IABSD.fr/src/usr.sbin

Branch :


Log

Author Commit Date CI Message
79d0c6f3 2025-05-24 02:56:41 Add [-w percent] and /etc/apm/warnlow hook So '-w25 -Z15' can log charge level and run the warnlow script to, e.g. play a sound or pop a window when running on battery below 25%, *before* life^work saving hibernate/suspend kicks in. OK tobhe Feedback jmc
b59df021 2025-05-23 14:33:23 Fix a mismerge in the tzcode2013d update
4e120550 2025-05-22 08:55:11 sync
ec3f7096 2025-05-22 05:58:36 Reinstate mention of chroot(2) and user quoting That should clarify the implications of, e.g. symlink behaviour inside the directory being served. Input OK schwarze jmc
43496798 2025-05-22 04:34:18 Fix OpenBSD RCS ID typos. from Andrius V
94488e84 2025-05-22 04:24:11 get rid of unecessary casts ok florian@
6359e523 2025-05-22 02:10:27 TAL stands for Trust Anchor Locator, not Location ok beck
d758b026 2025-05-22 01:40:21 pkg_delete -c does more than file cleanup
2bdc12ef 2025-05-21 09:42:21 unbreak build; typofix d{ea -> ae}mon; noticed by bluhm
f1a571bc 2025-05-21 05:09:17 Drop chroot(2) + rdaemon() and rely on pledge(2) to daemon(3) as usual Less code and a simpler mental model of dropping filesystem access. Same as usr.sbin/dhcrelay/dhcrelay.c r1.69. OK brynet
472bc62a 2025-05-21 05:05:33 Drop chroot(2) + rdaemon() and rely on pledge(2) to daemon(3) as usual "stdio route" denies file I/O, so confining to /var/empty/ is pointless, requiring a preopened /dev/null to later pass into custom rdaemon(). Drop all that and rely on tight promises after daemonising. OK brynet
812dc45b 2025-05-21 04:50:38 drop custom rdaemon(), daemon(3) as usual There is no chroot(2), only unveil(2) to a single file, see initial commit. Defer unveil for deamon(3) to see /dev/null and drop cargo-culted code. OK deraadt brynet
b93b3696 2025-05-21 03:15:40 Replace chroot(2) and custom rdaemon() with daemon(3) and unveil(2) Employ the "empty filesystem" idiom once in the background instead of preopening /dev/null, confining to /var/empty/ and using custom rdaemon(). Fix spaces in nfsd(8) (same unveil idiom) while here. Feedback OK brynet
1c23c815 2025-05-21 01:27:29 Merge remaining parts of tzcode2013d. Fixes potential issues on 32-bit systems where time_t is 64-bit but long is 32-bit. OK tb@
ee628601 2025-05-20 20:11:19 remove extra space for -c and -t args; ok millert
bde04a5b 2025-05-20 13:51:27 Back vmm(4) guest memory with UVM aobjs. For the past few years, vmm(4) would require vmd(8) to allocate virtual memory via mmap(2) in the vm process to use as guest physical memory. Then vmm(4) would create a new virtual address space itself to represent the guest and use uvm_share() to share map entries between them. This worked, but the userland dance of mmap/munmap to "find" space for guest memory and then having to teardown a full virtual address space not tied to a process caused some havoc in state management and potential race conditions. This commit simplifies how guest memory is represented and managed: 1. vmd(8) no longer calls mmap(2) to find memory for a vm. vmm(4) creates UVM aobjs to represent the memory ranges and maps them into the vmd process. 2. vmm(4) no longer faults pages into the vm's address space managed in the kernel and instead faults directly into the vmd userland process's address space. Nested page tables (EPT/RVI) are managed explicitly with pmap(9) functions. 3. vmd(8) shares guest memory between processes (e.g. virtio network & block devices) using the same ioctl as before, but vmm(4) now uses uvm_map(9) to map the aobj's into the new process. 4. The aobj mappings into the userland processes are now marked immutable. Tested with help from many: bluhm@, kirill@, hshoexer@, Jesper Wallin, xse[at]krkrkr.org. Thanks to Mischa Peters for providing access to an additional testing environment. Help from mpi@ on uvm aobj lifecycle management. ok mlarkin@
