History log of /netbsd-src/etc/security (Results 1 – 25 of 132)
Revision Date Author Comments
# b2f03d66 21-Jul-2024 he <he@NetBSD.org>

etc/security: emit proper error message when there are dup groups.

...instead of erroring with "[: $grpname: unexpected operator".


# 1095510a 05-Jul-2023 martin <martin@NetBSD.org>

Fix sysctl invocation testing for missing entropy.


# 2cfa14df 30-Jun-2023 riastradh <riastradh@NetBSD.org>

security(5): Check kern.entropy.needed for confident entropy.

Don't test whether a non-blocking read from /dev/random would return
data.

For the sake of availability, /dev/random will unblock based on sources
like timer interrupts, which we can't confidently assert anything about
the actual unpredictability of.

Here, the goal is to highlight systems that have neither obtained
entropy from an HWRNG with a confident entropy assessment, nor been
seeded from a source the operator knows about.

XXX pullup-10


# 8e79ecca 04-Nov-2021 nia <nia@NetBSD.org>

Recognize argon2 passwords as valid in daily security reports.

from RVP in misc/56486


# cba96d16 10-Jan-2021 riastradh <riastradh@NetBSD.org>

Various entropy integration improvements.

- New /etc/security check for entropy in daily security report.

- New /etc/rc.d/entropy script runs (after random_seed and rndctl) to
check for entropy at boot -- in rc.conf, you can:

. set `entropy=check' to halt multiuser boot and enter single-user
mode if not enough entropy

. set `entropy=wait' to make multiuser boot wait until enough entropy

Default is to always boot without waiting -- and rely on other
channels like security report to alert the operator if there's a
problem.

- New man page entropy(7) discussing the higher-level concepts and
system integration with cross-references.

- New paragraph in afterboot(8) about entropy citing entropy(7) for
more details.

This change addresses many of the issues discussed in security/55659.
This is a first draft; happy to take improvements to the man pages and
scripted messages to improve clarity.

I considered changing motd to include an entropy warning with a
reference to the entropy(7) man page, but it's a little trickier:
- Not sure it's appropriate for all users to see at login rather than
users who have power to affect the entropy estimate (maybe it is,
just haven't decided).
- We only have a mechanism for changing once at boot; the message would
remain until next boot even if an operator adds enough entropy.
- The mechanism isn't really conducive to making a message appear
conditionally from boot to boot.


# d5fdd803 02-Dec-2020 wiz <wiz@NetBSD.org>

Update default pkgsrc database location from /var/db/pkg to /usr/pkg/pkgdb.


# c91905c4 06-Dec-2019 riastradh <riastradh@NetBSD.org>

Save the entropy seed daily in /etc/security.


# c3e808d5 18-Sep-2019 uwe <uwe@NetBSD.org>

Use $file instead of $(echo $file). I don't think the extra round of
word expansions was really intended here.


# d65b3b7a 04-Oct-2018 kre <kre@NetBSD.org>

Fix an obvious botch in the previous rev, found by martin@


# 9ae2b31f 23-Sep-2018 kre <kre@NetBSD.org>

Convert uses of test (aka '[') to use only posix specified forms,
mostly just on general principle... this resulted in one or two minor
code reformattings to keep 80 char limits - a few needless uses of
quotes ("no" ??) were also removed (sh is not C. strings are strings
without quotes around them...)


# 2f6dbbcf 06-Jan-2018 mlelstv <mlelstv@NetBSD.org>

Use sysctl to retrieve iostat names instead of parsing possibly
truncated iostat output.

Check dkctl listwedges output with grep.

Fixes PR 59205.


# 25e09ac3 29-Feb-2016 riastradh <riastradh@NetBSD.org>

Record current raid configurations too in /etc/security.


# 6b45f4ed 20-Apr-2015 pgoyette <pgoyette@NetBSD.org>

Set the redirection correctly, so that stderr gets duped to the
already redirected stdout, rather than duping stdout to stderr!

Without this fix, the disklabel output is included in the log file
rather than being discarded as intended. (The purpose of running
disklabel this first time is only to check for success.)


# 29acffa0 14-Feb-2015 nakayama <nakayama@NetBSD.org>

Avoid nfs devices correctly.


# b249d4b6 13-Dec-2014 uebayasi <uebayasi@NetBSD.org>

Indent and space fixes.


# 3c3f7bb8 23-Nov-2014 christos <christos@NetBSD.org>

- generate the list of disks only once and select from them later
- don't generate empty/useless files when disklabel or dkctl don't have data


# 8ce568ce 27-Aug-2014 apb <apb@NetBSD.org>

Split some long lines.


# acaf72ec 06-Nov-2013 spz <spz@NetBSD.org>

Introduce a variable for security.conf, default empty, to list users
whose home is (allowed to be) owned by another user.

It's a separate variable and not just check_passwd_permit_dups so I can
make security shut up about my uucp users.

Fixes the second half of PR misc/36063


# 0d7af235 06-Nov-2013 spz <spz@NetBSD.org>

having more than one line with the same group name and gid is not only
allowed, it's even recommended for groups with lots of members, so
do not warn about duplicate group name lines if the gid is the same


# dc76b0b0 08-Sep-2013 prlw1 <prlw1@NetBSD.org>

Add defaults for pkg_info and pkg_admin variables in case pkgpath.conf
is not installed.


# 1410cf30 01-May-2013 agc <agc@NetBSD.org>

Fix for problematic paths in /etc/daily and /etc/security reported in
PR/47645.

Add a separate file which contains the paths for the pkg_admin and
pkg_info utilities. This is called /etc/pkgpath.conf (to distinguish it
from pkg.conf).

Thanks also to Edgar Fuss for the sanity check.


# c6302b74 05-Apr-2012 spz <spz@NetBSD.org>

change security so that there is a configuration value for the list of
users who will not be considered for duplicate uid check.
Seed it with 'toor' in defaults/security.conf.


# 6f0af47a 02-Mar-2011 christos <christos@NetBSD.org>

too much quoting. pointed by anon ymous


# 4f848eee 27-Dec-2010 christos <christos@NetBSD.org>

`` -> $()


# 53cb2117 05-Feb-2010 jmmv <jmmv@NetBSD.org>

Deprecate the pkgdb_dir settings from daily.conf and security.conf in
favor of the PKG_DBDIR variable in /etc/pkg_install.conf. The purpose
of this is to only have to define the location of the packages database
in a single place and have all other system components pick it up.

pkgdb_dir is still honored if defined and the scripts will spit out a
warning in that case, asking the administrator to migrate to the
PKG_DBDIR setting. We can't remove this compatibility workaround until,
at least, after NetBSD 6 is released.
