diff --git a/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml b/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml
index 5db0989bf6..975c08dd39 100644
--- a/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/introduction/chapter.sgml
@@ -1,943 +1,943 @@
JimMockRestructured, reorganized, and parts
rewritten by IntroductionSynopsisThank you for your interest in FreeBSD! The following chapter
covers various aspects of the FreeBSD Project, such as its history,
goals, development model, and so on.After reading this chapter, you will know:How FreeBSD relates to other computer operating systems.The history of the FreeBSD Project.The goals of the FreeBSD Project.The basics of the FreeBSD open-source development model.And of course: where the name FreeBSD comes from.Welcome to FreeBSD!4.4BSD-LiteFreeBSD is a 4.4BSD-Lite based operating system for
Intel (x86 and &itanium;), AMD64, Alpha, Sun
&ultrasparc; computers. Ports to other
architectures are also underway.
You can also
read about the history of FreeBSD,
or the current release. If you
are interested in contributing something to the Project (code,
hardware, unmarked bills), see the Contributing to FreeBSD article.What Can FreeBSD Do?FreeBSD has many noteworthy features. Some of these
are:preemptive multitaskingPreemptive multitasking with
dynamic priority adjustment to ensure smooth and fair
sharing of the computer between applications and users, even
under the heaviest of loads.multi-user facilitiesMulti-user facilities which allow many
people to use a FreeBSD system simultaneously for a variety
of things. This means, for example, that system peripherals
such as printers and tape drives are properly shared between
all users on the system or the network and that individual
resource limits can be placed on users or groups of users,
protecting critical system resources from over-use.TCP/IP networkingStrong TCP/IP networking with
support for industry standards such as SLIP, PPP, NFS, DHCP,
and NIS. This means that your FreeBSD machine can
interoperate easily with other systems as well as act as an
enterprise server, providing vital functions such as NFS
(remote file access) and email services or putting your
organization on the Internet with WWW, FTP, routing and
firewall (security) services.memory protectionMemory protection ensures that
applications (or users) cannot interfere with each other. One
application crashing will not affect others in any way.FreeBSD is a 32-bit operating
system (64-bit on the Alpha, &itanium;, AMD64, and &ultrasparc;) and was
designed as such from the ground up.X Window SystemXFree86The industry standard X Window System
(X11R6) provides a graphical user interface (GUI) for the cost
of a common VGA card and monitor and comes with full
sources.binary compatibilityLinuxbinary compatibilitySCObinary compatibilitySVR4binary compatibilityBSD/OSbinary compatibilityNetBSDBinary compatibility with many
programs built for Linux, SCO, SVR4, BSDI and NetBSD.Thousands of ready-to-run
applications are available from the FreeBSD
ports and packages
collection. Why search the net when you can find it all right
here?Thousands of additional and
easy-to-port applications are available
on the Internet. FreeBSD is source code compatible with most
popular commercial &unix; systems and thus most applications
require few, if any, changes to compile.virtual memoryDemand paged virtual memory and
merged VM/buffer cache design efficiently
satisfies applications with large appetites for memory while
still maintaining interactive response to other users.Symmetric Multi-Processing (SMP)SMP support for machines with
multiple CPUs.compilersCcompilersC++compilersFORTRANA full complement of C,
C++, Fortran, and
Perl development tools.
Many additional languages for advanced research
and development are also available in the ports and packages
collection.source codeSource code for the entire system
means you have the greatest degree of control over your
environment. Why be locked into a proprietary solution
at the mercy of your vendor when you can have a truly open
system?Extensive online
documentation.And many more!4.4BSD-LiteComputer Systems Research Group (CSRG)U.C. BerkeleyFreeBSD is based on the 4.4BSD-Lite release from Computer
Systems Research Group (CSRG) at the University of California at
Berkeley, and carries on the distinguished tradition of BSD
systems development. In addition to the fine work provided by
CSRG, the FreeBSD Project has put in many thousands of hours in
fine tuning the system for maximum performance and reliability in
real-life load situations. As many of the commercial giants
struggle to field PC operating systems with such features,
performance and reliability, FreeBSD can offer them
now!The applications to which FreeBSD can be put are truly
limited only by your own imagination. From software development
to factory automation, inventory control to azimuth correction of
remote satellite antennae; if it can be done with a commercial
&unix; product then it is more than likely that you can do it with
FreeBSD too! FreeBSD also benefits significantly from
literally thousands of high quality applications developed by
research centers and universities around the world, often
available at little to no cost. Commercial applications are also
available and appearing in greater numbers every day.Because the source code for FreeBSD itself is generally
available, the system can also be customized to an almost unheard
of degree for special applications or projects, and in ways not
generally possible with operating systems from most major
commercial vendors. Here is just a sampling of some of the
applications in which people are currently using FreeBSD:Internet Services: The robust TCP/IP
networking built into FreeBSD makes it an ideal platform for a
variety of Internet services such as:FTP serversFTP serversweb serversWorld Wide Web servers (standard or secure
[SSL])firewallIP masqueradingFirewalls and NAT (IP masquerading)
gatewayselectronic mailElectronic Mail serversUSENETUSENET News or Bulletin Board SystemsAnd more...With FreeBSD, you can easily start out small with an
inexpensive 386 class PC and upgrade all the way up to a
quad-processor Xeon with RAID storage as your enterprise
grows.Education: Are you a student of
computer science or a related engineering field? There is no
better way of learning about operating systems, computer
architecture and networking than the hands on, under the hood
experience that FreeBSD can provide. A number of freely
available CAD, mathematical and graphic design packages also
make it highly useful to those whose primary interest in a
computer is to get other work
done!Research: With source code for the
entire system available, FreeBSD is an excellent platform for
research in operating systems as well as other branches of
computer science. FreeBSD's freely available nature also makes
it possible for remote groups to collaborate on ideas or
shared development without having to worry about special
licensing agreements or limitations on what may be discussed
in open forums.routerDNS ServerNetworking: Need a new router? A
name server (DNS)? A firewall to keep people out of your
internal network? FreeBSD can easily turn that unused 386 or
486 PC sitting in the corner into an advanced router with
sophisticated packet-filtering capabilities.X Window SystemXFree86X Window SystemAccelerated-XX Window workstation: FreeBSD is a
fine choice for an inexpensive X terminal solution, either
- using the freely available &xfree86; server or one of the
+ using the freely available X11 server or one of the
excellent commercial servers provided by Xi Graphics. Unlike an
X terminal, FreeBSD allows many applications to be run
locally if desired, thus relieving the burden on a central
server. FreeBSD can even boot diskless, making
individual workstations even cheaper and easier to
administer.GNU Compiler CollectionSoftware Development: The basic
FreeBSD system comes with a full complement of development
tools including the renowned GNU C/C++ compiler and
debugger.FreeBSD is available in both source and binary form on CDROM,
DVD,
and via anonymous FTP. Please see
for more information about obtaining FreeBSD.Who Uses FreeBSD?UsersLarge sites running FreeBSDFreeBSD is used to power some of the biggest sites on the
Internet, including:Yahoo!Yahoo!ApacheApacheBlue Mountain ArtsBlue Mountain
ArtsPair NetworksPair
NetworksSony JapanSony
JapanNetcraftNetcraftWeathernewsWeathernewsSupervaluSupervaluTELEHOUSE AmericaTELEHOUSE
AmericaSophos Anti-VirusSophos
Anti-VirusJMA WiredJMA Wiredand many more.About the FreeBSD ProjectThe following section provides some background information on
the project, including a brief history, project goals, and the
development model of the project.JordanHubbardContributed by A Brief History of FreeBSD386BSD PatchkitHubbard, JordanWilliams, NateGrimes, RodFreeBSD ProjecthistoryThe FreeBSD project had its genesis in the early part of 1993,
partially as an outgrowth of the Unofficial 386BSD
Patchkit by the patchkit's last 3 coordinators: Nate
Williams, Rod Grimes and myself.386BSDOur original goal was to produce an intermediate snapshot of
386BSD in order to fix a number of problems with it that the
patchkit mechanism just was not capable of solving. Some of you
may remember the early working title for the project being
386BSD 0.5 or 386BSD Interim in
reference to that fact.Jolitz, Bill386BSD was Bill Jolitz's operating system, which had been up
to that point suffering rather severely from almost a year's worth
of neglect. As the patchkit swelled ever more uncomfortably with
each passing day, we were in unanimous agreement that something
had to be done and decided to assist Bill by providing
this interim cleanup snapshot. Those plans came to
a rude halt when Bill Jolitz suddenly decided to withdraw his
sanction from the project without any clear indication of what
would be done instead.Greenman, DavidWalnut Creek CDROMIt did not take us long to decide that the goal remained
worthwhile, even without Bill's support, and so we adopted the
name FreeBSD, coined by David Greenman. Our initial
objectives were set after consulting with the system's current
users and, once it became clear that the project was on the road
to perhaps even becoming a reality, I contacted Walnut Creek CDROM
with an eye toward improving FreeBSD's distribution channels for
those many unfortunates without easy access to the Internet.
Walnut Creek CDROM not only supported the idea of distributing
FreeBSD on CD but also went so far as to provide the project with a
machine to work on and a fast Internet connection. Without Walnut
Creek CDROM's almost unprecedented degree of faith in what was, at
the time, a completely unknown project, it is quite unlikely that
FreeBSD would have gotten as far, as fast, as it has today.4.3BSD-LiteNet/2U.C. Berkeley386BSDFree Software FoundationThe first CDROM (and general net-wide) distribution was
FreeBSD 1.0, released in December of 1993. This was based on the
4.3BSD-Lite (Net/2) tape from U.C. Berkeley, with
many components also provided by 386BSD and the Free Software
Foundation. It was a fairly reasonable success for a first
offering, and we followed it with the highly successful FreeBSD
1.1 release in May of 1994.NovellU.C. BerkeleyNet/2AT&TAround this time, some rather unexpected storm clouds formed
on the horizon as Novell and U.C. Berkeley settled their
long-running lawsuit over the legal status of the Berkeley Net/2
tape. A condition of that settlement was U.C. Berkeley's
concession that large parts of Net/2 were encumbered
code and the property of Novell, who had in turn acquired it from
AT&T some time previously. What Berkeley got in return was
Novell's blessing that the 4.4BSD-Lite release, when
it was finally released, would be declared unencumbered and all
existing Net/2 users would be strongly encouraged to switch. This
included FreeBSD, and the project was given until the end of July
1994 to stop shipping its own Net/2 based product. Under the
terms of that agreement, the project was allowed one last release
before the deadline, that release being FreeBSD 1.1.5.1.FreeBSD then set about the arduous task of literally
re-inventing itself from a completely new and rather incomplete
set of 4.4BSD-Lite bits. The Lite releases were
light in part because Berkeley's CSRG had removed large chunks of
code required for actually constructing a bootable running system
(due to various legal requirements) and the fact that the Intel
port of 4.4 was highly incomplete. It took the project until
November of 1994 to make this transition, at which point it
released FreeBSD 2.0 to the net and on CDROM (in late December).
Despite being still more than a little rough around the edges,
the release was a significant success and was followed by the
more robust and easier to install FreeBSD 2.0.5 release in June of
1995.We released FreeBSD 2.1.5 in August of 1996, and it appeared
to be popular enough among the ISP and commercial communities that
another release along the 2.1-STABLE branch was merited. This was
FreeBSD 2.1.7.1, released in February 1997 and capping the end of
mainstream development on 2.1-STABLE. Now in maintenance mode,
only security enhancements and other critical bug fixes will be
done on this branch (RELENG_2_1_0).FreeBSD 2.2 was branched from the development mainline
(-CURRENT) in November 1996 as the RELENG_2_2
branch, and the first full release (2.2.1) was released in April
1997. Further releases along the 2.2 branch were done in the
summer and fall of '97, the last of which (2.2.8) appeared in
November 1998. The first official 3.0 release appeared in
October 1998 and spelled the beginning of the end for the 2.2
branch.The tree branched again on Jan 20, 1999, leading to the
4.0-CURRENT and 3.X-STABLE branches. From 3.X-STABLE, 3.1 was
released on February 15, 1999, 3.2 on May 15, 1999, 3.3 on
September 16, 1999, 3.4 on December 20, 1999, and 3.5 on
June 24, 2000, which was followed a few days later by a minor
point release update to 3.5.1, to incorporate some last-minute
security fixes to Kerberos. This will be the final release in the
3.X branch.There was another branch on March 13, 2000, which saw the
emergence of the 4.X-STABLE branch, now considered to be the
current -stable branch. There have been several releases
from it so far: 4.0-RELEASE was introduced in March 2000, and
the most recent &rel2.current;-RELEASE came out in
&rel2.current.date;. There will be additional releases
along the 4.X-stable (RELENG_4) branch well into 2003.The long-awaited 5.0-RELEASE was announced on January 19,
2003. The culmination of nearly three years of work, this
release started FreeBSD on the path of advanced multiprocessor
and application thread support and introduced support for the
&ultrasparc; and ia64 platforms. This release was followed by 5.1 in
June of 2003. Besides a number of new features, the 5.X
releases also contain a number of major developments in the
underlying system architecture. Along with these advances,
however, comes a system that incorporates a tremendous amount of
new and not-widely-tested code. For this reason, the 5.X
releases are considered New Technology releases, while the 4.X
series function as Production releases. In time, 5.X will be
declared stable and work will commence on the next development
branch, 6.0-CURRENT.For now, long-term development projects continue to take place in the
5.X-CURRENT (trunk) branch, and SNAPshot releases of 5.X on
CDROM (and, of course, on the net) are continually made available
from
the snapshot server as work progresses.JordanHubbardContributed by FreeBSD Project GoalsFreeBSD ProjectgoalsThe goals of the FreeBSD Project are to provide software that
may be used for any purpose and without strings attached. Many of
us have a significant investment in the code (and project) and
would certainly not mind a little financial compensation now and
then, but we are definitely not prepared to insist on it. We
believe that our first and foremost mission is to
provide code to any and all comers, and for whatever purpose, so
that the code gets the widest possible use and provides the widest
possible benefit. This is, I believe, one of the most fundamental
goals of Free Software and one that we enthusiastically
support.GNU General Public License (GPL)GNU Lesser General Public License (LGPL)BSD CopyrightThat code in our source tree which falls under the GNU
General Public License (GPL) or Library General Public License
(LGPL) comes with slightly more strings attached, though at
least on the side of enforced access rather than the usual
opposite. Due to the additional complexities that can evolve
in the commercial use of GPL software we do, however, prefer
software submitted under the more relaxed BSD copyright when
it is a reasonable option to do so.SatoshiAsamiContributed by The FreeBSD Development ModelFreeBSD Projectdevelopment modelThe development of FreeBSD is a very open and flexible
process, being literally built from the contributions
of hundreds of people around the world, as can be seen from
our list of
contributors. FreeBSD's development infrastructure allow
these hundreds of developers to collaborate over the Internet.
