Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 31 Mar 2014 21:09:36 +0000 (UTC)
From:      Dru Lavigne <dru@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r44404 - head/en_US.ISO8859-1/books/handbook/security
Message-ID:  <201403312109.s2VL9aKA087253@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: dru
Date: Mon Mar 31 21:09:35 2014
New Revision: 44404
URL: http://svnweb.freebsd.org/changeset/doc/44404

Log:
  White space fix only. Translators can ignore.
  
  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Mon Mar 31 20:39:26 2014	(r44403)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Mon Mar 31 21:09:35 2014	(r44404)
@@ -2514,12 +2514,12 @@ racoon_enable="yes"</programlisting>
       compatible with both <acronym>SSH</acronym> version 1 and 2
       protocols.</para>
 
-      <para>When data is sent over the network in an unencrypted form,
-	network sniffers anywhere in between the client and server
-	can steal user/password information or data transferred
-	during the session.  <application>OpenSSH</application> offers
-	a variety of authentication and encryption methods to prevent
-	this from happening.</para>
+    <para>When data is sent over the network in an unencrypted form,
+      network sniffers anywhere in between the client and server can
+      steal user/password information or data transferred during the
+      session.  <application>OpenSSH</application> offers a variety of
+      authentication and encryption methods to prevent this from
+      happening.</para>
 
     <sect2>
       <title>Using the SSH Client Utilities</title>
@@ -2587,14 +2587,14 @@ COPYRIGHT            100% |*************
 	arguments takes the form
 	<option>user@host:&lt;path_to_remote_file&gt;</option>.</para>
 
-    <sect3 xml:id="security-ssh-keygen">
-      <title>Key-based Authentication</title>
+      <sect3 xml:id="security-ssh-keygen">
+	<title>Key-based Authentication</title>
 
-      <para>Instead of using passwords, &man.ssh-keygen.1; can be used
-	to generate <acronym>DSA</acronym> or <acronym>RSA</acronym>
-	keys to authenticate a user:</para>
+	<para>Instead of using passwords, &man.ssh-keygen.1; can be
+	  used to generate <acronym>DSA</acronym> or
+	  <acronym>RSA</acronym> keys to authenticate a user:</para>
 
-      <screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput>
+	<screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput>
 Generating public/private dsa key pair.
 Enter file in which to save the key (/home/user/.ssh/id_dsa):
 Created directory '/home/user/.ssh'.
@@ -2605,179 +2605,182 @@ Your public key has been saved in /home/
 The key fingerprint is:
 bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com</screen>
 
