manipulating tape drives -> means gid operator on device nodes). This group
is also used with group-access bit on the setuid-root shutdown command
(mode ug+x,u+s). Some people use this to shutdown/reboot their machines, but
use of that group is giving them disk read access also, which is wrong.
It would be a pain to re-gid all the device nodes, so instead let's renumber
the operator execution gid into group "_shutdown".
Users using this shutdown/reboot functionality will notice it no longer works,
and move themselves to the correct group.
Various choices discussed at large, this seems our best choice.
ok sthen
for https (HTTP/3 over QUIC). Add it to /etc/services so that it's included
when /etc/rc populates sysctl net.inet.udp.baddynamic.
suggested by Renauld Allard, ok tb@
While florian rightly points out that this is likely to be overlooked, it
may help someone. Also doesn't affect the adjust-config-with-sed-ability
of the example file after input by a few.
no objection florian
ok espie millert
we are running netstart, and then load the pf.conf ruleset after all of the
interfaces are loaded.
Allow in and out IPv6 neighbor advertisement traffic without state during
that time.
suggestions/OK from saschan@
OK sthen@ kn@ florian@ deraadt@
of pinsyscall(2) policy. Report such findings in daily mail like
other security violations. User has to turn on accounting=YES in
rc.conf.local to utilize this feature.
OK deraadt@
- show a demo of a strong random string for psk, for some types of
configuration psk makes sense. the previous example hinted at.not
using it.
- change the EAP MSCHAPv2 example so that more than one client can
connect (previous used address config but with only a single address not
a pool), and use the newer keywords to show how to route all traffic
from dynamic-ip clients over the tunnel
ok tobhe@
While netstart is busy setting up the network and waiting for a
default route we can already start with reordering libraries since
this does not depend on running network, speeding things up.
Idea & input deraadt
Input & OK kn
vifscreate() always creates all virtual interfaces up-front.
To check whether a given interface exists, ifstart() uses ifcreate()
which tries to create nonexistent ones.
Virtual ones are guaranteed to be present and physical ones cannot be
created, so replace the ifcreate() call with a simpler ifconfig test and
clarify the comment.
OK martijn afresh1
When booting from slow media, the boot can appear to stall at the
"reordering libs" line for quite some time. For my example, my G4
PowerMac booting from USB 1.1 takes a full minute to reorder the
libraries.
Let's print the name of each library before it is relinked. This
gives the operator a better sense of what the machine is doing. In
particular, it signals to the operator that the machine did not hang.
With input from kn@, deraadt@. Positive feedback from sthen@.
Link: https://marc.info/?l=openbsd-tech&m=165914104421476&w=2
ok kn@
