Re: zmore diff

2015-04-09 Thread Todd C. Miller
On Thu, 09 Apr 2015 08:37:31 +0200, Tim van der Molen wrote: > This diff makes zmore and zless recognise options starting with + so > that commands like "zless +G foo.gz" work. > > It makes sense to do this for zmore, too, because the less > implementation of more also supports + options. Thanks

Re: libressl-2.1.6 on AIX

2015-04-09 Thread Theo de Raadt
> Just to make sure I understand what is expected of isssetguid() - could you > perhaps, in terms of ls -l output with suid programs describe the > sequence(s) where the value should be 1 - and especially, when they might > (read should) be 0. > > From memory of what I read (how I understood) the

ps(1) getopt flags are not counters

2015-04-09 Thread Okan Demirmen
Hi, kflag and wflag don't need to be counters; wflag only needs to know if greater than 0 for its one test case. Expanded diff context below. OK? Thanks, Okan Index: ps.c === RCS file: /home/open/cvs/src/bin/ps/ps.c,v retrieving r

Re: libressl-2.1.6 on AIX

2015-04-09 Thread Michael Felt
I shall look at collecting the in-tree stuff. My servers are in the Netherlands, and I am in Austin atm. I have a meeting with the security team in about 30 minutes and I am going to mention libressl and get a discussion going. One of the things I wanted to discuss is about priv escalation. Just

prevent short transfer in nvramread()

2015-04-09 Thread Martin Natano
Below another min() -> ulmin() conversion to prevent integer overflow. The size (tmp - buf) passed to uiomovei() is essentially bound by the 'count' variable, thus convert to uiomove(). Index: arch/amd64/amd64/nvram.c === RCS file: /c

prevent short transfer in lptwrite()

2015-04-09 Thread Martin Natano
uio_resid may overflow when coerced to u_int, causing lptwrite() to return early. Also, uiomovei() can be replaced with uiomove(), the size argument is of type size_t anyway. Index: dev/ic/lpt.c === RCS file: /cvs/src/sys/dev/ic/lpt.c

Re: falloc and related stuff

2015-04-09 Thread kanonenvogel....@gmail.com
Struct file again. f_flag isn't modified often, so its modification can be atomic. f_msgcount and f_rxfer, f_wxfer, f_seek, f_rbytes, f_wbytes can be protected by rwlock. f_offset protection is actual for vnodes only. FIF_MARK and FIF_DEFER flags are used only by unpc garbage collector. This f

bridge(4) and Ethernet header

2015-04-09 Thread Martin Pieuchot
Like vlan(4) and carp(4), bridge(4) also needs to be tweaked to still work during the if_input() transition. Removing the ether_input() calls in this driver was a bit tricky *because* bridge_input() is called after ether_input(). See how 3 M_PREPEND() are converted to 1? And soon none will be req

Re: whois(1): use whois.nic.tld where possible

2015-04-09 Thread Ted Unangst
Stuart Henderson wrote: > There is a standard (required) hostname scheme, whois.nic.tld, for the > new gTLDs. For months whois-servers.net didn't list any of the new ones, > they are starting to catch up but are still behind, > > $ unbound-host sucks.whois-servers.net > Host sucks.whois-servers.ne

carp(4) and Ethernet header

2015-04-09 Thread Martin Pieuchot
Same problem as with vlan(4). carp(4) also needs to stop calling ether_input() directly and that implies having a mbuf with the correct Ethernet header prepended. Index: netinet/ip_carp.c === RCS file: /cvs/src/sys/netinet/ip_carp.c,v

vlan(4) and Ethernet header

2015-04-09 Thread Martin Pieuchot
Right now vlan_input() is called *after* ether_input(). More precisely it is called after the mbuf has been m_adj(9)'usted to skip the Ethernet header. This is not a problem in se but... To make sure vlan(4) keeps working during the if_input() transition, it has to stop calling ether_input() and

