lookup on the incoming IP, do a forward lookup on
the result and make sure that the IP is in the
resulting list. If it's not, put the IP number
in utmp/wtmp instead of the rogue name.
Stolen from: rlogind
Suggested by: sef
avoid crashing inside rtld (since it's easy) since everything else handles
it. Of course, if the target program checks argv[], it'll fall over.
Reviewed by: jdp
damn useful thing for using with serial consoles in clusters etc or secure
console locations. Using a custom gettytab entry for console with
an entry like 'al=root' means that there is *always* a root login ready on
the console. This should replace hacks like those which go with conserver
etc. (This is a loaded gun, watch out for those feet!)
Submitted by: "Andrew J. Korty" <ajk@purdue.edu>
There's not much point in having uucpd behave differently than
login(1) for this, and now uucpd is compatible to the default chat
script of Taylor UUCP which sends a single \r at first.
While i was at it, added a few strategic ``errno = 0;''s, so at least
an `Undefined error 0' will be returned for things like a closed
connection while reading the login ID or password, as opposed to an
even more bogus thing like `No such file or directory'.
on rshd and rlogind. However, note that:
1: rshd used to drop a connection with -a if the hostname != ip address.
This is unneeded, because iruserok() does it's own checking.
It was also wrong if .rhosts had an explicit IP address in it,
connections would be dropped from that host solely because the DNS was
mismatched even though it was explicitly intended to work by IP address.
2: rlogind and rshd check the hostname mappings by default now because that
is what goes into the utmp/wtmp and logs. If the hostname != ip address,
then it uses the IP address for logging/utmp/wtmp purposes. There isn't
much point logging ficticious hostnames.
3: rshd -a is now accepted (but ignored) for compatability. If you really
want to make life miserable for people with bad reverse DNS, use tcpd in
paranoid mode (which is questionable anyway, given DNS ttl tweaking).
Removed getuid() root check so ntalkd can be run from a tty sandbox.
It isn't suid root anyway, who knows why the getuid() check was even
in there in the first place!
rtld would accept the first shared library it found with the right
major version number, even if the minor version number was too low.
If a different version of the shared library with an adequate minor
version number appeared later in the search path, it would not be
found.
Now the rtld searches all locations first looking for a library
with a minor version that is high enough. Only if such a library
is not found will it fall back to accepting a minor version number
that is too low. As before, a warning comes out in that case.
This solves some problems encountered when building an older world
on a -current system.
References from GDB to "printf" and various other functions would
find the versions in the dynamic linker itself, rather than the
versions in the program's libc. This fix moves the GDB link map
entry for the dynamic linker to the end of the search list, where
its symbols will be found only if they are not found anywhere else.
It was suggested by Doug Rabson, though I implemented it a little
differently.
I personally would prefer to leave the dynamic linker's entry out
of the GDB search list altogether. But Doug argues that it is
handy there for such things as setting breakpoints on dlopen().
So it stays for now, at least.
Note, if we ever integrate the dynamic linker with libc (which has
several important benefits to recommend it), this whole problem
goes away.
dynamic linker itself dynamically allocated. All of them are
supposed to be dynamically allocated, but we cheated before. It
made gdb unhappy under some circumstances.
least 2 version numbers. This fixes the bug where the dynamic
linker would try to load an ELF shared library if it found one.
Note, this change also fixes the same thing in "ld", because the
code is shared.
For "ld" there is still a problem with ".a" libraries, which cannot
be distinguished by name. I haven't decided what, if anything, to
do about that.
a different file than the a.out hints, namely, "/var/run/ld-elf.so.hints".
These hints consist only of the directory search path. There is
no hash table as in the a.out hints, because ELF doesn't have to
search for the file with the highest minor version number. (It
doesn't have minor version numbers at all.)
A single run of ldconfig updates either the a.out hints or the ELF
hints, but not both. The set of hints to process is selected in
the usual way, via /etc/objformat, or ${OBJFORMAT}, or the "-aout"
or "-elf" command line option. The rationale is that you probably
want to search different directories for ELF than for a.out.
"ldconfig -r" is faked up to produce output like we are used to,
except that for ELF there are no minor version numbers. This should
enable "ldconfig -r" to be used for checking LIB_DEPENDS in ports
even for ELF.
I implemented the ELF functionality in a new source file, with an
eye toward eliminating the a.out code entirely at some point in
the future.
shared object. Note, this searches _only_ that object, and not its
needed objects, in accordance with the documentation.
Also fix dlopen(NULL, ...) so that the executable's needed objects
are searched as well as the executable itself.
it to sit right...