We are constantly on the lookout for
new developers and ideas, and those interested in becoming
more closely involved with the project need simply contact us
at the &a.hackers;. The &a.announce; is also available to
those wishing to make other FreeBSD users aware of major areas
of work.Useful things to know about the FreeBSD project and its
development process, whether working independently or in close
cooperation:The CVS repositoryCVSrepositoryConcurrent Versions SystemCVSThe central source tree for FreeBSD is maintained by
CVS
(Concurrent Versions System), a freely available source code
control tool that comes bundled with FreeBSD. The primary
CVS
repository resides on a machine in Santa Clara CA, USA
from where it is replicated to numerous mirror machines
throughout the world. The CVS tree, which contains the -CURRENT and -STABLE trees,
can all be easily replicated to your own machine as well.
Please refer to the Synchronizing
your source tree section for more information on
doing this.The committers listcommittersThe committers
are the people who have write access to
the CVS tree, and are authorized to make modifications
to the FreeBSD source (the term committer
comes from the &man.cvs.1; commit
command, which is used to bring new changes into the CVS
repository). The best way of making submissions for review
by the committers list is to use the &man.send-pr.1;
command. If something appears to be jammed in the
system, then you may also reach them by sending mail to
the &a.committers;.The FreeBSD core teamcore teamThe FreeBSD core team
would be equivalent to the board of directors if the FreeBSD
Project were a company. The primary task of the core team
is to make sure the project, as a whole, is in good shape
and is heading in the right directions. Inviting dedicated
and responsible developers to join our group of committers
is one of the functions of the core team, as is the
recruitment of new core team members as others move on.
The current core team was elected from a pool of committer
candidates in July 2004. Elections are held every 2 years.
Some core team members also have specific areas of
responsibility, meaning that they are committed to
ensuring that some large portion of the system works as
advertised. For a complete list of FreeBSD developers
and their areas of responsibility, please see the Contributors
ListMost members of the core team are volunteers when it
comes to FreeBSD development and do not benefit from the
project financially, so commitment should
also not be misconstrued as meaning guaranteed
support. The board of directors
analogy above is not very accurate, and it may be
more suitable to say that these are the people who gave up
their lives in favor of FreeBSD against their better
judgment!Outside contributorscontributorsLast, but definitely not least, the largest group of
developers are the users themselves who provide feedback and
bug fixes to us on an almost constant basis. The primary
way of keeping in touch with FreeBSD's more non-centralized
development is to subscribe to the &a.hackers; where such
things are discussed. See for more information about
the various FreeBSD mailing lists.The
FreeBSD Contributors List is a long
and growing one, so why not join it by contributing
something back to FreeBSD today?Providing code is not the only way of contributing to
the project; for a more complete list of things that need
doing, please refer to the FreeBSD Project web
site.In summary, our development model is organized as a loose set
of concentric circles. The centralized model is designed for the
convenience of the users of FreeBSD, who are
provided with an easy way of tracking one central code
base, not to keep potential contributors out! Our desire is to
present a stable operating system with a large set of coherent
application programs that the users
can easily install and use — this model works very well in
accomplishing that.All we ask of those who would join us as FreeBSD developers is
some of the same dedication its current people have to its
continued success!The Current FreeBSD ReleaseNetBSDOpenBSD386BSDFree Software FoundationU.C. BerkeleyComputer Systems Research Group (CSRG)FreeBSD is a freely available, full source 4.4BSD-Lite based
release for Intel &i386;, &i486;, &pentium;,
&pentium; Pro,
&celeron;,
&pentium; II,
&pentium; III,
&pentium; 4 (or compatible),
&xeon;, DEC Alpha
and Sun &ultrasparc; based computer
systems. It is based primarily on software from U.C. Berkeley's
CSRG group, with some enhancements from NetBSD, OpenBSD, 386BSD, and
the Free Software Foundation.Since our release of FreeBSD 2.0 in late 94, the performance,
feature set, and stability of FreeBSD has improved dramatically.
The largest change is a revamped virtual memory system with a merged
VM/file buffer cache that not only increases performance, but also
reduces FreeBSD's memory footprint, making a 5 MB configuration a
more acceptable minimum. Other enhancements include full NIS client
and server support, transaction TCP support, dial-on-demand PPP,
integrated DHCP support, an improved SCSI subsystem, ISDN support,
support for ATM, FDDI, Fast and Gigabit Ethernet (1000 Mbit)
adapters, improved support for the latest Adaptec controllers, and
many thousands of bug fixes.In addition to the base distributions, FreeBSD offers a
ported software collection with thousands of commonly
sought-after programs. At the time of this printing, there
were over &os.numports; ports! The list of ports ranges from
http (WWW) servers, to games, languages, editors, and almost
everything in between. The entire ports collection requires
approximately &ports.size; of storage, all ports being expressed as
deltas to their original sources. This makes
it much easier for us to update ports, and greatly reduces the
disk space demands made by the older 1.0 ports collection. To
compile a port, you simply change to the directory of the
program you wish to install, type make
install, and let the system do the rest. The full
original distribution for each port you build is retrieved
dynamically off the CDROM or a local FTP site, so you need
only enough disk space to build the ports you want. Almost
every port is also provided as a pre-compiled
package, which can be installed with a simple
command (pkg_add) by those who do not wish
to compile their own ports from source. More information on
packages and ports can be found in .A number of additional documents which you may find very helpful
in the process of installing and using FreeBSD may now also be found
in the /usr/share/doc directory on any recent
FreeBSD machine. You may view the locally installed
manuals with any HTML capable browser using the following
URLs:The FreeBSD Handbook/usr/share/doc/handbook/index.htmlThe FreeBSD FAQ/usr/share/doc/faq/index.htmlYou can also view the master (and most frequently updated)
copies at .
diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
index e902dad898..9ed07a885d 100644
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
@@ -1,2290 +1,2290 @@
TomRhodesWritten by Mandatory Access ControlSynopsisMACMandatory Access Control&os; 5.X introduced new security extensions from the
TrustedBSD project based on the &posix;.1e draft. Two of the most
significant new security mechanisms are file system Access Control
Lists (ACLs) and Mandatory Access Control
(MAC) facilities. Mandatory Access Control allows
new access control modules to be loaded, implementing new security
policies. Some provide protections of a narrow subset of the
system, hardening a particular service, while others provide
comprehensive labeled security across all subjects and objects.
The mandatory part
of the definition comes from the fact that the enforcement of
the controls is done by administrators and the system, and is
not left up to the discretion of users as is done with
discretionary access control (DAC, the standard
file and System V IPC permissions on &os;).This chapter will focus on the
Mandatory Access Control Framework (MAC Framework), and a set
of pluggable policy modules implementing various security
policies.After reading this chapter, you will know:What MAC modules are currently
included in &os; and their associated policies.What MAC policies are capable of
implementing, the difference between a label and non-labeled
policy.How to efficiently configure a system to use
the MAC framework.How to configure the different policies used by the
MAC modules.How to implement a more secure environment using the
MAC framework and the examples
shown.How to test the MAC configuration
to ensure the framework has been properly implemented.Before reading this chapter, you should:Understand &unix; and &os; basics
().Be familiar with
the basics of kernel configuration/compilation
().Have some familiarity with security and how it
pertains to &os; ().The improper use of the
information in this chapter may cause loss of access to the system,
aggravation of users, or inability to access the features
- provided by &xfree86;. More importantly, MAC should not
+ provided by X11. More importantly, MAC should not
be relied upon to completely secure a system. The
MAC framework only augments
existing security policy; without sound security practices and
regular security checks, the system will never be completely
secure.It should also be noted that the examples contained
within this chapter are just that, examples. It is not
recommended that these particular settings be rolled out
on a production system. Implementing these policies takes
a good deal of thought. One who does not fully understand
exactly how everything works may find him or herself going
back through the entire system and reconfiguring many files
or directories.What Will Not Be CoveredThis chapter covers a broad range of security issues relating
to the MAC framework; however, the
development of new MAC policies
will not be covered. A number of modules included with the
MAC framework have specific characteristics
which are provided for both testing and new module
development. These include the &man.mac.test.4;,
&man.mac.stub.4; and &man.mac.none.4; modules/policies.
For more information on these modules and the various
mechanisms they provide, please review the manual pages.Key Terms in this ChapterBefore reading this chapter, a few key terms must be
explained. This will hopefully clear up any confusion that
may occur and avoid the abrupt introduction of new terms
and information.compartment: A compartment is a
a set of programs and data to be partitioned or separated,
where users are given explicit access to specific components
of a system. Also, a compartment represents a grouping,
such as a work group, department, project, or topic. Using
compartments, it is possible to implement a need-to-know
policy.integrity: Integrity, as a key
concept, is the level of trust which can be placed on data.
As the integrity of the data is elevated, so does the ability
to trust that data.label: A label is a security
attribute which can be applied to files, directories, or
other items in the system. It could be considered
to be a confidentiality stamp; when a label is placed on
a file it describes the security properties for that specific
file and will only permit access by files, users, resources,
etc. with a similar security setting. The meaning and
interpretation of label values depends on the policy: while
some policies might treat a label as representing the
integrity or secrecy of an object, other policies might use
labels to hold rules for access.level: The increased or decreased
setting of a security attribute. As the level increases,
its security is considered to elevate as well.multilabel: The
property is a file system option
which can be set in single user mode using the
&man.tunefs.8; utility; set during the boot operation
using the &man.fstab.5; file; or during the creation of
a new file system. This option will permit an administrator
to apply different MAC labels on different
objects. This option
only applies to labeled policies.object: An object or system
object is an entity through which information flows
under the direction of a subject.
This includes directories, files, fields, screens, keyboards,
memory, magnetic storage, printers or any other data
storage/moving device. Basically, an object is a data container or
a system resource; access to an object
effectively means access to the data.policy: A collection of rules
which defines how objectives are to be achieved. A
policy usually documents how certain
items are to be handled. This chapter will
consider the term policy in this
context as a security policy; i.e.
a collection of rules which will control the flow of data
and information and define whom will have access to that
data and information.sensitivity: Usually used when
discussing MLS. A sensitivity level is
a term used to describe how important or secret the data
should be. As the sensitivity level increases, so does the
importance of the secrecy, or confidentiality of the data.single label: A single label is
when the entire file system uses one label to
enforce access control over the flow of data. When a file
system has this set, which is any time when the
option is not set, all
files will conform to the same label setting.subject: a subject is any
active entity that causes information to flow between
objects; e.g. a user, user processor,
system process, etc. On &os;, this is almost always a thread
acting in a process on behalf of a user.Explanation of MACWith all of these new terms in mind, consider how the
MAC framework augments the security of
the system as a whole. The various security policies provided by
the MAC framework could be used to
protect the network and file systems, block users from
accessing certain ports and sockets, and more. Perhaps
the best use of the policies is to blend them together, by loading
several security policy modules at a time, for a multi-layered
security environment. In a multi-layered security environment,
multiple policies are in effect to keep security in check. This
is different then a hardening policy, which typically hardens
elements of a system that is used only for specific purposes.
The only downside is administrative overhead in cases of
multiple file system labels, setting network access control
user by user, etc.These downsides are minimal when compared to the lasting
effect of the framework; for instance, the ability to pick choose
which policies are required for a specific configuration keeps
performance overhead down. The reduction of support for unneeded
policies can increase the overall performance of the system as well as
offer flexibility of choice. A good implementation would
consider the overall security requirements and effectively implement
the various policies offered by the framework.Thus a system utilizing MAC features
should at least guarantee that a user will not be permitted
to change security attributes at will; all user utilities,
programs and scripts must work within the constraints of
the access rules provided by the selected policies; and
that total control of the MAC access
rules are in the hands of the system administrator.It is the sole duty of the system administrator to
carefully select the correct policies. Some environments
may need to limit access control over the network; in these
cases, the &man.mac.portacl.4;, &man.mac.ifoff.4; and even
&man.mac.biba.4; policies might make good starting points. In other
cases, strict confidentiality of file system objects might
be required. Policies such as &man.mac.bsdextended.4;
and &man.mac.mls.4; exist for this purpose.Policy decisions could be made based on network
configuration. Perhaps only certain users should be permitted
access to facilities provided by &man.ssh.1; to access the
network or the Internet. The &man.mac.portacl.4; would be
the policy of choice for these situations. But what should be
done in the case of file systems? Should all access to certain
directories be severed from other groups or specific
users? Or should we limit user or utility access to specific
files by setting certain objects as classified?In the file system case, access to objects might be
considered confidential to some users but not to others.
For an example, a large development team might be broken
off into smaller groups of individuals. Developers in
project A might not be permitted to access objects written
by developers in project B. Yet they might need to access
objects created by developers in project C; that is quite a
situation indeed. Using the different policies provided by
the MAC framework; users could
be divided into these groups and then given access to the
appropriate areas without the fear of information
leakage.Thus, each policy has a unique way of dealing with
the overall security of a system. Policy selection should be based
on a well thought out security policy. In many cases, the
overall policy may need to be revised and reimplemented on
the system. Understanding the different policies offered by
the MAC framework will help administrators
choose the best policies for their situations.The default &os; kernel does not include the option for
the MAC framework; thus the following
kernel option must be added before trying any of the examples or
information in this chapter:options MACAnd the kernel will require a rebuild and a reinstall.While the various manual pages for MAC
modules state that they may be built into the kernel,
it is possible to lock the system out of
the network and more. Implementing MAC
is much like implementing a firewall, but care must be taken
to prevent being completely locked out of the system. The
ability to revert back to a previous configuration should be
considered while the implementation of MAC
remotely should be done with extreme caution.Understanding MAC LabelsA MAC label is a security attribute
which may be applied to subjects and objects throughout
the system.When setting a label, the user must be able to comprehend
what it is, exactly, that is being done. The attributes
available on an object depend on the policy loaded, and that
policies interpret their attributes in pretty different
ways. If improperly configured due to lack of comprehension, or
the inability to understand the implications, the result will
be the unexpected and perhaps, undesired, behavior of the
system.The security label on an object is used as a part of a
security access control decision by a policy. With some
policies, the label by itself contains all information necessary
to make a decision; in other models, the labels may be processed
as part of a larger rule set, etc.For instance, setting the label of biba/low
on a file will represent a label maintained by the Biba policy,
with a value of low.A few policies which support the labeling feature in
&os; offers three specific predefined labels. These
are the low, high, and equal labels. Although they enforce
access control in a different manner with each policy, you
can be sure that the low label will be the lowest setting,
the equal label will set the subject or object to be disabled
or unaffected, and the high label will enforce the highest
setting available in the Biba and MLS
policies.Within single label file system environments, only one label may be
used on objects. This will enforce one set of
access permissions across the entire system and in many
environments may be all that is required. There are a few
cases; however, where multiple labels may be set on objects
or subjects in the file system. For those cases, the
option may be passed to
&man.tunefs.8;.In the case of Biba and MLS, a numeric
label may be set to indicate the precise level of hierarchical
control. This numeric level is used to partition or sort
information into different groups of say, classification only
permitting access to that group or a higher group level.In most cases the administrator will only be setting up a
single label to use throughout the file system.Hey wait, this is similar to DAC!
I thought MAC gave control strictly to the
administrator. That statement still holds true, to some
extent root is the one in control and who
configures the policy so that users are placed in the
appropriate categories/access levels. Alas, many policies can
restrict the root user as well. Basic
control over objects will then be released to the group but
root may revoke or modify the settings
at any time. This is the hierarchal/clearance model covered
by policies such as Biba and MLS.Label ConfigurationVirtually all aspects of label policy configuration
will be performed using the base system utilities. These
commands provide a simple interface for object or subject
configuration or the manipulation and verification of
the configuration.All configuration may be done by use of the
&man.setfmac.8; and &man.setpmac.8; utilities.