-      <para>&man.ssh-keygen.1; will create a public and private key
-	pair for use in authentication.  The private key is stored
-	in <filename>~/.ssh/id_dsa</filename> or
-	<filename>~/.ssh/id_rsa</filename>, whereas the public key
-	is stored in <filename>~/.ssh/id_dsa.pub</filename> or
-	<filename>~/.ssh/id_rsa.pub</filename>, respectively for the
-	<acronym>DSA</acronym> and <acronym>RSA</acronym> key types.
-	The public key must be placed in
-	<filename>~/.ssh/authorized_keys</filename> on the
-	remote machine for both <acronym>RSA</acronym> or
-	<acronym>DSA</acronym> keys in order for the setup to
-	work.</para>
-
-      <para>This setup allows connections to the remote machine based
-	upon <acronym>SSH</acronym> keys instead of passwords.</para>
-
-      <warning>
-	<para>Many users believe that keys are secure by design and
-	  will use a key without a passphrase.  This is
-	  <emphasis>dangerous</emphasis> behavior and the method
-	  an administrator may use to verify keys have a passphrase
-	  is to view the key manually.  If the private key file
-	  contains the word <literal>ENCRYPTED</literal> the key
-	  owner is using a passphrase.  While it may still be a weak
-	  passphrase, at least if the system is compromised, access
-	  to other sites will still require some level of password
-	  guessing.  In addition, to better secure end users, the
-	  <literal>from</literal> may be placed in the public key
-	  file.  For example, adding
-	  <literal>from="192.168.10.5</literal> in the front of
-	  <literal>ssh-rsa</literal> or <literal>rsa-dsa</literal>
-	  prefix will only allow that specific user to login from
-	  that host <acronym>IP</acronym>.</para>
-      </warning>
-
-      <warning>
-	<para>The various options and files can be different according
-	  to the <application>OpenSSH</application> version.  To avoid
-	  problems, consult &man.ssh-keygen.1;.</para>
-      </warning>
-
-      <para>If a passphrase is used in &man.ssh-keygen.1;, the user
-	will be prompted for the passphrase each time in order to use
-	the private key.  To load <acronym>SSH</acronym> keys into memory for use,
-	without needing to type the passphrase each time, use
-	&man.ssh-agent.1; and &man.ssh-add.1;.</para>
-
-      <para>Authentication is handled by &man.ssh-agent.1;, using the
-	private key(s) that are loaded into it.  Then,
-	&man.ssh-agent.1; should be used to launch another
-	application.  At the most basic level, it could spawn a shell
-	or a window manager.</para>
-
-      <para>To use &man.ssh-agent.1; in a shell, start it with a shell
-	as an argument.  Next, add the identity by running
-	&man.ssh-add.1; and providing it the passphrase for the
-	private key.  Once these steps have been completed, the user
-	will be able to &man.ssh.1; to any host that has the
-	corresponding public key installed.  For example:</para>
+	<para>&man.ssh-keygen.1; will create a public and private key
+	  pair for use in authentication.  The private key is stored
+	  in <filename>~/.ssh/id_dsa</filename> or
+	  <filename>~/.ssh/id_rsa</filename>, whereas the public key
+	  is stored in <filename>~/.ssh/id_dsa.pub</filename> or
+	  <filename>~/.ssh/id_rsa.pub</filename>, respectively for the
+	  <acronym>DSA</acronym> and <acronym>RSA</acronym> key types.
+	  The public key must be placed in
+	  <filename>~/.ssh/authorized_keys</filename> on the remote
+	  machine for both <acronym>RSA</acronym> or
+	  <acronym>DSA</acronym> keys in order for the setup to
+	  work.</para>
+
+	<para>This setup allows connections to the remote machine
+	  based upon <acronym>SSH</acronym> keys instead of
+	  passwords.</para>
+
+	<warning>
+	  <para>Many users believe that keys are secure by design and
+	    will use a key without a passphrase.  This is
+	    <emphasis>dangerous</emphasis> behavior and the method an
+	    administrator may use to verify keys have a passphrase is
+	    to view the key manually.  If the private key file
+	    contains the word <literal>ENCRYPTED</literal> the key
+	    owner is using a passphrase.  While it may still be a weak
+	    passphrase, at least if the system is compromised, access
+	    to other sites will still require some level of password
+	    guessing.  In addition, to better secure end users, the
+	    <literal>from</literal> may be placed in the public key
+	    file.  For example, adding
+	    <literal>from="192.168.10.5</literal> in the front of
+	    <literal>ssh-rsa</literal> or <literal>rsa-dsa</literal>
+	    prefix will only allow that specific user to login from
+	    that host <acronym>IP</acronym>.</para>
+	</warning>
+
+	<warning>
+	  <para>The various options and files can be different
+	    according to the <application>OpenSSH</application>
+	    version.  To avoid problems, consult
+	    &man.ssh-keygen.1;.</para>
+	</warning>
+
+	<para>If a passphrase is used in &man.ssh-keygen.1;, the user
+	  will be prompted for the passphrase each time in order to
+	  use the private key.  To load <acronym>SSH</acronym> keys
+	  into memory for use, without needing to type the passphrase
+	  each time, use &man.ssh-agent.1; and &man.ssh-add.1;.</para>
+
+	<para>Authentication is handled by &man.ssh-agent.1;, using
+	  the private key(s) that are loaded into it.  Then,
+	  &man.ssh-agent.1; should be used to launch another
+	  application.  At the most basic level, it could spawn a
+	  shell or a window manager.</para>
+
+	<para>To use &man.ssh-agent.1; in a shell, start it with a
+	  shell as an argument.  Next, add the identity by running
+	  &man.ssh-add.1; and providing it the passphrase for the
+	  private key.  Once these steps have been completed, the user
+	  will be able to &man.ssh.1; to any host that has the
+	  corresponding public key installed.  For example:</para>
 
-      <screen>&prompt.user; ssh-agent <replaceable>csh</replaceable>
+	<screen>&prompt.user; ssh-agent <replaceable>csh</replaceable>
 &prompt.user; ssh-add
 Enter passphrase for /home/user/.ssh/id_dsa:
 Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
 &prompt.user;</screen>
 
