openbsd
9 years agoCall tzset() before dropping the priviledge to use correct timezone.
yasuoka [Mon, 19 Oct 2015 07:18:31 +0000 (07:18 +0000)]
Call tzset() before dropping the priviledge to use correct timezone.

9 years agoCan't assert "module->fd >= 0" in radiusd_stop() since the module may
yasuoka [Mon, 19 Oct 2015 06:56:58 +0000 (06:56 +0000)]
Can't assert "module->fd >= 0" in radiusd_stop() since the module may
be closed already when error.

9 years agoMove bge rxeof and txeof outside the kernel lock.
jmatthew [Mon, 19 Oct 2015 05:31:25 +0000 (05:31 +0000)]
Move bge rxeof and txeof outside the kernel lock.
To make rxeof safe, use a separate ring refill timeout for each ring.
We activate the refill timeout for a ring when it's too empty to receive
packets, which ensures we won't attempt to refill it from interrupt context.

To make txeof safe, remove the list of dma maps and just allocate maps based on
the ring slots occupied by the packet, and use atomic operations to adjust
bge_txcnt.  Rework some parts of the txeof and start loops so that we only
adjust bge_txcnt after exiting the loop, and only take actions such as setting
or clearing OACTIVE based on the final value.

tested on 5703, 5714, 5721 by me, 5753 by semarie@, 5761 by naddy@, and
also in snapshots for a while
ok mpi@, dlg@

9 years agoApply style(9) to header includes.
mmcc [Mon, 19 Oct 2015 02:15:45 +0000 (02:15 +0000)]
Apply style(9) to header includes.

ok nicm@

9 years agoNeed <string.h> for memset()
guenther [Sun, 18 Oct 2015 23:27:43 +0000 (23:27 +0000)]
Need <string.h> for memset()

9 years agopledge bgplg(8).
benno [Sun, 18 Oct 2015 22:37:30 +0000 (22:37 +0000)]
pledge bgplg(8).
ok deraadt

9 years agoFinish first round of rework of the rc script.
rpe [Sun, 18 Oct 2015 21:33:18 +0000 (21:33 +0000)]
Finish first round of rework of the rc script.

OK krw@ halex@

9 years agoPass current directory as a string rather than a file descriptor because
nicm [Sun, 18 Oct 2015 20:42:42 +0000 (20:42 +0000)]
Pass current directory as a string rather than a file descriptor because
pledge doesn't let us pass directory file descriptors.

9 years agoThe change of 5.7's sys/arch/i386/i386/bus_space.c and
uaa [Sun, 18 Oct 2015 20:24:10 +0000 (20:24 +0000)]
The change of 5.7's sys/arch/i386/i386/bus_space.c and
sys/arch/i386/include/bus.h invokes the kernel crash at boot
when ignored (disabled) channel is detected.

In all ATA controllers, ignored (disabled) channel is still set cp->hwok = 1.
And pciide_mapregs_native() is not called, wdc_cp->cmd_iot is 0.

5.6 and before, cmd_iot = 0 is treated as I386_BUS_SPACE_IO,
so there is no problem to call bus_space_read_1() in wdcintr().

5.7 and after, cmd_iot is used as function pointer.
We have to initialize it with pciide_mapregs_native() or something,
otherwise set cp->hwok = 0 to prevent calling wdcintr().

When ignored (disabled) channel is found, default_chip_map() should set
cp->hwok = 0. So all controllers do same thing.

ok by deraadt@

9 years agoInstead of fragile CMSG parsing, control pledge "sendfd" and "recvfd"
deraadt [Sun, 18 Oct 2015 20:15:10 +0000 (20:15 +0000)]
Instead of fragile CMSG parsing, control pledge "sendfd" and "recvfd"
in unp_internalize and unp_externalize.
ok kettenis guenther

9 years agoPull in <float.h> instead of declaring __flt_rounds() locally
guenther [Sun, 18 Oct 2015 19:30:39 +0000 (19:30 +0000)]
Pull in <float.h> instead of declaring __flt_rounds() locally

ok miod@ jsg@

9 years agofix lmtp delivery regressions introduced in previous:
jung [Sun, 18 Oct 2015 18:59:51 +0000 (18:59 +0000)]
fix lmtp delivery regressions introduced in previous:

