cron: Implement full PAM session lifecycle for user jobs
Extend PAM integration beyond account checks to include credential
establishment and session management, allowing PAM modules to configure
the execution environment for user cron jobs.
Previously, cron only called pam_acct_mgmt() to verify account validity
but immediately terminated the PAM handle before job execution. This
prevented PAM modules from establishing sessions, setting credentials
(e.g., Kerberos tickets), or exporting environment variables needed by
jobs.
The PAM handle now persists in the intermediate process throughout the
job execution, enabling proper session open/close pairing. Credentials
are established and sessions opened while still running as root, before
dropping privileges in the grandchild. PAM environment variables are
exported in the job process with user crontab variables taking precedence.
A session rule (pam_permit.so) is added to /etc/pam.d/cron to enable
[9 lines not shown]
libexecinfo: tests: Expect failure on aarch64
Add a guard that expects a failure of the test on aarch64.
Reviewed by: emaste
Fixes: df1ea5887326 ("tests: Test libexecinfo backtrace call througth signal trampoline")
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D54675
(cherry picked from commit fef84fd8ae845e19cec0f6b9aac0e6451cca3d7a)
libexecinfo: tests: Expect failure on aarch64
Add a guard that expects a failure of the test on aarch64.
Reviewed by: emaste
Fixes: df1ea5887326 ("tests: Test libexecinfo backtrace call througth signal trampoline")
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D54675
(cherry picked from commit fef84fd8ae845e19cec0f6b9aac0e6451cca3d7a)
nfscl: Fix handling of case insensitive file systems
Name caching must be handled somewhat differently
for case insensitive file systems. Negative name
caching does not work and, for rename, all names
associated with the rename'd vnode must be disabled.
For a case insensitive ZFS file system that is exported,
the unpatched code did work, since the change in mtime
or ctime of the directory when other case names were
created or rename'd would disable the false name cache
hit. However, an export of an msdosfs file system
breaks the NFS client, because it only works if ctime/mtime
is changed whenever a name is added/removed. Depending
on what the server file system is, this may not happen,
due to clock resolution or lack of support for these
attributes.
This patch checks to see if the server file system is
[10 lines not shown]
netstat: fix a segfault with --libxo
Fix a segfault when printing the "protocol" field. The field-format and
encoding-format were expecting different numbers of arguments.
Also, fix the width of the tcp-state field in encoded output.
PR: 292228
Fixes: c2b08c13c20 netstat: add support for UDP-Lite endpoints
Sponsored by: ConnectWise
Reviewed by: tuexen, js, des
Differential Revision: https://reviews.freebsd.org/D54567
(cherry picked from commit 3b6615ec0332f901fcc9e9307f78717424f09c1e)
fusefs: Fix further intermittency in the BadServer.ShortWrite test case
After being unmounted, the mockfs server would occasionally read from
/dev/fuse again, if the main function didn't exit fast enough, getting
an ENODEV error. Handle that appropriately.
Reported by: Siva Mahadevan <me at svmhdvn.name>
Fixes: d86025c1d49c84c4dc8c3635c83c078ad56e5a53
Reviewed by: Siva Mahadevan <me at svmhdvn.name>
Differential Revision: https://reviews.freebsd.org/D54331
(cherry picked from commit f51e9d0e0988df58c94db586ab5c8b5fd091c004)
gpart: "gpart --libxo:JP list" duplicates attribute keys
Add leaf-list modifier to attrib as it's possible to have multiple
attributes on a gpart provider.
I purposely made it so that the normal output still says "attrib:" just
so we don't break any scripts people may be using to parse the output,
but the libxo output now says "attribute" just like `gpart show` will do
once https://reviews.freebsd.org/D53950 is merged.
PR: 291377
Reviewed by: asomers
Sponsored by: ConnectWise
Differential Revision: https://reviews.freebsd.org/D54080
(cherry picked from commit a0347b0f3a6088872c29eddb85154478d543dffb)
ktrace: do not enqueue request if the process' ktrioparams are freed
The p_ktrioparms are freed on termination of tracing. Any ktr requests
added to the queue after that would hang there and leak on the struct
proc recycling, or trigger an assert in the process destructor for debug
builds.
