PR/58465: copypu: add wpa_supplicant.conf as optional

branches: 1.178.2;
etc/mtree/special: Fix spaces/tabs.

No functional change intended.

Now that we have /etc/openssl/certs.conf mentioned here, also
list /etc/openssl.

certctl(8): Set certs.conf 644 and add it to etc/mtree/special.

branches: 1.175.2;
build system: Revert all the recent additions of MK[...] knobs that
allow conditionally disabling the building of certain user space
programs in the 'base' set.

There is not enough consensus that this is the right way and a few
people had strong objections, see source-changes-d@.

mk: Allow setting MKDHCPD=no to build base without the ISC DHCP server,
useful for embedded images that don't need to act as one.

mk: Allow building base without the MBONE applications by setting
MKMBONE=no in mk.conf

Add /etc/sshd/ssh_host_ed25519_key* .

Add /etc/ip6addrctl.conf as optional file so it is backed up.

Fix /private/tmp mode to match etc/rc.d/perusertmp

Rename blacklist -> blocklist

dhcpcd: Empty the chroot

While here, set correct optional hooks.

branches: 1.167.2;
Add smtoff, an rc.d script that disables Simultaneous Multi-Threading. It
parses the output of cpuctl, and executes "cpuctl offline" for each CPU
that has SmtID!=0.

The default is "smtoff=NO", which means that SMT remains enabled.

capture /etc/route.conf in /var/backups.

For consistency use the user and group names for directory ownership.
Also do this for rtadvd, so that it can dump core.

Remove the userland part of ISDN. The kernel part is untouched for now.
ipppctl was actually an exact copy of pppoectl; there is no functional
change in pppoectl in this commit.

Remove dhclient from the base system.

Discussed here:
https://mail-index.netbsd.org/tech-userlevel/2018/06/21/msg011233.html

branches: 1.162.2; 1.162.4;
Merge autofs support from: Tomohiro Kusumi
XXX: Does not work yet

Add startup file for dhcp v6 with builtin isc-dhcp. Alas, this needs to
be a seperate process. On the positive side: this can't break the dhcpd
for IPv4 when tested.

branches: 1.160.4;
sort completely

Move the /etc/sasl stuff to proper position in collating sequence.

XXX Ideally we would sort the whole file...

Add /etc/rc.d/unbound per christos@

XXX should we move the /etc/sasl/ entries to their proper place in
XXX sort order? as of now they're sitting in the middle of /etc/rc.d !

Mark the entry for /etc/rc.d/nsd optional - it's not included in every
system.

branches: 1.156.2;
add nsd npfd

Add blacklistd.conf so it gets backed up, too.

Add npf.conf so it gets backed up.

branches: 1.153.2;
PR/49380: KAMADA Ken'ichi: ntpd_chrootdir does not work on NetBSD 7.0_BETA
Provide /etc/resolv.conf so that it can resolve names. This is needed because
of deferred name resolution.
XXX: pullup -7

Process /etc/modules.conf (if present) at startup, before securelevel is
raised, to allow module loading on ports without a module aware bootloader.

Add rc script for /sbin/iscsid.

Add entries, sort, etc.

More rtsold removal, thanks to Henning Petersen.
Fixes PR misc/49228.

branches: 1.148.2;
Remove "tags=nodiff" from /var/log/authlog as suggested by uebayasi@;
part of PR 49031.

Tag all 0600 files as "nodiff" (== secret).

branches: 1.146.4;
Add _rtadvd user and group.
Add a chroot dir for the _rtadvd user.
Drop privs to the user _rtadvd after acquiring our socket.
When rc.d/rtadvd starts or reloads, the rtadvd config file is copied
into the chroot before starting or reloading rtadvd itself.
Create a symlink from /var/run/rtadvd.dump to the chroot

Inital idea from OpenBSD patch rtadvd.c r1.36

try to sync lists of rc.d scripts

fix typo, from Henning Petersen

PR/47630: Petar Bogdanovic: add ssh_host_ecdsa_key to /etc/mtree/special

branches: 1.142.2;
add ldpd rc.d script here too

Add an rc.d(8) script for isibootd(8). Taken from ndbootd(8).

According to /etc/rc.d/mdnsd, /var/run/mdnsd is owned by _mdnsd:_mdnsd
if it created. So, set owner/group of /var/run/mdnsd.

It stop a useless warning in /etc/security.