- strip \r\n and add them explicitly to all DATA lines
- fix DATA termination
- add missing QUIT command (and check for reply)
- remove free() and fclose() and use exit(3) instead of _exit(2)
  to handle cleanup

ok sunil gilles

9 years agoMove more EXTERN-defined globals from sh.h.
mmcc [Sun, 18 Oct 2015 18:05:35 +0000 (18:05 +0000)]
Move more EXTERN-defined globals from sh.h.

ok nicm@

9 years agoBackport another Broadwell fix from Linux 3.15
kettenis [Sun, 18 Oct 2015 18:00:45 +0000 (18:00 +0000)]
Backport another Broadwell fix from Linux 3.15

Ben Widawsky
drm/i915: Provide PDP updates via MMIO
e178f7057b81c87a7ceaae0ca204487b6f7eedcf

Doesn't make resume work, but at least it prevents the machine from hanging
and/or resetting.

9 years agoUse "getpw" rather than "flock", per deraadt@'s suggestion.
miod [Sun, 18 Oct 2015 17:53:51 +0000 (17:53 +0000)]
Use "getpw" rather than "flock", per deraadt@'s suggestion.

9 years agoAvoid integer overflow with very large files.
tobias [Sun, 18 Oct 2015 17:32:22 +0000 (17:32 +0000)]
Avoid integer overflow with very large files.

ok millert

9 years agoFix comments.
rpe [Sun, 18 Oct 2015 17:24:25 +0000 (17:24 +0000)]
Fix comments.

OK krw@

9 years agopledge+=flock, for /var/run/ypbind.lock. ok semarie@
miod [Sun, 18 Oct 2015 17:20:49 +0000 (17:20 +0000)]
pledge+=flock, for /var/run/ypbind.lock. ok semarie@

9 years agoDo not warn for sort -o if we can't chown the output temporary file
millert [Sun, 18 Oct 2015 17:02:03 +0000 (17:02 +0000)]
Do not warn for sort -o if we can't chown the output temporary file
to match the owner of the output file.

9 years agoAdd "id" pledge to syslogd privsep process. Needed for logging to pipe.
bluhm [Sun, 18 Oct 2015 16:35:06 +0000 (16:35 +0000)]
Add "id" pledge to syslogd privsep process.  Needed for logging to pipe.
OK deraadt@

9 years agoMake use of pledge(2); initial diff from deraadt@
jca [Sun, 18 Oct 2015 16:11:19 +0000 (16:11 +0000)]
Make use of pledge(2); initial diff from deraadt@

As Theo says, there's probably room for stricter pledge requests, but
this would involve refactoring.

9 years agoactually, it uses getaddrinfo
deraadt [Sun, 18 Oct 2015 15:28:03 +0000 (15:28 +0000)]
actually, it uses getaddrinfo

9 years agolibc DNS functions will now use the new dnssocket() / dnsconnect()
deraadt [Sun, 18 Oct 2015 15:15:00 +0000 (15:15 +0000)]
libc DNS functions will now use the new dnssocket() / dnsconnect()
system calls.  These signal to the pledge kernel code that a DNS
transaction is happening.  These special sockets only work well with
port 53 (there are some cute plans...).
Programs calling pledge "inet" will not work! You need pledge "dns",

and of course, you need a fairly fresh kernel.

ok guenther kettenis tedu

9 years agoTweak previous: call fatal(), not err(3), for consistency. err.h goes away.
jca [Sun, 18 Oct 2015 14:35:36 +0000 (14:35 +0000)]
Tweak previous: call fatal(), not err(3), for consistency. err.h goes away.

9 years agoregress pledge: test kill()
semarie [Sun, 18 Oct 2015 13:01:40 +0000 (13:01 +0000)]
regress pledge: test kill()

since "inet" has PLEDGE_SELF, and now calling kill() to self is permitted with PLEDGE_SELF, try this with "fattr"

9 years agoregress pledge: remove cmsg
semarie [Sun, 18 Oct 2015 12:54:25 +0000 (12:54 +0000)]
regress pledge: remove cmsg

it has no sens to keep it.