Reported and tested by: pho
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D54804
openssh: Include <fcntl.h> explicitly in includes.h
This was previously included due to nested includes in Heimdal's
headers. Without this, the build fails with an error due to redefining
AT_FDCWD.
clang:
In file included from crypto/openssh/sshd-session.c:46:
/usr/obj/.../tmp/usr/include/fcntl.h:232:9: error: 'AT_FDCWD' macro redefined [-Werror,-Wmacro-redefined]
232 | #define AT_FDCWD -100
| ^
crypto/openssh/openbsd-compat/bsd-misc.h:69:10: note: previous definition is here
69 | # define AT_FDCWD (-2)
| ^
GCC (can't be disabled):
In file included from crypto/openssh/sshd-session.c:46:
[14 lines not shown]
openssh: Don't include an unused EVP_CIPHER_CTX_get_iv() stub
This stub isn't actually used on modern versions of OpenSSL for which
OpenSSH uses EVP_CIPHER_CTX_get_updated_iv instead via a wrapper macro.
However, the wrapper macro conflicted with the existing namespace
macro triggering an error on GCC:
In file included from crypto/openssh/sshd-session.c:65:
crypto/openssh/openbsd-compat/openssl-compat.h:71:11: error: "EVP_CIPHER_CTX_get_iv" redefined [-Werror]
71 | # define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv
| ^~~~~~~~~~~~~~~~~~~~~
In file included from <command-line>:
crypto/openssh/ssh_namespace.h:12:9: note: this is the location of the previous definition
12 | #define EVP_CIPHER_CTX_get_iv Fssh_EVP_CIPHER_CTX_get_iv
| ^~~~~~~~~~~~~~~~~~~~~
The error was masked on clang due to MIT krb5 adding a blanket
-Wno-macro-redefined. Building sshd-session without Kerberos support
[6 lines not shown]
openssh: blocklist: Use NetBSD probes
Use NetBSD probe locations for consistency. We have submitted all
improved or missing probes, keeping them synchronized with NetBSD (our
blocklist upstream) should simplify upgrades and maintenance, as the
locations of these probes are a moving target, depending on upstream
OpenSSH changes.
Additionally, use BLACKLIST_AUTH_FAIL exclusively for now. At the time
of this commit BLACKLIST_BAD_USER, is a no-op. However, it will change
in a future upgrade.
Also, enhance blacklist notification messages for better debugging by
making them more descriptive.
Reviewed by: emaste
Approved by: emaste (mentor)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52749
[5 lines not shown]
OpenSSH: Update to 10.0p2
Full release notes are available at
https://www.openssh.com/txt/release-10.0
Selected highlights from the release notes:
Potentially-incompatible changes
- This release removes support for the weak DSA signature algorithm.
[This change was previously merged to FreeBSD main.]
- This release has the version number 10.0 and announces itself as
"SSH-2.0-OpenSSH_10.0". Software that naively matches versions using
patterns like "OpenSSH_1*" may be confused by this.
- sshd(8): this release removes the code responsible for the user
authentication phase of the protocol from the per-connection
sshd-session binary to a new sshd-auth binary.
[17 lines not shown]
pf: fix min-ttl and set-tos for nat64
If we have both af-to and min-ttl or set-tos on a single rule we didn't
apply the new ttl or tos.
That's because the scrub code still applied the change, but we
subsequently create a new header for the new address family. That's done
based on the ttl/tos saved in the struct pf_pdesc, which are the values
from the incoming packet, before the scrub modification(s).
Also update the struct pf_pdesc values when we update packets.
Reported by: Marek Zarychta
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit cdbc9b76ff4901816b5ebdca5d0b7e9947a015cb)
LinuxKPI: 802.11: fix build for non-debug kernels
lkpi_nl80211_band_name() is only available under LINUXKPI_DEBUG_80211.
IMPROVE in theory should be as well or defined to nothing but we cannot
do that in cfg80211.h mac80211.h where we possibly (re-)define this.
