cd.4 new naming

2015-08-26 Thread Martijn van Duren

Hello tech@,

When reading cd.4 and comparing it to sys/cdio.h I see that 
CDIOREADTOCENTRYS is an alias to CDIOREADTOCENTRIES, while cd.4 still 
points to CDIOREADTOCENTRYS.


Both definitions are used in tree:
$ grep -R CDIOREADTOCENTRIES /usr/src/{{,usr.}{s,}bin,sys}
/usr/src/sbin/mount_udf/mount_udf.c:error = ioctl(fd, CDIOREADTOCENTRIES, t);
/usr/src/sys/sys/cdio.h:#define CDIOREADTOCENTRIES _IOWR('c', 5, struct ioc_read_toc_entry)
/usr/src/sys/sys/cdio.h:#define CDIOREADTOCENTRYS CDIOREADTOCENTRIES
$ grep -R CDIOREADTOCENTRYS /usr/src/{{,usr.}{s,}bin,sys}
/usr/src/usr.bin/cdio/cdio.c:   return (ioctl(fd, CDIOREADTOCENTRYS, (char *) t));
/usr/src/usr.bin/cdio/cdio.c:* host order like CDIOREADTOCENTRYS does.
/usr/src/sys/compat/linux/linux_cdrom.c:error = (*fp->f_ops->fo_ioctl)(fp, CDIOREADTOCENTRYS,
/usr/src/sys/scsi/cd.c: case CDIOREADTOCENTRYS: {
/usr/src/sys/sys/cdio.h:#define CDIOREADTOCENTRYS CDIOREADTOCENTRIES

Would it make sense to point people to the proper spelling instead of 
pointing out that the spelling is wrong?


Sincerely,

Martijn van Duren
Index: cd.4
===
RCS file: /cvs/src/share/man/man4/cd.4,v
retrieving revision 1.24
diff -u -p -r1.24 cd.4
--- cd.4	2 Jul 2014 22:35:42 -	1.24
+++ cd.4	26 Aug 2015 20:03:44 -
@@ -212,9 +212,8 @@ struct ioc_toc_header {
 	u_char  ending_track;
 };
 .Ed
-.It Dv CDIOREADTOCENTRYS Fa struct ioc_read_toc_entry *
+.It Dv CDIOREADTOCENTRIES Fa struct ioc_read_toc_entry *
 Return information from the table of contents entries mentioned.
-(Yes, this command name is misspelled.)
 The argument structure is defined as follows:
 .Bd -literal -offset indent
 struct ioc_read_toc_entry {
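Review bot: dropping the parenthetical also drops the only hint that the old spelling exists. sys/cdio.h keeps `#define CDIOREADTOCENTRYS CDIOREADTOCENTRIES`, and cdio(1), scsi/cd.c and compat/linux still use the old name (see the grep output above), so the entry should say that CDIOREADTOCENTRYS is retained as a compatibility alias rather than silently switch names; otherwise someone grepping the manual for the identifier they see in cd.c finds nothing.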


[patch] httpd: fcgi/PATH_INFO not handled correctly

2015-08-26 Thread Denis Fondras
Hello,

While using httpd together with uwsgi and Flask, I noticed that GET requests to /
returned 404. The same setup with nginx was returning 200.

The culprit is that PATH_INFO is not set when REQUEST_URI is /.
The following patch correctly sets PATH_INFO in every case.

Denis


Index: httpd.c
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v
retrieving revision 1.39
diff -u -p -r1.39 httpd.c
--- httpd.c 20 Aug 2015 13:00:23 -  1.39
+++ httpd.c 26 Aug 2015 18:12:34 -
@@ -695,7 +695,7 @@ path_info(char *path)
 
for (p = end; p  start; p--) {
/* Scan every path component from the end and at each '/' */
-   if (p  end  *p != '/')
+   if (p = end  *p != '/')
continue;
 
/* Temporarily cut the path component out */
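Review bot: the loop now also tests the byte at `end`, so what `end` is set to earlier in path_info() decides whether this fixes the `/` case: if it is the address of the last character, the extra iteration examines a real byte; if it is the terminating NUL, `*p != '/'` holds there and the iteration continues as before, so nothing changes. The comparison and logical operators are stripped in this archive copy, so review the original diff, and a quick test with REQUEST_URI set to `/`, `/app/` and `/app/x` would pin down the PATH_INFO each case is expected to yield.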



Re: doas authentication type

2015-08-26 Thread Renaud Allard

On 08/24/2015 03:47 PM, Renaud Allard wrote:

On 08/24/2015 11:15 AM, Renaud Allard wrote:

Hello,

Is there a plan to make it possible to specify the authentication type
in doas, like sudo -a does?
This is useful in the case you are using a login.conf with something
like: auth-defaults:auth=yubikey,passwd;.

Regards



Here is the patch



diff -ur src.orig/usr.bin/doas/doas.c src/usr.bin/doas/doas.c
--- src.orig/usr.bin/doas/doas.c2015-08-24 12:58:35.589668049 +0200
+++ src/usr.bin/doas/doas.c 2015-08-24 15:37:50.993618022 +0200
@@ -36,7 +36,7 @@
 static void __dead
 usage(void)
 {
-	fprintf(stderr, usage: doas [-ns] [-C config] [-u user] command 
[args]\n);
+	fprintf(stderr, usage: doas [-ans] [-C config] [-u user] command 
[args]\n);

exit(1);
 }
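Review bot: `-a` takes an argument, so it cannot sit in the `[-ans]` group; the string should be `usage: doas [-ns] [-a style] [-C config] [-u user] command [args]`, and doas.1 (SYNOPSIS and the option list) needs the same addition, which this diff does not touch.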

@@ -318,6 +318,7 @@
const char *cmd;
char cmdline[LINE_MAX];
char myname[_PW_NAME_LEN + 1];
+   char *login_style = NULL;
struct passwd *pw;
struct rule *rule;
uid_t uid;
@@ -332,8 +333,11 @@

uid = getuid();

-   while ((ch = getopt(argc, argv, C:nsu:)) != -1) {
+   while ((ch = getopt(argc, argv, a:C:nsu:)) != -1) {
switch (ch) {
+   case 'a':
+   login_style = optarg;
+   break;
case 'C':
confpath = optarg;
break;
@@ -409,7 +413,7 @@
if (!(rule-options  NOPASS)) {
if (nflag)
errx(1, Authorization required);
-   if (!auth_userokay(myname, NULL, NULL, NULL)) {
+   if (!auth_userokay(myname, login_style, NULL, NULL)) {
syslog(LOG_AUTHPRIV | LOG_NOTICE,
failed password for %s, myname);
permfail();
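Review bot: `login_style` is untrusted input from the invoking user and is handed straight to auth_userokay(), so the change is only safe if the BSD auth library refuses a style that is not in the `auth` list of the user's login class; that property should be confirmed and stated in the commit message. Note the consequence for administrators: with `auth=yubikey,passwd` the default (NULL style) uses the first entry, while `-a passwd` lets the user pick the second, so every listed style must be acceptable on its own. Finally, the syslog line `failed password for %s` becomes misleading for non-password styles; include the style in the message.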


Any comments about that patch? OK?



Re: [PATCH] doas authentication type

2015-08-26 Thread Michael Reed
Hi Renaud,

On 08/26/15 09:38, Renaud Allard wrote:
 I rewrote the patch a little bit to remove a small kind-of typo in the 
 manpage and remove too-long lines.
 So with this patch, you add the user the right to choose the authentication 
 style and administratively, in login.conf, you can restrict it.
 
 Any comments? OK?

I left some comments inline

 
 Index: doas.1
 ===
 RCS file: /cvs/src/usr.bin/doas/doas.1,v
 retrieving revision 1.14
 diff -u -r1.14 doas.1
 --- doas.127 Jul 2015 17:57:06 -1.14
 +++ doas.126 Aug 2015 13:34:14 -
 @@ -40,6 +40,16 @@
  .Pp
  The options are as follows:
  .Bl -tag -width tenletters
 +.It Fl a Ar style

The usage string under SYNOPSIS should be updated too.

 +The
 +.Fl a
 +(authentication style) option causes
 +.Nm
 +to use the specified authentication style when validating the user,
 +as allowed by /etc/login.conf.

I think the two instances of `/etc/login.conf' should be specified using
the Pa macro, so that doas(1) also shows up if `apropos Pa=/etc/login.conf'
is executed, which currently gives plenty of results.

 +The system administrator may specify a list of doas-specific
 +authentication methods by adding an ``auth-doas''

Instead of ``...'', I think Sq or Dq should be used.

 +entry in /etc/login.conf.
  .It Fl C Ar config
  Parse and check the configuration file
  .Ar config ,

Regards,
Michael



small uvm cleanup

2015-08-26 Thread Mark Kettenis
miod@ added this back in 2002 (rev 1.36):

  Back out a few more uvm changes, especially wrt swap usage.
  This unbreaks m68k m88k sparc and perhaps others, which eventually froze
  when hitting swap.
  Tested by various people on various platforms.
  ok art@

I think it is fairly safe to assume it works well enough now.

ok?


Index: uvm_map.c
===
RCS file: /home/cvs/src/sys/uvm/uvm_map.c,v
retrieving revision 1.194
diff -u -p -r1.194 uvm_map.c
--- uvm_map.c   21 Aug 2015 16:04:35 -  1.194
+++ uvm_map.c   26 Aug 2015 22:38:55 -
@@ -4160,7 +4160,6 @@ fail:
  * = caller must not write-lock map (read OK).
  * = we may sleep while cleaning if SYNCIO [with map read-locked]
  */
-intamap_clean_works = 1;   /* XXX for now, just in case... */
 
 int
 uvm_map_clean(struct vm_map *map, vaddr_t start, vaddr_t end, int flags)
@@ -4215,8 +4214,6 @@ uvm_map_clean(struct vm_map *map, vaddr_
 *  - we're not deactivating or freeing pages.
 */
if (amap == NULL || (flags  (PGO_DEACTIVATE|PGO_FREE)) == 0)
-   goto flush_object;
-   if (!amap_clean_works)
goto flush_object;
 
cp_start = MAX(entry-start, start);
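Review bot: the two `goto flush_object` branches collapse correctly and the `amap == NULL || (flags & (PGO_DEACTIVATE|PGO_FREE)) == 0` test is kept, so the amap cleaning path is now taken unconditionally. Since `amap_clean_works` was a non-static global, grep the whole tree (ddb, sysctl glue, architecture-specific code) for other readers before committing, so the build does not break on a platform not exercised here.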



Re: doas authentication type

2015-08-26 Thread Renaud Allard

On 08/26/2015 09:36 AM, Renaud Allard wrote:

On 08/26/2015 09:26 AM, Gregor Best wrote:

On Wed, Aug 26, 2015 at 08:42:31AM +0200, Renaud Allard wrote:

[...]
+fprintf(stderr, usage: doas [-ans] [-C config] [-u user] command
[args]\n);
[...]


The usage string should probably be

usage: doas [-ns] [-a style] [-C config] [-u user] command [args]

and the new option should appear in doas(1).



True, I will change and add that


Here is the new patch with the man page corrected and an additional auth-doas 
as suggested by Alexander Hall


diff -ur doas.orig/doas.1 doas/doas.1
--- doas.orig/doas.1Wed Aug 26 10:18:27 2015
+++ doas/doas.1 Wed Aug 26 10:17:21 2015
@@ -40,6 +40,12 @@
 .Pp
 The options are as follows:
 .Bl -tag -width tenletters
+.It Fl a Ar style
+The
+.Fl a
+(authentication style) option causes
+.Nm
+to use the specified authentication style when validating the user, as 
allowed by /etc/login.conf. The system administrator may specify a list 
of sudo-specific authentication methods by adding an ``auth-doas'' entry 
in /etc/login.conf.

 .It Fl C Ar config
 Parse and check the configuration file
 .Ar config ,
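Review bot: `sudo-specific` should be `doas-specific`. The paragraph is also a single very long line; mdoc wants one sentence per line, `.Pa /etc/login.conf` for the path and `.Dq auth-doas` instead of ``auth-doas''. SYNOPSIS still lacks `.Op Fl a Ar style`, and since `auth-doas` is a new login.conf capability, login.conf(5) should describe it (an `.Xr login.conf 5` here would help too).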
diff -ur doas.orig/doas.c doas/doas.c
--- doas.orig/doas.cWed Aug 26 10:18:27 2015
+++ doas/doas.c Wed Aug 26 10:16:14 2015
@@ -36,7 +36,7 @@
 static void __dead
 usage(void)
 {
-	fprintf(stderr, usage: doas [-ns] [-C config] [-u user] command 
[args]\n);
+	fprintf(stderr, usage: doas [-ns] [-a style] [-C config] [-u user] 
command [args]\n);

exit(1);
 }

@@ -318,6 +318,7 @@
const char *cmd;
char cmdline[LINE_MAX];
char myname[_PW_NAME_LEN + 1];
+   char *login_style = NULL;
struct passwd *pw;
struct rule *rule;
uid_t uid;
@@ -332,8 +333,11 @@

uid = getuid();

-   while ((ch = getopt(argc, argv, C:nsu:)) != -1) {
+   while ((ch = getopt(argc, argv, a:C:nsu:)) != -1) {
switch (ch) {
+   case 'a':
+   login_style = optarg;
+   break;
case 'C':
confpath = optarg;
break;
@@ -409,7 +413,7 @@
if (!(rule-options  NOPASS)) {
if (nflag)
errx(1, Authorization required);
-   if (!auth_userokay(myname, NULL, NULL, NULL)) {
+   if (!auth_userokay(myname, login_style, auth-doas, NULL)) {
syslog(LOG_AUTHPRIV | LOG_NOTICE,
failed password for %s, myname);
permfail();
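Review bot: passing `auth-doas` as the type makes auth_userokay() consult an `auth-doas` capability in the user's login class and fall back to the plain `auth` list when none is set, so existing configurations keep working and an administrator can narrow the styles doas accepts without touching login(1); say so in the commit message, together with the fact that a style given via `-a` but absent from the effective list is refused. The `failed password for %s` message should still mention the style now that a non-password style can be selected.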


OK?



fortune: remove OK_TO_WRITE_DISK ifdef + some tweaks

2015-08-26 Thread Sebastien Marie
Hi,

The following patch removes the #ifdef OK_TO_WRITE_DISK code, which isn't used by
default.

Additionally, a few disambiguations suggested by cc(1) are added:
  - parentheses around && within ||
  - explicit braces to avoid ambiguous 'else'

Comments ? OK ?
-- 
Sebastien Marie

Index: fortune.c
===
RCS file: /cvs/src/games/fortune/fortune/fortune.c,v
retrieving revision 1.42
diff -u -p -r1.42 fortune.c
--- fortune.c   6 Feb 2015 10:50:48 -   1.42
+++ fortune.c   26 Aug 2015 07:10:31 -
@@ -149,18 +149,14 @@ regex_t regex;
 int
 main(int ac, char *av[])
 {
-#ifdef OK_TO_WRITE_DISK
-   int fd;
-#endif /* OK_TO_WRITE_DISK */
-
getargs(ac, av);
 
if (Match)
exit(find_matches() != 0);
 
init_prob();
-   if (Short_only  minlen_in_list(File_list)  SLEN ||
-   Long_only  maxlen_in_list(File_list) = SLEN)
+   if ((Short_only  minlen_in_list(File_list)  SLEN) ||
+   (Long_only  maxlen_in_list(File_list) = SLEN))
exit(0);
 
do {
@@ -170,24 +166,6 @@ main(int ac, char *av[])
 
display(Fortfile);
 
-#ifdef OK_TO_WRITE_DISK
-   if ((fd = creat(Fortfile-posfile, 0666))  0) {
-   perror(Fortfile-posfile);
-   exit(1);
-   }
-   /*
-* if we can, we exclusive lock, but since it isn't very
-* important, we just punt if we don't have easy locking
-* available.
-*/
-   (void) flock(fd, LOCK_EX);
-   Fortfile-pos = htonl(Fortfile-pos);
-   write(fd, (char *) Fortfile-pos, sizeof Fortfile-pos);
-   Fortfile-pos = ntohl(Fortfile-pos);
-   if (!Fortfile-was_pos_file)
-   (void) chmod(Fortfile-path, 0666);
-   (void) flock(fd, LOCK_UN);
-#endif /* OK_TO_WRITE_DISK */
if (Wait) {
if (Fort_len == 0)
(void) fortlen();
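Review bot: this block is the one worth calling out in the commit message: it `creat()`ed the `.pos` file with mode 0666 and, when no position file existed before, `chmod()`ed the fortune file itself to 0666, which is a world-writable-file hazard and not something a game should be doing to its data files. With get_pos() now always using arc4random_uniform(), `Fortfile->pos` is never persisted, so `was_pos_file` and `posfile` lose their last useful readers here.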
@@ -212,7 +190,6 @@ rot13(char *p, size_t len)
 void
 display(FILEDESC *fp)
 {
-   char*p, ch;
charline[BUFSIZ];
 
open_fp(fp);
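Review bot: the hunk removes the `char *p, ch;` declaration only; confirm that nothing in display() still uses them, otherwise the build fails at the first reference. If they were simply unused, mention that this silences a compiler warning.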
@@ -337,13 +314,14 @@ form_file_list(char **files, int file_cn
int i, percent;
char*sp;
 
-   if (file_cnt == 0)
+   if (file_cnt == 0) {
if (Find_files)
return add_file(NO_PROB, FORTDIR, NULL, File_list,
File_tail, NULL);
else
return add_file(NO_PROB, fortunes, FORTDIR,
File_list, File_tail, NULL);
+   }
for (i = 0; i  file_cnt; i++) {
percent = NO_PROB;
if (!isdigit(files[i][0]))
@@ -504,9 +482,6 @@ over:
fp-next = *head;
*head = fp;
}
-#ifdef OK_TO_WRITE_DISK
-   fp-was_pos_file = (access(fp-posfile, W_OK) = 0);
-#endif /* OK_TO_WRITE_DISK */
 
return 1;
 }
@@ -603,9 +578,6 @@ all_forts(FILEDESC *fp, char *offensive)
obscene-datfile = datfile;
obscene-posfile = posfile;
obscene-read_tbl = 0;
-#ifdef OK_TO_WRITE_DISK
-   obscene-was_pos_file = (access(obscene-posfile, W_OK) = 0);
-#endif /* OK_TO_WRITE_DISK */
 }
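Review bot: `obscene->posfile = posfile;` two lines up is still assigned but now never read, since get_pos() always picks a random position; the `posfile` and `was_pos_file` members of FILEDESC, the `posp` parameter of is_fortfile() and the `.pos` string handling could be removed in a follow-up so the struct does not carry dead fields.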
 
 /*
@@ -722,10 +694,6 @@ is_fortfile(char *file, char **datp, cha
*datp = datfile;
else
free(datfile);
-#ifdef OK_TO_WRITE_DISK
-   if (posp != NULL)
-   *posp = copy(file, .pos);
-#endif /* OK_TO_WRITE_DISK */
DPRINTF(2, (stderr, 1\n));
return 1;
 }
@@ -816,7 +784,7 @@ init_prob(void)
exit(1);
}
percent = 100 - percent;
-   if (Equal_probs)
+   if (Equal_probs) {
if (num_noprob != 0) {
if (num_noprob  1) {
frac = percent / num_noprob;
@@ -830,7 +798,7 @@ init_prob(void)
last-percent = percent;
DPRINTF(1, (stderr, , residual = %d%%, percent));
}
-   else {
+   } else {
DPRINTF(1, (stderr,
, %d%% distributed over remaining fortunes\n,
percent));
@@ -1003,25 +971,9 @@ open_dat(FILEDESC *fp)
 void
 get_pos(FILEDESC *fp)
 {
-#ifdef OK_TO_WRITE_DISK
-   int fd;
-#endif /* OK_TO_WRITE_DISK */
-
assert(fp-read_tbl);
if (fp-pos == POS_UNKNOWN) {
-#ifdef OK_TO_WRITE_DISK
-   if ((fd = open(fp-posfile, 0))  0 ||
-   read(fd, fp-pos, sizeof fp-pos) != sizeof fp-pos)
-   fp-pos = arc4random_uniform(fp-tbl.str_numstr);
-   else if (ntohl(fp-pos) = fp-tbl.str_numstr)
-   fp-pos %= fp-tbl.str_numstr;
-   else
-   fp-pos = ntohl(fp-pos);
-   if (fd = 0)
-   (void) close(fd);
-#else
fp-pos = arc4random_uniform(fp-tbl.str_numstr);
-#endif /* 

Re: doas authentication type

2015-08-26 Thread Gregor Best
On Wed, Aug 26, 2015 at 08:42:31AM +0200, Renaud Allard wrote:
 [...]
 + fprintf(stderr, usage: doas [-ans] [-C config] [-u user] command
 [args]\n);
 [...]

The usage string should probably be

   usage: doas [-ns] [-a style] [-C config] [-u user] command [args]

and the new option should appear in doas(1).

-- 
Gregor



Re: fortune: remove OK_TO_WRITE_DISK ifdef + some tweaks

2015-08-26 Thread Doug Hogan
On Wed, Aug 26, 2015 at 09:15:13AM +0200, Sebastien Marie wrote:
 The following patch removes the #ifdef OK_TO_WRITE_DISK code, which isn't used by
 default.
 
 Additionally, a few disambiguations suggested by cc(1) are added:
   - parentheses around && within ||
   - explicit braces to avoid ambiguous 'else'
 
 Comments ? OK ?

ok doug@

 Index: fortune.c
 ===
 RCS file: /cvs/src/games/fortune/fortune/fortune.c,v
 retrieving revision 1.42
 diff -u -p -r1.42 fortune.c
 --- fortune.c 6 Feb 2015 10:50:48 -   1.42
 +++ fortune.c 26 Aug 2015 07:10:31 -
 @@ -149,18 +149,14 @@ regex_t regex;
  int
  main(int ac, char *av[])
  {
 -#ifdef   OK_TO_WRITE_DISK
 - int fd;
 -#endif   /* OK_TO_WRITE_DISK */
 -
   getargs(ac, av);
  
   if (Match)
   exit(find_matches() != 0);
  
   init_prob();
 - if (Short_only  minlen_in_list(File_list)  SLEN ||
 - Long_only  maxlen_in_list(File_list) = SLEN)
 + if ((Short_only  minlen_in_list(File_list)  SLEN) ||
 + (Long_only  maxlen_in_list(File_list) = SLEN))
   exit(0);
  
   do {
 @@ -170,24 +166,6 @@ main(int ac, char *av[])
  
   display(Fortfile);
  
 -#ifdef   OK_TO_WRITE_DISK
 - if ((fd = creat(Fortfile-posfile, 0666))  0) {
 - perror(Fortfile-posfile);
 - exit(1);
 - }
 - /*
 -  * if we can, we exclusive lock, but since it isn't very
 -  * important, we just punt if we don't have easy locking
 -  * available.
 -  */
 - (void) flock(fd, LOCK_EX);
 - Fortfile-pos = htonl(Fortfile-pos);
 - write(fd, (char *) Fortfile-pos, sizeof Fortfile-pos);
 - Fortfile-pos = ntohl(Fortfile-pos);
 - if (!Fortfile-was_pos_file)
 - (void) chmod(Fortfile-path, 0666);
 - (void) flock(fd, LOCK_UN);
 -#endif   /* OK_TO_WRITE_DISK */
   if (Wait) {
   if (Fort_len == 0)
   (void) fortlen();
 @@ -212,7 +190,6 @@ rot13(char *p, size_t len)
  void
  display(FILEDESC *fp)
  {
 - char*p, ch;
   charline[BUFSIZ];
  
   open_fp(fp);
 @@ -337,13 +314,14 @@ form_file_list(char **files, int file_cn
   int i, percent;
   char*sp;
  
 - if (file_cnt == 0)
 + if (file_cnt == 0) {
   if (Find_files)
   return add_file(NO_PROB, FORTDIR, NULL, File_list,
   File_tail, NULL);
   else
   return add_file(NO_PROB, fortunes, FORTDIR,
   File_list, File_tail, NULL);
 + }
   for (i = 0; i  file_cnt; i++) {
   percent = NO_PROB;
   if (!isdigit(files[i][0]))
 @@ -504,9 +482,6 @@ over:
   fp-next = *head;
   *head = fp;
   }
 -#ifdef   OK_TO_WRITE_DISK
 - fp-was_pos_file = (access(fp-posfile, W_OK) = 0);
 -#endif   /* OK_TO_WRITE_DISK */
  
   return 1;
  }
 @@ -603,9 +578,6 @@ all_forts(FILEDESC *fp, char *offensive)
   obscene-datfile = datfile;
   obscene-posfile = posfile;
   obscene-read_tbl = 0;
 -#ifdef   OK_TO_WRITE_DISK
 - obscene-was_pos_file = (access(obscene-posfile, W_OK) = 0);
 -#endif   /* OK_TO_WRITE_DISK */
  }
  
  /*
 @@ -722,10 +694,6 @@ is_fortfile(char *file, char **datp, cha
   *datp = datfile;
   else
   free(datfile);
 -#ifdef   OK_TO_WRITE_DISK
 - if (posp != NULL)
 - *posp = copy(file, .pos);
 -#endif   /* OK_TO_WRITE_DISK */
   DPRINTF(2, (stderr, 1\n));
   return 1;
  }
 @@ -816,7 +784,7 @@ init_prob(void)
   exit(1);
   }
   percent = 100 - percent;
 - if (Equal_probs)
 + if (Equal_probs) {
   if (num_noprob != 0) {
   if (num_noprob  1) {
   frac = percent / num_noprob;
 @@ -830,7 +798,7 @@ init_prob(void)
   last-percent = percent;
   DPRINTF(1, (stderr, , residual = %d%%, percent));
   }
 - else {
 + } else {
   DPRINTF(1, (stderr,
   , %d%% distributed over remaining fortunes\n,
   percent));
 @@ -1003,25 +971,9 @@ open_dat(FILEDESC *fp)
  void
  get_pos(FILEDESC *fp)
  {
 -#ifdef   OK_TO_WRITE_DISK
 - int fd;
 -#endif /* OK_TO_WRITE_DISK */
 -
   assert(fp-read_tbl);
   if (fp-pos == POS_UNKNOWN) {
 -#ifdef   OK_TO_WRITE_DISK
 - if ((fd = open(fp-posfile, 0))  0 ||
 - read(fd, fp-pos, sizeof fp-pos) != sizeof fp-pos)
 - fp-pos = arc4random_uniform(fp-tbl.str_numstr);
 - else if (ntohl(fp-pos) = fp-tbl.str_numstr)
 - fp-pos %= fp-tbl.str_numstr;
 - else
 - fp-pos = ntohl(fp-pos);
 - if (fd = 0)
 - (void) 

Re: doas authentication type

2015-08-26 Thread Renaud Allard

On 08/26/2015 09:26 AM, Gregor Best wrote:

On Wed, Aug 26, 2015 at 08:42:31AM +0200, Renaud Allard wrote:

[...]
+   fprintf(stderr, usage: doas [-ans] [-C config] [-u user] command
[args]\n);
[...]


The usage string should probably be

usage: doas [-ns] [-a style] [-C config] [-u user] command [args]

and the new option should appear in doas(1).



True, I will change and add that



Do not create IPv6 connected routes for lo0

2015-08-26 Thread Martin Pieuchot
Diff below makes sure that no connected route is created for
loopback/p2p interfaces for linklocal *and* non-linklocal addrs.

route(8)'s output will change:

-fe80::%lo10001/64  fe80::1%lo10001U  0  0 32768 4 lo10001
 fe80::1%lo10001    fe80::1%lo10001UHl0  0 32768 1 lo10001


This makes IPv6 automagically created routes coherent with IPv4
ones.

I'm unsure about the hack for DAD w/ p2p interfaces, so I left it.

Ok?

Index: netinet6/in6.c
===
RCS file: /cvs/src/sys/netinet6/in6.c,v
retrieving revision 1.168
diff -u -p -r1.168 in6.c
--- netinet6/in6.c  24 Aug 2015 23:26:43 -  1.168
+++ netinet6/in6.c  26 Aug 2015 10:43:33 -
@@ -462,7 +462,7 @@ in6_control(struct socket *so, u_long cm
 
case SIOCAIFADDR_IN6:
{
-   int plen, error = 0;
+   int error = 0;
 
/* reject read-only flags */
if ((ifra-ifra_flags  IN6_IFF_DUPLICATED) != 0 ||
@@ -508,10 +508,9 @@ in6_control(struct socket *so, u_long cm
if (ia6-ia6_flags  IN6_IFF_TENTATIVE)
nd6_dad_start(ia6-ia_ifa);
 
-   plen = in6_mask2len(ifra-ifra_prefixmask.sin6_addr, NULL);
-   if (plen == 128) {
+   if (ifp-if_flags  (IFF_POINTOPOINT|IFF_LOOPBACK)) {
dohooks(ifp-if_addrhooks, 0);
-   break;  /* we don't need to install a host route. */
+   break;  /* No need to install a connected route. */
}
 
s = splsoftnet();
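Review bot: the skip test changes from `plen == 128` to `IFF_POINTOPOINT|IFF_LOOPBACK`, so a /128 address on a broadcast interface, which previously got no route here, now goes through rt_ifa_add() with RTF_CLONING|RTF_CONNECTED; confirm that is intended and that a host-width prefix yields a sensible connected route, otherwise keep the `plen == 128` test next to the flag test.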
@@ -966,7 +965,10 @@ in6_unlink_ifa(struct in6_ifaddr *ia6, s
 
/* Release the reference to the base prefix. */
if (ia6-ia6_ndpr == NULL) {
-   rt_ifa_del(ifa, RTF_CLONING | RTF_CONNECTED, ifa-ifa_addr);
+   if ((ifp-if_flags  (IFF_POINTOPOINT|IFF_LOOPBACK)) == 0) {
+   rt_ifa_del(ifa, RTF_CLONING | RTF_CONNECTED,
+   ifa-ifa_addr);
+   }
} else {
KASSERT(ia6-ia6_flags  IN6_IFF_AUTOCONF);
ia6-ia6_flags = ~IN6_IFF_AUTOCONF;
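Review bot: the delete side now mirrors the add side for P2P and loopback interfaces, but it decides on the interface flags at removal time while the route was (or was not) installed based on the flags at add time; if no driver flips IFF_POINTOPOINT while addresses are configured this is fine and deserves a sentence in the commit message, otherwise a stale connected route can be left behind.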
Index: netinet6/in6_ifattach.c
===
RCS file: /cvs/src/sys/netinet6/in6_ifattach.c,v
retrieving revision 1.93
diff -u -p -r1.93 in6_ifattach.c
--- netinet6/in6_ifattach.c 24 Aug 2015 23:26:43 -  1.93
+++ netinet6/in6_ifattach.c 26 Aug 2015 10:43:18 -
@@ -332,47 +332,41 @@ in6_ifattach_linklocal(struct ifnet *ifp
ifra.ifra_lifetime.ia6t_pltime = ND6_INFINITE_LIFETIME;
 
/*
-* Now call in6_update_ifa() to do a bunch of procedures to configure
-* a link-local address. In the case of CARP, we may be called after
-* one has already been configured, so check if it's already there
-* with in6ifa_ifpforlinklocal() and clobber it if it exists.
+* XXX: Some P2P interfaces seem not to send packets just after
+* becoming up, so we skip p2p interfaces for safety.
 */
+   if (in6if_do_dad(ifp)  ((ifp-if_flags  IFF_POINTOPOINT) == 0))
+   ifra.ifra_flags |= IN6_IFF_TENTATIVE;
+
s = splsoftnet();
error = in6_update_ifa(ifp, ifra, in6ifa_ifpforlinklocal(ifp, 0));
splx(s);
-
-   if (error != 0) {
-   /*
-* XXX: When the interface does not support IPv6, this call
-* would fail in the SIOCSIFADDR ioctl.  I believe the
-* notification is rather confusing in this case, so just
-* suppress it.  (jin...@kame.net 20010130)
-*/
-   if (error != EAFNOSUPPORT)
-   nd6log((LOG_NOTICE, in6_ifattach_linklocal: failed to 
-   configure a link-local address on %s 
-   (errno=%d)\n,
-   ifp-if_xname, error));
-   return (-1);
-   }
+   if (error != 0)
+   return (error);
 
ia6 = in6ifa_ifpforlinklocal(ifp, 0);
 
-   /*
-* Perform DAD.
-*
-* XXX: Some P2P interfaces seem not to send packets just after
-* becoming up, so we skip p2p interfaces for safety.
-*/
-   if (in6if_do_dad(ifp)  ((ifp-if_flags  IFF_POINTOPOINT) == 0)) {
-   ia6-ia6_flags |= IN6_IFF_TENTATIVE;
+   /* Perform DAD, if needed. */
+   if (ia6-ia6_flags  IN6_IFF_TENTATIVE)
nd6_dad_start(ia6-ia_ifa);
+
+   if (ifp-if_flags  (IFF_POINTOPOINT|IFF_LOOPBACK)) {
+   dohooks(ifp-if_addrhooks, 0);
+   return (0); /* No need to install a connected route. */
}
 
+   s = splsoftnet();
error = rt_ifa_add(ia6-ia_ifa, RTF_UP|RTF_CLONING|RTF_CONNECTED,
ia6-ia_ifa.ifa_addr);
+   if 
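Review bot: the error path now returns `error` instead of -1 and loses the nd6log() diagnostic together with the EAFNOSUPPORT special case, so callers that compare the return value against -1 need checking and the loss of the log message should be deliberate. Setting IN6_IFF_TENTATIVE in `ifra.ifra_flags` before in6_update_ifa() rather than on ia6 afterwards means the address is never visible without the flag, which is an improvement; the hunk is cut off after `if` in this copy, so the rt_ifa_add() error handling could not be reviewed.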

Re: [PATCH] doas authentication type

2015-08-26 Thread Renaud Allard
I rewrote the patch a little bit to remove a small kind-of typo in the 
manpage and remove too-long lines.
So with this patch, you give the user the right to choose the 
authentication style and administratively, in login.conf, you can 
restrict it.


Any comments? OK?


Index: doas.1
===
RCS file: /cvs/src/usr.bin/doas/doas.1,v
retrieving revision 1.14
diff -u -r1.14 doas.1
--- doas.1  27 Jul 2015 17:57:06 -  1.14
+++ doas.1  26 Aug 2015 13:34:14 -
@@ -40,6 +40,16 @@
 .Pp
 The options are as follows:
 .Bl -tag -width tenletters
+.It Fl a Ar style
+The
+.Fl a
+(authentication style) option causes
+.Nm
+to use the specified authentication style when validating the user,
+as allowed by /etc/login.conf.
+The system administrator may specify a list of doas-specific
+authentication methods by adding an ``auth-doas''
+entry in /etc/login.conf.
 .It Fl C Ar config
 Parse and check the configuration file
 .Ar config ,
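Review bot: write both path mentions as `.Pa /etc/login.conf` and the capability as `.Dq auth-doas` rather than ``auth-doas''; SYNOPSIS still needs `.Op Fl a Ar style`, and the new `auth-doas` capability should be cross-referenced (`.Xr login.conf 5`) and documented in login.conf(5) itself, since that is where administrators will look for it.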
Index: doas.c
===
RCS file: /cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.38
diff -u -r1.38 doas.c
--- doas.c  22 Aug 2015 16:01:05 -  1.38
+++ doas.c  26 Aug 2015 13:34:14 -
@@ -36,7 +36,7 @@
 static void __dead
 usage(void)
 {
-	fprintf(stderr, usage: doas [-ns] [-C config] [-u user] command 
[args]\n);
+	fprintf(stderr, usage: doas [-ns] [-a style] [-C config] [-u user] 
command [args]\n);

exit(1);
 }

@@ -318,6 +318,7 @@
const char *cmd;
char cmdline[LINE_MAX];
char myname[_PW_NAME_LEN + 1];
+   char *login_style = NULL;
struct passwd *pw;
struct rule *rule;
uid_t uid;
@@ -332,8 +333,11 @@

uid = getuid();

-   while ((ch = getopt(argc, argv, C:nsu:)) != -1) {
+   while ((ch = getopt(argc, argv, a:C:nsu:)) != -1) {
switch (ch) {
+   case 'a':
+   login_style = optarg;
+   break;
case 'C':
confpath = optarg;
break;
@@ -409,7 +413,7 @@
if (!(rule-options  NOPASS)) {
if (nflag)
errx(1, Authorization required);
-   if (!auth_userokay(myname, NULL, NULL, NULL)) {
+   if (!auth_userokay(myname, login_style, auth-doas, NULL)) {
syslog(LOG_AUTHPRIV | LOG_NOTICE,
failed password for %s, myname);
permfail();
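Review bot: the `-n` check above still fires before any style is consulted, which is right. For the auth call, `failed password for %s` in the syslog line should become `failed auth for %s` or include `login_style`, otherwise authpriv logs attribute a failed yubikey or skey attempt to a bad password and confuse anyone investigating a brute-force.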

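The restriction the patch describes ("administratively, in login.conf, you can restrict it") as a concrete login.conf fragment. This is an added, constructed example and not from the thread; it assumes the `-a style` option and the `auth-doas` lookup exactly as in the diff above, and that `login_yubikey(8)` is installed in /usr/libexec/auth.

```text
# Constructed login.conf fragment (not from the thread); the two "default"
# classes are alternatives, only one belongs in a real file.

# Weak: every style listed under auth is selectable with "doas -a", so
# "doas -a passwd" bypasses the token even though yubikey is listed first
# and is therefore the default when no -a is given.
default:\
	:auth=yubikey,passwd:

# Narrowed: doas consults auth-doas before falling back to auth, so only
# the token is accepted for doas ("doas -a passwd" is refused), while
# login(1) and su(1) keep using the auth list.
default:\
	:auth=yubikey,passwd:\
	:auth-doas=yubikey:
```

After editing, rebuild /etc/login.conf.db with `cap_mkdb /etc/login.conf` if the database is in use, then verify that `doas -a yubikey true` prompts for the token and `doas -a passwd true` is refused; the refusal is what proves the library, not doas, is enforcing the list.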


Re: doas authentication type

2015-08-26 Thread Alexander Hall


On August 26, 2015 10:21:23 AM GMT+02:00, Renaud Allard ren...@allard.it 
wrote:
On 08/26/2015 09:36 AM, Renaud Allard wrote:
 On 08/26/2015 09:26 AM, Gregor Best wrote:
 On Wed, Aug 26, 2015 at 08:42:31AM +0200, Renaud Allard wrote:
 [...]
 +fprintf(stderr, usage: doas [-ans] [-C config] [-u user]
command
 [args]\n);
 [...]

 The usage string should probably be

 usage: doas [-ns] [-a style] [-C config] [-u user] command
[args]

 and the new option should appear in doas(1).


 True, I will change and add that


Here is the new patch with the man page corrected and an additional auth-doas 
as suggested by Alexander Hall

diff -ur doas.orig/doas.1 doas/doas.1
--- doas.orig/doas.1   Wed Aug 26 10:18:27 2015
+++ doas/doas.1Wed Aug 26 10:17:21 2015
@@ -40,6 +40,12 @@
  .Pp
  The options are as follows:
  .Bl -tag -width tenletters
+.It Fl a Ar style
+The
+.Fl a
+(authentication style) option causes
+.Nm
+to use the specified authentication style when validating the user, as

allowed by /etc/login.conf. The system administrator may specify a list

of sudo-specific authentication methods by adding an ``auth-doas''
entry 
in /etc/login.conf.

That is a horribly long line.

  .It Fl C Ar config
  Parse and check the configuration file
  .Ar config ,
diff -ur doas.orig/doas.c doas/doas.c
--- doas.orig/doas.c   Wed Aug 26 10:18:27 2015
+++ doas/doas.cWed Aug 26 10:16:14 2015
@@ -36,7 +36,7 @@
  static void __dead
  usage(void)
  {
-  fprintf(stderr, usage: doas [-ns] [-C config] [-u user] command 
[args]\n);
+  fprintf(stderr, usage: doas [-ns] [-a style] [-C config] [-u user] 
command [args]\n);
   exit(1);
  }

@@ -318,6 +318,7 @@
   const char *cmd;
   char cmdline[LINE_MAX];
   char myname[_PW_NAME_LEN + 1];
+  char *login_style = NULL;
   struct passwd *pw;
   struct rule *rule;
   uid_t uid;
@@ -332,8 +333,11 @@

   uid = getuid();

-  while ((ch = getopt(argc, argv, C:nsu:)) != -1) {
+  while ((ch = getopt(argc, argv, a:C:nsu:)) != -1) {
   switch (ch) {
+  case 'a':
+  login_style = optarg;
+  break;
   case 'C':
   confpath = optarg;
   break;
@@ -409,7 +413,7 @@
   if (!(rule-options  NOPASS)) {
   if (nflag)
   errx(1, Authorization required);
-  if (!auth_userokay(myname, NULL, NULL, NULL)) {
+  if (!auth_userokay(myname, login_style, auth-doas, NULL)) {

Assuming the login_style is limited to the login type (or the default), which I 
assume it is but could not deduce from the man page, I like this.

Whether it's adding too much to doas or not, I'm not the one to decide. I've already 
received sort of OKs for the auth-doas part.

/Alexander 

   syslog(LOG_AUTHPRIV | LOG_NOTICE,
   failed password for %s, myname);
   permfail();


OK?



Re: [patch] httpd: fcgi/PATH_INFO not handled correctly

2015-08-26 Thread Kyle Thompson
This patch fixes the problem I had previously that I mentioned on the 
Github issues.


Kyle

On 8/26/2015 1:23 PM, Denis Fondras wrote:

Hello,

While using httpd together with uwsgi and Flask, I noticed that GET requests to /
returned 404. The same setup with nginx was returning 200.

The culprit is that PATH_INFO is not set when REQUEST_URI is /.
The following patch correctly sets PATH_INFO in every case.

Denis


Index: httpd.c
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v
retrieving revision 1.39
diff -u -p -r1.39 httpd.c
--- httpd.c 20 Aug 2015 13:00:23 -  1.39
+++ httpd.c 26 Aug 2015 18:12:34 -
@@ -695,7 +695,7 @@ path_info(char *path)
  
  	for (p = end; p  start; p--) {

/* Scan every path component from the end and at each '/' */
-   if (p  end  *p != '/')
+   if (p = end  *p != '/')
continue;
  
  		/* Temporarily cut the path component out */






the very first step towards MULTIPROCESSOR friendly PF

2015-08-26 Thread Alexandr Nedvedicky
Hello,

I'm not sure I got everything right in Calgary. So this patch should roughly
illustrate how I think we should start moving forward to make PF MULTIPROCESSOR
friendly. It's quite likely my proposal/way is completely off; I'll be happy if
you put me back on the ground.

The brief summary of what patch is trying to achieve is as follows:

patch trades all splsoftnet() for KERNEL_LOCK() when it gets compiled
with MULTIPROCESSOR option on.

if MULTIPROCESSOR option is off, the compiler produces PF, which uses
splsoftnet.

To achieve this the patch introduces macros PF_LOCK()/PF_UNLOCK(),
which expand to KERNEL_LOCK()/KERNEL_UNLOCK(), when MULTIPROCESSOR is 
on.
On the other hand if MULTIPROCESSOR is off the PF_*LOCK() macros become
splsoftnet()/splx()

Skip to =breakage= if you don't care about details/future plans. Currently PF
must synchronize all those guys:

- packets, which are running through pf_test(). IP stack already
  serializes calls to pf_test() (there is always one running pf_test()
  instance at most)

- ioctl() operations on the PF driver, with packets and with each other
  (it looks like there might be more processes which read the state table;
  those are allowed to run in parallel). To serialize ioctl() operations
  with each other PF uses pf_consistency_lock (which is an RW-lock).

  If a particular ioctl() operation must be synchronized with packets it
  must get splsoftnet.

- purge thread, which expires states. purge thread must grab
  pf_consistency_lock and splsoftnet.

The desired state is to break the giant pf_consistency_lock into a few more
RW-locks, which will protect the various data PF keeps. Those RW-locks will
also synchronize packets. The list of locks I have in mind is as follows:

- pf_state_rw

- pf_anchors_rw (packets don't need to grab it as they grab rw-locks
  bound to individual rulesets)

- pf_tables_rw (packets don't need to grab it as they grab rw-locks
  bound to table instances).

The first major milestone in this effort is to introduce pf_state_rw. The patch
I'm proposing here buys us enough freedom to relatively safely decompose the
pf_consistency_lock and make pf_test() parallel for packets.

=breakage=
The proposed patch breaks the 'return-*' action when PF gets compiled with
MULTIPROCESSOR on. I think it is unsafe to call icmp_err*() functions while
holding a KERNEL_LOCK(). And it is risky to give up KERNEL_LOCK(), execute
a send operation on the response packet and re-grab KERNEL_LOCK() again, as we
would arrive in a different world (different in the sense that the pointer we
remember might be invalid now). To fix that we must introduce reference counting
for objects, so it will become safe to drop and re-grab KERNEL_LOCK() while
holding a reference.

The problem has been solved for pf_route*() functions, so PBR works in
MULTIPROCESSOR friendly PF.

My patch does not touch if_pfsync.c at all. The PF_SYNC support in
MULTIPROCESSOR PF will have to come in some later phase. You should consider it
to be broken in MULTIPROCESSOR version.

There should be no breakage in PF for GENERIC kernel.

regards
sasha

88---8-8

Index: pf.c
===
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.936
diff -u -p -r1.936 pf.c
--- pf.c19 Aug 2015 21:22:41 -  1.936
+++ pf.c26 Aug 2015 14:11:17 -
@@ -906,7 +906,7 @@ int
 pf_state_insert(struct pfi_kif *kif, struct pf_state_key **skw,
 struct pf_state_key **sks, struct pf_state *s)
 {
-   splsoftassert(IPL_SOFTNET);
+   PF_ASSERT_LOCKED(nothing);
 
s-kif = kif;
if (*skw == *sks) {
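Review bot: `PF_ASSERT_LOCKED(nothing)` takes a dummy token; the macro definitions (presumably in pfvar.h) are not in this excerpt, but an argument-less `PF_ASSERT_LOCKED()` would read better. More importantly, in the MULTIPROCESSOR build it should assert KERNEL_ASSERT_LOCKED() and, for as long as the callers of pf_test() still rely on spl, also splsoftassert(IPL_SOFTNET); otherwise the assertion is weaker than the splsoftassert() it replaces.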
@@ -1150,12 +1150,13 @@ pf_state_export(struct pfsync_state *sp,
 void
 pf_purge_thread(void *v)
 {
-   int nloops = 0, s;
+   int nloops = 0;
+   PF_LOCK_INSTANCE(s);
 
for (;;) {
tsleep(pf_purge_thread, PWAIT, pftm, 1 * hz);
 
-   s = splsoftnet();
+   PF_LOCK(s);
 
/* process a fraction of the state table every second */
pf_purge_expired_states(1 + (pf_status.states
@@ -1168,7 +1169,7 @@ pf_purge_thread(void *v)
nloops = 0;
}
 
-   splx(s);
+   PF_UNLOCK(s);
}
 }
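Review bot: PF_LOCK() only excludes the purge thread from packet processing if every pf_test() entry path holds KERNEL_LOCK() in the MULTIPROCESSOR build; under the old scheme the softnet IPL did that. If some input path runs unlocked, pf_purge_expired_states() can free a state that pf_test() is still using, which is exactly the use-after-free class the =breakage= paragraph describes for return-*. `PF_LOCK_INSTANCE(s)` among the declarations is the right placement, since it presumably expands to `int s;` in the non-MP build; the tsleep() outside the lock is fine.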
 
@@ -1259,7 +1260,7 @@ pf_src_tree_remove_state(struct pf_state
 void
 pf_unlink_state(struct pf_state *cur)
 {
-   splsoftassert(IPL_SOFTNET);
+   PF_ASSERT_LOCKED(nothing);
 
/* handle load balancing related tasks */
pf_postprocess_addr(cur);
@@ -1294,7 +1295,7 @@ pf_free_state(struct pf_state *cur)
 {
struct pf_rule_item *ri;
 
-   splsoftassert(IPL_SOFTNET);
+   PF_ASSERT_LOCKED(nothing);
 
 #if NPFSYNC  0
if
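The drop-and-re-grab hazard described under =breakage=, and the reference-counting fix the message proposes, as an added userland illustration; this is not code from the patch or from pf. It models a hypothetical state table whose "send" step must run without the lock while the purge thread may unlink the state meanwhile; `state_ref()`/`state_unref()`, `run_demo()`, the lock flag and the table are invented for the demo.

```c
/* Added illustration, not pf code: a reference count keeps a state valid
 * across a lock drop.  The lock is a flag so the demo runs in userland. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

struct state {
	int		 id;
	int		 refcnt;	/* table's ref + refs held by callers */
	struct state	*next;
};

static struct state	*table;		/* hypothetical state table */
static int		 locked;	/* stands in for KERNEL_LOCK() */
static int		 freed;		/* states freed so far */
int			 last_id;	/* id read by the last send_reply() */

static void lock(void)   { assert(!locked); locked = 1; }
static void unlock(void) { assert(locked);  locked = 0; }
static void state_ref(struct state *s) { assert(locked); s->refcnt++; }

/* Insert a state; the table itself owns one reference. */
static struct state *
state_insert(int id)
{
	struct state *s;
	assert(locked);
	if ((s = calloc(1, sizeof(*s))) == NULL)
		abort();
	s->id = id;
	s->refcnt = 1;
	s->next = table;
	table = s;
	return s;
}

static void
state_unref(struct state *s)
{
	assert(locked);
	if (--s->refcnt == 0) {		/* last reference: really free it */
		free(s);
		freed++;
	}
}

/* The purge thread's job: unlink everything and drop the table's refs. */
static void
purge_all(void)
{
	struct state *s, *next;
	assert(locked);
	for (s = table; s != NULL; s = next) {
		next = s->next;
		state_unref(s);
	}
	table = NULL;
}

static void
purge_while_unlocked(void) { lock(); purge_all(); unlock(); }

/* A send step that must run unlocked (think icmp_error()).  Without the
 * extra reference the purge could free s meanwhile and reading s->id
 * would be a use-after-free. */
static int
send_reply(struct state *s, void (*while_unlocked)(void))
{
	int id;
	assert(locked);
	state_ref(s);
	unlock();
	if (while_unlocked != NULL)
		while_unlocked();	/* the purge thread runs here */
	id = s->id;			/* still valid: we hold a reference */
	lock();
	state_unref(s);			/* frees s if the purge unlinked it */
	return id;
}

/* Returns how many states had been freed when send_reply() returned. */
int
run_demo(int purge_during_send)
{
	struct state *s;
	int observed;
	freed = 0;
	lock();
	s = state_insert(42);
	last_id = send_reply(s, purge_during_send ? purge_while_unlocked : NULL);
	observed = freed;
	if (!purge_during_send)
		purge_all();		/* clean up the untouched table */
	unlock();
	return observed;
}

int
main(void)
{
	int n = run_demo(1);
	printf("purge during send: freed=%d id=%d\n", n, last_id);
	n = run_demo(0);
	printf("no purge:          freed=%d id=%d\n", n, last_id);
	return 0;
}
```

With the purge running during the unlocked window the state is freed exactly once, by the last `state_unref()` in `send_reply()` after the lock is re-taken, and the id read while unlocked is still the right one; without the extra reference the same sequence would read freed memory. The pattern carries over to the kernel unchanged: take the reference under KERNEL_LOCK(), drop the lock, do the send, re-take the lock, drop the reference.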