path: root/etc
Commit message | Author | Age | Files | Lines
* I4B header files were repo-copied from sys/i386/include to sys/i4b/include/ so they will be available to all architectures once I4B compiles on those. I4B header files are now installed in include/i4b/ and no longer in include/machine/. For now we still install the headers for i386 only.
  Approved by: re (kensmith)
  Author: bz | Age: 2007-07-06 | Files: 1 | Lines: -0/+2
* Remove reference to the old ftp-proxy implementation, which was replaced during the pf 4.1 import.
  Approved by: re (mux)
  Author: delphij | Age: 2007-07-05 | Files: 1 | Lines: -6/+0
* Commit IPv6 support for FAST_IPSEC to the tree. This commit includes all remaining changes for the time being including user space updates.
  Submitted by: bz
  Approved by: re
  Author: gnn | Age: 2007-07-01 | Files: 1 | Lines: -2/+0
* - Remove UMAP filesystem. It was disconnected from build three years ago, and it is seriously broken.
  Discussed on: freebsd-arch@
  Approved by: re (mux)
  Author: rafan | Age: 2007-06-25 | Files: 1 | Lines: -2/+0
* Update the suspend/resume user API while maintaining backwards compat.
  Improvements:
    * /etc/rc.suspend,rc.resume are always run, no matter the source of the suspend request (user or kernel, apm or acpi)
    * suspend now requires positive user acknowledgement. If a user program wants to cancel the suspend, they can. If one of the user programs hangs or doesn't respond within 10 seconds, the system suspends anyway.
    * /dev/apm is clonable, allowing multiple listeners for suspend events. In the future, xorg-server can use this to be informed about suspend even if there are other listeners (i.e. apmd).
  Changes:
    * Two new ACPI ioctls: REQSLPSTATE and ACKSLPSTATE. Request begins the process of suspending by notifying all listeners. acpi is monitored by devd(8) and /dev/apm listener(s) are also counted. Users register their approval or disapproval via Ack. If anyone disapproves, suspend is vetoed.
    * Old user programs or kernel modules that used SETSLPSTATE continue to work. A message is printed once that this interface is deprecated.
    * acpiconf gains the -k flag to ack the suspend request. This flag is undocumented on purpose since it's only used by /etc/rc.suspend. It is not intended to be a permanent change and will be removed once a better power API is implemented.
    * S5 (power off) is no longer supported via acpiconf -s 5 or apm -z/-Z. This restores previous behavior of halt/shutdown -p being the interface.
    * Miscellaneous improvements to error reporting
  Approved by: re
  Author: njl | Age: 2007-06-21 | Files: 3 | Lines: -9/+32
* Drop the default zones that are now covered by the new zones that were added in the last revision.
  Author: dougb | Age: 2007-06-18 | Files: 1 | Lines: -0/+4
* Bring our default named configuration more in line with current best practices:
  1. The old way of generating the localhost zones was not optimal both because they did not exist by default, and because they were not really aligned with BCP. There is no need to have the dynamic data that the make-localhost script generated, and good reasons to do this more "by the book."
  2. In named.conf
     a. Clean up white space
     b. Add/clarify a few comments
     c. Slave zones from the root servers instead of using a hints file. This has several advantages, as described in the comments.
     d. Significantly revamp the default zones, including the forward localhost zone, and the reverse zones for IPv4 and IPv6 loopback addresses. There are extensive comments describing what is included and why. Interested readers should take the time to review the RFCs mentioned in the comments. There is also relevant information about the motivations for hosting these zones in the "work in progress" Internet-Draft, http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt or its successor. It's also worth noting that a significant number of these empty zones are already included by default in the named binary without any user configuration.
     e. Because we're including a lot of examples of both local forward zones and slave zones in the default configuration, eliminate some of those examples.
  3. Add new localhost-{forward|reverse} zone files, and an "empty" zone to support the changes in 2.d. above. The empty zone file isn't really empty in order to avoid a warning from BIND about a zone file that doesn't contain any A or AAAA records.
  Author: dougb | Age: 2007-06-18 | Files: 7 | Lines: -119/+215
* Add a namedb/master directory for the zone files I'm about to add, and switch to the more "normal" way of installing files for the namedb directory so that we can pick up the new subdir.