The setfmac command is used to set
MAC labels on system objects while the
setpmac command is used to set the labels
on system subjects. Observe:&prompt.root; setfmac biba/high testIf no errors occurred with the command above, a prompt
will be returned. The only time these commands are not
quiescent is when an error occurred; similarly to the
&man.chmod.1; and &man.chown.8; commands. In some cases this
error may be a Permission denied and
is usually obtained when the label is being set or modified
on an object which is restricted.Other conditions
may produce different failures. For instance, the file may not
be owned by the user attempting to relabel the object, the
object may not exist or may be read only. A mandatory policy
will not allow the process to relabel the file, maybe because
of a property of the file, a property of the process, or a
property of the proposed new label value. For example: a user
running at low integrity tries to change the label of a high
integrity file. Or perhaps a user running at low integrity
tries to change the label of a low integrity file to a high
integrity label. The system administrator
may use the following commands to overcome this:&prompt.root; setfmac biba/high testPermission denied
&prompt.root; setpmac biba/low setfmac biba/high test
&prompt.root; getfmac test
test: biba/highAs we see above, setpmac
can be used to override the policy's settings by assigning
a different label to the invoked process. The
getpmac utility is usually used with currently
running processes, such as sendmail:
although it takes a process ID in place of
a command the logic is extremely similar. If users
attempt to manipulate a file not in their access, subject to the
rules of the loaded policies, the
Operation not permitted error
will be displayed by the mac_set_link
function.Common Label TypesFor the &man.mac.biba.4;, &man.mac.mls.4; and
&man.mac.lomac.4; policy modules, the ability to assign
simple labels is provided. These take the form of high,
equal and low, what follows is a brief description of
what these labels provide:The low label is considered the
lowest label setting an object or subject may have.
Setting this on objects or subjects will block their
access to objects or subjects marked high.The equal label should only be
placed on objects considered to be exempt from the
policy.The high label grants an object or
subject the highest possible setting.With respect to each policy module, each of those settings
will instate a different information flow directive. Reading
the proper manual pages will further explain the traits of
these generic label configurations.Advanced Label ConfigurationNumeric grade numbers used for
comparison:compartment+compartment; thus
the following:biba/10:2+3+6(5:2+3-20:2+3+4+5+6)May be interpreted as:Biba Policy Label/Grade 10
:Compartments 2, 3 and 6:
(grade 5 ...)In this example, the first grade would be considered
the effective grade with
effective compartments, the second grade
is the low grade and the last one is the high grade.
In most configurations these settings will not be used;
indeed, they offered for more advanced
configurations.When applied to system objects, they will only have a
current grade/compartments as opposed to system subjects
as they reflect the range of available rights in the system,
and network interfaces, where they are used for access
control.The grade and compartments in a subject and object pair
are used to construct a relationship referred to as
dominance, in which a subject dominates an
object, the object dominates the subject, neither dominates
the other, or both dominate each other. The
both dominate case occurs when the two labels
are equal. Due to the information flow nature of Biba, you
have rights to a set of compartments,
need to know, that might correspond to
projects, but objects also have a set of compartments.
Users may have to subset their rights using
su or setpmac in order
to access objects in a compartment from which they are not
restricted.Users and Label SettingsUsers themselves are required to have labels so that
their files and processes may properly interact with the
security policy defined on the system. This is
configured through the login.conf file
by use of login classes. Every policy that uses labels
will implement the user class setting.An example entry containing every policy is listed
below:default:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\
:manpath=/usr/share/man /usr/local/man:\
:nologin=/usr/sbin/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=partition/13,mls/5,biba/10(5-15),lomac10[2]:The label option is used to set the
user class default label which will be enforced by
MAC. Users will never be permitted to
modify this value, thus it can be considered not optional
in the user case. In a real configuration, however, the
administrator will never wish to enable every policy.
It is recommended that the rest of this chapter be reviewed
before any of this configuration is implemented.Users may change their label after the initial login;
however, this change is subject constraints of the policy.
The example above tells the Biba policy that a process's
minimum integrity is 5, its maximum is 15, but the default
effective label is 10. The process will run at 10 until
it chooses to change label, perhaps due to the user using
the setpmac command, which will be constrained by Biba to
the range set at login.In all cases, after a change to
login.conf, the login class capability
database must be rebuilt using cap_mkdb
and this will be reflected throughout every forthcoming
example or discussion.It is useful to note that many sites may have a
particularly large number of users requiring several
different user classes. In depth planning is required
as this may get extremely difficult to manage.Future versions of &os; will include a new way to
deal with mapping users to labels; however, this will
not be available until some time after &os; 5.3.Network Interfaces and Label SettingsLabels may also be set on network interfaces to help
control the flow of data across the network. In all cases
they function in the same way the policies function with
respect to objects. Users at high settings in
biba, for example, will not be permitted
to access network interfaces with a label of low.The may be passed to
ifconfig when setting the
MAC label on network interfaces. For
example:&prompt.root; ifconfig bge0 maclabel biba/equalwill set the MAC label of
biba/equal on the &man.bge.4; interface.
When using a setting similar to
biba/high(low-high) the entire label should
be quoted; otherwise an error will be returned.Each policy which supports labeling has some tunable
which may be used to disable the MAC
label on network interfaces. Setting the label to
will have a similar effect. Review
the output from sysctl, the policy manual
pages, or even the information found later in this chapter
for those tunables.Singlelabel or Multilabel?By default the system will use the
option. But what does this
mean to the administrator? There are several differences
which, in their own right, offer pros and cons to the
flexibility in the systems security model.The only permits for one
label, for instance biba/high to be used
for each subject or object. It provides for lower
administration overhead but decreases the flexibility of
policies which support labeling. Many administrators may
want to use the option in
their security policy.The option will permit each
subject or object to have its own independent
MAC label in
place of the standard option
which will allow only one label throughout the partition.
The and
label options are only required for the policies which
implement the labeling feature, including the Biba, Lomac,
MLS and SEBSD
policies.In many cases, the may not need
to be set at all. Consider the following situation and
security model:&os; web-server using the MAC
framework and a mix of the various policies.This machine only requires one label,
biba/high, for everything in the system.
Here the file system would not require the
option as a single label
will always be in effect.But, this machine will be a web server and should have
the web server run at biba/low to prevent
write up capabilities. The Biba policy and how it works
will be discussed later, so if the previous comment was
difficult to interpret just continue reading and return.
The server could use a separate partition set at
biba/low for most if not all of its
runtime state. Much is lacking from this example, for
instance the restrictions on data, configuration and user
settings; however, this is just a quick example to prove the
aforementioned point.If any of the non-labeling policies are to be used,
then the option would never
be required. These include the seeotheruids,
portacl and partition
policies.It should also be noted that using
with a partition and establishing
a security model based on
functionality could open the doors for higher administrative
overhead as everything in the file system would have a label.
This includes directories, files, and even device
nodes.The following command will set
on the file systems to have multiple labels. This may only be
done in single user mode:&prompt.root; tunefs -l enable /This is not a requirement for the swap file
system.Some users have experienced problems with setting the
flag on the root partition.
If this is the case, please review the
of this chapter.Controlling MAC with TunablesWithout any modules loaded, there are still some parts
of MAC which may be configured using
the sysctl interface. These tunables
are described below and in all cases the number one (1)
means enabled while the number zero (0) means
disabled:security.mac.enforce_fs defaults to
one (1) and enforces MAC file system
policies on the file systems.security.mac.enforce_kld defaults to
one (1) and enforces MAC kernel linking
policies on the dynamic kernel linker (see
&man.kld.4;).security.mac.enforce_network defaults
to one (1) and enforces MAC network
policies.security.mac.enforce_pipe defaults
to one (1) and enforces MAC policies
on pipes.security.mac.enforce_process defaults
to one (1) and enforces MAC policies
on processes which utilize inter-process
communication.security.mac.enforce_socket defaults
to one (1) and enforces MAC policies
on sockets (see the &man.socket.2; manual page).security.mac.enforce_system defaults
to one (1) and enforces MAC policies
on system activities such as accounting and
rebooting.security.mac.enforce_vm defaults
to one (1) and enforces MAC policies
on the virtual memory system.Every policy or MAC option supports
tunables. These usually hang off of the
security.mac.<policyname> tree.
To view all of the tunables from MAC
use the following command:&prompt.root; sysctl -da | grep macThis should be interpreted as all of the basic
MAC policies are enforced by default.
If the modules were built into the kernel the system
would be extremely locked down and most likely unable to
communicate with the local network or connect to the Internet,
etc. This is why building the modules into the kernel is not
completely recommended. Not because it limits the ability to
disable features on the fly with sysctl,
but it permits the administrator to instantly switch the
policies of a system without the requirement of rebuilding
and reinstalling a new system.Module ConfigurationEvery module included with the MAC
framework may be either compiled into the kernel as noted above
or loaded as a run-time kernel module.
The recommended method is to add the module name to the
/boot/loader.conf file so that it will load
during the initial boot operation.The following sections will discuss the various
MAC modules and cover their features.
Implementing them into a specific environment will also
be a consideration of this chapter. Some modules support
the use of labeling, which is controlling access by enforcing
a label such as this is allowed and this is not.
A label configuration file may control how files may be accessed,
network communication can be exchanged, and more. The previous
section showed how the flag could
be set on file systems to enable per-file or per-partition
access control.A single label configuration would enforce only one label
across the system, that is why the tunefs
option is called .The MAC seeotheruids ModuleMAC See Other UIDs PolicyModule name: mac_seeotheruids.koKernel configuration line:
options MAC_SEEOTHERUIDSBoot option:
mac_seeotheruids_load="YES"The &man.mac.seeotheruids.4; module mimics and extends
the security.bsd.see_other_uids and
security.bsd.see_other_gidssysctl tunables. This option does
not require any labels to be set before configuration and
can operate transparently with the other modules.After loading the module, the following
sysctl tunables may be used to control
the features:security.mac.seeotheruids.enabled
will enable the module's features and use the default
settings. These default settings will deny users the
ability to view processes and sockets owned by other
users.security.mac.seeotheruids.specificgid_enabled
will allow a certain group to be exempt from this policy.
To exempt specific groups from this policy, use the
security.mac.seeotheruids.specificgid=XXXsysctl tunable. In the above example,
the XXX should be replaced with the
numeric group ID to be exempted.security.mac.seeotheruids.primarygroup_enabled
is used to exempt specific primary groups from this policy.
When using this tunable, the
security.mac.seeotheruids.specificgid_enabled
may not be set.It should be noted that the root
user is not exempt from this policy. This is one of the
large differences between the MAC version
and the standard tunable version included by default:
security.bsd.seeotheruids.The MAC bsdextended ModuleMACFile System Firewall PolicyModule name: mac_bsdextended.koKernel configuration line:
options MAC_BSDEXTENDEDBoot option:
mac_bsdextended_load="YES"The &man.mac.bsdextended.4; module enforces the file system
firewall. This module's policy provides an extension to the
standard file system permissions model, permitting an
administrator to create a firewall-like ruleset to protect files,
utilities, and directories in the file system hierarchy.The policy may be created using a utility, &man.ugidfw.8;,
that has a syntax similar to that of &man.ipfw.8;. More tools
can be written by using the functions in the
&man.libugidfw.3; library.Extreme caution should be taken when working with this
module; incorrect use could block access to certain parts of
the file system.ExamplesAfter the &man.mac.bsdextended.4; module has
been loaded, the following command may be used to list the
current rule configuration:&prompt.root; ugidfw list
0 slots, 0 rulesAs expected, there are no rules defined. This means that
everything is still completely accessible. To create a rule
which will block all access by users but leave
root unaffected, simply run the
following command:&prompt.root; ugidfw add subject not uid root new object not uid root mode nIn releases prior to &os; 5.3, the
add parameter did not exist. In those
cases the set should be used
instead. See below for a command example.This is a very bad idea as it will block all users from
issuing even the most simple commands, such as
ls. A more patriotic list of rules
might be:&prompt.root; ugidfw set 2 subject uid user1 object uid user2 mode n
&prompt.root; ugidfw set 3 subject uid user1 object gid user2 mode nThis will block any and all access, including directory
listings, to user2's home
directory from the username user1.In place of user1, the
could
be passed. This will enforce the same access restrictions
above for all users in place of just one user.The root user will be unaffected
by these changes.This should give a general idea of how the
&man.mac.bsdextended.4; module may be used to help fortify
a file system. For more information, see the
&man.mac.bsdextended.4; and the &man.ugidfw.8; manual
pages.The MAC ifoff ModuleMAC Interface Silencing PolicyModule name: mac_ifoff.koKernel configuration line:
options MAC_IFOFFBoot option: mac_ifoff_load="YES"The &man.mac.ifoff.4; module exists solely to disable network
interfaces on the fly and keep network interfaces from being
brought up during the initial system boot. It does not require
any labels to be set up on the system, nor does it have a
dependency on other MAC modules.Most of the control is done through the
sysctl tunables listed below.security.mac.ifoff.lo_enabled will
enable/disable all traffic on the loopback (&man.lo.4;)
interface.security.mac.ifoff.bpfrecv_enabled will
enable/disable all traffic on the Berkeley Packet Filter
interface (&man.bpf.4;)security.mac.ifoff.other_enabled will
enable/disable traffic on all other interfaces.One of the most common uses of &man.mac.ifoff.4; is network
monitoring in an environment where network traffic should not
be permitted during the boot sequence. Another suggested use
would be to write a script which uses
security/aide to automatically
block network traffic if it finds new or altered files in
protected directories.The MAC portacl ModuleMAC Port Access Control List PolicyModule name: mac_portacl.koKernel configuration line:
MAC_PORTACLBoot option: mac_portacl_load="YES"The &man.mac.portacl.4; module is used to limit binding to
local TCP and UDP ports
using a variety of sysctl variables. In
essence &man.mac.portacl.4; makes it possible to allow
non-root users to bind to specified
privileged ports, i.e. ports fewer than 1024.Once loaded, this module will enable the
MAC policy on all sockets. The following
tunables are available:security.mac.portacl.enabled will
enable/disable the policy completely.Due to
a bug the security.mac.portacl.enabledsysctl variable will not work on
&os; 5.2.1 or previous releases.security.mac.portacl.port_high will set
the highest port number that &man.mac.portacl.4;
will enable protection for.security.mac.portacl.suser_exempt will,
when set to a non-zero value, exempt the
root user from this policy.security.mac.portacl.rules will
specify the actual mac_portacl policy; see below.The actual mac_portacl policy, as
specified in the security.mac.portacl.rules
sysctl, is a text string of the form:
rule[,rule,...] with as many rules as
needed. Each rule is of the form:
idtype:id:protocol:port. The
idtype parameter can be
uid or gid and used to
interpret the id parameter as either a
user id or group id, respectively. The
protocol parameter is used to determine if
the rule should apply to TCP or
UDP by setting the parameter to
tcp or udp. The final
port parameter is the port number to allow
the specified user or group to bind to.Since the ruleset is interpreted directly by the kernel
only numeric values can be used for the user ID, group ID, and
port parameters. I.e. user, group, and port service names
cannot be used.By default, on &unix;-like systems, ports fewer than 1024
can only be used by/bound to privileged processes,
i.e. those run as root. For
&man.mac.portacl.4; to allow non-privileged processes to bind
to ports below 1024 this standard &unix; restriction has to be
disabled. This can be accomplished by setting the &man.sysctl.8;
variables net.inet.ip.portrange.reservedlow and
net.inet.ip.portrange.reservedhigh
to zero.See the examples below or review the &man.mac.portacl.4;
manual page for further information.ExamplesThe following examples should illuminate the above
discussion a little better:&prompt.root; sysctl security.mac.portacl.port_high=1023
&prompt.root; sysctl net.inet.ip.portrange.reservedlow=0 net.inet.ip.portrange.reservedhigh=0First we set &man.mac.portacl.4; to cover the standard
privileged ports and disable the normal &unix; bind
restrictions.&prompt.root; sysctl security.mac.portacl.suser_exempt=1The root user should not be crippled
by this policy, thus set the
security.mac.portacl.suser_exempt to a
non-zero value. The &man.mac.portacl.4; module
has now been set up to behave the same way &unix;-like systems
behave by default.&prompt.root; sysctl security.mac.portacl.rules=uid:80:tcp:80Allow the user with UID 80 (normally
the www user) to bind to port 80.
