@zeszyt
Created October 12, 2017 08:43
diff -ur -x moduli 61/etc/daily 62/etc/daily
--- 61/etc/daily 2017-04-01 21:38:28.000000000 +0200
+++ 62/etc/daily 2017-10-04 05:13:09.000000000 +0200
@@ -1,5 +1,5 @@
#
-# $OpenBSD: daily,v 1.88 2016/04/29 13:05:33 schwarze Exp $
+# $OpenBSD: daily,v 1.90 2017/07/10 11:18:48 bluhm Exp $
# From: @(#)daily 8.2 (Berkeley) 1/25/94
#
# For local additions, create the file /etc/daily.local.
@@ -66,11 +66,15 @@
next_part "Purging accounting records:"
if [ -f /var/account/acct ]; then
- mv -f /var/account/acct.2 /var/account/acct.3
- mv -f /var/account/acct.1 /var/account/acct.2
- mv -f /var/account/acct.0 /var/account/acct.1
+ test -f /var/account/acct.2 && \
+ mv -f /var/account/acct.2 /var/account/acct.3
+ test -f /var/account/acct.1 && \
+ mv -f /var/account/acct.1 /var/account/acct.2
+ test -f /var/account/acct.0 && \
+ mv -f /var/account/acct.0 /var/account/acct.1
cp -f /var/account/acct /var/account/acct.0
sa -sq
+ lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[PT]'
fi
# If ROOTBACKUP is set to 1 in the environment, and
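Review bot: The new `lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[PT]'` line carries no comment saying what it is reporting; the P and T letters in the flags field appear to select processes that were terminated for a pledge(2) violation or by a trap (confirm against lastcomm(1) before wording it). A one-line comment above it such as `# Report processes killed for a pledge violation or by a trap (lastcomm flags P/T).` would make the corresponding section of the daily mail self-explaining. On a day with no matches grep exits 1, which is harmless here as long as the script does not run with errexit, which nothing in this hunk suggests.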
diff -ur -x moduli 61/etc/disktab 62/etc/disktab
--- 61/etc/disktab 2017-04-01 21:38:28.000000000 +0200
+++ 62/etc/disktab 2017-10-04 05:13:09.000000000 +0200
@@ -1,9 +1,14 @@
-# $OpenBSD: disktab,v 1.18 2016/12/30 22:26:27 deraadt Exp $
+# $OpenBSD: disktab,v 1.20 2017/07/08 15:39:11 florian Exp $
-mini34|gzip bsd.rd disk image 4.34375MB:\
- :dt=rdroot:se#512:nt#1:ns#64:nc#140:\
- :pa#8896:oa#64:ba#8192:fa#1024:ta=4.2BSD: \
- :pc#8960:oc#0:
+mini34|gzip bsd.rd disk image 4.4.6875MB:\
+ :dt=rdroot:se#512:nt#1:ns#64:nc#150:\
+ :pa#9536:oa#64:ba#8192:fa#1024:ta=4.2BSD: \
+ :pc#9600:oc#0:
+
+install360|install.fs disk image 360MB:\
+ :dt=rdroot:se#512:nt#1:ns#64:nc#11520:\
+ :pa#737216:oa#64:ba#8192:fa#1024:ta=4.2BSD: \
+ :pc#737280:oc#0:
install280|install.fs disk image 280MB:\
:dt=rdroot:se#512:nt#1:ns#64:nc#8960:\
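Review bot: The description field of the new `mini34` entry reads `4.4.6875MB`, which looks like a typo: `pc#9600` sectors of `se#512` bytes is 4915200 bytes, i.e. 4.6875 MiB, so the intended line is presumably `mini34|gzip bsd.rd disk image 4.6875MB:\`. The field is descriptive only, so nothing breaks, but it is the value a reader will use to sanity-check the geometry.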
diff -ur -x moduli 61/etc/examples/bgpd.conf 62/etc/examples/bgpd.conf
--- 61/etc/examples/bgpd.conf 2017-04-01 21:38:28.000000000 +0200
+++ 62/etc/examples/bgpd.conf 2017-10-04 05:13:10.000000000 +0200
@@ -1,4 +1,4 @@
-# $OpenBSD: bgpd.conf,v 1.4 2016/06/03 17:36:37 benno Exp $
+# $OpenBSD: bgpd.conf,v 1.8 2017/09/29 11:00:39 phessler Exp $
# sample bgpd configuration file
# see bgpd.conf(5)
@@ -39,6 +39,7 @@
group "peering AS65042" {
descr "peering AS 65042"
+ remote-as 65042
local-address 10.0.0.8
ipsec ah ike
neighbor 10.2.0.1
@@ -66,20 +67,29 @@
neighbor 10.0.0.0/24 {
descr "template for local peers"
+ enforce neighbor-as no
}
neighbor 10.2.1.1 {
remote-as 65023
local-address 10.0.0.8
- ipsec esp in spi 10 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
+ ipsec esp in spi 1010 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
- ipsec esp out spi 12 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
+ ipsec esp out spi 1012 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
}
+# do not send or use routes from EBGP neighbors without
+# further explicit configuration
+deny from ebgp
+deny to ebgp
+
+# allow updates to and from IBGP neighbors
+allow from ibgp
+allow to ibgp
+
# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
# and longer than 48 or shorter than 16 bits for IPv6.
-deny from any
allow from any inet prefixlen 8 - 24
allow from any inet6 prefixlen 16 - 48
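Review bot: The comment `# do not send or use routes from EBGP neighbors without further explicit configuration` above `deny from ebgp` is misleading where it stands: bgpd evaluates filter rules in order and the last matching rule wins, so the `allow from any inet prefixlen 8 - 24` and `allow from any inet6 prefixlen 16 - 48` lines that follow (which replaced the old `deny from any`) re-allow exactly those EBGP prefixes. Rewording it to say that the deny is the default which the later per-prefix-length rules refine would stop a reader from assuming EBGP input is blocked outright. Separately, `enforce neighbor-as no` on the `neighbor 10.0.0.0/24` template accepts any AS from any host in that range; that fits the documented local-peer template, but a short comment saying it must not be copied to an Internet-facing group would be worth adding next to it.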
@@ -87,6 +97,10 @@
#allow from any prefix 0.0.0.0/0
#allow from any prefix ::/0
+# Honor requests to gracefully shutdown BGP sessions
+# https://tools.ietf.org/html/draft-ietf-grow-bgp-gshut
+match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
+
# https://www.arin.net/announcements/2014/20140130.html
# This block will be subject to a minimum size allocation of /28 and a
# maximum size allocation of /24. ARIN should use sparse allocation when
diff -ur -x moduli 61/etc/examples/httpd.conf 62/etc/examples/httpd.conf
--- 61/etc/examples/httpd.conf 2017-04-01 21:38:28.000000000 +0200
+++ 62/etc/examples/httpd.conf 2017-10-04 05:13:10.000000000 +0200
@@ -1,4 +1,4 @@
-# $OpenBSD: httpd.conf,v 1.16 2016/09/17 20:05:59 tj Exp $
+# $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $
#
# Macros
@@ -50,8 +50,8 @@
listen on 127.0.0.1 tls port 443
# TLS certificate and key files created with acme-client(1)
- tls certificate "/etc/ssl/acme/fullchain.pem"
- tls key "/etc/ssl/acme/private/privkey.pem"
+ tls certificate "/etc/ssl/example.com.fullchain.pem"
+ tls key "/etc/ssl/private/example.com.key"
# Define server-specific log files relative to /logs
log { access "secure-access.log", error "secure-error.log" }
diff -ur -x moduli 61/etc/mtree/4.4BSD.dist 62/etc/mtree/4.4BSD.dist
--- 61/etc/mtree/4.4BSD.dist 2017-04-01 21:38:28.000000000 +0200
+++ 62/etc/mtree/4.4BSD.dist 2017-10-04 05:13:10.000000000 +0200
@@ -1,4 +1,4 @@
-# $OpenBSD: 4.4BSD.dist,v 1.294 2017/02/12 08:56:17 landry Exp $
+# $OpenBSD: 4.4BSD.dist,v 1.299 2017/08/21 20:52:06 rpe Exp $
/set type=dir uname=root gname=wheel mode=0755
@@ -105,10 +105,6 @@
..
lib
..
- acme
- private uname=root mode=0700
- ..
- ..
..
..
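Review bot: Dropping the `acme` and `private` entries only stops mtree from describing `/etc/ssl/acme`; on a system upgraded from the previous release the directory and any keys under `/etc/ssl/acme/private` remain in place (the `Tylko w 61/etc/ssl: acme` line at the end of this diff shows it only existed on the old tree), and from this change on neither `mtree -e` nor the spec-driven permission checks cover that `mode=0700` directory. If the intent is that acme-client(1) now writes under `/etc/ssl` and `/etc/ssl/private` (the httpd.conf example in this diff points there), an upgrade note telling operators to migrate or remove the old keys would close the gap.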
@@ -137,12 +133,6 @@
include gname=bin uname=root mode=0755
arpa gname=bin uname=root mode=0755
..
- g++ gname=bin uname=root mode=0755
- std gname=bin uname=root mode=0755
- ..
- ..
- objc gname=bin uname=root mode=0755
- ..
openssl gname=bin uname=root mode=0755
..
protocols gname=bin uname=root mode=0755
@@ -424,6 +414,10 @@
calendar
..
+ # ./usr/share/compile
+ compile
+ ..
+
# ./usr/share/dict
dict
papers
@@ -533,6 +527,8 @@
..
amd64
..
+ arm64
+ ..
armv7
..
hppa
diff -ur -x moduli 61/etc/mtree/BSD.x11.dist 62/etc/mtree/BSD.x11.dist
--- 61/etc/mtree/BSD.x11.dist 2017-04-01 21:38:28.000000000 +0200
+++ 62/etc/mtree/BSD.x11.dist 2017-10-04 05:13:10.000000000 +0200
@@ -1,4 +1,4 @@
-# $OpenBSD: BSD.x11.dist,v 1.44 2017/02/26 16:51:18 matthieu Exp $
+# $OpenBSD: BSD.x11.dist,v 1.45 2017/08/05 14:13:39 jsg Exp $
/set type=dir uname=root gname=wheel mode=0755
.
@@ -419,6 +419,8 @@
xtrans
..
..
+ libdrm
+ ..
mk
..
util-macros
diff -ur -x moduli 61/etc/mtree/special 62/etc/mtree/special
--- 61/etc/mtree/special 2017-04-01 21:38:28.000000000 +0200
+++ 62/etc/mtree/special 2017-10-04 05:13:10.000000000 +0200
@@ -1,4 +1,4 @@
-# $OpenBSD: special,v 1.123 2017/02/12 08:59:52 landry Exp $
+# $OpenBSD: special,v 1.124 2017/05/03 11:55:36 gsoares Exp $
#
# Hand-crafted mtree specification for the dangerous files.
#
@@ -111,6 +111,7 @@
.. #ssh
syslog.conf type=file mode=0644 uname=root gname=wheel
ttys type=file mode=0644 uname=root gname=wheel
+vm.conf type=file mode=0644 uname=root gname=wheel optional
weekly type=file mode=0644 uname=root gname=wheel
weekly.local type=file mode=0644 uname=root gname=wheel optional
ypldap.conf type=file mode=0600 uname=root gname=wheel optional
diff -ur -x moduli 61/etc/netstart 62/etc/netstart
--- 61/etc/netstart 2017-04-01 21:38:28.000000000 +0200
+++ 62/etc/netstart 2017-10-04 05:13:10.000000000 +0200
@@ -1,12 +1,13 @@
#!/bin/sh -
#
-# $OpenBSD: netstart,v 1.172 2016/12/06 14:01:43 mpi Exp $
+# $OpenBSD: netstart,v 1.186 2017/07/25 21:17:11 rpe Exp $
# Turn off Strict Bourne shell mode.
set +o sh
-# Strip comment lines from a file.
-# Strip leading and trailing whitespace if IFS is set.
+# Echo file $1 to stdout. Skip comment lines and delete everything
+# after the first '#' from other lines. Strip leading and trailing
+# whitespace if IFS is set.
# Usage: stripcom /path/to/file
stripcom() {
local _file=$1 _line
@@ -18,116 +19,106 @@
done <$_file
}
+# Parse and "unpack" a hostname.if(5) line given as positional parameters.
+# Fill the _cmds array with the resulting interface configuration commands.
+parse_hn_line() {
+ local _af=0 _name=1 _mask=2 _bc=3 _prefix=2 _c _cmd _prev _daddr
+ set -A _c -- "$@"
+ set -o noglob
+
+ case ${_c[_af]} in
+ ''|*([[:blank:]])'#'*)
+ return
+ ;;
+ inet) ((${#_c[*]} > 1)) || return
+ [[ ${_c[_name]} == alias ]] && _mask=3 _bc=4
+ [[ -n ${_c[_mask]} ]] && _c[_mask]="netmask ${_c[_mask]}"
+ if [[ -n ${_c[_bc]} ]]; then
+ _c[_bc]="broadcast ${_c[_bc]}"
+ [[ ${_c[_bc]} == *NONE ]] && _c[_bc]=
+ fi
+ _cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]}"
+ ;;
+ inet6) ((${#_c[*]} > 1)) || return
+ if [[ ${_c[_name]} == autoconf ]]; then
+ _cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]}"
+ V6_AUTOCONF=true
+ return
+ fi
+ [[ ${_c[_name]} == alias ]] && _prefix=3
+ [[ -n ${_c[_prefix]} ]] && _c[_prefix]="prefixlen ${_c[_prefix]}"
+ _cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]}"
+ ;;
+ dest) ((${#_c[*]} == 2)) && _daddr=${_c[1]} || return
+ _prev=$((${#_cmds[*]} - 1))
+ ((_prev >= 0)) || return
+ set -A _c -- ${_cmds[_prev]}
+ _name=3
+ [[ ${_c[_name]} == alias ]] && _name=4
+ _c[_name]="${_c[_name]} $_daddr"
+ _cmds[$_prev]="${_c[@]}"
+ ;;
+ dhcp) _c[0]=
+ _cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]} down;dhclient $_if"
+ V4_DHCPCONF=true
+ ;;
+ '!'*) _cmd=$(print -- "${_c[@]}" | sed 's/\$if/'$_if'/g')
+ _cmds[${#_cmds[*]}]="${_cmd#!}"
+ ;;
+ *) _cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]}"
+ ;;
+ esac
+ unset _c
+ set +o noglob
+}
+
# Start a single interface.
# Usage: ifstart if1
ifstart() {
- if=$1
+ local _if=$1 _hn=$HN_DIR/hostname.$1 _cmds _i=0 _line _stat
+ set -A _cmds
+
# Interface names must be alphanumeric only. We check to avoid
# configuring backup or temp files, and to catch the "*" case.
- [[ $if != +([[:alpha:]])+([[:digit:]]) ]] && return
+ [[ $_if != +([[:alpha:]])+([[:digit:]]) ]] && return
- file=/etc/hostname.$if
- if ! [ -f $file ]; then
- echo "netstart: $file: No such file or directory"
+ if [[ ! -f $_hn ]]; then
+ echo "${0##*/}: $_hn: No such file or directory"
return
fi
+
# Not using stat(1), we can't rely on having /usr yet.
- set -A stat -- $(ls -nL $file)
- if [ "${stat[0]#???????} ${stat[2]} ${stat[3]}" != "--- 0 0" ]; then
- echo "WARNING: $file is insecure, fixing permissions"
- chmod -LR o-rwx $file
- chown -LR root.wheel $file
+ set -A _stat -- $(ls -nL $_hn)
+ if [[ "${_stat[0]}${_stat[2]}${_stat[3]}" != *---00 ]]; then
+ echo "WARNING: $_hn is insecure, fixing permissions"
+ chmod -LR o-rwx $_hn
+ chown -LR root:wheel $_hn
+ fi
+
+ # Check for ifconfig'able interface, except if -n option is specified.
+ if ! $PRINT_ONLY; then
+ (ifconfig $_if || ifconfig $_if create) >/dev/null 2>&1 ||
+ return
fi
- # Check for ifconfig'able interface.
- (ifconfig $if || ifconfig $if create) >/dev/null 2>&1 || return
- # Now parse the hostname.* file.
- while :; do
- if [ "$cmd2" ]; then
- # We are carrying over from the 'read dt dtaddr'
- # last time.
- set -- $cmd2
- af="$1" name="$2" mask="$3" bcaddr="$4" ext1="$5" cmd2=
- # Make sure and get any remaining args in ext2,
- # like the read below.
- i=1
- while [ $i -lt 6 -a -n "$1" ]; do shift; let i=i+1; done
- ext2="$@"
+ # Parse the hostname.if(5) file and fill _cmds array with interface
+ # configuration commands.
+ set -o noglob
+ while IFS= read -- _line; do
+ parse_hn_line $_line
+ done <$_hn
+
+ # Apply the interface configuration commands stored in _cmds array.
+ while ((_i < ${#_cmds[*]})); do
+ if $PRINT_ONLY; then
+ print -r -- "${_cmds[_i]}"
else
- # Read the next line or exit the while loop.
- read af name mask bcaddr ext1 ext2 || break
+ eval "${_cmds[_i]}"
fi
- # $af can be "dhcp", "up", "rtsol", an address family, commands,
- # or a comment.
- case "$af" in
- "#"*|"") # Skip comments and empty lines.
- continue
- ;;
- "!"*) # Parse commands.
- cmd="${af#*!} ${name} ${mask} ${bcaddr} ${ext1} ${ext2}"
- ;;
- "dhcp")
- [ "$name" = "NONE" ] && name=
- [ "$mask" = "NONE" ] && mask=
- [ "$bcaddr" = "NONE" ] && bcaddr=
- cmd="ifconfig $if $name $mask $bcaddr $ext1 $ext2 down"
- cmd="$cmd;dhclient $if"
- dhcpif="$dhcpif $if"
- ;;
- "rtsol")
- rtsolif="$rtsolif $if"
- cmd="ifconfig $if $name $mask $bcaddr $ext1 $ext2 up"
- ;;
- *)
- read dt dtaddr
- if [ "$name" = "alias" ]; then
- # Perform a 'shift' of sorts.
- alias=$name
- name=$mask
- mask=$bcaddr
- bcaddr=$ext1
- ext1=$ext2
- ext2=
- else
- alias=
- fi
- cmd="ifconfig $if $af $alias $name"
- case "$dt" in
- dest)
- cmd="$cmd $dtaddr"
- ;;
- *)
- cmd2="$dt $dtaddr"
- ;;
- esac
- case $af in
- inet)
- if [ ! -n "$name" ]; then
- echo "/etc/hostname.$if: inet alone is invalid"
- return
- fi
- [ "$mask" ] && cmd="$cmd netmask $mask"
- if [ "$bcaddr" -a "X$bcaddr" != "XNONE" ]; then
- cmd="$cmd broadcast $bcaddr"
- fi
- ;;
- inet6)
- if [ ! -n "$name" ]; then
- echo "/etc/hostname.$if: inet6 alone is invalid"
- return
- fi
- [ "$mask" ] && cmd="$cmd prefixlen $mask"
- cmd="$cmd $bcaddr"
- ;;
- *)
- cmd="$cmd $mask $bcaddr"
- ;;
- esac
- cmd="$cmd $ext1 $ext2"
- ;;
- esac
- eval "$cmd"
- done </etc/hostname.$if
+ ((_i++))
+ done
+ unset _cmds
+ set +o noglob
}
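Review bot: `while IFS= read -- _line; do parse_hn_line $_line; done <$_hn` reads without `-r`, so a backslash in a hostname.if(5) line is consumed as an escape before the line reaches `parse_hn_line` (and, for the `'!'*)` branch, before the text is later passed to `eval`); `while IFS= read -r -- _line; do` preserves the line as written. In `-n` mode the permission fix (`chmod -LR o-rwx $_hn` / `chown -LR root:wheel $_hn`) still runs, because the `$PRINT_ONLY` check only guards the ifconfig probe below it, so a print-only invocation modifies the filesystem; moving the fix inside `if ! $PRINT_ONLY; then` or emitting only the warning there would keep `-n` side-effect free. The `sed 's/\$if/'$_if'/g'` substitution in `parse_hn_line` is safe only because `$_if` was validated as alphanumeric at the top of `ifstart`; a comment at the validation line naming that dependency would protect the invariant.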
# Start multiple interfaces by driver name.
@@ -153,50 +144,49 @@
done
}
-# IPv6 autoconf the interfaces in the $rtsolif list.
-# Usage: ifv6autoconf
-ifv6autoconf() {
- local _if
-
- # $ip6kernel will not have been set if we were invoked with a
- # list of interface names
- ifconfig lo0 inet6 >/dev/null 2>&1 || return 0
-
- for _if in $rtsolif; do
- ifconfig $_if inet6 autoconf
- done
-}
-
# Parse /etc/mygate and add default routes for IPv4 and IPv6
# Usage: defaultroute
defaultroute() {
- [[ -z $dhcpif ]] && stripcom /etc/mygate | while read gw; do
- [[ $gw == @(*:*) ]] && continue
- route -qn delete default >/dev/null 2>&1
- route -qn add -host default $gw && break
+ ! $V4_DHCPCONF && stripcom /etc/mygate |
+ while read gw; do
+ [[ $gw == @(*:*) ]] && continue
+ route -qn add -host default $gw && break
done
- [[ -z $rtsolif ]] && stripcom /etc/mygate | while read gw; do
- [[ $gw == !(*:*) ]] && continue
- route -qn delete -inet6 default >/dev/null 2>&1
- route -qn add -host -inet6 default $gw && break
+ ! $V6_AUTOCONF && stripcom /etc/mygate |
+ while read gw; do
+ [[ $gw == !(*:*) ]] && continue
+ route -qn add -host -inet6 default $gw && break
done
}
-# Make sure the invoking user has the right privileges.
-if (($(id -u) != 0)); then
- echo "${0##*/}: need root privileges"
- exit 1
-fi
-
# Get network related vars from rc.conf using the parsing routine from rc.subr.
FUNCS_ONLY=1 . /etc/rc.d/rc.subr
_rc_parse_conf
+HN_DIR=${HN_DIR:-/etc}
+PRINT_ONLY=false
+USAGE="USAGE: ${0##*/} [-n] [interface ...]"
+V4_DHCPCONF=false
+V6_AUTOCONF=false
+
+while getopts ":n" opt; do
+ case $opt in
+ n) PRINT_ONLY=true;;
+ *) print -u2 "$USAGE"; exit 1;;
+ esac
+done
+shift $((OPTIND-1))
+
+# Option -n is only supported if interface names are specified as parameters.
+if $PRINT_ONLY && (($# == 0)); then
+ print -u2 "Missing parameters.\n$USAGE"
+ exit 1
+fi
+
# If we were invoked with a list of interface names, just reconfigure these
# interfaces (or bridges), add default routes and return.
if (($# > 0)); then
for _if; do ifstart $_if; done
- ifv6autoconf
defaultroute
return
fi
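Review bot: The root-privilege check (`if (($(id -u) != 0)); then ... exit 1`) is removed in this hunk and nothing in the new option handling replaces it, so a non-root invocation now proceeds to `eval` the ifconfig/dhclient commands and to the chmod/chown in `ifstart`, which fail one by one instead of with a single clear message. If the removal is meant to let unprivileged users run `netstart -n if`, keeping the check but skipping it in print-only mode, e.g. `$PRINT_ONLY || (($(id -u) == 0)) || { print -u2 "${0##*/}: need root privileges"; exit 1; }`, preserves both. Separately, `defaultroute` no longer deletes an existing default route before `route -qn add -host default $gw`, so when the script is re-run with an interface list on a host that already has one, the add fails for every gateway in /etc/mygate and the old route is left as is; if that is intended, a comment saying so would help.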
@@ -258,8 +248,6 @@
# Due to rare use of IPv4 compatible addresses, and security issues
# with it, we disable it by default.
route -qn add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject >/dev/null
-
- rtsolif=""
else
ip6kernel=NO
fi
@@ -274,9 +262,6 @@
# Configure all the carp interfaces which we know about before default route.
ifmstart "trunk svlan vlan carp"
-# Now that $rtsolif has been populated, IPv6 autoconf those interfaces
-ifv6autoconf
-
# Look for default routes in /etc/mygate.
defaultroute
diff -ur -x moduli 61/etc/rc 62/etc/rc
--- 61/etc/rc 2017-04-01 21:38:28.000000000 +0200
+++ 62/etc/rc 2017-10-04 05:13:10.000000000 +0200
@@ -1,4 +1,4 @@
-# $OpenBSD: rc,v 1.493 2017/02/26 16:51:18 matthieu Exp $
+# $OpenBSD: rc,v 1.517 2017/08/29 16:56:13 rpe Exp $
# System startup script run by init on autoboot or after single-user.
# Output and error are redirected to console by init, and the console is the
@@ -9,7 +9,6 @@
# Subroutines (have to come first).
-
# Strip in- and whole-line comments from a file.
# Strip leading and trailing whitespace if IFS is set.
# Usage: stripcom /path/to/file
@@ -81,13 +80,12 @@
done
}
+# Push the old seed into the kernel, create a future seed and create a seed
+# file for the boot-loader.
random_seed() {
- # push the old seed into the kernel
dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none
chmod 600 /var/db/host.random
- # ... and create a future seed
dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none
- # and create a seed file for the boot-loader
dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none
chmod 600 /etc/random.seed
}
@@ -160,24 +158,18 @@
# Re-link libraries, placing the objects in a random order.
reorder_libs() {
- local _l _liba _libas _tmpdir _remount=false _error=false
- local _dkdev=$(df /usr/lib | sed '1d;s/ .*//')
- local _mp=$(mount | grep "^$_dkdev")
+ local _dkdev _liba _libas _mp _tmpdir _remount=false _error=false
+
+ [[ $library_aslr == NO ]] && return
+
+ _dkdev=$(df /usr/lib | sed '1d;s/ .*//')
+ _mp=$(mount | grep "^$_dkdev")
# Skip if /usr/lib is on a nfs mounted filesystem.
[[ $_mp == *' type nfs '* ]] && return
echo -n 'reordering libraries:'
- # Only choose the latest version of the libraries.
- for _liba in /usr/lib/libc.so.*.a; do
- _liba=$(ls ${_liba%%.[0-9]*}*.a | sort -V | tail -1)
- for _l in $_libas; do
- [[ $_l == $_liba ]] && continue 2
- done
- _libas="$_libas $_liba"
- done
-
# Remount read-write, if /usr/lib is on a read-only ffs filesystem.
if [[ $_mp == *' type ffs '*'read-only'* ]]; then
if mount -u -w $_dkdev; then
@@ -188,17 +180,37 @@
fi
fi
- for _liba in $_libas; do
- _tmpdir=$(mktemp -dq /tmp/_librebuild.XXXXXXXXXXXX) && (
- set -o errexit
- _lib=${_liba#/usr/lib/}
- _lib=${_lib%.a}
- cd $_tmpdir
- ar x ${_liba}
+ # Only choose the latest version of the libraries.
+ for _liba in /usr/lib/lib{c,crypto}; do
+ _libas="$_libas $(ls $_liba.so.+([0-9.]).a | sort -rV | head -1)"
+ done
+ _libas=${_libas# }
+
+ for _liba in /usr/libdata/ld.so.a $_libas; do
+ _tmpdir=$(mktemp -dq /tmp/_librebuild.XXXXXXXXXXXX) &&
+ (
+ set -o errexit
+ _install='install -F -S -o root -g bin -m 0444'
+ _lib=${_liba##*/}
+ _lib=${_lib%.a}
+ cd $_tmpdir
+ ar x $_liba
+ if [[ $_lib == ld.so ]]; then
+ ld -g -x -e _dl_start \
+ --version-script=Symbols.map --shared -Bsymbolic \
+ --no-undefined -o ld.so.test $(ls *.o | sort -R)
+ chmod u+x test-ld.so
+ [[ $(./test-ld.so ok) == './test-ld.so: ok!' ]]
+ $_install /usr/libexec/ld.so /usr/libexec/ld.so.save
+ $_install ld.so.test /usr/libexec/ld.so
+ else
cc -shared -o $_lib $(ls *.so | sort -R) $(cat .ldadd)
[[ -s $_lib ]] && file $_lib | fgrep -q 'shared object'
LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir awk 'BEGIN {exit 0}'
- install -F -S -o root -g bin -m 0444 $_lib /usr/lib/$_lib
+ LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir openssl \
+ x509 -in /etc/ssl/cert.pem -out /dev/null
+ $_install $_lib ${_liba%/*}/$_lib
+ fi
) || { _error=true; break; }
done
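Review bot: The ld.so branch runs `chmod u+x test-ld.so` and `./test-ld.so ok` on files that appear only because of the preceding `ar x $_liba` on /usr/libdata/ld.so.a (Symbols.map likewise), but nothing says so; a comment such as `# test-ld.so and Symbols.map come out of ld.so.a; exercise the freshly linked ld.so.test before replacing /usr/libexec/ld.so` (presumably test-ld.so is a program whose interpreter is ld.so.test — confirm against the archive contents) would spare the next reader a trip to the build tree. `$_install /usr/libexec/ld.so /usr/libexec/ld.so.save` overwrites the previous `.save` on every boot with no comment on its role as the recovery copy, which is worth one line too. Also `ls $_liba.so.+([0-9.]).a` prints an error on the console when the pattern matches nothing, since the unmatched pattern stays literal; redirecting its stderr or testing the glob first would keep boot output clean.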
@@ -224,6 +236,7 @@
[[ -n $_suffix ]] || return 1
if [[ -f /etc/rc.$_suffix ]]; then
+ echo "running rc.$_suffix"
mv /etc/rc.$_suffix /etc/rc.$_suffix.run
. /etc/rc.$_suffix.run 2>&1 | tee /dev/tty |
mail -Es "$(hostname) rc.$_suffix output" root >/dev/null
@@ -277,12 +290,14 @@
domainname "$(stripcom /etc/defaultdomain)"
fi
-# Need to get local functions from rc.subr.
+# Get local functions from rc.subr to load rc.conf into scope.
FUNCS_ONLY=1 . /etc/rc.d/rc.subr
-
-# Load rc.conf into scope.
_rc_parse_conf
+# If executed with the 'shutdown' parameter by the halt, reboot or shutdown:
+# - update seed files
+# - execute the rc.d scripts specified by $pkg_scripts in reverse order
+# - bring carp interfaces down gracefully
if [[ $1 == shutdown ]]; then
if echo 2>/dev/null >>/var/db/host.random || \
echo 2>/dev/null >>/etc/random.seed; then
@@ -295,13 +310,13 @@
if (($(sysctl -n kern.securelevel) == 0)); then
echo 'single user: not running shutdown scripts'
else
- pkg_scripts=${pkg_scripts%%*( )}
- if [[ -n $pkg_scripts ]]; then
+ set -A _d -- $pkg_scripts
+ _i=${#_d[*]}
+ if ((_i)); then
echo -n 'stopping package daemons:'
- while [[ -n $pkg_scripts ]]; do
- _d=${pkg_scripts##* }
- pkg_scripts=${pkg_scripts%%*( )$_d}
- [[ -x /etc/rc.d/$_d ]] && /etc/rc.d/$_d stop
+ while ((--_i >= 0)); do
+ [[ -x /etc/rc.d/${_d[_i]} ]] &&
+ /etc/rc.d/${_d[_i]} stop
done
echo '.'
fi
@@ -309,7 +324,6 @@
[[ -f /etc/rc.shutdown ]] && sh /etc/rc.shutdown
fi
- # Bring carp interfaces down gracefully.
ifconfig | while read _if _junk; do
[[ $_if == carp+([0-9]): ]] && ifconfig ${_if%:} down
done
@@ -320,6 +334,7 @@
# Add swap block-devices.
swapctl -A -t blk
+# Run filesystem check unless a /fastboot file exists.
if [[ -e /fastboot ]]; then
echo "Fast boot: skipping disk checks."
elif [[ $1 == autoboot ]]; then
@@ -327,14 +342,24 @@
do_fsck
fi
+# From now on, allow user to interrupt (^C) the boot process.
trap "echo 'Boot interrupted.'; exit 1" 3
+# Unmount all filesystems except root.
umount -a >/dev/null 2>&1
+
+# Mount all filesystems except those of type NFS and VND.
mount -a -t nonfs,vnd
-mount -uw / # root on nfs requires this, others aren't hurt.
-rm -f /fastboot # XXX (root now writeable)
-# Set flags on ttys. (Do early, in case they use tty for SLIP in netstart.)
+# Re-mount the root filesystem read/writeable. (root on nfs requires this,
+# others aren't hurt.)
+mount -uw /
+chmod og-rwx /bsd
+ln -fh /bsd /bsd.booted
+
+rm -f /fastboot
+
+# Set flags on ttys.
echo 'setting tty flags'
ttyflags -a
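Review bot: `chmod og-rwx /bsd` and `ln -fh /bsd /bsd.booted` are new steps in the root-writeable phase without a comment explaining them, although the later hunk adding `/usr/libexec/reorder_kernel &` hints at the reason. A line such as `# Make the kernel image unreadable to non-root and keep a hard link to the kernel that was booted (used by reorder_kernel — confirm)` above them would tie the two together; because it is a hard link, /bsd.booted keeps the old inode once /bsd is replaced, which appears to be the point. Note that the chmod runs only at boot, so a kernel copied into /bsd later keeps whatever mode the copy gave it until the next boot.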
@@ -347,54 +372,58 @@
# Set initial temporary pf rule set.
if [[ $pf != NO ]]; then
- RULES="block all"
- RULES="$RULES\npass on lo0"
- RULES="$RULES\npass in proto tcp from any to any port ssh keep state"
- RULES="$RULES\npass out proto { tcp, udp } from any to any port domain keep state"
- RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state"
- RULES="$RULES\npass out inet proto udp from any port bootpc to any port bootps"
- RULES="$RULES\npass in inet proto udp from any port bootps to any port bootpc"
+ RULES="
+ block all
+ pass on lo0
+ pass in proto tcp from any to any port ssh keep state
+ pass out proto { tcp, udp } from any to any port domain keep state
+ pass out inet proto icmp all icmp-type echoreq keep state
+ pass out inet proto udp from any port bootpc to any port bootps
+ pass in inet proto udp from any port bootps to any port bootpc"
+
if ifconfig lo0 inet6 >/dev/null 2>&1; then
- RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type neighbrsol"
- RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv"
- RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol"
- RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv"
- RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server"
- RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
- fi
- RULES="$RULES\npass in proto carp keep state (no-sync)"
- RULES="$RULES\npass out proto carp !received-on any keep state (no-sync)"
- if [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]]; then
+ RULES="$RULES
+ pass out inet6 proto icmp6 all icmp6-type neighbrsol
+ pass in inet6 proto icmp6 all icmp6-type neighbradv
+ pass out inet6 proto icmp6 all icmp6-type routersol
+ pass in inet6 proto icmp6 all icmp6-type routeradv
+ pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server
+ pass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
+ fi
+
+ RULES="$RULES
+ pass in proto carp keep state (no-sync)
+ pass out proto carp !received-on any keep state (no-sync)"
+
+ if (($(sysctl -n vfs.mounts.nfs 2>/dev/null) > 0)); then
# Don't kill NFS.
- RULES="set reassemble yes no-df\n$RULES"
- RULES="$RULES\npass in proto { tcp, udp } from any port { sunrpc, nfsd } to any"
- RULES="$RULES\npass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any"
+ RULES="set reassemble yes no-df
+ $RULES
+ pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any
+ pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any"
fi
+
print -- "$RULES" | pfctl -f -
pfctl -e
fi
-# Fill net.inet.(tcp|udp).baddynamic lists from /etc/services.
fill_baddynamic udp
fill_baddynamic tcp
sysctl_conf
+start_daemon slaacd >/dev/null 2>&1
+
echo 'starting network'
# Set carp interlock by increasing the demotion counter.
# Prevents carp from preempting until the system is booted.
ifconfig -g carp carpdemote 128
-# Recover resolv.conf in case dhclient died hard.
-if [[ -f /etc/resolv.conf.save ]]; then
- mv -f /etc/resolv.conf.save /etc/resolv.conf
- touch /etc/resolv.conf
-fi
-
sh /etc/netstart
-dmesg >/dev/random # Any write triggers a rekey.
+# Any write triggers a rekey.
+dmesg >/dev/random
# Load pf rules and bring up pfsync interface.
if [[ $pf != NO ]]; then
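Review bot: `if (($(sysctl -n vfs.mounts.nfs 2>/dev/null) > 0)); then` turns an empty sysctl result into an arithmetic syntax error (`(( > 0))`) rather than a false test, whereas the replaced `*[1-9]*` pattern match tolerated an empty string; if the node can ever be absent or unreadable, `$(sysctl -n vfs.mounts.nfs 2>/dev/null || echo 0)` keeps the intent. The rest of the hunk only changes how RULES is assembled (literal newlines instead of `\n` escapes), which also drops the reliance on `print` interpreting escapes; `print -- "$RULES" | pfctl -f -` then works because pf.conf(5) syntax does not care about leading whitespace, and a short comment to that effect would explain the indented lines inside the string literal.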
@@ -418,7 +447,8 @@
(cd /var/run && { rm -rf -- *; install -c -m 664 -g utmp /dev/null utmp; })
(cd /var/authpf && rm -rf -- *)
-dmesg >/var/run/dmesg.boot # Save a copy of the boot messages.
+# Save a copy of the boot messages.
+dmesg >/var/run/dmesg.boot
make_keys
@@ -473,7 +503,7 @@
chmod 666 /dev/tty[pqrstuvwxyzPQRST]*
chown root:wheel /dev/tty[pqrstuvwxyzPQRST]*
-# Check the password temp/lock file.
+# Check for the password temp/lock file.
if [[ -f /etc/ptmp ]]; then
logger -s -p auth.err \
'password file may be incorrect -- /etc/ptmp exists'
@@ -504,8 +534,7 @@
fi
if T=$(mktemp /tmp/_motd.XXXXXXXXXX); then
sysctl -n kern.version | sed 1q >$T
- echo "" >>$T
- sed '1,/^$/d' </etc/motd >>$T
+ sed -n '/^$/,$p' </etc/motd >>$T
cmp -s $T /etc/motd || cp $T /etc/motd
rm -f $T
fi
@@ -561,7 +590,8 @@
[[ -f /etc/rc.local ]] && sh /etc/rc.local
-ifconfig -g carp -carpdemote 128 # Disable carp interlock.
+# Disable carp interlock.
+ifconfig -g carp -carpdemote 128
mixerctl_conf
@@ -569,5 +599,9 @@
start_daemon apmd sensorsd hotplugd watchdogd cron wsmoused xenodm
echo '.'
+# Re-link the kernel, placing the objects in a random order.
+# Replace current with relinked kernel and inform root about it.
+/usr/libexec/reorder_kernel &
+
date
exit 0
diff -ur -x moduli 61/etc/rc.conf 62/etc/rc.conf
--- 61/etc/rc.conf 2017-04-01 21:38:28.000000000 +0200
+++ 62/etc/rc.conf 2017-10-04 05:13:10.000000000 +0200
@@ -1,4 +1,4 @@
-# $OpenBSD: rc.conf,v 1.213 2017/02/26 16:51:18 matthieu Exp $
+# $OpenBSD: rc.conf,v 1.216 2017/05/30 12:04:26 tb Exp $
# DO NOT EDIT THIS FILE!!
#
@@ -57,6 +57,7 @@
# be sure to set net.inet6.ip6.forwarding=1
sasyncd_flags=NO
sensorsd_flags=NO
+slaacd_flags=
slowcgi_flags=NO
smtpd_flags=
sndiod_flags=
@@ -99,6 +100,7 @@
# miscellaneous other flags
amd_master=/etc/amd/master # AMD 'master' map
+library_aslr=YES # set to NO to disable library randomization
savecore_flags= # "-z" to compress
spamd_black=NO # set to YES to run spamd without greylisting
shlib_dirs= # extra directories for ldconfig, separated
diff -ur -x moduli 61/etc/rc.d/rc.subr 62/etc/rc.d/rc.subr
--- 61/etc/rc.d/rc.subr 2017-04-01 21:38:28.000000000 +0200
+++ 62/etc/rc.d/rc.subr 2017-10-04 05:13:10.000000000 +0200
@@ -1,6 +1,6 @@
-# $OpenBSD: rc.subr,v 1.118 2017/02/17 16:42:41 ajacoutot Exp $
+# $OpenBSD: rc.subr,v 1.127 2017/06/05 18:31:23 ajacoutot Exp $
#
-# Copyright (c) 2010, 2011, 2014-2016 Antoine Jacoutot <ajacoutot@openbsd.org>
+# Copyright (c) 2010, 2011, 2014-2017 Antoine Jacoutot <ajacoutot@openbsd.org>
# Copyright (c) 2010, 2011 Ingo Schwarze <schwarze@openbsd.org>
# Copyright (c) 2010, 2011, 2014 Robert Nagy <robert@openbsd.org>
#
@@ -45,7 +45,7 @@
}
_rc_write_runfile() {
- [ -d ${_RC_RUNDIR} ] || mkdir -p ${_RC_RUNDIR} && \
+ [ -d ${_RC_RUNDIR} ] || mkdir -p ${_RC_RUNDIR} &&
cat >${_RC_RUNFILE} <<EOF
daemon_class=${daemon_class}
daemon_flags=${daemon_flags}
@@ -79,11 +79,30 @@
[ X"$1" = X"ok" ] && exit 0 || exit 1
}
+_rc_alarm()
+{
+ trap - ALRM
+ kill -ALRM ${_TIMERSUB} 2>/dev/null # timer may not be running anymore
+ kill $! 2>/dev/null # kill last job if it's running
+}
+
_rc_wait() {
local _i=0
+ if [ X"$1" = X"start" ]; then # prevent hanging the boot sequence
+ trap "_rc_alarm" ALRM
+ while [ $_i -lt ${daemon_timeout} ]; do
+ if _rc_do rc_check; then
+ [ X"${rc_bg}" = X"YES" ] || [ -z "$$" ] && break
+ fi
+ sleep 1
+ _i=$((_i+1))
+ done & wait
+ pkill -ALRM -P $$
+ return
+ fi
while [ $_i -lt ${daemon_timeout} ]; do
case "$1" in
- reload|start)
+ reload)
_rc_do rc_check && return 0 ;;
stop)
_rc_do rc_check || return 0 ;;
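Review bot: In the new `_rc_wait` start branch, `[ X"${rc_bg}" = X"YES" ] || [ -z "$$" ] && break` contains a test that can never be true — `$$` is always set — so the condition reduces to `[ X"${rc_bg}" = X"YES" ] && break`; either the second operand was meant to test something else, or it should be dropped so the actual behaviour (only rc_bg daemons leave the loop early, everything else waits the full `daemon_timeout`) is visible. Because `a || b && c` parses as `(a || b) && c`, precedence is not the problem, but a reader will suspect it is. The `pkill -ALRM -P $$` that follows signals every child of the script, not only the start job; if rc_pre or the daemon's own wrapper has forked anything else, that would be hit as well.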
@@ -121,8 +140,8 @@
typeset -l _key
local _l _rcfile _val
set -A _allowed_keys -- \
- accounting amd_master check_quotas ipsec multicast nfs_server \
- pexp pf pkg_scripts shlib_dirs spamd_black
+ accounting amd_master check_quotas ipsec library_aslr \
+ multicast nfs_server pexp pf pkg_scripts shlib_dirs spamd_black
[ $# -gt 0 ] || set -- /etc/rc.conf /etc/rc.conf.local
for _rcfile; do
@@ -130,15 +149,16 @@
while IFS=' ' read -r _l; do
[[ $_l == [!#=]*=* ]] || continue
_key=${_l%%*([[:blank:]])=*}
- [[ $_key == *_@(flags|rtable|user|timeout) ]] || \
- [[ " ${_allowed_keys[*]} " == *" $_key "* ]] || \
+ [[ $_key == *_@(flags|rtable|user|timeout) ]] ||
+ [[ " ${_allowed_keys[*]} " == *" $_key "* ]] ||
continue
[[ $_key == "" ]] && continue
_val=${_l##*([!=])=*([[:blank:]])}
_val=${_val%%#*}
_val=${_val%%*([[:blank:]])}
# remove leading and trailing quotes (backwards compat)
- [[ $_val == @(\"*\"|\'*\') ]] && _val=${_val#?} _val=${_val%?}
+ [[ $_val == @(\"*\"|\'*\') ]] &&
+ _val=${_val#?} _val=${_val%?}
eval "${_key}=\${_val}"
done < $_rcfile
done
@@ -150,7 +170,7 @@
[ -n "${FUNCS_ONLY}" ] && return
rc_start() {
- ${rcexec} "${daemon} ${daemon_flags} ${_bg}"
+ ${rcexec} "${daemon} ${daemon_flags}"
}
rc_check() {
@@ -166,12 +186,12 @@
}
rc_cmd() {
- local _bg _n
+ local _to _n _ret
[ -n "${1}" ] && echo "${_rc_actions}" | grep -qw -- ${1} || _rc_usage
- [ "$(id -u)" -eq 0 ] || \
- [ X"${rc_usercheck}" != X"NO" -a X"$1" = "Xcheck" ] || \
+ [ "$(id -u)" -eq 0 ] ||
+ [ X"${rc_usercheck}" != X"NO" -a X"$1" = "Xcheck" ] ||
_rc_err "$0: need root privileges"
if _rc_not_supported $1; then
@@ -179,7 +199,6 @@
_rc_err "$0: $1 is not supported"
fi
- [ X"${rc_bg}" = X"YES" ] && _bg="&"
[ -n "${_RC_DEBUG}" ] || _n="-n"
_rc_do _rc_parse_conf ${_RC_RUNFILE}
@@ -200,10 +219,20 @@
if type rc_pre >/dev/null; then
_rc_do rc_pre || break
fi
- _rc_do rc_start || break
- _rc_do _rc_wait start || break
+ _rc_do _rc_wait start & _TIMERSUB=$!
+ trap "_rc_alarm" ALRM
+ _rc_do rc_start; _ret=$?
+ kill -ALRM ${_TIMERSUB}
+ wait ${_TIMERSUB} 2>/dev/null # don't print Alarm clock
+ [[ "${_ret}" == 142 ]] && [ X"${rc_bg}" != X"YES" ] &&
+ _to="timeout"
+ # XXX for unknown reason, rc_check can fail (e.g. redis)
+ # while it just succeeded in _rc_wait; the check is
+ # needed to cope with failing daemons returning 0
+ #[[ "${_ret}" == @(0|142) ]] && _rc_do rc_check || break
+ [[ "${_ret}" == @(0|142) ]] || break
_rc_do _rc_write_runfile
- _rc_exit ok
+ _rc_exit ${_to:=ok}
done
# handle failure
type rc_post >/dev/null && _rc_do rc_post
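Review bot: `[[ "${_ret}" == 142 ]]` treats an rc_start exit status of 142 as the timer's SIGALRM, but the same value comes back when the daemon (or the `su` running it) dies from a SIGALRM of its own, and `[[ "${_ret}" == @(0|142) ]] || break` then reports success; a comment stating that 142 is 128+SIGALRM and that this ambiguity is accepted would at least document it. With the `rc_check` line commented out under the XXX note, a daemon that starts, returns 0 and exits immediately is reported `ok` and gets a runfile written; if that is the accepted trade-off, the comment could say so explicitly. Note that `trap "_rc_alarm" ALRM` is installed in the parent shell and only removed inside `_rc_alarm` itself, so after a successful start with no alarm the trap stays armed for the rest of the script.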
@@ -215,7 +244,7 @@
echo $_n "${INRC:+ }${_name}"
_rc_do rc_stop || _rc_exit failed
_rc_do _rc_wait stop || _rc_exit failed
- if type rc_post >/dev/null; then \
+ if type rc_post >/dev/null; then
_rc_do rc_post || _rc_exit failed
fi
_rc_do _rc_rm_runfile
@@ -228,7 +257,7 @@
_rc_exit ok
;;
restart)
- $0 ${_RC_DEBUG} ${_RC_FORCE} stop && \
+ $0 ${_RC_DEBUG} ${_RC_FORCE} stop &&
$0 ${_RC_DEBUG} ${_RC_FORCE} start
;;
*)
@@ -264,14 +293,14 @@
eval _rctimeout=\${${_name}_timeout}
# set default values; duplicated in rcctl(8)
-getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1 && \
- daemon_class=${_name} || daemon_class=daemon
+getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1 && daemon_class=${_name} ||
+ daemon_class=daemon
[ -z "${daemon_rtable}" ] && daemon_rtable=0
[ -z "${daemon_user}" ] && daemon_user=root
[ -z "${daemon_timeout}" ] && daemon_timeout=30
# use flags from the rc.d script if daemon is not enabled
-[ -n "${_RC_FORCE}" -o "$1" != "start" ] && [ X"${_rcflags}" = X"NO" ] && \
+[ -n "${_RC_FORCE}" -o "$1" != "start" ] && [ X"${_rcflags}" = X"NO" ] &&
unset _rcflags
[ -n "${_rcflags}" ] && daemon_flags=${_rcflags}
@@ -289,5 +318,5 @@
unset _rcflags _rcrtable _rcuser _rctimeout
pexp="${daemon}${daemon_flags:+ ${daemon_flags}}"
rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
-[ "${daemon_rtable}" -eq 0 ] || \
+[ "${daemon_rtable}" -eq 0 ] ||
rcexec="route -T ${daemon_rtable} exec ${rcexec}"
Tylko w 62/etc/rc.d: slaacd
diff -ur -x moduli 61/etc/rc.d/ypbind 62/etc/rc.d/ypbind
--- 61/etc/rc.d/ypbind 2017-04-01 21:38:28.000000000 +0200
+++ 62/etc/rc.d/ypbind 2017-10-04 05:13:10.000000000 +0200
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# $OpenBSD: ypbind,v 1.5 2015/10/18 03:51:11 deraadt Exp $
+# $OpenBSD: ypbind,v 1.7 2017/05/27 19:55:48 ajacoutot Exp $
daemon="/usr/sbin/ypbind"
Tylko w 61/etc/signify: openbsd-59-base.pub
Tylko w 61/etc/signify: openbsd-59-fw.pub
Tylko w 61/etc/signify: openbsd-59-pkg.pub
Tylko w 62/etc/signify: openbsd-63-base.pub
Tylko w 62/etc/signify: openbsd-63-fw.pub
Tylko w 62/etc/signify: openbsd-63-pkg.pub
Tylko w 61/etc/ssl: acme
diff -ur -x moduli 61/etc/weekly 62/etc/weekly
--- 61/etc/weekly 2017-04-01 21:38:28.000000000 +0200
+++ 62/etc/weekly 2017-10-04 05:13:10.000000000 +0200
@@ -1,5 +1,5 @@
#
-# $OpenBSD: weekly,v 1.27 2015/08/14 03:02:07 rzalamena Exp $
+# $OpenBSD: weekly,v 1.28 2017/04/15 13:12:08 schwarze Exp $
#
# For local additions, create the file /etc/weekly.local.
# To get section headers, use the function next_part in weekly.local.
@@ -63,7 +63,7 @@
fi
next_part "Rebuilding whatis databases:"
-/usr/sbin/makewhatis ${MAKEWHATISARGS:--Q}
+/usr/sbin/makewhatis $MAKEWHATISARGS
next_part "Doing login accounting:"
[ "X$LOGINACCOUNTING" = X1 ] && {