the normal login shell of the user. +The shell inherits the network connections established by .Nm rshd . .El .Pp @@ -204,8 +204,8 @@ A .Xr fork by the server failed. .It Sy : ... -The user's login shell could not be started. This message is returned -on the connection associated with the +The user's login shell could not be started. +This message is returned on the connection associated with the .Em stderr , and is not preceded by a flag byte. .El @@ -215,11 +215,12 @@ and is not preceded by a flag byte. .Xr ruserok 3 .Sh BUGS The authentication procedure used here assumes the integrity -of each client machine and the connecting medium. This is -insecure, but is useful in an ``open'' environment. +of each client machine and the connecting medium. +This is insecure, but is useful in an +.Dq open +environment. .Pp -A facility to allow all data exchanges to be encrypted should be -present. +A facility to allow all data exchanges to be encrypted should be present. .Pp A more extensible protocol (such as .Xr ssh 1 ) diff --git a/libexec/smtpd/smtpd/smtpd.8 b/libexec/smtpd/smtpd/smtpd.8 index 0efcd498922..373767daf82 100644 --- a/libexec/smtpd/smtpd/smtpd.8 +++ b/libexec/smtpd/smtpd/smtpd.8 @@ -1,4 +1,4 @@ -.\" $Id: smtpd.8,v 1.16 2000/08/02 13:53:01 aaron Exp $ +.\" $Id: smtpd.8,v 1.17 2000/10/30 17:46:19 aaron Exp $ .Dd December 10, 1997 .Dt SMTPD 8 .Os 
@@ -21,9 +21,10 @@ Obtuse Systems SMTPD message storing daemon .Sh DESCRIPTION .Nm talks the Simple Mail Transfer Protocol (SMTP) with -other SMTP daemons to receive mail from them, and saves it into a spool -directory for later processing. It is the store portion of an SMTP -store and forward proxy. The symbiotic companion program +other SMTP daemons to receive mail from them and saves it into a spool +directory for later processing. +It is the store portion of an SMTP store and forward proxy. +The symbiotic companion program .Xr smtpfwdd 8 is used to forward the spooled mail on to its eventual destination. .Nm @@ -35,14 +36,17 @@ The options are as follows: .It Fl c Ar chrootdir Specify a different .Ar chrootdir -directory to chroot into on startup. The default is +directory to chroot into on startup. +The default is .Pa /var/spool/smtpd . This directory should be readable and writable only to the user that .Nm runs as. .It Fl d Ar spooldir Specify a different spool directory within the chrooted subtree. -The default is ".", making +The default is +.Dq \&. , +making .Nm spool files to the directory it chroots itself to. .It Fl D @@ -55,7 +59,8 @@ Specify a .Ar group to run as. .It Fl H -Disable host checking against the DNS. By default +Disable host checking against the DNS. +By default, .Nm checks and will complain in the syslogs if the DNS information for a host seems to indicate a possible spoof or misconfiguration. @@ -63,8 +68,8 @@ a host seems to indicate a possible spoof or misconfiguration. Specify a filename that .Nm should lock and write its PID to when running as a daemon. -Doesn't do anything if running from inetd. Default pid file -in daemon mode is +Doesn't do anything if running from inetd. +Default PID file in daemon mode is .Pa /var/run/smtpd.pid on BSD systems, or .Pa /usr/spool/smtpd/smtpd.pid 
@@ -72,17 +77,21 @@ on non-BSD systems. .It Fl l Ar listenip Specify an IP address in dotted quad format for .Nm -to accept connections to. In daemon mode this limits the address -that +to accept connections to. +In daemon mode this limits the address that .Nm -listens on. In inetd mode, smtpd will issue a 521 error -code and exit if connected to an address other than the specified -one. By default, +listens on. +In inetd mode, +.Nm smtpd +will issue a 521 error code and exit if connected to an address other than +the specified one. +By default, .Nm accepts a connection no matter what address it is connected to. .It Fl L Suppress children in daemon mode (above) from doing an -openlog() call. This means your syslogs won't have pid +openlog() call. +This means your syslogs won't have PID information, but is useful if you don't want to have to set up your chroot jail for .Nm 
@@ -90,35 +99,43 @@ in a manner that an openlog() call will work in it. .It Fl m Ar myname Specify .Ar myname , -the hostname the daemon should announce itself -as. The default is whatever gethostname() returns. +the hostname the daemon should announce itself as. +The default is whatever +.Fn gethostname +returns. .It Fl p Ar listenport Specify a decimal port number for .Nm -to listen when running as a daemon. Doesn't do anything if running +to listen when running as a daemon. +Doesn't do anything if running from inetd. .It Fl P -Enable paranoid mode of operation. In this mode connections are -dropped from any client feeding +Enable paranoid mode of operation. +In this mode connections are dropped from any client feeding .Nm a suspicious hostname, FROM: or RCPT: lines containing characters indicative of an attempt to do something evil, or any message headers -that aren't 8-bit clean. The default is to log such occurrences and +that aren't 8-bit clean. +The default is to log such occurrences and substitute for the offending characters, but not drop the connection. .It Fl q Tell .Nm -to be quieter. By default smtpd emits very verbose syslog messages. With -this option it will emit one line of log for each normal message exchange. +to be quieter. +By default, +.Nm +emits very verbose syslog messages. +With this option it will emit one line of log for each normal message exchange. .It Fl s Ar maxsize Specify .Ar maxsize , -the maximum size (in bytes) of mail message the -daemon should accept. The default is not to have a maximum size. +the maximum size (in bytes) of mail message the daemon should accept. +The default is not to have a maximum size. .It Fl u Ar user Specify a .Ar user -to run as. This user must not be root but +to run as. +This user must not be root but should be a user that is able to run sendmail and use the .Fl f option to specify the sender of a mail message. 
@@ -129,9 +146,13 @@ The address checking file is normally within the chroot directory. .Pp The address check file, when enabled, is read for each RCPT line in the -SMTP dialogue. Each rule is checked with the current source (SMTP -client machine and possibly user from ident) and the current FROM: and -RCPT: addresses. +SMTP dialogue. +Each rule is checked with the current source (SMTP client machine and +possibly user from ident) and the current +.Dq FROM: +and +.Dq RCPT: +addresses. .Sh SEE ALSO .Xr inetd 8 , .Xr sendmail 8 , @@ -148,19 +169,18 @@ Mistakes in can discard legitimate mail and annoy your users and other postmasters a very great deal! When combined with custom return codes it is possible to write rules -that completely break the smtp protocol. It is important to test -your rules out and be absolutely sure they do exactly what you -want and no more. +that completely break the smtp protocol. +It is important to test your rules out and be absolutely sure they do +exactly what you want and no more. .Pp If .Xr sendmail 8 is not run as a daemon when using -.Xr smtpd 8 +.Nm and .Xr smtpfwdd 8 , one must use cron to periodically invoke sendmail -q so that -queued messages are retried for eventual delivery. Alternatively, +queued messages are retried for eventual delivery. +Alternatively, .Xr sendmail 8 may be run as a daemon, but configured not to listen to the network. -.Pp - diff --git a/libexec/smtpd/smtpfwdd/smtpfwdd.8 b/libexec/smtpd/smtpfwdd/smtpfwdd.8 index cc33718aa6c..6b3eca03558 100644 --- a/libexec/smtpd/smtpfwdd/smtpfwdd.8 +++ b/libexec/smtpd/smtpfwdd/smtpfwdd.8 @@ -1,4 +1,4 @@ -.\" $Id: smtpfwdd.8,v 1.12 1999/09/23 04:12:01 alex Exp $ +.\" $Id: smtpfwdd.8,v 1.13 2000/10/30 17:46:20 aaron Exp $ .Dd December 10, 1997 .Dt SMTPFWDD 8 .Os 
@@ -17,19 +17,21 @@ Obtuse Systems SMTPFWDD message forwarding daemon .Op Fl P Ar poll time .Sh DESCRIPTION The -.Nm smtpfwdd +.Nm daemon forwards mail messages from a spool directory to -their eventual destinations. It regularly scans the spool directory in +their eventual destinations. +It regularly scans the spool directory in which its symboitic companion program .Xr smtpd 8 stores messages and invokes a mail program (such as .Xr sendmail 8 ) -to forward them. It is the forward -portion of an SMTP store and forward proxy. -.Nm smtpfwdd +to forward them. +It is the forward portion of an SMTP store and forward proxy. +.Nm is a standalone daemon, usually invoked at system startup. -.Sh OPTIONS +.Pp +The options are as follows: .Bl -tag -width Ds .It Fl d Specify a different spool 
@@ -41,28 +43,35 @@ is spooling files (usually .It Fl g Specify a .Ar group -to run as. Same as user above. +to run as. +Same as user above. .It Fl M Specifies .Ar maxchildren as the maximum number of children -.Nm smtpfwdd -should be allowed to spawn at once when delivering mail. Default is 10. +.Nm +should be allowed to spawn at once when delivering mail. +Default is 10. .It Fl P specifies a polling interval of .Ar polltime seconds indicating how often the master -.Nm smtpfwdd +.Nm process should wake up and check the spool directory for new mail -to forward. Default is 10 seconds. +to forward. +Default is 10 seconds. .It Fl q Tell -.Nm smtpfwdd -to be quieter. By default smtpfwdd emits very verbose syslog messages. With +.Nm +to be quieter. +By default, +.Nm +emits very verbose syslog messages. +With this option it will emit one line of log for each normal message exchange. .It Fl s -Specify a different mail program to use to forward -mail. The default is +Specify a different mail program to use to forward mail. +The default is .Pa /usr/sbin/sendmail Any replacement must be able to be invoked in the same manner as sendmail with a -f fromaddress, followed by one or more destination addresses @@ -70,8 +79,8 @@ on the command line. .It Fl u Specify a .Ar user -to run as. This user must not be root but -should normally be a user that is able to run +to run as. +This user must not be root but should normally be a user that is able to run .Xr sendmail 8 and use the .Fl f 
@@ -94,16 +103,20 @@ may be run standalone, but not listening to the network if your version of sendmail supports doing this correctly. .Pp There are many different variations of sendmail. -.Nm smtpfwdd +.Nm will check and pay attention to the exit status of the sendmail processes it -invokes, possibly retrying an invocation of sendmail. If you aren't -using real unadulterated Berkeley sendmail of a recent vintage, you may -need to disable the exit status checking at compile time. +invokes, possibly retrying an invocation of sendmail. +If you aren't using real unadulterated Berkeley sendmail or a recent +vintage, you may need to disable the exit status checking at compile time. .Pp -sendmail can't handle a . on one line in a message body. This problem -is bypassed in -.Nm smtpfwdd -by giving sendmail the option -oitrue. Again, -if you aren't using genuine sendmail, you may need to disable this at +.Xr sendmail 8 +can't handle a +.Ql \&. +on one line in a message body. +This problem is bypassed in +.Nm +by giving sendmail the option +.Fl oitrue . +Again, if you aren't using genuine sendmail, you may need to disable this at compile time. diff --git a/libexec/tcpd/safe_finger/safe_finger.8 b/libexec/tcpd/safe_finger/safe_finger.8 index 5942df49a0c..8c329861280 100644 --- a/libexec/tcpd/safe_finger/safe_finger.8 +++ b/libexec/tcpd/safe_finger/safe_finger.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: safe_finger.8,v 1.6 2000/02/16 16:53:23 aaron Exp $ +.\" $OpenBSD: safe_finger.8,v 1.7 2000/10/30 17:46:22 aaron Exp $ .\" .\" Copyright (c) 1997, Jason Downs. All rights reserved. .\" @@ -45,7 +45,8 @@ is simply a wrapper around the .Xr finger 1 program, meant for use in .Xr tcpd 8 -rulesets. It accepts exactly the same arguments as +rulesets. +It accepts exactly the same arguments as .Xr finger 1 . .Sh SEE ALSO .Xr finger 1 , diff --git a/libexec/tcpd/tcpd/tcpd.8 b/libexec/tcpd/tcpd/tcpd.8 index db55c34fc91..ba76e75328f 100644 --- a/libexec/tcpd/tcpd/tcpd.8 
+++ b/libexec/tcpd/tcpd/tcpd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tcpd.8,v 1.7 2000/04/15 02:15:30 aaron Exp $ +.\" $OpenBSD: tcpd.8,v 1.8 2000/10/30 17:46:24 aaron Exp $ .\" .\" Copyright (c) 1997, Jason Downs. All rights reserved. .\" @@ -38,7 +38,7 @@ .Nd tcp wrappers access control facility for internet services .Sh DESCRIPTION The -.Nm tcpd +.Nm program can be set up to monitor incoming requests for .Xr telnet 1 , .Xr finger 1 , @@ -60,11 +60,12 @@ and other services that have a one-to-one mapping onto executable files. Operation is as follows: whenever a request for service arrives, the .Xr inetd 8 daemon is tricked into running the -.Nm tcpd +.Nm program instead of the desired server. -.Nm tcpd -logs the request and does some additional checks. When all is well, -.Nm tcpd +.Nm +logs the request and does some additional checks. +When all is well, +.Nm runs the appropriate server program and goes away. .Pp Optional features are: pattern-based access control, client username 
@@ -73,23 +74,25 @@ pretend to have someone elses host name, and protection against hosts that pretend to have someone elses network address. .Sh LOGGING Connections that are monitored by -.Nm tcpd +.Nm are reported through the .Xr syslog 3 -facility. Each record contains a time stamp, the client host name and -the name of the requested service. The information can be useful to detect -unwanted activities, especially when logfile information from several hosts -is merged. +facility. +Each record contains a time stamp, the client host name and +the name of the requested service. +The information can be useful to detect unwanted activities, +especially when logfile information from several hosts is merged. .Pp In order to find out where your logs are going, examine the syslog configuration file, usually .Pa /etc/syslog.conf . .Sh ACCESS CONTROL Optionally, -.Nm tcpd -supports a simple form of access control that is based on pattern -matching. The access-control software provides hooks for the execution -of shell commands when a pattern fires. For details, see the +.Nm +supports a simple form of access control that is based on pattern matching. +The access-control software provides hooks for the execution +of shell commands when a pattern fires. +For details, see the .Xr hosts_access 5 manual page. .Sh HOST NAME VERIFICATION 
@@ -97,15 +100,16 @@ The authentication scheme of some protocols .Pf ( Xr rlogin 1 , .Xr rsh 1 ) relies -on host names. Some implementations believe the host name that they get -from any random name server; other implementations are more careful but -use a flawed algorithm. +on host names. +Some implementations believe the host name that they get from any random +name server; other implementations are more careful but use a flawed algorithm. .Pp -.Nm tcpd +.Nm verifies the client host name that is returned by the address->name DNS server by looking at the host name and address that are returned by the -name->address DNS server. If any discrepancy is detected, -.Nm tcpd +name->address DNS server. +If any discrepancy is detected, +.Nm concludes that it is dealing with a host that pretends to have someone elses host name. .Pp 
@@ -118,17 +122,17 @@ elses host name. .\" after which suitable action can be taken. .Sh HOST ADDRESS SPOOFING Optionally, -.Nm tcpd -disables source-routing socket options on every connection that it -deals with. This will take care of most attacks from hosts that pretend -to have an address that belongs to someone elses network. UDP services -do not benefit from this protection. This feature must be turned on -at compile time. +.Nm +disables source-routing socket options on every connection that it deals with. +This will take care of most attacks from hosts that pretend +to have an address that belongs to someone elses network. +UDP services do not benefit from this protection. +This feature must be turned on at compile-time. .Sh RFC 931 When RFC 931 etc. lookups are enabled (compile-time option) -.Nm tcpd -will attempt to establish the name of the client user. This will -succeed only if the client host runs an RFC 931-compliant daemon. +.Nm +will attempt to establish the name of the client user. +This will succeed only if the client host runs an RFC 931-compliant daemon. Client user name lookups will not work for datagram-oriented connections, and may cause noticeable delays in the case of connections from PCs. @@ -160,10 +164,10 @@ from PCs. .\" .Sh EXAMPLE 2 .Sh EXAMPLE This example applies when -.Nm tcpd +.Nm expects that the network daemons are left in their original place, as it is configured within -.Nm OpenBSD . +.Ox . .Pp In order to monitor access to the .Xr finger 1 
@@ -200,21 +204,45 @@ In the case of daemons that do not live in a common directory ("secret" or otherwise), edit the .Xr inetd 8 configuration file so that it specifies an absolute path name for the process -name field. For example: +name field. +For example: .Pp -.Bd -unfilled -offset indent +.Bd -unfilled ntalk dgram udp wait root /usr/libexec/tcpd /usr/local/lib/ntalkd .Ed .Pp Only the last component .Pf ( Nm ntalkd ) of the pathname will be used for access control and logging. +.Sh FILES +The default locations of the host access control tables are: +.Pp +.Bl -tag -width /etc/hosts.allow -compact +.It Pa /etc/hosts.allow +Access control table (allow list) +.It Pa /etc/hosts.deny +Access control table (deny list) +.El +.Sh SEE ALSO +.Xr hosts_access 5 , +.Xr inetd.conf 5 , +.Xr syslog.conf 5 . +.Sh AUTHOR +.Bd -unfilled -offset indent +Wietse Venema (wietse@wzv.win.tue.nl), +Department of Mathematics and Computing Science, +Eindhoven University of Technology +Den Dolech 2, P.O. Box 513, +5600 MB Eindhoven, The Netherlands +.Ed +\" @(#) tcpd.8 1.5 96/02/21 16:39:16 .Sh BUGS Some UDP (and RPC) daemons linger around for a while after they have -finished their work, in case another request comes in. In the inetd -configuration file these services are registered with the +finished their work, in case another request comes in. +In the inetd configuration file these services are registered with the .Ar wait -option. Only the request that started such a daemon will be logged. +option. +Only the request that started such a daemon will be logged. .Pp .\" The program does not work with RPC services over TCP. These services .\" are registered as 
@@ -234,35 +262,12 @@ RPC broadcast requests (for example: .Xr rwall 1 , .Xr rup 1 , .Xr rusers 1 ) -always -appear to come from the responding host. What happens is that the -client broadcasts the request to all +always appear to come from the responding host. +What happens is that the client broadcasts the request to all .Xr portmap 8 -daemons on its -network; each +daemons on its network; each .Xr portmap 8 -daemon forwards the request to a local daemon. As far as the +daemon forwards the request to a local daemon. +As far as the .Xr rwall 8 -etc. daemons know, the request comes from the local host. -.Sh FILES -The default locations of the host access control tables are: -.Pp -.Bl -tag -width /etc/hosts.allow -compact -.It Pa /etc/hosts.allow -Access control table (allow list) -.It Pa /etc/hosts.deny -Access control table (deny list) -.El -.Sh SEE ALSO -.Xr hosts_access 5 , -.Xr inetd.conf 5 , -.Xr syslog.conf 5 . -.Sh AUTHOR -.Bd -unfilled -offset indent -Wietse Venema (wietse@wzv.win.tue.nl), -Department of Mathematics and Computing Science, -Eindhoven University of Technology -Den Dolech 2, P.O. Box 513, -5600 MB Eindhoven, The Netherlands -.Ed -\" @(#) tcpd.8 1.5 96/02/21 16:39:16 +etc. daemons know, the request comes from the local host. diff --git a/libexec/tcpd/tcpdchk/tcpdchk.8 b/libexec/tcpd/tcpdchk/tcpdchk.8 index d0f5de18ad8..0b76115e179 100644 --- a/libexec/tcpd/tcpdchk/tcpdchk.8 +++ b/libexec/tcpd/tcpdchk/tcpdchk.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tcpdchk.8,v 1.6 1999/07/09 13:35:52 aaron Exp $ +.\" $OpenBSD: tcpdchk.8,v 1.7 2000/10/30 17:46:26 aaron Exp $ .\" .\" Copyright (c) 1997, Jason Downs. All rights reserved. .\" 
@@ -43,9 +43,10 @@ .Op Fl i Ar inet_conf .Op Fl v .Sh DESCRIPTION -.Nm tcpdchk +.Nm examines your tcp wrapper configuration and reports all -potential and real problems it can find. The program examines the +potential and real problems it can find. +The program examines the .Xr tcpd 8 access control files (by default, these are .Pa /etc/hosts.allow @@ -56,7 +57,7 @@ entries in these files against entries in the .Xr inetd 8 network configuration file. .Pp -.Nm tcpdchk +.Nm reports problems such as non-existent pathnames; services that appear in .Xr tcpd 8 @@ -70,9 +71,10 @@ netgroups or references to non-existent NIS netgroups; references to non-existent options; invalid arguments to options; and so on. .Pp Where possible, -.Nm tcpdchk +.Nm provides a helpful suggestion to fix the problem. -.Sh OPTIONS +.Pp +The options are as follows: .Bl -tag -width XXXXXXXXXXXX .It Fl a Report access control rules that permit access without an explicit @@ -87,15 +89,15 @@ and files in the current directory instead of the default ones. .It Fl i Ar inet_conf Specify this option when -.Nm tcpdchk +.Nm is unable to find your .Pa inetd.conf network configuration file, or when you wish to test with a non-default one. .It Fl v -Display the contents of each access control rule. Daemon lists, client -lists, shell commands and options are shown in a pretty-printed format; -this makes it easier for you to spot any discrepancies between what you -want and what the program understands. +Display the contents of each access control rule. +Daemon lists, client lists, shell commands and options are shown in a +pretty-printed format; this makes it easier for you to spot any +discrepancies between what you want and what the program understands. .El .Sh FILES .Bl -tag -width /etc/hosts.allow -compact diff --git a/libexec/tcpd/tcpdmatch/tcpdmatch.8 b/libexec/tcpd/tcpdmatch/tcpdmatch.8 index e8acc971ee8..1b33ebb052e 100644 --- a/libexec/tcpd/tcpdmatch/tcpdmatch.8 
+++ b/libexec/tcpd/tcpdmatch/tcpdmatch.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tcpdmatch.8,v 1.5 1999/07/09 13:35:52 aaron Exp $ +.\" $OpenBSD: tcpdmatch.8,v 1.6 2000/10/30 17:46:27 aaron Exp $ .\" .\" Copyright (c) 1997, Jason Downs. All rights reserved. .\" @@ -49,7 +49,7 @@ tcpdmatch \- tcp wrapper oracle .Op Ar user@ .Ar client .Sh DESCRIPTION -.Nm tcpdmatch +.Nm predicts how the tcp wrapper would handle a specific request for service. Examples are given below. .Pp @@ -59,15 +59,15 @@ access control tables (default .Pa /etc/hosts.allow and .Pa /etc/hosts.deny ) -and prints its conclusion. For maximal accuracy, it extracts additional -information from your +and prints its conclusion. +For maximal accuracy, it extracts additional information from your .Xr inetd 8 network configuration file. .Pp When -.Nm tcpdmatch -finds a match in the access control tables, it -identifies the matched rule. In addition, it displays the optional +.Nm +finds a match in the access control tables, it identifies the matched rule. +In addition, it displays the optional shell commands or options in a pretty-printed format; this makes it easier for you to spot any discrepancies between what you want and what the program understands. @@ -76,19 +76,22 @@ The following two arguments are always required: .Pp .Bl -tag -width XXXXXX -compact .It Ar daemon -A daemon process name. Typically, the last component of a daemon -executable pathname. +A daemon process name. +Typically, the last component of a daemon executable pathname. .It Ar client -A host name or network address, or one of the `unknown' or `paranoid' +A host name or network address, or one of the +.Dq unknown +or +.Dq paranoid wildcard patterns. .El .Pp When a client host name is specified, -.Nm tcpdmatch +.Nm gives a prediction for each address listed for that client. .Pp When a client address is specified, -.Nm tcpdmatch +.Nm predicts what .Xr tcpd 8 would do when client name lookup fails. 
@@ -99,8 +102,13 @@ form: .Pp .Bl -tag -width XXXXXX -compact .It Ar server -A host name or network address, or one of the `unknown' or `paranoid' -wildcard patterns. The default server name is `unknown'. +A host name or network address, or one of the +.Dq unknown +or +.Dq paranoid +wildcard patterns. +The default server name is +.Dq unknown . .El .Pp Optional information specified with the @@ -109,8 +117,10 @@ form: .Pp .Bl -tag -width XXXXXX -compact .It Ar user -A client user identifier. Typically, a login name or a numeric userid. -The default user name is `unknown'. +A client user identifier. +Typically, a login name or a numeric user ID. +The default user name is +.Dq unknown . .El .Sh OPTIONS .Bl -tag -width XXXXXXXXXXXX @@ -122,7 +132,7 @@ and files in the current directory instead of the default ones. .It Fl i Ar inet_conf Specify this option when -.Nm tcpdmatch +.Nm is unable to find your .Pa inetd.conf network configuration file, or when you wish to test with a non-default one. diff --git a/libexec/telnetd/telnetd.8 b/libexec/telnetd/telnetd.8 index 5cbfece2784..114af084840 100644 --- a/libexec/telnetd/telnetd.8 +++ b/libexec/telnetd/telnetd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: telnetd.8,v 1.16 2000/10/06 10:55:00 hin Exp $ +.\" $OpenBSD: telnetd.8,v 1.17 2000/10/30 17:46:29 aaron Exp $ .\" $NetBSD: telnetd.8,v 1.8 1996/03/20 04:25:55 tls Exp $ .\" .\" Copyright (c) 1983, 1993 
@@ -103,35 +103,28 @@ There are several valid values for .It debug Turns on authentication debugging code. .It user -Only allow connections when the remote user -can provide valid authentication information -to identify the remote user, -and is allowed access to the specified account -without providing a password. +Only allow connections when the remote user can provide valid authentication +information to identify the remote user, and is allowed access to the +specified account without providing a password. .It valid -Only allow connections when the remote user -can provide valid authentication information -to identify the remote user. +Only allow connections when the remote user can provide valid authentication +information to identify the remote user. The .Xr login 1 -command will provide any additional user verification -needed if the remote user is not allowed automatic -access to the specified account. +command will provide any additional user verification needed if the remote +user is not allowed automatic access to the specified account. .It other Only allow connections that supply some authentication information. -This option is currently not supported -by any of the existing authentication mechanisms, -and is thus the same as specifying +This option is currently not supported by any of the existing authentication +mechanisms, and is thus the same as specifying .Fl a .Cm valid . .It none This is the default state. Authentication information is not required. -If no or insufficient authentication information -is provided, then the +If no or insufficient authentication information is provided, then the .Xr login 1 -program will provide the necessary user -verification. +program will provide the necessary user verification. .It off This disables the authentication code. All user verification will happen through the 
@@ -156,8 +149,8 @@ options. .It Cm report Prints the .Cm options -information, plus some additional information -about what processing is going on. +information, plus some additional information about what processing +is going on. .It Cm netdata Displays the data stream received by .Nm telnetd . @@ -176,8 +169,8 @@ in .It Fl g Ar gettyent Specifies which entry from .Pa /etc/gettytab -should be used to get banner strings, login program and -other information. The default entry is +should be used to get banner strings, login program and other information. +The default entry is .Dq default. .It Fl h Disables the printing of host-specific information before @@ -190,16 +183,16 @@ It specifies the .Em ID from .Pa /etc/inittab -to use when init starts login sessions. The default ID is +to use when init starts login sessions. +The default ID is .Dq fe . .It Fl k This option is only useful if .Nm -has been compiled with both linemode and kludge linemode -support. If the +has been compiled with both linemode and kludge linemode support. +If the .Fl k -option is specified, then if the remote client does not -support the +option is specified, then if the remote client does not support the .Cm LINEMODE option, then .Nm @@ -221,16 +214,16 @@ in response to a .Tn DO TIMING-MARK) for kludge linemode support. .It Fl l -Specifies line mode. Tries to force clients to use line- -at-a-time mode. +Specifies line mode. +Tries to force clients to use line-at-a-time mode. If the .Tn LINEMODE -option is not supported, it will go -into kludge linemode. +option is not supported, it will go into kludge linemode. .It Fl n Disable .Tn TCP -keep-alives. Normally +keep-alives. +Normally .Nm enables the .Tn TCP 
@@ -244,17 +237,18 @@ This option is only enabled when .Nm is compiled for .Tn UNICOS . -It specifies an inclusive range of pseudo-terminal devices to -use. If the system has sysconf variable +It specifies an inclusive range of pseudo-terminal devices to use. +If the system has sysconf variable .Dv _SC_CRAY_NPTY configured, the default pty search range is 0 to .Dv _SC_CRAY_NPTY; -otherwise, the default range is 0 to 128. Either +otherwise, the default range is 0 to 128. +Either .Ar lowpty or .Ar highpty -may be omitted to allow changing -either end of the search range. If +may be omitted to allow changing either end of the search range. +If .Ar lowpty is omitted, the - character is still required so that .Nm @@ -264,8 +258,7 @@ from .Ar lowpty . .It Fl S Ar tos .It Fl u Ar len -This option is used to specify the size of the field -in the +This option is used to specify the size of the field in the .Li utmp structure that holds the remote host name. If the resolved host name is longer than @@ -282,8 +275,8 @@ file. .It Fl U This option causes .Nm -to refuse connections from addresses that -cannot be mapped back into a symbolic name +to refuse connections from addresses that cannot be mapped back into a +symbolic name via the via the .Xr gethostbyaddr 3 routine. @@ -293,8 +286,7 @@ This option is only valid if has been built with support for the authentication option. It disables the use of .Ar authtype -authentication, and -can be used to temporarily disable +authentication, and can be used to temporarily disable a specific authentication type without having to recompile .Nm telnetd . .It Fl 4 diff --git a/libexec/tftpd/tftpd.8 b/libexec/tftpd/tftpd.8 index bba64416513..73aeaa310cf 100644 --- a/libexec/tftpd/tftpd.8 +++ b/libexec/tftpd/tftpd.8 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: tftpd.8,v 1.7 1999/07/09 13:35:51 aaron Exp $ +.\" $OpenBSD: tftpd.8,v 1.8 2000/10/30 17:46:30 aaron Exp $ .\" .\" Copyright (c) 1983, 1991 The Regents of the University of California. .\" All rights reserved. @@ -32,7 +32,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)tftpd.8 6.7 (Berkeley) 5/13/91 -.\" $OpenBSD: tftpd.8,v 1.7 1999/07/09 13:35:51 aaron Exp $ +.\" $OpenBSD: tftpd.8,v 1.8 2000/10/30 17:46:30 aaron Exp $ .\" .Dd June 11, 1997 .Dt TFTPD 8 @@ -59,8 +59,7 @@ The server operates at the port indicated in the .Ql tftp -service description; -see +service description; see .Xr services 5 . The server is normally started by .Xr inetd 8 . @@ -70,8 +69,7 @@ The use of does not require an account or password on the remote system. Due to the lack of authentication information, .Nm -will allow only publicly readable files to be -accessed. +will allow only publicly readable files to be accessed. Files may be written only if they already exist and are publicly writable. Note that this extends the concept of .Dq public @@ -94,7 +92,8 @@ If the flag is used, .Nm will allow new files to be created; otherwise uploaded files must already -exist. Files are created with default permissions allowing anyone to read +exist. +Files are created with default permissions allowing anyone to read or write to them. .Pp When using the @@ -104,7 +103,8 @@ flag with a directory name, will .Xr chroot 2 on startup; therefore the remote host is not expected to pass the directory -as part of the file name to transfer. This option is intended primarily for +as part of the file name to transfer. +This option is intended primarily for compatibility with SunOS boot ROMs which do not include a directory name. .Sh SEE ALSO .Xr tftp 1 , -- cgit v1.2.3
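Review bot: in libexec/rshd/rshd.8, hunk @@ -111,49 +110,50, the replacement for the quoted message ends the sentence twice. The removed line kept the period inside the quotes (``Host address mismatch.''), while the added line (.Dq "Host address mismatch." .) has a period inside the quoted argument and a second one as trailing punctuation after the closing quote. Drop one of them, for example by leaving the period out of the quoted argument and keeping the trailing " ." so the sentence still ends correctly.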
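Review bot: in libexec/smtpd/smtpd/smtpd.8, hunk @@ -72,17 +77,21, the macro cleanup is applied unevenly. The added line ".Nm smtpd" spells out the name where every other reference in this file was reduced to a bare .Nm, and "openlog() call" is left as plain text even though the next hunk (@@ -90,35 +99,43) converts gethostname() to ".Fn gethostname". Use a bare .Nm here and mark up openlog with .Fn so both function references are treated the same way.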
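Review bot: in libexec/smtpd/smtpfwdd/smtpfwdd.8, hunk @@ -17,19 +17,21, the line "which its symboitic companion program" is left as context while the lines on both sides of it are rewrapped, so the misspelling of "symbiotic" survives the cleanup (smtpd.8 spells it correctly). The same hunk also replaces ".Sh OPTIONS" with ".Pp" plus "The options are as follows:", as tcpdchk.8 does, but tcpdmatch.8 still carries ".Sh OPTIONS" in its hunk @@ -109,8 +117,10. Fix the spelling while the paragraph is open and pick one convention for the options list across the touched pages.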
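Review bot: in libexec/smtpd/smtpfwdd/smtpfwdd.8, hunk @@ -94,16 +103,20, the rewrap changes the meaning of the sendmail caveat. The removed text read "Berkeley sendmail of a recent vintage"; the added lines read "Berkeley sendmail or a recent" / "vintage", which turns one condition into two alternatives and no longer parses. Restore "of". This matters to readers because the sentence tells them when to disable exit status checking at compile time.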
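Review bot: in libexec/tcpd/tcpd/tcpd.8, hunk @@ -118,17 +122,17, the added line "to have an address that belongs to someone elses network." is rewritten but keeps the missing apostrophe ("someone else's"), and the same spelling remains in the context lines of the HOST NAME VERIFICATION hunk above it. The hunk also changes "at compile time" to "at compile-time", while the following paragraph uses "compile-time option" as an adjective; the noun form is normally unhyphenated, so the original wording was the consistent one.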
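Review bot: in libexec/tcpd/tcpd/tcpd.8, hunk @@ -200,21 +204,45, the relocated SCCS line is carried over as \" @(#) tcpd.8 1.5 96/02/21 16:39:16 without the leading dot that the other comment lines in this file use (.\"), and it now sits between ".Ed" and ".Sh BUGS" rather than at the end of the file. Since the line is being moved anyway, write it as a .\" comment line. Two further points on this hunk: the example display loses "-offset indent" (".Bd -unfilled") without explanation, and moving FILES, SEE ALSO and AUTHOR ahead of BUGS is a structural change that the commit message ("man page fleshing") does not mention.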
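Review bot: in libexec/telnetd/telnetd.8, hunk @@ -282,8 +275,8 (the -U option), the rewrap duplicates two words. The added line ends "symbolic name via the" and the unchanged context line that follows is "via the", so the rendered sentence reads "symbolic name via the via the gethostbyaddr(3) routine". End the added line at "symbolic name". The description of -U is what an administrator reads to decide whether connections from unresolvable addresses are refused, so it should read cleanly.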