This can be used to allow the www
user to run a web server without ever having
root privilege.&prompt.root; sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995Permit the user with the UID of
1001 to bind to the TCP ports 110
(pop3) and 995 (pop3s).
This will permit this user to start a server that accepts
connections on ports 110 and 995.MAC Policies with Labeling FeaturesThe next few sections will discuss MAC
policies which use labels.From here on this chapter will focus on the features
of &man.mac.biba.4;, &man.mac.lomac.4;,
&man.mac.partition.4;, and &man.mac.mls.4;.This is an example configuration only and should not be
considered for a production implementation. The goal is
to document and show the syntax as well as examples for
implementation and testing.For these policies to work correctly several
preparations must be made.Preparation for Labeling PoliciesThe following changes are required in the
login.conf file:An insecure class, or another
class of similar type, must be
added. The login class of insecure
is not required and just used as an example here; different
configurations may use another class name.The insecure class should have
the following settings and definitions. Several of these
can be altered but the line which defines the default
label is a requirement and must remain.insecure:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\
:manpath=/usr/share/man /usr/local/man:\
:nologin=/usr/sbin/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=partition/13,mls/5,biba/low:The &man.cap.mkdb.1; command needs to be ran on
&man.login.conf.5; before any of the
users can be switched over to the new class.The root should also be placed
into a login class; otherwise, almost every command
executed by root will require the
use of setpmac.Rebuilding the login.conf
database may cause some errors later with the daemon
class. Simply uncommenting the daemon account and
rebuilding the database should alleviate these
issues.Ensure that all partitions on which
MAC labeling will be implemented support
the . We must do this because
many of the examples here contain different labels for
testing purposes. Review the output from the
mount command as a precautionary
measure.Switch any users who will have the higher security
mechanisms enforced over to the new user class. A quick
run of &man.pw.8; or &man.vipw.8; should do the
trick.The MAC partition ModuleMAC Process Partition PolicyModule name: mac_partition.koKernel configuration line:
options MAC_PARTITIONBoot option:
mac_partition_load="YES"The &man.mac.partition.4; policy will drop processes into
specific partitions based on their
MAC label. Think of it as a special
type of &man.jail.8;, though that is hardly a worthy
comparison.This is one module that should be added to the
&man.loader.conf.5; file so that it loads
and enables the policy during the boot process.Most configuration for this policy is done using
the &man.setpmac.8; utility which will be explained below.
The following sysctl tunable is
available for this policy:security.mac.partition.enabled will
enable the enforcement of MAC process
partitions.When this policy is enabled, users will only be permitted
to see their processes but will not be permitted to work with
certain utilities. For instance, a user in the
insecure class above will not be permitted
to access the top command as well as many
other commands that must spawn a process.To set or drop utilities into a partition label, use the
setpmac utility:&prompt.root; setpmac partition/13 topThis will add the top command to the
label set on users in the insecure class.
Note that all processes spawned by users
in the insecure class will stay in the
partition/13 label.ExamplesThe following command will show you the partition label
and the process list:&prompt.root; ps ZaxThis next command will allow the viewing of another
user's process partition label and that user's currently
running processes:&prompt.root; ps -ZU trhodesUsers can see processes in root's
label unless the &man.mac.seeotheruids.4; policy is
loaded.A really crafty implementation could have all of the
services disabled in /etc/rc.conf and
started by a script that starts them with the proper
labeling set.The following policies support integer settings
in place of the three default labels offered. These options,
including their limitations, are further explained in
the module manual pages.The MAC Multi-Level Security ModuleMAC Multi-Level Security PolicyModule name: mac_mls.koKernel configuration line:
options MAC_MLSBoot option: mac_mls_load="YES"The &man.mac.mls.4; policy controls access between subjects
and objects in the system by enforcing a strict information
flow policy.In MLS environments, a
clearance level is set in each subject or objects
label, along with compartments. Since these clearance or
sensibility levels can reach numbers greater than six thousand;
it would be a daunting task for any system administrator to
thoroughly configure each subject or object. Thankfully, three
instant labels are already included in this
policy.These labels are mls/low,
mls/equal and mls/high.
Since these labels are described in depth in the manual page,
they will only get a brief description here:The mls/low label contains a low
configuration which permits it to be dominated by all other
objects. Anything labeled with mls/low
will have a low clearance level and not be permitted to access
information of a higher level. In addition, this label will
prevent objects of a higher clearance level from writing or
passing information on to them.The mls/equal label should be
placed on objects considered to be exempt from the
policy.The mls/high label is the highest level
of clearance possible. Objects assigned this label will
hold dominance over all other objects in the system; however,
they will not permit the leaking of information to objects
of a lower class.MLS provides for:A hierarchical security level with a set of non
hierarchical categories;Fixed rules: no read up, no write down (a subject can
have read access to objects on its own level or below, but
not above. Similarly, a subject can have write access to
objects on its own level or above but not beneath.);Secrecy (preventing inappropriate disclosure
of data);Basis for the design of systems that concurrently handle
data at multiple sensitivity levels (without leaking
information between secret and confidential).The following sysctl tunables are
available for the configuration of special services and
interfaces:security.mac.mls.enabled is used to
enable/disable the MLS policy.security.mac.mls.ptys_equal will label
all &man.pty.4; devices as mls/equal during
creation.security.mac.mls.revocation_enabled is
used to revoke access to objects after their label changes
to a label of a lower grade.security.mac.mls.max_compartments is
used to set the maximum number of compartment levels with
objects; basically the maximum compartment number allowed
on a system.To manipulate the MLS labels, the
&man.setfmac.8; command has been provided. To assign a label
to an object, issue the following command:&prompt.root; setfmac mls/5 testTo get the MLS label for the file
test issue the following command:&prompt.root; getfmac testThis is a summary of the MLS
policy's features. Another approach is to create a master policy
file in /etc which
specifies the MLS policy information and to
feed that file into the setfmac command. This
method will be explained after all policies are covered.Observations: an object with lower clearance is unable to
observe higher clearance processes. A basic policy would be
to enforce mls/high on everything not to be
read, even if it needs to be written. Enforce
mls/low on everything not to be written, even
if it needs to be read. And finally enforce
mls/equal on the rest. All users marked
insecure should be set at
mls/low.The MAC Biba ModuleMAC Biba Integrity PolicyModule name: mac_biba.koKernel configuration line: options MAC_BIBABoot option: mac_biba_load="YES"The &man.mac.biba.4; module loads the MAC
Biba policy. This policy works much like that of the
MLS policy with the exception that the rules
for information flow
are slightly reversed. This is said to prevent the downward
flow of sensitive information whereas the MLS
policy prevents the upward flow of sensitive information; thus,
much of this section can apply to both policies.In Biba environments, an integrity label is
set on each subject or object. These labels are made up of
hierarchal grades, and non-hierarchal components. As an object's
or subject's grade ascends, so does its integrity.Supported labels are biba/low,
biba/equal, and biba/high;
as explained below:The biba/low label is considered the
lowest integrity an object or subject may have. Setting
this on objects or subjects will block their write access
to objects or subjects marked high. They still have read
access though.The biba/equal label should only be
placed on objects considered to be exempt from the
policy.The biba/high label will permit
writing to objects set at a lower label but not
permit reading that object. It is recommended that this
label be placed on objects that affect the integrity of
the entire system.Biba provides for:Hierarchical integrity level with a set of non
hierarchical integrity categories;Fixed rules: no write up, no read down (opposite of
MLS). A subject can have write access
to objects on its own level or below, but not above. Similarly, a
subject can have read access to objects on its own level
or above, but not below;Integrity (preventing inappropriate modification of
data);Integrity levels (instead of MLS sensitivity
levels).The following sysctl tunables can
be used to manipulate the Biba policy.security.mac.biba.enabled may be used
to enable/disable enforcement of the Biba policy on the
target machine.security.mac.biba.ptys_equal may be
used to disable the Biba policy on &man.pty.4;
devices.security.mac.biba.revocation_enabled
will force the revocation of access to objects if the label
is changed to dominate the subject.To access the Biba policy setting on system objects, use
the setfmac and getfmac
commands:&prompt.root; setfmac biba/low test
&prompt.root; getfmac test
test: biba/lowObservations: a lower integrity subject is unable to write
to a higher integrity subject; a higher integrity subject cannot
observe or read a lower integrity object.The MAC LOMAC ModuleMAC LOMACModule name: mac_lomac.koKernel configuration line: options MAC_LOMACBoot option: mac_lomac_load="YES"Unlike the MAC Biba policy, the
&man.mac.lomac.4; policy permits access to lower integrity
objects only after decreasing the integrity level to not disrupt
any integrity rules.The MAC version of the Low-watermark
integrity policy, not to be confused with the older &man.lomac.4;
implementation, works almost identically to Biba but with the
exception of using floating labels to support subject
demotion via an auxiliary grade compartment. This secondary
compartment takes the form of [auxgrade].
When assigning a lomac policy with an auxiliary grade, it
should look a little bit like: lomac/10[2]
where the number two (2) is the auxiliary grade.The MAC LOMAC policy relies on the
ubiquitous labeling of all system objects with integrity labels,
permitting subjects to read from low integrity objects and then
downgrading the label on the subject to prevent future writes to
high integrity objects. This is the
[auxgrade] option discussed above, thus the
policy may provide for greater compatibility and require less
initial configuration than Biba.ExamplesLike the Biba and MLS policies;
the setfmac and setpmac
utilities may be used to place labels on system objects:&prompt.root; setfmac /usr/home/trhodes lomac/high[low]
&prompt.root; getfmac /usr/home/trhodes lomac/high[low]Notice the auxiliary grade here is low,
this is a feature provided only by the MAC
LOMAC policy.Implementing a Secure Environment with MACMAC Example ImplementationThe following demonstration will implement a secure
environment using various MAC modules
with properly configured policies. This is only a test and
should not be considered the complete answer to everyone's
security woes. Just implementing a policy and ignoring it
never works and could be disastrous in a production
environment.Before beginning this process, the
multilabel option must be set on each file
system as stated at the beginning of this chapter. Not doing
so will result in errors.Create an insecure User ClassBegin the procedure by adding the following user class
to the /etc/login.conf file:insecure:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
:manpath=/usr/share/man /usr/local/man:\
:nologin=/usr/sbin/nologin:\
:cputime=1h30m:\
:datasize=8M:\
:vmemoryuse=100M:\
:stacksize=2M:\
:memorylocked=4M:\
:memoryuse=8M:\
:filesize=8M:\
:coredumpsize=8M:\
:openfiles=24:\
:maxproc=32:\
:priority=0:\
:requirehome:\
:passwordtime=91d:\
:umask=022:\
:ignoretime@:\
:label=partition/13,mls/5:And adding the following line to the default user
class::label=mls/equal,biba/equal,partition/equal:Once this is completed, the following command must be
issued to rebuild the database:&prompt.root; cap_mkdb /etc/login.confBoot with the Correct ModulesAdd the following lines to
/boot/loader.conf so the required
modules will load during system initialization:mac_biba_load="YES"
mac_mls_load="YES"
mac_seeotheruids_load="YES"
mac_partition_load="YES"Set All Users to InsecureAll user accounts that are not root
or system users will now require a login class. The login
class is required otherwise users will be refused access
to common commands such as &man.vi.1;.
The following sh script should do the
trick:&prompt.root; for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \/etc/passwd`; do pw usermod $x -L insecure; done;The cap_mkdb command will need to be
run on /etc/master.passwd after this
change.Complete the ConfigurationA contexts file should now be created; the following
example was taken from Robert Watson's example policy and
should be placed in
/etc/policy.contexts.# This is the default BIBA/MLS policy for this system.
.* biba/high,mls/high
/sbin/dhclient biba/high(low),mls/high(low)