9 years agoregress pledge: cpath test
semarie [Sun, 18 Oct 2015 12:53:32 +0000 (12:53 +0000)]
regress pledge: cpath test

you need to read the directory before creating something in. add rpath

9 years agoregress pledge: cmsg is deprecated
semarie [Sun, 18 Oct 2015 12:26:21 +0000 (12:26 +0000)]
regress pledge: cmsg is deprecated

9 years agoregress pledge: tweak a bit the manner to grab hte syscall number
semarie [Sun, 18 Oct 2015 12:25:33 +0000 (12:25 +0000)]
regress pledge: tweak a bit the manner to grab hte syscall number

permit debug string be present on the line

9 years agoNeed native-pledge for id.
doug [Sun, 18 Oct 2015 11:27:17 +0000 (11:27 +0000)]
Need native-pledge for id.

9 years agold.so no longer needs or uses a bind lock, so stop setting it. This
guenther [Sun, 18 Oct 2015 08:02:58 +0000 (08:02 +0000)]
ld.so no longer needs or uses a bind lock, so stop setting it.  This
eliminates a chunk of complexity from the libpthread init and the fork
wrapper, as it was the bind lock that needed prebinding before use.

9 years agoTadpole/Sun Voyager IIi reported to work via dmesg@
jsg [Sun, 18 Oct 2015 07:09:44 +0000 (07:09 +0000)]
Tadpole/Sun Voyager IIi reported to work via dmesg@

9 years agomove SS_DNS socket check from kern_plegde.c to sys_generic.c
semarie [Sun, 18 Oct 2015 05:26:55 +0000 (05:26 +0000)]
move SS_DNS socket check from kern_plegde.c to sys_generic.c

this check has nothing to do with pledge(2). make it lives in sys_ioctl() call.

while here, move the (fp == NULL) check early and remove duplicate check from
pledge_ioctl_check().

ok guenther@ deraadt@

9 years agoUse offsetof() instead of adding the sizes of the preceeding struct members
guenther [Sun, 18 Oct 2015 05:03:22 +0000 (05:03 +0000)]
Use offsetof() instead of adding the sizes of the preceeding struct members

ok millert@

9 years agoMake sure sm_rotate_bak() is only run once.
ajacoutot [Sun, 18 Oct 2015 04:45:21 +0000 (04:45 +0000)]
Make sure sm_rotate_bak() is only run once.

9 years agogetting sloppy, lost a }
deraadt [Sun, 18 Oct 2015 04:21:39 +0000 (04:21 +0000)]
getting sloppy, lost a }

9 years agosorry, sdiff -o interactive mode does another spawn
deraadt [Sun, 18 Oct 2015 04:18:41 +0000 (04:18 +0000)]
sorry, sdiff -o interactive mode does another spawn

9 years agoAdd "dns" to the pledges. Previously these worked because of "inet",
deraadt [Sun, 18 Oct 2015 03:54:22 +0000 (03:54 +0000)]
Add "dns" to the pledges.  Previously these worked because of "inet",
alas "dns" is now a mandatory statement if you want to do dns!

9 years agoForcibly delete /var/run/ypbind.lock to prepare for the worst cases.
deraadt [Sun, 18 Oct 2015 03:51:11 +0000 (03:51 +0000)]
Forcibly delete /var/run/ypbind.lock to prepare for the worst cases.
ok aja

9 years agounrelated commit; not ready yet
deraadt [Sun, 18 Oct 2015 03:41:14 +0000 (03:41 +0000)]
unrelated commit; not ready yet

9 years agoFirst casualty of making pledge "dns" mandatory for dns users.
deraadt [Sun, 18 Oct 2015 03:39:37 +0000 (03:39 +0000)]
First casualty of making pledge "dns" mandatory for dns users.
"dns" was missing, and this was relying on "inet" support..

