Copy stable/10@r272459 to releng/10.1 as part of
the 10.1-RELEASE process.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFC r271493,271688-271689,271696,271854,272139-272143:

Import HyperV Key-Value Pair (KVP) driver and daemon code by Microsoft,
many thanks for their continued support of FreeBSD.

While I'm there, also implement a new build knob, WITHOUT_HYPERV to
disable building and installing of the HyperV utilities when necessary.

The HyperV utilities are only built for i386 and amd64 targets.

Approved by: re (gjb)

Properly revert r272128.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Revert r272149, which introduces obscure vestiges from the
r272128 reversal.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Revert r272128:
Though this passes the buildworld test, this fails during
installworld with:

make[3]: "/releng/scripts-release/chroots/10/i386/release/etc/devd/Makefile"
line 13: Malformed conditional (${MK_HYPERV} != "no")

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFC r271493,271688,271689,271696,271854:

Import HyperV Key-Value Pair (KVP) driver and daemon code by Microsoft,
many thanks for their continued support of FreeBSD.

While I'm there, also implement a new build knob, WITHOUT_HYPERV to
disable building and installing of the HyperV utilities when necessary.

The HyperV utilities are only built for i386 and amd64 targets.

Approved by: re (gjb)

MFH (r266114, r266138): upgrade to latest ldns and unbound
MFH (r266139-r266143, r266145, r266149, r266150): fix props
MFH (r266179, r266180, r266193, r266238, r266777): misc cleanup
MFH (r266863): create and use /var/unbound/conf.d
MFH (r268839): import unblock-lan-zones patch from upstream
MFH (r268840): fix reverse lookups on private networks
MFH (r268883): avoid spamming source tree during build

PR: 190739 (for r268883)

MFC r258664:

Create /var/cache with mode 0755 instead of 0750.

This directory is used by many third party applications and having
permission 0750 makes it impossible to drop group privileges.

Approved by: re (glebius)

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Remove BIND.

Approved by: re (gjb)

Fix indentation.

Approved by: re (blanket)

Build and install the Unbound caching DNS resolver daemon.

Approved by: re (blanket)

authpf needs /var/authpf to exist and be writable by group authpf.

Fix location of /var/audit/dist and /var/audit/remote.
Note that those who did installworld after r243752 should
remove wrongly created /var/dist and /var/remote.

Reviewed by: pjd

Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
auditdistd (distributed audit daemon) to the build:

- Manual cross references
- Makefile for auditdistd
- rc.d script, rc.conf entrie
- New group and user for auditdistd; associated aliases, etc.

The audit trail distribution daemon provides reliable,
cryptographically protected (and sandboxed) delivery of audit tails
from live clients to audit server hosts in order to both allow
centralised analysis, and improve resilience in the event of client
compromises: clients are not permitted to change trail contents
after submission.

Submitted by: pjd
Sponsored by: The FreeBSD Foundation (auditdistd)

- Merge in OFED 1.5.3 from projects/ofed/head

Create the var/run/wpa_supplicant directory where the wpa_supplicant
RC script wants to save a pidfile for each interface.

MFC after: 2 weeks

Disable SSL renegotiation in order to protect against a serious
protocol flaw. [09:15]

Correctly handle failures from unsetenv resulting from a corrupt
environment in rtld-elf. [09:16]

Fix permissions in freebsd-update in order to prevent leakage of
sensitive files. [09:17]

Approved by: so (cperciva)
Security: FreeBSD-SA-09:15.ssl
Security: FreeBSD-SA-09:16.rtld
Security: FreeBSD-SA-09:17.freebsd-udpate

Add FreeBSD Update 2.0 client code. The build code is in the projects
repository.

Sponsored by: FreeBSD security development fundraiser

Change group for /var/audit to audit, so that audit review can be
delegated to non-administrators.

Obtained from: TrustedBSD Project

Add /var/audit, mode 750, which will hold audit trail files.

Obtained from: TrustedBSD Project

Add portsnap to the base system. This is a secure, easy to use,
fast, lightweight, and generally good way for users to keep their
ports trees up to date.

This is version 0.9.4 from the ports tree (sysutils/portsnap) with
the following changes:
1. The experimental pipelined http code is enabled. No seatbelts
in -CURRENT. (^_^)
2. The working directory has moved from /usr/local/portsnap to
/var/db/portsnap (as discussed on -arch two days ago).
3. Portsnap now fetches a list of mirrors (distributed as DNS SRV
records) and selects one randomly. This should help to avoid the
uneven loading which plagues the cvsup mirror network.
4. The license is now 2-clause BSD instead of 3-clause BSD.
5. Various incidental changes to make portsnap fit into the base
system's build mechanics.