  Author: dougb | Age: 2007-06-18 | Files: 3 | Lines: -19/+24
* Add PAM support to cron(8). Now cron(8) will skip commands scheduled by unavailable accounts, e.g., those locked, expired, not allowed in at the moment by nologin(5), or whatever, depending on cron's pam.conf(5). This applies to personal crontabs only, /etc/crontab is unaffected.
  In other words, now the account management policy will apply to commands scheduled by users via crontab(1) so that a user can no longer use cron(8) to set up a delayed backdoor and run commands during periods when the admin doesn't want him to.
  The PAM check is done just before running a command, not when loading a crontab, because accounts can get locked, expired, and re-enabled any time with no changes to their crontabs. E.g., imagine that you provide a system with paid access, or better a cluster of such systems with centralized account management via PAM. When a user pays for some days of access, you set his expire field respectively. If the account expires before its owner pays more, its crontab commands won't run until the next payment is made. Then it'll be enough to set the expire field in future for the commands to run again. And so on.
  Document this change in the cron(8) manpage, which includes adding a FILES section and touching the document date.
  X-Security: should benefit as users have access to cron(8) by default
  Author: yar | Age: 2007-06-17 | Files: 2 | Lines: -0/+10
* Add PAM support to atrun(8).
  Author: yar | Age: 2007-06-15 | Files: 2 | Lines: -0/+11
* Locked out and expired accounts shouldn't be accessible via remote mailbox protocols. Add pam_unix to the `account' function class, too, for imap and pop3 to actually implement this policy.
  Author: yar | Age: 2007-06-15 | Files: 2 | Lines: -0/+2
* Split the FILES list across multiple lines as in rc.d/Makefile so that the change history stays easily readable as the number of PAM-aware services grows.
  Author: yar | Age: 2007-06-15 | Files: 1 | Lines: -2/+14
* Add a new rc.conf variable, sendmail_rebuild_aliases, which tells /etc/rc.d/sendmail whether or not to run newaliases if the database is missing or the aliases text file is newer than aliases.db.
  In my opinion, the aliases file should never be automatically rebuilt. The current text form could represent a work in progress. Therefore, in FreeBSD 7.0, this new option will default to "NO". When this rc.d change is MFC'ed, it will need to remain "YES" to maintain backward compatibility.
  PR: conf/86252
  Approved by: re (kensmith)
  MFC after: 3 days
  Author: gshapiro | Age: 2007-06-12 | Files: 2 | Lines: -8/+11
* Create group ftp by default. This is gid 14 as this is the historical id used by sysinstall when enabling anonymous FTP.
  Change the default group used by sysinstall for setting up anonymous FTP from operator to ftp; there is no reason to use operator and there are potential security issues when doing so.
  PR: 93284
  Approved by: ru (mentor)
  Reviewed by: simon
  Author: ceri | Age: 2007-06-11 | Files: 1 | Lines: -0/+1
* Now pam_nologin(8) will provide an account management function instead of an authentication function. There are a design reason and a practical reason for that. First, the module belongs in account management because it checks availability of the account and does no authentication. Second, there are existing and potential PAM consumers that skip PAM authentication for good or for bad. E.g., sshd(8) just prefers internal routines for public key auth; OTOH, cron(8) and atrun(8) do implicit authentication when running a job on behalf of its owner, so their inability to use PAM auth is fundamental, but they can benefit from PAM account management.
  Document this change in the manpage.
  Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed under the "account" function class.
  Bump __FreeBSD_version (mostly for ports, as this change should be invisible to C code outside pam_nologin.)
  PR: bin/112574
  Approved by: des, re
  Author: yar | Age: 2007-06-10 | Files: 11 | Lines: -11/+15
* Be robust to a bogus script specification or contents when figuring out what the real interpreter is for an interpreted command. That is, check whether we can read the script file in the first place and, if so, make sure we got a valid shebang line from it.
  Author: yar | Age: 2007-06-04 | Files: 1 | Lines: -11/+24
* Finish making resolv ordering deterministic by REQUIRE'ing it here.
  Author: dougb | Age: 2007-06-02 | Files: 1 | Lines: -1/+1
* Add REQUIRE netif to make ordering more deterministic, and to make sure we have a fighting chance of having useful stuff from DHCP.
  Tighten up the code a little, and fix whitespace issues.
  Author: dougb | Age: 2007-06-02 | Files: 1 | Lines: -5/+6
* s/tabs/spaces/
  Author: ru | Age: 2007-06-01 | Files: 1 | Lines: -53/+53
* Remove more vestiges of /usr/X11R6, but leave mtree for portmgr.