9 years agoMove your drink further away... When a program pledged "getpw" fails to
deraadt [Sun, 18 Oct 2015 03:30:01 +0000 (03:30 +0000)]
Move your drink further away...  When a program pledged "getpw" fails to
get a response from a YP server, it will open "/dev/tty" and spit out:
    'YP server for domain %s not responding, still trying'
For now allow open of /dev/tty for "getpw".  I hope to re-architect the
libc:YP communication protocol (strategy similar to syslog->sendsyslog,
isatty->fcntl, dnssocket/dnsconnect) and then we can reevaluate this.

9 years agoafter kmem is open and setup, pledge "stdio rpath wpath cpath"
deraadt [Sun, 18 Oct 2015 03:17:48 +0000 (03:17 +0000)]
after kmem is open and setup, pledge "stdio rpath wpath cpath"
seems to be working.  commiting to get feedback from people who crash.

9 years agoCollapse some strange programmer style with too much abstraction.
deraadt [Sun, 18 Oct 2015 03:13:07 +0000 (03:13 +0000)]
Collapse some strange programmer style with too much abstraction.

9 years agoWith TIOCSTI supported in pledge "tty proc", csh is good enough to run
deraadt [Sun, 18 Oct 2015 03:09:11 +0000 (03:09 +0000)]
With TIOCSTI supported in pledge "tty proc", csh is good enough to run
with pledge "stdio rpath wpath cpath fattr getpw proc exec tty".  (Note
that ksh "emacs mode" is also a abus^Wconsumer of TIOCSTI, but we had
let that slide for a week since noone uses it...)

9 years agoA whole buncha unsigned char casts for ctype function arguments.
mmcc [Sun, 18 Oct 2015 03:04:11 +0000 (03:04 +0000)]
A whole buncha unsigned char casts for ctype function arguments.

ok guenther@

9 years agoUse explicit_bzero() when the memory is freed directly afterward.
mmcc [Sun, 18 Oct 2015 02:39:04 +0000 (02:39 +0000)]
Use explicit_bzero() when the memory is freed directly afterward.

ok deraadt@

9 years agoUse explicit_bzero() when the memory is freed directly afterward.
mmcc [Sun, 18 Oct 2015 02:30:53 +0000 (02:30 +0000)]
Use explicit_bzero() when the memory is freed directly afterward.

ok deraadt@

9 years agoTIOCSTI and TIOCSCTTY; oops got the condition backwards.
deraadt [Sun, 18 Oct 2015 01:53:31 +0000 (01:53 +0000)]
TIOCSTI and TIOCSCTTY; oops got the condition backwards.

9 years agobetter placement for dnssocket/dnsconnect
deraadt [Sun, 18 Oct 2015 01:45:48 +0000 (01:45 +0000)]
better placement for dnssocket/dnsconnect

9 years agoDescribe dnssocket / dnsconnect arguments
deraadt [Sun, 18 Oct 2015 01:32:05 +0000 (01:32 +0000)]
Describe dnssocket / dnsconnect arguments

9 years agoAllow read/write access to /dev/tty when using "tty" pledge.
doug [Sun, 18 Oct 2015 01:07:19 +0000 (01:07 +0000)]
Allow read/write access to /dev/tty when using "tty" pledge.

Without this change, you need "rpath" and "wpath" to open /dev/tty.  Some
applications explicitly open /dev/tty, but deraadt@ found the most
common use is indirectly via readpassphrase().

tweak and ok deraadt@
pre-tweak ok millert@, semarie@

9 years agocreate libc stubs for dnssocket() and dnsconnect()
deraadt [Sun, 18 Oct 2015 00:36:20 +0000 (00:36 +0000)]
create libc stubs for dnssocket() and dnsconnect()

9 years agosync
deraadt [Sun, 18 Oct 2015 00:05:59 +0000 (00:05 +0000)]
sync

9 years agoAdd two new system calls: dnssocket() and dnsconnect(). This creates a
deraadt [Sun, 18 Oct 2015 00:04:43 +0000 (00:04 +0000)]
Add two new system calls: dnssocket() and dnsconnect().  This creates a
SS_DNS tagged socket which has limited functionality (for example, you
cannot accept on them...)  The libc resolver will switch to using these,
therefore pledge can identify a DNS transaction better.
ok tedu guenther kettenis beck and others

9 years agonaddy asks me if __tfork should be allowed by "proc". yes!
deraadt [Sat, 17 Oct 2015 23:50:04 +0000 (23:50 +0000)]
naddy asks me if __tfork should be allowed by "proc".  yes!
We may need a better semantic later ("thread"?), but this allows
progress, and people can report their experiences.