Re: pfi_kif leaks for PBR rules

2015-04-09 Thread Mike Belopuhov
On 8 April 2015 at 19:16, Mike Belopuhov wrote: > On Sun, Apr 05, 2015 at 12:06 +0200, Alexandr Nedvedicky wrote: >> Hello, >> >> while testing PBR on Solaris we found out the pfi_kif instances >> are not removed from pfi_ifs table. We took a look at crashdump >> and have seen pfik_route counter a

Re: autoinstall(8) tweaks

2015-04-09 Thread Theo de Raadt
> The example I have is one of a cluster of about 50 small machines with > 16GB flash cards each. Currently the alloc_big scheme is used by > disklabel for these (as with anything > about 8GB, depending on RAM). On > a 16GB flash card it will allocate about 17% of total space to /usr/src > and

Re: autoinstall(8) tweaks

2015-04-09 Thread Alex Wilson
On 09/04/15 10:53, Theo de Raadt wrote: If you have very small disk, disklabel will give you one partition. No problem. DONE. If you have ample disk, it will try to give you more partitions, because the split partition scheme is MORE SECURE. It will stepwise increase the number of partitions

Re: whois(1): use whois.nic.tld where possible

2015-04-09 Thread Stuart Henderson
On 2015/04/09 10:25, Stuart Henderson wrote: > There is a standard (required) hostname scheme, whois.nic.tld, for the > new gTLDs. For months whois-servers.net didn't list any of the new ones, > they are starting to catch up but are still behind, > > $ unbound-host sucks.whois-servers.net > Host s

Re: autoinstall(8) tweaks

2015-04-09 Thread Theo de Raadt
> But it seems people are expected to build a custom bsd.rd if they > want something different so I'll bow out of this conversation. No, the situation is that less than 1% of the user community apparently have a secret usage case, but never manage to explain it.

Run ifp detach hooks before ether_ifdetach()

2015-04-09 Thread Martin Pieuchot
Changes done by pseudo-driver *after* ether_ifattach() must be undone *before* ether_ifdetach(). Otherwise it is impossible to ensure we're leaving a stacked pseudo-interface in a correct state. Since I don't want to modify every single driver calling ether_ifdetach() I'm using a new function, if

whois(1): use whois.nic.tld where possible

2015-04-09 Thread Stuart Henderson
There is a standard (required) hostname scheme, whois.nic.tld, for the new gTLDs. For months whois-servers.net didn't list any of the new ones, they are starting to catch up but are still behind, $ unbound-host sucks.whois-servers.net Host sucks.whois-servers.net not found: 3(NXDOMAIN). $ unbound

Re: autoinstall(8) tweaks

2015-04-09 Thread Alexander Hall
On April 9, 2015 9:33:57 AM GMT+02:00, Stuart Henderson wrote: >On 2015/04/09 09:13, Alexander Hall wrote: >> >> I don't think tweaking an existing auto label is unnecessary and >overly . Hardcoding mount points and their sizes should be enough, and >leave the rest unallocated. > >At least, s

Re: autoinstall(8) tweaks

2015-04-09 Thread Stuart Henderson
On 2015/04/09 09:13, Alexander Hall wrote: > > I don't think tweaking an existing auto label is unnecessary and overly . > Hardcoding mount points and their sizes should be enough, and leave the rest > unallocated. At least, specifying in % is pretty important. But it seems people are expecte

Re: autoinstall(8) tweaks

2015-04-09 Thread Alexander Hall
On April 9, 2015 2:44:28 AM GMT+02:00, Stuart Henderson wrote: >On 2015/04/09 01:53, Alexander Hall wrote: >> On April 8, 2015 9:13:27 AM GMT+02:00, Stuart Henderson >> wrote: >> >On 2015/04/07 20:02, Alex Wilson wrote: >> >> On the topic of local tweaks to autoinstall, I was trying to use >it