diff options
Diffstat (limited to 'usr.sbin')
36 files changed, 1651 insertions, 119 deletions
diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile index 90c23dc26cc5..b97c22ffeb08 100644 --- a/usr.sbin/Makefile +++ b/usr.sbin/Makefile @@ -139,9 +139,7 @@ SUBDIR.${MK_FLOPPY}+= fdformat SUBDIR.${MK_FLOPPY}+= fdread SUBDIR.${MK_FLOPPY}+= fdwrite SUBDIR.${MK_FREEBSD_UPDATE}+= freebsd-update -.if ${MK_KERBEROS_SUPPORT} != "no" -SUBDIR.${MK_GSSAPI}+= gssd -.endif +SUBDIR.${MK_KERBEROS_SUPPORT}+= gssd SUBDIR.${MK_GPIO}+= gpioctl SUBDIR.${MK_HYPERV}+= hyperv SUBDIR.${MK_INET6}+= ip6addrctl @@ -174,6 +172,7 @@ SUBDIR.${MK_NETGRAPH}+= flowctl SUBDIR.${MK_NETGRAPH}+= ngctl SUBDIR.${MK_NETGRAPH}+= nghook SUBDIR.${MK_NIS}+= rpc.yppasswdd +SUBDIR.${MK_NIS}+= rpc.ypupdated SUBDIR.${MK_NIS}+= rpc.ypxfrd SUBDIR.${MK_NIS}+= ypbind SUBDIR.${MK_NIS}+= ypldap diff --git a/usr.sbin/bsdinstall/scripts/jail b/usr.sbin/bsdinstall/scripts/jail index 4b2882dad477..0c3c7e125fdd 100755 --- a/usr.sbin/bsdinstall/scripts/jail +++ b/usr.sbin/bsdinstall/scripts/jail @@ -207,7 +207,7 @@ fi trap error SIGINT # SIGINT is bad again bsdinstall config || error "Failed to save config" cp /etc/resolv.conf $1/etc -cp /etc/localtime $1/etc +cp -P /etc/localtime $1/etc cp /var/db/zoneinfo $1/var/db # Run post-install script diff --git a/usr.sbin/certctl/certctl.8 b/usr.sbin/certctl/certctl.8 index 97bdc840c359..edf993e1361a 100644 --- a/usr.sbin/certctl/certctl.8 +++ b/usr.sbin/certctl/certctl.8 @@ -24,7 +24,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 11, 2025 +.Dd August 18, 2025 .Dt CERTCTL 8 .Os .Sh NAME @@ -63,6 +63,8 @@ This option is only valid in conjunction with the command. .It Fl D Ar destdir Specify the DESTDIR (overriding values from the environment). +.It Fl d Ar distbase +Specify the DISTBASE (overriding values from the environment). .It Fl l When listing installed (trusted or untrusted) certificates, show the full path and distinguished name for each certificate. @@ -117,7 +119,13 @@ Remove the specified file from the untrusted list. .Sh ENVIRONMENT .Bl -tag -width UNTRUSTDESTDIR .It Ev DESTDIR -Alternate destination directory to operate on. +Absolute path to an alternate destination directory to operate on +instead of the file system root, e.g. +.Dq Li /tmp/install . +.It Ev DISTBASE +Additional path component to include when operating on certificate directories. +This must start with a slash, e.g. +.Dq Li /base . .It Ev LOCALBASE Location for local programs. Defaults to the value of the user.localbase sysctl which is usually @@ -125,22 +133,22 @@ Defaults to the value of the user.localbase sysctl which is usually .It Ev TRUSTPATH List of paths to search for trusted certificates. Default: -.Pa ${DESTDIR}/usr/share/certs/trusted +.Pa ${DESTDIR}${DISTBASE}/usr/share/certs/trusted .Pa ${DESTDIR}${LOCALBASE}/share/certs/trusted .Pa ${DESTDIR}${LOCALBASE}/share/certs .It Ev UNTRUSTPATH List of paths to search for untrusted certificates. Default: -.Pa ${DESTDIR}/usr/share/certs/untrusted +.Pa ${DESTDIR}${DISTBASE}/usr/share/certs/untrusted .Pa ${DESTDIR}${LOCALBASE}/share/certs/untrusted .It Ev TRUSTDESTDIR Destination directory for symbolic links to trusted certificates. Default: -.Pa ${DESTDIR}/etc/ssl/certs +.Pa ${DESTDIR}${DISTBASE}/etc/ssl/certs .It Ev UNTRUSTDESTDIR Destination directory for symbolic links to untrusted certificates. Default: -.Pa ${DESTDIR}/etc/ssl/untrusted +.Pa ${DESTDIR}${DISTBASE}/etc/ssl/untrusted .It Ev BUNDLE File name of bundle to produce. .El diff --git a/usr.sbin/certctl/certctl.c b/usr.sbin/certctl/certctl.c index 365870167aeb..3601f6929fc4 100644 --- a/usr.sbin/certctl/certctl.c +++ b/usr.sbin/certctl/certctl.c @@ -63,6 +63,7 @@ static bool verbose; static const char *localbase; static const char *destdir; +static const char *distbase; static const char *metalog; static const char *uname = "root"; @@ -100,6 +101,50 @@ static char *bundle_dest; static FILE *mlf; /* + * Create a directory and its parents as needed. + */ +static void +mkdirp(const char *dir) +{ + struct stat sb; + const char *sep; + char *parent; + + if (stat(dir, &sb) == 0) + return; + if ((sep = strrchr(dir, '/')) != NULL) { + parent = xasprintf("%.*s", (int)(sep - dir), dir); + mkdirp(parent); + free(parent); + } + info("creating %s", dir); + if (mkdir(dir, 0755) != 0) + err(1, "mkdir %s", dir); +} + +/* + * Remove duplicate and trailing slashes from a path. + */ +static char * +normalize_path(const char *str) +{ + char *buf, *dst; + + if ((buf = malloc(strlen(str) + 1)) == NULL) + err(1, NULL); + for (dst = buf; *str != '\0'; dst++) { + if ((*dst = *str++) == '/') { + while (*str == '/') + str++; + if (*str == '\0') + break; + } + } + *dst = '\0'; + return (buf); +} + +/* * Split a colon-separated list into a NULL-terminated array. */ static char ** @@ -124,14 +169,14 @@ split_paths(const char *str) } /* - * Expand %L into LOCALBASE and prefix DESTDIR. + * Expand %L into LOCALBASE and prefix DESTDIR and DISTBASE as needed. */ static char * expand_path(const char *template) { if (template[0] == '%' && template[1] == 'L') return (xasprintf("%s%s%s", destdir, localbase, template + 2)); - return (xasprintf("%s%s", destdir, template)); + return (xasprintf("%s%s%s", destdir, distbase, template)); } /* @@ -155,6 +200,9 @@ expand_paths(const char *const *templates) /* * If destdir is a prefix of path, returns a pointer to the rest of path, * otherwise returns path. + * + * Note that this intentionally does not strip distbase from the path! + * Unlike destdir, distbase is expected to be included in the metalog. */ static const char * unexpand_path(const char *path) @@ -268,7 +316,7 @@ read_cert(const char *path, struct cert_tree *tree, struct cert_tree *exclude) X509_NAME *name; struct cert *cert; unsigned long hash; - int ni, no; + int len, ni, no; if ((f = fopen(path, "r")) == NULL) { warn("%s", path); @@ -293,11 +341,21 @@ read_cert(const char *path, struct cert_tree *tree, struct cert_tree *exclude) cert->x509 = x509; name = X509_get_subject_name(x509); cert->hash = X509_NAME_hash_ex(name, NULL, NULL, NULL); - cert->name = X509_NAME_oneline(name, NULL, 0); + len = X509_NAME_get_text_by_NID(name, NID_commonName, + NULL, 0); + if (len > 0) { + if ((cert->name = malloc(len + 1)) == NULL) + err(1, NULL); + X509_NAME_get_text_by_NID(name, NID_commonName, + cert->name, len + 1); + } else { + /* fallback for certificates without CN */ + cert->name = X509_NAME_oneline(name, NULL, 0); + } cert->path = xstrdup(unexpand_path(path)); if (RB_INSERT(cert_tree, tree, cert) != NULL) errx(1, "unexpected duplicate"); - info("%08lx: %s", cert->hash, strrchr(cert->name, '=') + 1); + info("%08lx: %s", cert->hash, cert->name); no++; } /* @@ -488,9 +546,10 @@ write_certs(const char *dir, struct cert_tree *tree) free(tmppath); tmppath = NULL; } + fflush(f); /* emit metalog */ if (mlf != NULL) { - fprintf(mlf, "%s/%s type=file " + fprintf(mlf, ".%s/%s type=file " "uname=%s gname=%s mode=%#o size=%ld\n", unexpand_path(dir), path, uname, gname, mode, ftell(f)); @@ -561,7 +620,7 @@ write_bundle(const char *dir, const char *file, struct cert_tree *tree) } if (ret == 0 && mlf != NULL) { fprintf(mlf, - "%s/%s type=file uname=%s gname=%s mode=%#o size=%ld\n", + ".%s/%s type=file uname=%s gname=%s mode=%#o size=%ld\n", unexpand_path(dir), file, uname, gname, mode, ftell(f)); } fclose(f); @@ -648,7 +707,7 @@ save_trusted(void) { int ret; - /* save untrusted certs */ + mkdirp(trusted_dest); ret = write_certs(trusted_dest, &trusted); return (ret); } @@ -663,6 +722,7 @@ save_untrusted(void) { int ret; + mkdirp(untrusted_dest); ret = write_certs(untrusted_dest, &untrusted); return (ret); } @@ -684,6 +744,7 @@ save_bundle(void) } else { dir = xasprintf("%.