-      <para>To use &man.ssh-agent.1; in
-	<application>&xorg;</application>, a call to &man.ssh-agent.1;
-	needs to be placed in <filename>~/.xinitrc</filename>.  This
-	provides the &man.ssh-agent.1; services to all programs
-	launched in <application>&xorg;</application>.  An example
-	<filename>~/.xinitrc</filename> might look like
-	this:</para>
-
-      <programlisting>exec ssh-agent <replaceable>startxfce4</replaceable></programlisting>
-
-      <para>This launches &man.ssh-agent.1;, which in turn launches
-	<application>XFCE</application>, every time
-	<application>&xorg;</application> starts.  Once
-	<application>&xorg;</application> has been restarted so that
-	the changes can take effect, run &man.ssh-add.1; to load all
-	of the <acronym>SSH</acronym> keys.</para>
-    </sect3>
+	<para>To use &man.ssh-agent.1; in
+	  <application>&xorg;</application>, a call to
+	  &man.ssh-agent.1; needs to be placed in
+	  <filename>~/.xinitrc</filename>.  This provides the
+	  &man.ssh-agent.1; services to all programs launched in
+	  <application>&xorg;</application>.  An example
+	  <filename>~/.xinitrc</filename> might look like this:</para>
+
+	<programlisting>exec ssh-agent <replaceable>startxfce4</replaceable></programlisting>
+
+	<para>This launches &man.ssh-agent.1;, which in turn launches
+	  <application>XFCE</application>, every time
+	  <application>&xorg;</application> starts.  Once
+	  <application>&xorg;</application> has been restarted so that
+	  the changes can take effect, run &man.ssh-add.1; to load all
+	  of the <acronym>SSH</acronym> keys.</para>
+      </sect3>
 
-    <sect3 xml:id="security-ssh-tunneling">
-      <title><acronym>SSH</acronym> Tunneling</title>
+      <sect3 xml:id="security-ssh-tunneling">
+	<title><acronym>SSH</acronym> Tunneling</title>
 
-      <indexterm>
-	<primary>OpenSSH</primary>
-	<secondary>tunneling</secondary>
-      </indexterm>
+	<indexterm>
+	  <primary>OpenSSH</primary>
+	  <secondary>tunneling</secondary>
+	</indexterm>
+
+	<para><application>OpenSSH</application> has the ability to
+	  create a tunnel to encapsulate another protocol in an
+	  encrypted session.</para>
 
-      <para><application>OpenSSH</application> has the ability to
-	create a tunnel to encapsulate another protocol in an
-	encrypted session.</para>
+	<para>The following command tells &man.ssh.1; to create a
+	  tunnel for &man.telnet.1;:</para>
 
-      <para>The following command tells &man.ssh.1; to create a
-	tunnel for &man.telnet.1;:</para>
-
-      <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput>
+	<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput>
 &prompt.user;</screen>
 
-      <para>This example uses the following options:</para>
+	<para>This example uses the following options:</para>
+
+	<variablelist>
+	  <varlistentry>
+	    <term><option>-2</option></term>
+
+	    <listitem>
+	      <para>Forces &man.ssh.1; to use version 2 to connect to
+		the server.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term><option>-N</option></term>
+
+	    <listitem>
+	      <para>Indicates no command, or tunnel only.  If omitted,
+		&man.ssh.1; initiates a normal session.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term><option>-f</option></term>
+
+	    <listitem>
+	      <para>Forces &man.ssh.1; to run in the
+		background.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term><option>-L</option></term>
+
+	    <listitem>
+	      <para>Indicates a local tunnel in
+		<replaceable>localport:remotehost:remoteport</replaceable>
+		format.</para>
+	    </listitem>
+	  </varlistentry>
+
+	  <varlistentry>
+	    <term><option>user@foo.example.com</option></term>
+
+	    <listitem>
+	      <para>The login name to use on the specified remote
+		<acronym>SSH</acronym> server.</para>
+	    </listitem>
+	  </varlistentry>
+	</variablelist>
+
+	<para>An <acronym>SSH</acronym> tunnel works by creating a
+	  listen socket on <systemitem>localhost</systemitem> on the
+	  specified port.  It then forwards any connections received
+	  on the local host/port via the <acronym>SSH</acronym>
+	  connection to the specified remote host and port.</para>
+
+	<para>In the example, port <replaceable>5023</replaceable> on
+	  <systemitem>localhost</systemitem> is forwarded to port
+	  <replaceable>23</replaceable> on
+	  <systemitem>localhost</systemitem> of the remote machine.
+	  Since <replaceable>23</replaceable> is used by
+	  &man.telnet.1;, this creates an encrypted &man.telnet.1;
+	  session through an <acronym>SSH</acronym> tunnel.</para>
+
+	<para>This can be used to wrap any number of insecure TCP
+	  protocols such as SMTP, POP3, and FTP.</para>
 