The __error() hack gave out the wrong address. It returned the address of
errno in ld.so instead of the address of errno in the main program. Oops.
The hack is now correct, just in time to be obsoleted by elf.
or Elf64 based on the inclusion of the machine dependent header.
I've left the addition of the extra fields to handle the relocation
structures with addend for a separate commit after jdp has had a chance
to review what I've done. The current change is needed to compile
csu/alpha/crt1.c
alternative, I present .. ta! da! .. the __error() hack.
This patch to the a.out dynamic loader provides old a.out binaries
with __error() if they are linked with an older libc that lacks it,
but are also linked against a library that needs it.
There is a smaller, tricker hack that takes advantage of the fact
that ld.so has __error() too, courtesy of the new libc, but this
hack is the straightforward version.
Move a.out libraries to /usr/lib/aout to make space for ELF libs.
Make rtld usr /usr/lib/aout as default library path.
Make ldconfig reject /usr/lib as an a.out library path.
Fix various Makefiles for LIBDIR!=/usr/lib breakage.
This will after a make world & reboot give a system that no
longer uses /usr/lib/*, infact one could remove all the old
libraries there, they are not used anymore.
We are getting close to an ELF make world, but I'll let this
all settle for a week or two...
output for local users. FTP protocol RFC also says that 'ls' output is
not machine-readable. "always UTC" still possible with TZ= in ftpd
environment by price of having UTC in log files too.
Fix INTERNAL_LS to sense new /etc/localtime after chroot
any case.
It makes no difference for anon account (since chroot already makes it GMT),
but if you do mirror with special non-anon login, in old variant
your mirror will be wholy retransmitted twice in the year due to
time zone changes (/etc/localtime plays bad role here)
quite a few enhancements and bug fixes. There are still some known
deficiencies, but it should be adequate to get us started with ELF.
Submitted by: John Polstra <jdp@polstra.com>
MOUNT_LFS to "lfs" in one place. The merge was painful because it
conflicted with cosmetic FreeBSD changes. lfs_cleanerd still compiles
cleanly but has aproximately the same chance of working as before (0).
emacs a.out file, self-generated by emacs's "unexec" function in
"unexsunos4.c", is invalid. In particular, its "_end" symbol has
the wrong value. The dynamic linker was using the value of that
symbol to initialize its sbrk break level.
The workaround is to peek at the executable's a.out header in
memory, and calculate what "_end" should be based on the segment
sizes.
I will work out a fix for emacs and send it to the FSF. This
dynamic linker workaround is still worthwhile, if only to avoid
forcing all emacs users to build a new version.
Note: xemacs gives a bogus warning at startup, for related reasons.
The warning is harmless and can safely be ignored. I will send a
patch to the xemacs maintainers to get rid of it, and meanwhile
add a patch file to our port.
things so that it uses the same malloc as is used by the program
being executed. This has several advantages, the big one being
that you can now debug core dumps from dynamically linked programs
and get useful information out of them. Until now, that didn't
work. The internal malloc package placed the tables describing
the loaded shared libraries in a mapped region of high memory that
was not written to core files. Thus the debugger had no way of
determining what was loaded where in memory. Now that the dynamic
linker uses the application's malloc package (normally, but not
necessarily, the system malloc), its tables end up in the regular
heap area where they will be included in core dumps. The debugger
now works very well indeed, thank you very much.
Also ...
Bring the program a little closer to conformance with style(9).
There is still a long way to go.
Add minimal const correctness changes to get rid of compiler warnings
caused by the recent const changes in <dlfcn.h> and <link.h>.
Improve performance by eliminating redundant calculations of symbols'
hash values.
This change changes the default handling of linemode so that older and/or
stupider telnet clients can still get wakeup characters like <ESC> and
<CTRL>D to work correctly multiple times on the same line, as in csh
"set filec" operations. It also causes CR and LF characters to be read by
apps in certain terminal modes consistently, as opposed to returning
CR sometimes and LF sometimes, which broke existing apps. The change
was shown to fix the problem demonstrated in the FreeBSD telnet client,
along with the telnet client in Solaris, SCO, Windows '95 & NT, DEC OSF,
NCSA, and others.
A similar change will be incorporated in the crypto version of telnetd.
This resolves bin/771 and bin/1037.
is asking for trouble (sequential database enumerations can get caught
in an infinite loop). The yp_mkdb(8) utility avoids putting such records
into a database, but ypxfr does not. Today I got bit by a NULL entry in
one of the amd maps on my network, which is served by a SunOS master.
The map was transfered successfully to my FreeBSD slave, but attempting
to dump it with ypcat(1) caused ypserv(8) to transmit the same record
over and over again, making the map appear to be infinitely large. I
finally noticed the problem while testing a new version of amd under
development at the Columbia CS department, which began gobbling up insane
amounts of memory while trying to swallow the map.