2e4fc07e 2025-05-20 10:30:41 Fix qcpas matching pattern. Multiple ORed patterns go on multiple lines. Tested on a T14s in ACPI mode. ok deraadt@
deb78824 2025-05-20 09:28:05 Make pattern for amdsev firmware download more specific. Avoid matching unrelated device names. ccp is a substring of qccpucp(4), with ^ccp0 pattern this gets fixed. OK tobhe@
5420b35b 2025-05-20 00:46:50 Handle "processing" status by retrying as the RFC suggests. Previously we would give up with "unhandled status" and not get a certificate. While here limit the amount of retries we are willing to perform in the "pending" and "processing" state. Let's encrypt seems to enter the "processing" state farely often in the staging environment. problem reported & OK sthen
d91443a8 2025-05-19 20:38:53 zdump: add -t and -V options from tzcode2013d One difference between upstream is that when -t "lotime" is not specified, we use the same low time cutoff as when no -t option is used. Upstream uses (effectively) LLONG_MIN in this case. OK tb@
03d40029 2025-05-19 19:58:58 allow comments, to be used with bsd.re-config. ok kn
b1f1eed2 2025-05-19 15:51:50 rad.conf.5: mention default setting for "other configuration" OK florian@
7285fba8 2025-05-18 20:09:58 Correct the SYNOPSIS to show that having a program is required, remove a needless ambiguity, and do not use the same argument placeholder for two different arguments. Document what happens with the arguments. Better describe how -e works. Documentation issues reported by rsadowski@. Patch drafted using information provided by claudio@. OK kn@ rsadowski@ jmc@
afea3dac 2025-05-18 07:01:41 describe argument up front, cut chroot bits It is not an option, so hoist and simplify. Also reduce privdrop details to what's required for users to know. Feedback OK schwarze
6604a563 2025-05-16 13:53:41 Merge changes from tzcode2013a o Make min_time and max_time constants. o Mark functions that have no side effects with __pure. o The zone offset at the end of version-2-format zone files is now allowed to be 24:00, as per POSIX.1-2008. o Fix zic bug that mishandled Egypt's 2010 changes. OK tb@
64029920 2025-05-16 13:51:04 Merge changes from tzcode2013a Make absolute_min_time and absolute_max_time constants. Mark __pure for functions that have no side effects. OK tb@
0434c678 2025-05-16 05:47:30 fix synopsis, pcap-filter(5) expressions can be spread across argv quoting is not strictly needed per se, i.e. those are equivalent: # tcpdump -i iwx0 port 22 and port 80 # tcpdump -i iwx0 'port 22 and port 80'
25f4f1fd 2025-05-16 04:26:43 sync FILES and -s, fix one reference (lldpd does not talk to itself)
f84e98ba 2025-05-16 04:04:41 check pledge return, sort promises to match our idiom
5df0c612 2025-05-16 03:49:38 -v implies -d (not the other way around), so dedup
a4d50f0b 2025-05-16 02:51:01 do not throw away errno on pledge failure
468dc1f9 2025-05-15 12:49:05 close unveil, add RCS markers; OK dlg
99a14409 2025-05-13 14:52:42 fix overly strict AUTH PLAIN pass check don't reject single character AUTH PLAIN passwords. From Andle Blanke on github pull request: https://github.com/OpenSMTPD/OpenSMTPD/pull/1283 ok gilles@
d3634c06 2025-05-13 07:59:57 dedup -d text, point to -v; OK dlg
0de99af2 2025-05-12 23:48:12 Correctly delete files with spaces During uninstall, fw_update reads the list of installed filenames from +CONTENTS but would split commands before checking if there was a command. It now uses the full line as the filename as it should. Reported by Mikolaj Kucharski <mikolaj () kucharski ! name> OK (for a similar diff) lucas@
d9556adb 2025-05-12 20:58:27 the regex keyword must be used iff the argument to an option is a regular expression or a list of regular expressions, it requires no special handling; improvements to the wording by jmc@ and op@ ok gilles@, jmc@, and op@
b6767310 2025-05-12 17:23:41 Until vmctl has its imsg usage cleaned, copy macros over from vmd. This fixes building vmctl since I didn't commit this header change when updating vmd.