Make the rndsave structure public -- the kernel will learn to read it
and sysinst may learn to write it (since, on some systems, most of
the keyboard input they ever get happens to be during install). Fix a
couple of minor problems with the random_seed rc script addition.

branches: 1.138.4;
provide a new 'bluetooth' rc.d script, to handle Bluetooth configuration
in a simpler manner. This replaces btattach, btconfig, bthcid, btdevctl
and sdpd scripts, and also should not require any configuration settings
other than "bluetooth=YES", though the full range of configurations is
still possible.

Get rid of var/chroot/tcpdump/etc

When run as root, tcpdump will chroot to /var/run/tcpdump - but it can
not look up /etc/protcols in there. So install a copy of /etc/protocols
into the chroot area.
Fixes PR bin/44721.

NPF checkpoint:
- Add libnpf(3) - a library to control NPF (configuration, ruleset, etc).
- Add NPF support for ftp-proxy(8).
- Add rc.d script for NPF.
- Convert npfctl(8) to use libnpf(3) and thus make it less depressive.
Note: next clean-up step should be a parser, once dholland@ will finish it.
- Add more documentation.
- Various fixes.

branches: 1.134.2;
Make tcpdump(8) to drop root privileges and chroot(2) by default.

Add directory for bind's managed keys.

Add "optional" keyword to rc.d/xdm and rc.d/xfs. Fixes PR misc/43307.

Multicast DNS ("Bonjour") support, based on Apple's mDNSResponder.

Remove "/etc/postfix/postfix-script" as the file was obsoleted by
the upgrade to Postfix 2.6.x.

Document recent gpio(4) changes and introduce a new config file for GPIO.
Integrate with the startup scripts in /etc/rc.d. Introduce new variable
"gpio" for /etc/rc.conf.

Split fsck during boot into two phases. Check the root file system
first, mount root and run the various disk providers. Add swap and
check the remaining file systems after that.
This breaks the dependency cycle for lvm, which needs writeable /dev.
Depend on rndctl in cgd.

branches: 1.127.2;
Fix a typo with /etc/rc.d/lvm.

Add lvm script to the lists.

Add rndctl

x68k pow(4) now uses MI sysmon_pswitch framework. suggested by tsutsui@.
- Make MD poffd(8) retire, and use MI powerd(8) instead of it.
- Make /dev/pow1 retire, because nobody holds /dev/pow0 any longer.
Use /dev/pow0 for pow(4) ioctl.
- POWIOCSSIGNAL ioctl which is for poffd(8) is also obsoleted.

Import rc.d/httpd script for httpd(8) daemon control.
See rc.conf(5) for options explanation.

Remove LKMs and switch to the module framework, pass 1.

Proposed on tech-kern@.

branches: 1.121.2;
Add entries for /etc/pf.conf and /etc/pf.os.

Suggested by Luke Mewburn in PR/35188.

merge yamt-pf42 branch.
(import newer pf from OpenBSD 4.2)

ok'ed by peter@. requested by core@

Hook dhcpcd into build.

branches: 1.118.2;
Give i386 and amd64 a default boot.cfg.

branches: 1.117.2;
some changes to serial bluetooth host controller interfaces

btuartd(8) should be named btattach(8) for consistency
with other parts of NetBSD

make btattach(8) a single-use tool for less complexity

device specicific initialisation (from btuart(4)) is carried
out prior to activating the line discipline (in btattach(8)),
which simplifies the API somewhat and means that the user
tool and the kernel do not need to be kept in sync.

btuart(4) driver is much reduced; naming is made consistent
and all tsleep() and delay() are removed to userland

branches: 1.116.2; 1.116.6;
Add example hotkey_button script

branches: 1.115.4;
fixsb has done its job.

Add the /etc/powerd/scripts/sensor_indicator to handle events on
indicator sensors.

Update powerd(8).

Add the /etc/rc.d/envsys script required by envsys2.

Imported envsys 2, a brief description of the new features:
(Part 4: documentation and configuration files)

* Support for detachable sensors.
* Cleaned up the API for simplicity and efficiency.
* Ability to send capacity/critical/warning events to powerd(8).
* Adapted all the code to the new locking order.
* Compatibility with the old envsys API: the ENVSYS_GTREINFO
and ENVSYS_GTREDATA ioctl(2)s are supported.
* Added support for a 'dictionary based communication channel' between
sysmon_power(9) and powerd(8), that means there is no 32 bytes event
size restriction anymore.
* Binary compatibility with old envstat(8) and powerd(8) via COMPAT_40.
* All drivers with the n^2 gtredata bug were fixed, PR kern/36226.

