Date: Wed, 13 Jan 2010 22:17:33 GMT From: Rene Ladan <rene@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 173101 for review Message-ID: <201001132217.o0DMHXhI033815@repoman.freebsd.org>
http://p4web.freebsd.org/chv.cgi?CH=173101 Change 173101 by rene@rene_self on 2010/01/13 22:16:40 IFC Affected files ... .. //depot/projects/docproj_nl/en_US.ISO8859-1/books/handbook/security/chapter.sgml#12 integrate .. //depot/projects/docproj_nl/en_US.ISO8859-1/books/porters-handbook/book.sgml#68 integrate .. //depot/projects/docproj_nl/www/en/news/status/report-2009-10-2009-12.xml#2 integrate Differences ... ==== //depot/projects/docproj_nl/en_US.ISO8859-1/books/handbook/security/chapter.sgml#12 (text+ko) ==== @@ -1,7 +1,7 @@ <!-- The FreeBSD Documentation Project - $FreeBSD: doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v 1.334 2009/01/28 03:39:01 ganbold Exp $ + $FreeBSD: doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v 1.335 2010/01/13 21:07:24 bcr Exp $ --> <chapter id="security"> @@ -506,8 +506,10 @@ system are the suid-root and sgid binaries installed on the system. Most of these binaries, such as <application>rlogin</application>, reside - in <filename>/bin</filename>, <filename>/sbin</filename>, - <filename>/usr/bin</filename>, or <filename>/usr/sbin</filename>. + in <filename class="directory">/bin</filename>, <filename + class="directory">/sbin</filename>, <filename + class="directory">/usr/bin</filename>, or <filename + class="directory">/usr/sbin</filename>. While nothing is 100% safe, the system-default suid and sgid binaries can be considered reasonably safe. Still, <username>root</username> holes are occasionally found in these 
@@ -650,7 +652,8 @@ the system at a higher secure level but skip setting the <literal>schg</literal> flag for every system file and directory under the sun. Another possibility is to simply - mount <filename>/</filename> and <filename>/usr</filename> read-only. + mount <filename class="directory">/</filename> and <filename + class="directory">/usr</filename> read-only. It should be noted that being too draconian about what is permitted may prevent the all-important detection of an intrusion.</para> </sect2> @@ -663,9 +666,10 @@ system configuration and control files so much before the convenience factor rears its ugly head. For example, using <command>chflags</command> to set the <literal>schg</literal> bit - on most of the files in <filename>/</filename> and - <filename>/usr</filename> is probably counterproductive, because - while it may protect the files, it also closes a detection window. + on most of the files in <filename class="directory">/</filename> and + <filename class="directory">/usr</filename> is probably + counterproductive, because while it may protect the files, it also + closes a detection window. The last layer of your security onion is perhaps the most important — detection. The rest of your security is pretty much useless (or, worse, presents you with a false sense of 
@@ -702,14 +706,14 @@ scripts out of simple system utilities such as &man.find.1; and &man.md5.1;. It is best to physically md5 the client-box files at least once a day, and to test control files such as those - found in <filename>/etc</filename> and - <filename>/usr/local/etc</filename> even more often. When + found in <filename class="directory">/etc</filename> and <filename + class="directory">/usr/local/etc</filename> even more often. When mismatches are found, relative to the base md5 information the limited-access machine knows is valid, it should scream at a sysadmin to go check it out. A good security script will also check for inappropriate suid binaries and for new or deleted files - on system partitions such as <filename>/</filename> and - <filename>/usr</filename>.</para> + on system partitions such as <filename class="directory">/</filename> + and <filename class="directory">/usr</filename>.</para> <para>When using ssh rather than NFS, writing the security script is much more difficult. You @@ -1620,8 +1624,8 @@ <para>This is done on the Kerberos server only. First make sure that you do not have any old Kerberos databases around. You should change - to the directory <filename>/etc/kerberosIV</filename> and check that - only the following files are present:</para> + to the directory <filename class="directory">/etc/kerberosIV</filename> + and check that only the following files are present:</para> <screen>&prompt.root; <userinput>cd /etc/kerberosIV</userinput> &prompt.root; <userinput>ls</userinput> 
@@ -1789,11 +1793,10 @@ <para>We now have to extract all the instances which define the services on each machine. For this we use the <command>ext_srvtab</command> command. This will create a file - which must be copied or moved <emphasis>by secure - means</emphasis> to each Kerberos client's - <filename>/etc</filename> directory. This file must - be present on each server and client, and is crucial to the - operation of Kerberos.</para> + which must be copied or moved <emphasis>by secure means</emphasis> to + each Kerberos client's <filename class="directory">/etc</filename> + directory. This file must be present on each server and client, and is + crucial to the operation of Kerberos.</para> <screen>&prompt.root; <userinput>ext_srvtab grunt</userinput> @@ -1815,8 +1818,8 @@ safe, then copy the <filename><replaceable>client</replaceable>-new-srvtab</filename> to removable media and transport it by secure physical means. Be sure to - rename it to <filename>srvtab</filename> in the client's - <filename>/etc</filename> directory, and make sure it is + rename it to <filename>srvtab</filename> in the client's <filename + class="directory">/etc</filename> directory, and make sure it is mode 600:</para> <screen>&prompt.root; <userinput>mv grumble-new-srvtab srvtab</userinput> @@ -1866,8 +1869,8 @@ have correctly edited your <filename>/etc/rc.conf</filename> then this will happen automatically when you reboot. This is only necessary on the Kerberos server. Kerberos clients will automatically get what - they need from the <filename>/etc/kerberosIV</filename> - directory.</para> + they need from the <filename + class="directory">/etc/kerberosIV</filename> directory.</para> <screen>&prompt.root; <userinput>kerberos &</userinput> Kerberos server starting 
@@ -2669,8 +2672,8 @@ <application>Kerberos</application> web site (<ulink url="http://web.mit.edu/Kerberos/www/"></ulink>) is recommended. Be careful of path issues: the - <acronym>MIT</acronym> port installs into - <filename>/usr/local/</filename> by default, and the + <acronym>MIT</acronym> port installs into <filename + class="directory">/usr/local/</filename> by default, and the <quote>normal</quote> system applications may be run instead of <acronym>MIT</acronym> if your <envar>PATH</envar> environment variable lists the system directories first.</para> @@ -2728,9 +2731,9 @@ <para>In a multi-user environment, <application>Kerberos</application> is less secure. - This is because it stores the tickets in the - <filename>/tmp</filename> directory, which is readable by all - users. If a user is sharing a computer with several other + This is because it stores the tickets in the <filename + class="directory">/tmp</filename> directory, which is readable by + all users. If a user is sharing a computer with several other people simultaneously (i.e. multi-user), it is possible that the user's tickets can be stolen (copied) by another user.</para> @@ -3662,7 +3665,8 @@ <para>The system-wide configuration files for both the <application>OpenSSH</application> daemon and client reside - within the <filename>/etc/ssh</filename> directory.</para> + within the <filename class="directory">/etc/ssh</filename> + directory.</para> <para><filename>ssh_config</filename> configures the client settings, while <filename>sshd_config</filename> configures the 
@@ -4053,10 +4057,12 @@ drwxrwx---+ 2 robert robert 512 Dec 27 11:57 directory3 drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting> - <para>Here we see that the <filename>directory1</filename>, - <filename>directory2</filename>, and <filename>directory3</filename> - directories are all taking advantage of <acronym>ACL</acronym>s. The - <filename>public_html</filename> directory is not.</para> + <para>Here we see that the <filename + class="directory">directory1</filename>, <filename + class="directory">directory2</filename>, and <filename + class="directory">directory3</filename> directories are all taking + advantage of <acronym>ACL</acronym>s. The <filename + class="directory">public_html</filename> directory is not.</para> <sect2> <title>Making Use of <acronym>ACL</acronym>s</title> @@ -4310,9 +4316,10 @@ look over the output from <command>ident</command> on the affected files will help in determining the revision. For ports, the version number is listed after the port name - in <filename>/var/db/pkg</filename>. If the system does not - sync with the &os; <acronym>CVS</acronym> repository and rebuild - daily, chances are that it is affected.</para> + in <filename class="directory">/var/db/pkg</filename>. If the + system does not sync with the &os; <acronym>CVS</acronym> + repository and rebuild daily, chances are that it is + affected.</para> </callout> <callout arearefs="co-corrected"> ==== //depot/projects/docproj_nl/en_US.ISO8859-1/books/porters-handbook/book.sgml#68 (text+ko) ==== @@ -1,7 +1,7 @@ <!-- The FreeBSD Documentation Project - $FreeBSD: doc/en_US.ISO8859-1/books/porters-handbook/book.sgml,v 1.1046 2010/01/09 06:16:56 linimon Exp $ + $FreeBSD: doc/en_US.ISO8859-1/books/porters-handbook/book.sgml,v 1.1047 2010/01/13 19:46:35 ed Exp $ --> <!DOCTYPE BOOK PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [ 
@@ -13493,6 +13493,14 @@ <function>alphasort(3)</function> prototypes to conform to SUSv4.</entry> </row> + <row> + <entry>900007</entry> + <entry>January 13, 2010</entry> + <entry>9.0-CURRENT after the removal of utmp(5) and + the addition of utmpx (see + <function>getutxent(3)</function>) for improved + logging of user logins and system events.</entry> + </row> </tbody> </tgroup> </table> ==== //depot/projects/docproj_nl/www/en/news/status/report-2009-10-2009-12.xml#2 (text+ko) ==== @@ -2,7 +2,7 @@ <!DOCTYPE report PUBLIC "-//FreeBSD//DTD FreeBSD XML Database for Status Report//EN" "http://www.FreeBSD.org/XML/www/share/sgml/statusreport.dtd"> -<!-- $FreeBSD: www/en/news/status/report-2009-10-2009-12.xml,v 1.1 2010/01/12 21:27:23 danger Exp $ --> +<!-- $FreeBSD: www/en/news/status/report-2009-10-2009-12.xml,v 1.4 2010/01/13 15:47:01 gabor Exp $ --> <report> <date> <month>October-December</month> @@ -87,6 +87,12 @@ <description>Miscellaneous</description> </category> + <category> + <name>bin</name> + + <description>Userland utilities</description> + </category> + <project cat='vendor'> <title>DAHDI (Zaptel) support for &os;</title> 
@@ -613,6 +619,91 @@ </help> </project> + <project cat='docs'> + <title>The FreeBSD Spanish Documentation Project</title> + + <contact> + <person> + <name> + <given>Gábor</given> + <common>Kövesdán</common> + </name> + <email>gabor@FreeBSD.org</email> + </person> + </contact> + + <links> + <url href="Introduction to the Spanish Documentation Project">http://www.freebsd.org/doc/es/articles/fdp-es/</url> + + <url href="Translators' Mailing List">https://listas.es.freebsd.org/mailman/listinfo/doc</url> + </links> + + <body> + <p>There is one article translation pending review. Apart from this, + neither translation nor maintainance work has been done. We need + more volunteers, mostly translators but we are glad to have + more reviewers, as well. One can join by simply subscribing to + the translators' mailing list, where all the work is done.</p> + </body> + + <help> + <task>Update Handbook translation</task> + + <task>Update webpage translation</task> + + <task>Add more article translations</task> + </help> + </project> + + <project cat='docs'> + <title>The FreeBSD Hungarian Documentation Project</title> + + <contact> + <person> + <name> + <given>Gábor</given> + <common>Kövesdán</common> + </name> + <email>gabor@FreeBSD.org</email> + </person> + + <person> + <name> + <given>Gábor</given> + <common>Páli</common> + </name> + <email>pgj@FreeBSD.org</email> + </person> + </contact> + + <links> + <url href="http://www.FreeBSD.org/hu">Hungarian Web Page for FreeBSD</url> + + <url href="http://www.FreeBSD.org/doc/hu">Hungarian Documentation + for FreeBSD</url> + + <url href="http://wiki.FreeBSD.org/HungarianDocumentationProject">The + FreeBSD Hungarian Documentation Project's Wiki Page</url> + + <url href="http://p4web.freebsd.org/@md=d&cd=//depot/projects/docproj_hu/&c=aXw@//depot/projects/docproj_hu/?ac=83">Perforce + Depot for the FreeBSD Hungarian Documentation Project</url> + </links> + + <body> + <p>In the last months, no new translation has been added. 
+ Lacking human resources, we can only manage the existing + documentation and web page translations. If you are interested + in helping us, please contact us via the the email addresses + noted above.</p> + </body> + + <help> + <task>Translate release notes</task> + + <task>Add more article translations</task> + </help> + </project> + <project cat='misc'> <title>The &os; Forums</title> @@ -743,6 +834,40 @@ </help> </project> + <project cat='kern'> + <title>Group Limit Increase</title> + + <contact> + <person> + <name> + <given>Brooks</given> + <common>Davis</common> + </name> + <email>brooks@freebsd.org</email> + </person> + </contact> + + <links/> + + <body> + <p>Historically, FreeBSD has limited the number of supplemental + groups per process to 15 (NGROUPS_MAX was incorrectly declared to be + 16). In FreeBSD 8.0 we raised the limit to 1023, which should be + sufficient for most users and will be acceptably efficient for + incorrectly written applications that statically allocate + NGROUPS_MAX + 1 entries.</p> + + <p>Because some systems such as Linux 2.6 support a larger + group limit, we have further relaxed this restriction in -CURRENT and + made kern.ngroups a tunable value, which supports values between 1023 + and INT_MAX - 1. We plan to merge this to 8-STABLE before + 8.1-RELEASE.</p> + </body> + + <help/> + </project> + + <project cat='net'> <title>Syncing pf(4) with OpenBSD 4.5</title> 
@@ -972,6 +1097,97 @@ </help> </project> + <project cat='arch'> + <title>Flattened Device Tree for embedded FreeBSD</title> + + <contact> + <person> + <name> + <given>Rafal</given> + <common>Jaworowski</common> + </name> + <email>raj@semihalf.com</email> + </person> + </contact> + + <links> + <url href="http://wiki.freebsd.org/FlattenedDeviceTree">Project wiki pages</url> + + <url href="http://p4db.freebsd.org/changeList.cgi?FSPC=//depot/projects/fdt/...">Project P4 branch</url> + </links> + + <body> + <p>The purpose of this project is to provide FreeBSD with support for the + Flattened Device Tree (FDT) technology, the mechanism for describing + computer hardware resources, which cannot be probed or self enumerated, in + a uniform and portable way. The primary consumer of this technology are + embedded FreeBSD platforms (ARM, AVR32, MIPS, PowerPC), where a lot of + designs are based on similar chips, but have different assignment of pins, + memory layout, addresses bindings, interrupts routing and other resources.</p> + + <p>Current state highlights:</p> + + <ul> + <li>Environment, support tools</li> + + <ul> + <li>integrated device tree compiler (dtc) and libfdt into FreeBSD + userspace, kernel and loader build</li> + </ul> + + <li>loader(8)</li> + + <ul> + <li>full support for device tree blob handling</li> + + <li>load, traverse, modify (including add/remove) device tree + nodes and properties</li> + + <li>pass the device tree blob to the kernel</li> + + <li>both ARM and PowerPC loader(8) supported</li> + </ul> + + <li>kernel side FDT support (common)</li> + + <ul> + <li>developed OF interface for FDT-backed platforms</li> + + <li>ofw_bus I/F (and /dev/openfirm) available with FDT</li> + + <li>integrated FDT resources representation with newbus (fdtbus + and simplebus drivers)</li> + </ul> + + <li>PowerPC kernel (Freescale MPC85XX SOC)</li> + + <ul> + <li>MPC8555CDS and MPC8572DS successfully converted to FDT + conventions</li> + </ul> + + <li>ARM kernel 
(Marvell Orion, Kirkwood and Discovery SOC)</li> + + <ul> + <li>work in progress on integrating FDT infrastructure with ARM + platform code</li> + </ul> + </ul> + + <p>Work on this project is sponsored by the FeeBSD Foundation.</p> + </body> + + <help> + <task>Complete missing pieces for PowerPC (PCI bridge driver conversion to + FDT)</task> + + <task>Complete ARM support</task> + + <task>Merge to SVN</task> + </help> + </project> + + <project cat='proj'> <title>HAST - Highly Available Storage</title> 
@@ -1026,5 +1242,100 @@ Thank you!</p> </body> </project> + + <project cat='proj'> + <title>Wireless mesh networking</title> + + <contact> + <person> + <name> + <given>Rui</given> + <common>Paulo</common> + </name> + <email>rpaulo@FreeBSD.org</email> + </person> + </contact> + + <links> + <url href="http://wiki.freebsd.org/WifiMesh"/> + </links> + + <body> + <p>Development of the FreeBSD 802.11s stack continues. The code in + FreeBSD HEAD has been updated to comply with draft 4.0. Merge to + FreeBSD 8-STABLE will be done soon.</p> + + <p>The developer is looking for funding to be able to implement mesh + link security algorithms and/or coordinated channel access + (performance improvement).</p> + </body> + + <help/> + </project> + + <project cat='soc'> + <title>BSD-licensed iconv</title> + + <contact> + <person> + <name> + <given>Gábor</given> + <common>Kövesdán</common> + </name> + <email>gabor@FreeBSD.org</email> + </person> + </contact> + + <links> + <url href="http://p4db.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/soc2009/gabor_iconv">Sources in the Perforce repository</url> + </links> + + <body> + <p>Good compatibility has been ensured and there are only few pending + items, which have to be reviewed/enhanced. Recently, an enhacement + has been completed, which makes it possible to accomplish better + transliteration, just like in the GNU version. 
An initial testing + patch is expected at the beginning of February.</p> + </body> + + <help> + <task>Enhance conversion tables to make use of enhanced + transliteration.</task> + + <task>A performance optimization might be done later.</task> + </help> + </project> + + <project cat='bin'> + <title>BSD-licensed text processing tools</title> + + <contact> + <person> + <name> + <given>Gábor</given> + <common>Kövesdán</common> + </name> + <email>gabor@FreeBSD.org</email> + </person> + </contact> + + <links> + <url href="http://p4db.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/soc2008/gabor_textproc">Perforce repository</url> + </links> + + <body> + <p>As 8.0-RELEASE is out, BSD bc/dc can be now committed, we are + only waiting for the portbuild exp-run to make sure there are no + regressions after this change. BSD grep is stalled because of + some regex library issues. We need first a fast and modern regex + library so that we can change to BSD grep. BSD sort has few + incomplete features and needs some performance review.</p> + </body> + + <help> + <task>Commit BSD bc/dc</task> + + <task>Implement remaining features for sort and optimize performance</task> + </help> + </project> </report> -
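Review bot: In the `@@ -613,6 +619,91 @@` hunk of report-2009-10-2009-12.xml, both `<url>` elements in the Spanish Documentation Project `<links>` have the address and the link title swapped: `<url href="Introduction to the Spanish Documentation Project">http://www.freebsd.org/doc/es/articles/fdp-es/</url>` puts the title in `href` and the URL in the element body, while the Hungarian entries added in the same hunk put the URL in `href` as the DTD expects. Suggest `<url href="http://www.freebsd.org/doc/es/articles/fdp-es/">Introduction to the Spanish Documentation Project</url>` and the same fix for the translators' mailing-list link. The same hunk also has two typos worth fixing before integration: "maintainance" (maintenance) in the Spanish project body and "via the the email addresses" (doubled "the") in the Hungarian project body.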
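Review bot: In the `@@ -743,6 +834,40 @@` hunk (Group Limit Increase), the contact address is written `brooks@freebsd.org`, whereas every other `<email>` in this report uses the `@FreeBSD.org` capitalisation (`gabor@FreeBSD.org`, `pgj@FreeBSD.org`, `rpaulo@FreeBSD.org`); suggest `brooks@FreeBSD.org` for consistency.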
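Review bot: In the `@@ -972,6 +1097,97 @@` hunk (Flattened Device Tree), each nested `<ul>` is placed as a direct child of the outer `<ul>`, immediately after the `<li>` it belongs to, rather than inside that `<li>`; a `ul` may only contain `li` children, so the sub-lists should be moved inside their items, e.g. `<li>loader(8) <ul> ... </ul></li>`. Two wording points in the same hunk: "sponsored by the FeeBSD Foundation" should read "FreeBSD Foundation", and "The primary consumer of this technology are embedded FreeBSD platforms" needs subject-verb agreement ("The primary consumers of this technology are ...").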
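Review bot: In the `@@ -1026,5 +1242,100 @@` hunk, the Wireless mesh networking entry uses an empty link element, `<url href="http://wiki.freebsd.org/WifiMesh"/>`, while every other `<url>` in the report carries descriptive link text; suggest adding a title such as "Project wiki page". Typos and grammar in the same hunk: "enhacement" (enhancement) and "only few pending items" ("only a few") in the iconv body, and "can be now committed" ("can now be committed") and "BSD sort has few incomplete features" ("has a few") in the text processing tools body.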