/dev(/.*)? biba/equal,mls/equal
# This is not an exhaustive list of all "privileged" devices.
/dev/mdctl biba/high,mls/high
/dev/pci biba/high,mls/high
/dev/k?mem biba/high,mls/high
/dev/io biba/high,mls/high
/dev/agp.* biba/high,mls/high
(/var)?/tmp(/.*)? biba/equal,mls/equal
/tmp/\.X11-unix biba/high(equal),mls/high(equal)
/tmp/\.X11-unix/.* biba/equal,mls/equal
/proc(/.*)? biba/equal,mls/equal
/mnt.* biba/low,mls/low
(/usr)?/home biba/high(low),mls/high(low)
(/usr)?/home/.* biba/low,mls/low
/var/mail(/.*)? biba/low,mls/low
/var/spool/mqueue(/.*)? biba/low,mls/low
(/mnt)?/cdrom(/.*)? biba/high,mls/high
(/usr)?/home/(ftp|samba)(/.*)? biba/high,mls/high
/var/log/sendmail\.st biba/low,mls/low
/var/run/utmp biba/equal,mls/equal
/var/log/(lastlog|wtmp) biba/equal,mls/equalThis policy will enforce security by setting restrictions
on both the downward and upward flow of information with
regards to the directories and utilities listed on the
left.This can now be read into our system by issuing the
following command:&prompt.root; setfsmac -ef /etc/policy.contexts /
&prompt.root; setfsmac -ef /etc/policy.contexts /usrThe above file system layout may be different depending
on environment.The /etc/mac.conf file requires
the following modifications in the main section:default_labels file ?biba,?mls
default_labels ifnet ?biba,?mls
default_labels process ?biba,?mls,?partition
default_labels socket ?biba,?mlsTesting the ConfigurationMAC Configuration TestingAdd a user with the adduser command
and place that user in the insecure
class for these tests.The examples below will show a mix of
root and regular user tests; use the
prompt to distinguish between the two.Basic Labeling Tests&prompt.user; getpmac
biba/15(15-15),mls/15(15-15),partition/15
&prompt.root; setpmac partition/15,mls/equal topThe top process will be killed before we start
another top process.MAC Seeotheruids Tests&prompt.user; ps Zax
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.03 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1101 #C: R+ 0:00.01 ps ZaxWe should not be permitted to see any processes
owned by other users.MAC Partition TestDisable the MAC
seeotheruids policy for the rest of these
tests:&prompt.root; sysctl security.mac.seeotheruids.enabled=0
&prompt.user; ps Zax
LABEL PID TT STAT TIME COMMAND
biba/equal(low-high),mls/equal(low-high),partition/15 1122 #C: S+ 0:00.02 top
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.05 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1123 #C: R+ 0:00.01 ps ZaxAll users should be permitted to see every process in
their partition.Testing Biba and MLS Labels&prompt.root; setpmac partition/15,mls/equal,biba/high\(high-high\) top
&prompt.user; ps Zax
LABEL PID TT STAT TIME COMMAND
biba/high(high-high),mls/equal(low-high),partition/15 1251 #C: S+ 0:00.02 top
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.06 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1157 #C: R+ 0:00.00 ps ZaxThe Biba policy allows us to read higher-labeled
objects.&prompt.root; setpmac partition/15,mls/equal,biba/low top
&prompt.user; ps Zax
LABEL PID TT STAT TIME COMMAND
biba/15(15-15),mls/15(15-15),partition/15 1096 #C: S 0:00.07 -su (bash)
biba/15(15-15),mls/15(15-15),partition/15 1226 #C: R+ 0:00.01 ps ZaxThe Biba policy does not allow lower-labeled objects
to be read; however, MLS does.&prompt.user; ifconfig bge0 | grep maclabel
maclabel biba/low(low-low),mls/low(low-low)
&prompt.user; ping -c 1 192.0.34.166
PING 192.0.34.166 (192.0.34.166): 56 data bytes
ping: sendto: Permission deniedUsers are unable to ping
example.com, or any domain
for that matter.To prevent this error from occurring, run the following
command:&prompt.root; sysctl security.mac.biba.trust_all_interfaces=1This sets the default interface label to insecure mode,
so the default Biba policy label will not be enforced.&prompt.root; ifconfig bge0 maclabel biba/equal\(low-high\),mls/equal\(low-high\)
&prompt.user; ping -c 1 192.0.34.166
PING 192.0.34.166 (192.0.34.166): 56 data bytes
64 bytes from 192.0.34.166: icmp_seq=0 ttl=50 time=204.455 ms
--- 192.0.34.166 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 204.455/204.455/204.455/0.000 msBy setting a more correct label, we can issue
ping requests.Now to create a few files for some read and write
testing procedures:&prompt.root; touch test1 test2 test3 test4 test5
&prompt.root; getfmac test1
test1: biba/equal,mls/equal
&prompt.root; setfmac biba/low test1 test2; setfmac biba/high test4 test5; \
setfmac mls/low test1 test3; setfmac mls/high test2 test4
&prompt.root; setfmac mls/equal,biba/equal test3 && getfmac test?
test1: biba/low,mls/low
test2: biba/low,mls/high
test3: biba/equal,mls/equal
test4: biba/high,mls/high
test5: biba/high,mls/equal
&prompt.root; chown testuser:testuser test?All of these files should now be owned by our
testuser user. And now for some read
tests:&prompt.user; ls
test1 test2 test3 test4 test5
&prompt.user; ls test?
ls: test1: Permission denied
ls: test2: Permission denied
ls: test4: Permission denied
test3 test5We should not be permitted to observe pairs; e.g.:
(biba/low,mls/low),
(biba/low,mls/high) and
(biba/high,mls/high). And of course,
read access should be denied. Now for some write
tests:&prompt.user; for i in `echo test*`; do echo 1 > $i; done
-su: test1: Permission denied
-su: test4: Permission denied
-su: test5: Permission deniedLike with the read tests, write access should not be
permitted to write pairs; e.g.:
(biba/low,mls/high) and
(biba/equal,mls/equal).&prompt.user; cat test?
cat: test1: Permission denied
cat: test2: Permission denied
1
cat: test4: Permission deniedAnd now as root:&prompt.root; cat test2
1Another Example: Using MAC to Constrain a Web ServerA separate location for the web data which users
must be capable of accessing will be appointed. This
will permit biba/high processes access
rights to the web data.Begin by creating a directory to store the web
data in:&prompt.root; mkdir /usr/home/cvsNow initialize it with cvs:&prompt.root; cvs -d /usr/home/cvs initThe first goal is to enable the biba
policy, thus the mac_biba_enable="YES"
should be placed in
/boot/loader.conf. This assumes
that support for MAC has been enabled
in the kernel.From this point on everything in the system should
be set at biba/high by default.The following modification must be made to the
login.conf file, under the default
user class::ignoretime@:\
:umask=022:\
:label=biba/high:Every user should now be placed in the default class;
a command such as:&prompt.root; for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \/etc/passwd`; do pw usermod $x -L default; done;will accomplish this task in a few moments.Now create another class, web, a copy of default,
with the label setting of biba/low.Create a user who will be used to work with the
main web data stored in a cvs
repository. This user must be placed in our new login
class, web.Since the default is biba/high
everywhere, the repository will be the same. The web data must
also be the same for users to have read/write access to it;
however, since our web server will be serving data that
biba/high users must access, we will need to
downgrade the data as a whole.The perfect tools for this are &man.sh.1; and
&man.cron.8; and are already provided in &os;. The following
script should do everything we want:PATH=/bin:/usr/bin:/usr/local/bin; export PATH;
CVSROOT=/home/repo; export CVSROOT;
cd /home/web;
cvs -qR checkout -P htdocs;
exit;In many cases the cvs
Id tags must be placed into the web
site data files.This script may now be placed into
web's home directory and the following
&man.crontab.1; entry added:# Check out the web data as biba/low every twelve hours:
0 */12 * * * web /home/web/checkout.shThis will check out the HTML sources
every twelve hours on the machine.The default startup method for the web server must also be
modified to start the process as biba/low.
This can be done by making the following modification to the
/usr/local/etc/rc.d/apache.sh
script:command="setpmac biba/low /usr/local/sbin/httpd"The Apache configuration must be
altered to work with the biba/low policy. In
this case the software must be configured to append to the
log files in a directory set at biba/low
or else access denied errors will be
returned.Following this example requires that the
docroot directive be set to
/home/web/htdocs; otherwise,
Apache will fail when trying
to locate the directory to serve documents from.Other configuration variables must be altered as well,
including the PID file,
Scoreboardfile,
DocumentRoot, log file locations, or any
other variable which requires write access.
When using biba, all write access will be
denied to the server in areas not set at
biba/low.Troubleshooting the MAC FrameworkMAC TroubleshootingDuring the development stage, a few users reported problems
with normal configuration. Some of these problems
are listed below:The option cannot be enabled on
/The flag does not stay
enabled on my root (/) partition!It seems that one out of every fifty users has this
problem, indeed, we had this problem during our initial
configuration. Further observation of this so called
bug has lead me to believe that it is a
result of either incorrect documentation or misinterpretation
of the documentation. Regardless of why it happened, the
following steps may be taken to resolve it:Edit /etc/fstab and set the root
partition at for read-only.Reboot into single user mode.Run tunefs
on /.Reboot the system into normal mode.Run mount/ and change the
back to in /etc/fstab
and reboot the system again.Double-check the output from the
mount to ensure that
has been properly set on the
root file system.Cannot start &xfree86; after MACAfter establishing a secure environment with
MAC, I am no longer able to start
&xfree86;!This could be caused by the MAC
partition policy or by a mislabeling in
one of the MAC labeling policies. To
debug, try the following:Check the error message; if the user is in the
insecure class, the
partition policy may be the culprit.
Try setting the user's class back to the
default class and rebuild the database
with the cap_mkdb command. If this
does not alleviate the problem, go to step two.Double-check the label policies. Ensure that the
policies are set correctly for the user in question, the
&xfree86; application, and
the /dev
entries.If neither of these resolve the problem, send the
error message and a description of your environment to
the TrustedBSD discussion lists located at the
TrustedBSD
website or to the &a.questions;
mailing list.Error: &man..secure.path.3; cannot stat .login_confWhen I attempt to switch from the root
to another user in the system, the error message
_secure_path: unable to state .login_conf.This message is usually shown when the user has a higher
label setting then that of the user whom they are attempting to
become. For instance a user on the system,
joe, has a default label of
. The root user,
who has a label of , cannot view
joe's home directory. This will happen
regardless if root has used the
su command to become joe,
or not. In this scenario, the Biba integrity model will not
permit root to view objects set at a lower
integrity level.The root username is broken!In normal or even single user mode, the
root is not recognized. The
whoami command returns 0 (zero) and
su returns who are you?.
What could be going on?This can happen if a labeling policy has been disabled,
either by a &man.sysctl.8; or the policy module was unloaded.
If the policy is being disabled or has been temporarily
disabled, then the login capabilities database needs to be
reconfigured with the option being
removed. Double check the login.conf
file to ensure that all options have
been removed and rebuild the database with the
cap_mkdb command.
diff --git a/en_US.ISO8859-1/books/handbook/multimedia/chapter.sgml b/en_US.ISO8859-1/books/handbook/multimedia/chapter.sgml
index 1eb1ffd1f8..dc43516e89 100644
--- a/en_US.ISO8859-1/books/handbook/multimedia/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/multimedia/chapter.sgml
@@ -1,1858 +1,1858 @@
RossLippertEdited by MultimediaSynopsisFreeBSD supports a wide variety of sound cards, allowing you
to enjoy high fidelity output from your computer. This includes
the ability to record and playback audio in the MPEG Audio Layer
3 (MP3), WAV, and Ogg Vorbis formats as well as many other
formats. The FreeBSD Ports Collection also contains
applications allowing you to edit your recorded audio, add sound
effects, and control attached MIDI devices.With some willingness to experiment, FreeBSD can support
playback of video files and DVD's. The number of applications
to encode, convert, and playback various video media is more
limited than the number of sound applications. For example as
of this writing, there is no good re-encoding application in the
FreeBSD Ports Collection, which could be use to convert
between formats, as there is with audio/sox. However, the software
landscape in this area is changing rapidly.This chapter will describe the necessary steps to configure
your sound card. The configuration and installation of X11
() has already taken care of the
hardware issues for your video card, though there may be some
tweaks to apply for better playback.After reading this chapter, you will know:How to configure your system so that your sound card is
recognized.Methods to test that your card is working using
sample applications.How to troubleshoot your sound setup.How to playback and encode MP3s and other audio.How video is supported by the X server.Some video player/encoder ports which give good results.How to playback DVD's, .mpg and .avi files.How to rip CD and DVD information into files.How to configure a TV card.How to configure an image scanner.Before reading this chapter, you should:Know how to configure and install a new kernel ().Trying to mount audio CDs
with the &man.mount.8; command will
result in an error, at least, and a kernel
panic, at worst. These media have specialized
encodings which differ from the usual ISO-filesystem.MosesMooreContributed by MarcFonvieilleEnhanced for &os; 5.X by Setting Up the Sound CardConfiguring the SystemPCIISAsound cardsBefore you begin, you should know the model of the card you
have, the chip it uses, and whether it is a PCI or ISA card.
FreeBSD supports a wide variety of both PCI and ISA cards.
Check the supported audio devices list of the Hardware Notes to see if
your card is supported. This document will also mention which
driver supports your card.kernelconfigurationTo use your sound device, you will need to load the proper
device driver. This may be accomplished in one of two ways.
The easiest way is to simply load a kernel module for your sound
card with &man.kldload.8; which can either be done from the
command line:&prompt.root; kldload snd_emu10k1or by adding the appropriate line to the file
/boot/loader.conf like this:snd_emu10k1_load="YES"These examples are for a Creative &soundblaster; Live! sound
card. Other available loadable sound modules are listed in
/boot/defaults/loader.conf.
If you are not sure which driver to use, you may try to load
the snd_driver module:&prompt.root; kldload snd_driverThis is a metadriver loading the most common device drivers
at once. This speeds up the search for the correct driver. It
is also possible to load all sound drivers via the
/boot/loader.conf facility.Under &os; 4.X, to load all sound drivers, you have
to load the snd module instead of
snd_driver.A second method is to statically
compile in support for your sound card in your kernel. The
section below provides the information you need to add support
for your hardware in this manner. For more information about
recompiling your kernel, please see .Configuring a Custom Kernel with Sound SupportThe first thing to do is adding the generic audio driver
&man.sound.4; to the kernel, for that you will need to
add the following line to the kernel configuration file:device soundUnder &os; 4.X, you would use the following
line:device pcmThen we have to add the support for our sound card.
Therefore, we need to know which driver supports the card.
Check the supported audio devices list of the Hardware Notes, to
determine the correct driver for your sound card. For
example, a Creative &soundblaster; Live! sound card is
supported by the &man.snd.emu10k1.4; driver. To add the support
for this card, use the following:device "snd_emu10k1"Be sure to read the manual page of the driver for the
syntax to use. Information regarding the syntax of sound
drivers in the kernel configuration can also be found in the
/usr/src/sys/conf/NOTES file
(/usr/src/sys/i386/conf/LINT for
&os; 4.X).Non-PnP ISA cards may require you to provide the kernel
with information on the sound card settings (IRQ, I/O port,
etc). This is done via the
/boot/device.hints file. At system boot,
the &man.loader.8; will read this file and pass the settings
to the kernel. For example, an old
Creative &soundblaster; 16 ISA non-PnP card will use the
&man.snd.sbc.4; driver, with the following line added to
the kernel configuration file:device snd_sbcas well as the following in
/boot/device.hints:hint.sbc.0.at="isa"
hint.sbc.0.port="0x220"
hint.sbc.0.irq="5"
hint.sbc.0.drq="1"
hint.sbc.0.flags="0x15"In this case, the card uses the 0x220
I/O port and the IRQ 5.The syntax used in the
/boot/device.hints file is covered in the
sound driver manual page. On &os; 4.X, these settings
are directly written in the kernel configuration file. In the
case of our ISA card, we would only use this line:device sbc0 at isa? port 0x220 irq 5 drq 1 flags 0x15The settings shown above are the defaults. In some
cases, you may need to change the IRQ or the other settings to
match your card. See the &man.snd.sbc.4; manual page for more
information.Under &os; 4.X, some systems with built-in
motherboard sound devices may require the following option in
the kernel configuration:options PNPBIOSTesting the Sound CardAfter rebooting with the modified kernel, or after loading
the required module, the sound card should appear in your system
message buffer (&man.dmesg.8;) as something like:pcm0: <Intel ICH3 (82801CA)> port 0xdc80-0xdcbf,0xd800-0xd8ff irq 5 at device 31.5 on pci0
pcm0: [GIANT-LOCKED]
pcm0: <Cirrus Logic CS4205 AC97 Codec>The status of the sound card may be checked via the
/dev/sndstat file:&prompt.root; cat /dev/sndstat
FreeBSD Audio Driver (newpcm)
Installed devices:
pcm0: <Intel ICH3 (82801CA)> at io 0xd800, 0xdc80 irq 5 bufsz 16384
kld snd_ich (1p/2r/0v channels duplex default)The output from your system may vary. If no
pcm devices show up, go back and review
what was done earlier. Go through your kernel
configuration file again and make sure the correct
device is chosen. Common problems are listed in .If all goes well, you should now have a functioning sound
card. If your CD-ROM or DVD-ROM drive is properly coupled to
your sound card, you can put a CD in the drive and play it
with &man.cdcontrol.1;:&prompt.user; cdcontrol -f /dev/acd0 play 1Various applications, such as audio/workman can provide a friendlier
interface. You may want to install an application such as
audio/mpg123 to listen to
MP3 audio files. A quick way to test the card is sending data
to the /dev/dsp, like this:&prompt.user; cat filename > /dev/dspwhere filename can be any file.