X-MFC-After: 6.0-RELEASE
X-MFC-Before: 5.5-RELEASE
X-MFC-To: RELENG_6, RELENG_5, ports
discussed on: -arch and several other places
"yes please" from: simon, remko, flz, Diane Bruce
thinks this is a great idea: bsdimp
Hopes he didn't forget any files: cperciva

Remove a redundant "uname=root".

Forgotten by: dougb

Create a named chroot directory structure in /var/named, and use it
by default when named is enabled. Also, improve our default directory
layout by creating /var/named/etc/namedb/{master|slave} directories,
and use the former for the generated localhost* files.

Rather than using pax to copy device entries, mount devfs in the
chroot directory.

There may be some corner cases where things need to be adjusted,
but overall this structure has been well tested on a production
network, and should serve the needs of the vast majority of users.

UPDATING has instructions on how to do the conversion for those
with existing configurations.

Add /var/db/ports/ (support directory necessary for
ports that use the new OPTIONS infrastructure)

Scheduled sweep using the README guidelines.

Approved by: re (rwatson)

Restore /var/games; lots of ports' games use it.

Do not build the majority of the games. Remaining are the
"utility-like" games and everyone's favourite, fortune(6).

Revert previous delta, setting the system immutable flag on /var/empty
instead of the user immutable flag, now that mergemaster handles
schg directories in its /var/tmp/temproot.

Tone down the previous delta: don't set the system immutable flag on
/var/empty, because it makes it difficult for mergemaster(8) to remove
/var/tmp/temproot/var.

The previous delta introduced /var/empty, for use by openssh-portable,
which needs an empty directory into which to chroot(2).

Hint to the operator that this directory really _should_ be empty
by creating it with mode 0555 and the system immutable flag (schg)
set.

Reviewed by: des

Add /var/empty for the OpenSSH privsep code.

In my continuing crusade to make life better for non-sendmail users, avoid
the creation of /var/spool/clientmqueue and therefore the need for the
smmsp user and group if NO_SENDMAIL is defined. This required breaking out
the creation of the directory into a new BSD.sendmail.dist mtree file.

MFC after: 1 week

Add /var/spool/clientmqueue for 8.12's non-set-user-ID root mail submission

Apply README style guidelines (this time checked).

Change mode for var/db/ipf to 0700

Fix a bug I introduced yesterday. People who built world since the
previous commit yesterday may wish to check /var/run for junk.

Add a directory in /var/run to store ppp(8) command sockets.

PR: bin/29966
Approved by: brian
MFC after: 4

Remove /var/spool/uucp subtree, not needed for 'cu'

The same unbreakage (0755 -> 0775) for /var/games and subdirs

Fix /var/mail, /var/rwho and /var/spool/lock back to 0775
Not sure about other dirs with the same damage (0755) by recent commit.

Style these once again.

Create /var/db/ipf

PR: 27070

Put back /var/spool/uucp so it can be used for serial port locking.

UUCP removal phase II. These directories are now created by the
freebsd-uucp port.

Invoke named with privilege of bind:bind.
Change pidfile location to /var/run/named/pid.

Build standard directory for kerberos 5 (Heimdal) database.

Mention the path to the README file in the header comment.

Submitted by: Rich Morin <rdm@cfcl.com>

Apparently, people do not listen for a plea to look into the
README file before making changes here. Fix them once again.

Move the process of storing entropy from /dev/random and reseeding with
it at boot time closer to the way we want it to be in the final version.

* Move the default directory to /var/db/entropy
* Run the entropy saving cron job every 11 minutes. This seems
to be a better default, although still bikeshed material.
* Feed /dev/random some cheesy "entropy" from various commands
and files before the disks are mounted. This gives /dev/random
a better chance of running without blocking early.
* Move the reseeding with previously stored entropy to the point
immediately after the disks are mounted.
* Make the harvesting script a little safer in regards to the
possibility of accidentally overwriting something other
than a regular file.

$Id$ -> $FreeBSD$

This cleans up all the white space errors so that the next
commit is easier to understand.