*s", (int)(sep - bundle_dest), bundle_dest); file = sep + 1; + mkdirp(dir); } ret = write_bundle(dir, file, &trusted); free(dir); @@ -925,6 +986,14 @@ set_defaults(void) if (destdir == NULL && (destdir = getenv("DESTDIR")) == NULL) destdir = ""; + destdir = normalize_path(destdir); + + if (distbase == NULL && + (distbase = getenv("DISTBASE")) == NULL) + distbase = ""; + if (*distbase != '\0' && *distbase != '/') + errx(1, "DISTBASE=%s does not begin with a slash", distbase); + distbase = normalize_path(distbase); if (unprivileged && metalog == NULL && (metalog = getenv("METALOG")) == NULL) @@ -950,22 +1019,23 @@ set_defaults(void) if ((value = getenv("TRUSTDESTDIR")) != NULL || (value = getenv("CERTDESTDIR")) != NULL) - trusted_dest = xstrdup(value); + trusted_dest = normalize_path(value); else trusted_dest = expand_path(TRUSTED_PATH); if ((value = getenv("UNTRUSTDESTDIR")) != NULL) - untrusted_dest = xstrdup(value); + untrusted_dest = normalize_path(value); else untrusted_dest = expand_path(UNTRUSTED_PATH); if ((value = getenv("BUNDLE")) != NULL) - bundle_dest = xstrdup(value); + bundle_dest = normalize_path(value); else bundle_dest = expand_path(BUNDLE_PATH); info("localbase:\t%s", localbase); info("destdir:\t%s", destdir); + info("distbase:\t%s", distbase); info("unprivileged:\t%s", unprivileged ? "true" : "false"); info("verbose:\t%s", verbose ? "true" : "false"); } @@ -987,11 +1057,11 @@ static struct { static void usage(void) { - fprintf(stderr, "usage: certctl [-lv] [-D destdir] list\n" - " certctl [-lv] [-D destdir] untrusted\n" - " certctl [-BnUv] [-D destdir] [-M metalog] rehash\n" - " certctl [-nv] [-D destdir] untrust <file>\n" - " certctl [-nv] [-D destdir] trust <file>\n"); + fprintf(stderr, "usage: certctl [-lv] [-D destdir] [-d distbase] list\n" + " certctl [-lv] [-D destdir] [-d distbase] untrusted\n" + " certctl [-BnUv] [-D destdir] [-d distbase] [-M metalog] rehash\n" + " certctl [-nv] [-D destdir] [-d distbase] untrust <file>\n" + " certctl [-nv] [-D destdir] [-d distbase] trust <file>\n"); exit(1); } @@ -1001,7 +1071,7 @@ main(int argc, char *argv[]) const char *command; int opt; - while ((opt = getopt(argc, argv, "BcD:g:lL:M:no:Uv")) != -1) + while ((opt = getopt(argc, argv, "BcD:d:g:lL:M:no:Uv")) != -1) switch (opt) { case 'B': nobundle = true; @@ -1012,6 +1082,9 @@ main(int argc, char *argv[]) case 'D': destdir = optarg; break; + case 'd': + distbase = optarg; + break; case 'g': gname = optarg; break; diff --git a/usr.sbin/certctl/tests/certctl_test.sh b/usr.sbin/certctl/tests/certctl_test.sh index 4e236d5bfae8..74749db0b3f5 100644 --- a/usr.sbin/certctl/tests/certctl_test.sh +++ b/usr.sbin/certctl/tests/certctl_test.sh @@ -60,41 +60,77 @@ ZWUPHYWKKTVEFBJOLLPDAIKGRDFVXZID $collhash EOF } +sortfile() { + for filename; do + sort "${filename}" >"${filename}"- + mv "${filename}"- "${filename}" + done +} + certctl_setup() { export DESTDIR="$PWD" # Create input directories - mkdir -p usr/share/certs/trusted - mkdir -p usr/share/certs/untrusted - mkdir -p usr/local/share/certs + mkdir -p ${DESTDIR}${DISTBASE}/usr/share/certs/trusted + mkdir -p ${DESTDIR}${DISTBASE}/usr/share/certs/untrusted + mkdir -p ${DESTDIR}/usr/local/share/certs - # Create output directories - mkdir -p etc/ssl/certs - mkdir -p etc/ssl/untrusted + # Do not create output directories; certctl will take care of it + #mkdir -p ${DESTDIR}${DISTBASE}/etc/ssl/certs + #mkdir -p ${DESTDIR}${DISTBASE}/etc/ssl/untrusted # Generate a random key keyname="testkey" gen_key ${keyname} # Generate certificates + :>metalog.expect + :>trusted.expect + :>untrusted.expect + metalog() { + echo ".${DISTBASE}$@ type=file" >>metalog.expect + } + trusted() { + local crtname=$1 + local filename=$2 + printf "%s\t%s\n" "${filename}" "${crtname}" >>trusted.expect + metalog "/etc/ssl/certs/${filename}" + } + untrusted() { + local crtname=$1 + local filename=$2 + printf "%s\t%s\n" "${filename}" "${crtname}" >>untrusted.expect + metalog "/etc/ssl/untrusted/${filename}" + } set1 | while read crtname hash ; do gen_crt ${crtname} ${keyname} - mv ${crtname}.crt usr/share/certs/trusted + mv ${crtname}.crt ${DESTDIR}${DISTBASE}/usr/share/certs/trusted + trusted "${crtname}" "${hash}.0" done + local c=0 coll | while read crtname hash ; do gen_crt ${crtname} ${keyname} - mv ${crtname}.crt usr/share/certs/trusted + mv ${crtname}.crt ${DESTDIR}${DISTBASE}/usr/share/certs/trusted + trusted "${crtname}" "${hash}.${c}" + c=$((c+1)) done set2 | while read crtname hash ; do gen_crt ${crtname} ${keyname} openssl x509 -in ${crtname}.crt rm ${crtname}.crt + trusted "${crtname}" "${hash}.0" done >usr/local/share/certs/bundle.crt set3 | while read crtname hash ; do gen_crt ${crtname} ${keyname} - mv ${crtname}.crt usr/share/certs/untrusted + mv ${crtname}.crt ${DESTDIR}${DISTBASE}/usr/share/certs/untrusted + untrusted "${crtname}" "${hash}.0" done + metalog "/etc/ssl/cert.pem" + unset -f untrusted + unset -f trusted + unset -f metalog + sortfile *.expect } check_trusted() { @@ -102,12 +138,12 @@ check_trusted() { local subject="$(subject ${crtname})" local c=${2:-1} - atf_check -o match:"found: ${c}\$" \ + atf_check -e ignore -o match:"found: ${c}\$" \ openssl storeutl -noout -subject "${subject}" \ - etc/ssl/certs - atf_check -o match:"found: 0\$" \ + ${DESTDIR}${DISTBASE}/etc/ssl/certs + atf_check -e ignore -o not-match:"found: [1-9]" \ openssl storeutl -noout -subject "${subject}" \ - etc/ssl/untrusted + ${DESTDIR}${DISTBASE}/etc/ssl/untrusted } check_untrusted() { @@ -115,23 +151,25 @@ check_untrusted() { local subject="$(subject ${crtname})" local c=${2:-1} - atf_check -o match:"found: 0\$" \ + atf_check -e ignore -o not-match:"found: [1-9]" \ openssl storeutl -noout -subject "${subject}" \ - etc/ssl/certs - atf_check -o match:"found: ${c}\$" \ + ${DESTDIR}/${DISTBASE}/etc/ssl/certs + atf_check -e ignore -o match:"found: ${c}\$" \ openssl storeutl -noout -subject "${subject}" \ - etc/ssl/untrusted + ${DESTDIR}/${DISTBASE}/etc/ssl/untrusted } check_in_bundle() { + local b=${DISTBASE}${DISTBASE+/} local crtfile=$1 local line line=$(tail +5 "${crtfile}" | head -1) - atf_check grep -q "${line}" etc/ssl/cert.pem + atf_check grep -q "${line}" ${DESTDIR}${DISTBASE}/etc/ssl/cert.pem } check_not_in_bundle() { + local b=${DISTBASE}${DISTBASE+/} local crtfile=$1 local line @@ -150,7 +188,7 @@ rehash_body() atf_check certctl rehash # Verify non-colliding trusted certificates - (set1 ; set2) > trusted + (set1; set2) >trusted while read crtname hash ; do check_trusted "${crtname}" done <trusted @@ -167,7 +205,7 @@ rehash_body() check_untrusted "${crtname}" done <untrusted - # Verify bundle; storeutl is no help here + # Verify bundle for f in etc/ssl/certs/*.? ; do check_in_bundle "${f}" done @@ -176,6 +214,31 @@ rehash_body() done } +atf_test_case list +list_head() +{ + atf_set "descr" "Test the list and untrusted commands" +} +list_body() +{ + certctl_setup + atf_check certctl rehash + + atf_check -o save:trusted.out certctl list + sortfile trusted.out + # the ordering of the colliding certificates is partly + # determined by fields that change every time we regenerate + # them, so ignore them in the diff + atf_check diff -u \ + --ignore-matching-lines $collhash \ + trusted.expect trusted.out + + atf_check -o save:untrusted.out certctl untrusted + sortfile untrusted.out + atf_check diff -u \ + untrusted.expect untrusted.out +} + atf_test_case trust trust_head() { @@ -185,7 +248,7 @@ trust_body() { certctl_setup atf_check certctl rehash - crtname=NJWIRLPWAIICVJBKXXHFHLCPAERZATRL + crtname=$(set3 | (read crtname hash ; echo ${crtname})) crtfile=usr/share/certs/untrusted/${crtname}.crt check_untrusted ${crtname} check_not_in_bundle ${crtfile} @@ -204,7 +267,7 @@ untrust_body() { certctl_setup atf_check certctl rehash - crtname=AVOYKJHSLFHWPVQMKBHENUAHJTEGMCCB + crtname=$(set1 | (read crtname hash ; echo ${crtname})) crtfile=usr/share/certs/trusted/${crtname}.crt check_trusted "${crtname}" check_in_bundle ${crtfile} @@ -213,9 +276,57 @@ untrust_body() check_not_in_bundle ${crtfile} } +atf_test_case metalog +metalog_head() +{ + atf_set "descr" "Verify the metalog" +} +metalog_body() +{ + export DISTBASE=/base + certctl_setup + + # certctl gets DESTDIR and DISTBASE from environment + rm -f metalog.orig + atf_check certctl -U -M metalog.orig rehash + sed -E 's/(type=file) .