9 years agoconnect() to an AF_UNIX socket is really read/write, so tell pledge this
deraadt [Sat, 17 Oct 2015 23:15:10 +0000 (23:15 +0000)]
connect() to an AF_UNIX socket is really read/write, so tell pledge this
is a RPATH|WPATH operation.
Discussed with doug and millert

9 years agoAllow the nasty ioctl TIOCSTI in "tty", but also require the "proc"
deraadt [Sat, 17 Oct 2015 23:12:46 +0000 (23:12 +0000)]
Allow the nasty ioctl TIOCSTI in "tty", but also require the "proc"
permission.  For now, we'll tighten it down further later.

9 years agobetter wording in a comment
deraadt [Sat, 17 Oct 2015 23:04:06 +0000 (23:04 +0000)]
better wording in a comment

9 years agoUnify TIOCGPGRP/TIOCGWINSZ/TIOCGWINSZ behaviour regarding ENOTTY return.
deraadt [Sat, 17 Oct 2015 23:01:37 +0000 (23:01 +0000)]
Unify TIOCGPGRP/TIOCGWINSZ/TIOCGWINSZ behaviour regarding ENOTTY return.
(both "tty" and "ioctl" allow these; they should behave the same)

9 years agoAllow TIOCSCTTY on tty devices, if the pledge says "tty id"
deraadt [Sat, 17 Oct 2015 22:58:30 +0000 (22:58 +0000)]
Allow TIOCSCTTY on tty devices, if the pledge says "tty id"
worked out with nicm

9 years agowhitespace
deraadt [Sat, 17 Oct 2015 22:54:23 +0000 (22:54 +0000)]
whitespace

9 years agoRename SYSEXIT() to SYSCALL_END() for consistency with most other archs.
guenther [Sat, 17 Oct 2015 22:40:54 +0000 (22:40 +0000)]
Rename SYSEXIT() to SYSCALL_END() for consistency with most other archs.
No change in resulting object files

ok millert@

9 years agomailaddr_match() allows comparing two struct mailaddr taking into account
gilles [Sat, 17 Oct 2015 22:24:36 +0000 (22:24 +0000)]
mailaddr_match() allows comparing two struct mailaddr taking into account
catchall and +-tags

ok millert@ and jung@ for util.c

9 years agoMove the last of the __DBINTERFACE_PRIVATE bits from <db.h> to libc's wrapper
guenther [Sat, 17 Oct 2015 21:48:42 +0000 (21:48 +0000)]
Move the last of the __DBINTERFACE_PRIVATE bits from <db.h> to libc's wrapper
and eliminate the now superfluous -D option

ok kettenis@ millert@

9 years agoFix the code that sets up the MCH BAR on systems where the (buggy) BIOS
kettenis [Sat, 17 Oct 2015 21:41:12 +0000 (21:41 +0000)]
Fix the code that sets up the MCH BAR on systems where the (buggy) BIOS
doesn't do this for us.  The code was poking registers on the wrong PCI
device.  We were just lucky that it worked on most systems.

This should fix machines such as the Asus EeePC 701 and get rid of the

error: [drm:pid0:i915_gem_detect_bit_6_swizzle] *ERROR* Couldn't read from
MC HBAR.  Disabling tiling.

messages on that machine.

9 years agoTighten pledge: We only write to stdio and never to any files if
naddy [Sat, 17 Oct 2015 21:34:07 +0000 (21:34 +0000)]
Tighten pledge: We only write to stdio and never to any files if
in cat mode (-c, zcat), or in test mode (-t), or if there are no
file arguments and there is no -o outfile.  Due to fts(3) we require
rpath even for compress <in >out.

"seems sound" deraadt@

9 years agoSpell all "unexpected mode %u" panics in lower case, not just one of them.
stsp [Sat, 17 Oct 2015 21:30:29 +0000 (21:30 +0000)]
Spell all "unexpected mode %u" panics in lower case, not just one of them.