To deal with this problem, I'm modifying ypxfr to watch for records
with zero-length keys and turn them into something less destructive
before writing them to the database.
plain 0 should be used. This happens to work because we #define
NULL to 0, but is stylistically wrong and can cause problems
for people trying to port bits of code to other environments.
PR: 2752
Submitted by: Arne Henrik Juul <arnej@imf.unit.no>
by a repository copy from 1.1.5 and patched back to Lite1) and
rbootd/bootdir/SYSHPBSD (which is binary). All changed files have
already left the vendor branch.
on malformed /etc/group entries. This is a band-aid until I can pull
in the newer group parsing code from getgrent .
Pointed out by: branson@belmakor.hq.ferg.com (Branson Matheson)
Add a -Bforcedynamic option which generates a dynamic object even
if no shared libraries were given in the link.
Make RRS in text section warnings conditional on "-assert pure-text"
so that I can link non-PIC kernel modules without tons of link
errors. Changes to bsd.lib.mk to follow.
Fix a couple of bugs exposed by the fact that the kernel is not
linked at zero.
Reviewed by: jdp
calls. The cost is a little more up-front memory allocation, but the
effect seems minimal.
Problem noticed-by: bde
Added syslog at LOG_ERR when referencing an unknown gettytab entry
and for other cgetent() failues (circular reference et al).
To be merged into 2.2 after a few days testing.
modules from src/bin/ls, and handling exec(_PATH_LS,..) as a
special case, very useful in an environment where many users
are given chroot access. "~/etc/{s}pwd.db" files are still
needed if uid/gid->user/group translation is desired.
To enable this it must be compiled with the make variable
FTP_INTERNAL_LS defined, either in /etc/make.conf or the
environment.
ld-specific flags. LDFLAGS is really for ld-related flags for cc,
not for ld, and some flags, e.g., -Bshareable, mean completely
different things to cc and ld. Having the wrong things in LDFLAGS
also broke the standard ${PROG} target. This was kludged around
by using a special rule that depended on LDFLAGS being bogus.
Fixing `make depend' broke the special rule but fixed the standard
rule (except in the DESTDIR case, which was handled more strictly
here than elsewhere).
'sane' standard (not raw) settings before abort/exiting; move
responsibility of setting raw mode for chat-handling out of
chat.c to avoid doing redundant tc{s,g}etattr()s; move DE
pause prior setting standard mode before issue/login prompt to
avoid echoing modem connect strings. Fixed up comment styles
in a couple of places.
Rev 1.16 deraadt:
do not warn about valid options; invalid options correctly quit
Rev 1.15 deraadt:
need not clear options since bad ones cause exit;
provos@ws1.physnet.uni-hamburg.de
Rev 1.14 deraadt:
IPOPT_LSRR/IPOPT_SSRR must exit() due to tcp sequencing; pointed
out by provos@wserver.physnet.uni-hamburg.de. also another 1-char
buffer overflow.
Reviewed by: Peter Wemm
Obtained from: OpenSBD
Rev 1.13 deraadt:
do not warn about valid options; invalid options correctly quit
Rev 1.12 deraadt:
need not clear options since bad ones cause exit;
provos@ws1.physnet.uni-hamburg.de
Rev 1.11 deraadt:
IPOPT_LSRR/IPOPT_SSRR must exit() due to tcp sequencing; pointed
out by provos@wserver.physnet.uni-hamburg.de. also another 1-char
buffer overflow.
Reviewed by: Peter Wemm
Obtained from: OpenSBD
If it is set to a nonempty string, then simply skip any missing
shared libraries. This came up in a discussion long ago as a
potentially useful feature at sysinstall time. For example, an
X11 utility could be used without the X libraries being present,
provided the utility had a mode in which no X functions were actually
called.
- Use MAP_FAILED instead of the constant -1 to indicate
failure (required by POSIX).
- Removed flag arguments of '0' (required by POSIX).
- Fixed code which expected an error return of 0.
- Fixed code which thought any address with the high bit set
was an error.
- Check for failure where no checks were present.
Discussed with: bde
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.
Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.
nonempty string, then function calls are relocated at program start-up
rather than lazily. This variable is standard on Sun and SVR4 systems.
The dlopen() function now supports both lazy and immediate binding, as
determined by its "mode" argument, which can be either 1 (RTLD_LAZY) or
2 (RTLD_NOW). I will add defines of these symbols to <dlfcn.h> as soon
as I've done a little more checking to make sure they won't cause
collisions or bootstrapping problems that would break "make world".