Put an #ifdef around the IMPROVE call for now (untested).
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Fixes: 768332d61948
Reported by: CI
netstat: fix a segfault with --libxo
Fix a segfault when printing the "protocol" field. The field-format and
encoding-format were expecting different numbers of arguments.
Also, fix the width of the tcp-state field in encoded output.
PR: 292228
Fixes: c2b08c13c20 netstat: add support for UDP-Lite endpoints
Sponsored by: ConnectWise
Reviewed by: tuexen, js, des
Differential Revision: https://reviews.freebsd.org/D54567
(cherry picked from commit 3b6615ec0332f901fcc9e9307f78717424f09c1e)
fusefs: Fix further intermittency in the BadServer.ShortWrite test case
After being unmounted, the mockfs server would occasionally read from
/dev/fuse again, if the main function didn't exit fast enough, getting
an ENODEV error. Handle that appropriately.
Reported by: Siva Mahadevan <me at svmhdvn.name>
Fixes: d86025c1d49c84c4dc8c3635c83c078ad56e5a53
Reviewed by: Siva Mahadevan <me at svmhdvn.name>
Differential Revision: https://reviews.freebsd.org/D54331
(cherry picked from commit f51e9d0e0988df58c94db586ab5c8b5fd091c004)
gpart: "gpart --libxo:JP list" duplicates attribute keys
Add leaf-list modifier to attrib as it's possible to have multiple
attributes on a gpart provider.
I purposely made it so that the normal output still says "attrib:" just
so we don't break any scripts people may be using to parse the output,
but the libxo output now says "attribute" just like `gpart show` will do
once https://reviews.freebsd.org/D53950 is merged.
PR: 291377
Reviewed by: asomers
Sponsored by: ConnectWise
Differential Revision: https://reviews.freebsd.org/D54080
(cherry picked from commit a0347b0f3a6088872c29eddb85154478d543dffb)
OptionalObsoleteFiles.inc: Treat compat runtime loaders as libraries
Binaries require the runtime loader to use shared libraries, and
removing the runtime loader in `make delete-old` while leaving the
libraries around makes it impossible to use those shared libraries.
Treat rtld as a de facto dependency of shared libraries to ensure it
is not removed until the corresponding shared libraries are removed.
Differential Revision: https://reviews.freebsd.org/D52210
nanobsd: Avoid unnecessary subshell execution
Mimic c99bb5747f5e ("nanobsd: minor formatting cleanup") and cleanup
_create_code_slice(), somehow I missed it when rebasing.
No functional change intended.
Fixes: ecc039be7fdd ("nanobsd: Add a NO_ROOT build option")
MFC after: 3 days
nanobsd: Use NANO_DEF_{UNAME,GNAME}
Prefer to use NANO_DEF_UNAME and NANO_DEF_GNAME instead of a fixed
"root/wheel".
Fixes: 61ac7309c366 ("nanobsd: Add a provisional populate_part function")
MFC after: 3 days
makeman.lua: Update for src.conf in the src tree
Copy the text change from the shell makeman to makeman.lua.
Fixes: dd8c666d8b78 ("src.sys.mk: Support src.conf in SRCTOP")
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 2619d439fa860db734dbbf4b153c5ac9b15c7e49)
pf tests: give rules_counter:4G more time
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 8217075f9ecb12fa9a4cf746541b9d3e1dc57e79)
net80211: correct return code for ieee80211_ampdu_request()
We used to return the result of (*ic_send_action) directly but
ieee80211_ampdu_request() returns 1 on success and 0 on error,
which is contrary to the result of (*ic_send_action). Deal with
that accordingly and update the documentation of the function.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D54794
LinuxKPI: 802.11: factor out rate logic for mandatory channels
I was looking at rate work for another problem and found more flags
in ath9k (which we will likely never need). The documentation then
revealed the "mandatory" flags as well and with discussions about
cfg80211 going on I decided to use the momentum and split our
"supp_rates" setup between lkpi_lsta_alloc() and wiphy_register().
There should be no functional change.
While there also initialize max_rc_amsdu_len.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