-      <variablelist>
-	<varlistentry>
-	  <term><option>-2</option></term>
-
-	  <listitem>
-	    <para>Forces &man.ssh.1; to use version 2 to connect to
-	      the server.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>-N</option></term>
-
-	  <listitem>
-	    <para>Indicates no command, or tunnel only.  If omitted,
-	      &man.ssh.1; initiates a normal session.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>-f</option></term>
-
-	  <listitem>
-	    <para>Forces &man.ssh.1; to run in the background.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>-L</option></term>
-
-	  <listitem>
-	    <para>Indicates a local tunnel in
-	      <replaceable>localport:remotehost:remoteport</replaceable>
-	      format.</para>
-	  </listitem>
-	</varlistentry>
-
-	<varlistentry>
-	  <term><option>user@foo.example.com</option></term>
-
-	  <listitem>
-	    <para>The login name to use on the specified remote
-	      <acronym>SSH</acronym> server.</para>
-	  </listitem>
-	</varlistentry>
-      </variablelist>
-
-      <para>An <acronym>SSH</acronym> tunnel works by creating a
-	listen socket on <systemitem>localhost</systemitem> on the
-	specified port.  It then forwards any connections received on
-	the local host/port via the <acronym>SSH</acronym> connection
-	to the specified remote host and port.</para>
-
-      <para>In the example, port <replaceable>5023</replaceable> on
-	<systemitem>localhost</systemitem> is forwarded to port
-	<replaceable>23</replaceable> on
-	<systemitem>localhost</systemitem> of the remote machine.
-	Since <replaceable>23</replaceable> is used by &man.telnet.1;,
-	this creates an encrypted &man.telnet.1; session through an
-	<acronym>SSH</acronym> tunnel.</para>
-
-      <para>This can be used to wrap any number of insecure TCP
-	protocols such as SMTP, POP3, and FTP.</para>
-
-      <example>
-	<title>Using &man.ssh.1; to Create a Secure Tunnel for
-	  SMTP</title>
+	<example>
+	  <title>Using &man.ssh.1; to Create a Secure Tunnel for
+	    SMTP</title>
 
-	<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5025:localhost:25 user@mailserver.example.com</replaceable></userinput>
+	  <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5025:localhost:25 user@mailserver.example.com</replaceable></userinput>
 user@mailserver.example.com's password: <userinput>*****</userinput>
 &prompt.user; <userinput>telnet localhost 5025</userinput>
 Trying 127.0.0.1...
@@ -2785,14 +2788,15 @@ Connected to localhost.
 Escape character is '^]'.
 220 mailserver.example.com ESMTP</screen>
 
-	<para>This can be used in conjunction with &man.ssh-keygen.1;
-	  and additional user accounts to create a more seamless
-	  <acronym>SSH</acronym> tunneling environment.  Keys can be
-	  used in place of typing a password, and the tunnels can be
-	  run as a separate user.</para>
-      </example>
+	  <para>This can be used in conjunction with
+	    &man.ssh-keygen.1; and additional user accounts to create
+	    a more seamless <acronym>SSH</acronym> tunneling
+	    environment.  Keys can be used in place of typing a
+	    password, and the tunnels can be run as a separate
+	    user.</para>
+	</example>
 
-      <example>
+	<example>
 	  <title>Secure Access of a POP3 Server</title>
 
 	  <para>In this example, there is an <acronym>SSH</acronym>
@@ -2939,11 +2943,10 @@ user@unfirewalled-system.example.org's p
       <primary>ACL</primary>
     </indexterm>
 
-    <para>Access Control Lists (<acronym>ACL</acronym>s)
-      extend the standard &unix; permission model in a &posix;.1e
-      compatible way.  This permits an administrator to
-      take advantage of a more fine-grained permissions
-      model.</para>
+    <para>Access Control Lists (<acronym>ACL</acronym>s) extend the
+      standard &unix; permission model in a &posix;.1e compatible way.
+      This permits an administrator to take advantage of a more
+      fine-grained permissions model.</para>
 