This command line should produce some noise, confirming the
sound card is actually working.&os; 4.X users need to create the sound card device
nodes before being able to use it. If the card showed up in
message buffer as pcm0, you will have
to run the following as root:&prompt.root; cd /dev
&prompt.root; sh MAKEDEV snd0If the card detection returned pcm1,
follow the same steps as shown above, replacing
snd0 with
snd1.MAKEDEV will create a group of device
nodes that will be used by the different sound related
applications.Sound card mixer levels can be changed via the &man.mixer.8;
command. More details can be found in the &man.mixer.8; manual
page.Common Problemsdevice nodesI/O portIRQDSPErrorSolutionunsupported subdevice XXOne or more of the device nodes was not created
correctly. Repeat the steps above.sb_dspwr(XX) timed outThe I/O port is not set correctly.bad irq XXThe IRQ is set incorrectly. Make sure that
the set IRQ and the sound IRQ are the same.xxx: gus pcm not attached, out of memoryThere is not enough available memory to use
the device.xxx: can't open /dev/dsp!Check with fstat | grep dsp
if another application is holding the device open.
Noteworthy troublemakers are esound and KDE's sound
support.MunishChopraContributed by Utilizing Multiple Sound SourcesIt is often desirable to have multiple sources of sound that
are able to play simultaneously, such as when
esound or
artsd do not support sharing of the
sound device with a certain application.FreeBSD lets you do this through Virtual Sound
Channels, which can be set with the &man.sysctl.8;
facility. Virtual channels allow you to multiplex your sound
card's playback channels by mixing sound in the kernel.To set the number of virtual channels, there are two sysctl
knobs which, if you are the root user, can
be set like this:&prompt.root; sysctl hw.snd.pcm0.vchans=4
&prompt.root; sysctl hw.snd.maxautovchans=4The above example allocates four virtual channels, which is a
practical number for everyday use. hw.snd.pcm0.vchans
is the number of virtual channels pcm0 has, and is configurable
once a device has been attached.
hw.snd.maxautovchans is the number of virtual channels
a new audio device is given when it is attached using
&man.kldload.8;. Since the pcm module
can be loaded independently of the hardware drivers,
hw.snd.maxautovchans can store how many
virtual channels any devices which are attached later will be
given.If you are not using &man.devfs.5;, you will have to point
your applications at /dev/dsp0.x, where
x is 0 to 3 if hw.snd.pcm.0.vchans is set
to 4 as in the above example. On a system using &man.devfs.5;, the above will automatically be
allocated transparently to the user.JosefEl-RayesContributed by Setting Default Values for Mixer ChannelsThe default values for the different mixer channels are
hardcoded in the sourcecode of the &man.pcm.4; driver. There are
a lot of different applications and daemons that allow
you to set values for the mixer they remember and set
each time they are started, but this is not a clean
solution, we want to have default values at the driver
level. This is accomplished by defining the appropriate
values in /boot/device.hints. E.g.:hint.pcm.0.vol="100"This will set the volume channel to a default value of
100, as soon as the &man.pcm.4; module gets loaded.Only &os; 5.3 and above support this.ChernLeeContributed by MP3 AudioMP3 (MPEG Layer 3 Audio) accomplishes near CD-quality sound,
leaving no reason to let your FreeBSD workstation fall short of
its offerings.MP3 Players
- By far, the most popular &xfree86; MP3 player is
+ By far, the most popular X11 MP3 player is
XMMS (X Multimedia System).
Winamp
skins can be used with XMMS since the
GUI is almost identical to that of Nullsoft's
Winamp.
XMMS also has native plug-in
support.XMMS can be installed from the
multimedia/xmms port or package.XMMS' interface is intuitive,
with a playlist, graphic equalizer, and more. Those familiar
with Winamp will find
XMMS simple to use.The audio/mpg123 port is an alternative,
command-line MP3 player.mpg123 can be run by specifying
the sound device and the MP3 file on the command line, as
shown below:&prompt.root; mpg123 -a /dev/dsp1.0 Foobar-GreatestHits.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2 and 3.
Version 0.59r (1999/Jun/15). Written and copyrights by Michael Hipp.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
Playing MPEG stream from Foobar-GreatestHits.mp3 ...
MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo
/dev/dsp1.0 should be replaced with the
dsp device entry on your system.Ripping CD Audio TracksBefore encoding a CD or CD track to MP3, the audio data on
the CD must be ripped onto the hard drive. This is done by
copying the raw CDDA (CD Digital Audio) data to WAV
files.The cdda2wav tool, which is a part of
the sysutils/cdrtools
suite, is used for ripping audio information from CDs and the
information associated with them.With the audio CD in the drive, the following command can
be issued (as root) to rip an entire CD
into individual (per track) WAV files:&prompt.root; cdda2wav -D 0,1,0 -Bcdda2wav will support
ATAPI (IDE) CDROM drives. To rip from an IDE drive, specify
the device name in place of the SCSI unit numbers. For
example, to rip track 7 from an IDE drive:&prompt.root; cdda2wav -D /dev/acd0a -t 7The
indicates the SCSI device 0,1,0,
which corresponds to the output of cdrecord
-scanbus.To rip individual tracks, make use of the
option as shown:&prompt.root; cdda2wav -D 0,1,0 -t 7This example rips track seven of the audio CDROM. To rip
a range of tracks, for example, track one to seven, specify a
range:&prompt.root; cdda2wav -D 0,1,0 -t 1+7The utility &man.dd.1; can also be used to extract audio tracks
on ATAPI drives, read
for more information on that possibility.Encoding MP3sNowadays, the mp3 encoder of choice is
lame.
Lame can be found at
audio/lame in the ports tree.Using the ripped WAV files, the following command will
convert audio01.wav to
audio01.mp3:&prompt.root; lame -h -b 128 \
--tt "Foo Song Title" \
--ta "FooBar Artist" \
--tl "FooBar Album" \
--ty "2001" \
--tc "Ripped and encoded by Foo" \
--tg "Genre" \
audio01.wav audio01.mp3128 kbits seems to be the standard MP3 bitrate in use.
Many enjoy the higher quality 160, or 192. The higher the
bitrate, the more disk space the resulting MP3 will
consume--but the quality will be higher. The
option turns on the higher quality
but a little slower mode. The options beginning with
indicate ID3 tags, which usually contain
song information, to be embedded within the MP3 file.
Additional encoding options can be found by consulting the
lame man page.Decoding MP3sIn order to burn an audio CD from MP3s, they must be
converted to a non-compressed WAV format. Both
XMMS and
mpg123 support the output of MP3 to
an uncompressed file format.Writing to Disk in XMMS:Launch XMMS.Right-click on the window to bring up the
XMMS menu.Select Preference under
Options.Change the Output Plugin to Disk Writer
Plugin.Press Configure.Enter (or choose browse) a directory to write the
uncompressed files to.Load the MP3 file into XMMS
as usual, with volume at 100% and EQ settings turned
off.Press Play —
XMMS will appear as if it is
playing the MP3, but no music will be heard. It is
actually playing the MP3 to a file.Be sure to set the default Output Plugin back to what
it was before in order to listen to MP3s again.Writing to stdout in mpg123:Run mpg123 -s audio01.mp3
> audio01.pcmXMMS writes a file in the WAV
format, while mpg123 converts the
MP3 into raw PCM audio data. Both of these formats can be
used with cdrecord to create audio CDs.
You have to use raw PCM with &man.burncd.8;.
If you use WAV files, you will notice a small tick sound at the
beginning of each track, this sound is the header of the WAV
file. You can simply remove the header of a WAV file with the
utility SoX (it can be installed from
the audio/sox port or
package):&prompt.user; sox -t wav -r 44100 -s -w -c 2 track.wav track.rawRead for more information on using a
CD burner in FreeBSD.RossLippertContributed by Video PlaybackVideo playback is a very new and rapidly developing application
area. Be patient. Not everything is going to work as smoothly as
it did with sound.Before you begin, you should know the model of the video
card you have and the chip it uses. While &xorg; and &xfree86; support a
wide variety of video cards, fewer give good playback
performance. To obtain a list of extensions supported by the
X server using your card use the command &man.xdpyinfo.1; while
X11 is running.It is a good idea to have a short MPEG file which can be
treated as a test file for evaluating various players and
options. Since some DVD players will look for DVD media in
/dev/dvd by default, or have this device
name hardcoded in them, you might find it useful to make
symbolic links to the proper devices:&prompt.root; ln -sf /dev/acd0c /dev/dvd
&prompt.root; ln -sf /dev/racd0c /dev/rdvdOn FreeBSD 5.X, which uses &man.devfs.5; there
is a slightly different set of recommended links:&prompt.root; ln -sf /dev/acd0 /dev/dvd
&prompt.root; ln -sf /dev/acd0 /dev/rdvdNote that due to the nature of &man.devfs.5;,
manually created links like these will not persist if you reboot
your system. In order to create the symbolic links
automatically whenever you boot your system, add the following
lines to /etc/devfs.conf:link acd0 dvd
link acd0 rdvdAdditionally, DVD decryption, which requires invoking
special DVD-ROM functions, requires write permission on the DVD
devices.kernel optionsoptions CPU_ENABLE_SSEkernel optionsoptions USER_LDTSome of the ports discussed rely on the following kernel
options to build correctly. Before attempting to build, add
these options to the kernel configuration file, build a new kernel, and reboot:option CPU_ENABLE_SSE
option USER_LDToption USER_LDT does not exist on
&os; 5.X.To enhance the shared memory X11 interface, it is
recommended that the values of some &man.sysctl.8; variables
should be increased:kern.ipc.shmmax=67108864
kern.ipc.shmall=32768Determining Video CapabilitiesXVideoSDLDGAThere are several possible ways to display video under X11.
What will really work is largely hardware dependent. Each
method described below will have varying quality across
different hardware. Secondly, the rendering of video in X11 is
a topic receiving a lot of attention lately, and with each
version of &xorg;, or of &xfree86;, there may be significant improvement.A list of common video interfaces:X11: normal X11 output using shared memory.XVideo: an extension to the X11
interface which supports video in any X11 drawable.SDL: the Simple Directmedia Layer.DGA: the Direct Graphics Access.SVGAlib: low level console graphics layer.XVideo&xorg; and &xfree86; 4.X have an extension called
XVideo (aka Xvideo, aka Xv, aka xv) which
allows video to be directly displayed in drawable objects
through a special acceleration. This extension provides very
good quality playback even on low-end machines.To check whether the extension is running,
use xvinfo:&prompt.user; xvinfoXVideo is supported for your card if the result looks like:X-Video Extension version 2.2
screen #0
Adaptor #0: "Savage Streams Engine"
number of ports: 1
port base: 43
operations supported: PutImage
supported visuals:
depth 16, visualID 0x22
depth 16, visualID 0x23
number of attributes: 5
"XV_COLORKEY" (range 0 to 16777215)
client settable attribute
client gettable attribute (current value is 2110)
"XV_BRIGHTNESS" (range -128 to 127)
client settable attribute
client gettable attribute (current value is 0)
"XV_CONTRAST" (range 0 to 255)
client settable attribute
client gettable attribute (current value is 128)
"XV_SATURATION" (range 0 to 255)
client settable attribute
client gettable attribute (current value is 128)
"XV_HUE" (range -180 to 180)
client settable attribute
client gettable attribute (current value is 0)
maximum XvImage size: 1024 x 1024
Number of image formats: 7
id: 0x32595559 (YUY2)
guid: 59555932-0000-0010-8000-00aa00389b71
bits per pixel: 16
number of planes: 1
type: YUV (packed)
id: 0x32315659 (YV12)
guid: 59563132-0000-0010-8000-00aa00389b71
bits per pixel: 12
number of planes: 3
type: YUV (planar)
id: 0x30323449 (I420)
guid: 49343230-0000-0010-8000-00aa00389b71
bits per pixel: 12
number of planes: 3
type: YUV (planar)
id: 0x36315652 (RV16)
guid: 52563135-0000-0000-0000-000000000000
bits per pixel: 16
number of planes: 1
type: RGB (packed)
depth: 0
red, green, blue masks: 0x1f, 0x3e0, 0x7c00
id: 0x35315652 (RV15)
guid: 52563136-0000-0000-0000-000000000000
bits per pixel: 16
number of planes: 1
type: RGB (packed)
depth: 0
red, green, blue masks: 0x1f, 0x7e0, 0xf800
id: 0x31313259 (Y211)
guid: 59323131-0000-0010-8000-00aa00389b71
bits per pixel: 6
number of planes: 3
type: YUV (packed)
id: 0x0
guid: 00000000-0000-0000-0000-000000000000
bits per pixel: 0
number of planes: 0
type: RGB (packed)
depth: 1
red, green, blue masks: 0x0, 0x0, 0x0Also note that the formats listed (YUV2, YUV12, etc) are not
present with every implementation of XVideo and their absence may
hinder some players.If the result looks like:X-Video Extension version 2.2
screen #0
no adaptors presentThen XVideo is probably not supported for your card.If XVideo is not supported for your card, this only means
that it will be more difficult for your display to meet the
computational demands of rendering video. Depending on your
video card and processor, though, you might still be able to
have a satisfying experience. You should probably read about
ways of improving performance in the advanced reading .Simple Directmedia LayerThe Simple Directmedia Layer, SDL, was intended to be a
porting layer between µsoft.windows;, BeOS, and &unix;,
allowing cross-platform applications to be developed which made
efficient use of sound and graphics. The SDL layer provides a
low-level abstraction to the hardware which can sometimes be
more efficient than the X11 interface.The SDL can be found at devel/sdl12.Direct Graphics Access
- Direct Graphics Access is an &xfree86; extension which allows
+ Direct Graphics Access is an X11 extension which allows
a program to bypass the X server and directly alter the
framebuffer. Because it relies on a low level memory mapping to
effect this sharing, programs using it must be run as
root.The DGA extension can be tested and benchmarked by
&man.dga.1;. When dga is running, it
changes the colors of the display whenever a key is pressed. To
quit, use q.Ports and Packages Dealing with Videovideo portsvideo packagesThis section discusses the software available from the
FreeBSD Ports Collection which can be used for video playback.