Tested by:

blymn: smsc(4).
bouyer: ipmi(4), mfi(4).
kefren: ug(4).
njoly: viaenv(4), adt7463.c.
riz: owtemp(4).
xtraeme: acpiacad(4), acpibat(4), acpitz(4), aiboost(4), it(4), lm(4).

Move .db files for services and netgroup to /var/db per gimpy's request.

Supprot Bluetooth HCI UART (H4) driver and daemon.

Add support for per-user /tmp.

Enabled via per_user_tmp in /etc/rc.conf (default off).

See security(8) and rc.conf(5) for more details.

Lots of input from thorpej@ & christos@, thanks!

Remove comment about "hand-crafted".

Mention this file may be overwritten on upgrades, where to put
custom specs instead, and point to manual page.

goodbye uucp

PR 34692: wpa_supplicant script.
By Jukka Salmi.

Add acadapter, lid_switch, and sleep_button powerd scripts.

Fix a sorting error in the last change. Pointed out by Jukka Salmi.

Add missing rc.d scripts (cgd, ftpd, hostapd, ifwatchd, ipfs, irdaattach,
moused, rtclocaltime, staticroute, tpctl).

From Jukka Salmi in PR misc/33626.

PR/18476: reed at reedmedia dot net: add /etc/skel to special mtree
Slightly different patch applied (entry was made optional), thanks!

update to bluetooth device attachment:

remove pseudo-device btdev(4) and inherent limitations

add bthub(4) which autoconfigures at bluetooth controllers as they
are enabled. bluetooth devices now attach here.

btdevctl(8) and its cache is updated to handle new semantics

etc/rc.d/btdevctl is updated to configure devices from a list
in /etc/bluetooth/btdevctl.conf

rename btcontrol(8) as btdevctl(8) to make it fit with the NetBSD naming
scheme for control programs. This fixes pr 34051.

branches: 1.99.2;
Bluetooth fixes by Iain Hibbert:
Create "/etc/rc.d/btcontrol" to attach bluetooth devices at boot.

Bluetooth fixes by Iain Hibbert:
Remove bluetooth.conf(5) and config parsing from libbluetooth(3)
as this is no longer required.

Initial import of bluetooth stack on behalf of Iain Hibbert. (plunky@,
NetBSD Foundation Membership still pending.) This stack was written by
Iain under sponsorship from Itronix Inc.

The stack includes support for rfcomm networking (networking via your
bluetooth enabled cell phone), hid devices (keyboards/mice), and headsets.

Drivers for both PCMCIA and USB bluetooth controllers are included.

Remove entries for "/var/spool/mqueue" (used by "sendmail" only).

Remove obsolete entries for "sendmail". Patch suppled by Yoshito Komatsu
in PR misc/33658

Remove sendmail (approved by core)

Document the defaultroute6 rc.conf variable and the /etc/mygate6 file in
/etc/defaults/rc.conf, /etc/mtree/special, and rc.conf(5). Ok with wiz.

Remove some more kerberosIV remnants.

Install the iscsi/auths file as mode 600.

Add distribution entries and supporting files for the iSCSI target.

pf needs to be started after the network is up, because some pf rules
derive IP address(es) from the interface (e.g "... from any to fxp0").
This however, creates window for possible attacks from the network.

Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.

No objections on: tech-security

Remove (pf)spamd. Its right to exist in NetBSD has been questioned since it
appeared and whether it's really part of pf or not is still unclear. Looking
at the other *BSDs it seems that they have left out spamd when importing pf,
and now we do that too. Also, the name conflicted with another more popular
used tool, after the rename to pfspamd it was left with completely unusable
documentation which apparently no-one wanted to fix.

A port of the latest spamd will be imported into pkgsrc soon.

Suggested by several people, no objections on last proposal on tech-userlevel.

Consistently use 0664 root:utmp for /var/log/{lastlog,wtmp}{,x}.
Rest of PR 18670.

PR/30177: Rui Paulo: /var/chroot/pflogd isn't created by default

Add /etc/pam.conf and /etc/pam.d/*

Tweaks for the move of postinstall from /etc to /usr/sbin

/var/chroot/spamd is now /var/chroot/pfspamd.

branches: 1.82.2;
PR/18670: Charles Blundell: Add entries for lastlog and lastlogx

add ./var/chroot and subdirectories

enable rc.d fixsb script
initial testing suggests that it is working and I am confident it
will not cause irrevocable damage

branches: 1.79.2;
Add /etc/locate.conf

add identd

Add the veriexec rc.d script.