9 years agoremove some unneccessary macros; from michael reed
jmc [Sat, 17 Oct 2015 21:11:42 +0000 (21:11 +0000)]
remove some unneccessary macros; from michael reed

9 years agoadd missing underscore; from theo buehler
jmc [Sat, 17 Oct 2015 21:06:23 +0000 (21:06 +0000)]
add missing underscore; from theo buehler

9 years agoFix build with IFMEDIA_DEBUG defined; ok sthen@
stsp [Sat, 17 Oct 2015 20:41:41 +0000 (20:41 +0000)]
Fix build with IFMEDIA_DEBUG defined; ok sthen@

9 years agoPROTO_NORMAL for pledge(); ok guenther
deraadt [Sat, 17 Oct 2015 20:22:08 +0000 (20:22 +0000)]
PROTO_NORMAL for pledge(); ok guenther

9 years agologin_token needs pledge "flock" now.
bluhm [Sat, 17 Oct 2015 19:50:47 +0000 (19:50 +0000)]
login_token needs pledge "flock" now.
OK millert@

9 years agomakemap shout strip initial and trailing whitespaces using strip()
gilles [Sat, 17 Oct 2015 19:44:07 +0000 (19:44 +0000)]
makemap shout strip initial and trailing whitespaces using strip()

ok millert@, ok jung@

9 years agodocument handling of comments in makemap
gilles [Sat, 17 Oct 2015 19:42:12 +0000 (19:42 +0000)]
document handling of comments in makemap

ok millert@, ok sunil@, ok jung@

9 years agoDrop two useless defines.
mmcc [Sat, 17 Oct 2015 18:43:22 +0000 (18:43 +0000)]
Drop two useless defines.

ok nicm@

9 years agoAdd pledge "stdio unix sendfd proc exec tty" to tmux client process,
nicm [Sat, 17 Oct 2015 18:30:43 +0000 (18:30 +0000)]
Add pledge "stdio unix sendfd proc exec tty" to tmux client process,
"sendfd" is dropped after first message from the server.

9 years agoMove a system header include from the global header (sh.h) into the
mmcc [Sat, 17 Oct 2015 18:26:24 +0000 (18:26 +0000)]
Move a system header include from the global header (sh.h) into the
files that need it. No binary change.

"This looks fine" -nicm@

9 years agoboth of these are deprecated
gilles [Sat, 17 Oct 2015 18:00:32 +0000 (18:00 +0000)]
both of these are deprecated

9 years agoConvert some fgetln to getline.
sunil [Sat, 17 Oct 2015 16:20:46 +0000 (16:20 +0000)]
Convert some fgetln to getline.

tested and ok gilles@

9 years agoCleanup and simplify LMTP code.
sunil [Sat, 17 Oct 2015 16:07:03 +0000 (16:07 +0000)]
Cleanup and simplify LMTP code.

Ok millert@ gilles@

9 years agoLMTP delivery requires "inet unix".
sunil [Sat, 17 Oct 2015 16:03:20 +0000 (16:03 +0000)]
LMTP delivery requires "inet unix".

Ok millert@ gilles@

9 years agomake usage() less horrible
florian [Sat, 17 Oct 2015 15:43:31 +0000 (15:43 +0000)]
make usage() less horrible

9 years agoExit if a pledge call fails in non-interactive mode.
doug [Sat, 17 Oct 2015 15:00:11 +0000 (15:00 +0000)]
Exit if a pledge call fails in non-interactive mode.

ok semarie@

9 years agoPledge; OK millert@ tobias@
tim [Sat, 17 Oct 2015 14:33:01 +0000 (14:33 +0000)]
Pledge; OK millert@ tobias@

9 years agothis file is deprecated
gilles [Sat, 17 Oct 2015 13:35:45 +0000 (13:35 +0000)]
this file is deprecated

9 years agoChange allocarray() to areallocarray(), a full reallocarray clone. All
mmcc [Sat, 17 Oct 2015 13:32:46 +0000 (13:32 +0000)]
Change allocarray() to areallocarray(), a full reallocarray clone. All
the logic is already in aresize().

