wireguard-openbsd/libexec/security, branch jd/histogram

Remove user uucp and group news from base.

2016-12-27T09:17:52Z

When checking ownership and modes of files in /var/mail/,

2016-10-22T18:35:12Z

ignore *.lock files, to avoid pointless warning mails reported by Philippe Meunier ; OK florian@ jca@

When reading untrusted user files, don't risk blocking, such that

2015-07-21T19:07:13Z

users can't mount a DOS attack against security(8), and for additional safety against race attacks, make sure they are regular files after opening and before actually reading them. Issue originally hinted at by Sevan Janiyan based on a NetBSD commit message, then commented on by tedu@, problem finally confirmed by guenther@, who also provided feedback on the actual patch.

When diff(1) finds differences, it returns an exit status of 1.

2015-04-21T10:24:22Z

In that particular case, refrain from printing "diff: exit code 1" because that exit status doesn't indicate an error condition. Issue noticed by and patch OK'ed by ajacoutot@. "I agree with the goal, and I suspect the diff actually achieves it" guenther@.

In mount(8) output, do not misparse lines where fs_spec ends with the

2015-03-27T13:26:19Z

two characters "on", which can for example happen for NFS mounts. Patch from Lauri Tirkkonen on bugs@.

If /etc/passwd contains incomplete lines ending before the

2015-03-27T12:33:36Z

home directory field, warn explicitly rather than stumbling into Perl "uninitialized value" warnings. Issue reported by Denis Lapshin . OK afresh1@

AnonCVS is designed to work with a user account that has no password and a

2014-12-04T00:07:21Z

very special shell, so do not complain about that particular combination. Idea originally brought up by landry@ five years ago, repeatedly forgotten. Using feedback from sthen@ millert@ halex@; OK landry@ ajacoutot@.

The file /etc/exports is now optional and not installed by default,

2014-07-14T08:49:27Z

so do not complain when it is absent. issue found by and patch ok by ajacoutot@ "I don't do perl, but seems ok" deraadt@

Do not redirect STDERR of the main security(8) script to /dev/null,

2014-06-26T16:00:16Z

not even for calling three particular functions, as that carries a risk of hiding serious errors in the security(8) script itself: otto@ found and reported a bug (already fixed by now) where that hurt him. Instead, only do the redirection where it is really needed, that is, inside the forked csh(1) child process. The csh(1) "eval" builtin is required because the csh(1) "source" builtin apparently ignores redirections. No objections came up when showing this diff on tech@.

The Perl close() function, when called on pipe file descriptors,

2014-06-24T16:18:30Z

provides information from wait(2), which needs careful inspection in order to not hide errors. Problem identified by florian@ after a bug report from otto@. Fix based on a patch from florian@, considerably tweaked by me. OK florian@