so that it only allows [word].html files (and .txt files for the
doc/ version.)

The previous version allowed users to get the source of our php
scripts - probably not too bad, since there should not be big secrets
in them, but it could help an attacker look for exploitable bugs.

jails.

playing with coding practices for comment.

the wrong file. Also bump PORTREVISION.

Also, remove some modles we don't actualy use, so that it can be
more easily compiled into a binary.

security.

Kirk, you should chime in since you now the resident expert after the
tutorial.

one is verified for argument handling correctness.

that capture connect on a reserved port. To do this, capture binds a
dynamic reserved port to connect to capserver, which verifies the
integrity of the sender by looking at the portnumber that accept
returns.

Note that this has the potential problem of burning a lot of reserved
ports on ops (128 tiplines) since the kernel keeps the client side in
TIME_WAIT for a minute or two after it is closed (the socket is in
actual use for just a moment before being closed). If we try to
restart capture too many times within a span of a minute or two, we
might have problems. Will have to switch to a fancier protocol then.
Yuck.

* If a reboot stuck node fails, move the node to hwdown, send email,
  and log an entry in the nodelog. Then continue on.

* If os_load fails, record the nodes that failed, and try again if the
  nodes fail to reload at the retry interval. Do not exit. I was going
  to call os_load again immediately, but decided not to since these
  changes were quite easy.

  The above change not really tested ... waiting for os_load to fail!

but they do work, so I put them into the repository.

contain the latest image suitable for running nse as opposed to being
tied to an old FBSD 4.5 image.

but since it is not integrated in the backend and we are giving the
source to others, I'm backing out to 1.10

Fix the directory for SWIG, it seems to have moved. For now, we'll
stay with version 1.1, since we haven't tested the new version (1.3)
yet.

Bump revision.

Also, add more interfaces to be re-numbered for Rayford from aero.

is correct.

* Download the eventkey with new tmcd call.

* Pass -k option to various agents so that they can verify the HMACs
  in the incoming notifications.

* Change program agent; The list of agents from tmcd now includes the
  command, which is written to a config file for the program-agent to
  read in. The command string in the event is now ignored.

* Build the local proxy for linux, and add the goo to start the local
  elvind and use the proxy. It has been this way on FreeBSD for a
  while, but I never got it installed for Linux before now.

is to add HMACs to events to ensure they that events cannot be
injected into an experiment by an unauthorized client.

* The frontend now generates a secret key for each experiment and
  stores that into a file and in the DB.

* Each of the event clients, as well as the event producers
  (scheduler, tevc) have a new -k option to specify the name of the
  file. Two new event library functions were added for clients to give
  the key:

    event_handle_t
    event_register_withkeyfile(char *name, int threaded, char *keyfile);

    event_handle_t
    event_register_withkeydata(char *name, int threaded,
	   		       unsigned char *keydata, int keylen);

* When the library is in possesion of a key, it will generate an HMAC
  and attach it to outgoing notifications. A client receiving a
  notification will compute an HMAC and compare it against the HMAC in
  the notification. If they do not compare, the notification is
  dropped with a warning message printed (the client callback never
  gets the notification). If the client has not provided a key, then
  the HMAC in the incoming notification is ignored.

* The scheduler also takes a -k option, and will compute HMACs for all
  of the static events ahead of time. That keeps it off the critical
  path.

* The tevc client also takes a -k option. However, tevc will always
  try to find the keyfile (default path) so that it can attach the
  HMAC to dynamic events before sending them to the scheduler (which
  will check to make sure it matches). The scheduler will not accept
  dynamic events without unless the HMAC is present and matches.

* I have rebuilt the elvin librarys, removing all of the X goop and
  the SSL goop. Smaller binaries. So, I had to add -lcrypto to all of
  the client makefiles to that programs link.

* The program-agent got a few more changes. The command string is no
  longer passed inside the event; it comes in when the program agent
  is started, via a config file generated from tmcd data. This gets
  rid of our mostly insecure remote execution facility.

* Generate a shared secret key for the event system. This key is
  stored into the DB, and passed to the node via tmcd. It is also
  stashed into a file in the experiment directory (can be accessed
  only by the project/group members). The key is used to attach a
  HMAC (hashed message authentication) to each event, which is checked
  by the receivers to ensure that the event is not bogus. More details
  on this later when I commit the event library/client changes.

* Added "virt_programs" table to store info about each program object
  defined by the user. The intent is to no longer send the command
  string in the event, but to fix it in the DB, and transfer it via
  tmcd. This removes our "remote execution facility" which was always
  a bad idea (we have ssh for that, and that is a lot more secure then
  the event system!).

  Note that for the time being we need to continue send the command in
  the event because of old images, but the new images will now ignore
  that part of the event.

in the php extensions directory, and the following two lines were
added to /usr/local/etc/php.ini:

	extension_dir = /usr/local/lib/php/20020429/
	extension="apc.so"

The new version is a little odd in that it is more difficult to clear
the cache, which we must do when we install new pages. Rather then
jump through too many hoops, I added a simple clearapc.php page, which
does nothing but make the call from within the webserver. I have
hooked this into the make install target using wget. If you care to
see what is currently in the cache, you can load this page:

	https://www.emulab.net/apc.php

which gives a non-pretty print dump of the cache. To clear the cache
from your web browser:

	https://www.emulab.net/clearapc.php

when trying to renew any node.  Needs further review later.

really eats the CPU!

1) properly disable alarm before exiting ForkCmd
   - this was causing SIGALRM to get sent when it shouldn't have, and
     probably caused the renewal failures.
   - was introduced accidentally yesterday when I unwittingly committed
     some beta libplab code along with the rootball version string fix.

2) Changed semantics of the renew daemon s.t. it only sends a single message
   for each invocation of the renewal loop - summarizes the ones that failed.

The rest of the code I committed accidentally yesterday seems to be working
just fine.  It all looks sane on perusal.

without them. But, use the 'inline' disposition instead of
'attachment', which seems to allow Mozilla et al to run them w/o
a dialog box. IE still pops one up, though.

Also, change the extension of the ssh files to tbssh - tbc conflicts
with other stuff under Windows.

getting confused by canfail code.

the new interfaces.