usr.sbin: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a perl script.

Sponsored by: Netflix

Remove $FreeBSD$: one-line nroff pattern

Remove /^\.\\"\s*\$FreeBSD\$$\n/

manpages: Remove telnetd references

Mostly remove from the SEE ALSO section, adding a mention of the port
where not removed. Elsewhere, remove as appropriate and change from .Xr
to .Nm where a mention of telnetd continues to make sense (or removing
it would require significant reworking of the surrounding text).

Reviewed by: imp, delphij, emaste
Differential Revision: https://reviews.freebsd.org/D36785

inetd(8): Fix a typo in the manual page

- s/similarily/similarly/

MFC after: 3 days

inetd.8: Sort options

While here:

- Cluster flags without arguments together.
- Simplify the synopsis of the -a flag. There is no need to distinguish
between address and hostname there.
- Add a missing argument to the -a flag in the description section.
- Fix some typos.

MFC after: 3 days

inetd.8: Lint the file

Remove Tn macros and fix other style warnings.

MFC after: 3 days

inetd: Add examples from manual page and other sources

The manual page lists a bunch of examples, some of which already exist
in this file. Since it's both easier to remember when all examples are
listed in the same location, move examples so they get installed into
/etc/inetd.conf

This also means users won't have to copy-paste, but can simply
uncomment one or more services to use them.

As such, it also becomes necessary to remove the examples from the
manual page, so instead add a note explaining where the previous
examples as well as others may be found.
Cross-references, including to ports, have also been added where
applicable.

The rsync example has lived in the bug tracker for too long,
considering how useful it can situationally be, for example when
backup jobs on client devices are run through periodic(8) weekly.

The microsoft-ds entry is necessary for Windows 10 compatibility
(this can be confirmed with packet capturing, as it is not readily
documented at time of writing).

While here, remove two examples for which compatible daemons could not
be found in ports.

Submitted by: David Yeske <dyeske at gmail.com> (in part, prev ver)
PR: 122037
Reviewed by: kevans, brueffer, lwhsu, yuripv
Differential Revision: https://reviews.freebsd.org/D28882

inetd(8): Add comments to all examples

Submitted by: debdrup (with some minor changes by kevans)
Reviewed by: bcr (manpages)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D24818

inetd(8): Provide HTTP proxy example using netcat

One of the fortunes that are included in freebsd-tips talks about how
the superserver can be used to proxy connections with netcat, but there are
no examples provided. This commit adds an example with comment explaining
what it does.

Submitted by: debdrup
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D24800

Renumber copyright clause 4

Renumber cluase 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistance on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.

Submitted by: Jan Schaumann <jschauma@stevens.edu>
Pull Request: https://github.com/freebsd/freebsd/pull/96

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.

Create the altix project branch. The altix project will add support
for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting
is a two-module system, consisting of a base compute module and a
CPU expansion module. SGI's NUMAFlex architecture can be an excellent
platform to test CPU affinity and NUMA-aware features in FreeBSD.

- Import the HEAD csup code which is the basis for the cvsmode work.

o inetd(8) requires wait/nowait column in inetd.conf for
ONC services as well.

PR: bin/119203
Submitted by: Peter Jeremy
MFC atfer: 1 week

Removed T/TCP bits.

Perform minor rewording and grammatical improvement. Add a missing Xr.

inetd(8) requires that /etc/netconfig be present, and contain entries
for each of udp and tcp (and their IPv6 equivalents when INET6 is
enabled). Note that dependency here.

PR: docs/90435
Submitted by: Dmitry Kazarov <kazarov at mcm dot ru>
Pointed out by: Daniel Gerzo <danger at rulez dot sk>
MFC after: 8 days

Remove rexecd(8), a server that implements a particularly insecure
method of executing commands remotely. There are no rexec clients in
the FreeBSD tree, and the client function rexec(3) is present only in
libcompat. It has been documented as "obsolete" since 4.3BSD, and its
use has been discouraged in the man page for over 10 years.

Per letter dated July 22, 1999 remove 3rd clause of Berkeley derived software
(with permission of addtional copyright holders where appropriate)

Mechanically kill hard sentence breaks.

Revert previous change. The effect of -w or -W option is described in
another paragraph.
Obtained from: David Malone <dwmalone@maths.tcd.ie>

According to source code, under certain conditions, logging goes to the
"auth" facility not "daemon".
Submitted by: "Bill Richter (7X22KEY)" <richterb@binkley.foothill.net>

The .Xr utility

mdoc(7) police: Removed redundant .Ns calls.

Add capability for limiting the maximum number of simultaneous
invocations of each service from a single IP address.

Requested by: matusita
Reviewed by: dwmalone
Tested by: matusita on snapshots.jp.FreeBSD.org
MFC after: 2 weeks

add support for rpc IPv6 (rpc/udp/46 ...)