"Sure" nicm@

9 years agoremove unused variables
gilles [Sat, 17 Oct 2015 13:30:47 +0000 (13:30 +0000)]
remove unused variables

9 years agoCopy alloc()'s overflow check to aresize().
mmcc [Sat, 17 Oct 2015 13:27:55 +0000 (13:27 +0000)]
Copy alloc()'s overflow check to aresize().

Suggested by nicm@.

9 years agoNUMBOOT is dead! Nuke the variables and abstractions that were used
krw [Sat, 17 Oct 2015 13:27:08 +0000 (13:27 +0000)]
NUMBOOT is dead! Nuke the variables and abstractions that were used
to build boot blocks.

ok miod@

9 years agoImplement -w maxwait now that the -w flag is free in ping6. Same
florian [Sat, 17 Oct 2015 13:08:14 +0000 (13:08 +0000)]
Implement -w maxwait now that the -w flag is free in ping6. Same
behaviour as ping(8).

9 years agoDo no accept fds on the control socket; including the restricted socket.
reyk [Sat, 17 Oct 2015 13:07:07 +0000 (13:07 +0000)]
Do no accept fds on the control socket; including the restricted socket.

OK gilles@ eric@

9 years agomove -V option before -v and remove one spurious newline, now in sync
florian [Sat, 17 Oct 2015 13:07:02 +0000 (13:07 +0000)]
move -V option before -v and remove one spurious newline, now in sync
with ping.
No object change.

9 years agoKNF
gilles [Sat, 17 Oct 2015 13:06:03 +0000 (13:06 +0000)]
KNF

9 years agoour strip() function should use isspace()
gilles [Sat, 17 Oct 2015 12:59:52 +0000 (12:59 +0000)]
our strip() function should use isspace()

ok jung@, ok millert@

9 years agoRemove left over -N and -w. Adapt wording for the link local example.
florian [Sat, 17 Oct 2015 12:38:29 +0000 (12:38 +0000)]
Remove left over -N and -w. Adapt wording for the link local example.
Pointed out by, input & OK jmc

9 years agoTighten up snmpd's control socket: do not allow users to terminate the
reyk [Sat, 17 Oct 2015 10:20:33 +0000 (10:20 +0000)]
Tighten up snmpd's control socket: do not allow users to terminate the
daemon by sending corrupted imsgs to snmpd.  This is especially
important for the optional world-writeable restricted socket that is
used for AgentX.  In particular, don't fatal() in the daemon when imsg
size checks on control messages fail, do stricter validation of
expected messages (even assert zero-length imsgs), don't continue and
close the control socket on suspicious input, print a debug log
message on error.

OK gilles@ "the rationale behind it is quite clear"

9 years agoCleanup a bit.
rpe [Sat, 17 Oct 2015 08:47:24 +0000 (08:47 +0000)]
Cleanup a bit.

OK krw@ halex@

9 years agoadd "tty" for several subcommands of openssl
semarie [Sat, 17 Oct 2015 07:51:10 +0000 (07:51 +0000)]
add "tty" for several subcommands of openssl

it is needed in order to let libssl UI_* function plays with echo on/off when
asking for password on terminal.

passwd subcommand needs additionnal "wpath cpath" in order to let it calls
fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).

problem reported by several
with and ok doug@

9 years agoThe file(1) magic-parsing process was using pledge "stdio getpw proc recvfd"
deraadt [Sat, 17 Oct 2015 04:41:37 +0000 (04:41 +0000)]
The file(1) magic-parsing process was using pledge "stdio getpw proc recvfd"
early on, then a set of getpwnam/setresuid/... before quickly dropping to
"stdio recvfd".  It receives fd's and runs the magic code on them in a
chroot'd "stdio" jail.  We can do better than that.

Before the recent change, "proc" contained both the concepts of "forking"
and "setuid".  "id" is now split out as a seperate request, and it is
exactly what this process needs momentarily.  So this loses another window
of opportunity, in case we have a major bug in .... hmm, it'd have to be
in getpwnam....

ok tedu doug semarie gilles