The "LD_*" environment variables which alter dynamic linker behavior are
now treated as unset if they are set to the empty string. This agrees
with the standard SVR4 conventions for the dynamic linker.
Add a work-around for programs compiled with certain buggy versions of
crt0.o. The buggy versions failed to set the "crt_ldso" member of the
interface structure. This caused certain error messages from the
dynamic linker to begin with "(null)" instead of the pathname of the
dynamic linker.
nonempty string, then function calls are relocated at program start-up
rather than lazily. This variable is standard on Sun and SVR4 systems.
The dlopen() function now supports both lazy and immediate binding, as
determined by its "mode" argument, which can be either 1 (RTLD_LAZY) or
2 (RTLD_NOW). I will add defines of these symbols to <dlfcn.h> as soon
as I've done a little more checking to make sure they won't cause
collisions or bootstrapping problems that would break "make world".
more manageable and convenient referencing by login.conf (login
class database) and (e.g.) login.access.
This is the first of a group of commits which implements the login
class capabilities database.
emitting the initial prompt.
This is useful in a number of circumstances :
- you have (a) stupid modem(s) that assert(s) DCD too soon.
- you have dialin users with stupid diallers and poorly
written chatscripts. (esp. some Winsock diallers)
BSD/OS also has this capability.
Submitted by: damian@cablenet.net (Damian Hamill)
matches what's in ypserv/yp_extern.h (which I changed when I added the
async DNS stuff). The conflict broke the build of rpc.yppasswdd.
Pointed out by: bde
do it themselves. (Some of these programs actually depended on this
beyond compiling the definition of struct ifinfo!) Also fix up some
other #include messes while we're at it.
it is both uneeded and breaks certain lock-step timing in the rexec
protocol.
Yes, an attacker can "relay" connections using this trick, but a properly
configured firewall that would make this sort of subterfuge necessary in the
first place (instead of direct packet spoofing) would also thwart useful
attacks based on this.
succeeded.
Never allow the reverse channel to be to a privileged port.
Cannidate for: 2.1 and 2.2 branches
Reviewed by: pst (with local cleanups)
Submitted by: Cy Shubert <cy@cwsys.cwent.com>
Obtained from: Jaeger <jaeger@dhp.com> via BUGTRAQ
and YP_SECURE flags so that it can properly add them to newly created
maps when needed. This applies only when using the 'standard' method
for map transfers. When using rpc.ypxfrd, the whole map is copied
verbatim, along with any special entries that may be encoded in it.
Also made -Wall a little quieter for ypxfrd_getmap.c.
the main program, report them directly from the dynamic linker and die
there, rather than returning an error message to crt0.o. This enables
the printing of error messages even for old executables, whose version
of crt0.o is not able to print them.
This fix closes PR bin/1869.
The code in crt0.o for printing error messages from the dynamic linker
is no longer used, because of this change. But it must remain, for
backward compatibility with older dynamic linkers.
When an rsh is denied by rshd because the client is lacking appropriate
.rhosts permission, an error message is formatted for syslog which contains
the client's hostname. The hostname portion of the message relies on a pointer
to a field within gethostbyname()'s internal struct hostent which changes state
between when the pointer is initialized and when it is dereferenced to create th
e
message.
Submitted by: skynyrd@opus.cts.cwu.edu
>Description:
/usr/libexec/mail.local runs as root. As such is can fill up a
mailbox on a quota'd filesystem, and keep going... Makes quota's
almost useless in an ISP environment.
Closes: PR#bin/1111
Submitted by: Charles Henrich <henrich@crh.cl.msu.edu>
or rpc.ypxfrd processes on remote systems that aren't bound to reserved
ports. The servers already do reserved port checks on the clients.
Obtained from: scrutinizing the OpenBSD ypxfr sources. (Note that this
applies to the ypserv check only; OpenBSD doesn't have an rpc.ypxfrd.)
password: ask for it, but don't tell that S/key password required.
It looks like non-s/key system from outside.
Additionally tell that s/key required when it is so for normal case
It happens if 1) regular passwords not allowed, 2) skey database
not activated for given user.
Under some rare circumstanes skey_challenge can return empty
diagnostic or even previous buffer, fix it.
opened. After that, the directories are already present, and there is
no point in adding them again. This doesn't fix any bugs; it's just for
efficiency.
since rt_readenv() already takes care of not setting unsafe variables.
This was part of the changes I submitted to Peter and John during the
review which must have gotten missed.
how I managed to get this out of sync, but I did. I guess that's what I
get for directly committing from different machines that I was testing on.