*/\1/' metalog.orig | sort >metalog.short + atf_check diff -u metalog.expect metalog.short + + # certctl gets DESTDIR and DISTBASE from command line + rm -f metalog.orig + atf_check env -uDESTDIR -uDISTBASE \ + certctl -D ${DESTDIR} -d ${DISTBASE} -U -M metalog.orig rehash + sed -E 's/(type=file) .*/\1/' metalog.orig | sort >metalog.short + atf_check diff -u metalog.expect metalog.short + + # as above, but intentionally add trailing slashes + rm -f metalog.orig + atf_check env -uDESTDIR -uDISTBASE \ + certctl -D ${DESTDIR}// -d ${DISTBASE}/ -U -M metalog.orig rehash + sed -E 's/(type=file) .*/\1/' metalog.orig | sort >metalog.short + atf_check diff -u metalog.expect metalog.short +} + +atf_test_case misc +misc_head() +{ + atf_set "descr" "Test miscellaneous edge cases" +} +misc_body() +{ + # certctl rejects DISTBASE that does not begin with a slash + atf_check -s exit:1 -e match:"begin with a slash" \ + certctl -d base -n rehash + atf_check -s exit:1 -e match:"begin with a slash" \ + env DISTBASE=base certctl -n rehash +} + atf_init_test_cases() { atf_add_test_case rehash + atf_add_test_case list atf_add_test_case trust atf_add_test_case untrust + atf_add_test_case metalog + atf_add_test_case misc } diff --git a/usr.sbin/devinfo/devinfo.8 b/usr.sbin/devinfo/devinfo.8 index f782b919056c..c34713d367ff 100644 --- a/usr.sbin/devinfo/devinfo.8 +++ b/usr.sbin/devinfo/devinfo.8 @@ -1,4 +1,5 @@ -.\" -*- nroff -*- +.\" +.\" SPDX-License-Identifer: BSD-2-Clause .\" .\" Copyright (c) 2002 Hiten Pandya .\" Copyright (c) 2002 Robert N. M. Watson @@ -25,7 +26,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 29, 2025 +.Dd August 28, 2025 .Dt DEVINFO 8 .Os .Sh NAME @@ -33,11 +34,14 @@ .Nd print information about system device configuration .Sh SYNOPSIS .Nm +.Op Fl -libxo .Op Fl rv .Nm -.Fl u Op Fl v -.Nm +.Op Fl -libxo .Fl p Ar dev Op Fl v +.Nm +.Op Fl -libxo +.Fl u Op Fl v .Sh DESCRIPTION The .Nm @@ -46,11 +50,23 @@ in the system, starting from the .Dq nexus device. .Pp -The following options are accepted. -.Bl -tag -width indent +The following options are accepted: +.Bl -tag -width "--libxo" +.It Fl -libxo +Generate output via +.Xr libxo 3 +in a selection of different human and machine readable formats. +See +.Xr xo_options 7 +for details on command line arguments. +.It Fl p Ar dev +Display the path of +.Ar dev +back to the root of the device tree. .It Fl r -Causes hardware resource information (such as IRQ, I/O ports, I/O memory -addresses) to be also listed, under each device that has reserved those resources. +Causes hardware resource information +.Pq such as IRQ, I/O ports, I/O memory addresses +to be also listed, under each device that has reserved those resources. .It Fl u Displays the same information as with .Fl r @@ -63,19 +79,22 @@ Display all devices in the driver tree, not just those that are attached or busy. Without this flag, only those devices that have attached are reported. This flag also displays verbose information about each device. -.It Fl p Ar dev -Display the path of -.Ar dev -back to the root of the device tree. .El .Sh SEE ALSO .Xr systat 1 , .Xr devinfo 3 , +.Xr libxo 3 , +.Xr xo_options 7 , .Xr devctl 8 , .Xr iostat 8 , .Xr pciconf 8 , .Xr vmstat 8 , .Xr devclass 9 , .Xr device 9 +.Sh HISTORY +The +.Nm +utility appeared in +.Fx 5.0 . .Sh AUTHORS .An Mike Smith Aq Mt msmith@FreeBSD.org diff --git a/usr.sbin/freebsd-update/freebsd-update.sh b/usr.sbin/freebsd-update/freebsd-update.sh index c388e76644dc..81040431ea79 100644 --- a/usr.sbin/freebsd-update/freebsd-update.sh +++ b/usr.sbin/freebsd-update/freebsd-update.sh @@ -3000,7 +3000,7 @@ install_from_index () { if [ -z "${LINK}" ]; then # Create a file, without setting flags. gunzip < files/${HASH}.gz > ${HASH} - install -S -o ${OWNER} -g ${GROUP} \ + install -o ${OWNER} -g ${GROUP} \ -m ${PERM} ${HASH} ${BASEDIR}/${FPATH} rm ${HASH} else diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c index 70de82e662e7..1bad04ccde68 100644 --- a/usr.sbin/jail/config.c +++ b/usr.sbin/jail/config.c @@ -189,7 +189,7 @@ load_config(const char *cfname) * jail is created or found. */ if (j->intparams[KP_NAME] == NULL) - add_param(j, j->intparams[KP_JID], KP_NAME, NULL); + add_param(j, NULL, KP_NAME, j->name); /* Resolve any variable substitutions. */ pgen = 0; diff --git a/usr.sbin/jail/tests/jail_basic_test.sh b/usr.sbin/jail/tests/jail_basic_test.sh index 509900e8569c..6802da7b049a 100755 --- a/usr.sbin/jail/tests/jail_basic_test.sh +++ b/usr.sbin/jail/tests/jail_basic_test.sh @@ -198,7 +198,7 @@ clean_jails() fi while read jail; do - if jls -e -j "$jail"; then + if jls -c -j "$jail"; then jail -r "$jail" fi done < jails.lst @@ -211,10 +211,23 @@ jid_name_set_body() echo "basejail" >> jails.lst echo "$jid { name = basejail; persist; }" > jail.conf atf_check -o match:"$jid: created" jail -f jail.conf -c "$jid" + # Confirm that we didn't override the explicitly-set name with the jid + # as the name. + atf_check -o match:"basejail" jls -j "$jid" name + atf_check -o match:"$jid: removed" jail -f jail.conf -r "$jid" + + echo "$jid { host.hostname = \"\${name}\"; persist; }" > jail.conf + atf_check -o match:"$jid: created" jail -f jail.conf -c "$jid" + # Confirm that ${name} expanded and expanded correctly to the + # jid-implied name. + atf_check -o match:"$jid" jls -j "$jid" host.hostname atf_check -o match:"$jid: removed" jail -f jail.conf -r "$jid" echo "basejail { jid = $jid; persist; }" > jail.conf atf_check -o match:"basejail: created" jail -f jail.conf -c basejail + # Confirm that our jid assigment in the definition worked out and we + # did in-fact create the jail there. + atf_check -o match:"$jid" jls -j "basejail" jid atf_check -o match:"basejail: removed" jail -f jail.conf -r basejail } diff --git a/usr.sbin/makefs/ffs.c b/usr.sbin/makefs/ffs.c index c0fcadf11fba..ed94abb7504f 100644 --- a/usr.sbin/makefs/ffs.c +++ b/usr.sbin/makefs/ffs.c @@ -591,6 +591,75 @@ ffs_create_image(const char *image, fsinfo_t *fsopts) return (fsopts->fd); } +static void +ffs_add_size(fsinfo_t *fsopts, size_t file_len) +{ + ffs_opt_t *ffs_opts = fsopts->fs_specific; + size_t blocks, fs_nindir, overhead; + int indir_level; + + blocks = howmany(file_len, ffs_opts->bsize); + + if (blocks <= UFS_NDADDR) { + /* Count full blocks. */ + fsopts->size += rounddown2(file_len, ffs_opts->bsize); + /* Calculate fragment size needed. */ + overhead = howmany(file_len - + rounddown2(file_len, ffs_opts->bsize), ffs_opts->fsize); + + /* + * A file could have just 1 fragment with size 1/8, 1/4 or 1/2 + * of bsize. + */ + switch (overhead) { + case 0: + break; + case 1: + fsopts->size += ffs_opts->fsize; + break; + case 2: + fsopts->size += 2 * ffs_opts->fsize; + break; + case 3: + case 4: + fsopts->size += 4 * ffs_opts->fsize; + break; + default: + fsopts->size += ffs_opts->bsize; + break; + } + return; + } + + /* File does not fit into direct blocks, count indirect blocks. */ + blocks = howmany(file_len - UFS_NDADDR * (size_t)ffs_opts->bsize, + ffs_opts->bsize); + fs_nindir = (size_t)ffs_opts->bsize / ((ffs_opts->version == 1) ? + sizeof(ufs1_daddr_t) : sizeof(ufs2_daddr_t)); + + indir_level = overhead = 0; + while (blocks > 0 && indir_level < 3) { + /* One indirect block is stored in di_ib[] */ + blocks = howmany(blocks, fs_nindir) - 1; + fsopts->size += ffs_opts->bsize * blocks; + overhead += blocks + 1; + indir_level++; + } + + assert(blocks == 0); + + if ((debug & DEBUG_FS_SIZE_DIR_NODE) != 0) { + printf("ffs_size_dir: size %jd, using %d levels of indirect " + "blocks, overhead %jd blocks\n", (uintmax_t)file_len, + indir_level, (uintmax_t)overhead); + } + + /* + * If the file is big enough to use indirect blocks, + * we allocate bsize block for trailing data. + */ + fsopts->size += roundup2(file_len, ffs_opts->bsize); +} static void ffs_size_dir(fsnode *root, fsinfo_t *fsopts) @@ -622,20 +691,6 @@ ffs_size_dir(fsnode *root, fsinfo_t *fsopts) e, tmpdir.d_namlen, this, curdirsize); \ } while (0); -#define ADDSIZE(x) do { \ - if ((size_t)(x) < UFS_NDADDR * (size_t)ffs_opts->bsize) { \ - fsopts->size += roundup((x), ffs_opts->fsize); \ - } else { \ - /* Count space consumed by indirecttion blocks. */ \ - fsopts->size += ffs_opts->bsize * \ - (howmany((x), UFS_NDADDR * ffs_opts->bsize) - 1); \ - /* \ - * If the file is big enough to use indirect blocks, \ - * we allocate bsize block for trailing data. \ - */ \ - fsopts->size += roundup((x), ffs_opts->bsize); \ - } \ -} while (0); curdirsize = 0; for (node = root; node != NULL; node = node->next) { @@ -646,13 +701,13 @@ ffs_size_dir(fsnode *root, fsinfo_t *fsopts) } else if ((node->inode->flags & FI_SIZED) == 0) { /* don't count duplicate names */ node->inode->flags |= FI_SIZED; - if (debug & DEBUG_FS_SIZE_DIR_NODE) + if ((debug & DEBUG_FS_SIZE_DIR_NODE) != 0) printf("ffs_size_dir: `%s' size %lld\n", node->name, (long long)node->inode->st.st_size); fsopts->inodes++; if (node->type == S_IFREG) - ADDSIZE(node->inode->st.st_size); + ffs_add_size(fsopts, node->inode->st.st_size); if (node->type == S_IFLNK) { size_t slen; @@ -660,13 +715,16 @@ ffs_size_dir(fsnode *root, fsinfo_t *fsopts) if (slen >= (ffs_opts->version == 1 ? UFS1_MAXSYMLINKLEN : UFS2_MAXSYMLINKLEN)) - ADDSIZE(slen); + ffs_add_size(fsopts, slen); } } if (node->type == S_IFDIR) ffs_size_dir(node->child, fsopts); } - ADDSIZE(curdirsize); + ffs_add_size(fsopts, curdirsize); + + /* Round up to full block to account fragment scattering. */ + fsopts->size = roundup2(fsopts->size, ffs_opts->bsize); if (debug & DEBUG_FS_SIZE_DIR) printf("ffs_size_dir: exit: size %lld inodes %lld\n", diff --git a/usr.sbin/makefs/zfs.c b/usr.sbin/makefs/zfs.c index 8d50c450541b..e33a182e5c8f 100644 --- a/usr.sbin/makefs/zfs.c +++ b/usr.sbin/makefs/zfs.c @@ -596,7 +596,7 @@ pool_labels_write(zfs_opt_t *zfs) * checksum is calculated in vdev_label_write(). */ for (size_t uoff = 0; uoff < sizeof(label->vl_uberblock); - uoff += (1 << zfs->ashift)) { + uoff += ASHIFT_UBERBLOCK_SIZE(zfs->ashift)) { ub = (uberblock_t *)(&label->vl_uberblock[0] + uoff); ub->ub_magic = UBERBLOCK_MAGIC; ub->ub_version = SPA_VERSION; diff --git a/usr.sbin/makefs/zfs/vdev.c b/usr.sbin/makefs/zfs/vdev.c index afcce402cb13..a2423e180ca3 100644 --- a/usr.sbin/makefs/zfs/vdev.c +++ b/usr.sbin/makefs/zfs/vdev.c @@ -200,7 +200,7 @@ vdev_label_write(zfs_opt_t *zfs, int ind, const vdev_label_t *labelp) * per sector; for example, with an ashift of 12 we end up with * 128KB/4KB=32 copies of the uberblock in the ring. */ - blksz = 1 << zfs->ashift; + blksz = ASHIFT_UBERBLOCK_SIZE(zfs->ashift); assert(sizeof(label->vl_uberblock) % blksz == 0); for (size_t roff = 0; roff < sizeof(label->vl_uberblock); roff += blksz) { diff --git a/usr.sbin/mountd/exports.5 b/usr.sbin/mountd/exports.5 index a90d81c4db99..786411fbf6d8 100644 --- a/usr.sbin/mountd/exports.5 +++ b/usr.sbin/mountd/exports.5 @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd December 16, 2024 +.Dd August 24, 2025 .Dt EXPORTS 5 .Os .Sh NAME @@ -148,6 +148,19 @@ characters. Mount points for a file system may appear on multiple lines each with different sets of hosts and export options. .Pp +Note that, for NFSv4 exporting, there must be both one or more ``V4:'' line(s) +and one or more line(s) exporting the file systems that are to be +exported to NFSv4 clients. +If there are multiple ``V4:'' lines, these lines must all specify the +same root directory path, but with different options for different +clients. +These line(s) do not export any file system, but simply define the +location of the ``root'' of the NFSv4 export subtree. +The line(s) exporting the file systems should always +specify the pathname of the root of a server file system +and must include at least one line exporting the file system +which is specified as the ``root'' by the ``V4:'' line(s). +.Pp The second component of a line specifies how the file system is to be exported to the host set. The option flags specify whether the file system diff --git a/usr.sbin/ngctl/Makefile b/usr.sbin/ngctl/Makefile index 72a5ccaa96d7..997841272376 100644 --- a/usr.sbin/ngctl/Makefile +++ b/usr.sbin/ngctl/Makefile @@ -13,4 +13,9 @@ LIBADD= netgraph CFLAGS+= -DEDITLINE LIBADD+= edit pthread +.if ${MK_JAIL} != "no" +CFLAGS+= -DJAIL +LIBADD+= jail +.endif + .include <bsd.prog.mk> diff --git a/usr.sbin/ngctl/main.c b/usr.sbin/ngctl/main.c index 7c79e67d8275..b32e4f878b6e 100644 --- a/usr.sbin/ngctl/main.c +++ b/usr.sbin/ngctl/main.c @@ -55,6 +55,10 @@ #include <histedit.h> #include <pthread.h> #endif +#ifdef JAIL +#include <sys/jail.h> +#include <jail.h> +#endif #include <netgraph.h> @@ -137,16 +141,17 @@ int csock, dsock; int main(int ac, char *av[]) { - char name[NG_NODESIZ]; - int interactive = isatty(0) && isatty(1); - FILE *fp = NULL; - int ch, rtn = 0; + char name[NG_NODESIZ]; + int interactive = isatty(0) && isatty(1); + FILE *fp = NULL; + const char *jail_name = NULL; + int ch, rtn = 0; /* Set default node name */ snprintf(name, sizeof(name), "ngctl%d", getpid()); /* Parse command line */ - while ((ch = getopt(ac, av, "df:n:")) != -1) { + while ((ch = getopt(ac, av, "df:j:n:")) != -1) { switch (ch) { case 'd': NgSetDebug(NgSetDebug(-1) + 1); @@ -157,6 +162,13 @@ main(int ac, char *av[]) else if ((fp = fopen(optarg, "r")) == NULL) err(EX_NOINPUT, "%s", optarg); break; + case 'j': +#ifdef JAIL + jail_name = optarg; +#else + errx(EX_UNAVAILABLE, "not built with jail support"); +#endif + break; case 'n': snprintf(name, sizeof(name), "%s", optarg); break; @@ -169,6 +181,22 @@ main(int ac, char *av[]) ac -= optind; av += optind; + if (jail_name != NULL) { + int jid; + + if (jail_name[0] == '\0') + Usage("invalid jail name"); + + jid = jail_getid(jail_name); + + if (jid == -1) + errx((errno == EPERM) ? EX_NOPERM : EX_NOHOST, + "%s", jail_errmsg); + if (jail_attach(jid) != 0) + errx((errno == EPERM) ? EX_NOPERM : EX_OSERR, + "cannot attach to jail"); + } + /* Create a new socket node */ if (NgMkSockNode(name, &csock, &dsock) < 0) err(EX_OSERR, "can't create node"); @@ -657,6 +685,7 @@ Usage(const char *msg) if (msg) warnx("%s", msg); fprintf(stderr, - "usage: ngctl [-d] [-f file] [-n name] [command ...]\n"); + "usage: ngctl [-j jail] [-d] [-f filename] [-n nodename] " + "[command [argument ...]]\n"); exit(EX_USAGE); } diff --git a/usr.sbin/ngctl/ngctl.8 b/usr.sbin/ngctl/ngctl.8 index 2225c836674a..63b8f58ed3df 100644 --- a/usr.sbin/ngctl/ngctl.8 +++ b/usr.sbin/ngctl/ngctl.8 @@ -31,7 +31,7 @@ .\" OF SUCH DAMAGE. .\" $Whistle: ngctl.8,v 1.6 1999/01/20 03:19:44 archie Exp $ .\" -.Dd January 19, 1999 +.Dd August 29, 2025 .Dt NGCTL 8 .Os .Sh NAME @@ -39,9 +39,11 @@ .Nd netgraph control utility .Sh SYNOPSIS .Nm +.Op Fl j Ar jail .Op Fl d .Op Fl f Ar filename .Op Fl n Ar nodename +.Op Ar command Op Ns Ar argument ... .Op Ar command ... .Sh DESCRIPTION The @@ -73,12 +75,31 @@ form if the originating node supports conversion. .Pp The options are as follows: .Bl -tag -width indent -.It Fl f Ar nodeinfo +.It Fl f Ar filename Read commands from the named file. A single dash represents the standard input. Blank lines and lines starting with a .Dq # are ignored. +Note that when the +.Fl j Ar jail +option is specified, the file will be opened before attaching to the jail and +then be processed inside the jail. +.It Fl j Ar jail +Perform the actions inside the +.Ar jail . +.Pp +.Nm +will first attach to the +.Ar jail +(by jail id or jail name) before performing the effects. +.Pp +This allows netgraph nodes of +.Ar jail +to be created, modified, and destroyed even if the +.Nm +binary is not available in +.Ar jail . .It Fl n Ar nodename Assign .Em nodename diff --git a/usr.sbin/pkg/FreeBSD.conf.latest b/usr.sbin/pkg/FreeBSD.conf.latest index 8c68118c4938..ac1636386942 100644 --- a/usr.sbin/pkg/FreeBSD.conf.latest +++ b/usr.sbin/pkg/FreeBSD.conf.latest @@ -3,18 +3,18 @@ # create a /usr/local/etc/pkg/repos/FreeBSD.conf file, e.g.: # # mkdir -p /usr/local/etc/pkg/repos -# echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf -# echo "FreeBSD-kmods: { enabled: no }" >> /usr/local/etc/pkg/repos/FreeBSD.conf +# echo "FreeBSD-ports: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf +# echo "FreeBSD-ports-kmods: { enabled: no }" >> /usr/local/etc/pkg/repos/FreeBSD.conf # -FreeBSD: { +FreeBSD-ports: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest", mirror_type: "srv", signature_type: "fingerprints", fingerprints: "/usr/share/keys/pkg", enabled: yes } -FreeBSD-kmods: { +FreeBSD-ports-kmods: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/kmods_latest", mirror_type: "srv", signature_type: "fingerprints", diff --git a/usr.sbin/pkg/FreeBSD.conf.quarterly b/usr.sbin/pkg/FreeBSD.conf.quarterly index 884226fc02d1..4e26582c6981 100644 --- a/usr.sbin/pkg/FreeBSD.conf.quarterly +++ b/usr.sbin/pkg/FreeBSD.conf.quarterly @@ -3,18 +3,18 @@ # create a /usr/local/etc/pkg/repos/FreeBSD.conf file, e.g.: # # mkdir -p /usr/local/etc/pkg/repos -# echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf -# echo "FreeBSD-kmods: { enabled: no }" >> /usr/local/etc/pkg/repos/FreeBSD.conf +# echo "FreeBSD-ports: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf +# echo "FreeBSD-ports-kmods: { enabled: no }" >> /usr/local/etc/pkg/repos/FreeBSD.conf # -FreeBSD: { +FreeBSD-ports: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly", mirror_type: "srv", signature_type: "fingerprints", fingerprints: "/usr/share/keys/pkg", enabled: yes } -FreeBSD-kmods: { +FreeBSD-ports-kmods: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/kmods_quarterly", mirror_type: "srv", signature_type: "fingerprints", diff --git a/usr.sbin/pkg/FreeBSD.conf.quarterly-release b/usr.sbin/pkg/FreeBSD.conf.quarterly-release index bd0ee13b9b43..b4a78009f7d2 100644 --- a/usr.sbin/pkg/FreeBSD.conf.quarterly-release +++ b/usr.sbin/pkg/FreeBSD.conf.quarterly-release @@ -3,18 +3,18 @@ # create a /usr/local/etc/pkg/repos/FreeBSD.conf file, e.g.: # # mkdir -p /usr/local/etc/pkg/repos -# echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf -# echo "FreeBSD-kmods: { enabled: no }" >> /usr/local/etc/pkg/repos/FreeBSD.conf +# echo "FreeBSD-ports: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf +# echo "FreeBSD-ports-kmods: { enabled: no }" >> /usr/local/etc/pkg/repos/FreeBSD.conf # -FreeBSD: { +FreeBSD-ports: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly", mirror_type: "srv", signature_type: "fingerprints", fingerprints: "/usr/share/keys/pkg", enabled: yes } -FreeBSD-kmods: { +FreeBSD-ports-kmods: { url: "pkg+https://pkg.FreeBSD.org/${ABI}/kmods_quarterly_${VERSION_MINOR}", mirror_type: "srv", signature_type: "fingerprints", diff --git a/usr.sbin/pw/pw.8 b/usr.sbin/pw/pw.8 index c72623ee05b3..5eae810b6732 100644 --- a/usr.sbin/pw/pw.8 +++ b/usr.sbin/pw/pw.8 @@ -22,7 +22,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd July 29, 2024 +.Dd August 19, 2025 .Dt PW 8 .Os .Sh NAME @@ -191,7 +191,12 @@ utility handles updating the .Xr master.passwd 5 , .Xr group 5 and the secure and insecure -password database files, and must be run as root. +password database files, and must be run as root +.Po except when using +.Fl R +or +.Fl V +.Pc . .Pp The first one or two keywords provided to .Nm diff --git a/usr.sbin/pw/pw.c b/usr.sbin/pw/pw.c index fc17f6dba022..a4c95258f3bb 100644 --- a/usr.sbin/pw/pw.c +++ b/usr.sbin/pw/pw.c @@ -162,6 +162,7 @@ main(int argc, char *argv[]) snprintf(conf.etcpath, sizeof(conf.etcpath), "%s%s", optarg, arg == 'R' ? _PATH_PWD : ""); + conf.altroot = true; } else break; } diff --git a/usr.sbin/pw/pw_user.c b/usr.sbin/pw/pw_user.c index d9fd8c77c13e..8a9a4342f5ef 100644 --- a/usr.sbin/pw/pw_user.c +++ b/usr.sbin/pw/pw_user.c @@ -238,6 +238,13 @@ perform_chgpwent(const char *name, struct passwd *pwd, char *nispasswd) } } +static void +pw_check_root(void) +{ + if (!conf.altroot && geteuid() != 0) + errx(EX_NOPERM, "you must be root"); +} + /* * The M_LOCK and M_UNLOCK functions simply add or remove * a "*LOCKED*" prefix from in front of the password to @@ -256,8 +263,7 @@ pw_userlock(char *arg1, int mode) bool locked = false; uid_t id = (uid_t)-1; - if (geteuid() != 0) - errx(EX_NOPERM, "you must be root"); + pw_check_root(); if (arg1 == NULL) errx(EX_DATAERR, "username or id required"); @@ -1324,8 +1330,8 @@ pw_user_add(int argc, char **argv, char *arg1) if (argc > 0) usage(); - if (geteuid() != 0 && ! dryrun) - errx(EX_NOPERM, "you must be root"); + if (!dryrun) + pw_check_root(); if (quiet) freopen(_PATH_DEVNULL, "w", stderr); @@ -1641,8 +1647,8 @@ pw_user_mod(int argc, char **argv, char *arg1) if (argc > 0) usage(); - if (geteuid() != 0 && ! dryrun) - errx(EX_NOPERM, "you must be root"); + if (!dryrun) + pw_check_root(); if (quiet) freopen(_PATH_DEVNULL, "w", stderr); diff --git a/usr.sbin/pw/pwupd.h b/usr.sbin/pw/pwupd.h index 262b044e07fc..a39a022ca309 100644 --- a/usr.sbin/pw/pwupd.h +++ b/usr.sbin/pw/pwupd.h @@ -78,6 +78,7 @@ struct pwconf { char etcpath[MAXPATHLEN]; int fd; int rootfd; + bool altroot; bool checkduplicate; }; diff --git a/usr.sbin/rpc.ypupdated/Makefile b/usr.sbin/rpc.ypupdated/Makefile new file mode 100644 index 000000000000..78ee19fc7a6d --- /dev/null +++ b/usr.sbin/rpc.ypupdated/Makefile @@ -0,0 +1,32 @@ +.PATH: ${SRCTOP}/usr.sbin/ypserv ${SRCTOP}/libexec/ypxfr + +PACKAGE=yp +PROG= rpc.ypupdated +MAN= +SRCS= ypupdate_prot_svc.c ypupdate_prot.h ypupdated_main.c \ + yp_error.c update.c ypupdated_server.c \ + yp_dblookup.c yp_dbwrite.c yp_dbdelete.c yp_dbupdate.c + +#CFLAGS+= -DYP +CFLAGS+= -I${SRCTOP}/usr.sbin/ypserv -I. -I${SRCTOP}/libexec/ypxfr + +WARNS?= 1 + +LIBADD= rpcsvc + +CLEANFILES= ypupdate_prot_svc.c ypupdate_prot.h + +RPCDIR= ${SYSROOT:U${DESTDIR}}/usr/include/rpcsvc +RPCGEN= RPCGEN_CPP=${CPP:Q} rpcgen -I -C + +# We need to remove the 'static' keyword from _rpcsvcstate so that +# ypupdated_main.c can see it. +ypupdate_prot_svc.c: ${RPCDIR}/ypupdate_prot.x + rm -f ${.TARGET} + ${RPCGEN} -m ${.ALLSRC} | \ + sed s/"static int _rpcsvcstate"/"int _rpcsvcstate"/g > ${.TARGET} + +ypupdate_prot.h: ${RPCDIR}/ypupdate_prot.x + ${RPCGEN} -h -o ${.TARGET} ${.ALLSRC} + +.include <bsd.prog.mk> diff --git a/usr.sbin/rpc.ypupdated/Makefile.depend b/usr.sbin/rpc.ypupdated/Makefile.depend new file mode 100644 index 000000000000..352a225b19c6 --- /dev/null +++ b/usr.sbin/rpc.ypupdated/Makefile.depend @@ -0,0 +1,18 @@ +# Autogenerated - do NOT edit! + +DIRDEPS = \ + include \ + include/rpc \ + include/rpcsvc \ + include/xlocale \ + lib/${CSU_DIR} \ + lib/libc \ + lib/libcompiler_rt \ + lib/librpcsvc \ + + +.include <dirdeps.mk> + +.if ${DEP_RELDIR} == ${_DEP_RELDIR} +# local dependencies - needed for -jN in clean tree +.endif diff --git a/usr.sbin/rpc.ypupdated/update.c b/usr.sbin/rpc.ypupdated/update.c new file mode 100644 index 000000000000..332ed752acc4 --- /dev/null +++ b/usr.sbin/rpc.ypupdated/update.c @@ -0,0 +1,328 @@ +/* + * Sun RPC is a product of Sun Microsystems, Inc. and is provided for + * unrestricted use provided that this legend is included on all tape + * media and as a part of the software program in whole or part. Users + * may copy or modify Sun RPC without charge, but are not authorized + * to license or distribute it to anyone else except as part of a product or + * program developed by the user or with the express written consent of + * Sun Microsystems, Inc. + * + * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE + * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR + * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. + * + * Sun RPC is provided with no support and without any obligation on the + * part of Sun Microsystems, Inc. to assist in its use, correction, + * modification or enhancement. + * + * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE + * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC + * OR ANY PART THEREOF. + * + * In no event will Sun Microsystems, Inc. be liable for any lost revenue + * or profits or other special, indirect and consequential damages, even if + * Sun has been advised of the possibility of such damages. + * + * Sun Microsystems, Inc. + * 2550 Garcia Avenue + * Mountain View, California 94043 + */ + +/* + * Copyright (C) 1986, 1989, Sun Microsystems, Inc. + */ + +/* + * Administrative tool to add a new