Video playback is a very active area of software development,
and the capabilities of various applications are bound to
diverge somewhat from the descriptions given here.Firstly, it is important to know that many of the video
applications which run on FreeBSD were developed as Linux
applications. Many of these applications are still
beta-quality. Some of the problems that you may encounter with
video packages on FreeBSD include:An application cannot playback a file which another
application produced.An application cannot playback a file which the
application itself produced.The same application on two different machines,
rebuilt on each machine for that machine, plays back the same
file differently.A seemingly trivial filter like rescaling of the image
size results in very bad artifacts from a buggy rescaling
routine.An application frequently dumps core.Documentation is not installed with the port and can be
found either on the web or under the port's work
directory.Many of these applications may also exhibit
Linux-isms. That is, there may be
issues resulting from the way some standard libraries are
implemented in the Linux distributions, or some features of the
Linux kernel which have been assumed by the authors of the
applications. These issues are not always noticed and worked around
by the port maintainers, which can lead to problems like
these:The use of /proc/cpuinfo to detect
processor characteristics.A misuse of threads which causes a program to hang upon
completion instead of truly terminating.Software not yet in the FreeBSD Ports Collection
which is commonly used in conjunction with the application.So far, these application developers have been cooperative with
port maintainers to minimize the work-arounds needed for
port-ing.MPlayerMPlayer is a recently developed and rapidly developing
video player. The goals of the MPlayer team are speed and
flexibility on Linux and other Unices. The project was
started when the team founder got fed up with bad playback
performance on then available players. Some would say that
the graphical interface has been sacrificed for a streamlined
design. However, once
you get used to the command line options and the key-stroke
controls, it works very well.Building MPlayerMPlayermakingMPlayer resides in multimedia/mplayer.
MPlayer performs a variety of
hardware checks during the build process, resulting in a
binary which will not be portable from one system to
another. Therefore, it is important to build it from
ports and not to use a binary package. Additionally, a
number of options can be specified in the make
command line, as described in the Makefile and at the start of the build:&prompt.root; cd /usr/ports/multimedia/mplayer
&prompt.root; make
N - O - T - E
Take a careful look into the Makefile in order
to learn how to tune mplayer towards you personal preferences!
For example,
make WITH_GTK1
builds MPlayer with GTK1-GUI support.
If you want to use the GUI, you can either install
/usr/ports/multimedia/mplayer-skins
or download official skin collections from
http://www.mplayerhq.hu/homepage/dload.html
The default port options should be sufficient for most
users. However, if you need the XviD codec, you have to
specify the WITH_XVID option in the
command line. The default DVD device can also be defined
with the WITH_DVD_DEVICE option, by
default /dev/acd0 will be used.As of this writing, the MPlayer port will build its HTML
documentation and two executables,
mplayer, and
mencoder, which is a tool for
re-encoding video.The HTML documentation for MPlayer is very informative.
If the reader finds the information on video hardware and
interfaces in this chapter lacking, the MPlayer documentation
is a very thorough supplement. You should definitely take
the time to read the MPlayer
documentation if you are looking for information about video
support in &unix;.Using MPlayerMPlayeruseAny user of MPlayer must set up a
.mplayer subdirectory of her
home directory. To create this necessary subdirectory,
you can type the following:&prompt.user; cd /usr/ports/multimedia/mplayer
&prompt.user; make install-userThe command options for mplayer are
listed in the manual page. For even more detail there is HTML
documentation. In this section, we will describe only a few
common uses.To play a file, such as
testfile.avi,
through one of the various video interfaces set the
option:&prompt.user; mplayer -vo xv testfile.avi&prompt.user; mplayer -vo sdl testfile.avi&prompt.user; mplayer -vo x11 testfile.avi&prompt.root; mplayer -vo dga testfile.avi&prompt.root; mplayer -vo 'sdl:dga' testfile.aviIt is worth trying all of these options, as their relative
performance depends on many factors and will vary significantly
with hardware.To play from a DVD, replace the
testfile.avi with where N is
the title number to play and
DEVICE is the
device node for the DVD-ROM. For example, to play title 3
from /dev/dvd:&prompt.root; mplayer -vo xv dvd://3 -dvd-device /dev/dvdThe default DVD device can be defined during the build
of the MPlayer port via the
WITH_DVD_DEVICE option. By default,
this device is /dev/acd0. More
details can be found in the port
Makefile.To stop, pause, advance and so on, consult the
keybindings, which are output by running mplayer
-h or read the manual page.Additional important options for playback are:
which engages the fullscreen mode
and which helps performance.In order for the mplayer command line to not become too
large, the user can create a file
.mplayer/config and set default options
there:vo=xv
fs=yes
zoom=yesFinally, mplayer can be used to rip a
DVD title into a .vob file. To dump
out the second title from a DVD, type this:&prompt.root; mplayer -dumpstream -dumpfile out.vob dvd://2 -dvd-device /dev/dvdThe output file, out.vob, will be
MPEG and can be manipulated by the other packages described
in this section.mencodermencoderBefore using
mencoder it is a good idea to
familiarize yourself with the options from the HTML
documentation. There is a manual page, but it is not very
useful without the HTML documentation. There are innumerable ways to
improve quality, lower bitrate, and change formats, and some
of these tricks may make the difference between good
or bad performance. Here are a couple of examples to get
you going. First a simple copy:&prompt.user; mencoder input.avi -oac copy -ovc copy -o output.aviImproper combinations of command line options can yield
output files that are
unplayable even by mplayer. Thus, if you
just want to rip to a file, stick to the
in mplayer.To convert input.avi to the MPEG4
codec with MPEG3 audio encoding (audio/lame is required):&prompt.user; mencoder input.avi -oac mp3lame -lameopts br=192 \
-ovc lavc -lavcopts vcodec=mpeg4:vhq -o output.aviThis has produced output playable by mplayer
and xine.input.avi can be replaced with
and run as
root to re-encode a DVD title
directly. Since you are likely to be dissatisfied with
your results the first time around, it is recommended you
dump the title to a file and work on the file.The xine Video PlayerThe xine video player is a project of wide scope aiming not only at being an
all in one video solution, but also in producing a reusable base
library and a modular executable which can be extended with
plugins. It comes both as a package and as a port, multimedia/xine.The xine player
is still very rough around the edges, but it is clearly off to a
good start. In practice, xine requires either a fast CPU with a
fast video card, or support for the XVideo extension. The GUI is
usable, but a bit clumsy.As of this writing, there is no input module shipped with
xine which will play CSS encoded DVD's. There are third party
builds which do have modules for this built in them, but none
of these are in the FreeBSD Ports Collection.Compared to MPlayer, xine does more for the user, but at the
same time, takes some of the more fine-grained control away from
the user. The xine video player
performs best on XVideo interfaces.By default, xine player will
start up in a graphical user interface. The menus can then be
used to open a specific file:&prompt.user; xineAlternatively, it may be invoked to play a file immediately
without the GUI with the command:&prompt.user; xine -g -p mymovie.aviThe transcode UtilitiesThe software transcode is not a player, but a suite of tools for
re-encoding .avi and .mpg files. With transcode, one has the
ability to merge video files, repair broken files, using command
line tools with stdin/stdout stream
interfaces.Like MPlayer, transcode is very experimental software which
must be build from the port multimedia/transcode. Using a great
many options to the make command. We
recommend:&prompt.root; make WITH_LIBMPEG2=yesIf you plan to install multimedia/avifile, then add the
WITH_AVIFILE option to your
make command line, as shown here:&prompt.root; make WITH_AVIFILE=yes WITH_LIBMPEG2=yesHere are two examples of using transcode
for video conversion which produce rescaled output. The first
encodes the output to an openDIVX AVI file, while the second
encodes to the much more portable MPEG format.&prompt.user; transcode -i input.vob -x vob -V -Z 320x240 \
-y opendivx -N 0x55 -o output.avi&prompt.user; transcode -i input.vob -x vob -V -Z 320x240 \
-y mpeg -N 0x55 -o output.tmp
&prompt.user; tcmplex -o output.mpg -i output.tmp.m1v -p output.tmp.mpa -m 1There is a manual page for transcode, but
there is little documentation for the various tc* utilities (such as
tcmplex) which are also installed.
However, the command line option can
always be given to get curt usage instructions for a
command.In comparison, transcode runs
significantly slower than mencoder, but it
has a better chance of producing a more widely playable file.
MPEGs created by transcode have been known to
play on
&windows.media; Player and Apple's &quicktime;, for example.Further ReadingThe various video software packages for FreeBSD are
developing rapidly. It is quite possible that in the near
future many of the problems discussed here will have been
resolved. In the mean time, those who
want to get the very most out of FreeBSD's A/V capabilities will
have to cobble together knowledge from several FAQs and tutorials
and use a few different applications. This section exists to
give the reader pointers to such additional information.The
MPlayer documentation
is very technically informative.
These documents should probably be consulted by anyone wishing
to obtain a high level of expertise with &unix; video. The
MPlayer mailing list is hostile to anyone who has not bothered
to read the documentation, so if you plan on making bug reports
to them, RTFM.The
xine HOWTO
contains a chapter on performance improvement
which is general to all players.Finally, there are some other promising applications which
the reader may try:Avifile which
is also a port multimedia/avifile.Ogle
which is also a port multimedia/ogle.Xtheatermultimedia/dvdauthor, an open
source package for authoring DVD content.JosefEl-RayesOriginal contribution by MarcFonvieilleEnhanced and adapted by Setting Up TV CardsTV cardsIntroductionTV cards allow you to watch broadcast or cable TV on your
computer. Most of them accept composite video via an RCA or
S-video input and some of these cards come with a FM
radio tuner.&os; provides support for PCI-based TV cards using a
Brooktree Bt848/849/878/879 or a Conexant CN-878/Fusion 878a
Video Capture Chip with the &man.bktr.4; driver. You must
also ensure the board comes with a supported tuner, consult
the &man.bktr.4; manual page for a list of supported
tuners.Adding the DriverTo use your card, you will need to load the &man.bktr.4;
driver, this can be done by adding the following line to the
/boot/loader.conf file like this:bktr_load="YES"Alternatively, you may statically compile the support for
the TV card in your kernel, in that case add the following
lines to your kernel configuration:device bktr
device iicbus
device iicbb
device smbusThese additional device drivers are necessary because of the
card components being interconnected via an I2C bus. Then build
and install a new kernel.Once the support was added to your system, you have to
reboot your machine. During the boot process, your TV card
should show up, like this:bktr0: <BrookTree 848A> mem 0xd7000000-0xd7000fff irq 10 at device 10.0 on pci0
iicbb0: <I2C bit-banging driver> on bti2c0
iicbus0: <Philips I2C bus> on iicbb0 master-only
iicbus1: <Philips I2C bus> on iicbb0 master-only
smbus0: <System Management Bus> on bti2c0
bktr0: Pinnacle/Miro TV, Philips SECAM tuner.Of course these messages can differ according to your
hardware. However you should check if the tuner is correctly
detected; it is still possible to override some of the
detected parameters with &man.sysctl.8; MIBs and kernel
configuration file options. For example, if you want to force
the tuner to a Philips SECAM tuner, you should add the
following line to your kernel configuration file:options OVERRIDE_TUNER=6or you can directly use &man.sysctl.8;:&prompt.root; sysctl hw.bt848.tuner=6See the &man.bktr.4; manual page and the
/usr/src/sys/conf/NOTES file for more
details on the available options. (If you are under
&os; 4.X, /usr/src/sys/conf/NOTES is
replaced with
/usr/src/sys/i386/conf/LINT.)Useful ApplicationsTo use your TV card you need to install one of the
following applications:multimedia/fxtv
provides TV-in-a-window and image/audio/video capture
capabilities.multimedia/xawtv
is also a TV application, with the same features as
fxtv.misc/alevt decodes
and displays Videotext/Teletext.audio/xmradio, an
application to use the FM radio tuner coming with some
TV cards.audio/wmtune, a handy
desktop application for radio tuners.More applications are available in the &os; Ports
Collection.TroubleshootingIf you encounter any problem with your TV card, you should
check at first if the video capture chip and the tuner are
really supported by the &man.bktr.4; driver and if you used the right
configuration options. For more support and various questions
about your TV card you may want to contact and use the
archives of the &a.multimedia.name; mailing list.MarcFonvieilleWritten by Image Scannersimage scannersIntroduction&os;, like any modern operating system, allows the use of
image scanners. Standardized access to scanners is provided
by the SANE (Scanner Access Now
Easy) API available through the &os; Ports
Collection. SANE will also use
some &os; devices drivers to access to the scanner
hardware.&os; supports both SCSI and USB scanners. Be sure your
scanner is supported by SANE prior
to performing any configuration.
SANE has a supported
devices list that can provide you with information
about the support for a scanner and its status. The
&man.uscanner.4; manual page also provides a list of supported
USB scanners.Kernel ConfigurationAs mentioned above both SCSI and USB interfaces are
supported. According to your scanner interface, different
device drivers are required.USB InterfaceThe GENERIC kernel by default
includes the device drivers needed to support USB scanners.
Should you decide to use a custom kernel, be sure that the
following lines are present in your kernel configuration
file:device usb
device uhci
device ohci
device uscannerDepending upon the USB chipset on your motherboard, you
will only need either device uhci or
device ohci, however having both in the
kernel configuration file is harmless.If you do not want to rebuild your kernel and your
kernel is not the GENERIC one, you can
directly load the &man.uscanner.4; device driver module with
the &man.kldload.8; command:&prompt.root; kldload uscannerTo load this module at each system startup, add the
following line to
/boot/loader.conf:uscanner_load="YES"After rebooting with the correct kernel, or after
loading the required module, plug in your USB scanner. The
scanner should appear in your system message buffer
(&man.dmesg.8;) as something like:uscanner0: EPSON EPSON Scanner, rev 1.10/3.02, addr 2This shows that our scanner is using the
/dev/uscanner0 device node.On &os; 4.X, the USB daemon (&man.usbd.8;) must
be running to be able to see some USB devices. To enable
this, add usbd_enable="YES" to your
/etc/rc.conf file and reboot the
machine.SCSI InterfaceIf your scanner comes with a SCSI interface, it is
important to know which SCSI controller board you will use.