Remove kvm.db, reminded by atatat.

etc/mail/aliases.db is optional. From [misc/18536] by Jeremy Reed.

etc/powerd/** is optional

Add a reset_button script.

Add powerd rc.d script and configuration scripts.

Change ipsec.conf not to be world-readable and nodiff, so we don't expose keys
if they happen to be in that file. Also add /etc/racoon stuff.

remove superfluous "uname=root gname=wheel" from etc/postfix/** entries

Add the new queue directory for the sendmail "mail submission" mode.

it is okay for the sendmail and postfix .cf files to be writable by root

Remove /usr/local (and children) from the base distribution; we shouldn't
be creating directories or modifying permissions under there.

(/usr/local/* is still retained in various default PATHs, for convenience)

Added cgd rc.d script and put it in the appropriate postinstall and
mtree files.

add wtmpx

Split raidframe parity checking/rebuild out into raidframeparity, which is
called after quota so we don't end up with fsck and raidframe parity rebuild
taking forever after a crash/reboot.
While we are here check for raid[0-9].conf & raid[1-9][0-9].conf not
raid[0-9].conf & raid[0-9][0-9].conf

Add /var/run/utmpx, requested by soren.

Add exclude tag to dumpdates so that diffs do not show up in the daily security
report. This file is expected to change daily, and this is not a security
problem. (Also, the most recent dumps are already shown in the daily report.)

add wdogctl

Remove unused user and group "news" as discussed on "tech-userlevel".

add wsmoused

Add mixerctl rc.d script.

branches: 1.57.2;
Complete the conversion back to the OpenSSH default configuration files of
"/etc/ssh/ssh_config" (from "/etc/ssh/ssh.conf") for ssh(1) and other
userland tools, and "/etc/ssh/sshd_config (from "/etc/ssh/sshd.conf")
for sshd(8).

etc/postinstall will detect this, and if "fix" is given, rename the files.

add (optional) etc/postinstall

etc/ssh is mode 0755 not 0644. Noted by Toru TAKAMIZU on current-users.

move ssh config file to /etc/ssh

add postfix config files. PR15659

Mark mk.conf optional, addressing install/15572.

Add ./etc/ipf6.conf

etc/rc.d/NETWORK was renamed to etc/rc.d/NETWORKING

Use "nodiff" instead of "nomail" for the tag which is used to exclude
files from having the changes diff generated. Suggested by Michael Graff.

monitor etc/changelist again

Major overhaul, with help from Andrew Brown <atatat@netbsd.org>.

Features:
- Add a bunch of stuff to /etc/mtree/special to enable removal of
/etc/changelist:
- files which we want to monitor for changes but don't want to
see the diffs of (master.passwd, ssh_host_key, ...) are
tagged with "nomail"
- files which we don't want to monitor are tagged with "exclude"
(such as netgroup.db, kvm.db, ...)
- monitor /etc/mtree/special.local, /root/.ssh/*
- remove /etc/changelist, and a bunch of XXX comments
- use mtree(8)'s -D, -I, and -E to generate lists of files to
actually do the changelist stuff on.
- support /etc/mtree/special.local as an optional user-provided
version of /etc/mtree/special (effectively, an enhanced
/etc/changelist)
- Add code to monitor: /etc/ifconfig.* /etc/raid*.conf /etc/rc.conf.d/*
including support for these files being added and removed at will.
- If /sbin/fdisk exists, backup the output of "fdisk $disk" for all
the active disk drives as part of $check_disklabels
- Check permissions on: ~/.ssh/* ~/.shosts

Details:
- Reorder initialisation of defaults
- Remove special case for /etc/master.passwd "monitor but don't email diffs"
with general case for other similar files.
- Keep all `autogenerated' files (such as disklabel.*, setuid.current, ...)
in "$backup_dir/work", to minimise name clashes.
- Add migrate_file(old, new) to do the hard work of migrating files
from the old `top level' /var/backups mechanism to the `full path'
mechanism recently added. Use this appropriately.
- Add backup_and_diff(file, printdiffs), to the hard work of backing-up
and diff-ing files.
- Cleanup use of shell redirects
- /bin/sh supports ~root globbing, so use it.
- Improve umask checking; use awk regex rather than awk math