user to the publickey database + */ +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <rpc/rpc.h> +#include <rpc/key_prot.h> +#ifdef YP +#include <rpcsvc/yp_prot.h> +#include <rpcsvc/ypclnt.h> +#include <sys/wait.h> +#include <netdb.h> +#endif /* YP */ +#include <pwd.h> +#include <string.h> +#include <sys/resource.h> +#include "ypupdated_extern.h" + +#ifdef YP +#define MAXMAPNAMELEN 256 +#else +#define YPOP_CHANGE 1 /* change, do not add */ +#define YPOP_INSERT 2 /* add, do not change */ +#define YPOP_DELETE 3 /* delete this entry */ +#define YPOP_STORE 4 /* add, or change */ +#endif + +#ifdef YP +static char SHELL[] = "/bin/sh"; +static char YPDBPATH[]="/var/yp"; /* This is defined but not used! */ +static char PKMAP[] = "publickey.byname"; +static char UPDATEFILE[] = "updaters"; +static char PKFILE[] = "/etc/publickey"; +#endif /* YP */ + +#ifdef YP +static int _openchild(char *, FILE **, FILE **); + +/* + * Determine if requester is allowed to update the given map, + * and update it if so. Returns the yp status, which is zero + * if there is no access violation. + */ +int +mapupdate(char *requester, char *mapname, u_int op, u_int keylen, char *key, + u_int datalen, char *data) +{ + char updater[MAXMAPNAMELEN + 40]; + FILE *childargs; + FILE *childrslt; +#ifdef WEXITSTATUS + int status; +#else + union wait status; +#endif + pid_t pid; + u_int yperrno; + + +#ifdef DEBUG + printf("%s %s\n", key, data); +#endif + (void)sprintf(updater, "make -s -f %s/%s %s", YPDBPATH, /* !!! */ + UPDATEFILE, mapname); + pid = _openchild(updater, &childargs, &childrslt); + if (pid < 0) { + return (YPERR_YPERR); + } + + /* + * Write to child + */ + (void)fprintf(childargs, "%s\n", requester); + (void)fprintf(childargs, "%u\n", op); + (void)fprintf(childargs, "%u\n", keylen); + (void)fwrite(key, (int)keylen, 1, childargs); + (void)fprintf(childargs, "\n"); + (void)fprintf(childargs, "%u\n", datalen); + (void)fwrite(data, (int)datalen, 1, childargs); + (void)fprintf(childargs, "\n"); + (void)fclose(childargs); + + /* + * Read from child + */ + (void)fscanf(childrslt, "%d", &yperrno); + (void)fclose(childrslt); + + (void)wait(&status); +#ifdef WEXITSTATUS + if (WEXITSTATUS(status) != 0) +#else + if (status.w_retcode != 0) +#endif + return (YPERR_YPERR); + return (yperrno); +} + +/* + * returns pid, or -1 for failure + */ +static int +_openchild(char *command, FILE **fto, FILE **ffrom) +{ + int i; + pid_t pid; + int pdto[2]; + int pdfrom[2]; + char *com; + struct rlimit rl; + + if (pipe(pdto) < 0) { + goto error1; + } + if (pipe(pdfrom) < 0) { + goto error2; + } + switch (pid = fork()) { + case -1: + goto error3; + + case 0: + /* + * child: read from pdto[0], write into pdfrom[1] + */ + (void)close(0); + (void)dup(pdto[0]); + (void)close(1); + (void)dup(pdfrom[1]); + getrlimit(RLIMIT_NOFILE, &rl); + for (i = rl.rlim_max - 1; i >= 3; i--) { + (void) close(i); + } + com = malloc((unsigned) strlen(command) + 6); + if (com == NULL) { + _exit(~0); + } + (void)sprintf(com, "exec %s", command); + execl(SHELL, basename(SHELL), "-c", com, (char *)NULL); + _exit(~0); + + default: + /* + * parent: write into pdto[1], read from pdfrom[0] + */ + *fto = fdopen(pdto[1], "w"); + (void)close(pdto[0]); + *ffrom = fdopen(pdfrom[0], "r"); + (void)close(pdfrom[1]); + break; + } + return (pid); + + /* + * error cleanup and return + */ +error3: + (void)close(pdfrom[0]); + (void)close(pdfrom[1]); +error2: + (void)close(pdto[0]); + (void)close(pdto[1]); +error1: + return (-1); +} + +static char * +basename(char *path) +{ + char *p; + + p = strrchr(path, '/'); + if (p == NULL) { + return (path); + } else { + return (p + 1); + } +} + +#else /* YP */ + +static int match(char *, char *); + +/* + * Determine if requester is allowed to update the given map, + * and update it if so. Returns the status, which is zero + * if there is no access violation. This function updates + * the local file and then shuts up. + */ +int +localupdate(char *name, char *filename, u_int op, u_int keylen __unused, + char *key, u_int datalen __unused, char *data) +{ + char line[256]; + FILE *rf; + FILE *wf; + char *tmpname; + int err; + + /* + * Check permission + */ + if (strcmp(name, key) != 0) { + return (ERR_ACCESS); + } + if (strcmp(name, "nobody") == 0) { + /* + * Can't change "nobody"s key. + */ + return (ERR_ACCESS); + } + + /* + * Open files + */ + tmpname = malloc(strlen(filename) + 4); + if (tmpname == NULL) { + return (ERR_MALLOC); + } + sprintf(tmpname, "%s.tmp", filename); + rf = fopen(filename, "r"); + if (rf == NULL) { + err = ERR_READ; + goto cleanup; + } + wf = fopen(tmpname, "w"); + if (wf == NULL) { + fclose(rf); + err = ERR_WRITE; + goto cleanup; + } + err = -1; + while (fgets(line, sizeof (line), rf)) { + if (err < 0 && match(line, name)) { + switch (op) { + case YPOP_INSERT: + err = ERR_KEY; + break; + case YPOP_STORE: + case YPOP_CHANGE: + fprintf(wf, "%s %s\n", key, data); + err = 0; + break; + case YPOP_DELETE: + /* do nothing */ + err = 0; + break; + } + } else { + fputs(line, wf); + } + } + if (err < 0) { + switch (op) { + case YPOP_CHANGE: + case YPOP_DELETE: + err = ERR_KEY; + break; + case YPOP_INSERT: + case YPOP_STORE: + err = 0; + fprintf(wf, "%s %s\n", key, data); + break; + } + } + fclose(wf); + fclose(rf); + if (err == 0) { + if (rename(tmpname, filename) < 0) { + err = ERR_DBASE; + goto cleanup; + } + } else { + if (unlink(tmpname) < 0) { + err = ERR_DBASE; + goto cleanup; + } + } +cleanup: + free(tmpname); + return (err); +} + +static int +match(char *line, char *name) +{ + int len; + + len = strlen(name); + return (strncmp(line, name, len) == 0 && + (line[len] == ' ' || line[len] == '\t')); +} +#endif /* !YP */ diff --git a/usr.sbin/rpc.ypupdated/yp_dbdelete.c b/usr.sbin/rpc.ypupdated/yp_dbdelete.c new file mode 100644 index 000000000000..d07a8fcd2ff9 --- /dev/null +++ b/usr.sbin/rpc.ypupdated/yp_dbdelete.c @@ -0,0 +1,68 @@ +/*- + * SPDX-License-Identifier: BSD-4-Clause + * + * Copyright (c) 1995, 1996 + * Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Bill Paul. + * 4. Neither the name of the author nor the names of any co-contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +#include <stdio.h> +#include <stdlib.h> +#include <fcntl.h> +#include <string.h> +#include <limits.h> +#include <unistd.h> +#include <db.h> +#include <sys/stat.h> +#include <errno.h> +#include <paths.h> +#include <rpcsvc/yp.h> +#include "ypxfr_extern.h" + +int +yp_del_record(DB *dbp, DBT *key) +{ + int rval; + + if ((rval = (dbp->del)(dbp,key,0))) { + switch (rval) { + case 1: + return(YP_FALSE); + break; + case -1: + default: + (void)(dbp->close)(dbp); + return(YP_BADDB); + break; + } + } + + return(YP_TRUE); +} diff --git a/usr.sbin/rpc.ypupdated/yp_dbupdate.c b/usr.sbin/rpc.ypupdated/yp_dbupdate.c new file mode 100644 index 000000000000..af17bf5244ef --- /dev/null +++ b/usr.sbin/rpc.ypupdated/yp_dbupdate.c @@ -0,0 +1,147 @@ +/*- + * SPDX-License-Identifier: BSD-4-Clause + * + * Copyright (c) 1996 + * Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Bill Paul. + * 4. Neither the name of the author nor the names of any co-contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +#include <sys/fcntl.h> + +#include <stdint.