acb6652b 2025-05-12 17:17:42 vmd(8): make imsg objects opaque and sanitize char[]s. vmd directly manipulated the inner members of imsg's throughout the codebase. Given a report of unchecked usage of some particular structs passed via imsg, this commit cleans up the imsg usage as well as santizes the embedded char[]'s in structs passed via imsg. All imsg metadata and data access now go through the imsg api (e.g. imsg_get_data(3)) and unmarshalling is handled in centralized locations with size checking and insertion of NUL-terminators in any char[]s. The result is no functional or behavioral change to vmd, but now all imsg's are treated opaquely and data santization is in a single function per type. NUL-termination issues reported by S. Ai, H. Lefeuvre, Systopia team. Review and guidance from claudio@. ok claudio@
957d03da 2025-05-11 15:38:48 Plug a few leaks after namespace_get() This patch fixes several memory leaks in ldapd caused by missing calls to ober_free_elements after using namespace_get. The namespace_get function eventually calls ober_read_element, which allocates memory for parsed BER elements. The most significant leak happens during processing of bind requests from non-root users in auth.c. The returned ber_element was not freed after being processed. Similar issues were found and fixed in ldape.c and modify.c. In these cases, ber_element returned by namespace_get was also left unfreed. From Anton Kasimov
0a3c375e 2025-05-11 15:30:43 Remove some NULL checks before ober_free_elements() From Anton Kasimov
07055c96 2025-05-08 21:14:18 Fix sign of %z output, and add DST offset doabbr: change penultimate arg from "isdst" to "stdoff", so that doabbr() has enough information to output the UTC offset on request. Fix the sign of z_gmtoff and add stdoff. backport of https://github.com/eggert/tz/commit/7c3e255 OK miod@
35d05b8e 2025-05-08 16:44:58 cap cpu stats at 99 to preserve column width and separation. feedback ok deraadt job miod
2c333898 2025-05-08 05:24:57 don't need endpwent() after getpwnam(), it's only for getpwent(). deraadt@ is worried about my ability to read man pages.
857ee269 2025-05-07 06:40:18 fix include order. poke by deraadt@
a2426b6f 2025-05-07 06:18:22 move pledge() to immediately after connect; was after (effectively) sendmsg(2); prodded by deraadt@
345ae754 2025-05-07 05:58:19 pledge after socket connected; ok dlg
be1b15fc 2025-05-07 05:42:43 Berkely -> Berkeley
ffe08980 2025-05-07 05:38:35 - -P before -p - text tweak - sunc usage()
2326f229 2025-05-07 03:11:14 Xr bpflogd 8
1cd4cb3b 2025-05-07 03:10:42 get rid of some redundant text.
cd6e87e8 2025-05-07 03:02:55 wire lldp, lldpd, and bpflogd up. poked by deraadt@
b9cb822a 2025-05-07 01:59:46 describe how bpflogd interacts with the log file on startup or sighup
04c419dd 2025-05-07 01:55:01 fix usage a big
bfa3ab5e 2025-05-07 01:41:59 bpflogd(8): capture packets from BPF and write them to a log file this is like pflogd(8), but different. the main differences are: - it can log on any type of BPF interface and DLT, not just pflog(4) - a single bpflogd can log packets from multiple BPF interfaces to the one log file - it uses libevent and non-blocking FDs instead of a blocking on pcap_dispatch in a loop with crazy signal handling - this also avoids restartable syscalls - it uses unveil and drops privs instead of chroot+privsep - this means the log file has to be writable by the user bpflogd runs as so it can reopen it after rotation. - it captures full packets by default, not just 160 bytes - you can provide a pcap-filter expression in a file - this makes the pexp handling in rc.subr a lot more robust - the .c files are about half the number of lines the reason it exists is because i needed to continously log some packets from span ports coming from multiple switches to try and help debug a network issue that only seems to occur every couple of months. pflogd provides that for a single pflog interface, but i needed it on multiple ethernet interfaces. ok deraadt@
bc6e01e3 2025-05-06 23:55:10 add some comments for future travellers
e27bc8c8 2025-05-06 23:48:47 have a go at decoding the 802.3 MAC/PHY Configuration/Status TLV the spec says the bits and media type are specified by RFC 4836, which says that iana manages these numbers, but the numbers my switch says don't match up with the iana numbers. anyway, i'll print the numbers for now.