Submitted by: Jean-Luc Richier <Jean-Luc.Richier@imag.fr>

The .Nm utility

Correct spacing.

Fix a typo.

Reported by: Jurrien Koopmans <jjkoopmans@home.nl>

mdoc(7) police: s/BSD/.Bx/ where appropriate.

Remove whitespace at EOL.

mdoc(7) police: removed HISTORY info from the .Os call.

mdoc(7) police: remove extraneous .Pp before and/or after .Sh.

mdoc(7) police: fixed markup, sorted xrefs.

mdoc(7) police: fix spacing and punctuation issues.

Remove duplicate words.

Give inetd the ability to manage unix domain sockets. Details of
how to use this feature are in the man page. This is based on work
by Lyndon Nerenberg.

(The only difficult part about this patch is the fact that you
can't fchown a unix domain socket, which means the sockets must be
put in a secure directory).

Reviewed by: dillon

Correct cross-reference:
portmap.8 --> rpcbind.8

Submitted by: .Xr testing script

This patch cleans up the ident stuff in inetd. The code which has
been patched so many times it was a bit of a mess. There are style,
code and man page cleanups. The following are the functional changes:

The RFC only permits the returning of 4 possible error
codes, make sure we only return these (PR 27636).

Use MAXLOGNAME to determine the longest usernames.

Add a -i flag, which returns the uid instead of the username
(this is from a PR 25787, which also contained alot of the
cleanups in this patch).

PR: 25787, 27636
Partially Submitted by: Arne.Dag.Fidjestol@idi.ntnu.no
Reviewed by: Arne.Dag.Fidjestol@idi.ntnu.no, green
MFC after: 3 weeks

Don't spell requester as requestor.

Eliminate mdocNG warnings caused by misplaced or extraneous macro calls.

mdoc(7) police: split punctuation characters + misc fixes.

Don't mention /etc/protocols in inetd documentation or comments, as inetd
doesn't actually use it.

PR: 24307
Submitted by: opentrax@email.com

Prepare for mdoc(7)NG.

Add a -F option to the builtin ident service, which allows .fakeid files
to contain the name of other valid users.

PR: 22837
Submitted by: Andreas Gerstenberg <andy@andy.de>
Reviewed by: green
Reviewed by: sheldonh

mdoc(7) police: use the new features of the Nm macro.

Be explicit about the fact that you can only specify one IP address/hostname

Explain "-c" option more exactly and state the default in the man
page.

Add ability to run "inetd -R 0" to disable the default connection
per minute limit of 256 connections. Document this in man page.

Don't use maxchild as a boolean - instead check if it is greater
than zero.

Reviewed by: sheldonh
Based on a patch by: Alexander Langer <alex@big.endian.de>

specifer -> specifier

Clarify the use of the auth service's -d option for specifying
a fallback username.

Reviewed by: green

Allow using "-d username" without "-r". Example:
auth stream tcp nowait root internal auth -d "Only fools trust ident"

"can received" -> "can receive".

Clarify the facility used for logging with and without the wrapping
options.

PR: 17017
Submitted by: Doug Barton <Doug@gorean.org>

Remove broken hard sentence breaks, which mess up the typeset output.

Fix English, mdoc and layout of the previous commit, as requested by
the committer (shin). While I don't have permission for this change
from the inetd maintainer (des), I assume that shin has permission
and I'm just fixing his contribution up for him.

Okay, I couldn't resist, I made some extra changes:

* Replace ".Tn FreeBSD" with .Fx
* Make the illegal TCPMUX and IPSEC sections legal subsections
of the IMPLEMENTATION NOTES section.

Requested by: shin

several tcp apps IPv6 update
-inetd
-rshd
-rlogind
-telnetd
-rsh
-rlogin

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project

Do not dot terminate sentences inside FILES section. Lowercase
inside error messages.

Implement -g and -d options in my ident code. The -g flag uses a random
garbage value for the username (hex garbage, that is), and the -d flag
provides a default username for fallback purposes if the user cannot be
looked up. That is very useful for the case where inetd auth is
running on a NAT box.

While I'm here updating the manpage, clean up an English error and a
few small nits.

$Id$ -> $FreeBSD$

Correct a groff error in macro usage ("foo : bar" becomes "``foo: bar''").
Document the auth -n flag.

Document the -o and -t options to the internal auth service and give an
example of their usage in the sample config. Merge the two examples
for the green internal auth service.

This commit failed the first time around because Brian beat me to the
punch on inetd.8 . I like my descriptions better and I'm pretty sure
Brian won't mind.

As per DES's prodding, document _all_ the arguments to inetd's auth
service. This includes the -o "operating system" argument and the -t
"timeout" argument.

Document the new {auth,ident,tap} service and provide examples in the
configuration file.

Requested by: green

Fix ``:''.

PR: 12589

Allow internal and external wrapping to be enabled independantly of
each other. Instead of allowing the -w option to be specified twice,
we now take -w (wrap external) and -W (wrap internal).