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <limits.h> +#include <db.h> +#include <unistd.h> +#include <rpcsvc/ypclnt.h> +#include <rpcsvc/ypupdate_prot.h> +#include "ypxfr_extern.h" +#include "ypupdated_extern.h" + +static int +yp_domake(char *map, char *domain) +{ + int pid; + + switch ((pid = fork())) { + case 0: + execlp(MAP_UPDATE_PATH, MAP_UPDATE, map, domain, (char *)NULL); + yp_error("couldn't exec map update process: %s", + strerror(errno)); + exit(1); + break; + case -1: + yp_error("fork() failed: %s", strerror(errno)); + return(YPERR_YPERR); + break; + default: + children++; + break; + } + + return(0); +} + +int +ypmap_update(char *netname, char *map, unsigned int op, unsigned int keylen, + char *keyval, unsigned int datlen, char *datval) +{ + DB *dbp; + DBT key = { NULL, 0 }, data = { NULL, 0 }; + char *yp_last = "YP_LAST_MODIFIED"; + char yplastbuf[32]; + char *domptr; + int rval = 0; + + if ((domptr = strchr(netname, '@')) == NULL) + return(ERR_ACCESS); + domptr++; + + + dbp = yp_open_db_rw(domptr, map, O_RDWR); + if (dbp == NULL) + return(ERR_DBASE); + + key.data = keyval; + key.size = keylen; + data.data = datval; + data.size = datlen; + + switch (op) { + case YPOP_DELETE: /* delete this entry */ + rval = yp_del_record(dbp, &key); + if (rval == YP_TRUE) + rval = 0; + break; + case YPOP_INSERT: /* add, do not change */ + rval = yp_put_record(dbp, &key, &data, 0); + if (rval == YP_TRUE) + rval = 0; + break; + case YPOP_STORE: /* add, or change */ + rval = yp_put_record(dbp, &key, &data, 1); + if (rval == YP_TRUE) + rval = 0; + break; + case YPOP_CHANGE: /* change, do not add */ + if (yp_get_record(domptr, map, &key, &data, 0) != YP_TRUE) { + rval = ERR_KEY; + break; + } + rval = yp_put_record(dbp, &key, &data, 1); + if (rval == YP_TRUE) + rval = 0; + break; + default: + yp_error("unknown update command: (%d)", op); + } + + if (rval) { + (void)(dbp->close)(dbp); + return(rval); + } + + snprintf(yplastbuf, sizeof(yplastbuf), "%jd", (intmax_t)time(NULL)); + key.data = yp_last; + key.size = strlen(yp_last); + data.data = (char *)&yplastbuf; + data.size = strlen(yplastbuf); + if (yp_put_record(dbp, &key, &data, 1) != YP_TRUE) { + yp_error("failed to update timestamp in %s/%s", domptr, map); + (void)(dbp->close)(dbp); + return(ERR_DBASE); + } + + (void)(dbp->close)(dbp); + return(yp_domake(map, domptr)); +} diff --git a/usr.sbin/rpc.ypupdated/ypupdate b/usr.sbin/rpc.ypupdated/ypupdate new file mode 100755 index 000000000000..8795ef3baf80 --- /dev/null +++ b/usr.sbin/rpc.ypupdated/ypupdate @@ -0,0 +1,32 @@ +#!/bin/sh +# +# This script is invoked by rpc.ypupdatedd to propagate NIS maps +# after the master map databases have been modified. It expects +# to be passed two arguments: the name of the map that was updated +# and the name of the domain where the map resides. +# These are passed to /var/yp/Makefile. +# +# Comment out the LOG=yes line to disable logging. +# +# + +LOG=yes +LOGFILE=/var/yp/ypupdate.log + +umask 077 + +if [ ! -f $LOGFILE ]; +then + /usr/bin/touch $LOGFILE + echo "# Edit /usr/libexec/yppwupdate to disable" >> $LOGFILE + echo "# logging to this file from yppasswdd." >> $LOGFILE + echo -n "# Log started on: " >> $LOGFILE + /bin/date >> $LOGFILE +fi + +if [ ! $LOG ]; +then + cd /var/yp/$2; /usr/bin/make -f ../Makefile $1 2>&1 +else + cd /var/yp/$2; /usr/bin/make -f ../Makefile $1 >> $LOGFILE +fi diff --git a/usr.sbin/rpc.ypupdated/ypupdated_extern.h b/usr.sbin/rpc.ypupdated/ypupdated_extern.h new file mode 100644 index 000000000000..90968df36748 --- /dev/null +++ b/usr.sbin/rpc.ypupdated/ypupdated_extern.h @@ -0,0 +1,32 @@ +/* + */ + +#include <db.h> + +#define YPOP_CHANGE 1 /* change, do not add */ +#define YPOP_INSERT 2 /* add, do not change */ +#define YPOP_DELETE 3 /* delete this entry */ +#define YPOP_STORE 4 /* add, or change */ + +#define ERR_ACCESS 1 +#define ERR_MALLOC 2 +#define ERR_READ 3 +#define ERR_WRITE 4 +#define ERR_DBASE 5 +#define ERR_KEY 6 + +#ifndef YPLIBDIR +#define YPLIBDIR "/usr/libexec/" +#endif + +#ifndef MAP_UPPATE +#define MAP_UPDATE "ypupdate" +#endif + +#define MAP_UPDATE_PATH YPLIBDIR MAP_UPDATE + +extern int children; +extern void ypu_prog_1(struct svc_req *, register SVCXPRT *); +extern int localupdate(char *, char *, u_int, u_int, char *, u_int, char *); +extern int ypmap_update(char *, char *, u_int, u_int, char *, u_int, char *); +extern int yp_del_record(DB *, DBT *); diff --git a/usr.sbin/rpc.ypupdated/ypupdated_main.c b/usr.sbin/rpc.ypupdated/ypupdated_main.c new file mode 100644 index 000000000000..dae956594da0 --- /dev/null +++ b/usr.sbin/rpc.ypupdated/ypupdated_main.c @@ -0,0 +1,287 @@ +/*- + * SPDX-License-Identifier: BSD-4-Clause + * + * Copyright (c) 1995, 1996 + * Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Bill Paul. + * 4. Neither the name of the author nor the names of any co-contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +#include "ypupdate_prot.h" +#include <stdio.h> +#include <stdlib.h> /* getenv, exit */ +#include <rpc/pmap_clnt.h> /* for pmap_unset */ +#include <rpc/rpc_com.h> +#include <string.h> /* strcmp */ +#include <signal.h> +#ifdef __cplusplus +#include <sysent.h> /* getdtablesize, open */ +#endif /* __cplusplus */ +#include <memory.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <syslog.h> +#include <sys/wait.h> +#include <errno.h> +#include <err.h> +#include <unistd.h> +#include "ypupdated_extern.h" +#include "yp_extern.h" + +#ifndef SIG_PF +#define SIG_PF void(*)(int) +#endif + +#ifdef DEBUG +#define RPC_SVC_FG +#endif + +#define _RPCSVC_CLOSEDOWN 120 +int _rpcpmstart; /* Started by a port monitor ? */ +static int _rpcfdtype; + /* Whether Stream or Datagram ? */ + /* States a server can be in wrt request */ + +#define _IDLE 0 +#define _SERVED 1 +#define _SERVING 2 + +extern int _rpcsvcstate; /* Set when a request is serviced */ + +int debug; + +char *progname = "rpc.ypupdated"; +char *yp_dir = "/var/yp/"; + +static void +_msgout(char* msg) +{ +#ifdef RPC_SVC_FG + if (_rpcpmstart) + syslog(LOG_ERR, "%s", msg); + else + warnx("%s", msg); +#else + syslog(LOG_ERR, "%s", msg); +#endif +} + +static void +closedown(int sig) +{ + if (_rpcsvcstate == _IDLE) { + extern fd_set svc_fdset; + static int size; + int i, openfd; + + if (_rpcfdtype == SOCK_DGRAM) + exit(0); + if (size == 0) { + size = getdtablesize(); + } + for (i = 0, openfd = 0; i < size && openfd < 2; i++) + if (FD_ISSET(i, &svc_fdset)) + openfd++; + if (openfd <= 1) + exit(0); + } + if (_rpcsvcstate == _SERVED) + _rpcsvcstate = _IDLE; + + (void) signal(SIGALRM, (SIG_PF) closedown); + (void) alarm(_RPCSVC_CLOSEDOWN/2); +} + +static void +ypupdated_svc_run(void) +{ +#ifdef FD_SETSIZE + fd_set readfds; +#else + int readfds; +#endif /* def FD_SETSIZE */ + extern int forked; + int pid; + int fd_setsize = _rpc_dtablesize(); + + /* Establish the identity of the parent ypupdated process. */ + pid = getpid(); + + for (;;) { +#ifdef FD_SETSIZE + readfds = svc_fdset; +#else + readfds = svc_fds; +#endif /* def FD_SETSIZE */ + switch (select(fd_setsize, &readfds, NULL, NULL, + (struct timeval *)0)) { + case -1: + if (errno == EINTR) { + continue; + } + warn("svc_run: - select failed"); + return; + case 0: + continue; + default: + svc_getreqset(&readfds); + if (forked && pid != getpid()) + exit(0); + } + } +} + +static void +reaper(int sig) +{ + int status; + + if (sig == SIGHUP) { +#ifdef foo + load_securenets(); +#endif + return; + } + + if (sig == SIGCHLD) { + while (wait3(&status, WNOHANG, NULL) > 0) + children--; + } else { + (void) pmap_unset(YPU_PROG, YPU_VERS); + exit(0); + } +} + +void +usage(void) +{ + fprintf(stderr, "rpc.ypupdatedd [-p path]\n"); + exit(0); +} + +int +main(int argc, char *argv[]) +{ + register SVCXPRT *transp = NULL; + int sock; + int proto = 0; + struct sockaddr_in saddr; + int asize = sizeof (saddr); + int ch; + + while ((ch = getopt(argc, argv, "p:h")) != -1) { + switch (ch) { + case 'p': + yp_dir = optarg; + break; + default: + usage(); + break; + } + } +#ifdef foo + load_securenets(); +#endif + + if (svc_auth_reg(AUTH_DES, _svcauth_des) == -1) { + yp_error("failed to register AUTH_DES flavor"); + exit(1); + } + + if (getsockname(0, (struct sockaddr *)&saddr, &asize) == 0) { + int ssize = sizeof (int); + + if (saddr.sin_family != AF_INET) + exit(1); + if (getsockopt(0, SOL_SOCKET, SO_TYPE, + (char *)&_rpcfdtype, &ssize) == -1) + exit(1); + sock = 0; + _rpcpmstart = 1; + proto = 0; + openlog("rpc.ypupdatedd", LOG_PID, LOG_DAEMON); + } else { +#ifndef RPC_SVC_FG + if (daemon(0,0)) { + err(1, "cannot fork"); + } + openlog("rpc.ypupdated", LOG_PID, LOG_DAEMON); +#endif + sock = RPC_ANYSOCK; + (void) pmap_unset(YPU_PROG, YPU_VERS); + } + + if ((_rpcfdtype == 0) || (_rpcfdtype == SOCK_DGRAM)) { + transp = svcudp_create(sock); + if (transp == NULL) { + _msgout("cannot create udp service."); + exit(1); + } + if (!