@zeszyt
Created December 5, 2011 00:35
OpenBSD etc 4.5 -> 4.6
diff -ur etc45/.profile etc46/.profile
--- etc45/.profile Sat Feb 28 22:29:27 2009
+++ etc46/.profile Fri Jul 10 05:01:04 2009
@@ -1,4 +1,4 @@
-# $OpenBSD: dot.profile,v 1.5 2005/03/30 21:18:33 millert Exp $
+# $OpenBSD: dot.profile,v 1.8 2009/05/06 22:02:05 millert Exp $
#
# sh/ksh initialization
@@ -9,5 +9,9 @@
umask 022
if [ -x /usr/bin/tset ]; then
- eval `/usr/bin/tset -sQ \?$TERM`
+ if [ X"$XTERM_VERSION" = X"" ]; then
+ eval `/usr/bin/tset -sQ '-munknown:?vt220' $TERM`
+ else
+ eval `/usr/bin/tset -IsQ '-munknown:?vt220' $TERM`
+ fi
fi
diff -ur etc45/etc/changelist etc46/etc/changelist
--- etc45/etc/changelist Sat Feb 28 22:29:26 2009
+++ etc46/etc/changelist Fri Jul 10 05:01:02 2009
@@ -1,4 +1,4 @@
-# $OpenBSD: changelist,v 1.59 2008/10/02 07:27:57 sthen Exp $
+# $OpenBSD: changelist,v 1.60 2009/03/16 23:18:45 jacekm Exp $
#
# List of files which the security script backs up and checks
# for modifications.
@@ -62,10 +62,13 @@
/etc/mail/localhost.cf
/etc/mail/mailertable
/etc/mail/relay-domains
++/etc/mail/secrets
/etc/mail/sendmail.cf
+/etc/mail/smtpd.conf
/etc/mail/spamd.conf
/etc/mail/submit.cf
/etc/mail/trusted-users
+/etc/mail/virtual
/etc/mail/virtusertable
/etc/mailer.conf
/etc/man.conf
diff -ur etc45/etc/daily etc46/etc/daily
--- etc45/etc/daily Sat Feb 28 22:29:26 2009
+++ etc46/etc/daily Fri Jul 10 05:01:02 2009
@@ -1,32 +1,50 @@
-#!/bin/sh -
#
-# $OpenBSD: daily,v 1.56 2006/10/26 12:20:55 ajacoutot Exp $
+# $OpenBSD: daily,v 1.66 2009/05/26 22:59:15 schwarze Exp $
# From: @(#)daily 8.2 (Berkeley) 1/25/94
#
+# For local additions, create the file /etc/daily.local.
+# To get section headers, use the function next_part in daily.local.
+#
umask 022
-PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
-bak=/var/backups
+PARTOUT=/var/log/daily.part
+MAINOUT=/var/log/daily.out
+install -o 0 -g 0 -m 600 /dev/null $PARTOUT
+install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT
-sysctl -n kern.version
-uptime
+start_part() {
+ TITLE=$1
+ exec > $PARTOUT 2>&1
+}
-if [ -f /etc/daily.local ]; then
+end_part() {
+ exec >> $MAINOUT 2>&1
+ test -s $PARTOUT || return
echo ""
- echo "Running daily.local:"
- . /etc/daily.local
-fi
+ echo "$TITLE"
+ cat $PARTOUT
+}
-TMP=`mktemp /tmp/_daily.XXXXXXXXXX` || exit 1
-OUT=`mktemp /tmp/_security.XXXXXXXXXX` || {
- rm -f ${TMP}
- exit 1
+next_part() {
+ end_part
+ start_part "$1"
}
-trap 'rm -f $TMP $OUT; exit 1' 0 1 15
+run_script() {
+ f=/etc/$1
+ test -e $f || return
+ if [ `stat -f '%Sp%u' $f | cut -b1,6,9,11-` != '---0' ]; then
+ echo "$f has insecure permissions, skipping:"
+ ls -l $f
+ return
+ fi
+ . $f
+}
-echo ""
-echo "Removing scratch and junk files:"
+start_part "Running daily.local:"
+run_script "daily.local"
+
+next_part "Removing scratch and junk files:"
if [ -d /tmp -a ! -L /tmp ]; then
cd /tmp && {
find -x . \
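Review bot: The permission check in run_script fails open, because the command substitution inside the `[ ... != '---0' ]` test is unquoted. If stat ever prints nothing, test sees a malformed expression and returns an error status, the `if` takes its false path, and `. $f` is still reached as root. Quoting the substitution makes an empty result compare unequal and be skipped, e.g. `if [ "X$(stat -f '%Sp%u' "$f" | cut -b1,6,9,11-)" != 'X---0' ]; then`. The same function is repeated in the etc/monthly hunk and needs the same change. A comment above the test such as `# require a regular file owned by uid 0, not writable by group or other` would also spare readers from decoding the cut byte list.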
@@ -58,33 +76,12 @@
find . ! -name . -mtime +7 -execdir rm -f -- {} \; ; }
fi
-#find / \( ! -fstype local -o -fstype rdonly \
-# -o -fstype procfs \) -a -prune -o \
-# -name 'lost+found' -a -prune -o \
-# -name '*.core' -a -print -o \
-# \( -name '[#,]*' -o -name '.#*' -o -name a.out \
-# -o -name '*.CKP' -o -name '.emacs_[0-9]*' \) \
-# -a -atime +3 -a -execdir rm -f -- {} \; -a -print > $TMP
-
-if egrep -q '\.core$' $TMP; then
- echo ""
- echo "Possible core dumps:"
- egrep '\.core$' $TMP
-fi
-
-if egrep -qv '\.core$' $TMP; then
- echo ""
- echo "Deleted files:"
- egrep -v '\.core$' $TMP
-fi
-
if [ -d /var/msgs -a ! -L /var/msgs ]; then
msgs -c
fi
+next_part "Purging accounting records:"
if [ -f /var/account/acct ]; then
- echo ""
- echo "Purging accounting records:"
mv -f /var/account/acct.2 /var/account/acct.3
mv -f /var/account/acct.1 /var/account/acct.2
mv -f /var/account/acct.0 /var/account/acct.1
@@ -95,84 +92,109 @@
# If ROOTBACKUP is set to 1 in the environment, and
# if filesystem named /altroot is type ffs, on /dev/* and mounted "xx",
# use it as a backup root filesystem to be updated daily.
-[ "X$ROOTBACKUP" = X1 ] && {
- rootdev=`df -n / | awk '/^\/dev\// { print substr($1, 6) }'`
+next_part "Backing up root filesystem:"
+while [ "X$ROOTBACKUP" = X1 ]; do
rootbak=`awk '$2 == "/altroot" && $1 ~ /^\/dev\// && $3 == "ffs" && \
$4 ~ /xx/ \
{ print substr($1, 6) }' < /etc/fstab`
- [ X$rootdev != X -a X$rootbak != X -a X$rootdev != X$rootbak ] && {
- sync
- echo ""
- echo "Backing up root filesystem:"
- echo "copying /dev/r$rootdev to /dev/r$rootbak"
- dd if=/dev/r$rootdev of=/dev/r$rootbak bs=16b seek=1 skip=1 \
- conv=noerror
- fsck -y /dev/r$rootbak
- }
-}
+ if [ -z "$rootbak" ]; then
+ echo "No xx ffs /altroot device found in the fstab(5)."
+ break
+ fi
+ bakdisk=${rootbak%[a-p]}
+ sysctl -n hw.disknames | grep -Fqw $bakdisk || break
+ bakpart=${rootbak#$bakdisk}
+ baksize=`disklabel $bakdisk 2>/dev/null | \
+ awk -v "part=$bakpart:" '$1 == part { print $2 }'`
+ rootdev=`mount | awk '$3 == "/" && $1 ~ /^\/dev\// && $5 == "ffs" \
+ { print substr($1, 6) }'`
+ if [ -z "$rootdev" ]; then
+ echo "The root filesystem is not local or not ffs."
+ break
+ fi
+ if [ X$rootdev = X$rootbak ]; then
+ echo "The device $rootdev holds both root and /altroot."
+ break
+ fi
+ rootdisk=${rootdev%[a-p]}
+ rootpart=${rootdev#$rootdisk}
+ rootsize=`disklabel $rootdisk 2>/dev/null | \
+ awk -v "part=$rootpart:" '$1 == part { print $2 }'`
+ if [ $rootsize -gt $baksize ]; then
+ echo "Root ($rootsize) is larger than /altroot ($baksize)."
+ break
+ fi
+ next_part "Backing up root=/dev/r$rootdev to /dev/r$rootbak:"
+ sync
+ dd if=/dev/r$rootdev of=/dev/r$rootbak bs=16b seek=1 skip=1 \
+ conv=noerror
+ fsck -y /dev/r$rootbak
+ break
+done
-# Rotation of mail log now handled automatically by cron and 'newsyslog'
-
-echo ""
-echo "Checking subsystem status:"
-echo ""
-echo "disks:"
-df -kl
-echo ""
-dump W
-echo ""
-
-mailq > $TMP
-if ! grep -q "^/var/spool/mqueue is empty$" $TMP; then
+next_part "Checking subsystem status:"
+if [ "X$VERBOSESTATUS" != X0 ]; then
echo ""
- echo "mail:"
- cat $TMP
+ echo "disks:"
+ df -kl
+ echo ""
+ dump W
fi
-echo ""
-echo "network:"
-netstat -ivn
-echo ""
+# The first two regular expressions handle sendmail, the third postfix.
+# When the queue is empty, smtpd(8) and exim -bp keep silent.
+next_part "mail:"
+mailq | grep -v -e "^/var/spool/mqueue is empty$" \
+ -e "^[[:blank:]]*Total requests: 0$" \
+ -e "^Mail queue is empty$"
-t=/var/rwho/*
-if [ "$t" != '/var/rwho/*' ]; then
- echo ""
- ruptime
-fi
+next_part "network:"
+if [ "X$VERBOSESTATUS" != X0 ]; then
+ netstat -ivn
-echo ""
-if [ -d /var/yp/binding -a ! -d /var/yp/`domainname` -o "X$CALENDAR" = X0 ]
-then
- if [ "X$CALENDAR" = X0 ]; then
- echo "Not running calendar, (disabled)."
- else
- echo "Not running calendar, (yp client)."
+ t=/var/rwho/*
+ if [ "$t" != '/var/rwho/*' ]; then
+ echo ""
+ ruptime
fi
-else
- echo "Running calendar in the background."
+fi
+
+next_part "Running calendar in the background:"
+if [ "X$CALENDAR" != X0 -a \
+ \( -d /var/yp/`domainname` -o ! -d /var/yp/binding \) ]; then
calendar -a &
fi
# If CHECKFILESYSTEMS is set to 1 in the environment, run fsck
# with the no-write flag.
+next_part "Checking filesystems:"
[ "X$CHECKFILESYSTEMS" = X1 ] && {
- echo ""
- echo "Checking filesystems:"
fsck -n | grep -v '^\*\* Phase'
}
+next_part "Running rdist:"
if [ -f /etc/Distfile ]; then
- echo ""
- echo "Running rdist:"
if [ -d /var/log/rdist ]; then
- logf=`date +%Y.%b.%e`
- rdist -f /etc/Distfile 2>&1 | tee /var/log/rdist/$logf
+ rdist -f /etc/Distfile 2>&1 | tee /var/log/rdist/`date +%F`
else
rdist -f /etc/Distfile
fi
fi
-sh /etc/security 2>&1 > $OUT
-if [ -s $OUT ]; then
- mail -s "`hostname` daily insecurity output" root < $OUT
-fi
+end_part
+[ -s $MAINOUT ] && {
+ sysctl -n kern.version
+ uptime
+ cat $MAINOUT
+} 2>&1 | mail -s "`hostname` daily output" root
+
+
+MAINOUT=/var/log/security.out
+install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT
+
+start_part "Running /etc/security:"
+run_script "security"
+end_part
+rm -f $PARTOUT
+
+[ -s $MAINOUT ] && mail -s "`hostname` daily insecurity output" root < $MAINOUT
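Review bot: The size guard before the `dd` in the root-backup loop is skipped when only one of `$rootsize` and `$baksize` is empty. `[ $rootsize -gt $baksize ]` then becomes a malformed test that returns an error status, and the script carries on to overwrite `/dev/r$rootbak`. Both values come from `disklabel ... 2>/dev/null | awk`, so a failing disklabel or a partition letter missing from the label yields an empty string without any message. Putting `[ -n "$rootsize" -a -n "$baksize" ] || break` ahead of the comparison closes that gap, ideally with an echo so the skipped backup shows up in the mailed report.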
diff -ur etc45/etc/ftpusers etc46/etc/ftpusers
--- etc45/etc/ftpusers Sat Feb 28 22:29:26 2009
+++ etc46/etc/ftpusers Fri Jul 10 05:01:02 2009
@@ -1,4 +1,4 @@
-# $OpenBSD: ftpusers,v 1.36 2008/11/25 23:35:06 fkr Exp $
+# $OpenBSD: ftpusers,v 1.38 2009/05/20 21:10:06 thib Exp $
#
# list of users disallowed any ftp access.
# read by ftpd(8).
@@ -46,3 +46,5 @@
_rtadvd
_ypldap
_btd
+_smtpd
+_rwalld
diff -ur etc45/etc/group etc46/etc/group
--- etc45/etc/group Sat Feb 28 22:29:26 2009
+++ etc46/etc/group Fri Jul 10 05:01:02 2009
@@ -59,6 +59,8 @@
_rtadvd:*:92:
_ypldap:*:93:
_btd:*:94:
+_smtpd:*:95:
+_rwalld:*:96:
dialer:*:117:
nogroup:*:32766:
nobody:*:32767:
diff -ur etc45/etc/hosts etc46/etc/hosts
--- etc45/etc/hosts Sat Feb 28 22:29:26 2009
+++ etc46/etc/hosts Fri Jul 10 05:01:02 2009
@@ -1,4 +1,4 @@
-# $OpenBSD: hosts,v 1.11 2002/09/26 23:35:51 krw Exp $
+# $OpenBSD: hosts,v 1.12 2009/03/10 00:42:13 deraadt Exp $
#
# Host Database
#
@@ -7,7 +7,5 @@
# 172.16.0.0 172.31.255.255
# 192.168.0.0 192.168.255.255
#
-::1 localhost.my.domain localhost
-127.0.0.1 localhost.my.domain localhost
-::1 noname.my.domain noname
-127.0.0.1 noname.my.domain noname
+127.0.0.1 localhost
+::1 localhost
diff -ur etc45/etc/login.conf etc46/etc/login.conf
--- etc45/etc/login.conf Sat Feb 28 22:29:27 2009
+++ etc46/etc/login.conf Fri Jul 10 05:01:04 2009
@@ -42,8 +42,8 @@
:umask=022:\
:datasize-max=512M:\
:datasize-cur=512M:\
- :maxproc-max=128:\
- :maxproc-cur=64:\
+ :maxproc-max=256:\
+ :maxproc-cur=128:\
:openfiles-cur=128:\
:stacksize-cur=4M:\
:localcipher=blowfish,6:\
@@ -71,7 +71,7 @@
staff:\
:datasize-cur=512M:\
:datasize-max=infinity:\
- :maxproc-max=256:\
+ :maxproc-max=512:\
:maxproc-cur=128:\
:ignorenologin:\
:requirehome@:\
diff -ur etc45/etc/lynx.cfg etc46/etc/lynx.cfg
--- etc45/etc/lynx.cfg Sat Feb 28 22:29:38 2009
+++ etc46/etc/lynx.cfg Fri Jul 10 05:01:18 2009
@@ -3,10 +3,10 @@
# or Lynx_Dir:lynx.cfg (VMS)
#
# $Format: "#PRCS LYNX_VERSION \"$ProjectVersion$\""$
-#PRCS LYNX_VERSION "2.8.5rel.4"
+#PRCS LYNX_VERSION "2.8.6rel.5"
#
# $Format: "#PRCS LYNX_DATE \"$ProjectDate$\""$
-#PRCS LYNX_DATE "Tue, 25 Oct 2005 17:40:26 -0700"
+#PRCS LYNX_DATE "Wed, 09 May 2007 17:29:16 -0700"
#
# Definition pairs are of the form VARIABLE:DEFINITION
# NO spaces are allowed between the pair items.
@@ -22,7 +22,7 @@
# An HTML'ized description of all settings (based on comments in this file,
# with alphabetical table of settings and with table of settings by category)
-# is available at http://www.hippo.ru/~hvv/lynxcfg_toc.html
+# is available at http://lynx.isc.org/release/lynx2-8-5/lynx_help/cattoc.html
#
### The conversion is done via the scripts/cfg2html.pl script.
### Several directives beginning with '.' are used for this purpose.
@@ -126,7 +126,8 @@
# An index to your CWIS can be placed here or a document containing
# pointers to lots of interesting places on the web.
#
-DEFAULT_INDEX_FILE:http://www.ncsa.uiuc.edu/SDG/Software/Mosaic/MetaIndex.html
+#DEFAULT_INDEX_FILE:http://www.ncsa.uiuc.edu/SDG/Software/Mosaic/MetaIndex.html
+DEFAULT_INDEX_FILE:http://lynx.isc.org/
.h1 Interaction
@@ -363,9 +364,10 @@
# Eastern European (windows-1250) windows-1250
# Latin 3 (ISO-8859-3) iso-8859-3
# Latin 4 (ISO-8859-4) iso-8859-4
-# Baltic Rim (ISO-8859-13) iso-8859-13
+# Baltic Rim (ISO-8859-13) iso-8859-13
# Baltic Rim (cp775) cp775
# Baltic Rim (windows-1257) windows-1257
+# Celtic (ISO-8859-14) iso-8859-14
# Cyrillic (ISO-8859-5) iso-8859-5
# Cyrillic (cp866) cp866
# Cyrillic (windows-1251) windows-1251
@@ -381,7 +383,7 @@
# Hebrew (cp862) cp862
# Hebrew (windows-1255) windows-1255
# Turkish (ISO-8859-9) iso-8859-9
-# ISO-8859-10 iso-8859-10
+# North European (ISO-8859-10) iso-8859-10
# Ukrainian Cyrillic (cp866u) cp866u
# Ukrainian Cyrillic (KOI8-U) koi8-u
# UNICODE (UTF-8) utf-8
@@ -1339,6 +1341,19 @@
#COOKIE_STRICT_INVALID_DOMAINS:
#COOKIE_QUERY_INVALID_DOMAINS:
+.h2 MAX_COOKIES_DOMAIN
+.h2 MAX_COOKIES_GLOBAL
+.h2 MAX_COOKIES_BUFFER
+# MAX_COOKIES_DOMAIN,
+# MAX_COOKIES_GLOBAL and
+# MAX_COOKIES_BUFFER are limits on the total number of cookies for each domain,
+# globally, and the per-cookie buffer size. These limits are by default large
+# enough for reasonable usage; if they are very high, some sites may present
+# undue performance waste.
+#
+#max_cookies_domain:50
+#max_cookies_global:500
+#max_cookies_buffer:4096
.h2 PERSISTENT_COOKIES
# PERSISTENT_COOKIES indicates that cookies should be read at startup from
@@ -2310,7 +2325,38 @@
# Sought in user's home (Unix) or sys$login (VMS) directory.
#PERSONAL_MAILCAP:.mailcap
+.h2 PREFERRED_MEDIA_TYPES
+# When doing a GET, lynx lists the MIME types which it knows how to present
+# (the "Accept:" string). Depending on your system configuration, the
+# mime.types or other data given by the GLOBAL_EXTENSION_MAP may include many
+# entries that lynx really does not handle. Use this option to select one
+# of the built-in subsets of the MIME types that lynx could list in the
+# Accept.
+#
+# Values for this option are keywords:
+# INTERNAL lynx's built-in types for internal conversions
+# CONFIGFILE adds lynx.cfg
+# USER adds PERSONAL_EXTENSION_MAP settings
+# SYSTEM adds GLOBAL_EXTENSION_MAP settings
+# ALL adds lynx's built-in types for external conversions
+#
+#PREFERRED_MEDIA_TYPES:internal
+.h2 PREFERRED_ENCODING
+# When doing a GET, lynx tells what types of compressed data it can decompress
+# (the "Accept-Encoding:" string). This is determined by compiled-in support
+# for decompression or external decompression programs.
+#
+# Values for this option are keywords:
+# NONE Do not request compressed data
+# GZIP For gzip
+# COMPRESS For compress
+# BZIP2 For bzip2
+# ALL All of the above.
+#PREFERRED_ENCODING:all
+
+
+
.h1 Keyboard Input
.h2 KEYBOARD_LAYOUT
@@ -2900,15 +2946,37 @@
#COLOR:7:magenta:cyan
+.h2 COLOR_STYLE
+# Also known as "lss" (lynx style-sheet), the color-style file assigns color
+# combination to tags and combinations of tags. Normally a non-empty value
+# is compiled into lynx, and the user can override that using the -lss
+# command-line option. The configure script allows one to compile in an
+# empty string. If lynx finds no value for this setting, it simulates the
+# non-color-style assignments using the COLOR settings.
+#
+# If neither the command-line "-lss" or this COLOR_STYLE setting are given,
+# lynx tries the environment variables "LYNX_LSS" and "lynx_lss". If neither
+# is set, lynx uses the compiled-in value (which as noted, may be empty).
+#
+#COLOR_STYLE: lynx.lss
+
+.h2 NESTED_TABLES
+# This is an experimental feature for improving table layout.
+# It is enabled by default when the COLOR_STYLE configuration is used,
+# and false otherwise.
+#
+#NESTED_TABLES: true
+
+
.h2 ASSUMED_COLOR
# If built with a library that recognizes default colors (usually ncurses or
-# slang), lynx initializes it to assume the corresponding foreground and
-# background colors. Default colors are those that the terminal (emulator)
-# itself is initialized to. For instance, you might have an xterm running with
-# black text on a white background, and want lynx to display colored text on
-# the white background, but leave the possibility of using the same
-# configuration to draw colored text on a different xterm, this time using its
-# background set to black.
+# slang), and if the corresponding option is compiled into lynx, lynx
+# initializes it to assume the corresponding foreground and background colors.
+# Default colors are those that the terminal (emulator) itself is initialized
+# to. For instance, you might have an xterm running with black text on a white
+# background, and want lynx to display colored text on the white background,
+# but leave the possibility of using the same configuration to draw colored
+# text on a different xterm, this time using its background set to black.
#
# If built with conventional SVr3/SVr4 curses, tells lynx to use color pair 0
# when the given colors match this setting. That gives a similar effect,
@@ -2922,7 +2990,21 @@
# The first value given is the foreground, the second is the background.
#ASSUMED_COLOR:default:default
+.h2 DEFAULT_COLORS
+# If built with a library that recognizes default colors (usually ncurses or
+# slang), and if the corresponding option is compiled into lynx, lynx
+# initializes it to assume the corresponding foreground and background colors.
+# Default colors are those that the terminal (emulator) itself is initialized
+# to.
+#
+# Use this feature to disable the default-colors feature at runtime.
+# This is useful for constructing scripts which use the non-color-style
+# scheme, e.g., the oldlynx script.
+#
+# This should precede ASSUMED_COLOR settings.
+#DEFAULT_COLORS:true
+
.h1 External Programs
.h2 EXTERNAL
@@ -3161,7 +3243,7 @@
#
# This option is only available if Lynx was compiled with EXP_JUSTIFY_ELTS.
#
-#JUSTIFY:TRUE
+#JUSTIFY:FALSE
.h2 JUSTIFY_MAX_VOID_PERCENT
# JUSTIFY_MAX_VOID_PERCENT - Appearance
@@ -3262,7 +3344,9 @@
#ENABLE_LYNXRC:multi_bookmark:ON
#ENABLE_LYNXRC:personal_mail_address:ON
#ENABLE_LYNXRC:preferred_charset:ON
+#ENABLE_LYNXRC:preferred_encoding:OFF
#ENABLE_LYNXRC:preferred_language:ON
+#ENABLE_LYNXRC:preferred_media_types:OFF
#ENABLE_LYNXRC:raw_mode:OFF
#ENABLE_LYNXRC:run_all_execution_links:ON
#ENABLE_LYNXRC:run_execution_links_on_local_files:ON
@@ -3293,12 +3377,14 @@
#COMPRESS_PATH:
#COPY_PATH:
#GZIP_PATH:
+#INFLATE_PATH:
#INSTALL_PATH:
#MKDIR_PATH:
#MV_PATH:
#RLOGIN_PATH:
#RMDIR_PATH:
#RM_PATH:
+#SETFONT_PATH:
#TAR_PATH:
#TELNET_PATH:
#TN3270_PATH:
@@ -3328,6 +3414,29 @@
#FORCE_COOKIE_PROMPT:PROMPT
.h1 Appearance
+
+.h2 SCREEN_SIZE
# For win32, allow the console window to be resized to the given values. This
# requires PDCurses 2.5. The values given are width,height.
#SCREEN_SIZE:80,24
+
+.h2 NO_MARGINS
+# Disable left/right margins in the default style sheet.
+# This is the same as the command-line "-nomargins" option.
+#NO_MARGINS:FALSE
+
+.h2 NO_TITLE
+# Disable title and blank line from top of page.
+# This is the same as the command-line "-notitle" option.
+#NO_TITLE:FALSE
+
+.h1 External Programs
+
+.h2 SYSLOG_REQUESTED_URLS
+# Log the requested URLs using the syslog interface.
+#SYSLOG_REQUESTED_URLS:TRUE
+
+.h2 SYSLOG_TEXT
+# Add the given text to calls made to syslog, to distinguish Lynx from other
+# applications which use that interface.
+#SYSLOG_TEXT:
diff -ur etc45/etc/mail/Makefile etc46/etc/mail/Makefile
--- etc45/etc/mail/Makefile Sat Feb 28 22:29:38 2009
+++ etc46/etc/mail/Makefile Fri Jul 10 05:01:19 2009
@@ -1,10 +1,13 @@
-# $OpenBSD: Makefile,v 1.5 2007/02/27 02:22:01 beck Exp $
+# $OpenBSD: Makefile,v 1.7 2009/04/02 10:21:08 jacekm Exp $
#
# Generate the various .db versions from their source files.
# The sendmail .mc files are not built here. They live in
# /usr/share/sendmail/cf and have their own Makefile.
#
+SENDMAIL= /usr/libexec/sendmail/sendmail
+MAKEMAP= /usr/libexec/sendmail/makemap
+
.for DB in access aliases genericstable mailertable virtusertable userdb
. if exists(${DB})
DB_FILES+= ${DB}.db
@@ -23,20 +26,20 @@
${DESTDIR}/etc/mail/README
${INSTALL} -c -o root -g wheel -m 644 access \
${DESTDIR}/etc/mail/access
- makemap hash ${DESTDIR}/etc/mail/access < access
+ ${MAKEMAP} hash ${DESTDIR}/etc/mail/access < access
${INSTALL} -c -o root -g wheel -m 644 aliases \
${DESTDIR}/etc/mail/aliases
- /usr/libexec/sendmail/sendmail -C${DESTDIR}/etc/mail/sendmail.cf \
+ ${SENDMAIL} -C${DESTDIR}/etc/mail/sendmail.cf \
-bi -O AliasFile=${DESTDIR}/etc/mail/aliases \
-O DontBlameSendmail=mapinunsafedirpath
${INSTALL} -c -o root -g wheel -m 644 local-host-names \
${DESTDIR}/etc/mail/local-host-names
${INSTALL} -c -o root -g wheel -m 644 genericstable \
${DESTDIR}/etc/mail/genericstable
- makemap hash ${DESTDIR}/etc/mail/genericstable < genericstable
+ ${MAKEMAP} hash ${DESTDIR}/etc/mail/genericstable < genericstable
${INSTALL} -c -o root -g wheel -m 644 mailertable \
${DESTDIR}/etc/mail/mailertable
- makemap hash ${DESTDIR}/etc/mail/mailertable < mailertable
+ ${MAKEMAP} hash ${DESTDIR}/etc/mail/mailertable < mailertable
${INSTALL} -c -o root -g wheel -m 644 relay-domains \
${DESTDIR}/etc/mail/relay-domains
${INSTALL} -c -o root -g wheel -m 644 trusted-users \
@@ -45,29 +48,31 @@
${DESTDIR}/etc/mail/virtusertable
${INSTALL} -c -o root -g wheel -m 644 spamd.conf \
${DESTDIR}/etc/mail/spamd.conf
- makemap hash ${DESTDIR}/etc/mail/virtusertable < virtusertable
+ ${INSTALL} -c -o root -g wheel -m 644 smtpd.conf \
+ ${DESTDIR}/etc/mail/smtpd.conf
+ ${MAKEMAP} hash ${DESTDIR}/etc/mail/virtusertable < virtusertable
@for db in access.db aliases.db genericstable.db mailertable.db \
virtusertable.db; do \
chmod 644 ${DESTDIR}/etc/mail/$$db; \
done
access.db: access
- makemap hash ${.ALLSRC} < ${.ALLSRC}
+ ${MAKEMAP} hash ${.ALLSRC} < ${.ALLSRC}
aliases.db: aliases
- sendmail -bi
+ ${SENDMAIL} -bi
genericstable.db: genericstable
- makemap hash ${.ALLSRC} < ${.ALLSRC}
+ ${MAKEMAP} hash ${.ALLSRC} < ${.ALLSRC}
mailertable.db: mailertable
- makemap hash ${.ALLSRC} < ${.ALLSRC}
+ ${MAKEMAP} hash ${.ALLSRC} < ${.ALLSRC}
virtusertable.db: virtusertable
- makemap hash ${.ALLSRC} < ${.ALLSRC}
+ ${MAKEMAP} hash ${.ALLSRC} < ${.ALLSRC}
userdb.db: userdb
- makemap btree ${.ALLSRC} < ${.ALLSRC}
+ ${MAKEMAP} btree ${.ALLSRC} < ${.ALLSRC}
.PHONY: distribution
.include <bsd.own.mk>
diff -ur etc45/etc/mail/aliases etc46/etc/mail/aliases
--- etc45/etc/mail/aliases Sat Feb 28 22:29:38 2009
+++ etc46/etc/mail/aliases Fri Jul 10 05:01:20 2009
@@ -1,5 +1,5 @@
#
-# $OpenBSD: aliases,v 1.28 2008/11/26 12:55:14 fkr Exp $
+# $OpenBSD: aliases,v 1.30 2009/05/20 21:10:06 thib Exp $
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /usr/libexec/mail.local.
@@ -46,6 +46,8 @@
_rstatd: /dev/null
_rtadvd: /dev/null
_rusersd: /dev/null
+_rwalld: /dev/null
+_smtpd: /dev/null
_snmpd: /dev/null
_spamd: /dev/null
_syslogd: /dev/null
Binary files etc45/etc/mail/aliases.db and etc46/etc/mail/aliases.db differ
diff -ur etc45/etc/mail/localhost.cf etc46/etc/mail/localhost.cf
--- etc45/etc/mail/localhost.cf Sat Feb 28 22:29:32 2009
+++ etc46/etc/mail/localhost.cf Fri Jul 10 05:01:11 2009
@@ -16,7 +16,7 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
-##### built by root@i386.openbsd.org on Sat Feb 28 14:23:50 MST 2009
+##### built by root@i386.openbsd.org on Wed Jul 8 15:44:48 MDT 2009
##### in /usr/src/gnu/usr.sbin/sendmail/cf/cf
##### using /usr/src/gnu/usr.sbin/sendmail/cf/cf/../ as configuration include directory
#####
diff -ur etc45/etc/mail/sendmail.cf etc46/etc/mail/sendmail.cf
--- etc45/etc/mail/sendmail.cf Sat Feb 28 22:29:32 2009
+++ etc46/etc/mail/sendmail.cf Fri Jul 10 05:01:11 2009
@@ -16,7 +16,7 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
-##### built by root@i386.openbsd.org on Sat Feb 28 14:23:50 MST 2009
+##### built by root@i386.openbsd.org on Wed Jul 8 15:44:48 MDT 2009
##### in /usr/src/gnu/usr.sbin/sendmail/cf/cf
##### using /usr/src/gnu/usr.sbin/sendmail/cf/cf/../ as configuration include directory
#####
Only in etc46/etc/mail: smtpd.conf
diff -ur etc45/etc/mail/submit.cf etc46/etc/mail/submit.cf
--- etc45/etc/mail/submit.cf Sat Feb 28 22:29:32 2009
+++ etc46/etc/mail/submit.cf Fri Jul 10 05:01:11 2009
@@ -16,7 +16,7 @@
#####
##### SENDMAIL CONFIGURATION FILE
#####
-##### built by root@i386.openbsd.org on Sat Feb 28 14:23:50 MST 2009
+##### built by root@i386.openbsd.org on Wed Jul 8 15:44:47 MDT 2009
##### in /usr/src/gnu/usr.sbin/sendmail/cf/cf
##### using /usr/src/gnu/usr.sbin/sendmail/cf/cf/../ as configuration include directory
#####
diff -ur etc45/etc/mailer.conf etc46/etc/mailer.conf
--- etc45/etc/mailer.conf Sat Feb 28 22:29:26 2009
+++ etc46/etc/mailer.conf Fri Jul 10 05:01:03 2009
@@ -1,10 +1,11 @@
-# $OpenBSD: mailer.conf,v 1.3 2000/04/06 18:24:19 millert Exp $
+# $OpenBSD: mailer.conf,v 1.4 2009/03/16 14:26:22 jacekm Exp $
#
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
#
sendmail /usr/libexec/sendmail/sendmail
send-mail /usr/libexec/sendmail/sendmail
mailq /usr/libexec/sendmail/sendmail
+makemap /usr/libexec/sendmail/makemap
newaliases /usr/libexec/sendmail/sendmail
hoststat /usr/libexec/sendmail/sendmail
purgestat /usr/libexec/sendmail/sendmail
diff -ur etc45/etc/master.passwd etc46/etc/master.passwd
--- etc45/etc/master.passwd Sat Feb 28 22:29:27 2009
+++ etc46/etc/master.passwd Fri Jul 10 05:01:04 2009
@@ -41,4 +41,6 @@
_rtadvd:*:92:92::0:0:IPv6 Router Advertisement Daemon:/var/empty:/sbin/nologin
_ypldap:*:93:93::0:0:YP to LDAP Daemon:/var/empty:/sbin/nologin
_btd:*:94:94::0:0:Bluetooth Daemon:/var/empty:/sbin/nologin
+_smtpd:*:95:95::0:0:SMTP Daemon:/var/empty:/sbin/nologin
+_rwalld:*:96:96::0:0:rpc.rwalld:/var/empty:/sbin/nologin
nobody:*:32767:32767::0:0:Unprivileged user for NFS:/nonexistent:/sbin/nologin
diff -ur etc45/etc/monthly etc46/etc/monthly
--- etc45/etc/monthly Sat Feb 28 22:29:26 2009
+++ etc46/etc/monthly Fri Jul 10 05:01:02 2009
@@ -1,11 +1,49 @@
-#!/bin/sh -
-# $OpenBSD: monthly,v 1.7 2006/10/26 12:20:55 ajacoutot Exp $
+#
+# $OpenBSD: monthly,v 1.12 2009/05/25 21:31:24 schwarze Exp $
+#
+# For local additions, create the file /etc/monthly.local.
+# To get section headers, use the function next_part in monthly.local.
+#
umask 022
-if [ -f /etc/monthly.local ];then
+PARTOUT=/var/log/monthly.part
+MAINOUT=/var/log/monthly.out
+install -o 0 -g 0 -m 600 /dev/null $PARTOUT
+install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT
+
+start_part() {
+ TITLE=$1
+ exec > $PARTOUT 2>&1
+}
+
+end_part() {
+ exec >> $MAINOUT 2>&1
+ test -s $PARTOUT || return
echo ""
- echo "Running monthly.local:"
- . /etc/monthly.local
-else
- echo "Nothing to do!"
-fi
+ echo "$TITLE"
+ cat $PARTOUT
+}
+
+next_part() {
+ end_part
+ start_part "$1"
+}
+
+run_script() {
+ f=/etc/$1
+ test -e $f || return
+ if [ `stat -f '%Sp%u' $f | cut -b1,6,9,11-` != '---0' ]; then
+ echo "$f has insecure permissions, skipping:"
+ ls -l $f
+ return
+ fi
+ . $f
+}
+
+start_part "Running monthly.local:"
+run_script "monthly.local"
+
+end_part
+rm -f $PARTOUT
+
+[ -s $MAINOUT ] && mail -s "`hostname` monthly output" root < $MAINOUT
diff -ur etc45/etc/mtree/4.4BSD.dist etc46/etc/mtree/4.4BSD.dist
--- etc45/etc/mtree/4.4BSD.dist Sat Feb 28 22:29:27 2009
+++ etc46/etc/mtree/4.4BSD.dist Fri Jul 10 05:01:05 2009
@@ -1,4 +1,4 @@
-# $OpenBSD: 4.4BSD.dist,v 1.195 2008/12/23 18:33:36 reyk Exp $
+# $OpenBSD: 4.4BSD.dist,v 1.198 2009/06/30 15:23:51 robert Exp $
/set type=dir uname=root gname=wheel mode=0755
# .
@@ -366,6 +366,11 @@
# ./libexec/sendmail
..
+# ./libexec/smtpd
+smtpd type=dir uname=root gname=wheel mode=0755
+# ./libexec/smtpd
+..
+
# ./usr/libexec
..
@@ -2580,6 +2585,11 @@
# ./var/db/pkg
..
+# ./var/db/sysmerge
+sysmerge
+# ./var/db/sysmerge
+..
+
# ./var/db
..
@@ -2736,6 +2746,11 @@
# ./var/spool/output
..
+# ./var/spool/smtpd
+smtpd type=dir uname=root gname=wheel mode=0711
+# ./var/spool/smtpd
+..
+
# ./var/spool/sockets
#sockets mode=777
# ./var/spool/sockets
@@ -2768,6 +2783,12 @@
# ./www
www type=dir uname=root gname=daemon mode=755
+
+# ./www/dev
+dev type=dir uname=root gname=daemon mode=755
+
+# ./www
+..
# ./www/icons
icons type=dir uname=root gname=daemon mode=755
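Review bot: The comment before the `..` that closes the new `dev` entry reads `# ./www`, but elsewhere in this file's added entries (for example `# ./libexec/smtpd` before its `..`) that comment names the directory being left. Here it should be `# ./www/dev`; as written, the following `icons` entry reads as if it sat outside `./www`.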
diff -ur etc45/etc/mtree/special etc46/etc/mtree/special
--- etc45/etc/mtree/special Sat Feb 28 22:29:27 2009
+++ etc46/etc/mtree/special Fri Jul 10 05:01:05 2009
@@ -1,4 +1,4 @@
-# $OpenBSD: special,v 1.80 2009/01/25 17:30:48 miod Exp $
+# $OpenBSD: special,v 1.84 2009/05/09 16:29:54 schwarze Exp $
# $NetBSD: special,v 1.4 1996/05/08 21:30:18 pk Exp $
# @(#)special 8.2 (Berkeley) 1/23/94
#
@@ -52,7 +52,10 @@
mail type=dir mode=0755 uname=root gname=wheel
aliases type=file mode=0644 uname=root gname=wheel optional
aliases.db type=file mode=0644 uname=root gname=wheel optional
+secrets type=file mode=0640 uname=root gname=_smtpd optional
+secrets.db type=file mode=0640 uname=root gname=_smtpd optional
sendmail.cf type=file mode=0644 uname=root gname=wheel optional
+smtpd.conf type=file mode=0644 uname=root gname=wheel
spamd.conf type=file mode=0644 uname=root gname=wheel optional
submit.cf type=file mode=0644 uname=root gname=wheel optional
.. #mail
diff -ur etc45/etc/ntpd.conf etc46/etc/ntpd.conf
--- etc45/etc/ntpd.conf Sat Feb 28 22:29:26 2009
+++ etc46/etc/ntpd.conf Fri Jul 10 05:01:03 2009
@@ -1,4 +1,4 @@
-# $OpenBSD: ntpd.conf,v 1.9 2008/10/10 11:46:22 sthen Exp $
+# $OpenBSD: ntpd.conf,v 1.11 2009/05/18 16:13:48 stevesk Exp $
# sample ntpd configuration file, see ntpd.conf(5)
# Addresses to listen on (ntpd does not listen by default)
@@ -7,12 +7,12 @@
# sync to a single server
#server ntp.example.org
-# use a random selection of 8 public stratum 2 servers
+# use a random selection of NTP Pool Time Servers
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
servers pool.ntp.org
# use a specific local timedelta sensor (radio clock, etc)
#sensor nmea0
-# use any detected timedelta sensor
+# use all detected timedelta sensors
#sensor *
diff -ur etc45/etc/passwd etc46/etc/passwd
--- etc45/etc/passwd Sat Feb 28 22:29:27 2009
+++ etc46/etc/passwd Fri Jul 10 05:01:04 2009
@@ -41,4 +41,6 @@
_rtadvd:*:92:92:IPv6 Router Advertisement Daemon:/var/empty:/sbin/nologin
_ypldap:*:93:93:YP to LDAP Daemon:/var/empty:/sbin/nologin
_btd:*:94:94:Bluetooth Daemon:/var/empty:/sbin/nologin
+_smtpd:*:95:95:SMTP Daemon:/var/empty:/sbin/nologin
+_rwalld:*:96:96:rpc.rwalld:/var/empty:/sbin/nologin
nobody:*:32767:32767:Unprivileged user for NFS:/nonexistent:/sbin/nologin
diff -ur etc45/etc/pf.conf etc46/etc/pf.conf
--- etc45/etc/pf.conf Sat Feb 28 22:29:27 2009
+++ etc46/etc/pf.conf Fri Jul 10 05:01:04 2009
@@ -1,13 +1,11 @@
-# $OpenBSD: pf.conf,v 1.38 2009/02/23 01:18:36 deraadt Exp $
+# $OpenBSD: pf.conf,v 1.44 2009/06/10 15:29:34 sobrado Exp $
#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
-set require-order no
set skip on lo
-scrub in
# NAT/filter rules and anchors for ftp-proxy(8)
#nat-anchor "ftp-proxy/*"
@@ -27,9 +25,9 @@
#no rdr on egress proto tcp from <spamd-white> to any port smtp
#rdr pass on egress proto tcp from any to any port smtp -> 127.0.0.1 port spamd
-pass in # to establish keep-state
+pass # to establish keep-state
#block in quick from urpf-failed to any # use with care
# By default, do not permit remote connections to X11
-block in on ! lo0 proto tcp from any to any port 6000
+block in on ! lo0 proto tcp to port 6000:6010
Binary files etc45/etc/pwd.db and etc46/etc/pwd.db differ
diff -ur etc45/etc/rc etc46/etc/rc
--- etc45/etc/rc Sat Feb 28 22:29:26 2009
+++ etc46/etc/rc Fri Jul 10 05:01:02 2009
@@ -1,4 +1,4 @@
-# $OpenBSD: rc,v 1.321 2008/12/11 15:44:00 naddy Exp $
+# $OpenBSD: rc,v 1.328 2009/06/30 15:30:24 deraadt Exp $
# System startup script run by init on autoboot
# or after single-user.
@@ -106,7 +106,7 @@
> /dev/null 2>&1
dd if=/var/db/host.random of=/dev/arandom bs=1024 count=64 \
> /dev/null 2>&1
-
+
# reset seed file, so that if a shutdown-less reboot occurs,
# the next seed is not a repeat
dd if=/dev/urandom of=/var/db/host.random bs=1024 count=64 \
@@ -122,7 +122,7 @@
local _sysctl="net.inet.${_service}.baddynamic"
local _name _port _srv _junk _ban
local _i=0
- grep "/${_service}" /etc/services | {
+ grep "/${_service}" /etc/services | {
IFS=" /"
while read _name _port _srv _junk; do
[ "x${_srv}" = "x${_service}" ] || continue;
@@ -137,7 +137,7 @@
_ban=""
_i=0
fi
- done;
+ done;
if [ "x${_ban}" != "x" ]; then
sysctl ${_sysctl}=${_ban} >/dev/null
fi
@@ -268,11 +268,11 @@
RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol"
RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv"
fi
- RULES="$RULES\npass proto carp"
+ RULES="$RULES\npass proto carp keep state (no-sync)"
case `sysctl vfs.mounts.nfs 2>/dev/null` in
*[1-9]*)
# don't kill NFS
- RULES="scrub in all no-df\n$RULES"
+ RULES="set reassemble yes no-df\n$RULES"
RULES="$RULES\npass in proto { tcp, udp } from any port { 111, 2049 } to any"
RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 }"
;;
@@ -331,6 +331,10 @@
echo 'starting system logger'
rm -f /dev/log
+if [ X"${httpd_flags}" != X"-u" ]; then
+ rm -f /var/www/dev/log
+ syslogd_flags="${syslogd_flags} -a /var/www/dev/log"
+fi
if [ X"${named_flags}" != X"NO" ]; then
rm -f /var/named/dev/log
syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
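Review bot: The new guard compares `httpd_flags` only against the exact string `-u`, so it is true for the default `httpd_flags=NO` from rc.conf and also for a combined value such as `-u -DSSL`. In both cases syslogd is still given `-a /var/www/dev/log`, which differs from the named block below that is skipped when its flags are `NO`. If the socket is only wanted when httpd is enabled and chrooted, test both conditions, e.g. `if [ X"${httpd_flags}" != X"NO" -a X"${httpd_flags}" != X"-u" ]; then`, and consider matching `-u` anywhere in the flags with a `case` pattern. If creating it unconditionally is deliberate (for httpd started by hand), a comment saying so would prevent a later "fix". The named block continues outside this hunk.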
@@ -467,10 +471,10 @@
savecore ${savecore_flags} /var/crash
fi
-if [ X"${afs}" = X"YES" -a -c /dev/xfs0 ]; then
+if [ X"${afs}" = X"YES" -a -c /dev/nnpfs0 ]; then
echo -n 'mounting afs:'
mkdir -p -m 0755 /afs
- mount -t xfs /dev/xfs0 /afs
+ mount -t nnpfs /dev/nnpfs0 /afs
/usr/libexec/afsd ${afsd_flags}
echo ' done.'
fi
@@ -698,6 +702,10 @@
echo -n ' sendmail'; ( /usr/sbin/sendmail ${sendmail_flags} >/dev/null 2>&1 & )
fi
+if [ X"${smtpd_flags}" != X"NO" ]; then
+ echo -n ' smtpd'; smtpd $smtpd_flags
+fi
+
if [ X"${httpd_flags}" != X"NO" ]; then
# Clean up left-over httpd locks
rm -f /var/www/logs/{ssl_mutex,httpd.lock,accept.lock}.*
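Review bot: The added start line runs `smtpd` by bare name, while the neighbouring daemons in this file are started by absolute path (`/usr/sbin/sendmail` just above, `/usr/X11R6/bin/xdm` further down). rc runs as root at boot, so it is better not to depend on PATH resolution here: `echo -n ' smtpd'; /usr/sbin/smtpd ${smtpd_flags}`. Using `${smtpd_flags}` with braces also matches the style of the other start lines. The httpd block that follows continues outside the hunk.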
@@ -805,7 +813,7 @@
fi
# Alternatively, on some architectures, xdm may be started in /etc/ttys.
-if [ X"${xdm_flags}" != X"NO" ]; then
+if [ X"${xdm_flags}" != X"NO" -a -x /usr/X11R6/bin/xdm ]; then
echo 'starting xdm...'; /usr/X11R6/bin/xdm ${xdm_flags}
fi
diff -ur etc45/etc/rc.conf etc46/etc/rc.conf
--- etc45/etc/rc.conf Sat Feb 28 22:29:26 2009
+++ etc46/etc/rc.conf Fri Jul 10 05:01:02 2009
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $OpenBSD: rc.conf,v 1.131 2008/11/27 00:52:06 uwe Exp $
+# $OpenBSD: rc.conf,v 1.133 2009/05/31 19:16:16 henning Exp $
# set these to "NO" to turn them off. otherwise, they're used as flags
ripd_flags=NO # for normal use: ""
@@ -41,6 +41,7 @@
ifstated_flags=NO # for normal use: ""
relayd_flags=NO # for normal use: ""
snmpd_flags=NO # for normal use: ""
+smtpd_flags=NO # for normal use: ""
# use -u to disable chroot, see httpd(8)
httpd_flags=NO # for normal use: "" (or "-DSSL" after reading ssl(8))
@@ -68,7 +69,7 @@
nfs_server=NO # see sysctl.conf for nfs client configuration
lockd=NO
amd=NO
-pf=NO # Packet filter / NAT
+pf=YES # Packet filter / NAT
ipsec=NO # IPsec
bt=NO # Bluetooth
portmap=NO # Note: inetd(8) rpc services need portmap too
diff -ur etc45/etc/security etc46/etc/security
--- etc45/etc/security Sat Feb 28 22:29:26 2009
+++ etc46/etc/security Fri Jul 10 05:01:02 2009
@@ -1,6 +1,5 @@
-#!/bin/sh -
#
-# $OpenBSD: security,v 1.81 2008/07/23 16:05:47 sthen Exp $
+# $OpenBSD: security,v 1.88 2009/06/03 14:45:39 jj Exp $
# from: @(#)security 8.1 (Berkeley) 6/9/93
#
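Review bot: With the `#!/bin/sh -` line removed, the header should say how the script is now meant to be run, because later hunks call `next_part` and test `$PARTOUT`, neither of which is defined in the parts of this file shown in the diff. Presumably it is sourced by /etc/daily, which provides both. If so, add a header line such as `# Sourced by /etc/daily; relies on next_part() and $PARTOUT from the caller.` Without that note, someone running `sh /etc/security` by hand gets "next_part: not found" and checks whose output handling silently differs.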
@@ -9,17 +8,15 @@
umask 077
DIR=`mktemp -d /tmp/_secure.XXXXXXXXXX` || exit 1
-ERR=$DIR/_secure1
TMP1=$DIR/_secure2
TMP2=$DIR/_secure3
-TMP3=$DIR/_secure4
LIST=$DIR/_secure5
-OUTPUT=$DIR/_secure6
trap 'rm -rf $DIR; exit 1' 0 1 2 3 13 15
# Check the master password file syntax.
MP=/etc/master.passwd
+next_part "Checking the ${MP} file:"
awk -F: '{
if ($0 ~ /^[ ]*$/) {
printf("Line %d is a blank line.\n", NR);
@@ -54,22 +51,15 @@
printf("Login %s has a negative group ID.\n", $1);
if (int($7) != 0 && system("test "$7" -lt `date +%s`") == 0)
printf("Login %s has expired.\n", $1);
-}' < $MP > $OUTPUT
-if [ -s $OUTPUT ] ; then
- echo "\nChecking the ${MP} file:"
- cat $OUTPUT
-fi
+}' < $MP
-awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
-if [ -s $OUTPUT ] ; then
- echo "\n${MP} has duplicate user names."
- column $OUTPUT
-fi
+next_part "${MP} has duplicate user names."
+awk -F: '{ print $1 }' $MP | sort | uniq -d | column
+next_part "${MP} has duplicate user IDs."
awk -F: '/^[^\+]/ { print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 |
uniq -d -f 1 | awk '{ print $2 }' > $TMP2
if [ -s $TMP2 ] ; then
- echo "\n${MP} has duplicate user IDs."
while read uid; do
grep -w $uid $TMP1
done < $TMP2 | column
@@ -99,6 +89,7 @@
# Check the group file syntax.
GRP=/etc/group
+next_part "Checking the ${GRP} file:"
awk -F: '{
if ($0 ~ /^[ ]*$/) {
printf("Line %d is a blank line.\n", NR);
@@ -112,28 +103,21 @@
printf("Group %s has non-alphanumeric characters.\n", $1);
if (length($1) > 31)
printf("Group %s has more than 31 characters.\n", $1);
- if ($3 !~ /[0-9]*/)
- printf("Login %s has a negative group ID.\n", $1);
-}' < $GRP > $OUTPUT
-if [ -s $OUTPUT ] ; then
- echo "\nChecking the ${GRP} file:"
- cat $OUTPUT
-fi
+ if ($3 !~ /^[0-9]*$/)
+ printf("Group %s has an invalid group ID.\n", $1);
+}' < $GRP
-awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
-if [ -s $OUTPUT ] ; then
- echo "\n${GRP} has duplicate group names."
- column $OUTPUT
-fi
+next_part "${GRP} has duplicate group names."
+awk -F: '{ print $1 }' $GRP | sort | uniq -d | column
# Check for root paths, umask values in startup files.
# The check for the root paths is problematical -- it's likely to fail
# in other environments. Once the shells have been modified to warn
# of '.' in the path, the path tests should go away.
-> $OUTPUT
rhome=/root
umaskset=no
list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
+next_part "Checking root csh paths, umask values:\n${list}"
for i in $list ; do
if [ -s $i ] ; then
if egrep -aq '[[:space:]]*umask[[:space:]]' $i ; then
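Review bot: The corrected group-ID test `$3 !~ /^[0-9]*$/` still accepts an empty third field, because `*` matches zero digits, so a group line with no GID is not reported by this check. Use `+` to require at least one digit: `if ($3 !~ /^[0-9]+$/)`. The earlier checks of this awk body are outside the hunk, so an empty field may already be caught there by a field-count test; if so, the stricter pattern is harmless.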
@@ -146,7 +130,7 @@
if ($2 % 10 ~ /^[0145]/)
print "Root umask is other writable";
}
- }' < $i >> $OUTPUT
+ }' < $i
SAVE_PATH=$PATH
unset PATH
/bin/csh -f -s << end-of-csh > /dev/null 2>&1
@@ -168,24 +152,18 @@
{ print "Root path directory " $10 " is group writable." } \
$1 ~ /^d.......w/ \
{ print "Root path directory " $10 " is other writable." }' \
- < $TMP1 >> $OUTPUT
+ < $TMP1
fi
done
-if [ $umaskset = "no" -o -s $OUTPUT ] ; then
- echo "\nChecking root csh paths, umask values:\n${list}"
- if [ -s $OUTPUT ] ; then
- cat $OUTPUT
- fi
- if [ $umaskset = "no" ] ; then
- echo "\nRoot csh startup files do not set the umask."
- fi
+if [ $umaskset = "no" ] ; then
+ echo "\nRoot csh startup files do not set the umask."
fi
-> $OUTPUT
> $TMP2
rhome=/root
umaskset=no
list="/etc/profile ${rhome}/.profile"
+next_part "Checking root sh paths, umask values:\n${list}"
for i in $list; do
if [ -s $i ] ; then
if egrep -a umask $i > /dev/null ; then
@@ -195,7 +173,7 @@
awk '$2 % 100 < 20 \
{ print "Root umask is group writable" } \
$2 % 10 < 2 \
- { print "Root umask is other writable" }' >> $OUTPUT
+ { print "Root umask is other writable" }'
SAVE_PATH=$PATH
SAVE_ENV=$ENV
unset PATH ENV
@@ -221,25 +199,19 @@
{ print "Root path directory " $10 " is group writable." } \
$1 ~ /^d.......w/ \
{ print "Root path directory " $10 " is other writable." }' \
- < $TMP1 >> $OUTPUT
+ < $TMP1
fi
done
-if [ $umaskset = "no" -o -s $OUTPUT ] ; then
- echo "\nChecking root sh paths, umask values:\n${list}"
- if [ -s $OUTPUT ] ; then
- cat $OUTPUT
- fi
- if [ $umaskset = "no" ] ; then
- echo "\nRoot sh startup files do not set the umask."
- fi
+if [ $umaskset = "no" ] ; then
+ echo "\nRoot sh startup files do not set the umask."
fi
# A good .kshrc will not have a umask or path, that being set in .profile
# check anyway.
-> $OUTPUT
rhome=/root
list="/etc/ksh.kshrc `cat $TMP2`"
+next_part "Checking root ksh paths, umask values:\n${list}"
(cd $rhome
for i in $list; do
if [ -s $i ] ; then
@@ -247,7 +219,7 @@
awk '$2 % 100 < 20 \
{ print "Root umask is group writable" } \
$2 % 10 < 2 \
- { print "Root umask is other writable" }' >> $OUTPUT
+ { print "Root umask is other writable" }'
if egrep -a PATH= $i > /dev/null ; then
SAVE_PATH=$PATH
unset PATH
@@ -271,32 +243,29 @@
{ print "Root path directory " $10 " is group writable." } \
$1 ~ /^d.......w/ \
{ print "Root path directory " $10 " is other writable." }' \
- < $TMP1 >> $OUTPUT
+ < $TMP1
fi
fi
done
)
-if [ -s $OUTPUT ] ; then
- echo "\nChecking root ksh paths, umask values:\n${list}"
- cat $OUTPUT
-fi
+next_part "Checking configuration files:"
# Root and uucp should both be in /etc/ftpusers.
if egrep root /etc/ftpusers > /dev/null ; then
:
else
- echo "\nRoot not listed in /etc/ftpusers file."
+ echo "Root not listed in /etc/ftpusers file."
fi
if egrep uucp /etc/ftpusers > /dev/null ; then
:
else
- echo "\nUucp not listed in /etc/ftpusers file."
+ echo "Uucp not listed in /etc/ftpusers file."
fi
# Uudecode should not be in the /etc/mail/aliases file.
if egrep 'uudecode|decode' /etc/mail/aliases; then
- echo "\nThere is an entry for uudecode in the /etc/mail/aliases file."
+ echo "There is an entry for uudecode in the /etc/mail/aliases file."
fi
# hostname.if files may contain secrets and should not be
@@ -307,7 +276,7 @@
continue
fi
if [ "$(stat -Lf "%SLp" $f)" != "---" ]; then
- echo "\n$f is world readable."
+ echo "$f is world readable."
fi
done
@@ -319,7 +288,7 @@
if ($0 ~ /^\+@.*$/)
next;
if ($0 ~ /^\+.*$/)
- printf("\nPlus sign in %s file.\n", FILENAME);
+ printf("Plus sign in %s file.\n", FILENAME);
}' $f
fi
done
@@ -327,6 +296,7 @@
# Check for special users with .rhosts/.shosts files. Only root
# should have .rhosts/.shosts files. Also, .rhosts/.shosts
# files should not have plus signs.
+next_part "Checking for special users with .rhosts/.shosts files."
awk -F: '$1 != "root" && $1 !~ /^[+-]/ && \
($3 < 100 || $1 == "ftp" || $1 == "uucp") \
{ print $1 " " $6 }' /etc/passwd |
@@ -338,12 +308,9 @@
echo "${uid}: ${rhost}"
fi
done
-done > $OUTPUT
-if [ -s $OUTPUT ] ; then
- echo "\nChecking for special users with .rhosts/.shosts files."
- cat $OUTPUT
-fi
+done
+next_part "Checking .rhosts/.shosts files syntax."
awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
for j in .rhosts .shosts; do
@@ -357,14 +324,11 @@
}' ${homedir}/$j
fi
done
-done > $OUTPUT
-if [ -s $OUTPUT ] ; then
- echo "\nChecking .rhosts/.shosts files syntax."
- cat $OUTPUT
-fi
+done
# Check home directories. Directories should not be owned by someone else
# or writeable.
+next_part "Checking home directories."
awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
if [ -d ${homedir}/ ] ; then
@@ -377,15 +341,12 @@
$2 ~ /^-....w/ \
{ print "user " $1 " home directory is group writable" }
$2 ~ /^-.......w/ \
- { print "user " $1 " home directory is other writable" }' > $OUTPUT
-if [ -s $OUTPUT ] ; then
- echo "\nChecking home directories."
- cat $OUTPUT
-fi
+ { print "user " $1 " home directory is other writable" }'
# Files that should not be owned by someone else or readable.
list=".netrc .rhosts .gnupg/secring.gpg .gnupg/random_seed \
.pgp/secring.pgp .shosts .ssh/identity .ssh/id_dsa .ssh/id_rsa"
+next_part "Checking dot files."
awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
for f in $list ; do
@@ -404,7 +365,7 @@
$3 ~ /^-....w/ \
{ print "user " $1 " " $2 " file is group writable" }
$3 ~ /^-.......w/ \
- { print "user " $1 " " $2 " file is other writable" }' > $OUTPUT
+ { print "user " $1 " " $2 " file is other writable" }'
# Files that should not be owned by someone else or writeable.
list=".bashrc .bash_profile .bash_login .bash_logout .cshrc \
@@ -427,24 +388,18 @@
$3 ~ /^-....w/ \
{ print "user " $1 " " $2 " file is group writable" }
$3 ~ /^-.......w/ \
- { print "user " $1 " " $2 " file is other writable" }' >> $OUTPUT
-if [ -s $OUTPUT ] ; then
- echo "\nChecking dot files."
- cat $OUTPUT
-fi
+ { print "user " $1 " " $2 " file is other writable" }'
# Mailboxes should be owned by user and unreadable.
+next_part "Checking mailbox ownership."
ls -l /var/mail | sed 1d | \
awk '$3 != $9 \
{ print "user " $9 " mailbox is owned by " $3 }
$1 != "-rw-------" \
- { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT
-if [ -s $OUTPUT ] ; then
- echo "\nChecking mailbox ownership."
- cat $OUTPUT
-fi
+ { print "user " $9 " mailbox is " $1 ", group " $4 }'
# File systems should not be globally exported.
+next_part "Checking for globally exported file systems."
if [ -s /etc/exports ] ; then
awk '{
if (($1 ~ /^#/) || ($1 ~ /^$/))
@@ -460,38 +415,30 @@
print "File system " $1 " globally exported, read-only."
else
print "File system " $1 " globally exported, read-write."
- }' < /etc/exports > $OUTPUT
- if [ -s $OUTPUT ] ; then
- echo "\nChecking for globally exported file systems."
- cat $OUTPUT
- fi
+ }' < /etc/exports
fi
# Display any changes in setuid/setgid files and devices.
-pending="\nChecking setuid/setgid files and devices:\n"
-(find / \( ! -fstype local \
- -o -fstype procfs -o -fstype afs -o -fstype xfs \) -a -prune -o \
+next_part "Setuid/device find errors:"
+( set -o noglob
+ find / \
+ \( ! -fstype local -o -fstype procfs -o -fstype afs -o -fstype nnpfs \
+ `for f in $SUIDSKIP; do echo -o -path $f; done` \
+ \) -a -prune -o \
-type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \
! -type d -a ! -type f -a ! -type l -a ! -type s -a ! -type p \
- -print0 | xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT
+ -print0 | xargs -0 -r ls -ldgT | sort +9 > $LIST
+)
-# Display any errors that occurred during system file walk.
-if [ -s $OUTPUT ] ; then
- echo "${pending}Setuid/device find errors:"
- pending=
- cat $OUTPUT
- echo ""
-fi
-
# Display any changes in the setuid/setgid file list.
+next_part "Checking setuid/setgid files and devices:"
FIELDS1=1.1,1.2,1.3,1.4,1.5,1.6,1.7,1.8,1.9,0
FIELDS2=2.1,2.2,2.3,2.4,2.5,2.6,2.7,2.8,2.9,0
egrep -av '^[bc]' $LIST | join -o $FIELDS2 -110 -210 -v2 /dev/null - > $TMP1
if [ -s $TMP1 ] ; then
# Check to make sure uudecode isn't setuid.
if grep -aw uudecode $TMP1 > /dev/null ; then
- echo "${pending}\nUudecode is setuid."
- pending=
+ echo "Uudecode is setuid."
fi
CUR=/var/backups/setuid.current
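Review bot: `$SUIDSKIP` is expanded unquoted into `-o -path` terms inside the prune expression, but nothing in this hunk documents where it is set or what format it takes. Every path listed there is pruned from the setuid/setgid and device walk, so files under it are never reported. That deserves a comment above the `find`, e.g. `# SUIDSKIP: whitespace-separated paths pruned from this scan; nothing below them is checked.` Because the list is word-split, a path containing whitespace cannot be expressed. `set -o noglob` keeps patterns literal, but the comment should mention the whitespace limit too.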
@@ -501,46 +448,31 @@
if cmp -s $CUR $TMP1 ; then
:
else
- > $TMP2
- join -o $FIELDS2 -110 -210 -v2 $CUR $TMP1 > $OUTPUT
- if [ -s $OUTPUT ] ; then
- echo "${pending}Setuid additions:"
- pending=
- tee -a $TMP2 < $OUTPUT | column -t
- echo ""
- fi
+ next_part "Setuid additions:"
+ join -o $FIELDS2 -110 -210 -v2 $CUR $TMP1 | \
+ tee $TMP2 | column -t
- join -o $FIELDS1 -110 -210 -v1 $CUR $TMP1 > $OUTPUT
- if [ -s $OUTPUT ] ; then
- echo "${pending}Setuid deletions:"
- pending=
- tee -a $TMP2 < $OUTPUT | column -t
- echo ""
- fi
+ next_part "Setuid deletions:"
+ join -o $FIELDS1 -110 -210 -v1 $CUR $TMP1 | \
+ tee -a $TMP2 | column -t
+ next_part "Setuid changes:"
sort +9 $TMP2 $CUR $TMP1 | \
- sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT
- if [ -s $OUTPUT ] ; then
- echo "${pending}Setuid changes:"
- pending=
- column -t $OUTPUT
- echo ""
- fi
+ sed -e 's/[ ][ ]*/ /g' | uniq -u | column -t
cp $CUR $BACK
cp $TMP1 $CUR
fi
else
- echo "${pending}Setuid additions:"
- pending=
+ next_part "Setuid additions:"
column -t $TMP1
- echo ""
cp $TMP1 $CUR
fi
fi
# Check for block and character disk devices that are readable or writeable
# or not owned by root.operator.
+next_part "Checking disk ownership and permissions."
>$TMP1
DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd"
for i in $DISKLIST; do
@@ -550,12 +482,7 @@
awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
{ printf("Disk %s is user %s, group %s, permissions %s.\n", \
- $11, $3, $4, $1); }' < $TMP1 > $OUTPUT
-if [ -s $OUTPUT ] ; then
- echo "\nChecking disk ownership and permissions."
- cat $OUTPUT
- echo ""
-fi
+ $11, $3, $4, $1); }' < $TMP1
FIELDS1=1.1,1.2,1.3,1.4,1.5,1.6,1.7,1.8,1.9,1.10,0
FIELDS2=2.1,2.2,2.3,2.4,2.5,2.6,2.7,2.8,2.9,2.10,0
@@ -570,41 +497,30 @@
if cmp -s $CUR $TMP1 ; then
:
else
- > $TMP2
- join -o $FIELDS2 -111 -211 -v2 $CUR $TMP1 > $OUTPUT
- if [ -s $OUTPUT ] ; then
- echo "Device additions:"
- tee -a $TMP2 < $OUTPUT | column -t
- echo ""
- fi
+ next_part "Device additions:"
+ join -o $FIELDS2 -111 -211 -v2 $CUR $TMP1 | \
+ tee $TMP2 | column -t
- join -o $FIELDS1 -111 -211 -v1 $CUR $TMP1 > $OUTPUT
- if [ -s $OUTPUT ] ; then
- echo "Device deletions:"
- tee -a $TMP2 < $OUTPUT | column -t
- echo ""
- fi
+ next_part "Device deletions:"
+ join -o $FIELDS1 -111 -211 -v1 $CUR $TMP1 | \
+ tee -a $TMP2 | column -t
# Report any block device change. Ignore character
# devices, only the name is significant.
+ next_part "Block device changes:"
cat $TMP2 $CUR $TMP1 | \
sed -e '/^c/d' | \
sort +10 | \
sed -e 's/[ ][ ]*/ /g' | \
- uniq -u > $OUTPUT
- if [ -s $OUTPUT ] ; then
- echo "Block device changes:"
- column -t $OUTPUT
- echo ""
- fi
+ uniq -u | \
+ column -t
cp $CUR $BACK
cp $TMP1 $CUR
fi
else
- echo "Device additions:"
+ next_part "Device additions:"
column -t $TMP1
- echo ""
cp $TMP1 $CUR
fi
fi
@@ -622,30 +538,17 @@
# the hacker can modify the tree specification to match the replaced binary.
# For details on really protecting yourself against modified binaries, see
# the mtree(8) manual page.
+next_part "Checking special files and directories.
+Output format is:\n\tfilename:\n\t\tcriteria (shouldbe, reallyis)"
if [ -d /etc/mtree ] ; then
cd /etc/mtree
- mtree -e -l -p / -f /etc/mtree/special > $OUTPUT
- if [ -s $OUTPUT ] ; then
- echo "\nChecking special files and directories."
- echo "Output format is:\n\tfilename:"
- echo "\t\tcriteria (shouldbe, reallyis)"
- cat $OUTPUT
- fi
-
- > $OUTPUT
+ mtree -e -l -p / -f /etc/mtree/special
for file in *.secure; do
[ $file = '*.secure' ] && continue
tree=`sed -n -e '3s/.* //p' -e 3q $file`
- mtree -f $file -p $tree > $TMP1
- if [ -s $TMP1 ] ; then
- echo "\nChecking ${tree}:" >> $OUTPUT
- cat $TMP1 >> $OUTPUT
- fi
+ next_part "Checking system binaries in ${tree}:"
+ mtree -f $file -p $tree
done
- if [ -s $OUTPUT ] ; then
- echo "\nChecking system binaries:"
- cat $OUTPUT
- fi
else
echo /etc/mtree is missing
fi
@@ -660,33 +563,29 @@
for file in `egrep -v "^(#|\+|$MP)" /etc/changelist`; do
CUR=/var/backups/$(_fnchg "$file").current
BACK=/var/backups/$(_fnchg "$file").backup
+ next_part "======\n${file} diffs (-OLD +NEW)\n======"
if [ -s $file -a ! -d $file ] ; then
if [ -s $CUR ] ; then
- diff -ua $CUR $file > $OUTPUT
- if [ -s $OUTPUT ] ; then
- echo "\n======\n${file} diffs (-OLD +NEW)\n======"
- cat $OUTPUT
+ diff -ua $CUR $file
+ if [ -s $PARTOUT ] ; then
cp -p $CUR $BACK
cp -p $file $CUR
chown root:wheel $CUR $BACK
fi
else
- echo "\n======\n${file} diffs (-OLD +NEW)\n======"
diff -u /dev/null $file
cp -p $file $CUR
chown root:wheel $CUR
fi
fi
if [ ! -s $file -a -s $CUR ]; then
- echo "\n======\n${file} diffs (-OLD +NEW)\n======"
diff -u $CUR /dev/null
cp -p $CUR $BACK
rm -f $CUR
chown root:wheel $BACK
fi
done
- for file in `egrep "^\+" /etc/changelist`; do
- file="${file#+}"
+ for file in `sed -n 's/^+//p' /etc/changelist`; do
CUR=/var/backups/$(_fnchg "$file").current.md5
BACK=/var/backups/$(_fnchg "$file").backup.md5
if [ -s $file -a ! -d $file ] ; then
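Review bot: The backup rotation is now gated on `[ -s $PARTOUT ]` with the variable unquoted. If `PARTOUT` is empty or unset, the test collapses to `[ -s ]`, which is true, so `$CUR` would be copied over `$BACK` on every run and the previous backup lost even when diff printed nothing. Quote it: `if [ -s "$PARTOUT" ] ; then`. The same line appears in the disklabel and package-list hunks below. The check also assumes stdout is currently redirected to `$PARTOUT` by the preceding `next_part` call, neither of which is defined in the visible part of this file, so a short comment stating that dependency would help.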
@@ -694,7 +593,7 @@
if [ -s $CUR ] ; then
MD5_OLD="`cat $CUR`"
if [ "$MD5_NEW" != "$MD5_OLD" ]; then
- echo "\n======\n${file} MD5 checksums\n======"
+ next_part "======\n${file} MD5 checksums\n======"
echo "OLD: $MD5_OLD"
echo "NEW: $MD5_NEW"
cp -p $CUR $BACK
@@ -703,7 +602,7 @@
chmod 600 $CUR
fi
else
- echo "\n======\n${file} new MD5 checksum\n======"
+ next_part "======\n${file} new MD5 checksum\n======"
echo "NEW: $MD5_NEW"
echo $MD5_NEW > $CUR
chown root:wheel $CUR
@@ -712,7 +611,7 @@
fi
if [ ! -s $file -a -s $CUR ]; then
MD5_OLD="`cat $CUR`"
- echo "\n======\n${file} removed MD5 checksum\n======"
+ next_part "======\n${file} removed MD5 checksum\n======"
echo "OLD: $MD5_OLD"
cp -p $CUR $BACK
rm $CUR
@@ -727,12 +626,11 @@
file=/var/backups/disklabel.$d
CUR=$file.current
BACK=$file.backup
+ next_part "======\n${d} diffs (-OLD +NEW)\n======"
if disklabel $d > $file 2>&1 ; then
if [ -s $CUR ] ; then
- diff -u $CUR $file > $OUTPUT
- if [ -s $OUTPUT ] ; then
- echo "\n======\n${d} diffs (-OLD +NEW)\n======"
- cat $OUTPUT
+ diff -u $CUR $file
+ if [ -s $PARTOUT ] ; then
cp -p $CUR $BACK
cp -p $file $CUR
chown root:wheel $CUR $BACK
@@ -746,15 +644,14 @@
done
# Backup the list of installed packages and produce diffs when it changes.
+next_part "======\nPackage list changes (-OLD +NEW)\n======"
file=/var/backups/pkglist
CUR=$file.current
BACK=$file.backup
if pkg_info > $file 2>&1 ; then
if [ -s $CUR ] ; then
- diff -u $CUR $file > $OUTPUT
- if [ -s $OUTPUT ] ; then
- echo "\n======\nInstalled package changes (-OLD +NEW)\n======"
- cat $OUTPUT
+ diff -u $CUR $file
+ if [ -s $PARTOUT ] ; then
cp -p $CUR $BACK
cp -p $file $CUR
chown root:wheel $CUR $BACK
Only in etc46/etc/skel: .Xdefaults
diff -ur etc45/etc/skel/.login etc46/etc/skel/.login
--- etc45/etc/skel/.login Sat Feb 28 22:29:27 2009
+++ etc46/etc/skel/.login Fri Jul 10 05:01:05 2009
@@ -1,9 +1,13 @@
-# $OpenBSD: dot.login,v 1.4 2009/01/30 08:42:26 sobrado Exp $
+# $OpenBSD: dot.login,v 1.5 2009/05/06 22:02:05 millert Exp $
#
# csh login file
if ( ! $?TERMCAP ) then
- tset -Q '-mdialup:?vt100' $TERM
+ if ( $?XTERM_VERSION ) then
+ tset -IQ '-munknown:?vt220' $TERM
+ else
+ tset -Q '-munknown:?vt220' $TERM
+ endif
endif
stty newcrt crterase
diff -ur etc45/etc/skel/.mailrc etc46/etc/skel/.mailrc
--- etc45/etc/skel/.mailrc Sat Feb 28 22:29:27 2009
+++ etc46/etc/skel/.mailrc Fri Jul 10 05:01:05 2009
@@ -1,2 +1,3 @@
set ask
+set crt
ignore message-id received date fcc status resent-date resent-message-id resent-from in-reply-to
Binary files etc45/etc/spwd.db and etc46/etc/spwd.db differ
diff -ur etc45/etc/sudoers etc46/etc/sudoers
--- etc45/etc/sudoers Sat Feb 28 22:29:39 2009
+++ etc46/etc/sudoers Fri Jul 10 05:01:22 2009
@@ -1,4 +1,4 @@
-# $OpenBSD: sudoers,v 1.21 2008/04/11 20:51:57 thib Exp $
+# $OpenBSD: sudoers,v 1.23 2009/06/03 20:25:23 millert Exp $
#
# sudoers file.
#
@@ -16,10 +16,10 @@
# Cmnd alias specification
# Defaults specification
-Defaults env_keep +="DESTDIR FETCH_CMD FLAVOR FTPMODE GROUP MAKE MULTI_PACKAGES"
-Defaults env_keep +="OKAY_FILES OWNER PKG_DBDIR PKG_DESTDIR PKG_CACHE PKG_PATH"
-Defaults env_keep +="PKG_TMPDIR PORTSDIR RELEASEDIR SUBPACKAGE WRKOBJDIR"
-Defaults env_keep +="SSH_AUTH_SOCK EDITOR VISUAL SHARED_ONLY"
+Defaults env_keep +="DESTDIR EDITOR FETCH_CMD FLAVOR FTPMODE GROUP MAKE"
+Defaults env_keep +="MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_CACHE PKG_DBDIR"
+Defaults env_keep +="PKG_DESTDIR PKG_PATH PKG_TMPDIR PORTSDIR RELEASEDIR"
+Defaults env_keep +="SHARED_ONLY SSH_AUTH_SOCK SUBPACKAGE VISUAL WRKOBJDIR"
# Uncomment to disable the lecture the first time you run sudo
#Defaults !lecture
diff -ur etc45/etc/sysctl.conf etc46/etc/sysctl.conf
--- etc45/etc/sysctl.conf Sat Feb 28 22:29:27 2009
+++ etc46/etc/sysctl.conf Fri Jul 10 05:01:04 2009
@@ -1,4 +1,4 @@
-# $OpenBSD: sysctl.conf,v 1.46 2008/01/05 18:38:37 mbalmer Exp $
+# $OpenBSD: sysctl.conf,v 1.47 2009/06/09 11:52:54 sthen Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time. See sysctl(3) and sysctl(8) for more information on
@@ -7,6 +7,8 @@
#net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet.ip.multipath=1 # 1=Enable IP multipath routing
+#net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects
+#net.inet6.icmp6.rediraccept=0 # 0=Don't accept IPv6 ICMP redirects
#net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.mforwarding=1 # 1=Permit forwarding (routing) of IPv6 multicast packets
#net.inet6.ip6.multipath=1 # 1=Enable IPv6 multipath routing
diff -ur etc45/etc/weekly etc46/etc/weekly
--- etc45/etc/weekly Sat Feb 28 22:29:26 2009
+++ etc46/etc/weekly Fri Jul 10 05:01:03 2009
@@ -1,24 +1,53 @@
-#!/bin/sh -
#
-# $OpenBSD: weekly,v 1.19 2007/02/02 14:52:48 ajacoutot Exp $
+# $OpenBSD: weekly,v 1.23 2009/05/25 21:31:24 schwarze Exp $
#
+# For local additions, create the file /etc/weekly.local.
+# To get section headers, use the function next_part in weekly.local.
+#
umask 022
-PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/libexec
-export PATH
+PARTOUT=/var/log/weekly.part
+MAINOUT=/var/log/weekly.out
+install -o 0 -g 0 -m 600 /dev/null $PARTOUT
+install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT
-if [ -f /etc/weekly.local ]; then
+start_part() {
+ TITLE=$1
+ exec > $PARTOUT 2>&1
+}
+
+end_part() {
+ exec >> $MAINOUT 2>&1
+ test -s $PARTOUT || return
echo ""
- echo "Running weekly.local:"
- . /etc/weekly.local
-fi
+ echo "$TITLE"
+ cat $PARTOUT
+}
-echo ""
+next_part() {
+ end_part
+ start_part "$1"
+}
+
+run_script() {
+ f=/etc/$1
+ test -e $f || return
+ if [ `stat -f '%Sp%u' $f | cut -b1,6,9,11-` != '---0' ]; then
+ echo "$f has insecure permissions, skipping:"
+ ls -l $f
+ return
+ fi
+ . $f
+}
+
+start_part "Running weekly.local:"
+run_script "weekly.local"
+
+next_part "Rebuilding locate database:"
if [ -f /var/db/locate.database ]; then
TMP=`mktemp /var/db/locate.database.XXXXXXXXXX`
if [ $? -eq 0 ]; then
trap 'rm -f $TMP; exit 1' 0 1 15
- echo "Rebuilding locate database:"
UPDATEDB="/usr/libexec/locate.updatedb"
echo "${UPDATEDB} --fcodes=- --tmpdir=${TMPDIR:-/var/tmp}" | \
nice -5 su -m nobody 2>/dev/null 1>$TMP
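Review bot: In `run_script` the permission check leaves the command substitution unquoted. If `stat` prints nothing (for example the file disappears after `test -e`), the test becomes `[ != '---0' ]`, whose result is unspecified and is typically an error rather than true. The `if` body is then skipped and `. $f` runs without the check having passed. Quoting makes it fail closed: ``if [ "`stat -f '%Sp%u' $f | cut -b1,6,9,11-`" != '---0' ]; then``. The `cut` positions are also hard to read, so add a comment such as `# require: regular file, not group- or other-writable, owned by uid 0`, assuming `%Sp` prints the ten-character ls-style mode.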
@@ -32,18 +61,17 @@
else
echo "Not rebuilding locate database; can't create temp file"
fi
-else
- echo "Not rebuilding locate database; no /var/db/locate.database"
fi
-echo ""
-echo "Rebuilding whatis databases:"
-makewhatis
+next_part "Rebuilding whatis databases:"
+/usr/libexec/makewhatis
-# If LOGINACCOUNTING is set to 1 in the environment, report user
-# accounting information
+next_part "Doing login accounting:"
[ "X$LOGINACCOUNTING" = X1 ] && {
- echo ""
- echo "Doing login accounting:"
ac -p | sort -nr -k 2
}
+
+end_part
+rm -f $PARTOUT
+
+[ -s $MAINOUT ] && mail -s "`hostname` weekly output" root < $MAINOUT
Only in etc46/root: .Xdefaults
diff -ur etc45/root/.login etc46/root/.login
--- etc45/root/.login Sat Feb 28 22:29:27 2009
+++ etc46/root/.login Fri Jul 10 05:01:04 2009
@@ -1,15 +1,19 @@
-# $OpenBSD: dot.login,v 1.11 2005/03/30 19:50:07 deraadt Exp $
+# $OpenBSD: dot.login,v 1.13 2009/05/06 22:02:05 millert Exp $
#
# csh login file
-set tterm='?'$TERM
-set noglob
-onintr finish
-eval `tset -s -Q $tterm`
-finish:
-unset noglob
-unset tterm
-onintr
+if ( -x /usr/bin/tset ) then
+ set noglob histchars=""
+ onintr finish
+ if ( $?XTERM_VERSION ) then
+ eval `tset -IsQ '-munknown:?vt220' $TERM`
+ else
+ eval `tset -sQ '-munknown:?vt220' $TERM`
+ endif
+ finish:
+ unset noglob histchars
+ onintr
+endif
if ( `logname` == `whoami` ) then
echo "Read the afterboot(8) man page for administration advice."
diff -ur etc45/root/.profile etc46/root/.profile
--- etc45/root/.profile Sat Feb 28 22:29:27 2009
+++ etc46/root/.profile Fri Jul 10 05:01:04 2009
@@ -1,4 +1,4 @@
-# $OpenBSD: dot.profile,v 1.5 2005/03/30 21:18:33 millert Exp $
+# $OpenBSD: dot.profile,v 1.8 2009/05/06 22:02:05 millert Exp $
#
# sh/ksh initialization
@@ -9,5 +9,9 @@
umask 022
if [ -x /usr/bin/tset ]; then
- eval `/usr/bin/tset -sQ \?$TERM`
+ if [ X"$XTERM_VERSION" = X"" ]; then
+ eval `/usr/bin/tset -sQ '-munknown:?vt220' $TERM`
+ else
+ eval `/usr/bin/tset -IsQ '-munknown:?vt220' $TERM`
+ fi
fi
diff -ur etc45/var/cron/tabs/root etc46/var/cron/tabs/root
--- etc45/var/cron/tabs/root Sat Feb 28 22:29:27 2009
+++ etc46/var/cron/tabs/root Fri Jul 10 05:01:04 2009
@@ -1,4 +1,4 @@
-# $OpenBSD: crontab,v 1.15 2007/02/27 16:04:16 beck Exp $
+# $OpenBSD: crontab,v 1.18 2009/05/09 17:15:49 schwarze Exp $
#
# /var/cron/tabs/root - root's crontab
#
@@ -17,7 +17,7 @@
#1-59 * * * * /usr/bin/newsyslog -m
#
# do daily/weekly/monthly maintenance
-30 1 * * * umask 077; /bin/sh /etc/daily 2>&1 | tee /var/log/daily.out | mail -s "`/bin/hostname` daily output" root
-30 3 * * 6 umask 077; /bin/sh /etc/weekly 2>&1 | tee /var/log/weekly.out | mail -s "`/bin/hostname` weekly output" root
-30 5 1 * * umask 077; /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | mail -s "`/bin/hostname` monthly output" root
+30 1 * * * /bin/sh /etc/daily
+30 3 * * 6 /bin/sh /etc/weekly
+30 5 1 * * /bin/sh /etc/monthly
#0 * * * * /usr/libexec/spamd-setup
diff -ur etc45/var/mail/root etc46/var/mail/root
--- etc45/var/mail/root Sat Feb 28 22:29:39 2009
+++ etc46/var/mail/root Fri Jul 10 05:01:22 2009
@@ -1,9 +1,9 @@
-From deraadt@do-not-reply.openbsd.org Fri May 1 05:45:45 MDT 2009
+From deraadt@do-not-reply.openbsd.org Thu Oct 1 06:46:46 MDT 2009
Return-Path: root
-Date: May 1 05:45:45 MDT 2009
+Date: Oct 1 06:46:46 MDT 2009
From: deraadt@do-not-reply.openbsd.org (Theo de Raadt)
To: root
-Subject: Welcome to OpenBSD 4.5! Secure by Default!
+Subject: Welcome to OpenBSD 4.6!
This message attempts to describe the most basic initial questions that a
system administrator of an OpenBSD box might have. You are urged to save
@@ -14,26 +14,26 @@
"man afterboot"). If you are not familiar with how to read man pages, type
"man man" at a shell prompt and read the entire thing. Pay specific
attention to the "man -k keyword" option, which will permit you to find the
-man page you are looking for more easily; for instance, "man -k ethernet". The
-GNU "info" subsystem is also installed with further documentation resources:
-to read info pages type "info". (The info subsystem behaves like the
-popular emacs editor.)
+man page you are looking for more easily; for instance, "man -k ethernet".
+The GNU "info" subsystem is also installed with further documentation
+resources: to read info pages type "info". (The info subsystem behaves like
+the popular emacs editor.)
Again, PLEASE READ THE MANUAL PAGES. Our developers have spent countless
hours improving them so that they are clear and precise.
-If you have installed the X11 packages during the install process, you can find
-further information regarding configuration in the file /usr/X11R6/README.
+If you have installed the X11 packages during the install process, you can
+find further information regarding configuration in the file /usr/X11R6/README.
Several popular binary packages (pre-compiled applications) are available
for most architectures. If you installed from a CD-ROM the packages
-are on the same CD-ROM you installed from in the directory 4.5/packages.
+are on the same CD-ROM you installed from in the directory 4.6/packages.
CD-ROM space permitted us to include a subset of the full FTP packages
for the most common architectures. Please see the FTP sites to see a
full list of packages for each architecture:
- ftp://ftp.openbsd.org/pub/OpenBSD/4.5/packages/
+ ftp://ftp.openbsd.org/pub/OpenBSD/4.6/packages/
If you do not find a package you want on the CD, please go look at your
nearest FTP mirror site.
@@ -41,15 +41,10 @@
Select your architecture and download the tarballs of your choice. For example
to install the emacs package for i386, execute:
# mount /dev/cd0a /cdrom
- # pkg_add -v /cdrom/4.5/packages/i386/emacs-21.4p7.tgz
+ # pkg_add -v /cdrom/4.6/packages/i386/emacs-21.4p8.tgz
or alternatively install them via FTP this way:
- # pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/4.5/packages/i386/emacs-21.4p7.tgz
+ # pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/4.6/packages/i386/emacs-21.4p8.tgz
-You are STRONGLY urged to use ssh instead of telnet, rlogin, or rsh! ssh is
-included in all OpenBSD systems. The implementation is OpenSSH, which we are
-the developers of. For more information, see
- http://www.OpenSSH.com
-
Significant efforts were made to centralize all system configuration in the
/etc directory. You should be able to find each of the configuration files
you seek there, lightly documented. In particular, much of the configuration
@@ -86,6 +81,5 @@
and GENERIC kernels are appreciated.) The device driver information we get from
this helps us fix existing drivers. Thank you!
-(If you used 'mail' to read this message and it scrolled by too quickly,
-type "more ." If you wish to save it, use the "x" command.)
+(If you wish to save it, use the "x" command.)
diff -ur etc45/var/www/conf/httpd.conf etc46/var/www/conf/httpd.conf
--- etc45/var/www/conf/httpd.conf Sat Feb 28 22:29:32 2009
+++ etc46/var/www/conf/httpd.conf Fri Jul 10 05:01:12 2009
@@ -1,4 +1,4 @@
-# $OpenBSD: httpd.conf,v 1.24 2008/06/07 01:59:36 jdixon Exp $
+# $OpenBSD: httpd.conf,v 1.26 2009/06/03 18:28:21 robert Exp $
#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
@@ -169,7 +169,7 @@
#
# MaxFOOPerChild: these directives set the current and hard rlimits for
-# the child processes. Attempts to exceed them will cause the the OS to
+# the child processes. Attempts to exceed them will cause the OS to
# take appropriate action. See the setrlimit(2) and signal(3).
#
MaxCPUPerChild 0
@@ -850,14 +850,17 @@
#
# Allow server status reports, with the URL of http://servername/server-status
-# Change the ".your_domain.com" to match your domain to enable.
+# Change the ".your_domain.com" to match your domain to enable. By default we
+# allow server-status requests from 127.0.0.1 to make apachectl's status and
+# fullstatus commands work.
#
-#<Location /server-status>
-# SetHandler server-status
-# Order deny,allow
-# Deny from all
-# Allow from .your_domain.com
-#</Location>
+<Location /server-status>
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.1
+# Allow from .your_domain.com
+</Location>
#
# Allow remote server configuration reports, with the URL of
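Review bot: The comment above the now-active `<Location /server-status>` block still says to change ".your_domain.com" to match your domain "to enable", but after this change the handler is enabled by default for 127.0.0.1. Uncommenting the remaining `# Allow from .your_domain.com` line therefore widens access rather than turning the feature on. Reword it, e.g. `# Enabled for 127.0.0.1 only; uncomment and edit the line below to also allow hosts in your domain.` It is also worth noting in the comment that any local user or locally running proxy reaches the status page through the loopback address.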