Pointed out by: Paul Traina <pst@freebsd.org>
configurable fallback search paths, as well as new crt interface version.
Also:
- even faster getenv(), get all environment variable settings in a single
pass.
- ldd printf-like format specifications
- minor code cleanups, one vsprintf -> vsnprintf (harmless)
The library search sequence is a little more complete now. Before,
it'd search $LD_LIBRARY_PATH (by opendir/readdir/closedir), then read
the hints file, then read /usr/lib (again by scanning thr directory). It
would then fail if there was no "found" library.
Now, it does LD_LIBRARY_PATH and the hints file the same, but then uses
a longer fallback path. The -R path is fetched from the executable if
specified at build time, the ldconfig path is appended, and /usr/lib is
appended to that. Duplicates are suppressed. This means that simply
placing a new library in /usr/local/lib will work (the same as it did in
/usr/lib) without needing ldconfig -m. It will find it quicker if the
ldconfig is run though.
Similar changes have been made to the NetBSD ld.so, but ours is rather
different now due to John Polstra's speedups and fixes from a while back.
The ldd printf-like format support came direct from NetBSD.
Reviewed by: nate, jdp
with the -R option and store the path in the dynamic header when specified.
The $LD_RUN_PATH environment variable is not checked yet.
While here, split up the code a bit more to enable more selective replacing
of GPL'ed components that are linked with ld.so with others.
Obtained from: NetBSD (mostly, the breakup is my fault)
Reviewed by: Garrett Wollman <wollman@freebsd.org>
Submitted by: Warner Losh <imp@village.org>
Close PR bin/1145:
Add -s flag to tftpd. This enables the so-called secure mode
of tftpd where it chroots to a given directory before allowing access
to the files. In addition, it runs as nobody when in this mode.
Reviewed a long time ago by Bill and Garrett. Apply my patch from the
pr, and close the PR.
for gcc >= 2.5 and no-ops for gcc >= 2.6. Converted to use __dead2
or __pure2 where it wasn't already done, except in math.h where use
of __pure was mostly wrong.
as atomically as possible.
(Immutable targets can't be renamed without opening a window when
neither the source nor the target is immutable. Perhaps there
should be a rename_immutable syscall to do this if unsetting the
immutable flags would work.)
"." means the object directory, so it is just confusing to use it
when nothing is included from the object directory unless the object
directory is also the source directory. It is confusing for "."
not to mean the source directory anyway, so used `-I.'s should be
replaced by `-I${.OBJDIR}'.
Document the new -R (relax paranoia) option.
From NetBSD/Lite2: code and man page cleanups, Kerberos IV hooks
(relax, we're still exportable), and /etc/ftpchroot feature for
semi-anonymous accounts
or addresses other than the requestor's address. This violates the FTP
protocol (hmm...as I write this, I'm going to change this to a run-time var.)
Require login before PASV and RNTO commands.
Close unused PASV ports so they don't hang around forever.
Do not allow file overwrites via rename or STOR when anonymous
(suspenders).
Clean up buffer utilization.
My code, but heavily inspired by Hobbit's changes to wu-ftpd as pointed out
by Mike Prettejohn and Kit Knox.
hash table size from 256 to 1024.
Generate output that looks more like the SunOS mknetid: uses a space
instead of tabs for white space.
Fix typo in comment in hash.h: Groupit -> Groupid.
the Himalayas and become a hermit.)
Import new mknetid program. This replaces the crufty, soon to be defunct
mknetid script packaged with ypserv.
This program parses the group, passwd, hosts and netid databases into
the netid.byname map. Duplicate checking is performed using hash tables.
Testing on my 486DX2/66 with FreeBSD 2.1.0 showed that this program can
process a 30,000-entry passwd database into a netid map (along with
assorted group and hosts information) in about 22 seconds. On my SPARC IPX
with SunOS 4.1.3, it takes about 15 seconds. This compares favorably with
the SunOS mknetid program, which parses the same database(s) in 13 seconds.
(With smaller databases, my program is actually slightly faster. Go
figure.)
which ypxfr links with. (Sorry: left over development bogon.)
Just a reminder: you must rebuild librpcsvc before you build
this program.
Pointed out by: Stephen Hocking
Also generallize the yp_dbwrite functions a little: allow the caller
to specify certain flags. I need this mostly for some changes to
rpc.yppasswdd to allow in-place updates.
Also change Makefile a little to use the same format as ypserv.
been loaded, look for a match by device and inode number if the
traditional pathname comparisons don't find a match. This detects
the case in which a library is requested using two different names
which are really links to the same file, and avoids loading it
twice.
Requested by: peter@freebsd.org
Reviewed by: peter@freebsd.org