From owner-p4-projects@FreeBSD.ORG Wed Jan 13 22:17:35 2010
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 39813106575E; Wed, 13 Jan 2010 22:17:34 +0000 (UTC)
Delivered-To: perforce@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 381EF1065692 for ; Wed, 13 Jan 2010 22:17:34 +0000 (UTC) (envelope-from rene@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 249438FC1F for ; Wed, 13 Jan 2010 22:17:34 +0000 (UTC)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id o0DMHYFJ033817 for ; Wed, 13 Jan 2010 22:17:34 GMT (envelope-from rene@FreeBSD.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id o0DMHXhI033815 for perforce@freebsd.org; Wed, 13 Jan 2010 22:17:33 GMT (envelope-from rene@FreeBSD.org)
Date: Wed, 13 Jan 2010 22:17:33 GMT
Message-Id: <201001132217.o0DMHXhI033815@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to rene@FreeBSD.org using -f
From: Rene Ladan
To: Perforce Change Reviews
Precedence: bulk
Cc:
Subject: PERFORCE change 173101 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 13 Jan 2010 22:17:35 -0000

http://p4web.freebsd.org/chv.cgi?CH=173101

Change 173101 by rene@rene_self on 2010/01/13 22:16:40

IFC

Affected files ...

.. //depot/projects/docproj_nl/en_US.ISO8859-1/books/handbook/security/chapter.sgml#12 integrate
.. //depot/projects/docproj_nl/en_US.ISO8859-1/books/porters-handbook/book.sgml#68 integrate
.. //depot/projects/docproj_nl/www/en/news/status/report-2009-10-2009-12.xml#2 integrate

Differences ...

==== //depot/projects/docproj_nl/en_US.ISO8859-1/books/handbook/security/chapter.sgml#12 (text+ko) ====

@@ -1,7 +1,7 @@ @@ -506,8 +506,10 @@ system are the suid-root and sgid binaries installed on the system. Most of these binaries, such as rlogin, reside - in /bin, /sbin, - /usr/bin, or /usr/sbin. + in /bin, /sbin, /usr/bin, or /usr/sbin. While nothing is 100% safe, the system-default suid and sgid binaries can be considered reasonably safe. Still, root holes are occasionally found in these @@ -650,7 +652,8 @@ the system at a higher secure level but skip setting the schg flag for every system file and directory under the sun. Another possibility is to simply - mount / and /usr read-only. + mount / and /usr read-only. It should be noted that being too draconian about what is permitted may prevent the all-important detection of an intrusion. 
@@ -663,9 +666,10 @@ system configuration and control files so much before the convenience factor rears its ugly head. For example, using chflags to set the schg bit - on most of the files in / and - /usr is probably counterproductive, because - while it may protect the files, it also closes a detection window. + on most of the files in / and + /usr is probably + counterproductive, because while it may protect the files, it also + closes a detection window. The last layer of your security onion is perhaps the most important — detection. The rest of your security is pretty much useless (or, worse, presents you with a false sense of @@ -702,14 +706,14 @@ scripts out of simple system utilities such as &man.find.1; and &man.md5.1;. It is best to physically md5 the client-box files at least once a day, and to test control files such as those - found in /etc and - /usr/local/etc even more often. When + found in /etc and /usr/local/etc even more often. When mismatches are found, relative to the base md5 information the limited-access machine knows is valid, it should scream at a sysadmin to go check it out. A good security script will also check for inappropriate suid binaries and for new or deleted files - on system partitions such as / and - /usr. + on system partitions such as / + and /usr. When using ssh rather than NFS, writing the security script is much more difficult. You @@ -1620,8 +1624,8 @@ This is done on the Kerberos server only. First make sure that you do not have any old Kerberos databases around. You should change - to the directory /etc/kerberosIV and check that - only the following files are present: + to the directory /etc/kerberosIV + and check that only the following files are present: &prompt.root; cd /etc/kerberosIV &prompt.root; ls 
@@ -1789,11 +1793,10 @@ We now have to extract all the instances which define the services on each machine. For this we use the ext_srvtab command. This will create a file - which must be copied or moved by secure - means to each Kerberos client's - /etc directory. This file must - be present on each server and client, and is crucial to the - operation of Kerberos. + which must be copied or moved by secure means to + each Kerberos client's /etc + directory. This file must be present on each server and client, and is + crucial to the operation of Kerberos. &prompt.root; ext_srvtab grunt @@ -1815,8 +1818,8 @@ safe, then copy the client-new-srvtab to removable media and transport it by secure physical means. Be sure to - rename it to srvtab in the client's - /etc directory, and make sure it is + rename it to srvtab in the client's /etc directory, and make sure it is mode 600: &prompt.root; mv grumble-new-srvtab srvtab @@ -1866,8 +1869,8 @@ have correctly edited your /etc/rc.conf then this will happen automatically when you reboot. This is only necessary on the Kerberos server. Kerberos clients will automatically get what - they need from the /etc/kerberosIV - directory. + they need from the /etc/kerberosIV directory. &prompt.root; kerberos & Kerberos server starting @@ -2669,8 +2672,8 @@ Kerberos web site () is recommended. Be careful of path issues: the - MIT port installs into - /usr/local/ by default, and the + MIT port installs into /usr/local/ by default, and the normal system applications may be run instead of MIT if your PATH environment variable lists the system directories first. 
@@ -2728,9 +2731,9 @@ In a multi-user environment, Kerberos is less secure. - This is because it stores the tickets in the - /tmp directory, which is readable by all - users. If a user is sharing a computer with several other + This is because it stores the tickets in the /tmp directory, which is readable by + all users. If a user is sharing a computer with several other people simultaneously (i.e. multi-user), it is possible that the user's tickets can be stolen (copied) by another user. @@ -3662,7 +3665,8 @@ The system-wide configuration files for both the OpenSSH daemon and client reside - within the /etc/ssh directory. + within the /etc/ssh + directory. ssh_config configures the client settings, while sshd_config configures the @@ -4053,10 +4057,12 @@ drwxrwx---+ 2 robert robert 512 Dec 27 11:57 directory3 drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html - Here we see that the directory1, - directory2, and directory3 - directories are all taking advantage of ACLs. The - public_html directory is not. + Here we see that the directory1, directory2, and directory3 directories are all taking + advantage of ACLs. The public_html directory is not. Making Use of <acronym>ACL</acronym>s @@ -4310,9 +4316,10 @@ look over the output from ident on the affected files will help in determining the revision. For ports, the version number is listed after the port name - in /var/db/pkg. If the system does not - sync with the &os; CVS repository and rebuild - daily, chances are that it is affected. + in /var/db/pkg. If the + system does not sync with the &os; CVS + repository and rebuild daily, chances are that it is + affected. ==== //depot/projects/docproj_nl/en_US.ISO8859-1/books/porters-handbook/book.sgml#68 (text+ko) ==== 
@@ -1,7 +1,7 @@ alphasort(3) prototypes to conform to SUSv4. + + 900007 + January 13, 2010 + 9.0-CURRENT after the removal of utmp(5) and + the addition of utmpx (see + getutxent(3)) for improved + logging of user logins and system events. + ==== //depot/projects/docproj_nl/www/en/news/status/report-2009-10-2009-12.xml#2 (text+ko) ==== @@ -2,7 +2,7 @@ - + October-December @@ -87,6 +87,12 @@ Miscellaneous + + bin + + Userland utilities + + DAHDI (Zaptel) support for &os; @@ -613,6 +619,91 @@ + + The FreeBSD Spanish Documentation Project + + + + + Gábor + Kövesdán + + gabor@FreeBSD.org + + + + + http://www.freebsd.org/doc/es/articles/fdp-es/ + + https://listas.es.freebsd.org/mailman/listinfo/doc + + + +

There is one article translation pending review. Apart from this, + neither translation nor maintainance work has been done. We need + more volunteers, mostly translators but we are glad to have + more reviewers, as well. One can join by simply subscribing to + the translators' mailing list, where all the work is done.

+ + + + Update Handbook translation + + Update webpage translation + + Add more article translations + +
+ + + The FreeBSD Hungarian Documentation Project + + + + + Gábor + Kövesdán + + gabor@FreeBSD.org + + + + + Gábor + Páli + + pgj@FreeBSD.org + + + + + Hungarian Web Page for FreeBSD + + Hungarian Documentation + for FreeBSD + + The + FreeBSD Hungarian Documentation Project's Wiki Page + + Perforce + Depot for the FreeBSD Hungarian Documentation Project + + + +

In the last months, no new translation has been added. + Lacking human resources, we can only manage the existing + documentation and web page translations. If you are interested + in helping us, please contact us via the the email addresses + noted above.

+ + + + Translate release notes + + Add more article translations + +
+ The &os; Forums @@ -743,6 +834,40 @@ + + Group Limit Increase + + + + + Brooks + Davis + + brooks@freebsd.org + + + + + + +

Historically, FreeBSD has limited the number of supplemental + groups per process to 15 (NGROUPS_MAX was incorrectly declared to be + 16). In FreeBSD 8.0 we raised the limit to 1023, which should be + sufficient for most users and will be acceptably efficient for + incorrectly written applications that statically allocate + NGROUPS_MAX + 1 entries.

+ +

Because some systems such as Linux 2.6 support a larger + group limit, we have further relaxed this restriction in -CURRENT and + made kern.ngroups a tunable value, which supports values between 1023 + and INT_MAX - 1. We plan to merge this to 8-STABLE before + 8.1-RELEASE.

+ + + +
+ + Syncing pf(4) with OpenBSD 4.5 @@ -972,6 +1097,97 @@ + + Flattened Device Tree for embedded FreeBSD + + + + + Rafal + Jaworowski + + raj@semihalf.com + + + + + Project wiki pages + + Project P4 branch + + + +

The purpose of this project is to provide FreeBSD with support for the + Flattened Device Tree (FDT) technology, the mechanism for describing + computer hardware resources, which cannot be probed or self enumerated, in + a uniform and portable way. The primary consumer of this technology are + embedded FreeBSD platforms (ARM, AVR32, MIPS, PowerPC), where a lot of + designs are based on similar chips, but have different assignment of pins, + memory layout, addresses bindings, interrupts routing and other resources.

+ +

Current state highlights:

+ +
    +
  • Environment, support tools
  • + +
      +
    • integrated device tree compiler (dtc) and libfdt into FreeBSD + userspace, kernel and loader build
    • +
    + +
  • loader(8)
  • + +
      +
    • full support for device tree blob handling
    • + +
    • load, traverse, modify (including add/remove) device tree + nodes and properties
    • + +
    • pass the device tree blob to the kernel
    • + +
    • both ARM and PowerPC loader(8) supported
    • +
    + +
  • kernel side FDT support (common)
  • + +
      +
    • developed OF interface for FDT-backed platforms
    • + +
    • ofw_bus I/F (and /dev/openfirm) available with FDT
    • + +
    • integrated FDT resources representation with newbus (fdtbus + and simplebus drivers)
    • +
    + +
  • PowerPC kernel (Freescale MPC85XX SOC)
  • + +
      +
    • MPC8555CDS and MPC8572DS successfully converted to FDT + conventions
    • +
    + +
  • ARM kernel (Marvell Orion, Kirkwood and Discovery SOC)
  • + +
      +
    • work in progress on integrating FDT infrastructure with ARM + platform code
    • +
    +
+ +

Work on this project is sponsored by the FeeBSD Foundation.

+ + + + Complete missing pieces for PowerPC (PCI bridge driver conversion to + FDT) + + Complete ARM support + + Merge to SVN + +
+ + HAST - Highly Available Storage @@ -1026,5 +1242,100 @@ Thank you!

+ + + Wireless mesh networking + + + + + Rui + Paulo + + rpaulo@FreeBSD.org + + + + + + + + +

Development of the FreeBSD 802.11s stack continues. The code in + FreeBSD HEAD has been updated to comply with draft 4.0. Merge to + FreeBSD 8-STABLE will be done soon.

+ +

The developer is looking for funding to be able to implement mesh + link security algorithms and/or coordinated channel access + (performance improvement).

+ + + +
+ + + BSD-licensed iconv + + + + + Gábor + Kövesdán + + gabor@FreeBSD.org + + + + + Sources in the Perforce repository + + + +

Good compatibility has been ensured and there are only few pending + items, which have to be reviewed/enhanced. Recently, an enhacement + has been completed, which makes it possible to accomplish better + transliteration, just like in the GNU version. An initial testing + patch is expected at the beginning of February.

+ + + + Enhance conversion tables to make use of enhanced + transliteration. + + A performance optimization might be done later. + +
+ + + BSD-licensed text processing tools + + + + + Gábor + Kövesdán + + gabor@FreeBSD.org + + + + + Perforce repository + + + +

As 8.0-RELEASE is out, BSD bc/dc can be now committed, we are + only waiting for the portbuild exp-run to make sure there are no + regressions after this change. BSD grep is stalled because of + some regex library issues. We need first a fast and modern regex + library so that we can change to BSD grep. BSD sort has few + incomplete features and needs some performance review.

+ + + + Commit BSD bc/dc + + Implement remaining features for sort and optimize performance + +
-
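Review bot: the chapter.sgml hunks from @@ -506 through @@ -4310 only re-wrap existing sentences around the filename markup, so the security-chapter wording (suid/sgid binaries, the schg flag and read-only / and /usr, the md5 checks of /etc and /usr/local/etc, the Kerberos srvtab handling in mode 600, the /tmp ticket-cache caveat, and the /etc/ssh configuration files) is unchanged and nothing there needs a content review; the one hunk that cannot be reviewed from this listing is @@ -1,7 +1,7 @@ at the top of the file, whose body does not appear, so confirm what changed in those seven lines before accepting the integrate.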
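Review bot: the new version-table entry in porters-handbook/book.sgml (900007, January 13, 2010, "9.0-CURRENT after the removal of utmp(5) and the addition of utmpx (see getutxent(3))") is missing its neighbour in the visible context: only the previous entry's description ("alphasort(3) prototypes to conform to SUSv4") is shown, not its number, so confirm that 900007 directly follows the last value already in the table and that the date matches the commit that removed utmp(5), since porters key their conditionals on these numbers.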
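Review bot: the @@ -613,6 +619,91 @@ hunk of the status report (Spanish and Hungarian Documentation Project entries) has spelling and grammar slips to fix before commit: "maintainance" should be "maintenance", "mostly translators but we are glad to have more reviewers, as well" reads better as "mostly translators, but we are glad to have more reviewers as well", and the Hungarian entry has a doubled word in "via the the email addresses noted above".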
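Review bot: the Group Limit Increase entry (@@ -743,6 +834,40 @@) should say what a process that statically allocates NGROUPS_MAX + 1 entries sees once kern.ngroups is raised above 1023, because the paragraph first calls that allocation acceptably efficient for the 8.0 limit of 1023 and then introduces a tunable accepting values up to INT_MAX - 1 without saying whether such an application then gets a truncated group list or an error from the group-query calls; one sentence on that behaviour would let an administrator judge the risk of raising the tunable on a host running those "incorrectly written" applications, which matter here because supplementary groups are an authorization input.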
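Review bot: the Flattened Device Tree entry (@@ -972,6 +1097,97 @@) has "FeeBSD Foundation" in the sponsorship line, which should read "FreeBSD Foundation", and "The primary consumer of this technology are embedded FreeBSD platforms" needs number agreement ("consumers ... are" or "consumer ... is"); the "Current state highlights" list also arrives here as a run of stray bullet markers and "+" signs, so check that the nested itemizedlist markup validates before the report is built.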
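Review bot: the Wireless mesh networking entry in @@ -1026,5 +1242,100 @@ implies that mesh link security is not yet implemented (the developer is seeking funding for "mesh link security algorithms"), and since the same entry announces an imminent merge to 8-STABLE, it should state that plainly so readers do not assume the 802.11s draft 4.0 code they receive authenticates or encrypts mesh links; in the same hunk, "enhacement" in the BSD-licensed iconv entry should be "enhancement" and "there are only few pending items" should be "there are only a few pending items".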