     <para>The &os; <filename>GENERIC</filename> kernel provides
       <acronym>ACL</acronym> support for <acronym>UFS</acronym> file
@@ -2956,78 +2959,76 @@ user@unfirewalled-system.example.org's p
     <para>If this option is not compiled in, a warning message will be
       displayed when attempting to mount a file system with
       <acronym>ACL</acronym> support.  <acronym>ACL</acronym>s rely on
-      extended attributes which
-      are natively supported in
+      extended attributes which are natively supported in
       <acronym>UFS2</acronym>.</para>
 
     <para>This chapter describes how to enable
       <acronym>ACL</acronym> support and provides some usage
       examples.</para>
 
-   <sect2>
-     <title>Enabling <acronym>ACL</acronym> Support</title>
+    <sect2>
+      <title>Enabling <acronym>ACL</acronym> Support</title>
 
-    <para><acronym>ACL</acronym>s are enabled by the mount-time
-      administrative flag, <option>acls</option>, which may be added
-      to <filename>/etc/fstab</filename>.  The mount-time flag can
-      also be automatically set in a persistent manner using
-      &man.tunefs.8; to modify a superblock <acronym>ACL</acronym>s
-      flag in the file system header.  In general, it is preferred
-      to use the superblock flag for several reasons:</para>
-
-    <itemizedlist>
-      <listitem>
-	<para>The superblock flag cannot be
-	  changed by a remount using <option>mount -u</option> as it
-	  requires a complete <command>umount</command> and fresh <command>mount</command>.
-	  This means that <acronym>ACL</acronym>s cannot be enabled on
-	  the root file system after boot.  It also means that
-	  <acronym>ACL</acronym> support on
-	  a file system cannot be changed while the system is in
-	  use.</para>
-      </listitem>
-
-      <listitem>
-	<para>Setting the superblock flag causes the file system
-	  to always be mounted with <acronym>ACL</acronym>s enabled,
-	  even if there is not an <filename>fstab</filename> entry
-	  or if the devices re-order.  This prevents accidental
-	  mounting of the file system without <acronym>ACL</acronym>
-	  support.</para>
-      </listitem>
-    </itemizedlist>
+      <para><acronym>ACL</acronym>s are enabled by the mount-time
+	administrative flag, <option>acls</option>, which may be added
+	to <filename>/etc/fstab</filename>.  The mount-time flag can
+	also be automatically set in a persistent manner using
+	&man.tunefs.8; to modify a superblock <acronym>ACL</acronym>s
+	flag in the file system header.  In general, it is preferred
+	to use the superblock flag for several reasons:</para>
 
-    <note>
-      <para>It is desirable to discourage accidental mounting without
-	<acronym>ACL</acronym>s enabled because nasty things can
-	happen if <acronym>ACL</acronym>s are enabled, then disabled,
-	then re-enabled without flushing the extended attributes.  In
-	general, once <acronym>ACL</acronym>s are enabled on a
-	file system, they should not be disabled, as the resulting file
-	protections may not be compatible with those intended by the
-	users of the system, and re-enabling <acronym>ACL</acronym>s
-	may re-attach the previous <acronym>ACL</acronym>s to files
-	that have since had their permissions changed, resulting in
-	unpredictable behavior.</para>
-    </note>
+      <itemizedlist>
+	<listitem>
+	  <para>The superblock flag cannot be changed by a remount
+	    using <option>mount -u</option> as it requires a complete
+	    <command>umount</command> and fresh
+	    <command>mount</command>.  This means that
+	    <acronym>ACL</acronym>s cannot be enabled on the root file
+	    system after boot.  It also means that
+	    <acronym>ACL</acronym> support on a file system cannot be
+	    changed while the system is in use.</para>
+	</listitem>
 
-    <para>File systems with <acronym>ACL</acronym>s enabled will
-      show a plus (<literal>+</literal>) sign in their permission
-      settings:</para>
+	<listitem>
+	  <para>Setting the superblock flag causes the file system to
+	    always be mounted with <acronym>ACL</acronym>s enabled,
+	    even if there is not an <filename>fstab</filename> entry
+	    or if the devices re-order.  This prevents accidental
+	    mounting of the file system without <acronym>ACL</acronym>
+	    support.</para>
+	</listitem>
+      </itemizedlist>
 