902a7250 2025-05-06 18:36:20 Fix quirks handling in pkg_add -u As noticed by tb@, there is a bug in pkg_add where it runs an outdated version of quirks during an update. This is a side-effect of separating the updatedb in a different set: since the other set is not tagged "quirks" then the safeguards to prevent running quirks early won't trigger, and thus quirks will be loaded from the older installed version. The following patch takes a different approach: instead of excluding the quirks set from loading quirks, we only allow loading quirks once we're sure it's up-to-date (or as up-to-date as it can be, since pkg_delete won't try to do anything to it). This leads to somewhat cleaner code, as all the "don't do this to quirks" exceptions can disappear, thus removing a few tests. from espie
d97b3c17 2025-05-06 09:44:39 decode the link aggregation org tlv this is part of the 802.1 org, which is supposed to be documented in ieee 802.1Q, but that refers this tlv specifically to the ieee 802.1AX (link aggregation) spec.
fed8d34b 2025-05-06 08:41:55 decode some Org TLVs
a494ed46 2025-05-06 06:04:58 lldp(8): - zap trailing whitespace - add -s to SYNOPSIS lldp.c: - put -s after -i in usage() - sync the argument name for -i in usage()
94d8a661 2025-05-06 05:25:55 add -s socket to allow connecting to an lldpd on a different unix socket.
81f7c68e 2025-05-05 03:27:04 call an af_frame socket an af_frame socket
a41ee3cc 2025-05-03 09:21:16 make "backup" an option to srs as it only changes the state of the key we are setting, a random string that will be used as secret key for the Sender Rewriting Scheme, from active to backup. ok gilles@, jmc@
49b8b489 2025-05-03 05:26:23 the argument name for -s was internally inconsistent. to fix it, i used "socket", like for bgpctl(8); ok dlg
f7b96dac 2025-05-03 00:17:00 remove some debugging via printf add a closefrom() near the start ok dlg@
cb563479 2025-05-02 23:50:18 pledge; ok dlg@
30d594ba 2025-05-02 11:51:00 cut some unneeded words ok dlg@
c3a83f5e 2025-05-02 11:05:54 improve docs around pkg_add -U, which is a modifier around installing a package/s, not around updating, despite various recommendations on a third-party "handbook" site (which has other bad advice too) and repeated on forums etc. ok jmc
9ad4325d 2025-05-02 10:58:51 802.11AB -> 802.1AB
1649d3d8 2025-05-02 10:24:58 spelling
89551080 2025-05-02 09:56:01 lldpd will try and run as the _lldpd user, not _lldp.
