PERFORCE change 173101 for review
Rene Ladan
rene at FreeBSD.org
Wed Jan 13 22:17:35 UTC 2010
http://p4web.freebsd.org/chv.cgi?CH=173101
Change 173101 by rene at rene_self on 2010/01/13 22:16:40
IFC
Affected files ...
.. //depot/projects/docproj_nl/en_US.ISO8859-1/books/handbook/security/chapter.sgml#12 integrate
.. //depot/projects/docproj_nl/en_US.ISO8859-1/books/porters-handbook/book.sgml#68 integrate
.. //depot/projects/docproj_nl/www/en/news/status/report-2009-10-2009-12.xml#2 integrate
Differences ...
==== //depot/projects/docproj_nl/en_US.ISO8859-1/books/handbook/security/chapter.sgml#12 (text+ko) ====
@@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
- $FreeBSD: doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v 1.334 2009/01/28 03:39:01 ganbold Exp $
+ $FreeBSD: doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v 1.335 2010/01/13 21:07:24 bcr Exp $
-->
<chapter id="security">
@@ -506,8 +506,10 @@
system are the
suid-root and sgid binaries installed on the system. Most of
these binaries, such as <application>rlogin</application>, reside
- in <filename>/bin</filename>, <filename>/sbin</filename>,
- <filename>/usr/bin</filename>, or <filename>/usr/sbin</filename>.
+ in <filename class="directory">/bin</filename>, <filename
+ class="directory">/sbin</filename>, <filename
+ class="directory">/usr/bin</filename>, or <filename
+ class="directory">/usr/sbin</filename>.
While nothing is 100% safe, the system-default suid and sgid
binaries can be considered reasonably safe. Still,
<username>root</username> holes are occasionally found in these
@@ -650,7 +652,8 @@
the system at a higher secure level but skip setting
the <literal>schg</literal> flag for every system file and directory
under the sun. Another possibility is to simply
- mount <filename>/</filename> and <filename>/usr</filename> read-only.
+ mount <filename class="directory">/</filename> and <filename
+ class="directory">/usr</filename> read-only.
It should be noted that being too draconian about what is permitted
may prevent the all-important detection of an intrusion.</para>
</sect2>
@@ -663,9 +666,10 @@
system configuration and control files so much before the
convenience factor rears its ugly head. For example, using
<command>chflags</command> to set the <literal>schg</literal> bit
- on most of the files in <filename>/</filename> and
- <filename>/usr</filename> is probably counterproductive, because
- while it may protect the files, it also closes a detection window.
+ on most of the files in <filename class="directory">/</filename> and
+ <filename class="directory">/usr</filename> is probably
+ counterproductive, because while it may protect the files, it also
+ closes a detection window.
The last layer of your security onion is perhaps the most
important — detection. The rest of your security is pretty
much useless (or, worse, presents you with a false sense of
@@ -702,14 +706,14 @@
scripts out of simple system utilities such as &man.find.1; and
&man.md5.1;. It is best to physically md5 the client-box files
at least once a day, and to test control files such as those
- found in <filename>/etc</filename> and
- <filename>/usr/local/etc</filename> even more often. When
+ found in <filename class="directory">/etc</filename> and <filename
+ class="directory">/usr/local/etc</filename> even more often. When
mismatches are found, relative to the base md5 information the
limited-access machine knows is valid, it should scream at a
sysadmin to go check it out. A good security script will also
check for inappropriate suid binaries and for new or deleted files
- on system partitions such as <filename>/</filename> and
- <filename>/usr</filename>.</para>
+ on system partitions such as <filename class="directory">/</filename>
+ and <filename class="directory">/usr</filename>.</para>
<para>When using ssh rather than NFS,
writing the security script is much more difficult. You
@@ -1620,8 +1624,8 @@
<para>This is done on the Kerberos server only. First make sure that
you do not have any old Kerberos databases around. You should change
- to the directory <filename>/etc/kerberosIV</filename> and check that
- only the following files are present:</para>
+ to the directory <filename class="directory">/etc/kerberosIV</filename>
+ and check that only the following files are present:</para>
<screen>&prompt.root; <userinput>cd /etc/kerberosIV</userinput>
&prompt.root; <userinput>ls</userinput>
@@ -1789,11 +1793,10 @@
<para>We now have to extract all the instances which define the
services on each machine. For this we use the
<command>ext_srvtab</command> command. This will create a file
- which must be copied or moved <emphasis>by secure
- means</emphasis> to each Kerberos client's
- <filename>/etc</filename> directory. This file must
- be present on each server and client, and is crucial to the
- operation of Kerberos.</para>
+ which must be copied or moved <emphasis>by secure means</emphasis> to
+ each Kerberos client's <filename class="directory">/etc</filename>
+ directory. This file must be present on each server and client, and is
+ crucial to the operation of Kerberos.</para>
<screen>&prompt.root; <userinput>ext_srvtab grunt</userinput>
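Review bot: in the paragraph before the ext_srvtab screen, the only markup change is class="directory" on /etc, but the sentence from "which must be copied or moved" onward is re-wrapped as well, so five lines are removed and four added for a one-attribute change. Keep the original line breaks here, or do the re-wrap as a separate whitespace-only change, so that translators following this file can see that the wording about moving the srvtab by secure means is untouched.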
@@ -1815,8 +1818,8 @@
safe, then copy the
<filename><replaceable>client</replaceable>-new-srvtab</filename> to
removable media and transport it by secure physical means. Be sure to
- rename it to <filename>srvtab</filename> in the client's
- <filename>/etc</filename> directory, and make sure it is
+ rename it to <filename>srvtab</filename> in the client's <filename
+ class="directory">/etc</filename> directory, and make sure it is
mode 600:</para>
<screen>&prompt.root; <userinput>mv grumble-new-srvtab srvtab</userinput>
@@ -1866,8 +1869,8 @@
have correctly edited your <filename>/etc/rc.conf</filename> then this
will happen automatically when you reboot. This is only necessary on
the Kerberos server. Kerberos clients will automatically get what
- they need from the <filename>/etc/kerberosIV</filename>
- directory.</para>
+ they need from the <filename
+ class="directory">/etc/kerberosIV</filename> directory.</para>
<screen>&prompt.root; <userinput>kerberos &</userinput>
Kerberos server starting
@@ -2669,8 +2672,8 @@
<application>Kerberos</application> web site
(<ulink url="http://web.mit.edu/Kerberos/www/"></ulink>)
is recommended. Be careful of path issues: the
- <acronym>MIT</acronym> port installs into
- <filename>/usr/local/</filename> by default, and the
+ <acronym>MIT</acronym> port installs into <filename
+ class="directory">/usr/local/</filename> by default, and the
<quote>normal</quote> system applications may be run instead
of <acronym>MIT</acronym> if your <envar>PATH</envar>
environment variable lists the system directories first.</para>
@@ -2728,9 +2731,9 @@
<para>In a multi-user environment,
<application>Kerberos</application> is less secure.
- This is because it stores the tickets in the
- <filename>/tmp</filename> directory, which is readable by all
- users. If a user is sharing a computer with several other
+ This is because it stores the tickets in the <filename
+ class="directory">/tmp</filename> directory, which is readable by
+ all users. If a user is sharing a computer with several other
people simultaneously (i.e. multi-user), it is possible that
the user's tickets can be stolen (copied) by another
user.</para>
@@ -3662,7 +3665,8 @@
<para>The system-wide configuration files for both the
<application>OpenSSH</application> daemon and client reside
- within the <filename>/etc/ssh</filename> directory.</para>
+ within the <filename class="directory">/etc/ssh</filename>
+ directory.</para>
<para><filename>ssh_config</filename> configures the client
settings, while <filename>sshd_config</filename> configures the
@@ -4053,10 +4057,12 @@
drwxrwx---+ 2 robert robert 512 Dec 27 11:57 directory3
drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
- <para>Here we see that the <filename>directory1</filename>,
- <filename>directory2</filename>, and <filename>directory3</filename>
- directories are all taking advantage of <acronym>ACL</acronym>s. The
- <filename>public_html</filename> directory is not.</para>
+ <para>Here we see that the <filename
+ class="directory">directory1</filename>, <filename
+ class="directory">directory2</filename>, and <filename
+ class="directory">directory3</filename> directories are all taking
+ advantage of <acronym>ACL</acronym>s. The <filename
+ class="directory">public_html</filename> directory is not.</para>
<sect2>
<title>Making Use of <acronym>ACL</acronym>s</title>
@@ -4310,9 +4316,10 @@
look over the output from <command>ident</command> on the
affected files will help in determining the revision.
For ports, the version number is listed after the port name
- in <filename>/var/db/pkg</filename>. If the system does not
- sync with the &os; <acronym>CVS</acronym> repository and rebuild
- daily, chances are that it is affected.</para>
+ in <filename class="directory">/var/db/pkg</filename>. If the
+ system does not sync with the &os; <acronym>CVS</acronym>
+ repository and rebuild daily, chances are that it is
+ affected.</para>
</callout>
<callout arearefs="co-corrected">
==== //depot/projects/docproj_nl/en_US.ISO8859-1/books/porters-handbook/book.sgml#68 (text+ko) ====
@@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
- $FreeBSD: doc/en_US.ISO8859-1/books/porters-handbook/book.sgml,v 1.1046 2010/01/09 06:16:56 linimon Exp $
+ $FreeBSD: doc/en_US.ISO8859-1/books/porters-handbook/book.sgml,v 1.1047 2010/01/13 19:46:35 ed Exp $
-->
<!DOCTYPE BOOK PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
@@ -13493,6 +13493,14 @@
<function>alphasort(3)</function> prototypes to
conform to SUSv4.</entry>
</row>
+ <row>
+ <entry>900007</entry>
+ <entry>January 13, 2010</entry>
+ <entry>9.0-CURRENT after the removal of utmp(5) and
+ the addition of utmpx (see
+ <function>getutxent(3)</function>) for improved
+ logging of user logins and system events.</entry>
+ </row>
</tbody>
</tgroup>
</table>
==== //depot/projects/docproj_nl/www/en/news/status/report-2009-10-2009-12.xml#2 (text+ko) ====
@@ -2,7 +2,7 @@
<!DOCTYPE report PUBLIC "-//FreeBSD//DTD FreeBSD XML Database for Status
Report//EN"
"http://www.FreeBSD.org/XML/www/share/sgml/statusreport.dtd">
-<!-- $FreeBSD: www/en/news/status/report-2009-10-2009-12.xml,v 1.1 2010/01/12 21:27:23 danger Exp $ -->
+<!-- $FreeBSD: www/en/news/status/report-2009-10-2009-12.xml,v 1.4 2010/01/13 15:47:01 gabor Exp $ -->
<report>
<date>
<month>October-December</month>
@@ -87,6 +87,12 @@
<description>Miscellaneous</description>
</category>
+ <category>
+ <name>bin</name>
+
+ <description>Userland utilities</description>
+ </category>
+
<project cat='vendor'>
<title>DAHDI (Zaptel) support for &os;</title>
@@ -613,6 +619,91 @@
</help>
</project>
+ <project cat='docs'>
+ <title>The FreeBSD Spanish Documentation Project</title>
+
+ <contact>
+ <person>
+ <name>
+ <given>Gábor</given>
+ <common>Kövesdán</common>
+ </name>
+ <email>gabor at FreeBSD.org</email>
+ </person>
+ </contact>
+
+ <links>
+ <url href="Introduction to the Spanish Documentation Project">http://www.freebsd.org/doc/es/articles/fdp-es/</url>
+
+ <url href="Translators' Mailing List">https://listas.es.freebsd.org/mailman/listinfo/doc</url>
+ </links>
+
+ <body>
+ <p>There is one article translation pending review. Apart from this,
+ neither translation nor maintainance work has been done. We need
+ more volunteers, mostly translators but we are glad to have
+ more reviewers, as well. One can join by simply subscribing to
+ the translators' mailing list, where all the work is done.</p>
+ </body>
+
+ <help>
+ <task>Update Handbook translation</task>
+
+ <task>Update webpage translation</task>
+
+ <task>Add more article translations</task>
+ </help>
+ </project>
+
+ <project cat='docs'>
+ <title>The FreeBSD Hungarian Documentation Project</title>
+
+ <contact>
+ <person>
+ <name>
+ <given>Gábor</given>
+ <common>Kövesdán</common>
+ </name>
+ <email>gabor at FreeBSD.org</email>
+ </person>
+
+ <person>
+ <name>
+ <given>Gábor</given>
+ <common>Páli</common>
+ </name>
+ <email>pgj at FreeBSD.org</email>
+ </person>
+ </contact>
+
+ <links>
+ <url href="http://www.FreeBSD.org/hu">Hungarian Web Page for FreeBSD</url>
+
+ <url href="http://www.FreeBSD.org/doc/hu">Hungarian Documentation
+ for FreeBSD</url>
+
+ <url href="http://wiki.FreeBSD.org/HungarianDocumentationProject">The
+ FreeBSD Hungarian Documentation Project's Wiki Page</url>
+
+ <url href="http://p4web.freebsd.org/@md=d&cd=//depot/projects/docproj_hu/&c=aXw@//depot/projects/docproj_hu/?ac=83">Perforce
+ Depot for the FreeBSD Hungarian Documentation Project</url>
+ </links>
+
+ <body>
+ <p>In the last months, no new translation has been added.
+ Lacking human resources, we can only manage the existing
+ documentation and web page translations. If you are interested
+ in helping us, please contact us via the the email addresses
+ noted above.</p>
+ </body>
+
+ <help>
+ <task>Translate release notes</task>
+
+ <task>Add more article translations</task>
+ </help>
+ </project>
+
<project cat='misc'>
<title>The &os; Forums</title>
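Review bot: in the Spanish Documentation Project's <links>, both <url> elements carry the title in href and the address as the element text (href="Introduction to the Spanish Documentation Project" with http://www.freebsd.org/doc/es/articles/fdp-es/ as content), the reverse of the Hungarian entry below it; swap them so that href holds the URL. In the Hungarian entry the Perforce href contains bare & characters (&cd=, &c=), which need to be written as &amp; for the file to stay well-formed XML. Also "maintainance" should be "maintenance", and "via the the email addresses" has a doubled "the".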
@@ -743,6 +834,40 @@
</help>
</project>
+ <project cat='kern'>
+ <title>Group Limit Increase</title>
+
+ <contact>
+ <person>
+ <name>
+ <given>Brooks</given>
+ <common>Davis</common>
+ </name>
+ <email>brooks at freebsd.org</email>
+ </person>
+ </contact>
+
+ <links/>
+
+ <body>
+ <p>Historically, FreeBSD has limited the number of supplemental
+ groups per process to 15 (NGROUPS_MAX was incorrectly declared to be
+ 16). In FreeBSD 8.0 we raised the limit to 1023, which should be
+ sufficient for most users and will be acceptably efficient for
+ incorrectly written applications that statically allocate
+ NGROUPS_MAX + 1 entries.</p>
+
+ <p>Because some systems such as Linux 2.6 support a larger
+ group limit, we have further relaxed this restriction in -CURRENT and
+ made kern.ngroups a tunable value, which supports values between 1023
+ and INT_MAX - 1. We plan to merge this to 8-STABLE before
+ 8.1-RELEASE.</p>
+ </body>
+
+ <help/>
+ </project>
+
+
<project cat='net'>
<title>Syncing pf(4) with OpenBSD 4.5</title>
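Review bot: the first paragraph of the Group Limit Increase body singles out applications that statically allocate NGROUPS_MAX + 1 entries, but the second paragraph, which makes kern.ngroups tunable up to INT_MAX - 1, does not say what those applications should expect once the tunable is set above the compile-time NGROUPS_MAX. Add a sentence stating that, and point authors at sizing the buffer at run time (for example from sysconf(_SC_NGROUPS_MAX)). Minor: the contact address is written freebsd.org where the other entries use FreeBSD.org, and the hunk adds two blank lines after </project> where the other new entries add one.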
@@ -972,6 +1097,97 @@
</help>
</project>
+ <project cat='arch'>
+ <title>Flattened Device Tree for embedded FreeBSD</title>
+
+ <contact>
+ <person>
+ <name>
+ <given>Rafal</given>
+ <common>Jaworowski</common>
+ </name>
+ <email>raj at semihalf.com</email>
+ </person>
+ </contact>
+
+ <links>
+ <url href="http://wiki.freebsd.org/FlattenedDeviceTree">Project wiki pages</url>
+
+ <url href="http://p4db.freebsd.org/changeList.cgi?FSPC=//depot/projects/fdt/...">Project P4 branch</url>
+ </links>
+
+ <body>
+ <p>The purpose of this project is to provide FreeBSD with support for the
+ Flattened Device Tree (FDT) technology, the mechanism for describing
+ computer hardware resources, which cannot be probed or self enumerated, in
+ a uniform and portable way. The primary consumer of this technology are
+ embedded FreeBSD platforms (ARM, AVR32, MIPS, PowerPC), where a lot of
+ designs are based on similar chips, but have different assignment of pins,
+ memory layout, addresses bindings, interrupts routing and other resources.</p>
+
+ <p>Current state highlights:</p>
+
+ <ul>
+ <li>Environment, support tools</li>
+
+ <ul>
+ <li>integrated device tree compiler (dtc) and libfdt into FreeBSD
+ userspace, kernel and loader build</li>
+ </ul>
+
+ <li>loader(8)</li>
+
+ <ul>
+ <li>full support for device tree blob handling</li>
+
+ <li>load, traverse, modify (including add/remove) device tree
+ nodes and properties</li>
+
+ <li>pass the device tree blob to the kernel</li>
+
+ <li>both ARM and PowerPC loader(8) supported</li>
+ </ul>
+
+ <li>kernel side FDT support (common)</li>
+
+ <ul>
+ <li>developed OF interface for FDT-backed platforms</li>
+
+ <li>ofw_bus I/F (and /dev/openfirm) available with FDT</li>
+
+ <li>integrated FDT resources representation with newbus (fdtbus
+ and simplebus drivers)</li>
+ </ul>
+
+ <li>PowerPC kernel (Freescale MPC85XX SOC)</li>
+
+ <ul>
+ <li>MPC8555CDS and MPC8572DS successfully converted to FDT
+ conventions</li>
+ </ul>
+
+ <li>ARM kernel (Marvell Orion, Kirkwood and Discovery SOC)</li>
+
+ <ul>
+ <li>work in progress on integrating FDT infrastructure with ARM
+ platform code</li>
+ </ul>
+ </ul>
+
+ <p>Work on this project is sponsored by the FeeBSD Foundation.</p>
+ </body>
+
+ <help>
+ <task>Complete missing pieces for PowerPC (PCI bridge driver conversion to
+ FDT)</task>
+
+ <task>Complete ARM support</task>
+
+ <task>Merge to SVN</task>
+ </help>
+ </project>
+
+
<project cat='proj'>
<title>HAST - Highly Available Storage</title>
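Review bot: the sponsorship line at the end of the Flattened Device Tree body reads "FeeBSD Foundation"; it should be "FreeBSD Foundation". In the first paragraph, "The primary consumer of this technology are embedded FreeBSD platforms" has a subject/verb mismatch ("The primary consumers ... are"). In the highlights list each inner <ul> is a sibling of the <li> it elaborates rather than a child of it; if the report DTD allows it, moving each inner <ul> inside its <li> keeps the grouping explicit.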
@@ -1026,5 +1242,100 @@
Thank you!</p>
</body>
</project>
+
+ <project cat='proj'>
+ <title>Wireless mesh networking</title>
+
+ <contact>
+ <person>
+ <name>
+ <given>Rui</given>
+ <common>Paulo</common>
+ </name>
+ <email>rpaulo at FreeBSD.org</email>
+ </person>
+ </contact>
+
+ <links>
+ <url href="http://wiki.freebsd.org/WifiMesh"/>
+ </links>
+
+ <body>
+ <p>Development of the FreeBSD 802.11s stack continues. The code in
+ FreeBSD HEAD has been updated to comply with draft 4.0. Merge to
+ FreeBSD 8-STABLE will be done soon.</p>
+
+ <p>The developer is looking for funding to be able to implement mesh
+ link security algorithms and/or coordinated channel access
+ (performance improvement).</p>
+ </body>
+
+ <help/>
+ </project>
+
+ <project cat='soc'>
+ <title>BSD-licensed iconv</title>
+
+ <contact>
+ <person>
+ <name>
+ <given>Gábor</given>
+ <common>Kövesdán</common>
+ </name>
+ <email>gabor at FreeBSD.org</email>
+ </person>
+ </contact>
+
+ <links>
+ <url href="http://p4db.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/soc2009/gabor_iconv">Sources in the Perforce repository</url>
+ </links>
+
+ <body>
+ <p>Good compatibility has been ensured and there are only few pending
+ items, which have to be reviewed/enhanced. Recently, an enhacement
+ has been completed, which makes it possible to accomplish better
+ transliteration, just like in the GNU version. An initial testing
+ patch is expected at the beginning of February.</p>
+ </body>
+
+ <help>
+ <task>Enhance conversion tables to make use of enhanced
+ transliteration.</task>
+
+ <task>A performance optimization might be done later.</task>
+ </help>
+ </project>
+
+ <project cat='bin'>
+ <title>BSD-licensed text processing tools</title>
+
+ <contact>
+ <person>
+ <name>
+ <given>Gábor</given>
+ <common>Kövesdán</common>
+ </name>
+ <email>gabor at FreeBSD.org</email>
+ </person>
+ </contact>
+
+ <links>
+ <url href="http://p4db.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/soc2008/gabor_textproc">Perforce repository</url>
+ </links>
+
+ <body>
+ <p>As 8.0-RELEASE is out, BSD bc/dc can be now committed, we are
+ only waiting for the portbuild exp-run to make sure there are no
+ regressions after this change. BSD grep is stalled because of
+ some regex library issues. We need first a fast and modern regex
+ library so that we can change to BSD grep. BSD sort has few
+ incomplete features and needs some performance review.</p>
+ </body>
+
+ <help>
+ <task>Commit BSD bc/dc</task>
+
+ <task>Implement remaining features for sort and optimize performance</task>
+ </help>
+ </project>
</report>
-
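Review bot: the Wireless mesh networking entry's <url href="http://wiki.freebsd.org/WifiMesh"/> has no link text, unlike every other <url> added in this change; give it a title such as the wiki page name. In the BSD-licensed iconv body, "enhacement" should be "enhancement", and "only few pending items" reads better as "only a few pending items".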