According to the SCSI chipset used, you will have to tune
your kernel configuration file. The
GENERIC kernel supports the most common
SCSI controllers. Be sure to read the
NOTES file (LINT
under &os; 4.X) and add the correct line to your kernel
configuration file. In addition to the SCSI adapter driver,
you need to have the following lines in your kernel
configuration file:device scbus
device passOnce your kernel has been properly compiled, you should
be able to see the devices in your system message buffer,
when booting:pass2 at aic0 bus 0 target 2 lun 0
pass2: <AGFA SNAPSCAN 600 1.10> Fixed Scanner SCSI-2 device
pass2: 3.300MB/s transfersIf your scanner was not powered-on at system boot, it is
still possible to manually force the detection by performing
a SCSI bus scan with the &man.camcontrol.8; command:&prompt.root; camcontrol rescan all
Re-scan of bus 0 was successful
Re-scan of bus 1 was successful
Re-scan of bus 2 was successful
Re-scan of bus 3 was successfulThen the scanner will appear in the SCSI devices
list:&prompt.root; camcontrol devlist
<IBM DDRS-34560 S97B> at scbus0 target 5 lun 0 (pass0,da0)
<IBM DDRS-34560 S97B> at scbus0 target 6 lun 0 (pass1,da1)
<AGFA SNAPSCAN 600 1.10> at scbus1 target 2 lun 0 (pass3)
<PHILIPS CDD3610 CD-R/RW 1.00> at scbus2 target 0 lun 0 (pass2,cd0)More details about SCSI devices, are available in the
&man.scsi.4; and &man.camcontrol.8; manual pages.SANE ConfigurationThe SANE system has been
splitted in two parts: the backends (graphics/sane-backends) and the
frontends (graphics/sane-frontends). The
backends part provides access to the scanner itself. The
SANE's supported
devices list specifies which backend will support your
image scanner. It is mandatory to determine the correct
backend for your scanner if you want to be able to use your
device. The frontends part provides the graphical scanning
interface (xscanimage).The first thing to do is install the graphics/sane-backends port or
package. Then, use the sane-find-scanner
command to check the scanner detection by the
SANE system:&prompt.root; sane-find-scanner -q
found SCSI scanner "AGFA SNAPSCAN 600 1.10" at /dev/pass3The output will show the interface type of the scanner and
the device node used to attach the scanner to the system. The
vendor and the product model may not appear, it is not
important.Some USB scanners require you to load a firmware, this
is explained in the backend manual page. You should also read
&man.sane-find-scanner.1; and &man.sane.7; manual
pages.Now we have to check if the scanner will be identified by
a scanning frontend. By default, the
SANE backends comes with a command
line tool called &man.scanimage.1;. This command allows you
to list the devices and to perform an image acquisition from
the command line. The option is used to
list the scanner device:&prompt.root; scanimage -L
device `snapscan:/dev/pass3' is a AGFA SNAPSCAN 600 flatbed scannerNo output or a message saying that no scanners were
identified indicates that &man.scanimage.1; is unable to
identify the scanner. If this happens, you will need to edit
the backend configuration file and define the scanner device
used. The /usr/local/etc/sane.d/ directory
contains all backends configuration files. This
identification problem does appear with certain USB
scanners.For example, with the USB scanner used in the ,
sane-find-scanner gives us the following
information:&prompt.root; sane-find-scanner -q
found USB scanner (UNKNOWN vendor and product) at device /dev/uscanner0The scanner is correctly detected, it uses the USB
interface and is attached to the
/dev/uscanner0 device node. We can now
check if the scanner is correctly identified:&prompt.root; scanimage -L
No scanners were identified. If you were expecting something different,
check that the scanner is plugged in, turned on and detected by the
sane-find-scanner tool (if appropriate). Please read the documentation
which came with this software (README, FAQ, manpages).Since the scanner is not identified, we will need to edit
the /usr/local/etc/sane.d/epson.conf
file. The scanner model used was the &epson.perfection; 1650,
so we know the scanner will use the epson
backend. Be sure to read the help comments in the backends
configuration files. Line changes are quite simple: comment
out all lines that have the wrong interface for your scanner
(in our case, we will comment out all lines starting with the
word scsi as our scanner uses the USB
interface), then add at the end of the file a line specifying
the interface and the device node used. In this case, we add
the following line:usb /dev/uscanner0Please be sure to read the comments provided in the
backend configuration file as well as the backend manual page
for more details and correct syntax to use. We can now verify
if the scanner is identified:&prompt.root; scanimage -L
device `epson:/dev/uscanner0' is a Epson GT-8200 flatbed scannerOur USB scanner has been identified. It is not important
if the brand and the model do not match. The key item to be
concerned with is the
`epson:/dev/uscanner0' field, which give us
the right backend name and the right device node.Once the scanimage -L command is able
to see the scanner, the configuration is complete. The device
is now ready to scan.While &man.scanimage.1; does allow us to perform an
image acquisition from the command line, it is preferable to
use a graphical user interface to perform image scanning.
SANE offers a simple but efficient
graphical interface: xscanimage
(graphics/sane-frontends).Xsane (graphics/xsane) is another popular
graphical scanning frontend. This frontend offers advanced
features such as various scanning mode (photocopy, fax, etc.),
color correction, batch scans, etc. Both of these applications
are useable as a GIMP
plugin.Allowing Scanner Access to Other UsersAll previous operations have been done with
root privileges. You may however, need
other users to have access
to the scanner. The user will need read and write
permissions to the device node used by the scanner. As an
example, our USB scanner uses the device node
/dev/uscanner0 which is owned by the
operator group. Adding the user
joe to the
operator group will allow him to use
the scanner:&prompt.root; pw groupmod operator -m joeFor more details read the &man.pw.8; manual page. You
also have to set the correct write permissions (0660 or 0664)
on the /dev/uscanner0 device node, by
default the operator group can only
read the device node. This is done by adding the following
lines to the /etc/devfs.rules file:[system=5]
add path uscanner0 mode 660Then add the following to
/etc/rc.conf and reboot the
machine:devfs_system_ruleset="system"More information regarding these lines can be found in the
&man.devfs.8; manual page. Under &os; 4.X, the
operator group has, by default, read
and write permissions to
/dev/uscanner0.Of course, for security reasons, you should think twice
before adding a user to any group, especially the
operator group.
diff --git a/en_US.ISO8859-1/books/handbook/preface/preface.sgml b/en_US.ISO8859-1/books/handbook/preface/preface.sgml
index 7136a57134..fe685de2b8 100644
--- a/en_US.ISO8859-1/books/handbook/preface/preface.sgml
+++ b/en_US.ISO8859-1/books/handbook/preface/preface.sgml
@@ -1,618 +1,618 @@
PrefaceIntended
AudienceThe FreeBSD newcomer will find that the first section of this
book guides the user through the FreeBSD installation process and
gently introduces the concepts and conventions that underpin &unix;.
Working through this section requires little more than the desire
to explore, and the ability to take on board new concepts as they
are introduced.Once you have traveled this far, the second, far larger,
section of the Handbook is a comprehensive reference to all manner
of topics of interest to FreeBSD system administrators. Some of
these chapters may recommend that you do some prior reading, and
this is noted in the synopsis at the beginning of each
chapter.For a list of additional sources of information, please see .Changes from the
Second EditionThis third edition is the culmination of over two years of
work by the dedicated members of the FreeBSD Documentation
Project. The following are the major changes in this new
edition:, Configuration and
Tuning, has been expanded with new information about the
ACPI power and resource management, the cron system utility,
and more kernel tuning options., Security, has been expanded with
new information about virtual private networks (VPNs), file
system access control lists (ACLs), and security
advisories., Mandatory Access Control (MAC), is
a new chapter with this edition. It explains what MAC is
and how this mechanism can be used to secure a FreeBSD
system., Storage, has been expanded with
new information about USB storage devices, file system
snapshots, file system quotas, file and network backed
filesystems, and encrypted disk partitions., Vinum, is a new chapter
with this edition. It describes how to use Vinum, a logical
volume manager which provides device-independent logical
disks, and software RAID-0, RAID-1 and RAID-5.A troubleshooting section has been added to , PPP and SLIP., Electronic Mail, has been
expanded with new information about using alternative
transport agents, SMTP authentication, UUCP, fetchmail,
procmail, and other advanced topics., Network Servers, is
all new with this edition. This chapter includes
information about setting up the Apache HTTP Server, FTPd,
and setting up a server for Microsoft Windows clients with
Samba. Some sections from , Advanced Networking, were
moved here to improve the presentation., Advanced
Networking, has been expanded with new information about
using Bluetooth devices with FreeBSD, setting up wireless
networks, and Asynchronous Transfer Mode (ATM)
networking.A glossary has been added to provide a central location
for the definitions of technical terms used throughout the
book.A number of aesthetic improvements have been made to the
tables and figures throughout the book.Changes from the
First EditionThe second edition was the culmination of over two years of
work by the dedicated members of the FreeBSD Documentation
Project. The following were the major changes in this
edition:A complete Index has been added.All ASCII figures have been replaced by graphical diagrams.A standard synopsis has been added to each chapter to
give a quick summary of what information the chapter contains,
and what the reader is expected to know.The content has been logically reorganized into three
parts: Getting Started, System Administration, and
Appendices. (Installing FreeBSD) was completely
rewritten with many screenshots to make it much easier for new
users to grasp the text. (&unix; Basics) has been expanded to contain
additional information about processes, daemons, and
signals. (Installing Applications) has been expanded
to contain additional information about binary package
management. (The X Window System) has been completely
rewritten with an emphasis on using modern desktop
technologies such as KDE and GNOME on &xfree86; 4.X. (The FreeBSD Booting Process) has been
expanded. (Storage) has been written from what used
to be two separate chapters on Disks and Backups. We feel
that the topics are easier to comprehend when presented as a
single chapter. A section on RAID (both hardware and
software) has also been added. (Serial Communications) has been completely
reorganized and updated for FreeBSD 4.X/5.X. (PPP and SLIP) has been substantially
updated.Many new sections have been added to
(Advanced Networking). (Electronic Mail) has been expanded to
include more information about configuring
sendmail. (&linux; Compatibility) has been expanded to
include information about installing
&oracle; and
&sap.r3;.The following new topics are covered in this second
edition:Configuration and Tuning ().Multimedia ()Organization of This
BookThis book is split into five logically distinct sections.
The first section, Getting Started, covers
the installation and basic usage of FreeBSD. It is expected that
the reader will follow these chapters in sequence, possibly
skipping chapters covering familiar topics. The second section,
Common Tasks, covers some frequently used
features of FreeBSD. This section, and all subsequent sections,
can be read out of order. Each chapter begins with a succinct
synopsis that
describes what the chapter covers and what the reader is expected
to already know. This is meant to allow the casual reader to skip
around to find chapters of interest. The third section,
System Administration, covers administration
topics. The fourth section, Network
Communication, covers networking and server topics.
The fifth section contains
appendices of reference information., IntroductionIntroduces FreeBSD to a new user. It describes the
history of the FreeBSD Project, its goals and development model., InstallationWalks a user through the entire installation process.
Some advanced installation topics, such as installing through
a serial console, are also covered., &unix; BasicsCovers the basic commands and functionality of the
FreeBSD operating system. If you are familiar with &linux; or
another flavor of &unix; then you can probably skip this
chapter., Installing ApplicationsCovers the installation of third-party software with
both FreeBSD's innovative Ports Collection and standard
binary packages., The X Window SystemDescribes the X Window System in general and using
- &xfree86; on FreeBSD in particular. Also describes common
+ X11 on FreeBSD in particular. Also describes common
desktop environments such as KDE and GNOME., Desktop ApplicationsLists some common desktop applications, such as web browsers
and productivity suites, and describes how to install them on
FreeBSD., MultimediaShows how to set up sound and video playback support for your
system. Also describes some sample audio and video applications., Configuring the FreeBSD
KernelExplains why you might need to configure a new kernel
and provides detailed instructions for configuring, building,
and installing a custom kernel., PrintingDescribes managing printers on FreeBSD, including
information about banner pages, printer accounting, and
initial setup., &linux; Binary CompatibilityDescribes the &linux; compatibility features of FreeBSD.
Also provides detailed installation instructions for many
popular &linux; applications such as &oracle;, &sap.r3;, and
&mathematica;., Configuration and TuningDescribes the parameters available for system
administrators to tune a FreeBSD system for optimum
performance. Also describes the various configuration files
used in FreeBSD and where to find them., Booting ProcessDescribes the FreeBSD boot process and explains
how to control this process with configuration options., Users and Basic Account
ManagementDescribes the creation and manipulation of user
accounts. Also discusses resource limitations that can be
set on users and other account management tasks., SecurityDescribes many different tools available to help keep your
FreeBSD system secure, including Kerberos, IPsec and OpenSSH., Mandatory Access ControlExplains what Mandatory Access Control (MAC) is and how this
mechanism can be used to secure a FreeBSD system., StorageDescribes how to manage storage media and filesystems
with FreeBSD. This includes physical disks, RAID arrays,
optical and tape media, memory-backed disks, and network
filesystems., VinumDescribes how to use Vinum, a logical volume manager
which provides device-independent logical disks, and
software RAID-0, RAID-1 and RAID-5., LocalizationDescribes how to use FreeBSD in languages other than
English. Covers both system and application level
localization., The Cutting EdgeExplains the differences between FreeBSD-STABLE,
FreeBSD-CURRENT, and FreeBSD releases. Describes which users
would benefit from tracking a development system and outlines
that process., Serial CommunicationsExplains how to connect terminals and modems to your
FreeBSD system for both dial in and dial out connections., PPP and SLIPDescribes how to use PPP, SLIP, or PPP over Ethernet to
connect to remote systems with FreeBSD., Electronic MailExplains the different components of an email server and
dives into simple configuration topics for the most popular
mail server software:
sendmail., Network ServersProvides detailed instructions and example configuration
files to set up your FreeBSD machine as a network filesystem
server, domain name server, network information system
server, or time synchronization server., FirewallsExplains the philosophy behind software-based firewalls and
provides detailed information about the configuration of the
different firewalls available for FreeBSD., Advanced NetworkingDescribes many networking topics, including sharing an
Internet connection with other computers on your LAN, advanced
routing topics, wireless networking, bluetooth, ATM, IPv6, and
much more., Obtaining FreeBSD Lists different sources for obtaining FreeBSD media on CDROM
or DVD as well as different sites on the Internet that allow
you to download and install FreeBSD., Bibliography This book touches on many different subjects that may
leave you hungry for a more detailed explanation. The
bibliography lists many excellent books that are referenced in
the text., Resources on the InternetDescribes the many forums available for FreeBSD users to
post questions and engage in technical conversations about
FreeBSD., PGP KeysLists the PGP fingerprints of several FreeBSD Developers.Conventions used
in this bookTo provide a consistent and easy to read text, several
conventions are followed throughout the book.Typographic
ConventionsItalicAn italic font is used for filenames, URLs,
emphasized text, and the first usage of technical terms.MonospaceA monospaced font is
used for error messages, commands, environment variables,
names of ports, hostnames, user names, group names, device
names, variables, and code fragments.BoldA bold font is used for
applications, commands, and keys.User InputKeys are shown in bold to stand out from
other text. Key combinations that are meant to be typed
simultaneously are shown with `+' between
the keys, such as:CtrlAltDelMeaning the user should type the Ctrl,
Alt, and Del keys at the same
time.Keys that are meant to be typed in sequence will be separated with
commas, for example:CtrlX,
CtrlSWould mean that the user is expected to type the
Ctrl and X keys simultaneously
and then to type the Ctrl and S
keys simultaneously.ExamplesExamples starting with E:\>
indicate a &ms-dos; command. Unless otherwise noted, these commands
may be executed from a Command Prompt window in a modern µsoft.windows;
environment.E:\>tools\fdimage floppies\kern.flp A:Examples starting with &prompt.root; indicate a command that
must be invoked as the superuser in FreeBSD. You can login as
root to type the command, or login as your
normal account and use &man.su.1; to gain
superuser privileges.&prompt.root; dd if=kern.flp of=/dev/fd0Examples starting with &prompt.user; indicate a command that
should be invoked from a normal user account. Unless otherwise
noted, C-shell syntax is used for setting environment variables
and other shell commands.&prompt.user; topAcknowledgmentsThe book you are holding represents the efforts of many hundreds of
people around the world. Whether they sent in fixes for typos, or
submitted complete chapters, all the contributions have been
useful.Several companies have supported the development of this
document by paying authors to work on it full-time, paying for
publication, etc. In particular, BSDi (subsequently acquired by
Wind River Systems)
paid members of the FreeBSD Documentation Project to work on
improving this book full time leading up to the publication of the
first printed edition in March 2000 (ISBN 1-57176-241-8). Wind
River Systems then paid several additional authors to make a
number of improvements to the print-output infrastructure and to add
additional chapters to the text. This work culminated in the
publication of the second printed edition in November 2001 (ISBN
1-57176-303-1). In 2003-2004, FreeBSD Mall, Inc, paid
several contributors to improve the Handbook in preparation for
the third printed edition.