cron: Implement full PAM session lifecycle for user jobs
Extend PAM integration beyond account checks to include credential
establishment and session management, allowing PAM modules to configure
the execution environment for user cron jobs.
Previously, cron only called pam_acct_mgmt() to verify account validity
but immediately terminated the PAM handle before job execution. This
prevented PAM modules from establishing sessions, setting credentials
(e.g., Kerberos tickets), or exporting environment variables needed by
jobs.
The PAM handle now persists in the intermediate process throughout the
job execution, enabling proper session open/close pairing. Credentials
are established and sessions opened while still running as root, before
dropping privileges in the grandchild. PAM environment variables are
exported in the job process with user crontab variables taking precedence.
A session rule (pam_permit.so) is added to /etc/pam.d/cron to enable
[9 lines not shown]
libexecinfo: tests: Expect failure on aarch64
Add a guard that expects a failure of the test on aarch64.
Reviewed by: emaste
Fixes: df1ea5887326 ("tests: Test libexecinfo backtrace call througth signal trampoline")
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D54675
(cherry picked from commit fef84fd8ae845e19cec0f6b9aac0e6451cca3d7a)
libexecinfo: tests: Expect failure on aarch64
Add a guard that expects a failure of the test on aarch64.
Reviewed by: emaste
Fixes: df1ea5887326 ("tests: Test libexecinfo backtrace call througth signal trampoline")
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D54675
(cherry picked from commit fef84fd8ae845e19cec0f6b9aac0e6451cca3d7a)
nfscl: Fix handling of case insensitive file systems
Name caching must be handled somewhat differently
for case insensitive file systems. Negative name
caching does not work and, for rename, all names
associated with the rename'd vnode must be disabled.
For a case insensitive ZFS file system that is exported,
the unpatched code did work, since the change in mtime
or ctime of the directory when other case names were
created or rename'd would disable the false name cache
hit. However, an export of an msdosfs file system
breaks the NFS client, because it only works if ctime/mtime
is changed whenever a name is added/removed. Depending
on what the server file system is, this may not happen,
due to clock resolution or lack of support for these
attributes.
This patch checks to see if the server file system is
[10 lines not shown]
netstat: fix a segfault with --libxo
Fix a segfault when printing the "protocol" field. The field-format and
encoding-format were expecting different numbers of arguments.
Also, fix the width of the tcp-state field in encoded output.
PR: 292228
Fixes: c2b08c13c20 netstat: add support for UDP-Lite endpoints
Sponsored by: ConnectWise
Reviewed by: tuexen, js, des
Differential Revision: https://reviews.freebsd.org/D54567
(cherry picked from commit 3b6615ec0332f901fcc9e9307f78717424f09c1e)
fusefs: Fix further intermittency in the BadServer.ShortWrite test case
After being unmounted, the mockfs server would occasionally read from
/dev/fuse again, if the main function didn't exit fast enough, getting
an ENODEV error. Handle that appropriately.
Reported by: Siva Mahadevan <me at svmhdvn.name>
Fixes: d86025c1d49c84c4dc8c3635c83c078ad56e5a53
Reviewed by: Siva Mahadevan <me at svmhdvn.name>
Differential Revision: https://reviews.freebsd.org/D54331
(cherry picked from commit f51e9d0e0988df58c94db586ab5c8b5fd091c004)
gpart: "gpart --libxo:JP list" duplicates attribute keys
Add leaf-list modifier to attrib as it's possible to have multiple
attributes on a gpart provider.
I purposely made it so that the normal output still says "attrib:" just
so we don't break any scripts people may be using to parse the output,
but the libxo output now says "attribute" just like `gpart show` will do
once https://reviews.freebsd.org/D53950 is merged.
PR: 291377
Reviewed by: asomers
Sponsored by: ConnectWise
Differential Revision: https://reviews.freebsd.org/D54080
(cherry picked from commit a0347b0f3a6088872c29eddb85154478d543dffb)
emulators/wine-devel: Streamline things a bit
Set BINARY_ALIAS and EXTRA_PATCHES using plain assignment (=) instead
of := since we do not have child ports any longer.
This forward ports most of commit 0535ec4919 for emulators/wine.
astro/osmium-tool: Upgrade to v1.19.0
ChangeLog: https://github.com/osmcode/osmium-tool/blob/master/CHANGELOG.md
Added
* Add integration tests for show command output formats.