-    <programlisting>drwx------  2 robert  robert  512 Dec 27 11:54 private
+      <note>
+	<para>It is desirable to discourage accidental mounting
+	  without <acronym>ACL</acronym>s enabled because nasty things
+	  can happen if <acronym>ACL</acronym>s are enabled, then
+	  disabled, then re-enabled without flushing the extended
+	  attributes.  In general, once <acronym>ACL</acronym>s are
+	  enabled on a file system, they should not be disabled, as
+	  the resulting file protections may not be compatible with
+	  those intended by the users of the system, and re-enabling
+	  <acronym>ACL</acronym>s may re-attach the previous
+	  <acronym>ACL</acronym>s to files that have since had their
+	  permissions changed, resulting in unpredictable
+	  behavior.</para>
+      </note>
+
+      <para>File systems with <acronym>ACL</acronym>s enabled will
+	show a plus (<literal>+</literal>) sign in their permission
+	settings:</para>
+
+      <programlisting>drwx------  2 robert  robert  512 Dec 27 11:54 private
 drwxrwx---+ 2 robert  robert  512 Dec 23 10:57 directory1
 drwxrwx---+ 2 robert  robert  512 Dec 22 10:20 directory2
 drwxrwx---+ 2 robert  robert  512 Dec 27 11:57 directory3
 drwxr-xr-x  2 robert  robert  512 Nov 10 11:54 public_html</programlisting>
 
-    <para>In this example,
-      <filename>directory1</filename>,
-      <filename>directory2</filename>, and
-      <filename>directory3</filename>
-      are all taking advantage of <acronym>ACL</acronym>s, whereas
-      <filename>public_html</filename>
-      is not.</para>
+      <para>In this example, <filename>directory1</filename>,
+	<filename>directory2</filename>, and
+	<filename>directory3</filename> are all taking advantage of
+	<acronym>ACL</acronym>s, whereas
+	<filename>public_html</filename> is not.</para>
     </sect2>
 
     <sect2>
@@ -3047,11 +3048,11 @@ drwxr-xr-x  2 robert  robert  512 Nov 10
 	other::r--</screen>
 
       <para>To change the <acronym>ACL</acronym> settings on this
-	file, use <command>setfacl</command>.  To remove all of the currently defined
-	<acronym>ACL</acronym>s from a file or file system, include
-	<option>-k</option>.  However, the preferred method is to use
-	<option>-b</option> as it leaves the basic fields required
-	for <acronym>ACL</acronym>s to work.</para>
+	file, use <command>setfacl</command>.  To remove all of the
+	currently defined <acronym>ACL</acronym>s from a file or file
+	system, include <option>-k</option>.  However, the preferred
+	method is to use <option>-b</option> as it leaves the basic
+	fields required for <acronym>ACL</acronym>s to work.</para>
 
       <screen>&prompt.user; <userinput>setfacl -k test</userinput></screen>
 
@@ -3060,12 +3061,12 @@ drwxr-xr-x  2 robert  robert  512 Nov 10
 
       <screen>&prompt.user; <userinput>setfacl -m u:trhodes:rwx,group:web:r--,o::--- test</userinput></screen>
 
-      <para>In this example, there were no
-	pre-defined entries, as they were removed by the previous
-	command.  This command restores the default options and assigns the
-	options listed.  If a user or group is added which does not
-	exist on the system, an <errorname>Invalid
-	  argument</errorname> error will be displayed.</para>
+      <para>In this example, there were no pre-defined entries, as
+	they were removed by the previous command.  This command
+	restores the default options and assigns the options listed.
+	If a user or group is added which does not exist on the
+	system, an <errorname>Invalid argument</errorname> error will
+	be displayed.</para>
 
       <para>Refer to &man.getfacl.1; and &man.setfacl.1; for more
 	information about the options available for these
@@ -3494,13 +3495,13 @@ UWWemqWuz3lAZuORQ9KX
       their allocation among users, provide for system monitoring,
       and minimally track a user's commands.</para>
 
-    <para>Process accounting has both positive and negative points.  One
-      of the positives is that an intrusion may be narrowed down to
-      the point of entry.  A negative is the amount of logs
+    <para>Process accounting has both positive and negative points.
+      One of the positives is that an intrusion may be narrowed down
+      to the point of entry.  A negative is the amount of logs
       generated by process accounting, and the disk space they may
-      require.  This section walks an administrator through the
-      basics of process accounting.</para>
-      
+      require.  This section walks an administrator through the basics
+      of process accounting.</para>
+
     <note>
       <para>If more fine-grained accounting is needed, refer to
 	<xref linkend="audit"/>.</para>
@@ -3520,16 +3521,16 @@ UWWemqWuz3lAZuORQ9KX
       <para>Once enabled, accounting will begin to track information
 	such as <acronym>CPU</acronym> statistics and executed
 	commands.  All accounting logs are in a non-human readable
-	format which can be viewed using <command>sa</command>.  If issued
-	without any options, <command>sa</command> prints information relating to
-	the number of per-user calls, the total elapsed time in
-	minutes, total <acronym>CPU</acronym> and user time in
-	minutes, and the average number of <acronym>I/O</acronym> operations.  Refer to
-	&man.sa.8; for the list of available options which control the
-	output.</para>
+	format which can be viewed using <command>sa</command>.  If
+	issued without any options, <command>sa</command> prints
+	information relating to the number of per-user calls, the
+	total elapsed time in minutes, total <acronym>CPU</acronym>
+	and user time in minutes, and the average number of
+	<acronym>I/O</acronym> operations.  Refer to &man.sa.8; for
+	the list of available options which control the output.</para>
 
