Markup Changes, place terms in:

* <application>
 * <username>
 * <command>
 * <literal>
 * <devicename>

Reviewed by:	murray
Chern Lee 2001-08-14 22:06:11 +00:00
parent 388ddee70e
commit d9b1288ac8
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=10353
6 changed files with 102 additions and 60 deletions

@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.85 2001/08/13 19:05:55 jim Exp $
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.86 2001/08/14 05:28:12 dd Exp $
-->
<chapter id="advanced-networking">
@ -2003,7 +2003,8 @@ ISDN BRI line</literallayout>
&prompt.root; <userinput>vi master.passwd</userinput></screen>
<para>You should remove all entries regarding system accounts
(bin, tty, kmem, games, etc), as well as any accounts that you
(<username>bin</username>, <username>tty</username>, <username>kmem</username>,
<username>games</username>, etc), as well as any accounts that you
don't want to be propagated to the NIS clients (for example
root and any other UID 0 (superuser) accounts).</para>
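Review bot: The account list in this paragraph is only partly tagged. "root" on the last line ("root and any other UID 0 (superuser) accounts") stays plain text while bin, tty, kmem and games gain <username>; wrap it as <username>root</username> so every account name in the paragraph renders the same way.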
@ -2940,7 +2941,8 @@ lrwxr-xr-x 1 root wheel 14 Nov 8 14:27 libscrypt.so@ -> libscrypt.so.2
<sect2>
<title>How It Works</title>
<indexterm><primary>UDP</primary></indexterm>
<para>When dhclient, the DHCP client, is executed on the client
<para>When <command>dhclient</command>, the DHCP client, is executed on
the client
machine, it begins broadcasting requests for configuration
information. By default, these requests are on UDP port 68. The
server replies on UDP 67, giving the client an IP address and
@ -2972,8 +2974,8 @@ lrwxr-xr-x 1 root wheel 14 Nov 8 14:27 libscrypt.so@ -> libscrypt.so.2
When configuring a network interface within sysinstall,
the first question asked is, "Do you want to try DHCP
configuration of this interface?" Answering affirmatively will
execute dhclient, and if successful, will fill in the network
configuration information automatically.</para>
execute <command>dhclient</command>, and if successful, will fill
in the network configuration information automatically.</para>
<para>There are two things you must do to have your system use
DHCP upon startup:</para>
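Review bot: "sysinstall" on the first line of this paragraph ("within sysinstall,") is left untagged while dhclient two lines later gains <command>. Tag it in the same pass so both program names in the paragraph are marked up.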

@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/disks/chapter.sgml,v 1.49 2001/08/11 21:25:52 dd Exp $
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/disks/chapter.sgml,v 1.50 2001/08/11 21:34:51 jim Exp $
-->
<chapter id="disks">
@ -710,7 +710,8 @@
linkend="nfs">Network Filesystem</link> and Coda, memory-based
filesystems such as <link linkend="disks-md">md</link> and
file-backed filesystems created by <link
linkend="disks-vnconfig">vnconfig</link> or mdconfig.</para>
linkend="disks-vnconfig">vnconfig</link> or
<command>mdconfig</command>.</para>
<sect2 id="disks-vnconfig">
<title>vnconfig: File-Backed Filesystem</title>

@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/install/chapter.sgml,v 1.86 2001/08/14 07:37:05 rpratt Exp $
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/install/chapter.sgml,v 1.87 2001/08/14 21:29:28 logo Exp $
-->
<chapter id="install">
@ -1073,13 +1073,14 @@ Mounting root from ufs:/dev/md0c
url="http://www.freebsd.org/search/search.html#mailinglists">searching
the mailing lists</ulink> (questions and bugs).</para>
<para>The "unexpected tag 14" or "unexpected small tag 14"
<para>The <errorname>unexpected tag 14</errorname> or
<errorname>unexpected small tag 14</errorname>
indication can be ignored. This should disappear in future
releases.</para>
<para>An ISA-device (AWE64 sound card) gave too many proposals for
possible PnP-Configurations and produced "isa0: too many
dependant configs (8)". This should be harmless. Support for
possible PnP-Configurations and produced <errorname>isa0: too many
dependant configs (8)</errorname>. This should be harmless. Support for
the sound card can be added after installation by building a new
kernel with the sound driver or by loading the sound modules
dynamically.</para>
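Review bot: This hunk introduces <errorname>, which is not among the five elements listed in the commit message (application, username, command, literal, devicename); add it to the log or split it out. The change also drops the quotation marks around the three messages, so check that the rendered output still sets "isa0: too many dependant configs (8)" apart from the surrounding sentence, especially since the element now spans a line break.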
@ -1800,7 +1801,8 @@ installation menus to try and retry whichever operations have failed.
"No" was selected with the arrow keys and <keycap>ENTER</keycap>
pressed.</para>
<para>Answering [Yes] will execute dhclient, and if successful,
<para>Answering [Yes] will execute <application>dhclient</application>,
and if successful,
will fill in the network configuration information
automatically. Refer to the <ulink
url="http://www.freebsd.org/handbook/dhcp.html">FreeBSD
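Review bot: dhclient is tagged <application> on the new lines here, but the matching sentence in the advanced-networking chapter in this same commit ("execute <command>dhclient</command>, and if successful") uses <command>. Pick one element for the program and apply it in both chapters.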
@ -1889,8 +1891,8 @@ installation menus to try and retry whichever operations have failed.
<term>Extra options to ifconfig</term>
<listitem>
<para>Any interface-specific options to ifconfig you would
like to add. There were none in this case.</para>
<para>Any interface-specific options to <command>ifconfig</command>
you would like to add. There were none in this case.</para>
</listitem>
</varlistentry>
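Review bot: The <term> on the first line of this hunk ("Extra options to ifconfig") still has ifconfig as plain text, while the paragraph directly under it now uses <command>ifconfig</command>. Tag the occurrence in the <term> as well so the entry is consistent.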
@ -2580,13 +2582,15 @@ when you've finished.</screen>
<para>The configuration can now be saved in the location indicated
and continue with the installation.</para>
<para>If the monitor display needs adjusted, xvidtune can be ran
<para>If the monitor display needs adjusted,
<application>xvidtune</application> can be ran
to adjust them. There are warnings that improper settings can
damage your equipment. Heed them. If in doubt, don't do
it. Instead, use the monitor controls to adjust the display for
x-windows. There may be some display differences when switching
back to text mode, but it's better than damaging equipment. The
xvidtune can be ran later using /stand/sysinstall.</para>
<application>xvidtune</application> can be ran later using
<command>/stand/sysinstall</command>.</para>
<para>If it doesn't appear or is distorted, kill the server with
<keycombo action='simul'>
@ -3200,7 +3204,8 @@ Please press any key to reboot.</screen>
<answer>
<para>If your machine is already running MS-DOS and has little
or no free space available for the FreeBSD installation, all
hope is not lost! You may find the FIPS utility, provided
hope is not lost! You may find the <application>FIPS</application>
utility, provided
in the <filename>tools</filename> directory on the FreeBSD
CDROM or various FreeBSD FTP sites to be quite
useful.</para>
@ -3208,13 +3213,16 @@ Please press any key to reboot.</screen>
<indexterm>
<primary><command>FIPS</command></primary>
</indexterm>
<para>FIPS allows you to split an existing MS-DOS partition
<para><application>FIPS</application> allows you to split an
existing MS-DOS partition
into two pieces, preserving the original partition and
allowing you to install onto the second free piece. You
first defragment your MS-DOS partition using the Windows
DEFRAG utility (go into Explorer, right-click on the
<application>DEFRAG</application> utility (go into Explorer,
right-click on the
hard drive, and choose to defrag your
hard drive), or Norton Disk Tools. You then must run FIPS. It
hard drive), or Norton Disk Tools. You then must run
<application>FIPS</application>. It
will prompt you for the rest of the information it needs.
Afterwards, you can reboot and install FreeBSD on the new
free slice. See the <emphasis>Distributions</emphasis> menu
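Review bot: The <indexterm> at the top of this hunk keeps <command>FIPS</command> while every occurrence in the paragraph is now <application>FIPS</application>; use the same element in both places. "Norton Disk Tools" in the same sentence is also left untagged although DEFRAG gains <application>.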
@ -3228,11 +3236,13 @@ Please press any key to reboot.</screen>
product from <ulink
url="http://www.powerquest.com/">PowerQuest</ulink>
called <application>Partition Magic</application>. This
application has far more functionality than FIPS, and is
application has far more functionality than
<application>FIPS</application>, and is
highly recommended if you plan to often add/remove
operating systems (like me). However, it does cost
money, and if you plan to install FreeBSD once and then
leave it there, FIPS will probably be fine for you.</para>
leave it there, <application>FIPS</application> will probably
be fine for you.</para>
</answer>
</qandaentry>
@ -3471,7 +3481,8 @@ Please press any key to reboot.</screen>
</procedure>
<para>That's it! You should be able to control the headless
machine through your cu session now. It will ask you to put
machine through your <command>cu</command> session now. It will ask
you to put
in the <filename>mfsroot.flp</filename>, and then it will come
up with a selection of what kind of terminal to use. Just
select the FreeBSD color console and proceed with your

@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v 1.69 2001/08/14 06:30:58 dd Exp $
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v 1.70 2001/08/14 06:43:35 dd Exp $
-->
<chapter id="security">
@ -51,7 +51,8 @@
overbuild your security or you will interfere with the detection
side, and detection is one of the single most important aspects of
any security mechanism. For example, it makes little sense to set
the schg flags (see &man.chflags.1;) on every system binary because
the <literal>schg</literal> flags (see &man.chflags.1;) on every
system binary because
while this may temporarily protect the binaries, it prevents an
attacker who has broken in from making an easily detectable change
that may result in your security mechanisms not detecting the attacker
@ -115,9 +116,12 @@
<secondary>account compromises</secondary>
</indexterm>
<para>A user account compromise is even more common than a D.O.S.
attack. Many sysadmins still run standard telnetd, rlogind, rshd,
and ftpd servers on their machines. These servers, by default, do
<para>A user account compromise is even more common than a DoS
attack. Many sysadmins still run standard
<application>telnetd</application>, <application>rlogind</application>,
<application>rshd</application>,
and <application>ftpd</application> servers on their machines.
These servers, by default, do
not operate over encrypted connections. The result is that if you
have any moderate-sized user base, one or more of your users logging
into your system from a remote location (which is the most common
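Review bot: The first changed line rewrites "D.O.S." as "DoS", which is a wording change rather than markup and is not mentioned in the commit message. Either note it in the log or move it to a separate content commit so the markup-only diff stays easy to audit.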
@ -363,7 +367,8 @@
<para>The prudent sysadmin only runs the servers he needs to, no
more, no less. Be aware that third party servers are often the
most bug-prone. For example, running an old version of imapd or
most bug-prone. For example, running an old version of
<application>imapd</application> or
popper is like giving a universal root ticket out to the entire
world. Never run a server that you have not checked out
carefully. Many servers do not need to be run as root. For
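Review bot: "popper" on the line after the new <application>imapd</application> is left as plain text, although it is named as a server in the same sentence. Tag it too: "<application>imapd</application> or <application>popper</application>".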
@ -482,23 +487,28 @@
is called the <devicename>bpf</devicename> device. An intruder
will commonly attempt to run a packet sniffer on a compromised
machine. You do not need to give the intruder the capability and
most systems should not have the bpf device compiled in.</para>
most systems should not have the <devicename>bpf</devicename>
device compiled in.</para>
<indexterm>
<primary><command>sysctl</command></primary>
</indexterm>
<para>But even if you turn off the bpf device, you still have
<filename>/dev/mem</filename> and <filename>/dev/kmem</filename>
<para>But even if you turn off the <devicename>bpf</devicename>
device, you still have
<devicename>/dev/mem</devicename> and
<devicename>/dev/kmem</devicename>
to worry about. For that matter, the intruder can still write to
raw disk devices. Also, there is another kernel feature called
the module loader, &man.kldload.8;. An enterprising intruder can
use a KLD module to install his own bpf device, or other sniffing
use a KLD module to install his own <devicename>bpf</devicename>
device, or other sniffing
device, on a running kernel. To avoid these problems you have to
run the kernel at a higher secure level, at least securelevel 1.
The securelevel can be set with a <command>sysctl</command> on
the <varname>kern.securelevel</varname> variable. Once you have
set the securelevel to 1, write access to raw devices will be
denied and special chflags flags, such as <literal>schg</literal>,
denied and special <command>chflags</command> flags,
such as <literal>schg</literal>,
will be enforced. You must also ensure that the
<literal>schg</literal> flag is set on critical startup binaries,
directories, and script files &ndash; everything that gets run up
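Review bot: <devicename> appears in two forms in this hunk, the bare name in <devicename>bpf</devicename> and the full path in <devicename>/dev/mem</devicename> and <devicename>/dev/kmem</devicename>; settle on one form. "securelevel" also stays plain in "at least securelevel 1" while <varname>kern.securelevel</varname> is tagged two lines later, so confirm that split is intended.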
@ -573,7 +583,8 @@
<para>When using <application>ssh</application> rather than NFS,
writing the security script is much more difficult. You
essentially have to scp the scripts to the client box in order to
essentially have to <command>scp</command> the scripts to the client
box in order to
run them, making them visible, and for safety you also need to
<command>scp</command> the binaries (such as find) that those
scripts use. The <application>ssh</application> daemon on the
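Review bot: "find" in the context line "the binaries (such as find) that those" is left untagged while both occurrences of scp in the sentence are now <command>. Wrap it as <command>find</command> for consistency.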
@ -655,14 +666,17 @@
<para>A common DoS attack is against a forking server that attempts
to cause the server to eat processes, file descriptors, and memory,
until the machine dies. Inetd (see &man.inetd.8;) has several
until the machine dies. <application>inetd</application>
(see &man.inetd.8;) has several
options to limit this sort of attack. It should be noted that
while it is possible to prevent a machine from going down, it is
not generally possible to prevent a service from being disrupted
by the attack. Read the inetd manual page carefully and pay
by the attack. Read the <application>inetd</application> manual
page carefully and pay
specific attention to the <option>-c</option>, <option>-C</option>,
and <option>-R</option> options. Note that spoofed-IP attacks
will circumvent the <option>-C</option> option to inetd, so
will circumvent the <option>-C</option> option to
<application>inetd</application>, so
typically a combination of options must be used. Some standalone
servers have self-fork-limitation parameters.</para>
@ -748,14 +762,16 @@
it generates fast enough. The FreeBSD kernel has a new kernel
compile option called ICMP_BANDLIM which limits the effectiveness
of these sorts of attacks. The last major class of springboard
attacks is related to certain internal inetd services such as the
attacks is related to certain internal
<application>inetd</application> services such as the
udp echo service. An attacker simply spoofs a UDP packet with the
source address being server A's echo port, and the destination
address being server B's echo port, where server A and B are both
on your LAN. The two servers then bounce this one packet back and
forth between each other. The attacker can overload both servers
and their LANs simply by injecting a few packets in this manner.
Similar problems exist with the internal chargen port. A
Similar problems exist with the internal
<application>chargen</application> port. A
competent sysadmin will turn off all of these inetd-internal test
services.</para>
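Review bot: <application>chargen</application> tags an inetd-internal service as if it were a separate program, while the parallel "udp echo service" a few lines above stays plain. Treat the two the same way, and note that "inetd-internal" on the next-to-last line is still untagged although every other inetd in this file gains <application>.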
@ -768,8 +784,9 @@
<command>netstat -rna | fgrep W3</command>. These routes
typically timeout in 1600 seconds or so. If the kernel detects
that the cached route table has gotten too big it will dynamically
reduce the rtexpire but will never decrease it to less than
rtminexpire. There are two problems:</para>
reduce the <literal>rtexpire</literal> but will never decrease it
to less than <literal>rtminexpire</literal>. There are two
problems:</para>
<orderedlist>
<listitem>
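Review bot: rtexpire and rtminexpire are tagged <literal> here, but they read as kernel tunables, and an earlier hunk in this file shows <varname>kern.securelevel</varname> for the same kind of name. Use <varname> for both so tunables are marked up uniformly within the chapter.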
@ -1562,8 +1579,8 @@ Principal: jane@GRONDAR.ZA
Apr 30 11:23:22 Apr 30 19:23:22 krbtgt.GRONDAR.ZA@GRONDAR.ZA</screen>
<para>Now try changing the password using <command>passwd</command> to
check if the kpasswd daemon can get authorization to the Kerberos
database:</para>
check if the <application>kpasswd</application> daemon can get
authorization to the Kerberos database:</para>
<screen>&prompt.user; <userinput>passwd</userinput>
realm GRONDAR.ZA
@ -1802,7 +1819,9 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<title>Proxy Servers</title>
<para>Proxy servers are machines which have had the normal system
daemons (telnetd, ftpd, etc) replaced with special servers. These
daemons (<application>telnetd</application>,
<application>ftpd</application>, etc) replaced with special servers.
These
servers are called <emphasis>proxy servers</emphasis> as they
normally only allow onward connections to be made. This enables you
to run (for example) a proxy telnet server on your firewall host,
@ -2390,7 +2409,8 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
through the firewall, so large FTP/http transfers, etc, will really
slow the system down. It also increases the latencies on those
packets as it requires more work to be done by the kernel before the
packet can be passed on. syslogd will also start using up a lot
packet can be passed on. <application>syslogd</application> will
also start using up a lot
more processor time as it logs all the extra data to disk, and it
could quite easily fill the partition <filename>/var/log</filename>
is located on.</para>
@ -2432,8 +2452,9 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
people (on the inside) using external archie (prospero) servers.
If you want to allow access to archie, you will have to allow
packets coming from ports 191 and 1525 to any internal UDP port
through the firewall. ntp is another service you may consider
allowing through, which comes from port 123.</para>
through the firewall. <application>ntp</application> is another
service you may consider allowing through, which comes from port
123.</para>
</listitem>
<listitem>
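Review bot: <application>ntp</application> marks up what the sentence describes as a service identified by its port ("which comes from port 123"), not a program, and archie in the same paragraph stays plain. Either leave ntp untagged like archie or tag both the same way.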
@ -2914,7 +2935,8 @@ Host 'foobardomain.com' added to the list of known hosts.
user@foobardomain.com's password: <userinput>*******</userinput></screen>
<para>The login will continue just as it would have if a session was
created using rlogin or telnet. SSH utilizes a key fingerprint
created using <command>rlogin</command> or telnet. SSH utilizes a
key fingerprint
system for verifying the authenticity of the server when the
client connects. The user is prompted to enter 'yes' only when
connecting for the first time. Future attempts to login are all
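Review bot: Only rlogin is tagged on the changed line; "telnet" right after it ("using <command>rlogin</command> or telnet") is left as plain text. Tag it as <command>telnet</command> so the two commands in the comparison match.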

@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/serialcomms/chapter.sgml,v 1.41 2001/08/10 22:58:17 chern Exp $
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/serialcomms/chapter.sgml,v 1.42 2001/08/11 21:34:53 jim Exp $
-->
<chapter id="serialcomms">
@ -847,7 +847,8 @@ ttyd5 "/usr/libexec/getty std.19200" vt100 on insecure
<para>Make sure that a <command>getty</command> process is running
and serving the terminal. For example, to get a list of
running getty processes with <command>ps</command>, type:</para>
running <command>getty</command> processes with
<command>ps</command>, type:</para>
<screen>&prompt.root; <userinput>ps -axww|grep getty</userinput></screen>
@ -872,7 +873,8 @@ ttyd5 "/usr/libexec/getty std.19200" vt100 on insecure
<listitem>
<para>Make sure the terminal and FreeBSD agree on the bps rate and
parity settings. Check the getty processes to make sure the
parity settings. Check the <command>getty</command> processes
to make sure the
correct <replaceable>getty</replaceable> type is in use. If
not, edit <filename>/etc/ttys</filename> and run <command>kill
-HUP 1</command>.</para>
@ -1621,7 +1623,8 @@ AT&amp;B2&amp;W</programlisting>
<screen>&prompt.root; <userinput>cd /dev</userinput>
&prompt.root; <userinput>MAKEDEV cuaa0</userinput></screen>
<para>Or use cu as root with the following command:</para>
<para>Or use <command>cu</command> as root with the following
command:</para>
<screen>&prompt.root; <userinput>cu -l<replaceable>line</replaceable> -s<replaceable>speed</replaceable></userinput></screen>
@ -1661,7 +1664,7 @@ tip57600|Dial any phone number at 57600 bps:\
<screen>&prompt.root; <userinput>tip -115200 5551234</userinput></screen>
<para>If you prefer <command>cu</command> over <command>tip</command>,
use a generic cu entry:</para>
use a generic <literal>cu</literal> entry:</para>
<programlisting>cu115200|Use cu to dial any number at 115200bps:\
:dv=/dev/cuaa1:br#57600:at=hayes:pa=none:du:</programlisting>
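Review bot: The new <literal>cu</literal> refers to an entry that the listing below names cu115200, so the tagged word is not a literal string from the file; consider <command>cu</command> as in the preceding line, or quote the actual entry name. Separately, the context lines describe the entry as 115200bps but set br#57600, which is worth checking in a follow-up.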

@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/x11/chapter.sgml,v 1.41 2001/08/11 01:17:28 nik Exp $
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/x11/chapter.sgml,v 1.42 2001/08/11 04:37:42 kuriyama Exp $
-->
<chapter id="x11">
@ -311,7 +311,8 @@ EndSection</programlisting>
may find your first introduction to X to be something of a culture
shock.</para>
<para>Today, as Unix desktop environments such as KDE and GNOME become
<para>Today, as Unix desktop environments such as
<application>KDE</application> and <application>GNOME</application> become
more prevalent it is less necessary to understand all the
behind-the-scenes interaction between the various X components, or what
those components actually are. However, one of X's strengths is its
@ -525,12 +526,14 @@ EndSection</programlisting>
<para>The upshot of this is that you can not expect X applications to
have a common look and feel. There are several popular widget sets
(and variations), including the original Athena widget set (developed
at MIT), Motif (on which the widget set in Microsoft Windows was
modeled, all bevelled edges and three shades of grey), OpenLook, and
others.</para>
at MIT), <application>Motif</application> (on which the widget set in
Microsoft Windows was modeled, all bevelled edges and three shades of
grey), <application>OpenLook</application>, and others.</para>
<para>Most newer X applications today will use a modern-looking widget
set, probably either Qt, used by KDE, or GTK, used by the GNOME
set, probably either Qt, used by <application>KDE</application>, or
<application>GTK</application>, used by the
<application>GNOME</application>
project. In this respect we are beginning to see a convergence in
look-and-feel on the Unix desktop, which certainly makes things easier
for the novice user. However, the sudden rise in popularity of
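Review bot: The toolkit names are tagged unevenly in these two paragraphs: Motif, OpenLook and GTK gain <application>, but "Athena" and "Qt" in the same lists stay plain ("either Qt, used by <application>KDE</application>"). Tag all of the widget sets or none of them.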