Fix script in README to actually work, empty lines produce as
much a diff as lines with the wrong stuff on it.

Add references in mtree data files to the README.

Explicitly specify mode 755 for /var/db/pkg -- it will be mode 700 otherwise.

Add /var/db/pkg.

Submitted by: John Hay <jhay@mikom.csir.co.za>

Old nit lying around in a source tree: Slightly optimize the number of
uname/gname overrides and /sets.

Simplify these now that default owner is root.wheel.

Partially reviewed by: bde

Change file ownership from bin.bin to root.wheel.

/etc/opielocks -> /var/spool/opielocks

Disallow o+rwx for /var/games/hackdir hierarchy, it helps to make hack
non-setuid back

Create missing /var/games/hackdir/save

Change games from setuid games to setgid games.

Reviewed by: maybe@yes.no
Obtained from: OpenBSD (mostly deraadt@openbsd.org)

Change /var/run owner to root - sendmail can't write sendmail.pid
otherwise due to safeopen

Change group ownership of /var/mail to mail and permission
to 0775.

This does *not* instantly make any program which "ensures"
mail spool consistency by creating lock files safe in any way
since other tools, like mail.local, will be using flock() semantics
and any such lock file will simply be ignored. It does, however,
allow a lot of things which are currently suid root in order to create
such bogus lockfiles to, at least, be bogus at a much lower level of
privilege (and this is good). Ultimately, of course, everybody should
just use flock.

Larn needs /var/games/larn to exist so that it can create its scorefile.
Closes PR# 1944.

Revert $FreeBSD$ to $Id$

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.

Uncomment the "raw" lp entry in /etc/printcap. We start lpd by
default, so there's no use in running it without any printer
definition in printcap. Also added a bunch of hints about the printer
setup, to guide the admin about the printer setup (handbook,
"apsfilter"), and a commented-out sample setup for a remote printer.

In the same line, add /var/spool/lpd/output to BSD.var.dist since it
is referred to by the "lp" entry in printcap.

Fix buffer overrun, and run as nobody

Change owner of msgs to daemon, sendmail msgs alias not works in other case,
sendmail change itself to daemon.daemon before executing program.

Regenerate these using mtree -cdinx -kuname,gname,mode on a very recently
built release after fixing all the wrong directory permissions in that release.

Then use diff -c -b to verify them against the old versions, nothing but
new directories added :-). And a lot of alphabetizing done!

Fix "at" directories owner

Make /var/yp.
Suggested by: se

These are mtree generated versions of these files using the
new mtree options.

I will be updating these shortly to remove some old stuff and add some
new stuff. These currently produce the exact same trees as they did.

Secure /var/{backups, crash, and cron} by changing them to mode 750.

Reviewed by: davidg

Fix missing .. before phantasia. Caused by incorectly adding a directory,
you MUST add the directory name and the .. entry to close the directory.

If you do not understand mtree files, do not modify them, it is very
easy to trash someones box with a mistake in here. Especially with
regards to .. entries.

Add the missing . entries to BSD.*.dist files.

New file BSD.release.dist is used for creating release area top level
directories.

Add /var/games/phantasia to list of targets, as per Rod's earlier suggestion.
Submitted by: jkh

Mode 0775 for /var/spool/lock

Change /var/spool/uucp/* modes to 0775

Intruduce new group for uucp, gid 66
Change uucp directories group too
Change "lock" directory group to "dialer" to allow various
dialout applications to access it

Gordon Burditt <gordon@sneaky.lonestar.org>

Fix ownership of catpages, make ~uucp/uucppublic really public.

mail a+rwxt changes backed out

Change default permission of /var/mail to 01777, because
MUA must have s-bit in other case (security hole).
This fix needed for procmail too, because procmail
uses NFS-locks in /var/mail directory

General cleanup for 1.1 release, mostly add zoneinfo stuff to BSD.usr.dist

Add /var/at/jobs & /var/at/spool, remove /var/at/past

Added directories needed for at/atrun

We've got accounting, might as well have a directory for it.

Miss spelled backups in BSD.var.dist, should have been backups, was backup.

Added var/backup for daily scripts

The updated mtree changed a couple things which required changes in
the mtree files.

Updated BSD.*.dist files to reflect FreeBSD as it is now.

This commit was generated by cvs2svn to compensate for changes in r37,
which included commits to RCS files with non-trunk default branches.

Initial import of 386BSD 0.1 othersrc/etc