_rpcpmstart) + proto = IPPROTO_UDP; + if (!svc_register(transp, YPU_PROG, YPU_VERS, ypu_prog_1, proto)) { + _msgout("unable to register (YPU_PROG, YPU_VERS, udp)."); + exit(1); + } + } + + if ((_rpcfdtype == 0) || (_rpcfdtype == SOCK_STREAM)) { + transp = svctcp_create(sock, 0, 0); + if (transp == NULL) { + _msgout("cannot create tcp service."); + exit(1); + } + if (!_rpcpmstart) + proto = IPPROTO_TCP; + if (!svc_register(transp, YPU_PROG, YPU_VERS, ypu_prog_1, proto)) { + _msgout("unable to register (YPU_PROG, YPU_VERS, tcp)."); + exit(1); + } + } + + if (transp == (SVCXPRT *)NULL) { + _msgout("could not create a handle"); + exit(1); + } + if (_rpcpmstart) { + (void) signal(SIGALRM, (SIG_PF) closedown); + (void) alarm(_RPCSVC_CLOSEDOWN/2); + } + + (void) signal(SIGPIPE, SIG_IGN); + (void) signal(SIGCHLD, (SIG_PF) reaper); + (void) signal(SIGTERM, (SIG_PF) reaper); + (void) signal(SIGINT, (SIG_PF) reaper); + (void) signal(SIGHUP, (SIG_PF) reaper); + + ypupdated_svc_run(); + _msgout("svc_run returned"); + exit(1); + /* NOTREACHED */ +} diff --git a/usr.sbin/rpc.ypupdated/ypupdated_server.c b/usr.sbin/rpc.ypupdated/ypupdated_server.c new file mode 100644 index 000000000000..47e52401cd6e --- /dev/null +++ b/usr.sbin/rpc.ypupdated/ypupdated_server.c @@ -0,0 +1,227 @@ +/*- + * SPDX-License-Identifier: BSD-4-Clause + * + * Copyright (c) 1995, 1996 + * Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Bill Paul. + * 4. Neither the name of the author nor the names of any co-contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * ypupdate server implementation + * + * Written by Bill Paul <wpaul@ctr.columbia.edu> + * Center for Telecommunications Research + * Columbia University, New York City + */ + +#include <sys/cdefs.h> +#include <stdio.h> +#include <rpc/rpc.h> +#include <rpc/key_prot.h> +#include <sys/param.h> +#include <rpcsvc/yp.h> +#include "ypupdate_prot.h" +#include "ypupdated_extern.h" +#include "yp_extern.h" +#include "ypxfr_extern.h" + +int children = 0; +int forked = 0; + +/* + * Try to avoid spoofing: if a client chooses to use a very large + * window and then tries a bunch of randomly chosen encrypted timestamps, + * there's a chance he might stumble onto a valid combination. + * We therefore reject any RPCs with a window size larger than a preset + * value. + */ +#ifndef WINDOW +#define WINDOW (60*60) +#endif + +static enum auth_stat +yp_checkauth(struct svc_req *svcreq) +{ + struct authdes_cred *des_cred; + + switch (svcreq->rq_cred.oa_flavor) { + case AUTH_DES: + des_cred = (struct authdes_cred *) svcreq->rq_clntcred; + if (des_cred->adc_fullname.window > WINDOW) { + yp_error("warning: client-specified window size \ +was too large -- possible spoof attempt"); + return(AUTH_BADCRED); + } + return(AUTH_OK); + break; + case AUTH_UNIX: + case AUTH_NONE: + yp_error("warning: client didn't use DES authentication"); + return(AUTH_TOOWEAK); + break; + default: + yp_error("client used unknown auth flavor"); + return(AUTH_REJECTEDCRED); + break; + } +} + +unsigned int * +ypu_change_1_svc(struct ypupdate_args *args, struct svc_req *svcreq) +{ + struct authdes_cred *des_cred; + static int res; + char *netname; + enum auth_stat astat; + + res = 0; + + astat = yp_checkauth(svcreq); + + if (astat != AUTH_OK) { + svcerr_auth(svcreq->rq_xprt, astat); + return(&res); + } + + des_cred = (struct authdes_cred *) svcreq->rq_clntcred; + netname = des_cred->adc_fullname.name; + + res = localupdate(netname, "/etc/publickey", YPOP_CHANGE, + args->key.yp_buf_len, args->key.yp_buf_val, + args->datum.yp_buf_len, args->datum.yp_buf_val); + + if (res) + return (&res); + + res = ypmap_update(netname, args->mapname, YPOP_CHANGE, + args->key.yp_buf_len, args->key.yp_buf_val, + args->datum.yp_buf_len, args->datum.yp_buf_val); + + return (&res); +} + +unsigned int * +ypu_insert_1_svc(struct ypupdate_args *args, struct svc_req *svcreq) +{ + struct authdes_cred *des_cred; + static int res; + char *netname; + enum auth_stat astat; + + res = 0; + + astat = yp_checkauth(svcreq); + + if (astat != AUTH_OK) { + svcerr_auth(svcreq->rq_xprt, astat); + return(&res); + } + + des_cred = (struct authdes_cred *) svcreq->rq_clntcred; + netname = des_cred->adc_fullname.name; + + res = localupdate(netname, "/etc/publickey", YPOP_INSERT, + args->key.yp_buf_len, args->key.yp_buf_val, + args->datum.yp_buf_len, args->datum.yp_buf_val); + + if (res) + return (&res); + + res = ypmap_update(netname, args->mapname, YPOP_INSERT, + args->key.yp_buf_len, args->key.yp_buf_val, + args->datum.yp_buf_len, args->datum.yp_buf_val); + + return (&res); +} + +unsigned int * +ypu_delete_1_svc(struct ypdelete_args *args, struct svc_req *svcreq) +{ + struct authdes_cred *des_cred; + static int res; + char *netname; + enum auth_stat astat; + + res = 0; + + astat = yp_checkauth(svcreq); + + if (astat != AUTH_OK) { + svcerr_auth(svcreq->rq_xprt, astat); + return(&res); + } + + des_cred = (struct authdes_cred *) svcreq->rq_clntcred; + netname = des_cred->adc_fullname.name; + + res = localupdate(netname, "/etc/publickey", YPOP_DELETE, + args->key.yp_buf_len, args->key.yp_buf_val, + 0, NULL); + + if (res) + return (&res); + + res = ypmap_update(netname, args->mapname, YPOP_DELETE, + args->key.yp_buf_len, args->key.yp_buf_val, + 0, NULL); + + return (&res); +} + +unsigned int * +ypu_store_1_svc(struct ypupdate_args *args, struct svc_req *svcreq) +{ + struct authdes_cred *des_cred; + static int res; + char *netname; + enum auth_stat astat; + + res = 0; + + astat = yp_checkauth(svcreq); + + if (astat != AUTH_OK) { + svcerr_auth(svcreq->rq_xprt, astat); + return(&res); + } + + des_cred = (struct authdes_cred *) svcreq->rq_clntcred; + netname = des_cred->adc_fullname.name; + + res = localupdate(netname, "/etc/publickey", YPOP_STORE, + args->key.yp_buf_len, args->key.yp_buf_val, + args->datum.yp_buf_len, args->datum.yp_buf_val); + + if (res) + return (&res); + + res = ypmap_update(netname, args->mapname, YPOP_STORE, + args->key.yp_buf_len, args->key.yp_buf_val, + args->datum.yp_buf_len, args->datum.yp_buf_val); + + return (&res); +} diff --git a/usr.sbin/services_mkdb/services b/usr.sbin/services_mkdb/services index 4a5b6863d92d..c5f950831767 100644 --- a/usr.sbin/services_mkdb/services +++ b/usr.sbin/services_mkdb/services @@ -893,7 +893,7 @@ biff 512/udp comsat #used by mail system to notify users # processes on the same machine login 513/tcp #remote login a la telnet; # automatic authentication performed -# based on priviledged port numbers +# based on privileged port numbers # and distributed data bases which # identify "authentication domains" who 513/udp whod #maintains data bases showing who's diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c index fe7427130b78..81bbbbe66be8 100644 --- a/usr.sbin/syslogd/syslogd.c +++ b/usr.sbin/syslogd/syslogd.c @@ -1830,15 +1830,14 @@ fprintlog_write(struct filed *f, struct iovlist *il, int flags) case EHOSTUNREACH: case EHOSTDOWN: case EADDRNOTAVAIL: + case EAGAIN: + case ECONNREFUSED: break; /* case EBADF: */ /* case EACCES: */ /* case ENOTSOCK: */ /* case EFAULT: */ /* case EMSGSIZE: */ - /* case EAGAIN: */ - /* case ENOBUFS: */ - /* case ECONNREFUSED: */ default: dprintf("removing entry: errno=%d\n", e); f->f_type = F_UNUSED; diff --git a/usr.sbin/unbound/setup/local-unbound-setup.sh b/usr.sbin/unbound/setup/local-unbound-setup.sh index d52534b46fa3..d57d74952fc7 100755 --- a/usr.sbin/unbound/setup/local-unbound-setup.sh +++ b/usr.sbin/unbound/setup/local-unbound-setup.sh @@ -259,7 +259,7 @@ gen_unbound_conf() { echo " pidfile: ${pidfile}" echo " auto-trust-anchor-file: ${anchor}" if [ "${use_tls}" = "yes" ] ; then - echo " tls-system-cert: yes" + echo " tls-cert-bundle: /etc/ssl/cert.pem" fi echo "" if [ -f "${forward_conf}" ] ; then diff --git a/usr.sbin/watch/watch.8 b/usr.sbin/watch/watch.8 index 7acd79df8710..3cc72267f207 100644 --- a/usr.sbin/watch/watch.8 +++ b/usr.sbin/watch/watch.8 @@ -28,7 +28,7 @@ The utility writes to standard output. .Pp The options are as follows: -.Bl -tag -width indent +.Bl -tag -width "-f snpdev" .It Fl c Reconnect on close. If the tty observed by |