Changed
* Switch to C++17 as minimum requirement.
* Use std::back_inserter instead of boost::function_output_iterator removing
one dependency on Boost.
* Various small fixes and code cleanups.
Fixed
* Fix ID comparison in osmium merge to match osmium sort behavior.
* Extract in "simple" mode: Check all nodes in a way for overlap with the
[3 lines not shown]
ktrace: do not enqueue request if the process' ktrioparams are freed
The p_ktrioparms are freed on termination of tracing. Any ktr requests
added to the queue after that would hang there and leak on the struct
proc recycling, or trigger an assert in the process destructor for debug
builds.
Reported and tested by: pho
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D54804
openssh: Include <fcntl.h> explicitly in includes.h
This was previously included due to nested includes in Heimdal's
headers. Without this, the build fails with an error due to redefining
AT_FDCWD.
clang:
In file included from crypto/openssh/sshd-session.c:46:
/usr/obj/.../tmp/usr/include/fcntl.h:232:9: error: 'AT_FDCWD' macro redefined [-Werror,-Wmacro-redefined]
232 | #define AT_FDCWD -100
| ^
crypto/openssh/openbsd-compat/bsd-misc.h:69:10: note: previous definition is here
69 | # define AT_FDCWD (-2)
| ^
GCC (can't be disabled):
In file included from crypto/openssh/sshd-session.c:46:
[14 lines not shown]
openssh: Don't include an unused EVP_CIPHER_CTX_get_iv() stub
This stub isn't actually used on modern versions of OpenSSL for which
OpenSSH uses EVP_CIPHER_CTX_get_updated_iv instead via a wrapper macro.
However, the wrapper macro conflicted with the existing namespace
macro triggering an error on GCC:
In file included from crypto/openssh/sshd-session.c:65:
crypto/openssh/openbsd-compat/openssl-compat.h:71:11: error: "EVP_CIPHER_CTX_get_iv" redefined [-Werror]
71 | # define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv
| ^~~~~~~~~~~~~~~~~~~~~
In file included from <command-line>:
crypto/openssh/ssh_namespace.h:12:9: note: this is the location of the previous definition
12 | #define EVP_CIPHER_CTX_get_iv Fssh_EVP_CIPHER_CTX_get_iv
| ^~~~~~~~~~~~~~~~~~~~~
The error was masked on clang due to MIT krb5 adding a blanket
-Wno-macro-redefined. Building sshd-session without Kerberos support
[6 lines not shown]
openssh: blocklist: Use NetBSD probes
Use NetBSD probe locations for consistency. We have submitted all
improved or missing probes, keeping them synchronized with NetBSD (our
blocklist upstream) should simplify upgrades and maintenance, as the
locations of these probes are a moving target, depending on upstream
OpenSSH changes.
Additionally, use BLACKLIST_AUTH_FAIL exclusively for now. At the time
of this commit BLACKLIST_BAD_USER, is a no-op. However, it will change
in a future upgrade.
Also, enhance blacklist notification messages for better debugging by
making them more descriptive.
Reviewed by: emaste
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52749
[5 lines not shown]
OpenSSH: Update to 10.0p2
Full release notes are available at
https://www.openssh.com/txt/release-10.0
Selected highlights from the release notes:
Potentially-incompatible changes
- This release removes support for the weak DSA signature algorithm.
[This change was previously merged to FreeBSD main.]
- This release has the version number 10.0 and announces itself as
"SSH-2.0-OpenSSH_10.0". Software that naively matches versions using
patterns like "OpenSSH_1*" may be confused by this.
- sshd(8): this release removes the code responsible for the user
authentication phase of the protocol from the per-connection
sshd-session binary to a new sshd-auth binary.
[17 lines not shown]
pf: fix min-ttl and set-tos for nat64
If we have both af-to and min-ttl or set-tos on a single rule we didn't
apply the new ttl or tos.
That's because the scrub code still applied the change, but we
subsequently create a new header for the new address family. That's done
based on the ttl/tos saved in the struct pf_pdesc, which are the values
from the incoming packet, before the scrub modification(s).
Also update the struct pf_pdesc values when we update packets.
Reported by: Marek Zarychta
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit cdbc9b76ff4901816b5ebdca5d0b7e9947a015cb)