  Author: dougb | Age: 2007-05-29 | Files: 8 | Lines: -9/+9
* Remove X11R6 from the default PATH to join the new world order.
  While I'm here, make the default PATH match that in the csh profile, and login.conf.
  Author: dougb | Age: 2007-05-29 | Files: 1 | Lines: -1/+1
* Now that a separate /usr/X11R6 directory is no longer in fashion, stop looking there for things like rc.d and periodic. This avoids duplicating effort when /usr/X11R6 is a symlink to /usr/local, which it is by default now.
  It is not anticipated at this time that we will MFC this change, since we'd like to avoid breaking legacy systems. However, there is a fix for /etc/rc.subr in the works to avoid running any rc.d scripts twice which we should be able to MFC.
  Author: dougb | Age: 2007-05-29 | Files: 2 | Lines: -6/+6
* Fix indentation.
  Author: rse | Age: 2007-05-24 | Files: 1 | Lines: -1/+1
* Remove two superfluous trailing semicolons.
  Author: rse | Age: 2007-05-24 | Files: 2 | Lines: -2/+2
* Remove two unnecessary and useless sub-shell constructs.
  Author: rse | Age: 2007-05-24 | Files: 2 | Lines: -2/+2
* Do not attempt to load the kernel module when checking if an interface exists. This would cause pseudo network modules to be reloaded again when trying to unload the first time if any cloned interfaces exist.
  MFC after: 2 weeks
  Author: thompsa | Age: 2007-05-23 | Files: 1 | Lines: -1/+1
* backout filter of Nil UUID as the boot loader code already filters out Nil UUIDs (see src/sys/boot/i386/libi386/smbios.c:smbios_setuuid for details)
  Author: rse | Age: 2007-05-22 | Files: 1 | Lines: -4/+0
* Remove the ugly csh(1) based UUID lower-case translation hack from /etc/rc.d/hostid now that we switched the origin of the UUID (variable smbios.system.uuid as provided by the i386 BIOS code) to already provide a standard conforming lower-case UUID text representation.
  Author: rse | Age: 2007-05-22 | Files: 1 | Lines: -1/+0
* Cleanup style by consistently using braces around variable expansion and apply an addition from Andrew Thompson <thompsa> for filtering out the special "Nil" UUID (all zeros) which would be a useless host UUID.
  Author: rse | Age: 2007-05-21 | Files: 1 | Lines: -1/+5
* Adjust UUID lower-case translation from straight-forward tr(1) usage to an equivalent csh(1) usage as tr(1) stays in /usr/bin and /etc/rc.d/hostid has just the root filesystem (and this way mainly the tools in /bin) available. I've chosen csh(1) here as the string manipulation tools available in /bin are extremely limited and the (only) alternative ed(1) usage would have been a lot more complicated or even might require a temporary file.
  Author: rse | Age: 2007-05-21 | Files: 1 | Lines: -1/+2
* The standardized textual representation of UUIDs according to RFC 4122 and ISO/IEC-9834-8:2005 is with LOWER-CASE hexadecimal characters only, so translate the (usually upper-case and this way not conforming) representation of the BIOS UUID when reading it. Also be more strict about the valid characters in the textual representation by checking for just the hexadecimal characters.
  Author: rse | Age: 2007-05-21 | Files: 1 | Lines: -2/+2
* Update /etc/protocols with IANA list updated 2007-02-12
  Gotcha: Number 48 (mhrp) is replaced with dsr.
  Submitted by: edwin
  PR: config/112732
  MFC after: 2 weeks
  Author: grog | Age: 2007-05-20 | Files: 1 | Lines: -15/+19
* White space fixes only: replace spaces with tabs.
  Author: grog | Age: 2007-05-20 | Files: 1 | Lines: -10/+10
* Bring the well known ports of /etc/services into sync with the IANA list. This is only for the well known ports (port 1-1023) for tcp and udp only.
  Changes:
    - Removed "problems" comments around port 57, 77 and 87
    - Removed audionews (port 114)
    - Added imap3 (port 220)
    - Removed yak-chat (port 258)
    - Removed concert (port 786)
    - Added a lot of new allocations
  Submitted by: edwin
  Author: grog | Age: 2007-05-20 | Files: 1 | Lines: -24/+284
* Add templates for new GCC 4.2 C++ include files hierarchy.