6dacfa3f 2025-05-02 06:15:59 add lldp(8), a command line tool for interacting with lldpd(8). lldp can fetch LLDP packets from lldpd and then pulls them apart and displays them. by default it shows a brief summary of the lldp neighbor ports and systems on all interfaces, but you can request verbose info and/or info only from specific local interfaces. now that i've done the easy part (implementing AF_FRAME and lldpd) it would be nice to get some help with the hard stuff (pretty printing strings in c). ok djm@ deraadt@ general enthusiasm from many
0a394c10 2025-05-02 06:12:53 lldpd(8): a daemon that acts as an LLDP agent on Ethernet interfaces. lldpd uses the recently added AF_FRAME Ethernet sockets to listen for LLDP packets on all Ethernet interfaces in the system, and stores them so a lldp(8) client connecting to the control socket can fetch and display the packets. AF_FRAME means we can avoid BPF for receiving LLDP packets, which has a couple of benefits. firstly, BPF needs to look at all packets entering an interface so it can filter for the ones you're interested in, which is annoying for low packet/data rate protocols like LLDP. AF_FRAME is handled late in ether_input, and only after other protocols (like ip) are handled, so it's lower overhad compared to BPF listeners. secondly, attaching a BPF filter to new interfaces relies on having access to and the privileges to open /dev/bpf, while AF_FRAME provides a wildcard listener that is able to receive LLDP from all interfaces on a single socket, like how binding to on 0.0.0.0 with an AF_INET socket let's you receive packets for all the IPs on your system from a single socket. lldp can create and configure this socket when it starts up just use it from then on. this means lldpd is simpler and needs fewer privileges to operate than if it went the BPF route. at the moment lldpd only handles LLDP packet reception on all interfaces, you can't disable reception on interfaces yet. it also doesn't transmit LLDP packets (yet). there is no intention of implementing any protocol other than LLDP in this daemon either. ok djm@ deraadt@ general enthusiasm from many
9e51cf64 2025-05-01 15:05:05 Show file path in error messages Reporting failure without telling which file amongst those passed on the command line is bogus does not really help. OK millert
40051425 2025-04-28 18:56:25 Stop advising to remove files on update The following only make sense on for pkg_delete(1), yet pkg_add(1) prints them as well, which is confusing at best and trips up way too many people: "You should also run ..." (often "rm -rf /something/important*") "You should also remove ..." No longer print those when -u is used. There may be some commands "i like it" ian kirill OK phessler kmos
7cb2e45c 2025-04-27 20:28:51 Just print key identifiers as opaque blobs in filemode JSON output OK tb@
739f0e72 2025-04-27 16:23:04 Ensure we are getting send proper strings from the parent. OK claudio
d13e04c6 2025-04-25 06:46:19 The IMSG_LKA_OPEN_FORWARD passes directory and user as fixed size strings. Ensure that those strings are '\0' terminated since parent_forward_open() depends on that. OK op@
35b50d38 2025-04-25 00:06:52 Add checks that the passed strings from the unprivileged process have one char at least to make sure they are terminated by a null char. Reported by S. Ai, H. Lefeuvre, Systopia team ok claudio
d2b83bbe 2025-04-24 20:32:33 Ensure that string buffers are '\0' terminated when handling them in the privileged parent. Again code does not expect strings that are not terminated and by default nothing sends such strings but lets fix this bug anyway. Reported by S. Ai, H. Lefeuvre, Systopia team OK tb@ benno@
aa2ac6c4 2025-04-24 20:24:12 Both IMSG_CTL_RELOAD and IMSG_DEMOTE pass a string buffer that could theoretically be not '\0' terminated. For now just enforce a '\0' at the end of the buffer in question. This is enough to prevent any bad side-effects from an unterminated string. Reported by S. Ai, H. Lefeuvre, Systopia team OK tb@
da8f11c7 2025-04-24 20:17:49 Use strncmp() to compare strings in rib_find() which is has a similar problem like rde_peer_match(). OK tb@
a07aad4d 2025-04-14 14:52:34 The timeout API uses abolute timestamps internally so it makes sense to compare these times directly and only convert to a relative timeout right before calling poll(). Also convert pauseaccept to a deadline so that all comparisons are done the same way. Now using a proper timer for pauseaccept would be even better but that is a rainy day project. OK tb@