-      <para>To display the commands issued
-	by users, use <command>lastcomm</command>.  For example, this command
+      <para>To display the commands issued by users, use
+	<command>lastcomm</command>.  For example, this command
 	prints out all usage of <command>ls</command> by <systemitem
 	  class="username">trhodes</systemitem> on the
 	<literal>ttyp1</literal> terminal:</para>
@@ -3559,102 +3560,96 @@ UWWemqWuz3lAZuORQ9KX
       controlled through a flat file,
       <filename>/etc/login.conf</filename>.  While this method
       is still supported, any changes require a multi-step process of
-      editing this file in order to divide users into various group labels known as classes,
-      rebuilding the resource database using
-      <command>cap_mkdb</command>, making necessary changes
-      to <filename>/etc/master.passwd</filename>, and rebuilding
-      the password database using
-      <command>pwd_mkdb</command>.  This  could be
-      time consuming, depending upon the number of users to
+      editing this file in order to divide users into various group
+      labels known as classes, rebuilding the resource database using
+      <command>cap_mkdb</command>, making necessary changes to
+      <filename>/etc/master.passwd</filename>, and rebuilding the
+      password database using <command>pwd_mkdb</command>.  This
+      could be time consuming, depending upon the number of users to
       configure.</para>
 
     <para>Beginning with &os;&nbsp;9.0-RELEASE,
-      <command>rctl</command> can be used to provide a more fine-grained
-      method of controlling resources limits for users.  This
-      command supports much more than users as it can be used to set
-      resource constraints on processes, jails, and the original login
-      class.  These advanced features provide administrators and users
-      with methods to control resources through the command line and
-      to set rules on system initialization using a configuration
+      <command>rctl</command> can be used to provide a more
+      fine-grained method of controlling resources limits for users.
+      This command supports much more than users as it can be used to
+      set resource constraints on processes, jails, and the original
+      login class.  These advanced features provide administrators and
+      users with methods to control resources through the command line
+      and to set rules on system initialization using a configuration
       file.</para>
 
-   <sect2>
-     <title>Enabling and Configuring Resource Limits</title>
+    <sect2>
+      <title>Enabling and Configuring Resource Limits</title>
 
-     <para>By default, kernel support for <command>rctl</command> is
-       not built-in, meaning that the kernel will first need to be
-       recompiled using the instructions in <xref
-	linkend="kernelconfig"/>.  Add these lines to either
-      <filename>GENERIC</filename> or a custom kernel
-      configuration file, then rebuild the kernel:</para>
+      <para>By default, kernel support for <command>rctl</command> is
+	not built-in, meaning that the kernel will first need to be
+	recompiled using the instructions in <xref
+	  linkend="kernelconfig"/>.  Add these lines to either
+	<filename>GENERIC</filename> or a custom kernel configuration
+	file, then rebuild the kernel:</para>
 
-    <programlisting>options         RACCT
+      <programlisting>options         RACCT
 options         RCTL</programlisting>
 