  Author: kan | Age: 2007-05-19 | Files: 1 | Lines: -3/+57
* o Implement the stop_boot subroutine [1]. This subroutine can be used by scripts in rc.d to stop rc(8) from booting into multi-user mode when a critical or severe error condition is encountered.
  o Modify scripts in etc/rc.d that already implemented this functionality independently.
  o Document it.
  [1] - This subroutine was implemented in FreeBSD in rc.d/fsck. I moved it to rc.subr(8). Our version differs slightly in that it takes an optional argument to stop the boot even if "autoboot" is not set.
  Obtained from: NetBSD
  MFC after: 2 weeks
  Author: mtm | Age: 2007-05-18 | Files: 6 | Lines: -23/+26
* o Use the --detach option to kdc(8) instead of using the shell background operator '&'.
    PR: conf/102722
  o No need to include $kerberos5_server_flags in $command_args as rc.subr(8) will take care of this.
  Author: mtm | Age: 2007-05-17 | Files: 1 | Lines: -3/+3
* The precmd routine does not need to check whether the command should be "forced". If some pre-condition is not met, it should fail as it normally does and rc.subr(8) will make the appropriate decision. Incidentally, the previous behaviour had a bug where the "force" flag was respected only when checking rc.conf(5) knobs. The flag was ignored when verifying the rpcbind(8) dependency.
  MFC after: 2 weeks
  Author: mtm | Age: 2007-05-17 | Files: 3 | Lines: -24/+30
* Add SIP-related ports.
  Obtained from: IANA list of reserved ports.
  Reviewed by: edwin@
  Author: grog | Age: 2007-05-16 | Files: 1 | Lines: -0/+6
* White space tidy-up.
  Author: grog | Age: 2007-05-16 | Files: 1 | Lines: -4/+4
* o Install 480.status-ntpd.
  Pointed out by: Henrik Brix Anders
  Author: maxim | Age: 2007-05-14 | Files: 1 | Lines: -0/+1
* o Add a script to check ntpd(8) state. Default is off.
  PR: conf/112604
  Submitted by: Oliver Fromme
  MFC after: 1 month
  Author: maxim | Age: 2007-05-13 | Files: 2 | Lines: -0/+31
* Move options that do not have anything to do with routing out of rc.d/routing and in to rc.d/netoptions. Also instead of saying "TCP options" say "IP options".
  Author: mtm | Age: 2007-05-02 | Files: 2 | Lines: -42/+43
* When rc.d/NETWORKING included this script in its REQUIRE line, a circular dependency was introduced because this script had rc.d/localpkg (which is *after* rc.d/NETWORKING) in its REQUIRE line. From an examination of its contents it seems that only the availability of a local filesystem is necessary for this script to function properly.
  Author: mtm | Age: 2007-05-02 | Files: 1 | Lines: -1/+1
* When zfs dataset has jailed=on property, it won't be mounted with 'zfs mount -a' from the main system - this is by design, as mountpoint may be set to dangerous value. This all means, that such file system has to be mounted from within a jail. To make it easier, reorganize rc.d/zfs script so it can be used from within a jail.
  Author: pjd | Age: 2007-04-22 | Files: 1 | Lines: -3/+34
* Quick kill posix4 directory.
  Submitted by: rodrigc (BSD.include.dist).
  Author: trhodes | Age: 2007-04-18 | Files: 1 | Lines: -2/+0
* When org.freebsd:swap property is set to 'on' on a ZVOL, use it as a swap device.
  Discussed with: des
  Author: pjd | Age: 2007-04-15 | Files: 1 | Lines: -0/+18
* Remove the shutdown keyword. It just adds noise to the shutdown process.
  Author: des | Age: 2007-04-13 | Files: 1 | Lines: -1/+1
* - Create an empty /etc/zfs/exports file when zfs_enable="YES" and we don't NFS-share anything. This way we can safely start mountd with /etc/zfs/exports and mountd won't complain.
    Pointed out by: ceri
  - Move 'zfs volinit' before 'zfs mount -a' and 'zfs volfini' after 'zfs unmount -a'.
  Author: pjd | Age: 2007-04-13 | Files: 1 | Lines: -2/+5
* mountd(8) was changed to only abort when all given exports files cannot be open, so we no longer have to check if /etc/zfs/exports exists.
  Author: pjd | Age: 2007-04-13 | Files: 1 | Lines: -1/+1