fd182005 2025-04-14 14:50:29 The timeout API uses abolute timestamps internally so it makes sense to compare these times directly and only convert to a relative timeout right before calling poll(). OK tb@
013ed4c0 2025-04-14 12:09:51 Align attr_optadd() return value check with all the others ok claudio
0d195f59 2025-04-14 11:49:39 In attr_optadd() avoid allocating the attribute before checking if the rde_aspath already contains that attribute. The check does not depend on the allocation so switching the code simplifies the error handling since a possible allocation does not need to be rolled back anymore. OK tb@
b672376e 2025-04-14 11:46:52 In attr_diff() return early when oa->len == 0 since memcmp(a, NULL, 0) is UB. Defining memcmp(a, NULL, 0) as undefined behaviour is one of those absurdities of the C standard. Right now this does not happen since BGP has no 0 size attributes. OK tb@
76a00bd5 2025-04-13 15:42:59 Remove useless function indirect, it just returns a const string. While here, remove an outdated comment. From Jan Stary. OK millert
bb3de3e2 2025-04-08 17:35:01 bump smtpd version
d4aa16fa 2025-04-08 17:31:06 mail.lmtp: return EX_TEMPFAIL only on 4.x.x This properly passes perm failures (5.x.x) over to smtpd. Issue reported by Runxy Yu over at github: <https://github.com/OpenSMTPD/OpenSMTPD/issues/1276> Thank you! ok gilles@
2aa6361f 2025-04-08 09:28:25 Fix a RRDP repo stall because of bad internal state When rrdp_handle_file() fails because of an IO error the repo is put into REPO_FAILED state. This state must be cleared in rrdp_clear() so that the fallback from delta to snapshot sync works. Without this reset the snapshot sync wont properly work and worse repo_done() is never called and files depending on this repo will not be processed. This stalls the validation process since the entity queue never becomes empty. Reported by N. Vogel, O. Jacobsen, H. Schulmann from ATHENE With and OK tb@
c3618c0b 2025-04-06 10:42:27 Only set BootOrder if our boot option isn't already part of it. This means sysupgrade (or reinstalls) will not longer set OpenBSD as the default OS if users change the boot order by some other means. Fresh installs will still make OpenBSD the default OS. ok kn@
f9c15953 2025-04-05 12:53:45 Tweak previous: don't warn if hw.perfpolicy isn't available Reported by mlarkin@, ok kettenis@ mlarkin@
235d2486 2025-04-03 14:30:17 rpki-client: bump version discussed with claudio
757906db 2025-04-03 14:29:44 rpki-client: add a counter for non-functional CAs ok claudio
d0022ec3 2025-04-02 09:51:42 Minimal gbr validation and printing fixes Job noticed a while back that one of the two .gbr in the ecosystem is malformed. Worse, it made filemode error out in json_do_string() when dumping JSON because its vCard is an empty octet string (which means it is the byte string 0x04 0x00, so it contains a control character): SEQUENCE { # rpkiGhostbusters OBJECT_IDENTIFIER { 1.2.840.113549.1.9.16.1.35 } [0] { OCTET_STRING { OCTET_STRING {} } } } A valid vCard contains a printable UTF-8 string and looks like this: SEQUENCE { # rpkiGhostbusters OBJECT_IDENTIFIER { 1.2.840.113549.1.9.16.1.35 } [0] { OCTET_STRING { "BEGIN:VCARD\r\nVERSION:4.0\r\n..." } } } Now vCards are crazy complicated (despite the simplifications RFC 6493 added to the full RFC 6350 madness) since the format is overly flexible and they are defined to contain a subset of UTF-8 (for which no sane portable C API exists). As a minimal sanity check/validation, verify that it starts as expected, and strvisx() the whole thing. Again this is an ugly kludge, but better than more complicated logic right now. ok claudio
4938cdce 2025-04-02 09:42:57 tak: strvis the UTF-8 comment section This is an ugly kludge until we can do better validation. Now is not the right time in the release cycle to fiddle with even more complicated and more broken legacy messes than we already have to deal with in here. ok claudio
25b9b90e 2025-04-02 09:27:16 takey_print: don't emit empty line between comments and URIs It was probably an oversight in RFC 8630 that TALs don't allow an empty line between the comment section and the URI section. Or maybe a comment of only one or two lines was intended rather than the ugly blob we now have in arin.tal. Be that as it may, the output is supposed to be a TAL and it should conform to the RFC. ok claudio
ba39e1c3 2025-04-02 09:16:26 json.c: sync with bgpctl/json.c r1.11: escape ASCII control characters ok claudio
09f48385 2025-04-02 09:15:04 Properly escape ASCII control characters in JSON rather than erroring shared pain with/ok claudio