Discussed with: markm

Allow service alias names from /etc/services to be used when specifying
internal services in inetd.conf .

The inetd(8) manpage used to say that the official name of a service
_must_ be used, yet inetd itself was hardcoded to used a service alias for
the auth service, namely ident!

Rather than change inetd.conf and break existing configurations on next
upgrade, we now allow service aliases as well as official names. This
allows the software to work as expected and still support existing
configurations.

This should not breaking existing wrapped configurations either and the
inetd(8) manpage already states that it is the service name specified in
inetd.conf that is used for calls to hosts_access(3).

PR: 11796
Reported by: Alex Charalabidis <alex@wnm.net>
Approved by: des

Clarify that the services name, as specified in inetd.conf, for an
internal service should be used as the daemon name when constructing
hosts_access(5) rules.

Ommitted in previous commit message:

Submitted by: David Malone <dwmalone@maths.tcd.ie>

Enable wrapping for dgram services and fix logging so that -l really
does log all connections.

Fix the SYNOPSIS to reflect that the -w option can be specified twice.

Requested by: obrien
Approved by: mpp

Add command-line option (-w), specified once to enable wrapping and
twice to enable wrapping for internal wrapping as well. If the option is
not specified wrapping is turned off so that inetd will behave exactly
as it used to before TCP Wrappers was imported.

Change etc/defaults/rc.conf so as to encourage wrapping on new systems.

Clarify the use of TCP Wrappers in the IMPLEMENTATION NOTES of the
manual page.

Approved by: jkh

Use Dq mdoc tag for double-quoted words.

Various fixes for inetd's TCP Wrappers support:

1) Handle forking and non-forking internal services correctly.
Turn on wrapping for internal services because it works now.
2) Preserve server names for each service on HUP.
3) Honour hosts_options(5) severity option.
4) Add IMPLEMENTATION NOTES section to clarify TCP Wrappers
usage and limitations.

This change may cause previously allowed builtin services (e.g. daytime)
to be denied in existing configurations.

PR: 12097
Reviewed by: markm
1)
Reported by: Pierre Beyssac <pb@fasterix.freenix.org>
2)
Submitted by: Masachika ISHIZUKA <ishizuka@ish.org>
3)
Submitted by: David Malone <dwmalone@maths.tcd.ie>

MFS: sort reference list and embelish history.

Fix the "internal" wrapping as well as a nasty bug involving
the daemon name vs the path. Also fix some warnings and improve
the wrapper section of the man page.

Nice debugging work by: Sheldon Hearn

Now inetd(8) has direct support for tcp_wrappers! Not working at the
moment is support for the internal serfvices, so these are not
enabled. Volunteers welcome!

Spelling fixes.

PR: 6903
Reviewed by: phk
Submitted by: Josh Gilliam <josh@quick.net>

Small typo in T/TCP patch ("speicfy" -> "specify").

On request of Garrett, ad a way to specify that a service should be
reachable via T/TCP
Reviewed by: Garrett Wollman

Document the requirement for TCPMUX to also be enabled as an internal
service if any external TCPMUX servers are desired.

PR: 826

Make maxchild and max child-per-minute default values configurable from
the command line or Makefile.

Add possibility to specify maximum number of connections per minute
for a given IP address.
This should be very effective against DoS attacks.

Implement group part now, final syntax is:
user[:group][/login-class]

Implement login classes sepcification as user[/loginclass]

By default inetd run things with the same limits as from /etc/rc
(daemon class) to not break anything as in good old days.

Use err(3).

Import Lite2's src/usr.sbin, except for timed. All changed files
except one unimportant one have already left the vendor branch.

Revert $FreeBSD$ to $Id$

Sort cross references.

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.

Reviewed by: Bill fenner
Submitted by: Archie Cobbs (Archie@whistle.com)

Changes to allow inted to control the number of servers to
start on each service. This is a defence against a denial of service attack
in which the system is made unusable by
an external party. It also allows the behaviour of
small memory systems to be more accuratly predicted, by
bounding the extent to which processes can multiply.

Reviewed by: various
Submitted by: archie@whistle.com

changes to allow inetd to bind to a single interface
for more complicated options see xinetd in ports.

Obtained from: whistle.com

Call setsockopt(SO_PRIVSTATE) to renounce SS_PRIV on all the sockets
we create. (Nothing being called from inetd should use it anyway,
but you can never be too careful.)

Translate the man page back into -mdoc.

Fix a bunch of spelling errors in a bunch of man pages.

Record PID in /var/run/inetd.pid and document same.

Correct the "default rate" - it's 256/minute not 1000/minute.

Disable UDP service looping attack.

- increase TOOMANY, in line with 1.x
- add logging option from 1.x

Bring in handling of RPC services from 1.x
(Guess who forgot to replace his inetd until today ;-)

BSD 4.4 Lite usr.sbin Sources