From owner-freebsd-hackers@FreeBSD.ORG Sat Aug 17 18:00:56 2013
Date: Sat, 17 Aug 2013 20:00:55 +0200
Subject: ps_strings
From: Carlos Jacobo Puga Medina
To: freebsd-hackers@freebsd.org

Hi people,

Despite having made a request not long ago[1], I'm looking for documentation to
create the ps_strings structure man page because it isn't covered in other man
pages, e.g. execve(2). So, I'm interested to know for what it's
currently used.

Any input will be appreciated.

--CJPM

[1] http://lists.freebsd.org/pipermail/freebsd-doc/2013-July/022422.html

From owner-freebsd-hackers@FreeBSD.ORG Sun Aug 18 17:17:47 2013
Date: Sun, 18 Aug 2013 13:17:46 -0400
Subject: Re: ps_strings
From: Super Bisquit
To: Carlos Jacobo Puga Medina
Cc: FreeBSD Hackers

http://forums.freebsd.org/showthread.php?p=228128
http://www.dolphinburger.com/cgi-bin/bsdi-man?proto=1.1&query=ps_strings&msection=5&apropos=0

On Sat, Aug 17, 2013 at 2:00 PM, Carlos Jacobo Puga Medina <cjpugmed@gmail.com> wrote:

> Hi people,
>
> Despite having made a request not long ago[1], I'm looking for documentation to
> create the ps_strings structure man page because it isn't covered in other man
> pages, e.g. execve(2). So, I'm interested to know for what it's
> currently used.
>
> Any input will be appreciated.
>
> --CJPM
>
>
> [1] http://lists.freebsd.org/pipermail/freebsd-doc/2013-July/022422.html
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"

From owner-freebsd-hackers@FreeBSD.ORG Sun Aug 18 18:14:58 2013
Date: Sun, 18 Aug 2013 20:14:56 +0200
Subject: Re: ps_strings
From: Fernando Apesteguía
To: Carlos Jacobo Puga Medina
Cc: FreeBSD Hackers

On Sat, Aug 17, 2013 at 8:00 PM, Carlos Jacobo Puga Medina <cjpugmed@gmail.com> wrote:

> Hi people,
>
> Despite having made a request not long ago[1], I'm looking for documentation to
> create the ps_strings structure man page because it isn't covered in other man
> pages, e.g. execve(2). So, I'm interested to know for what it's
> currently used.
>
> Any input will be appreciated.
>

It is for storing the vectors for program arguments and environment. They are
placed at the top of the process stack. This information is used, for instance,
by the ps(1) program via the kvm(3) interface. The same structure is accessed
from the linuxolator (linprocfs.c) to implement the "environ" pseudo-file.

In the first case (libkvm interface) a sysctl is used to retrieve that
information. Anyway, both paths end up calling proc_getenvv/proc_getargv in
kern_proc.c. Those are "selectors" for the function that does the actual work:
get_ps_strings. This function first calls get_proc_vector to copy the relevant
memory area (look for vptr in the "case" statement) from the process stack and
then it iterates to extract all the strings.

Have a look at the comment in sys/exec.h

All this is probably not needed for the man page, but hey, just my two cents.

>
> --CJPM
>
>
> [1] http://lists.freebsd.org/pipermail/freebsd-doc/2013-July/022422.html

From owner-freebsd-hackers@FreeBSD.ORG Sun Aug 18 22:18:19 2013
From: Chris Torek
To: Carlos Jacobo Puga Medina
Cc: freebsd-hackers@freebsd.org
Subject: Re: ps_strings
Date: Sun, 18 Aug 2013 16:05:11 -0600

>Despite having made a request not long ago[1], I'm looking for
>documentation to create the ps_strings structure man page because
>it isn't covered in other man pages, e.g. execve(2). So, I'm
>interested to know for what it's currently used.

Nothing. (Well, backwards compatibility, depending on how far
backwards you go.)

I invented the "ps_strings" struct a long time ago, about the same
time libkvm was new.

Some background: There was code in "ps" that would grub around in
the top stack page of each user process and extract the argv
strings. This code knew how execve() worked inside the kernel
(copying the argv and environment strings into the user stack,
just below the signal trampoline code, and then setting up argv
and envp pointers and invoking the libc/csu "start program" code
at the entry point).

We moved this grub-around-in-process-stack code to libkvm, but it
was still rather horrible code.

Meanwhile, we had programs like sendmail that would "set their
process title" by saving, in some secret global variable, the
space where the "argv" array itself and its strings lived, and
then -- in setproctitle() -- carefully overwrite it. Of course
there was only as much room there as the kernel provided, based on
the actual strings at execve() time.

I figured this would all be much cleaner if we created a small
data structure, namely "ps_strings", to hold the information that
libkvm would extract (and hence, ps would show). It would be
simpler than the original code, because the ps_strings structure
lived at a fixed, well known user-space virtual address (the same
VA in every process). Moreover, a user program (like sendmail)
could modify the ps_strings data to point to any other user-space
area: libkvm was smart enough to extract arbitrary data (and
verify the validity of the address too). This removed the limit
on how large a "process title" could be.

FreeBSD now, however, uses a per-process p_args field in the
"proc" structure, with sysctl()s to set and get p_args. (I had
nothing to do with this new code, but I approve, as if anyone
cares. :-) ) This removes the fixed-virtual-address limitation.
The cost is a bit more kernel code (for the sysctl()s) and this
per-process data, but there is no more messing-about with "where
is ps_strings in this memory-layout / emulation" etc. (Meanwhile
libkvm still retrieves the arguments. It just does it now with
sysctl().)

Chris

From owner-freebsd-hackers@FreeBSD.ORG Mon Aug 19 07:44:58 2013
Date: Mon, 19 Aug 2013 10:44:52 +0300
From: Konstantin Belousov
To: Chris Torek
Cc: freebsd-hackers@freebsd.org, Carlos Jacobo Puga Medina
Subject: Re: ps_strings

On Sun, Aug 18, 2013 at 04:05:11PM -0600, Chris Torek wrote:
> FreeBSD now, however, uses a per-process p_args field in the
> "proc" structure, with sysctl()s to set and get p_args. (I had
> nothing to do with this new code, but I approve, as if anyone
> cares. :-) ) This removes the fixed-virtual-address limitation.
> The cost is a bit more kernel code (for the sysctl()s) and this
> per-process data, but there is no more messing-about with "where
> is ps_strings in this memory-layout / emulation" etc. (Meanwhile
> libkvm still retrieves the arguments. It just does it now with
> sysctl().)

Yes, p_args caches the arguments, but not always. Right now, kernel
does not cache arguments if the string is longer than 256 bytes. Look
for ps_arg_cache_limit in kern_exec.c.

setproctitle() always informs the kernel with sysctl and sets the
pointers in ps_strings.
kern.proc.args sysctl first tries the p_args, and falls back to reading
ps_strings and following the pointers if p_args is NULL.

From owner-freebsd-hackers@FreeBSD.ORG Tue Aug 20 00:39:46 2013
Date: Tue, 20 Aug 2013 02:39:44 +0200
Subject: ps_strings
From: Carlos Jacobo Puga Medina
To: freebsd-hackers@freebsd.org

First, I want to thank Super Bisquit, Fernando and Chris for their inputs.

Second, the ps_strings struct remains in use to report information about the
running process back to the user and operating system, and as such enriches
the content of the FreeBSD kernel, so it's worth creating this man page.
However, I'll consult this with a member of the doc team so that everything
is in order.

Attentively
--CJPM

From owner-freebsd-hackers@FreeBSD.ORG Tue Aug 20 00:50:02 2013
From: Chris Torek
To: Konstantin Belousov
Cc: freebsd-hackers@freebsd.org, Carlos Jacobo Puga Medina
Subject: Re: ps_strings
Date: Mon, 19 Aug 2013 18:49:55 -0600

>Yes, p_args caches the arguments, but not always. Right now, kernel
>does not cache arguments if the string is longer than 256 bytes. Look
>for ps_arg_cache_limit in kern_exec.c.
>
>setproctitle() always informs the kernel with sysctl and sets the
>pointers in ps_strings. kern.proc.args sysctl first tries the p_args,
>and falls back to reading ps_strings and following the pointers if
>p_args is NULL.

Ah, that's what I get for scanning through years of updates too fast.
:-)

This seems a bit of a "worst of both worlds": there's now some
extra kernel code for poking through the ps_strings and the
pointer-vectors (this code is no longer in libkvm at all --
that was where I looked first and found the sysctl), for the "no
p_args" case. It seems like perhaps there could just be a sysctl
to return the ps_strings address, and leave the "follow argv
pointers" code in libkvm, if there is to be code for that.

(The kernel saves a bit of time for the presumably-usual "p_args
not NULL" case, and finding the location of the ps_strings
structure when it *is* used is automatically correct. So that
part is a straight-up improvement, at least.)

Not that big a deal either way, but it does seem as though there
should be documentation for ps_strings.

Chris

From owner-freebsd-hackers@FreeBSD.ORG Sun Aug 18 23:23:56 2013
Date: Mon, 19 Aug 2013 01:23:55 +0200
Subject: Re: ps_strings
From: Carlos Jacobo Puga Medina
To: superbisquit@gmail.com, fernando.apesteguia@gmail.com, Chris Torek
Cc: freebsd-hackers@freebsd.org

First, I want to thank Super Bisquit, Fernando and Chris for their inputs.

Second, the ps_strings struct remains in use to report information about the
running process back to the user and operating system, and as such enriches
the content of the FreeBSD kernel, so it's worth creating this man page.
However, I'll consult this with a member of the doc team so that everything
is in order.

Attentively
--CJPM

2013/8/19 Chris Torek

> >Despite having made a request not long ago[1], I'm looking for
> >documentation to create the ps_strings structure man page because
> >it isn't covered in other man pages, e.g. execve(2). So, I'm
> >interested to know for what it's currently used.
>
> Nothing. (Well, backwards compatibility, depending on how far
> backwards you go.)
>
> I invented the "ps_strings" struct a long time ago, about the same
> time libkvm was new.
>
> Some background: There was code in "ps" that would grub around in
> the top stack page of each user process and extract the argv
> strings. This code knew how execve() worked inside the kernel
> (copying the argv and environment strings into the user stack,
> just below the signal trampoline code, and then setting up argv
> and envp pointers and invoking the libc/csu "start program" code
> at the entry point).
>
> We moved this grub-around-in-process-stack code to libkvm, but it
> was still rather horrible code.
>
> Meanwhile, we had programs like sendmail that would "set their
> process title" by saving, in some secret global variable, the
> space where the "argv" array itself and its strings lived, and
> then -- in setproctitle() -- carefully overwrite it. Of course
> there was only as much room there as the kernel provided, based on
> the actual strings at execve() time.
>
> I figured this would all be much cleaner if we created a small
> data structure, namely "ps_strings", to hold the information that
> libkvm would extract (and hence, ps would show). It would be
> simpler than the original code, because the ps_strings structure
> lived at a fixed, well known user-space virtual address (the same
> VA in every process). Moreover, a user program (like sendmail)
> could modify the ps_strings data to point to any other user-space
> area: libkvm was smart enough to extract arbitrary data (and
> verify the validity of the address too). This removed the limit
> on how large a "process title" could be.
>
> FreeBSD now, however, uses a per-process p_args field in the
> "proc" structure, with sysctl()s to set and get p_args. (I had
> nothing to do with this new code, but I approve, as if anyone
> cares. :-) ) This removes the fixed-virtual-address limitation.
> The cost is a bit more kernel code (for the sysctl()s) and this
> per-process data, but there is no more messing-about with "where
> is ps_strings in this memory-layout / emulation" etc. (Meanwhile
> libkvm still retrieves the arguments. It just does it now with
> sysctl().)
>
> Chris
>

From owner-freebsd-hackers@FreeBSD.ORG Tue Aug 20 20:46:12 2013
Date: Tue, 20 Aug 2013 23:46:06 +0300
From: Konstantin Belousov
To: Chris Torek
Cc: freebsd-hackers@freebsd.org, Carlos Jacobo Puga Medina
Subject: Re: ps_strings

On Mon, Aug 19, 2013 at 06:49:55PM -0600, Chris Torek wrote:
> >Yes, p_args caches the arguments, but not always. Right now, kernel
> >does not cache arguments if the string is longer than 256 bytes. Look
> >for ps_arg_cache_limit in kern_exec.c.
> >
> >setproctitle() always informs the kernel with sysctl and sets the
> >pointers in ps_strings. kern.proc.args sysctl first tries the p_args,
> >and falls back to reading ps_strings and following the pointers if
> >p_args is NULL.
>
> Ah, that's what I get for scanning through years of updates too fast.
> :-)
>
> This seems a bit of a "worst of both worlds": there's now some
> extra kernel code for poking through the ps_strings and the
> pointer-vectors (this code is no longer in libkvm at all --
> that was where I looked first and found the sysctl), for the "no
> p_args" case.
> It seems like perhaps there could just be a sysctl
> to return the ps_strings address, and leave the "follow argv
> pointers" code in libkvm, if there is to be code for that.

There is a demand for other things besides arguments, e.g. environment,
and most important for the debuggers, ELF aux vector. Also, moving this
code to libkvm would mean that mismatched ABIs cannot be easily supported,
like 64bit binary trying to get 32bit binary information.

I would say that the current placement fulfills its goals.

>
> (The kernel saves a bit of time for the presumably-usual "p_args
> not NULL" case, and finding the location of the ps_strings
> structure when it *is* used is automatically correct. So that
> part is a straight-up improvement, at least.)
>
> Not that big a deal either way, but it does seem as though there
> should be documentation for ps_strings.
>
> Chris

From owner-freebsd-hackers@FreeBSD.ORG Thu Aug 22 20:50:06 2013
cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 77CA0D87 for ; Thu, 22 Aug 2013 20:50:06 +0000 (UTC) (envelope-from jlh@FreeBSD.org) Received: from caravan.chchile.org (caravan.chchile.org [178.32.125.136]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id D31E32172 for ; Thu, 22 Aug 2013 20:50:05 +0000 (UTC) Received: by caravan.chchile.org (Postfix, from userid 1000) id 7DB85C0D26; Thu, 22 Aug 2013 20:49:58 +0000 (UTC) Date: Thu, 22 Aug 2013 22:49:58 +0200 
From: Jeremie Le Hen
To: freebsd-hackers@freebsd.org
Subject: weekly periodic security status
Message-ID: <20130822204958.GC24767@caravan.chchile.org>

Hi,

I plan to commit the attached patch. This allows to turn the daily
security checks into weekly checks. You do this by adding the
following to periodic.conf(5):

    daily_status_security_enable=NO
    weekly_status_security_enable=YES

All other $daily_status_security_whatever variables will be renamed to
$security_status_whatever. The old variable name is supported but
prints a warning.

The idea is that for many personal servers, whether it is used as a NAS
or for development, you may not want to run I/O-expensive find(1) jobs
every day, but you don't want to disable entirely because there's a
little voice that tells you it's bad.

Well, whatever, if you have any concerns, objections or comments, please
speak now :).

Note that once I will have committed this, I will make another commit to
the manpage so as to move the security options into their own section,
out of the daily section. But it is clearer for review that way I think.

The patch is also available here:
http://people.freebsd.org/~jlh/weekly_status_security.diff

Cheers,
-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.

--Kj7319i9nmIyA2yE Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="weekly_status_security.diff" Index: etc/defaults/periodic.conf =================================================================== --- etc/defaults/periodic.conf (revision 254638) +++ etc/defaults/periodic.conf (working copy) 
@@ -164,58 +164,58 @@ daily_local="/etc/daily.local" # Local scripts # These options are used by the security periodic(8) scripts spawned in # 450.status-security above. -daily_status_security_inline="NO" # Run inline ? -daily_status_security_output="root" # user or /file -daily_status_security_noamd="NO" # Don't check amd mounts -daily_status_security_logdir="/var/log" # Directory for logs -daily_status_security_diff_flags="-b -u" # flags for diff output +security_status_inline="NO" # Run inline ? +security_status_output="root" # user or /file +security_status_noamd="NO" # Don't check amd mounts +security_status_logdir="/var/log" # Directory for logs +security_status_diff_flags="-b -u" # flags for diff output # 100.chksetuid -daily_status_security_chksetuid_enable="YES" +security_status_chksetuid_enable="YES" # 110.neggrpperm -daily_status_security_neggrpperm_enable="YES" +security_status_neggrpperm_enable="YES" # 200.chkmounts -daily_status_security_chkmounts_enable="YES" -#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching +security_status_chkmounts_enable="YES" +#security_status_chkmounts_ignore="^amd:" # Don't check matching # FS types # 300.chkuid0 -daily_status_security_chkuid0_enable="YES" +security_status_chkuid0_enable="YES" # 400.passwdless -daily_status_security_passwdless_enable="YES" +security_status_passwdless_enable="YES" # 410.logincheck -daily_status_security_logincheck_enable="YES" +security_status_logincheck_enable="YES" # 460.chkportsum -daily_status_security_chkportsum_enable="NO" # Check ports w/ wrong checksum +security_status_chkportsum_enable="NO" # Check ports w/ wrong checksum # 500.ipfwdenied -daily_status_security_ipfwdenied_enable="YES" +security_status_ipfwdenied_enable="YES" # 510.ipfdenied -daily_status_security_ipfdenied_enable="YES" +security_status_ipfdenied_enable="YES" # 520.pfdenied -daily_status_security_pfdenied_enable="YES" +security_status_pfdenied_enable="YES" # 550.ipfwlimit 
-daily_status_security_ipfwlimit_enable="YES" +security_status_ipfwlimit_enable="YES" # 610.ipf6denied -daily_status_security_ipf6denied_enable="YES" +security_status_ipf6denied_enable="YES" # 700.kernelmsg -daily_status_security_kernelmsg_enable="YES" +security_status_kernelmsg_enable="YES" # 800.loginfail -daily_status_security_loginfail_enable="YES" +security_status_loginfail_enable="YES" # 900.tcpwrap -daily_status_security_tcpwrap_enable="YES" +security_status_tcpwrap_enable="YES" # Weekly options @@ -248,6 +248,10 @@ weekly_status_pkg_enable="NO" # Find out-of-dat pkg_version=pkg_version # Use this program pkg_version_index=/usr/ports/INDEX-10 # Use this index file +# 450.status-security; disabled by defaut because daily checks are enabled +weekly_status_security_enable="NO" # Security check +# See "Security options" above for more options + # 999.local weekly_local="/etc/weekly.local" # Local scripts @@ -276,6 +280,16 @@ monthly_local="/etc/monthly.local" # Local scrip if [ -z "${source_periodic_confs_defined}" ]; then source_periodic_confs_defined=yes + daily_security_var_compat() { + local new=$1 old + + old=daily_status_security${#status_security} + [ -z "$old" ] && return + echo "Warning: Variable \$$old is deprecated," \ + "use \$$new instead." >&2 + eval \$$new=\""$old"\" + } + source_periodic_confs() { local i sourced_files Index: etc/periodic/security/100.chksetuid =================================================================== --- etc/periodic/security/100.chksetuid (revision 254638) +++ etc/periodic/security/100.chksetuid (working copy) 
@@ -39,7 +39,9 @@ fi rc=0 -case "$daily_status_security_chksetuid_enable" in +daily_security_var_compat security_status_chksetuid_enable + +case "$security_status_chksetuid_enable" in [Yy][Ee][Ss]) echo "" echo 'Checking setuid files and devices:' Index: etc/periodic/security/110.neggrpperm =================================================================== --- etc/periodic/security/110.neggrpperm (revision 254638) +++ etc/periodic/security/110.neggrpperm (working copy) @@ -35,9 +35,11 @@ then source_periodic_confs fi +daily_security_var_compat security_status_neggrpperm_enable + rc=0 -case "$daily_status_security_neggrpperm_enable" in +case "$security_status_neggrpperm_enable" in [Yy][Ee][Ss]) echo "" echo 'Checking negative group permissions:' Index: etc/periodic/security/200.chkmounts =================================================================== --- etc/periodic/security/200.chkmounts (revision 254638) +++ etc/periodic/security/200.chkmounts (working copy) @@ -40,12 +40,16 @@ fi . /etc/periodic/security/security.functions -ignore="${daily_status_security_chkmounts_ignore}" +daily_security_var_compat security_status_chkmounts_ignore +daily_security_var_compat security_status_chkmounts_enable +daily_security_var_compat security_status_noamd + +ignore="${security_status_chkmounts_ignore}" rc=0 -case "$daily_status_security_chkmounts_enable" in +case "$security_status_chkmounts_enable" in [Yy][Ee][Ss]) - case "$daily_status_security_noamd" in + case "$security_status_noamd" in [Yy][Ee][Ss]) ignore="${ignore}|^amd:" esac Index: etc/periodic/security/300.chkuid0 =================================================================== --- etc/periodic/security/300.chkuid0 (revision 254638) +++ etc/periodic/security/300.chkuid0 (working copy) 
@@ -36,7 +36,9 @@ then source_periodic_confs fi -case "$daily_status_security_chkuid0_enable" in +daily_security_var_compat security_status_chkuid0_enable + +case "$security_status_chkuid0_enable" in [Yy][Ee][Ss]) echo "" echo 'Checking for uids of 0:' Index: etc/periodic/security/400.passwdless =================================================================== --- etc/periodic/security/400.passwdless (revision 254638) +++ etc/periodic/security/400.passwdless (working copy) @@ -35,7 +35,9 @@ then source_periodic_confs fi -case "$daily_status_security_passwdless_enable" in +daily_security_var_compat security_status_passwdless_enable + +case "$security_status_passwdless_enable" in [Yy][Ee][Ss]) echo "" echo 'Checking for passwordless accounts:' Index: etc/periodic/security/410.logincheck =================================================================== --- etc/periodic/security/410.logincheck (revision 254638) +++ etc/periodic/security/410.logincheck (working copy) @@ -35,7 +35,9 @@ then source_periodic_confs fi -case "$daily_status_security_logincheck_enable" in +daily_security_var_compat security_status_logincheck_enable + +case "$security_status_logincheck_enable" in [Yy][Ee][Ss]) echo "" echo 'Checking login.conf permissions:' Index: etc/periodic/security/460.chkportsum =================================================================== --- etc/periodic/security/460.chkportsum (revision 254638) +++ etc/periodic/security/460.chkportsum (working copy) @@ -40,7 +40,7 @@ rc=0 echo "" echo 'Checking for ports with mismatched checksums:' -case "${daily_status_security_chkportsum_enable}" in +case "${security_status_chkportsum_enable}" in [Yy][Ee][Ss]) set -f pkg_info -ga 2>/dev/null | \ Index: etc/periodic/security/500.ipfwdenied =================================================================== --- etc/periodic/security/500.ipfwdenied (revision 254638) +++ etc/periodic/security/500.ipfwdenied (working copy) 
@@ -37,9 +37,11 @@ fi . /etc/periodic/security/security.functions +daily_security_var_compat security_status_ipfwdenied_enable + rc=0 -case "$daily_status_security_ipfwdenied_enable" in +case "$security_status_ipfwdenied_enable" in [Yy][Ee][Ss]) TMP=`mktemp -t security` if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then Index: etc/periodic/security/510.ipfdenied =================================================================== --- etc/periodic/security/510.ipfdenied (revision 254638) +++ etc/periodic/security/510.ipfdenied (working copy) @@ -37,9 +37,11 @@ fi . /etc/periodic/security/security.functions +daily_security_var_compat security_status_ipfdenied_enable + rc=0 -case "$daily_status_security_ipfdenied_enable" in +case "$security_status_ipfdenied_enable" in [Yy][Ee][Ss]) TMP=`mktemp -t security` if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then Index: etc/periodic/security/520.pfdenied =================================================================== --- etc/periodic/security/520.pfdenied (revision 254638) +++ etc/periodic/security/520.pfdenied (working copy) @@ -37,9 +37,11 @@ fi . /etc/periodic/security/security.functions +daily_security_var_compat security_status_pfdenied_enable + rc=0 -case "$daily_status_security_pfdenied_enable" in +case "$security_status_pfdenied_enable" in [Yy][Ee][Ss]) TMP=`mktemp -t security` if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then Index: etc/periodic/security/550.ipfwlimit =================================================================== --- etc/periodic/security/550.ipfwlimit (revision 254638) +++ etc/periodic/security/550.ipfwlimit (working copy) 
@@ -38,9 +38,11 @@ then source_periodic_confs fi +daily_security_var_compat security_status_ipfwlimit_enable + rc=0 -case "$daily_status_security_ipfwlimit_enable" in +case "$security_status_ipfwlimit_enable" in [Yy][Ee][Ss]) IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null` if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then Index: etc/periodic/security/610.ipf6denied =================================================================== --- etc/periodic/security/610.ipf6denied (revision 254638) +++ etc/periodic/security/610.ipf6denied (working copy) @@ -37,9 +37,11 @@ fi . /etc/periodic/security/security.functions +daily_security_var_compat security_status_ipf6denied_enable + rc=0 -case "$daily_status_security_ipf6denied_enable" in +case "$security_status_ipf6denied_enable" in [Yy][Ee][Ss]) TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then Index: etc/periodic/security/700.kernelmsg =================================================================== --- etc/periodic/security/700.kernelmsg (revision 254638) +++ etc/periodic/security/700.kernelmsg (working copy) @@ -40,9 +40,11 @@ fi . /etc/periodic/security/security.functions +daily_security_var_compat security_status_kernelmsg_enable + rc=0 -case "$daily_status_security_kernelmsg_enable" in +case "$security_status_kernelmsg_enable" in [Yy][Ee][Ss]) dmesg 2>/dev/null | check_diff new_only dmesg - "${host} kernel log messages:" Index: etc/periodic/security/800.loginfail =================================================================== --- etc/periodic/security/800.loginfail (revision 254638) +++ etc/periodic/security/800.loginfail (working copy) @@ -38,8 +38,11 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" +daily_security_var_compat security_status_logdir +daily_security_var_compat security_status_loginfail_enable +LOG="${security_status_logdir}" + yesterday=`date -v-1d "+%b %e "` catmsgs() { 
@@ -55,7 +58,7 @@ catmsgs() { [ -f ${LOG}/auth.log ] && cat $LOG/auth.log } -case "$daily_status_security_loginfail_enable" in +case "$security_status_loginfail_enable" in [Yy][Ee][Ss]) echo "" echo "${host} login failures:" Index: etc/periodic/security/900.tcpwrap =================================================================== --- etc/periodic/security/900.tcpwrap (revision 254638) +++ etc/periodic/security/900.tcpwrap (working copy) @@ -38,8 +38,11 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" +daily_security_var_compat security_status_logdir +daily_security_var_compat security_status_tcpwrap_enable +LOG="${security_status_logdir}" + yesterday=`date -v-1d "+%b %e "` catmsgs() { @@ -55,7 +58,7 @@ catmsgs() { [ -f ${LOG}/messages ] && cat $LOG/messages } -case "$daily_status_security_tcpwrap_enable" in +case "$security_status_tcpwrap_enable" in [Yy][Ee][Ss]) echo "" echo "${host} refused connections:" Index: etc/periodic/security/security.functions =================================================================== --- etc/periodic/security/security.functions (revision 254638) +++ etc/periodic/security/security.functions (working copy) @@ -31,6 +31,8 @@ # Show differences in the output of an audit command # +daily_security_var_compat daily_status_security_logdir + LOG="${daily_status_security_logdir}" rc=0 Index: etc/periodic/weekly/Makefile =================================================================== --- etc/periodic/weekly/Makefile (revision 254638) +++ etc/periodic/weekly/Makefile (working copy) @@ -3,6 +3,7 @@ .include FILES= 340.noid \ + 450.status-security \ 999.local # NB: keep these sorted by MK_* knobs Index: share/man/man5/periodic.conf.5 =================================================================== --- share/man/man5/periodic.conf.5 (revision 254638) +++ share/man/man5/periodic.conf.5 (working copy) 
@@ -450,7 +450,7 @@ is set to .Dq Li YES . This may not work with MTAs other than .Xr sendmail 8 . -.It Va daily_status_security_enable +.It Va security_status_enable .Pq Vt bool Set to .Dq Li YES @@ -462,46 +462,48 @@ The system defaults are in .Pa /etc/periodic/security . Local scripts should be placed in .Pa /usr/local/etc/periodic/security . +It makes to sense to be enabled along with +.Va weekly_status_security_enable . See the .Xr periodic 8 manual page for more information. -.It Va daily_status_security_inline +.It Va security_status_inline .Pq Vt bool Set to .Dq Li YES if you want the security check output inline. The default is to either mail or log the output according to the value of -.Va daily_status_security_output . -.It Va daily_status_security_output +.Va security_status_output . +.It Va security_status_output .Pq Vt str Where to send the output of the security check if -.Va daily_status_security_inline +.Va security_status_inline is set to .Dq Li NO . This variable behaves in the same way as the .Va *_output variables above, namely it can be set either to one or more email addresses or to an absolute file name. -.It Va daily_status_security_diff_flags +.It Va security_status_diff_flags .Pq Vt str Set to the arguments to pass to the .Xr diff 1 utility when generating differences. The default is .Fl b u . -.It Va daily_status_security_chksetuid_enable +.It Va security_status_chksetuid_enable .Pq Vt bool Set to .Dq Li YES to compare the modes and modification times of setuid executables with the previous day's values. -.It Va daily_status_security_chkportsum_enable +.It Va security_status_chkportsum_enable .Pq Vt bool Set to .Dq Li YES to verify checksums of all installed packages against the known checksums in .Pa /var/db/pkg . -.It Va daily_status_security_neggrpperm_enable +.It Va security_status_neggrpperm_enable .Pq Vt bool Set to .Dq Li YES 
@@ -509,35 +511,35 @@ to check for files where the group of a file has l the world at large. When users are in more than 14 supplemental groups these negative permissions may not be enforced via NFS shares. -.It Va daily_status_security_chkmounts_enable +.It Va security_status_chkmounts_enable .Pq Vt bool Set to .Dq Li YES to check for changes mounted file systems to the previous day's values. -.It Va daily_status_security_noamd +.It Va security_status_noamd .Pq Vt bool Set to .Dq Li YES if you want to ignore .Xr amd 8 mounts when comparing against yesterday's file system mounts in the -.Va daily_status_security_chkmounts_enable +.Va security_status_chkmounts_enable check. -.It Va daily_status_security_chkuid0_enable +.It Va security_status_chkuid0_enable .Pq Vt bool Set to .Dq Li YES to check .Pa /etc/master.passwd for accounts with UID 0. -.It Va daily_status_security_passwdless_enable +.It Va security_status_passwdless_enable .Pq Vt bool Set to .Dq Li YES to check .Pa /etc/master.passwd for accounts with empty passwords. -.It Va daily_status_security_logincheck_enable +.It Va security_status_logincheck_enable .Pq Vt bool Set to .Dq Li YES 
@@ -546,49 +548,49 @@ to check ownership, see .Xr login.conf 5 for more information. -.It Va daily_status_security_ipfwdenied_enable +.It Va security_status_ipfwdenied_enable .Pq Vt bool Set to .Dq Li YES to show log entries for packets denied by .Xr ipfw 8 since yesterday's check. -.It Va daily_status_security_ipfdenied_enable +.It Va security_status_ipfdenied_enable .Pq Vt bool Set to .Dq Li YES to show log entries for packets denied by .Xr ipf 8 since yesterday's check. -.It Va daily_status_security_pfdenied_enable +.It Va security_status_pfdenied_enable .Pq Vt bool Set to .Dq Li YES to show log entries for packets denied by .Xr pf 4 since yesterday's check. -.It Va daily_status_security_ipfwlimit_enable +.It Va security_status_ipfwlimit_enable .Pq Vt bool Set to .Dq Li YES to display .Xr ipfw 8 rules that have reached their verbosity limit. -.It Va daily_status_security_kernelmsg_enable +.It Va security_status_kernelmsg_enable .Pq Vt bool Set to .Dq Li YES to show new .Xr dmesg 8 entries since yesterday's check. -.It Va daily_status_security_loginfail_enable +.It Va security_status_loginfail_enable .Pq Vt bool Set to .Dq Li YES to display failed logins from .Pa /var/log/messages in the previous day. -.It Va daily_status_security_tcpwrap_enable +.It Va security_status_tcpwrap_enable .Pq Vt bool Set to .Dq Li YES 
@@ -709,6 +711,23 @@ An orphaned file is one with an invalid owner or g A list of directories under which orphaned files are searched for. This would usually be set to .Pa / . +.It Va weekly_status_security_enable +.Pq Vt bool +Set to +.Dq Li YES +if you want to run the security check. +The security check is another set of +.Xr periodic 8 +scripts. +The system defaults are in +.Pa /etc/periodic/security . +Local scripts should be placed in +.Pa /usr/local/etc/periodic/security . +It makes to sense to be enabled along with +.Va daily_status_security_enable . +See the +.Xr periodic 8 +manual page for more information. .It Va weekly_status_pkg_enable .Pq Vt bool Set to --Kj7319i9nmIyA2yE-- From owner-freebsd-hackers@FreeBSD.ORG Fri Aug 23 13:25:30 2013 Return-Path: Delivered-To: hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id BFBB2EF4 for ; Fri, 23 Aug 2013 13:25:30 +0000 (UTC) (envelope-from trtrmitya@gmail.com) Received: from mail-la0-x22e.google.com (mail-la0-x22e.google.com [IPv6:2a00:1450:4010:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 46C7026F8 for ; Fri, 23 Aug 2013 13:25:30 +0000 (UTC) Received: by mail-la0-f46.google.com with SMTP id eh20so472450lab.19 for ; Fri, 23 Aug 2013 06:25:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:message-id:date :to:mime-version; bh=SiVxDzttwmVcgIVgPI4X4MmA0Utun6L8gI6m8a1Pdgc=; b=uBX4GlS9zL76wJK1bPXQ0c8iFNzVyayDz/s2q2tLJeWjNYhzGG0TzAbv3NApH8B7YO Kby9p5M+yBJ53MWOhPiuXDkSu3F+mZJtTxPYkbuJLlY2Cp2pbtxv9yO/XcWnCiT0s5TO Lpdw9D1LP6JfkXFzftsUlHSLtcuIxLK/vA0/vLAgIPAVarvSo09VU03vOgdiL58c7xqZ NGe4bZiz8NRz2KIwFlbedx8rpPQyeoFO4vYrtQgwQNoA/4QKkCpCGakI93KYVm/XyrC+ 
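Review bot: security_status_inline, security_status_output and security_status_diff_flags get no compatibility handling. The first etc/defaults/periodic.conf hunk (@@ -164,58 +164,58 @@) renames them, but no script hunk in this patch calls daily_security_var_compat for any of the three, and no hunk updates a file that reads them. A periodic.conf that sets the old names would silently lose those settings; add the compat calls where the variables are consumed and include those files in the diff.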
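Review bot: daily_security_var_compat() in the etc/defaults/periodic.conf hunk at @@ -276,6 +280,16 @@ never reads the old variable's value. ${#status_security} expands to the length of a variable named status_security, so old ends up as a fixed string such as daily_status_security0 instead of a name derived from $1; stripping the prefix with ${new#security_status} looks like what was meant. The [ -z "$old" ] test then checks the name rather than the value, so the function never returns early and the warning prints for every variable on every run. The last line, eval \$$new=\""$old"\", expands the new variable on the left-hand side and assigns the old name, not its contents. Fetch the value with an eval, return when it is empty, and assign with eval "$new=\"\$$old\"".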
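Review bot: the 460.chkportsum hunk is missing the compat call. It switches the case to ${security_status_chkportsum_enable} without a preceding daily_security_var_compat security_status_chkportsum_enable, unlike the other scripts in the patch. This check defaults to NO, so a host that turned it on under the old name would stop running it with no warning. Add the call before the case.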
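Review bot: 800.loginfail and 900.tcpwrap still compute yesterday with date -v-1d (unchanged context line in both @@ -38,8 +38,11 @@ hunks), and periodic.conf.5 still describes the check as covering "the previous day". Run weekly, these two checks would look at one day out of seven. Either derive the window from how the script was invoked or state in the manual page that these checks are only meaningful on a daily schedule.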
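Review bot: the security.functions hunk passes the old name to the helper (daily_security_var_compat daily_status_security_logdir) where every other caller passes the new security_status_* name, and the LOG="${daily_status_security_logdir}" line under it is left as is. With the default now defined only as security_status_logdir, LOG is empty here unless the deprecated variable happens to be set. Call the helper with security_status_logdir and set LOG from that variable.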
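Review bot: the etc/periodic/weekly/Makefile hunk adds 450.status-security to FILES, but the diff contains no etc/periodic/weekly/450.status-security, so there is nothing to install and no way to review how weekly_status_security_enable is honoured. Include the new script in the patch.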
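Review bot: the periodic.conf.5 hunk at @@ -450,7 +450,7 @@ should not rename the .It Va daily_status_security_enable entry to security_status_enable. The cover mail keeps daily_status_security_enable as the knob to set to NO, the new weekly entry refers to .Va daily_status_security_enable, and nothing in etc/defaults/periodic.conf defines security_status_enable. Leave this entry's name unchanged.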
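Review bot: the sentence added in the periodic.conf.5 hunks at @@ -462,46 +462,48 @@ and @@ -709,6 +711,23 @@, "It makes to sense to be enabled along with", presumably should read "It makes no sense", and is clearer as "Enabling this together with ... makes no sense." The surrounding entries also still say "previous day's values" and "since yesterday's check", which is no longer accurate once the same scripts can run weekly; reword them to "the previous run".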
From: Dmitry Sivachenko
To: hackers@freebsd.org
Subject: About CPU cores numbering an processor affinity
Message-Id: <1D21F5BC-63CD-4B33-9286-6687E62FDB15@gmail.com>
Date: Fri, 23 Aug 2013 17:23:51 +0400

Hello!

I am using FreeBSD-9-STABLE on the following hardware:

FreeBSD/SMP: Multiprocessor System Detected: 24 CPUs
FreeBSD/SMP: 2 package(s) x 6 core(s) x 2 SMT threads

So I have 2 physical CPUs with 6 cores each.

# cpuset -g
pid -1 mask: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23

So each of 24 cores are numbered 0..23.

1) In what particular order are these cores numbered? Can I assume that
0..11 correspond to 1st physical CPU and 12..23 to second? How SMT
threads are numbered within each core?

2) This machine has Intel network adapter (em driver). I want to pin
network interrupt thread and proxy software to the same processor so
they share at least L2 or L3 cache. How can I do this?

From the one hand, I see the following processes:

11 root -92 - 0K 720K WAIT 19 146:38 0.00% intr{irq260: em1:rx 0}
11 root -92 - 0K 720K WAIT 19 15:11 0.00% intr{irq261: em1:tx 0}

From the other hand, the following processes seem to be unrelated to
network but they share same PID:

11 root -60 - 0K 720K WAIT 1 131:20 0.00% intr{swi4: clock}
11 root -88 - 0K 720K WAIT 17 40:03 0.00% intr{irq263: ahci0}
11 root -72 - 0K 720K WAIT 22 17:35 0.00% intr{swi1: netisr 0}
11 root -88 - 0K 720K WAIT 3 3:08 0.00% intr{irq256: mfi0}

Should I use "-x" option of cpuset for that purpose (to bind irq 260 and
261 in my example)?

Thanks in advance!

From owner-freebsd-hackers@FreeBSD.ORG Fri Aug 23 18:44:52 2013
Message-ID: <5217AD9E.1000100@bluerosetech.com>
Date: Fri, 23 Aug 2013 14:44:46 -0400
From: Darren Pilgrim
To: freebsd-hackers@freebsd.org
Subject: Re: weekly periodic security status
References: <20130822204958.GC24767@caravan.chchile.org>
In-Reply-To: <20130822204958.GC24767@caravan.chchile.org>

Thank you for this, but if I may make one suggestion: don't combine all
the security report settings--keep both daily_* and weekly_*. This makes
possible running some security tasks on a daily basis and others on a
weekly basis. For example, daily pkg/portaudit checks, but weekly
filesystem scans.

From owner-freebsd-hackers@FreeBSD.ORG Fri Aug 23 21:08:12 2013
Date: Fri, 23 Aug 2013 17:08:11 -0400
Subject: mpx on laptop produces pointer but does not show usb mouse
From: Super Bisquit
To: FreeBSD Hackers

Says right there.
http://alec.mooo.com/mpx.html
Followed the instructions in the link.
Second part will have more info.
Thanks much and apologies.

From owner-freebsd-hackers@FreeBSD.ORG Sat Aug 24 04:36:18 2013
In-Reply-To: <5217AD9E.1000100@bluerosetech.com>
References: <20130822204958.GC24767@caravan.chchile.org> <5217AD9E.1000100@bluerosetech.com>
From: Royce Williams
Date: Fri, 23 Aug 2013 20:35:55 -0800
Subject: Re: weekly periodic security status
To: Darren Pilgrim
Cc: FreeBSD Hackers

On Fri, Aug 23, 2013 at 10:44 AM, Darren Pilgrim <list_freebsd@bluerosetech.com> wrote:

> Thank you for this, but if I may make one suggestion: don't combine all
> the security report settings--keep both daily_* and weekly_*. This makes
> possible running some security tasks on a daily basis and others on a
> weekly basis. For example, daily pkg/portaudit checks, but weekly
> filesystem scans.
>

Agreed. I welcome and would use the weekly option at this level of
granularity, but would like to retain daily for many checks, and so would
not use weekly if it was an all-or-nothing option.

Royce

From owner-freebsd-hackers@FreeBSD.ORG Sat Aug 24 13:38:20 2013
Date: Sat, 24 Aug 2013 14:38:15 +0100
From: RW
To: freebsd-hackers@freebsd.org
Subject: Re: weekly periodic security status
Message-ID: <20130824143815.39ea88f3@gumby.homeunix.com>
In-Reply-To: <20130822204958.GC24767@caravan.chchile.org>
References: <20130822204958.GC24767@caravan.chchile.org>

On Thu, 22 Aug 2013 22:49:58 +0200
Jeremie Le Hen wrote:

> Hi,
>
> I plan to commit the attached patch. This allows to turn the daily
> security checks into weekly checks. You do this by adding the
> following to periodic.conf(5):
>
>     daily_status_security_enable=NO
>     weekly_status_security_enable=YES
>
> All other $daily_status_security_whatever variables will be renamed to
> $security_status_whatever. The old variable name is supported but
> prints a warning.

All daily_status_security_enable does is control whether the security
scripts are run from daily, but security is a periodic directory in its
own right.

You can simply set daily_status_security_enable=NO and put a
separate security entry in crontab (or anacrontab). You can also
symlink the lightweight security scripts in a separate directory and
run those on all, or some, of the days you don't run the full security
pass.

In short the current support is more powerful and flexible than
anything suggested in this thread so far.

From owner-freebsd-hackers@FreeBSD.ORG Sat Aug 24 14:42:27 2013
From: Eitan Adler
Date: Sat, 24 Aug 2013 10:41:56 -0400
Subject: Re: weekly periodic security status
To: FreeBSD Hackers
In-Reply-To: <20130822204958.GC24767@caravan.chchile.org>
References: <20130822204958.GC24767@caravan.chchile.org>

On Thu, Aug 22, 2013 at 4:49 PM, Jeremie Le Hen wrote:
> Well, whatever, if you have any concerns, objections or comments, please
> speak now :).

This LGTM but please include a comment above the warning with a date /
release number when this compatibility can be removed.

-- 
Eitan Adler

From owner-freebsd-hackers@FreeBSD.ORG Sat Aug 24 16:57:12 2013
Date: Sat, 24 Aug 2013 18:57:04 +0200
From: Jeremie Le Hen
To: Royce Williams
Cc: FreeBSD Hackers, Darren Pilgrim
Subject: Re: weekly periodic security status
Message-ID: <20130824165704.GD24767@caravan.chchile.org>
References: <20130822204958.GC24767@caravan.chchile.org> <5217AD9E.1000100@bluerosetech.com>

On Fri, Aug 23, 2013 at 08:35:55PM -0800, Royce Williams wrote:
> On Fri, Aug 23, 2013 at 10:44 AM, Darren Pilgrim <list_freebsd@bluerosetech.com> wrote:
>
> > Thank you for this, but if I may make one suggestion: don't combine all
> > the security report settings--keep both daily_* and weekly_*. This makes
> > possible running some security tasks on a daily basis and others on a
> > weekly basis. For example, daily pkg/portaudit checks, but weekly
> > filesystem scans.
>
> Agreed. I welcome and would use the weekly option at this level of
> granularity, but would like to retain daily for many checks, and so would
> not use weekly if it was an all-or-nothing option.

Sounds like a good idea. However I don't know how to implement this
because, in the current state of the periodic security scripts, there is
no way to know whether a script had been called from daily or weekly
periodic scripts, so no way to know which variable to check.

The easy way to work around this would be to declare an environment
variable from 450.status-security, but it sounds like a hackish way
because you create an additional dependency for the periodic security
scripts.

-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.

From owner-freebsd-hackers@FreeBSD.ORG Sat Aug 24 16:59:20 2013
Date: Sat, 24 Aug 2013 18:59:18 +0200
From: Jeremie Le Hen
To: RW
Cc: freebsd-hackers@freebsd.org
Subject: Re: weekly periodic security status
Message-ID: <20130824165918.GE24767@caravan.chchile.org>
In-Reply-To: <20130824143815.39ea88f3@gumby.homeunix.com>
References: <20130822204958.GC24767@caravan.chchile.org> <20130824143815.39ea88f3@gumby.homeunix.com>

On Sat, Aug 24, 2013 at 02:38:15PM +0100, RW wrote:
> On Thu, 22 Aug 2013 22:49:58 +0200
> Jeremie Le Hen wrote:
>
> > Hi,
> >
> > I plan to commit the attached patch. This allows to turn the daily
> > security checks into weekly checks. You do this by adding the
> > following to periodic.conf(5):
> >
> >     daily_status_security_enable=NO
> >     weekly_status_security_enable=YES
> >
> > All other $daily_status_security_whatever variables will be renamed to
> > $security_status_whatever. The old variable name is supported but
> > prints a warning.
>
> All daily_status_security_enable does is control whether the security
> scripts are run from daily, but security is a periodic directory in its
> own right.
>
> You can simply set daily_status_security_enable=NO and put a
> separate security entry in crontab (or anacrontab). You can also
> symlink the lightweight security scripts in a separate directory and
> run those on all, or some, of the days you don't run the full security
> pass.
>
> In short the current support is more powerful and flexible than
> anything suggested in this thread so far.

Nothing of what you say is wrong, but culturally I think it is more
common to configure things with variable assignments in configuration
files a-la rc.conf(5), rather than creating directories and symlinks. I
don't say one or the other is better, it is just a matter of tradition.

-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.

From owner-freebsd-hackers@FreeBSD.ORG Sat Aug 24 20:47:28 2013
Date: Sat, 24 Aug 2013 22:47:25 +0200
From: Jeremie Le Hen
To: Eitan Adler
Cc: FreeBSD Hackers
Subject: Re: weekly periodic security status
Message-ID: <20130824204725.GF24767@caravan.chchile.org>
References: <20130822204958.GC24767@caravan.chchile.org>

On Sat, Aug 24, 2013 at 10:41:56AM -0400, Eitan Adler wrote:
> On Thu, Aug 22, 2013 at 4:49 PM, Jeremie Le Hen wrote:
> > Well, whatever, if you have any concerns, objections or comments, please
> > speak now :).
>
> This LGTM but please include a comment above the warning with a date /
> release number when this compatibility can be removed.

If the old variable names are deprecated in releng/10, they can be
removed in releng/11, can't they?

-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.

From owner-freebsd-hackers@FreeBSD.ORG Sat Aug 24 22:04:08 2013
From: Eitan Adler
Date: Sat, 24 Aug 2013 18:03:37 -0400
Subject: Re: weekly periodic security status
To: Eitan Adler, FreeBSD Hackers
In-Reply-To: <20130824204725.GF24767@caravan.chchile.org>
References: <20130822204958.GC24767@caravan.chchile.org> <20130824204725.GF24767@caravan.chchile.org>

On Sat, Aug 24, 2013 at 4:47 PM, Jeremie Le Hen wrote:
> On Sat, Aug 24, 2013 at 10:41:56AM -0400, Eitan Adler wrote:
>> On Thu, Aug 22, 2013 at 4:49 PM, Jeremie Le Hen wrote:
>> > Well, whatever, if you have any concerns, objections or comments, please
>> > speak now :).
>>
>> This LGTM but please include a comment above the warning with a date /
>> release number when this compatibility can be removed.
>
> If the old variable names are deprecated in releng/10, they can be
> removed in releng/11, can't they?

Yes, and this should be indicated in a comment. When I see
"deprecated" or "old hack" or similar terms in code it takes some
archaeology to figure out when it was added and when it could be
removed. It would be nice to help the future reader a bit.

-- 
Eitan Adler
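
The renamed-variable compatibility with its removal comment, combined with the per-check daily/weekly selection raised earlier in the thread, as an added example that is not the patch under discussion. The function names, the SECURITY_PERIOD environment variable and the daily/weekly/NO value scheme are assumptions made for illustration; chksetuid is used only as a sample check name.

```shell
#!/bin/sh
# Added illustration, not the patch from this thread. The function names and
# the SECURITY_PERIOD variable are hypothetical.

# Map a deprecated $daily_status_security_<name> setting onto
# $security_status_<name> and warn about it on stderr.
# COMPAT: old names deprecated in releng/10; remove this shim in releng/11.
security_var_compat() {
	_new="security_status_$1"
	_old="daily_status_security_$1"
	eval "_oldval=\${$_old-}"
	eval "_newval=\${$_new-}"
	# Nothing to migrate and nothing to warn about.
	[ -n "$_oldval" ] || return 0
	echo "warning: \$$_old is deprecated, use \$$_new" >&2
	# An explicit new-style setting wins over the deprecated one, so a
	# stale line in periodic.conf cannot silently override it.
	[ -n "$_newval" ] || eval "$_new=\$_oldval"
	return 0
}

# Succeed if check $1 should run in the pass named by $SECURITY_PERIOD
# ("daily" or "weekly"; assumed to be exported by the calling wrapper).
# Accepted values: daily, weekly, NO. A legacy YES means daily, and an
# unset variable means the check does not run.
security_check_runs() {
	security_var_compat "${1}_enable"
	eval "_val=\${security_status_${1}_enable-NO}"
	case "$_val" in
	[Yy][Ee][Ss]) _val=daily ;;
	esac
	[ "$_val" = "${SECURITY_PERIOD:-daily}" ]
}
```

A security script would call `security_check_runs chksetuid || exit 0` before doing any work, so a filesystem scan set to weekly is skipped on the daily pass while a daily check still runs.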