-    <para>Once the system has rebooted into the new kernel,
-      <command>rctl</command> may be used to set rules for the
-      system.</para>
-
-    <para>Rule syntax is controlled through the use of
-      a subject,
-      subject-id, resource,
-      and action, as seen in this example
-      rule:</para>
-
-    <programlisting>user:trhodes:maxproc:deny=10/user</programlisting>
-
-    <para>In this rule, the subject
-      is <literal>user</literal>, the subject-id is
-      <literal>trhodes</literal>, the resource,
-      <literal>maxproc</literal>, is the maximum
-      number of processes, and the
-      action is <literal>deny</literal>, which blocks any
-      new processes from being created.  This means that the
-      user, <literal>trhodes</literal>, will be constrained to no greater than
-      <literal>10</literal> processes.  Other possible
-      actions include logging to the console, passing a
-      notification to &man.devd.8;, or sending a sigterm to the
-      process.</para>
-
-    <para>Some care must be taken when adding rules.  Since this user
-      is constrained to <literal>10</literal> processes, this example
-      will prevent the user from performing other
-      tasks after logging in and executing a
-      <command>screen</command> session.  Once a resource limit has
-      been hit, an error will be printed, as in this example:</para>
+      <para>Once the system has rebooted into the new kernel,
+	<command>rctl</command> may be used to set rules for the
+	system.</para>
+
+      <para>Rule syntax is controlled through the use of a subject,
+	subject-id, resource, and action, as seen in this example
+	rule:</para>
+
+      <programlisting>user:trhodes:maxproc:deny=10/user</programlisting>
+
+      <para>In this rule, the subject is <literal>user</literal>, the
+	subject-id is <literal>trhodes</literal>, the resource,
+	<literal>maxproc</literal>, is the maximum number of
+	processes, and the action is <literal>deny</literal>, which
+	blocks any new processes from being created.  This means that
+	the user, <literal>trhodes</literal>, will be constrained to
+	no greater than <literal>10</literal> processes.  Other
+	possible actions include logging to the console, passing a
+	notification to &man.devd.8;, or sending a sigterm to the
+	process.</para>
+
+      <para>Some care must be taken when adding rules.  Since this
+	user is constrained to <literal>10</literal> processes, this
+	example will prevent the user from performing other tasks
+	after logging in and executing a
+	<command>screen</command> session.  Once a resource limit has
+	been hit, an error will be printed, as in this example:</para>
 
-    <screen>&prompt.user; <userinput>man test</userinput>
+      <screen>&prompt.user; <userinput>man test</userinput>
     /usr/bin/man: Cannot fork: Resource temporarily unavailable
 eval: Cannot fork: Resource temporarily unavailable</screen>
 
-    <para>As another example,
-      a jail can be prevented from exceeding a memory limit.  This rule could be
-      written as:</para>
-
-    <screen>&prompt.root; <userinput>rctl -a jail:httpd:memoryuse:deny=2G/jail</userinput></screen>
-
-    <para>Rules will persist across reboots if they have been
-      added to <filename>/etc/rctl.conf</filename>.  The format is a
-      rule, without the preceding command.  For example, the previous
-      rule could be added as:</para>
+      <para>As another example, a jail can be prevented from exceeding
+	a memory limit.  This rule could be written as:</para>
+
+      <screen>&prompt.root; <userinput>rctl -a jail:httpd:memoryuse:deny=2G/jail</userinput></screen>
+
+      <para>Rules will persist across reboots if they have been added
+	to <filename>/etc/rctl.conf</filename>.  The format is a rule,
+	without the preceding command.  For example, the previous rule
+	could be added as:</para>
 
-    <programlisting># Block jail from using more than 2G memory:
+      <programlisting># Block jail from using more than 2G memory:
 jail:httpd:memoryuse:deny=2G/jail</programlisting>
 
-    <para>To remove a rule, use <command>rctl</command> to
-      remove it from the list:</para>
+      <para>To remove a rule, use <command>rctl</command> to remove it
+	from the list:</para>
 
-    <screen>&prompt.root; <userinput>rctl -r user:trhodes:maxproc:deny=10/user</userinput></screen>
+      <screen>&prompt.root; <userinput>rctl -r user:trhodes:maxproc:deny=10/user</userinput></screen>
 
-    <para>A method for removing all rules is documented in &man.rctl.8;.
-      However, if removing all rules for a single user is required,
-      this command may be issued:</para>
+      <para>A method for removing all rules is documented in
+	&man.rctl.8;.  However, if removing all rules for a single
+	user is required, this command may be issued:</para>
 
-    <screen>&prompt.root; <userinput>rctl -r user:trhodes</userinput></screen>
+      <screen>&prompt.root; <userinput>rctl -r user:trhodes</userinput></screen>
 
-    <para>Many other resources exist which can be used to exert
-      additional control over various <literal>subjects</literal>.
-      See &man.rctl.8; to learn about them.</para>
+      <para>Many other resources exist which can be used to exert
+	additional control over various <literal>subjects</literal>.
+	See &man.rctl.8; to learn about them.</para>
     </sect2>
   </sect1>
 </chapter>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201403312109.s2VL9aKA087253>