Re: how to make a etc/rc.d start at boot time
2013/8/11 Aryeh Friedman :
> -- Forwarded message --
> From: Aryeh Friedman
> Date: Sun, Aug 11, 2013 at 2:07 AM
> Subject: Re: how to make a etc/rc.d start at boot time
> To: Rui Paulo
>
>
> #!/bin/sh
> #
> # Start/stop XXX at boot time
> #
> # Copyright (C) 2013 XXX
>
> . /etc/rc.subr
>
> name="XXX"
> rcvar=XXX_enable
> pidfile="/var/run/rXXX.pid"
> start_cmd="${name}_start"
> stop_cmd=":"
>
> XXX_start() {
>     echo "$name started."
>     /usr/local/openjdk6/bin/java -cp \
>         /usr/local/share/XXX/XXX.jar \
>         XXX.yyy \
>         /usr/local/etc/XXX/YYY &
> }

You don't need to overwrite start_cmd

java_command="%%LOCALBASE%%/bin/java"
XXX_classpath="/usr/local/share/XXX/XXX.jar"
XXX_start_cmd="${java_command} -cp ${XXX_classpath} ..."
command="/usr/sbin/daemon"
flags="-p ${pidfile} ${XXX_start_cmd}"

>
> load_rc_config $name

This has to come earlier in the script.
See : http://www.freebsd.org/doc/en/books/porters-handbook/rc-scripts.html

Joris

>
> run_rc_command "$1"
>
>
> On Sun, Aug 11, 2013 at 1:37 AM, Rui Paulo wrote:
>> On 10 Aug 2013, at 22:31, Aryeh Friedman wrote:
>>
>>> I am creating a port for something that needs to start a daemon at
>>> boot time. I have it so I can call onestart on it but XXX_enable="YES"
>>> in /etc/rc.conf fails to load it, i.e.
>>>
>>>
>>> /usr/local/etc/rc.d/XXX onestart -- works
>>> XXX_enable="YES" -- fails
>>
>> Please post your script.
>>
>> --
>> Rui Paulo

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
Re: rtld and noexec
2011/12/2 Alexander Kabaev :
> On Fri, 2 Dec 2011 18:22:57 +0100
> joris dedieu wrote:
>
>> Hi,
>>
>> Here is a patch I use to prevent loading a shared object from a noexec
>> mountpoint. It's an easy way, I found, after the last root exploit
>> (http://seclists.org/fulldisclosure/2011/Nov/452), to enhance the
>> security of my web servers (with /home, /tmp and /var/tmp mounted with
>> noexec).
>>
>> - the last ftpd/proftpd (libc ?) exploit does not work (indirect use
>> of rtld via nsswitch)
>> - the previous rtld security issue should have been more difficult to
>> use in a noexec context.
>> - It may help to prevent some miscellaneous usage of common software
>> using dlopen like apache or php.
>>
>> I think it also makes sense because loading a shared object sounds like
>> a kind of "execution".
>>
>> What do you think about this patch and the opportunity to open a PR on
>> this subject?
>>
>> Cheers
>> Joris
>>
>>
>> --- libexec/rtld-elf/rtld.c.orig 2011-12-02 12:09:40.0
>> +0100 +++ libexec/rtld-elf/rtld.c 2011-12-02 13:45:18.0
>> +0100
@@ -1123,32 +1123,50 @@ >> { >> char *pathname; >> char *name; >> + struct statfs mnt; >> >> if (strchr(xname, '/') != NULL) { /* Hard coded pathname */ >> + name = NULL; >> if (xname[0] != '/' && !trust) { >> _rtld_error("Absolute pathname required for shared object >> \"%s\"", xname); >> return NULL; >> } >> if (refobj != NULL && refobj->z_origin) >> - return origin_subst(xname, refobj->origin_path); >> + pathname = origin_subst(xname, refobj->origin_path); >> else >> - return xstrdup(xname); >> + pathname = xstrdup(xname); >> + } >> + else { /* xname is not a path */ >> + if (libmap_disable || (refobj == NULL) || >> + (name = lm_find(refobj->path, xname)) == NULL) >> + name = (char *)xname; >> + >> + dbg(" Searching for \"%s\"", name); >> + >> + pathname = search_library_path(name, ld_library_path); >> + if (pathname == NULL && refobj != NULL) >> + pathname = search_library_path(name, refobj->rpath); >> + if (pathname == NULL) >> + pathname = search_library_path(name, gethints()); >> + if (pathname == NULL) >> + pathname = search_library_path(name, >> STANDARD_LIBRARY_PATH); >> + } >> + >> + if (pathname != NULL) { /* noexec mountpoint in pathname */ >> + if (statfs(pathname, &mnt) != 0) >> + free(pathname); >> + else { >> + if (mnt.f_flags & MNT_NOEXEC) { >> + _rtld_error("noexec violation for shared object >> \"%s\"", pathname); >> + free(pathname); >> + return NULL; >> + } >> + else >> + return pathname; >> + } >> } >> >> - if (libmap_disable || (refobj == NULL) || >> - (name = lm_find(refobj->path, xname)) == NULL) >> - name = (char *)xname; >> - >> - dbg(" Searching for \"%s\"", name); >> - >> - if ((pathname = search_library_path(name, ld_library_path)) != >> NULL || >> - (refobj != NULL && >> - (pathname = search_library_path(name, refobj->rpath)) != NULL) >> || >> - (pathname = search_library_path(name, gethints())) != NULL || >> - (pathname = search_library_path(name, >> STANDARD_LIBRARY_PATH)) != NULL) >> - return pathname; >> - >> if(refobj != NULL && 
refobj->path != NULL) { >> _rtld_error("Shared object \"%s\" not found, required by >> \"%s\"", name, basename(refobj->path));
>
>
> 1. There is a race using statfs and then loading the file.

I will look at this point. Maybe statfs on the dirname ?

> 2. We already have the check in do_load_object

It doesn't work with dlopen.

mount |grep tank/t
tank/t on /tank/t (zfs, local, noexec, nfsv4acls)

so /tank/t is noexec

Here the powerful libmoo source code :

#include <stdio.h>

void say_moo(void)
{
    printf("mo\n");
}

it's in /tank/t so noexec

ls -l /tank/t/
total 6
-rwxr-xr-x 1 joris jori
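Added example (not from the thread and not Joris's patch): the descriptor-based form of the noexec test next to the path-based form the patch uses, so the race raised above can be seen in code. The MNT_NOEXEC/ST_NOEXEC split between FreeBSD and Linux, the function names and the libmoo scratch file are my assumptions; the scratch file only stands in for a shared object, since only its mount flag is examined.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Mount-flag probes: FreeBSD reports the flag as MNT_NOEXEC via statfs(2)/
 * fstatfs(2) (what the posted patch used); glibc as ST_NOEXEC via statvfs(3). */
#ifdef __FreeBSD__
#include <sys/param.h>
#include <sys/mount.h>
typedef struct statfs mntinfo;
#define MNT_BY_PATH(p, m) statfs((p), (m))
#define MNT_BY_FD(f, m)   fstatfs((f), (m))
#define MNT_IS_NOEXEC(m)  (((m)->f_flags & MNT_NOEXEC) != 0)
#else
#include <sys/statvfs.h>
#ifndef ST_NOEXEC
#define ST_NOEXEC 8       /* glibc only exports it under _GNU_SOURCE; same bit as MS_NOEXEC */
#endif
typedef struct statvfs mntinfo;
#define MNT_BY_PATH(p, m) statvfs((p), (m))
#define MNT_BY_FD(f, m)   fstatvfs((f), (m))
#define MNT_IS_NOEXEC(m)  (((m)->f_flag & ST_NOEXEC) != 0)
#endif

enum so_status { SO_OK = 0, SO_NOEXEC = 1, SO_ERROR = -1 };

/* Path-based check, the shape of the posted patch: ask about the mount by name.
 * Between this call and the open() that follows, the name can be re-pointed
 * (rename, symlink) at a file on another mount, so the verdict need not
 * describe the file that ends up being mapped. */
enum so_status noexec_by_path(const char *path)
{
    mntinfo m;
    if (MNT_BY_PATH(path, &m) != 0)
        return SO_ERROR;
    return MNT_IS_NOEXEC(&m) ? SO_NOEXEC : SO_OK;
}

/* Descriptor-based check: open first, then ask about the mount the open
 * descriptor refers to. The verdict and the object later read through
 * *fd_out are then the same inode, whatever happens to the name. */
enum so_status open_shared_object(const char *path, int *fd_out)
{
    mntinfo m;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return SO_ERROR;
    if (MNT_BY_FD(fd, &m) != 0) {
        int e = errno;
        close(fd);
        errno = e;
        return SO_ERROR;
    }
    if (MNT_IS_NOEXEC(&m)) {
        close(fd);
        errno = EACCES;   /* what execve(2) reports on a noexec mount */
        return SO_NOEXEC;
    }
    *fd_out = fd;
    return SO_OK;
}

/* Self-test helper: create a scratch file under dir (constructed input, not a
 * real shared object; only its mount flag is examined) and report what the
 * descriptor-based check says about it. */
enum so_status probe_scratch_file(const char *dir)
{
    char name[512];
    int fd, sofd = -1;
    enum so_status st;
    snprintf(name, sizeof name, "%s/libmoo-XXXXXX", dir);
    fd = mkstemp(name);
    if (fd < 0)
        return SO_ERROR;
    close(fd);
    st = open_shared_object(name, &sofd);
    if (st == SO_OK)
        close(sofd);
    unlink(name);
    return st;
}

int main(int argc, char **argv)
{
    int fd;
    enum so_status st;
    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/to/object.so\n", argv[0]);
        return 2;
    }
    st = open_shared_object(argv[1], &fd);
    if (st == SO_OK)
        close(fd);
    printf("%s: %s\n", argv[1], st == SO_OK ? "exec allowed on its mount" :
           st == SO_NOEXEC ? "refused, noexec mount" : "error");
    return st == SO_OK ? 0 : 1;
}
```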
rtld and noexec
Hi,

Here is a patch I use to prevent loading a shared object from a noexec
mountpoint. It's an easy way, I found, after the last root exploit
(http://seclists.org/fulldisclosure/2011/Nov/452), to enhance the
security of my web servers (with /home, /tmp and /var/tmp mounted with
noexec).

- the last ftpd/proftpd (libc ?) exploit does not work (indirect use of
rtld via nsswitch)
- the previous rtld security issue should have been more difficult to use
in a noexec context.
- It may help to prevent some miscellaneous usage of common software
using dlopen like apache or php.

I think it also makes sense because loading a shared object sounds like a
kind of "execution".

What do you think about this patch and the opportunity to open a PR on
this subject?

Cheers
Joris

--- libexec/rtld-elf/rtld.c.orig2011-12-02 12:09:40.0 +0100 +++ libexec/rtld-elf/rtld.c 2011-12-02 13:45:18.0 +0100
@@ -1123,32 +1123,50 @@ { char *pathname; char *name; +struct statfs mnt; if (strchr(xname, '/') != NULL) { /* Hard coded pathname */ + name = NULL; if (xname[0] != '/' && !trust) { _rtld_error("Absolute pathname required for shared object \"%s\"", xname); return NULL; } if (refobj != NULL && refobj->z_origin) - return origin_subst(xname, refobj->origin_path); + pathname = origin_subst(xname, refobj->origin_path); else - return xstrdup(xname); + pathname = xstrdup(xname); +} +else { /* xname is not a path */ + if (libmap_disable || (refobj == NULL) || + (name = lm_find(refobj->path, xname)) == NULL) + name = (char *)xname; + + dbg(" Searching for \"%s\"", name); + + pathname = search_library_path(name, ld_library_path); + if (pathname == NULL && refobj != NULL) +pathname = search_library_path(name, refobj->rpath); + if (pathname == NULL) +pathname = search_library_path(name, gethints()); + if (pathname == NULL) +pathname = search_library_path(name, STANDARD_LIBRARY_PATH); +} + +if (pathname != NULL) { /* noexec mountpoint in pathname */ + if (statfs(pathname, &mnt) != 0) +free(pathname); + else { +if (mnt.f_flags & MNT_NOEXEC) { + _rtld_error("noexec violation for shared object \"%s\"", pathname); + free(pathname); + return NULL; +} +else + return pathname; + } } -if (libmap_disable || (refobj == NULL) || - (name = lm_find(refobj->path, xname)) == NULL) - name = (char *)xname; - -dbg(" Searching for \"%s\"", name); - -if ((pathname = search_library_path(name, ld_library_path)) != NULL || - (refobj != NULL && - (pathname = search_library_path(name, refobj->rpath)) != NULL) || - (pathname = search_library_path(name, gethints())) != NULL || - (pathname = search_library_path(name, STANDARD_LIBRARY_PATH)) != NULL) - return pathname; - if(refobj != NULL && refobj->path != NULL) { _rtld_error("Shared object \"%s\" not found, required by \"%s\"", name, basename(refobj->path)); ___ freebsd-hackers@freebsd.org mailing list 
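Review bot: on the hard-coded-pathname branch `name` is set to NULL, and when `statfs()` fails the new block frees `pathname` and falls through to `_rtld_error("Shared object \"%s\" not found, required by \"%s\"", name, basename(refobj->path))`, so rtld formats a NULL string; keep `name = (char *)xname` on that branch (or report `pathname` before freeing it) and report the `statfs()` errno instead of turning a found object into "not found". The check itself runs on the path string while the object is opened afterwards, so the mount the name resolves to can change between the two calls (the race raised in the follow-up); doing the test with `fstatfs()` on the descriptor that `do_load_object()` opens removes that window, and since the follow-up says the existing `do_load_object()` check is missed on the `dlopen()` path, the fd-based test belongs in the open path that both startup loads and `dlopen()` go through.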
Re: Concurrent execution of rc-scripts with rcorder(8)
2011/8/24 Vitaly Magerya :
>> the idea to start services concurrently during boot isn't new and the
>> question why FreeBSD doesn't do it has popped up on the forum and
>> mailing list occasionally. So, why not give it a shot?
>
> As someone who uses FreeBSD on his laptop and is constantly annoyed
> by the lack of suspend-to-disk, every second trimmed off from boot
> time is a win.
>
> In line of the recent FreeBSD problems & solutions discussion, would
> any committer take time to review and commit this? "FreeBSD 9.1
> introduces concurrent startup, improves boot speed" is the kind of
> buzz we're after.
>
>> Any ideas and feedback are very welcome!
>
> One thing to try is to attach a diagnostics feature that will produce
> data about rc script dependencies and execution times, which can
> be used to visualize which scripts take most time, and how to
> reorganize dependencies to improve boot time (one example I noticed
> is moused: it is only started after network is up, which is a shame,
> since it could easily start while DHCP negotiation is in progress).

Perhaps background_dhclient="YES" should solve it ?

I think the background approach (which is the current archlinux one [1])
is not so bad. It's clearly less powerful than automagic parallelization
but it's maybe less invasive and more flexible for sysadmins.

I gave it a try with a little patch for rc.subr that introduces a
background keyword (eg: moused_enable="background"). It's surely buggy
with some variables like rc_quiet. I have to check more.

[1] https://wiki.archlinux.org/index.php/DAEMONS

Joris

--- /etc/rc.subr 2011-05-02 08:49:11.0 +0200 +++ rc.subr 2011-08-25 13:50:29.300275783 +0200
@@ -142,8 +142,9 @@ debug "checkyesno: $1 is set to $_value." case $_value in - # "yes", "true", "on", or "1" - [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) + # "yes", "true", "on", "1", "bg" or "background" + [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1|[Bb][Gg]|\ +[Bb][Aa][Cc][Kk][Gg][Rr][Oo][Uu][Nn][Dd]) return 0 ;; @@ -159,6 +160,25 @@ } # +# checkbg var +# Test $1 variable, and return 0 if it's background or bg. +# Return nonzero otherwise. +# +checkbg() +{ + eval _value=\$${1} + debug "checkbg: $1 is set to $_value." + case $_value in + [Bb][Gg]|[Bb][Aa][Cc][Kk][Gg][Rr][Oo][Uu][Nn][Dd]) + return 0 + ;; + *) + return 1 + ;; + esac +} + +# # reverse_list list # print the list in reverse order # @@ -735,54 +755,11 @@ ;; start) - if [ -z "$rc_fast" -a -n "$rc_pid" ]; then -echo 1>&2 "${name} already running? (pid=$rc_pid)." -return 1 + if checkbg ${rcvar}; then +eval _run_rc_start & + else +_run_rc_start fi - - if [ ! -x ${_chroot}${_chroot:+"/"}${command} ]; then -warn "run_rc_command: cannot run $command" -return 1 - fi - - if ! _run_rc_precmd; then -warn "failed precmd routine for ${name}" -return 1 - fi - - # setup the full command to run - # - check_startmsgs && echo "Starting ${name}." - if [ -n "$_chroot" ]; then -_doit="\ -${_nice:+nice -n $_nice }\ -chroot ${_user:+-u $_user }${_group:+-g $_group }${_groups:+-G $_groups }\ -$_chroot $command $rc_flags $command_args" - else -_doit="\ -${_chdir:+cd $_chdir && }\ -$command $rc_flags $command_args" -if [ -n "$_user" ]; then -_doit="su -m $_user -c 'sh -c \"$_doit\"'" -fi -if [ -n "$_nice" ]; then - if [ -z "$_user" ]; then - _doit="sh -c \"$_doit\"" - fi - _doit="nice -n $_nice $_doit" -fi - fi - - # run the full command - # - if ! _run_rc_doit "$_doit"; then -warn "failed to start ${name}" -return 1 - fi - - # finally, run postcmd - # - _run_rc_postcmd ;; stop) 
@@ -985,6 +962,59 @@ echo "$_cmd" } +_run_rc_start() +{ + if [ -z "$rc_fast" -a -n "$rc_pid" ]; then + echo 1>&2 "${name} already running? (pid=$rc_pid)." + return 1 + fi + + if [ ! -x ${_chroot}${_chroot:+"/"}${command} ]; then + warn "run_rc_command: cannot run $command" + return 1 + fi + + if ! _run_rc_precmd; then + warn "failed precmd routine for ${name}" + return 1 + fi + + # setup the full command to run + # + check_startmsgs && echo "Starting ${name}." + if [ -n "$_chroot" ]; then +_doit="\ +${_nice:+nice -n $_nice }\ +chroot ${_user:+-u $_user }${_group:+-g $_group }${_groups:+-G $_groups }\ +$_chroot $command $rc_flags $command_args" + else +_doit="\ +${_chdir:+cd $_chdir && }\ +$command $rc_flags $command_args" + if [ -n "$_user" ]; then + _doit="su -m $_user -c 'sh -c \"$_doit\"'" + fi + if [ -n "$_nice" ]; then + if [ -z "$_user" ]; then +_doit="sh -c \"$_doit\"" + fi + _doit="nice -n $_nice $_doit" + fi + fi + + # run the full command + # + if ! _run_rc_doit "$_doit"; then + warn
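Review bot: in the `start)` hunk, `eval _run_rc_start &` drops the function's exit status (the `eval` is also unnecessary; `_run_rc_start &` is enough), so a `background` service whose `rc_pid`, `-x ${command}` or `_run_rc_precmd` check fails still returns 0 to /etc/rc, and because /etc/rc moves on at once, scripts that list this one in REQUIRE can run before `_run_rc_doit` and `_run_rc_postcmd` have finished, which is exactly the ordering rcorder(8) was providing; the documentation for the new keyword (rc.subr(8)/rc.conf(5)) should say that `background` trades the REQUIRE guarantee for boot time and is not for services others depend on. In the first hunk, accepting `bg`/`background` in `checkyesno` affects every variable it is applied to, not only `${rcvar}`, so any rc.conf value spelled `bg` now counts as yes; if the `${rcvar}` gate in `run_rc_command` is why `checkyesno` was widened, gating there with `checkyesno ${rcvar} || checkbg ${rcvar}` keeps the new spellings local to `checkbg`. The last hunk (`@@ -985,6 +962,59 @@`) is cut off after `warn` in the posted mail.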
Re: Concurrent execution of rc-scripts with rcorder(8)
2011/8/21 kilian :
> Hello,
>
> the idea to start services concurrently during boot isn't new and the
> question why FreeBSD doesn't do it has popped up on the forum and
> mailing list occasionally. So, why not give it a shot?
>
> rcorder(8) is normally used during boot to bring the rc-scripts into a
> particular order, so when they are executed linearly by /etc/rc, all
> constraints will be satisfied. I modified rcorder(8) to enable it to
> run rc-scripts concurrently, while keeping track of the constraints as
> rc-scripts start and finish. You can find the code at
> https://github.com/kil/rcorder. As it works now, it will fall back to the
> current mode of execution if anything goes wrong. So, if worst comes to
> worst, booting takes a bit longer.
>
> If you feel brave, give it a try (Actually, not too much bravery is needed:
> on all boots of my machine it worked perfectly every time.)
>
> I haven't done any measurements yet on how large the speedup is, but booting
> feels a bit faster with it. Also, there probably is room for improvement.
> Any ideas and feedback are very welcome!

There is another implementation which was posted here (maybe) some time
ago. Maybe a good thing to compare.

https://github.com/buganini/rcexecr

Joris

>
> -kilian
Re: Fwd: binding non local ip.
Hi Julian and many thanks for your comments.

2011/1/11 Julian Elischer :
> On 1/9/11 3:01 PM, joris dedieu wrote:
>>
>> -- Forwarded message --
>> From: joris dedieu
>> Date: 2011/1/9
>> Subject: Re: binding non local ip.
>> To: Julian Elischer
>>
>>
>> 2011/1/7 Julian Elischer:
>>>
>>> On 1/7/11 4:57 AM, joris dedieu wrote:
>>>>
>>>> Hi,
>>>> I need to bind non local ips to daemons that don't
>>>> implement the IP_BINDANY sockopt.
>>>
>>> I'm not sure you need it
>>> you can use the ipfw 'fwd' command to make a locally bound
>>> socket act and look as if it is bound to a non local address
>>>
>>> You need to tell us a little more about what you need to do
>>>
>>> for example,
>>> Is the socket just listening? or is it initiating?
>>
>> listening I think.
>> Typically prepare a spare server.
>> eg:
>> - Failover as with carp but with more complex actions such as shutting
>> down the power of the main server, check data consistency, check if
>> the problem is not just a reboot or a buggy service that needs to be
>> restarted.
>
> A listening server can be listening on a local port and address.
> Use ipfw 'fwd' to force it to accept a non-local address socket.
> the local address of the listening socket will be switched to that
> of the address on the session.
>
> e.g.
> ipfw add 100 fwd 127.0.0.1,80 tcp from any to 111.123.123.123 in recv em0
>
> your local server listening on 127.0.0.1:80 will end up with a socket with
> a local address of 111.123.123.123 even if that is not any address of yours.
>
>> - Switch an ip from a main server to an already configured proxy (during a
>> dos)
>> - monitor that the spare service is running.
>
> this is easy as shown above

As I said above there are several workarounds depending on the context.
I agree enabling ipfw is not the worst.

In my thought, the goal of this patch is just to offer a simple answer to
a simple question. How to bind a non local ip under FreeBSD ?
For now the answer is implement it with IP_BINDANY or do as if (with
firewalling) or do it another way. I know it. I do it that way on my job
every day. I just think "turn on sysctl.XXX.YYY" is one of those little
things you are happy to find.

Best regards
Joris

>
>>>> There are several solutions as patching every single daemon
>>>> or using carp (You may not want automatic failover), jailing
>>>> the process and of course binding INADDR_ANY when possible ...
>>>>
>>>> As I'm too lazy for this, I wrote a little (maybe ugly as my
>>>> kernel knowledge is really low) patch that adds a sysctl
>>>> entry in net.inet.ip that allows binding non local ips. It's
>>>> maybe buggy and insecure but it seems to work.
>>>
>>> seems ok, but if the daemon is initiating, how does it know to bind to a
>>> non local address?
>>
>> It doesn't know. That's the goal. So when the address becomes local
>> it's already ready. So you don't discover that it's misconfigured or
>> broken, or whatever else your dummy colleague has imagined :) . You or a
>> script ifconfig the alias and back to bed !
>>>
>>> also. if you have source, a single setsockopt() in each one is not much
>>> of a job..
>>
>> I already do this for haproxy and for apr. But (for haproxy) it seems
>> to be too specific to be integrated upstream. For other services (as
>> tomcat) that don't know privilege dropping it's more problematic as
>> IP_BINDANY needs in most cases root privileges.
>>
>> I think that a system wide solution should be a good thing.
>> Joris
>>>
>
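Added example (not part of the thread): the per-socket route the message above refers to, binding a listener to an address the host does not own with IP_BINDANY on FreeBSD (granted only to a process holding PRIV_NETINET_BINDANY, i.e. root by default) or its Linux equivalent IP_FREEBIND, which is the alternative to the system-wide sysctl the patch proposes. The TEST-NET-1 address 192.0.2.1 and the bind_listener()/try_bind() names are constructed for the example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Per-socket "bind any" option. FreeBSD: IP_BINDANY, granted only to a
 * process holding PRIV_NETINET_BINDANY (root under the default policy).
 * Linux: IP_FREEBIND, no privilege required. */
#if defined(IP_BINDANY)
#define BINDANY_OPT IP_BINDANY
#elif defined(IP_FREEBIND)
#define BINDANY_OPT IP_FREEBIND
#else
#error "no non-local bind socket option on this platform"
#endif

/* Bind a TCP socket to ip:port. Returns 0 and the descriptor through
 * *fd_out, or -errno from inet_pton(), socket(), setsockopt() or bind(). */
int bind_listener(const char *ip, uint16_t port, int allow_nonlocal, int *fd_out)
{
    struct sockaddr_in sin;
    int fd, one = 1, e;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return -EINVAL;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    /* Without the option the kernel rejects an address no interface
     * carries with EADDRNOTAVAIL: that is the check the sysctl patch in
     * this thread relaxes for every socket at once. */
    if (allow_nonlocal &&
        setsockopt(fd, IPPROTO_IP, BINDANY_OPT, &one, sizeof one) != 0) {
        e = errno;              /* EPERM on FreeBSD without the privilege */
        close(fd);
        return -e;
    }
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0) {
        e = errno;
        close(fd);
        return -e;
    }
    *fd_out = fd;
    return 0;
}

/* Test helper: try the bind, release the socket, hand back the code. */
int try_bind(const char *ip, int allow_nonlocal)
{
    int fd = -1;
    int r = bind_listener(ip, 0, allow_nonlocal, &fd);
    if (r == 0)
        close(fd);
    return r;
}

int main(int argc, char **argv)
{
    /* 192.0.2.1 (TEST-NET-1, RFC 5737) is a constructed address that no
     * interface on this machine is expected to carry. */
    const char *ip = argc > 1 ? argv[1] : "192.0.2.1";
    int r;

    r = try_bind(ip, 0);
    printf("bind %s without the option: %s\n", ip, r == 0 ? "ok" : strerror(-r));
    r = try_bind(ip, 1);
    printf("bind %s with the option:    %s\n", ip, r == 0 ? "ok" : strerror(-r));
    return 0;
}
```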
Fwd: binding non local ip.
-- Forwarded message -- 
From: joris dedieu
Date: 2011/1/9
Subject: Re: binding non local ip.
To: Julian Elischer

2011/1/7 Julian Elischer :
> On 1/7/11 4:57 AM, joris dedieu wrote:
>>
>> Hi,
>> I need to bind non local ips to daemons that don't
>> implement the IP_BINDANY sockopt.
>
> I'm not sure you need it
> you can use the ipfw 'fwd' command to make a locally bound
> socket act and look as if it is bound to a non local address
>
> You need to tell us a little more about what you need to do
>
> for example,
> Is the socket just listening? or is it initiating?

listening I think.
Typically prepare a spare server.
eg:
- Failover as with carp but with more complex actions such as shutting
down the power of the main server, check data consistency, check if
the problem is not just a reboot or a buggy service that needs to be
restarted.
- Switch an ip from a main server to an already configured proxy (during a
dos)
- monitor that the spare service is running.

>
>> There are several solutions as patching every single daemon
>> or using carp (You may not want automatic failover), jailing
>> the process and of course binding INADDR_ANY when possible ...
>>
>> As I'm too lazy for this, I wrote a little (maybe ugly as my
>> kernel knowledge is really low) patch that adds a sysctl
>> entry in net.inet.ip that allows binding non local ips. It's
>> maybe buggy and insecure but it seems to work.
>
> seems ok, but if the daemon is initiating, how does it know to bind to a non
> local address?

It doesn't know. That's the goal. So when the address becomes local
it's already ready. So you don't discover that it's misconfigured or
broken, or whatever else your dummy colleague has imagined :) . You or a
script ifconfig the alias and back to bed !

> also. if you have source, a single setsockopt() in each one is not much of a
> job..

I already do this for haproxy and for apr. But (for haproxy) it seems
to be too specific to be integrated upstream.
For other services (as tomcat) that don't know privilege dropping it's
more problematic as IP_BINDANY needs in most cases root privileges.

I think that a system wide solution should be a good thing.
Joris

>
>
>> What do you think about it ?
>>
>> Thanks
>> Joris
>>
>> --- a/sys/netinet/in_pcb.c >> +++ b/sys/netinet/in_pcb.c >> @@ -321,6 +321,9 @@ in_pcbbind(struct inpcb *inp, struct sockaddr >> *nam, struct ucred *cred) >> * >> * On error, the values of *laddrp and *lportp are not changed. >> */ >> +static int bindany = 0; /* 1 allows to bind a non local ip */ >> +SYSCTL_INT(_net_inet_ip, OID_AUTO, bindany, CTLFLAG_RW,&bindany, 0, >> + "Allow to bind a non local ip"); >> int >> in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t >> *laddrp, >> u_short *lportp, struct ucred *cred) >> @@ -393,8 +396,12 @@ in_pcbbind_setup(struct inpcb *inp, struct >> sockaddr *nam, in_addr_t *laddrp, >> * to any endpoint address, local or not. >> */ >> if ((inp->inp_flags& INP_BINDANY) == 0&& >> - ifa_ifwithaddr_check((struct sockaddr *)sin) >> == 0) >> - return (EADDRNOTAVAIL); >> + ifa_ifwithaddr_check((struct sockaddr *)sin) >> == 0) { >> + if(bindany> 0) >> + inp->inp_flags |= INP_BINDANY; >> + else >> + return (EADDRNOTAVAIL); >> + } >> } >> laddr = sin->sin_addr; >> if (lport) {
Re: binding non local ip.
2011/1/9 Eygene Ryabinkin :

Sorry for my broken mail client that does not send mails to the list :)
I'll take care.

> Joris, good day.
>
> Sun, Jan 09, 2011 at 06:29:20PM +0100, joris dedieu wrote:
>> Thanks Eygene for this great review !
>
> No problems ;))
>
>> 2011/1/7 Eygene Ryabinkin :
>> > Fri, Jan 07, 2011 at 01:57:21PM +0100, joris dedieu wrote:
>> >> What do you think about it ?
>> > [...]
>> >> +static int bindany = 0; /* 1 allows to bind a non local ip */
>> >> +SYSCTL_INT(_net_inet_ip, OID_AUTO, bindany, CTLFLAG_RW, &bindany, 0,
>> >> + "Allow to bind a non local ip");
>> >
>> > On at least 8.x, you will likely want to use VNET_* macros to enable
>> > your new sysctl to be virtualized. Something like this:
>> > {{{
>> > VNET_DEFINE(int, inp_bindany) = 0;
>> > SYSCTL_VNET_INT(_net_inet_ip, OID_AUTO, bindany, CTLFLAG_RW,
>> > &VNET_NAME(inp_bindany), 0, "Force INP_BINDANY on all sockets");
>> > }}}
>> > and use VNET(inp_bindany) in subsequent code.
>> Ok it makes sense. I will use VNET_*. There are a lot of SYSCTL_* in
>> netinet and netinet6. Is changing this for VNET_* an open task?
>
> I think that most of them that are applicable to VNET were
> already converted. It is better to ask at freebsd-...@freebsd.org.
>
>> Great. It makes me understand the way a lot of things are written.
>> Avoid branching if you can.
>> I see that the OPSET macro in netinet/ip_output.c locks the inp struct. Is
>> there a need of it there ?
>
> Yes.

I had overlooked the need of locking here, sorry. I wrote a better patch
that avoids locking and inp struct modification.

diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index d742887..f41e4da 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c
@@ -321,6 +321,9 @@ in_pcbbind(struct inpcb *inp, struct sockaddr *nam, struct ucred *cred) * * On error, the values of *laddrp and *lportp are not changed. */ +VNET_DEFINE(int, inp_bindany) = 0; +SYSCTL_VNET_INT(_net_inet_ip, OID_AUTO, bindany, CTLFLAG_RW, +&VNET_NAME(inp_bindany), 0, "Force INP_BINDANY on all sockets"); int in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t *laddrp, u_short *lportp, struct ucred *cred) @@ -392,7 +395,8 @@ in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t *laddrp, * If INP_BINDANY is set, then the socket may be bound * to any endpoint address, local or not. */ - if ((inp->inp_flags & INP_BINDANY) == 0 && + if (VNET(inp_bindany) == 0 && + (inp->inp_flags & INP_BINDANY) == 0 && ifa_ifwithaddr_check((struct sockaddr *)sin) == 0) return (EADDRNOTAVAIL); } diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h index 4ba19e6..3720121 100644 --- a/sys/netinet/in_pcb.h +++ b/sys/netinet/in_pcb.h @@ -467,6 +467,7 @@ VNET_DECLARE(int, ipport_randomcps); VNET_DECLARE(int, ipport_randomtime); VNET_DECLARE(int, ipport_stoprandom); VNET_DECLARE(int, ipport_tcpallocs); +VNET_DECLARE(int, inp_bindany); #defineV_ipport_reservedhigh VNET(ipport_reservedhigh) #defineV_ipport_reservedlowVNET(ipport_reservedlow) diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index c91d4a9..17a2e78 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c 
@@ -897,6 +897,7 @@ rip_bind(struct socket *so, struct sockaddr *nam, struct thread *td) if (TAILQ_EMPTY(&V_ifnet) || (addr->sin_family != AF_INET && addr->sin_family != AF_IMPLINK) || (addr->sin_addr.s_addr && + VNET(inp_bindany) == 0 && (inp->inp_flags & INP_BINDANY) == 0 && ifa_ifwithaddr_check((struct sockaddr *)addr) == 0)) return (EADDRNOTAVAIL);

>
>> Do you mean there is a way to control user input (ie 0 or 42, but
>> nothing else)?
>
> No, I meant that if you'll use the custom sysctl value handler (via
> SYSCTL_VNET_PROC, not via SYSCTL_VNET_INT), then you can convert any
> non-zero value to INP_BINDANY and zero to zero. But given the need of
> locking, I don't think that this won't be good to take this road: one
> simple non-conditional logical instruction will be harmless even if it
> is executed when it is not needed; but the block of
> lock-logicalop-unlock will be worse.
> --
> Eygene Ryabinkin ,,,^..^,,,
> [ Life's unfair - but root password helps! | codelabs.ru ]
> [ 82FE 06BC D497 C0DE 49EC 4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
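Review bot: the sysctl in the first in_pcb.c hunk is registered with plain `CTLFLAG_RW` although, once set, it lets every process in the vnet bind any IPv4 address, the capability that the per-socket `IP_BINDANY` option otherwise keeps behind a privilege check (the thread itself notes IP_BINDANY usually needs root); `CTLFLAG_RW | CTLFLAG_SECURE` and a description saying that it bypasses that check would make the trade-off visible in `sysctl -d`. In the in_pcb.h hunk the new `VNET_DECLARE(int, inp_bindany)` has no matching `#define V_inp_bindany VNET(inp_bindany)` next to the `V_ipport_*` defines, and both callers use `VNET(inp_bindany)` directly; adding the `V_` macro keeps that file's convention. Only `in_pcbbind_setup()` and `rip_bind()` change, so the description "Force INP_BINDANY on all sockets" overstates the effect; something like "allow binding non-local IPv4 addresses without IP_BINDANY" matches what the hunks do.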
binding non local ip.
Hi,

I need to bind non local ips to daemons that don't implement the
IP_BINDANY sockopt. There are several solutions as patching every single
daemon or using carp (You may not want automatic failover), jailing the
process and of course binding INADDR_ANY when possible ...

As I'm too lazy for this, I wrote a little (maybe ugly as my kernel
knowledge is really low) patch that adds a sysctl entry in net.inet.ip
that allows binding non local ips. It's maybe buggy and insecure but it
seems to work.

What do you think about it ?

Thanks
Joris

--- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -321,6 +321,9 @@ in_pcbbind(struct inpcb *inp, struct sockaddr *nam, struct ucred *cred) * * On error, the values of *laddrp and *lportp are not changed. */ +static int bindany = 0; /* 1 allows to bind a non local ip */ +SYSCTL_INT(_net_inet_ip, OID_AUTO, bindany, CTLFLAG_RW, &bindany, 0, +"Allow to bind a non local ip"); int in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t *laddrp, u_short *lportp, struct ucred *cred) @@ -393,8 +396,12 @@ in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, in_addr_t *laddrp, * to any endpoint address, local or not. */ if ((inp->inp_flags & INP_BINDANY) == 0 && - ifa_ifwithaddr_check((struct sockaddr *)sin) == 0) - return (EADDRNOTAVAIL); + ifa_ifwithaddr_check((struct sockaddr *)sin) == 0) { + if(bindany > 0) + inp->inp_flags |= INP_BINDANY; + else + return (EADDRNOTAVAIL); + } } laddr = sin->sin_addr; if (lport) {
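Review bot: `inp->inp_flags |= INP_BINDANY` in the second hunk turns a global toggle into a write to the inpcb, which needs the inpcb write lock that this path is not shown taking, and the flag then stays on the socket after `net.inet.ip.bindany` is set back to 0; testing the toggle in the condition instead, `if (bindany == 0 && (inp->inp_flags & INP_BINDANY) == 0 && ifa_ifwithaddr_check((struct sockaddr *)sin) == 0) return (EADDRNOTAVAIL);`, needs neither the write nor the extra branch. The variable should also be `VNET_DEFINE`d and registered with `SYSCTL_VNET_INT` so each vnet decides for itself, and since it removes, for every process, the privilege check that the per-socket `IP_BINDANY` option is behind (the cover note itself calls the patch "maybe buggy and insecure"), `CTLFLAG_SECURE` and a description that says so are warranted.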
netinet6 little cleanup
Hi,

As I was reading netinet6 code, I found some redundant SYSCTL_DECL. I
don't know if it's really useful but here is a patch to clean it.

- remove SYSCTL_DECL(_net_inet6_ip6) and SYSCTL_DECL(_net_inet6) from c files
+ add them to the netinet6/in6_var.h header (like for netinet).

Cheers
Joris

diff --git a/sys/netinet/ipfw/ip_fw2.c b/sys/netinet/ipfw/ip_fw2.c index 43b2d11..d1d1f6d 100644 --- a/sys/netinet/ipfw/ip_fw2.c +++ b/sys/netinet/ipfw/ip_fw2.c @@ -175,7 +175,6 @@ SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, static_count, "Number of static rules"); #ifdef INET6 -SYSCTL_DECL(_net_inet6_ip6); SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_AUTO, deny_unknown_exthdrs, CTLFLAG_RW | CTLFLAG_SECURE, &VNET_NAME(fw_deny_unknown_exthdrs), 0, diff --git a/sys/netinet6/in6_gif.c b/sys/netinet6/in6_gif.c index e786836..1cf0cc6 100644 --- a/sys/netinet6/in6_gif.c +++ b/sys/netinet6/in6_gif.c @@ -74,7 +74,6 @@ __FBSDID("$FreeBSD$"); VNET_DEFINE(int, ip6_gif_hlim) = GIF_HLIM; #defineV_ip6_gif_hlim VNET(ip6_gif_hlim) -SYSCTL_DECL(_net_inet6_ip6); SYSCTL_VNET_INT(_net_inet6_ip6, IPV6CTL_GIF_HLIM, gifhlim, CTLFLAG_RW, &VNET_NAME(ip6_gif_hlim), 0, ""); diff --git a/sys/netinet6/in6_mcast.c b/sys/netinet6/in6_mcast.c index 1438c32..9f33cb7 100644 --- a/sys/netinet6/in6_mcast.c +++ b/sys/netinet6/in6_mcast.c @@ -148,7 +148,6 @@ static int in6p_set_multicast_if(struct inpcb *, struct sockopt *); static int in6p_set_source_filters(struct inpcb *, struct sockopt *); static int sysctl_ip6_mcast_filters(SYSCTL_HANDLER_ARGS); -SYSCTL_DECL(_net_inet6_ip6); /* XXX Not in any common header. */ SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, mcast, CTLFLAG_RW, 0, "IPv6 multicast"); diff --git a/sys/netinet6/in6_rmx.c b/sys/netinet6/in6_rmx.c index 2a13646..1943945 100644 --- a/sys/netinet6/in6_rmx.c +++ b/sys/netinet6/in6_rmx.c
@@ -204,7 +204,6 @@ in6_matroute(void *v_arg, struct radix_node_head *head) return rn; } -SYSCTL_DECL(_net_inet6_ip6); static VNET_DEFINE(int, rtq_reallyold6) = 60*60; /* one hour is ``really old'' */ diff --git a/sys/netinet6/in6_src.c b/sys/netinet6/in6_src.c index 49bc715..bb60996 100644 --- a/sys/netinet6/in6_src.c +++ b/sys/netinet6/in6_src.c @@ -989,7 +989,6 @@ struct walkarg { }; static int in6_src_sysctl(SYSCTL_HANDLER_ARGS); -SYSCTL_DECL(_net_inet6_ip6); SYSCTL_NODE(_net_inet6_ip6, IPV6CTL_ADDRCTLPOLICY, addrctlpolicy, CTLFLAG_RD, in6_src_sysctl, ""); diff --git a/sys/netinet6/in6_var.h b/sys/netinet6/in6_var.h index 00342fd..23f927d 100644 --- a/sys/netinet6/in6_var.h +++ b/sys/netinet6/in6_var.h @@ -653,6 +653,11 @@ im6s_get_mode(const struct in6_multi *inm, const struct ip6_msource *ims, @@ -653,6 +653,11 @@ im6s_get_mode(const struct in6_multi *inm, const struct ip6_msource *ims, @@ -653,6 +653,11 @@ im6s_get_mode(const struct in6_multi *inm, const struct ip6_msource *ims, diff --git a/sys/netinet/ipfw/ip_fw2.c b/sys/netinet/ipfw/ip_fw2.c index 43b2d11..d1d1f6d 100644 --- a/sys/netinet/ipfw/ip_fw2.c +++ b/sys/netinet/ipfw/ip_fw2.c @@ -175,7 +175,6 @@ SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, static_count, "Number of static rules"); #ifdef INET6 -SYSCTL_DECL(_net_inet6_ip6); SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); SYSCTL_VNET_INT(_net_inet6_ip6_fw, OID_AUTO, deny_unknown_exthdrs, CTLFLAG_RW | CTLFLAG_SECURE, &VNET_NAME(fw_deny_unknown_exthdrs), 0, diff --git a/sys/netinet6/in6_gif.c b/sys/netinet6/in6_gif.c index e786836..1cf0cc6 100644 --- a/sys/netinet6/in6_gif.c +++ b/sys/netinet6/in6_gif.c @@ -74,7 +74,6 @@ __FBSDID("$FreeBSD$"); VNET_DEFINE(int, ip6_gif_hlim) = GIF_HLIM; #defineV_ip6_gif_hlim VNET(ip6_gif_hlim) -SYSCTL_DECL(_net_inet6_ip6); SYSCTL_VNET_INT(_net_inet6_ip6, IPV6CTL_GIF_HLIM, gifhlim, CTLFLAG_RW, &VNET_NAME(ip6_gif_hlim), 0, ""); 
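Review bot: the in6_var.h hunk survives only as its header `@@ -653,6 +653,11 @@ im6s_get_mode(...)`, repeated three times with no body, so the five added lines (the `SYSCTL_DECL(_net_inet6_ip6)` and `SYSCTL_DECL(_net_inet6)` the cover note says go into netinet6/in6_var.h) are not in the posted diff, and the patch is then pasted a second time from the ip_fw2.c hunk onward; please resend a clean copy. Every removal in the other hunks (ip_fw2.c under `#ifdef INET6`, in6_gif.c, in6_mcast.c, in6_rmx.c, in6_src.c) now relies on that header reaching the file, which the diff does not show; a line in the commit text confirming that each of them already includes netinet6/in6_var.h, or an added include where one does not, would let a reviewer check that the build still succeeds with and without INET6. Dropping the `/* XXX Not in any common header. */` comment in in6_mcast.c is consistent with moving the declaration into a common header.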
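Review bot: removing SYSCTL_DECL(_net_inet6_ip6) from the #ifdef INET6 block of sys/netinet/ipfw/ip_fw2.c only compiles if that file already pulls in netinet6/in6_var.h, where the patch moves the declaration; ip_fw2.c lives outside netinet6/ and the hunk shows no include being added, so please confirm the include is present and reachable under INET6, otherwise the SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, ...) that follows on the next line will fail with an undeclared identifier in INET6 kernels.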
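Review bot: the in6_var.h hunk is the one that has to compensate for every removal, but only its header (@@ -653,6 +653,11 @@) is visible in the posted patch and the five added lines are missing, so the new declarations cannot be reviewed; please repost the full hunk. Two things to check when you do: the added SYSCTL_DECL lines must sit inside the existing #ifdef _KERNEL section of in6_var.h, because that header is also included by userland and SYSCTL_DECL is a sys/sysctl.h macro; and the cover note says SYSCTL_DECL(_net_inet6) is removed from the .c files as well, yet every visible removal is SYSCTL_DECL(_net_inet6_ip6), so either a hunk is missing or the description should be trimmed to _net_inet6_ip6.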
Re: [PATCH] allow empty files creation with install
2010/7/17 Garrett Cooper :
> On Sat, Jul 17, 2010 at 6:34 AM, joris dedieu wrote:
>> This patch adds a -t switch to install(3). This is a small feature for
>> lazy sysadmins.
>>
>> before :
>>
>> touch /usr/home/foo/.history /usr/home/foo/.bash_history
>> chown foo /usr/home/foo/.history /usr/home/foo/.bash_history
>> chmod 600 /usr/home/foo/.history /usr/home/foo/.bash_history
>> chflags sappend /usr/home/foo/.history /usr/home/foo/.bash_history
>>
>> after :
>>
>> install -o foo -g foo -m 600 -f sappend /usr/home/foo/.history
>> /usr/home/foo/.bash_history
>
> And why isn't creating a 4-command bourne shell script which does

There are a lot of one-shot things that don't need a script.

> all of these operations an option? install is used a lot in the build
> process both on the FreeBSD side and the ports side, so I'd prefer if
> it was as minimalist as possible.

Well, install is also a powerful cp and mkdir, useful in everyday administration, so I thought it should also be a powerful touch. And why not more than that? A powerful file management tool.

I understand that the build process is critical and that with FreeBSD it "just works". From this perspective this patch is maybe not a necessity. It was fun to do it :)

Joris

> Thanks,
> -Garrett
>
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
Re: [PATCH] allow empty files creation with install
2010/7/17 Anonymous :
> joris dedieu writes:
>
>> This patch adds a -t switch to install(3). This is a small feature for
>> lazy sysadmins.
>>
>> before :
>>
>> touch /usr/home/foo/.history /usr/home/foo/.bash_history
>> chown foo /usr/home/foo/.history /usr/home/foo/.bash_history
>> chmod 600 /usr/home/foo/.history /usr/home/foo/.bash_history
>> chflags sappend /usr/home/foo/.history /usr/home/foo/.bash_history
>
> for f in .history .bash_history; do
> install -o foo -g foo -m 600 -f sappend /dev/null /usr/home/foo/$f
> done
>
>>
>> after :
>>
>> install -o foo -g foo -m 600 -f sappend /usr/home/foo/.history
>> /usr/home/foo/.bash_history
>
> Your example doesn't use `-t' option.

And it doesn't work, sorry.

install -o foo -g foo -m 600 -f sappend -t /usr/home/foo/.history
Re: [PATCH] allow empty files creation with install
2010/7/17 Kostik Belousov :
> On Sat, Jul 17, 2010 at 03:34:08PM +0200, joris dedieu wrote:
>> This patch adds a -t switch to install(3). This is a small feature for
>> lazy sysadmins.
>>
>> before :
>>
>> touch /usr/home/foo/.history /usr/home/foo/.bash_history
>> chown foo /usr/home/foo/.history /usr/home/foo/.bash_history
>> chmod 600 /usr/home/foo/.history /usr/home/foo/.bash_history
>> chflags sappend /usr/home/foo/.history /usr/home/foo/.bash_history
>>
>> after :
>>
>> install -o foo -g foo -m 600 -f sappend /usr/home/foo/.history
>> /usr/home/foo/.bash_history
>>
>
> Doesn't /dev/null as a source file work better?

Damned! Why did I never think about this?
[PATCH] allow empty files creation with install
This patch adds a -t switch to install(3). This is a small feature for lazy sysadmins.

before :

touch /usr/home/foo/.history /usr/home/foo/.bash_history
chown foo /usr/home/foo/.history /usr/home/foo/.bash_history
chmod 600 /usr/home/foo/.history /usr/home/foo/.bash_history
chflags sappend /usr/home/foo/.history /usr/home/foo/.bash_history

after :

install -o foo -g foo -m 600 -f sappend /usr/home/foo/.history /usr/home/foo/.bash_history

Regards,
Joris

xinstall.patch
Description: Binary data
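The /dev/null source suggested in the replies above, carried a little further as an added shell example; this is not the -t patch from the thread and not FreeBSD's own install(1) code. It creates the empty, owner-only history files from /dev/null and verifies the result, and it degrades when run without root or on a system without chflags(1), so the append-only part is only attempted where it can succeed. The function names and the file paths are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not the patch under discussion: the /dev/null idiom from the
# replies, wrapped so it still works unprivileged or on a system without
# chflags(1). Assumes POSIX sh, install(1) and ls(1). Ownership (-o/-g) and
# the sappend flag are only attempted as root, chflags only where it exists.

# mk_history_file FILE OWNER GROUP
# Creates FILE as an empty regular file with mode 0600 from /dev/null.
# As root it also sets OWNER:GROUP and, where chflags exists, the system
# append-only flag, so the owner can append to the file but not truncate it.
mk_history_file() {
    f=$1
    owner=$2
    group=$3
    if [ "$(id -u)" -eq 0 ]; then
        install -o "$owner" -g "$group" -m 600 /dev/null "$f" || return 1
        if command -v chflags >/dev/null 2>&1; then
            chflags sappend "$f" || return 1
        fi
    else
        # Unprivileged: ownership and flags are out of reach; the empty
        # 0600 file is still produced.
        install -m 600 /dev/null "$f" || return 1
    fi
    return 0
}

# check_history_file FILE
# Succeeds only if FILE is a regular, empty file whose mode is rw-------.
# ls -ld is used for the mode because stat(1) takes different flags on
# BSD and GNU systems.
check_history_file() {
    f=$1
    [ -f "$f" ] || return 1
    [ ! -s "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Usage (as root on FreeBSD, mirrors the thread's one-liner):
#   mk_history_file /usr/home/foo/.history foo foo && \
#       check_history_file /usr/home/foo/.history
```

On FreeBSD the sappend flag set this way can only be cleared again with chflags by root at securelevel 0 or below, which is what makes it useful for shell history files; on Linux the same function yields the empty 0600 file but no append-only protection, since chflags is absent.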