Take advantage of mtree(8)'s recently added support for absolute paths.
Use a default "/set uname=root gname=wheel".
This drastically reduces the size of the file, as well as making it
far more maintainable. The differences are:
lines words bytes filename
342 1633 16272 special-relative
295 998 11971 special-absolute

add /etc/defaults/*.conf

remove rule for pkgsrc - we don't have one for any of the other source
directories. requested in [bin/13818]

add etc/rc.d/*. fixes [bin/12729]

rc.local is technically an optional file...

add ssh{,d}.conf, ssh_known_hosts{,2}, ssh_host_{[rd]sa_,}key{.pub,}

add a bunch of optional etc stuff from changelist:
Distfile bootparams bootptab ccd.conf daily.local defaultdomain
dhclient-enter-hooks dhclient-exit-hooks dhclient.conf dhcpd.conf
disktab ethers ftpd.conf ftpwelcome gateways hesiod.conf hosts.allow
hosts.deny hosts.lpd ifaliases ipf.conf ipnat.conf ipsec.conf
monthly.local mygate myname netgroup netgroup.db netstart.local
ntp.conf passwd.conf rbootd.conf rtadvd.conf security.local
ttyaction usermgmt.conf weekly.local
- add required stuff from changelist:
etc/floppytab etc/netconfig etc/sysctl.conf
var/cron/tabs/root
var/yp/Makefile
sort mail/ into its proper place
add some comments to remind us of things to look at in the future

Another place where primes was used. Change it to moduli.

Look after /etc/primes.

Remove named.boot (only used by BIND 4.x).

The script called dhclient-script no longer lives in /etc.

remove sendmail-IPv4only.cf from checklist. PR 12075.

/etc/disklabels is obsolete -- remove it

Add an entry for optional dumpdates.

remove rc.wscons

synchronize with /etc/mail content.
NetBSD PR 10836 from koji@jp.above.net.

branches: 1.30.4;
remove netstart

make default sendmail.cf IPv4-only again.
roll sendmail-IPv6.cf, which does IPv4/v6.

sync with sendmail 8.10.1 migration. /etc -> etc/mail
From: Andrew Brown <atatat@atatdot.net>

oops, pppd doesn't require /etc/ppp/options now.

forgot to add /etc/ppp/options to special(5)

create /etc/ppp when building install sets
add this and a lot of files not previously looked at in special(5)

we have no group root by default, set gname=wheel for include.

Change /etc/mtree/special and /etc/sendmail.cf to mode 444, and
/usr/include to owner:group root:wheel, to match how these files
are shipped in a distribution.

From PR misc/6736 from Soren Jorvang.

branches: 1.22.2;
/var/spool/ftp/pub (if present) is better 0775 thane 0777.
From Paul Goyette <paul@whooppee.com>

Make /var/spool/news owned by news:news.

A basic /etc/rc.shutdown. Bails out if do_rcshutdown!=YES in /etc/rc.conf
(default is YES). Kills xdm and waits for it to terminate if it was enabled
in rc.conf (based on a code snippet from Ignatios).

Nuke /usr/src and /usr/pkgsrc from here. They are created when the source
tar files are unpacked, so having them here is pointless.

get rid of secretmail residue -- suggested in pr-4568 from Carl Shapiro

/usr/{src,obj,pkgsrc} -> root:wsrc, 0775

make root owner of /usr/games/hide to match NetBSD.dist, fixes PR 4658

make /usr/games/hide mode 750, and remove bogus /var/games/save entry.

branches: 1.14.2;
fix /var/mail permissions so that "dot locking" works.

make some more files optional; from Erik Bertelsen in PR 4048

add some files from /etc: inetd.conf, newsyslog.conf, protocols, rc.subr,
rpc, and services (required); ld.so.conf and resolv.conf (optional).
remove pointless 'ignore' keyword from /dev/mem

make some items 'optional' -- per pr-3663 from Erik Bertelsen

add /etc/profile

/usr/games/hide is owned by games.games, /usr/src has mode 755,
/var/at is owned by root.wheel.

/etc/netstart doesn't need to be executable.
use four digits for all of the modes.

update to match reality; PR misc/1075.
also added new files in /etc.

AUTHPRIV syslog messages go to /var/log/authlog instead of /var/log/secure
(in line with other systems)

Update name of KVM database.

A master.passwd has mode 0600 (PR#1405).

/var/db shouldn't have had the 'ignore' flag set.
(from Masanobu Saitoh <saitoh@spa.is.uec.ac.jp>, pr 981)

kvm_vmunix.db -> kvm_netbsd.db

branches: 1.1.1;
update to Lite