musicpd + mpc: the simplest music player (FreeBSD)

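musicpd, MPD for short, is a music server. This article shows how to listen to music on FreeBSD with MPC + MPD, building a music player that uses the least memory and offers the most powerful combination of features.

Why MPD + MPC?

There are many good music players under /usr/ports/audio, such as beep-media-player and mpg123. I prefer mpc (which requires MusicPD); its simplicity is the reason I chose it. The MusicPD daemon (mpd for short) starts automatically at every boot and acts like a jukebox waiting in the background. From a terminal, mpc lets me pick and play the songs I like, with no GUI at all and no need to dedicate a desktop to a music player.

Combined with conky, mpc can play startup music; combined with remind, it can use music as a reminder, for example playing "Happy Birthday" to remind you of a friend's birthday. The mpd daemon is like a powerful jukebox: you can easily pick your favorite artists and albums, and it is in no way inferior to GUI music players. mpc is concise: with mpc play 40 I can start from the 40th song; how could a mouse ever be that quick? mpc is flexible: as a joke, mpc can play the songs at prime-numbered positions, 2,3,5,7,9,11,13,……; which GUI player in the world can do that? We can also use conky to show mpd's status on the desktop (song title, artist, playback progress and so on) and design our own music player. Pretty cool.

Installing MusicPD

Installation is not difficult at all. Just remember one thing: in the mpd port, either through make config or by editing the Makefile directly, select the "Support for id3v1 tag encoding" option. Only then can conky read information such as artist and title from mp3 files. We will use conky to display mpd's status on the desktop and build a music player interface of our own.

Configuring mpd.conf

Run as root: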

# cp /usr/local/share/doc/mpd/mpdconf.example /usr/local/etc/mpd.conf

Edit mpd.conf as follows:

music_directory        "/backup/multimedia"        ## where the music is stored
playlist_directory     "/home/IOU/.mpd/playlists"  ## where mpd keeps its own files
db_file                "/home/IOU/.mpd/mpd.db"     ## these paths are all chosen by the user
log_file               "/home/IOU/.mpd/mpd.log"
pid_file               "/home/IOU/.mpd/mpd.pid"
state_file             "/home/IOU/.mpd/mpdstate"
user                   "IOU"    ## the non-root user that controls (runs) mpd
filesystem_charset     "UTF-8"  ## run "iconv -l" to see the encodings the system supports
id3v1_encoding         "GBK"
mixer_type             "software"
audio_output {
  type                 "oss"
  name                 "Sound Card"
}

The right value for filesystem_charset can also be worked out with

$ locale

For example, I chose eucCN because

IOU@~$ locale
LANG=zh_CN.eucCN
LC_CTYPE="zh_CN.eucCN"
LC_COLLATE="zh_CN.eucCN"
LC_TIME="zh_CN.eucCN"
LC_NUMERIC="zh_CN.eucCN"
LC_MONETARY="zh_CN.eucCN"
LC_MESSAGES="zh_CN.eucCN"
LC_ALL=zh_CN.eucCN

Other settings

Add the following to /etc/rc.conf:

musicpd_enable="YES"

Run as root:

# musicpd /usr/local/etc/mpd.conf

The system will automatically search for the songs on the machine and store the information under /home/IOU/.mpd.

$ mpc listall | mpc add

loads all the songs into the playlist. In the console, type

$ mpc play 10

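and playback starts from the 10th song.

You can also first look at which artists' works are available:

$ mpc list artist

For example, suppose you find "许巍" (Xu Wei) in the output of the command above and now want to listen to his songs.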

$ mpc search artist 许巍 | mpc add
$ mpc play

and our musical journey begins.

mpc offers a rich set of search fields:

<any|Artist|Album|AlbumArtist|Title|Track|Name|Genre|Date|Composer|Performer
|Comment|Disc|MUSICBRAINZ_ARTISTID|MUSICBRAINZ_ALBUMID|MUSICBRAINZ_ALBUMARTISTID|MUSICBRAINZ_TRACKID>

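For the details of the mpc command line, such as searching and volume control, read man mpc at your leisure.

Original link: http://wiki.freebsdchina.org/software/m/mpd

Dependencies between FreeBSD ports and how to manage them

Anyone who has used FreeBSD knows its ports system well: it means we never have to worry about "installing software". FreeBSD automatically downloads and installs the ports that are needed, which is why many GNU/Linux users, myself included, joined the FreeBSD camp without hesitation once they got to know FreeBSD.

This wiki page adds that, beyond this, FreeBSD also means we never have to struggle with "unclean uninstalls".

The complex relationships between ports

Ports can depend on one another in complex ways. Drawn as a directed graph, the dependencies must form a DAG (directed acyclic graph). Take the stochastic simulation software mcmc-jags-3.2.0 as an example: installing it requires installing all of its descendant nodes.

[Figure: Dependencies between FreeBSD ports, 1]

How do you remove a port cleanly?

How do you remove ports? The usual way is to go to that port's directory and run make deinstall clean. But what if that port also pulled in some ports that are "no longer useful"? For example, after uninstalling jags, what do you do if you also want to uninstall the now "orphaned" lapack? Surely you should not have to work out the complex relationships among all the installed ports? Take the stochastic simulation packages jags and fbm as an example; their dependencies look like this.

[Figure: Dependencies between FreeBSD ports, 2]

The relationships between just two ports and their dependencies can be this complex, never mind all the many ports you have installed! Heavens above, which angel will lend me a hand?

One port can help you: pkg_cutleaves! This small tool lists all the "leaf nodes" among your installed ports with a single command: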

# pkg_cutleaves -lxg

Information about these nodes is stored in the file /usr/local/etc/pkg_leaves.exclude. If there is a node you no longer want, delete it from pkg_leaves.exclude and then run

# pkg_cutleaves -Rxg

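Guess what? The system removes that node and all the "orphaned" ports associated with it, without affecting the other "leaf nodes" and their associated ports. pkg_cutleaves charges in and wipes out the enemy and all of its isolated followers!

How I wish my brain had a tool like this, to wipe unpleasant memories clean, then update and start life afresh.

How do you rebuild the dependency relationships between ports?

Use portmaster to rebuild the dependency relationships between ports; all it takes is

# portmaster --check-depends

A look at the dependency graphs of some ports

Finally, take a look at the dependency graphs of zh_cn-freebsd-doc, emacs and maxima to get a feel for how complex the relationships between FreeBSD ports are, and marvel at how powerfully FreeBSD navigates them. FreeBSD is a beauty with depth: the longer you are with her, the more you love her, and I hope she will stay with me into old age. I do not yet know her sisters OpenBSD and NetBSD, though legend has it they are beautiful too.

[Figure: Dependencies between FreeBSD ports, 3]

[Figure: Dependencies between FreeBSD ports, 4]

[Figure: Dependencies between FreeBSD ports, 5]

Original link: http://wiki.freebsdchina.org/software/p/pkg_cutleaves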

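FreeBSD 9.0 installation: a beginner's tutorial

I saw the 9.0 release install image on the FTP server, so I downloaded it to tinker with. The installation process seems to have changed, hence this introductory write-up. My skills are limited; corrections are welcome. Thanks.

None of the tests used a physical machine; I used VirtualBox 4.1.8. The VM version on my own machine was too old and could not install it.
Hardware configuration: 512M of memory and a 4G hard disk were allocated.
The CPU is Intel, so I downloaded the i386 version.

Starting the installation
1. The installer's logo screen has changed

PS: To be honest, I stared at that thing for ages and still could not tell whether it is a feline or some other creature.

2. Choose [1] to install; after 10 seconds the default installation starts.

3. The installation interface really is different. It may feel unfamiliar at first, but never mind: the new installer is actually simpler.

There are three options: the first is Install; the second is a shell, which can probably also be used to install, though with my limited skills I did not try it; the last is the live CD system, presumably for troubleshooting.
Select [install] and press Enter.

4. Keyboard selection prompt

With no special requirements, choose [yes].

5. Choose the keyboard language

Use the default.

6. Set the hostname

You can press [esc] to skip this, but setting it is recommended.

7. Choose the components to install
The first is doc, presumably help and reference documentation.
The second is games.
The third is the ports tree (I suggest not selecting it: it takes a long time to install, and my virtual machine installation ended with an error).
The fourth is src, the source code.

Press Space to select and the up/down arrow keys to move.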

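8. Disk partitioning
The first option is a guided, step-by-step setup.
The second should be expert mode.
The third is shell mode.

Choose [Guided].

9. Configure the partitions
The first option is the entire disk.
The second is to choose partitions (I did not get this to work).

Choose [entire disk].

10. Partition layout
If you have installed earlier versions of FreeBSD, you will probably know this screen.
If you need to set partition sizes, do it here.
Usually it is auto, then finish.

This is followed by a data warning.

When the configuration is done, choose [finish].

11. Choose [commit]

12. Once formatting is done, the files are verified and then the installation begins.
If games and ports were not selected in step 7, there are only two items.

The installation starts; it takes quite a while if ports was selected.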

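13. After installation, system configuration begins

Set the password.

14. Configure the network interface

Whether to configure IPv4.

Whether to use DHCP; configure according to your needs.

Configure the IP address.

There is also an option to configure IPv6.

15. Time configuration
In China, the time zone needs to be set.

16. User configuration
This can be done later.

That is more or less it.
If something you just configured is wrong, you can make more comprehensive changes here.

For example, service configuration,
where you can enable the mouse.

Basically done; reboot.

Screenshots taken after installation were attached.

Tip: if you are not comfortable with the new installation wizard, you can use the old installer instead.

Just type sysinstall as root.

What if an expert says the new installation method is terrible and they just cannot get used to it?
Easy: in step 3, choose [shell] directly,
then type sysinstall and, hey, you are installing the old way.
My skills are limited; if anyone wants to throw eggs at me, please, really, don't.

By Ndk 2012-1-8
Thanks.
PS: Some day when I have time I will put together a beginner's tutorial for FreeBSD 9.0 + Gnome.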

FreeBSD 9.0-RELEASE has been released

The FreeBSD Release Engineering Team is pleased to announce the availability
of FreeBSD 9.0-RELEASE. This is the first release from the stable/9 branch,
which improves on stable/8 and adds many new features. Some of the
highlights:

- A new installer, bsdinstall(8) has been added and is the installer
  used by the ISO images provided as part of this release
- The Fast Filesystem now supports softupdates journaling
- ZFS updated to version 28
- Updated ATA/SATA drivers support AHCI, moved into updated CAM
  framework
- Highly Available Storage (HAST) framework
- Kernel support for Capsicum Capability Mode, an experimental
  set of features for sandboxing support
- User-level DTrace
- The TCP/IP stack now supports pluggable congestion control framework
  and five congestion control algorithm implementations available
- NFS subsystem updated, new implementation supports NFSv4 in
  addition to NFSv3 and NFSv2
- High Performance SSH (HPN-SSH)
- Flattened device tree (FDT), simplifying FreeBSD configuration
  for embedded platforms
- The powerpc architecture now supports Sony Playstation 3
- The LLVM compiler infrastructure and clang have been imported
- Gnome version 2.32.1, KDE version 4.7.3

For a complete list of new features and known problems, please see the
online release notes and errata list, available at:

http://www.FreeBSD.org/releases/9.0R/relnotes.html
http://www.FreeBSD.org/releases/9.0R/errata.html

For more information about FreeBSD release engineering activities,
please see:

http://www.FreeBSD.org/releng/

Dedication
----------

The FreeBSD Project dedicates the FreeBSD 9.0-RELEASE to the memory of
Dennis M. Ritchie, one of the founding fathers of the UNIX[tm] operating
system. It is on the foundation laid by the work of visionaries like Dennis
that software like the FreeBSD operating system came to be. The fact that
his work of so many years ago continues to influence new design decisions
to this very day speaks for the brilliant engineer that he was.

May he rest in peace.

Availability
------------

FreeBSD 9.0-RELEASE is now available for the amd64, i386, ia64, powerpc,
powerpc64, and sparc64 architectures.

FreeBSD 9.0 can be installed from bootable ISO images or over the
network. Some architectures also support installing from a USB memory
stick. The required files can be downloaded via FTP or BitTorrent as
described in the sections below. While some of the smaller FTP mirrors
may not carry all architectures, they will all generally contain the more
common ones such as amd64 and i386.

NOTE: A problem was discovered with the DVD images for amd64 and i386
architectures shortly after they were loaded on the FTP distribution
server. Those images have since been replaced and we have allowed
enough time that the newer images should have distributed to all the
FTP servers that carry the release. If you downloaded the amd64 or
i386 DVD images prior to this announcement it would be a good idea to
verify the checksums of the image you downloaded with the checksums
provided as part of this Release Announcement. The only thing wrong
with the images that were replaced is that sysinstall(8) can not be used
to install the pre-built packages on the DVD. Other than that there is
nothing different on the updated images. The bad DVD images were never
available on BitTorrent.

MD5 and SHA256 hashes for the release ISO and memory stick images are
included at the bottom of this message.

The purpose of the images provided as part of the release are as follows:

dvd1: This contains everything necessary to install the base FreeBSD
operating system, the documentation, and a small set of pre-built
packages aimed at getting a graphical workstation up and running.
It also supports booting into a "livefs" based rescue mode. This
should be all you need if you can burn and use DVD-sized media.

disc1: This contains the base FreeBSD operating system. It also supports
booting into a "livefs" based rescue mode. There are no pre-built
packages.

bootonly: This supports booting a machine using the CDROM drive but
does not contain the support for installing FreeBSD from the
CD itself. You would need to perform a network based install
(e.g. from an FTP server) after booting from the CD.

memstick: This can be written to an USB memory stick (flash drive) and
used to do an install on machines capable of booting off USB
drives. It also supports booting into a "livefs" based rescue
mode. There are no pre-built packages.

As one example of how to use the memstick image, assuming the USB drive
appears as /dev/da0 on your machine something like this should work:

# dd if=FreeBSD-9.0-RELEASE-amd64-memstick.img of=/dev/da0 bs=10240 conv=sync

Be careful to make sure you get the target (of=) correct.

FreeBSD 9.0-RELEASE can also be purchased on CD-ROM or DVD from several
vendors. One of the vendors that will be offering FreeBSD 9.0-based
products is:

~ FreeBSD Mall, Inc. http://www.freebsdmall.com/

BitTorrent
----------

9.0-RELEASE ISOs are available via BitTorrent. A collection of torrent
files to download the images is available at:

http://torrents.freebsd.org:8080/

FTP

At the time of this announcement the following FTP sites have
FreeBSD 9.0-RELEASE available.

ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp5.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp7.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp8.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp.au.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp.cn.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp.cz.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp.dk.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp.fr.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp.jp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp.ru.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp.tw.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp.uk.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp2.us.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp10.us.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/
ftp://ftp.za.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/

However before trying these sites please check your regional mirror(s)
first by going to:

ftp://ftp.<yourdomain>.FreeBSD.org/pub/FreeBSD

Any additional mirror sites will be labeled ftp2, ftp3 and so on.

More information about FreeBSD mirror sites can be found at:

http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html

For instructions on installing FreeBSD or updating an existing machine to
9.0-RELEASE please see:

http://www.FreeBSD.org/releases/9.0R/installation.html

Support
-------

The FreeBSD Security Team currently plans to support FreeBSD 9.0 until
January 31st, 2013. For more information on the Security Team and their
support of the various FreeBSD branches see:

http://www.freebsd.org/security/

Other Projects Based on FreeBSD
-------------------------------

There are many "third party" Projects based on FreeBSD. The Projects
range from re-packaging FreeBSD into a more "novice friendly" distribution
to making FreeBSD available on Amazon’s EC2 infrastructure. For more
information about these Third Party Projects see:

http://wiki.freebsd.org/3rdPartyProjects

Acknowledgments
---------------

Many companies donated equipment, network access, or man-hours to
support the release engineering activities for FreeBSD 9.0 including
The FreeBSD Foundation, Yahoo!, NetApp, Internet Systems Consortium,
Sentex Communications, New York Internet, Juniper Networks, and
iXsystems.

The release engineering team for 9.0-RELEASE includes:

Ken Smith <kensmith@FreeBSD.org>            Release Engineering,
                                            amd64, i386, sparc64 Release Building,
                                            Mirror Site Coordination
Robert Watson <rwatson@FreeBSD.org>         Release Engineering, Security
Konstantin Belousov <kib@FreeBSD.org>       Release Engineering
Marc Fonvieille <blackend@FreeBSD.org>      Release Engineering, Documentation
Josh Paetzel <jpaetzel@FreeBSD.org>         Release Engineering
Hiroki Sato <hrs@FreeBSD.org>               Release Engineering, Documentation
Bjoern Zeeb <bz@FreeBSD.org>                Release Engineering
Marcel Moolenaar <marcel@FreeBSD.org>       ia64, powerpc Release Building
Nathan Whitehorn <nwhitehorn@FreeBSD.org>   powerpc64 Release Building
Joe Marcus Clarke <marcus@FreeBSD.org>      Package Building
Erwin Lansing <erwin@FreeBSD.org>           Package Building
Mark Linimon <linimon@FreeBSD.org>          Package Building
Pav Lucistnik <pav@FreeBSD.org>             Package Building
Ion-Mihai Tetcu <itetcu@FreeBSD.org>        Package Building
Martin Wilke <miwi@FreeBSD.org>             Package Building, Ports Security
Colin Percival <cperciva@FreeBSD.org>       Security Officer

Trademark
---------

FreeBSD is a registered trademark of The FreeBSD Foundation.

ISO Image Checksums
-------------------


Original link: http://www.freebsdchina.org/document_28_52946.html
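Checking a downloaded image against published SHA256 lines, as the NOTE in the announcement recommends; this is an added example, not part of the announcement. It assumes the checksum lines were saved to a local file in the BSD `SHA256 (name) = digest` format; the function names and the checksum file name in the usage comment are hypothetical.

```sh
#!/bin/sh
# Added example: verify an image against BSD-style checksum lines such as
#   SHA256 (FreeBSD-9.0-RELEASE-amd64-memstick.img) = <hex digest>
# MD5 lines in the same file are ignored on purpose: only SHA256 is checked.
# The checksum file must come from a source you trust (for example the signed
# announcement); a list fetched from the same mirror as the image only
# detects corruption, not tampering.

# sha256_of FILE: print the SHA-256 of FILE as bare hex, using whichever
# tool exists: sha256 (FreeBSD base), sha256sum (GNU coreutils) or openssl.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# expected_sha256 CHECKSUM_FILE NAME: print the published digest for NAME.
# The file name must match exactly; exits non-zero if there is no entry.
expected_sha256() {
    awk -v name="$2" '
        $1 == "SHA256" && $2 == "(" name ")" && $3 == "=" {
            print tolower($4); found = 1; exit
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# verify_image CHECKSUM_FILE IMAGE
# Returns 0 on match, 1 on mismatch, 2 if IMAGE has no SHA256 entry.
verify_image() {
    sums=$1
    image=$2
    name=$(basename "$image")
    want=$(expected_sha256 "$sums" "$name") || return 2
    got=$(sha256_of "$image" | tr 'A-F' 'a-f')
    [ "$got" = "$want" ]
}

# Usage: sh verify.sh CHECKSUM.SHA256 FreeBSD-9.0-RELEASE-amd64-memstick.img
if [ "$#" -eq 2 ]; then
    if verify_image "$1" "$2"; then
        echo "OK: $2"
    else
        echo "FAILED or not listed: $2" >&2
        exit 1
    fi
fi
```

Run it before writing the image with dd, so a corrupted or replaced download never reaches the USB stick.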

FreeBSD-SA-11:10.pam


=============================================================================
FreeBSD-SA-11:10.pam                                        Security Advisory
                                                          The FreeBSD Project

Topic:          pam_start() does not validate service names

Category:       contrib
Module:         pam
Announced:      2011-12-23
Credits:        Matthias Drochner
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-13 13:03:11 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-13 13:02:52 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-13 12:59:39 UTC (RELENG_9, 9.0-STABLE)
                2011-12-13 13:02:31 UTC (RELENG_9_0, 9.0-RELEASE)
CVE Name:       CVE-2011-4122

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.  It is
used not only in the base system, but also by a large number of
third-party applications.

Various authentication methods (UNIX, LDAP, Kerberos etc.) are
implemented in modules which are loaded and executed according to
predefined, named policies.  These policies are defined in
/etc/pam.conf, /etc/pam.d/<policy name>, /usr/local/etc/pam.conf or
/usr/local/etc/pam.d/<policy name>.

The PAM API is a de facto industry standard which has been implemented
by several parties.  FreeBSD uses the OpenPAM implementation.

II.  Problem Description

Some third-party applications, including KDE’s kcheckpass command,
allow the user to specify the name of the policy on the command line.
Since OpenPAM treats the policy name as a path relative to /etc/pam.d
or /usr/local/etc/pam.d, users who are permitted to run such an
application can craft their own policies and cause the application
to load and execute their own modules.

III. Impact

If an application that runs with root privileges allows the user to
specify the name of the PAM policy to load, users who are permitted to
run that application will be able to execute arbitrary code with root
privileges.

There are no vulnerable applications in the base system.

IV.  Workaround

No workaround is available, but systems without untrusted users are
not vulnerable.

Inspect any third-party setuid / setgid binaries which use the PAM
library and ascertain whether they allow the user to specify the
policy name, then either change the binary’s permissions to prevent
its use or remove it altogether.

The following command will output a non-zero number if a dynamically
linked binary uses libpam:

# ldd /usr/local/bin/suspicious_binary | grep -c libpam

The following command will output a non-zero number if a statically
linked binary uses libpam:

# grep -acF "/etc/pam.d/" /usr/local/bin/suspicious_binary

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to
the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security
branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:10/pam.patch
# fetch http://security.FreeBSD.org/patches/SA-11:10/pam.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libpam
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/contrib/openpam/lib/openpam_configure.c                1.1.1.7.20.2
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.7
  src/sys/conf/newvers.sh                                  1.72.2.18.2.10
  src/contrib/openpam/lib/openpam_configure.c            1.1.1.7.20.1.8.1
RELENG_7_3
  src/UPDATING                                            1.507.2.34.2.11
  src/sys/conf/newvers.sh                                  1.72.2.16.2.13
  src/contrib/openpam/lib/openpam_configure.c            1.1.1.7.20.1.6.1
RELENG_8
  src/contrib/openpam/lib/openpam_configure.c                 1.1.1.8.2.1
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.7
  src/sys/conf/newvers.sh                                  1.83.2.12.2.10
  src/contrib/openpam/lib/openpam_configure.c                 1.1.1.8.8.1
RELENG_8_1
  src/UPDATING                                            1.632.2.14.2.10
  src/sys/conf/newvers.sh                                  1.83.2.10.2.11
  src/contrib/openpam/lib/openpam_configure.c                 1.1.1.8.6.1
RELENG_9
  src/contrib/openpam/lib/openpam_configure.c                1.1.1.8.10.1
RELENG_9_0
  src/contrib/openpam/lib/openpam_configure.c                1.1.1.8.12.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r228467
releng/7.4/                                                       r228843
releng/7.3/                                                       r228843
stable/8/                                                         r228466
releng/8.2/                                                       r228843
releng/8.1/                                                       r228843
stable/9/                                                         r228464
releng/9.0/                                                       r228465
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4122

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:10.pam.asc

Original link: http://security.freebsd.org/advisories/FreeBSD-SA-11:10.pam.asc
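The two checks from section IV of FreeBSD-SA-11:10.pam, combined into an audit loop over setuid / setgid files; this is an added example, not part of the advisory. The function names and the directories passed in are assumptions.

```sh
#!/bin/sh
# Added example: list setuid / setgid files that use libpam, so they can be
# reviewed for a user-controllable PAM policy name (FreeBSD-SA-11:10.pam).
# Run it only against directories holding software you installed yourself.

# uses_libpam FILE: succeed if FILE links libpam dynamically (the
# advisory's ldd check) or embeds the policy directory string (the
# advisory's check for statically linked binaries).
uses_libpam() {
    if ldd "$1" 2>/dev/null | grep -q libpam; then
        return 0
    fi
    grep -aqF "/etc/pam.d/" "$1" 2>/dev/null
}

# audit_pam_setid DIR...: print every setuid or setgid regular file under
# the given directories for which uses_libpam succeeds.
audit_pam_setid() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if uses_libpam "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: sh pam_audit.sh /usr/local/bin /usr/local/sbin /usr/local/libexec
if [ "$#" -gt 0 ]; then
    audit_pam_setid "$@"
fi
```

A hit only means the binary uses PAM with elevated privileges; each one still has to be checked for whether it lets the caller choose the policy name.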

FreeBSD-SA-11:09.pam_ssh


=============================================================================
FreeBSD-SA-11:09.pam_ssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          pam_ssh improperly grants access when user account has
                unencrypted SSH private keys

Category:       contrib
Module:         pam
Announced:      2011-12-23
Credits:        Guy Helmer, Dag-Erling Smorgrav
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-11 20:40:23 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-11 20:38:36 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-11 16:57:27 UTC (RELENG_9, 9.0-STABLE)
                2011-12-11 17:32:37 UTC (RELENG_9_0, 9.0-RELEASE)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.  It is
used not only in the base system, but also by a large number of
third-party applications.

Various authentication methods (UNIX, LDAP, Kerberos etc.) are
implemented in modules which are loaded and executed according to
predefined, named policies.  These policies are defined in
/etc/pam.conf, /etc/pam.d/<policy name>, /usr/local/etc/pam.conf or
/usr/local/etc/pam.d/<policy name>.

The base system includes a module named pam_ssh which, if enabled,
allows users to authenticate themselves by typing in the passphrase of
one of the SSH private keys which are stored in encrypted form in
their .ssh directory.  Authentication is considered successful if at
least one of these keys could be decrypted using the provided
passphrase.

By default, the pam_ssh module rejects SSH private keys with no
passphrase.  A "nullok" option exists to allow these keys.

II.  Problem Description

The OpenSSL library call used to decrypt private keys ignores the
passphrase argument if the key is not encrypted.  Because the pam_ssh
module only checks whether the passphrase provided by the user is
null, users with unencrypted SSH private keys may successfully
authenticate themselves by providing a dummy passphrase.

III. Impact

If the pam_ssh module is enabled, attackers may be able to gain access
to user accounts which have unencrypted SSH private keys.

IV.  Workaround

No workaround is available, but systems that do not have the pam_ssh module
enabled are not vulnerable.  The pam_ssh module is not enabled in any
of the default policies provided in the base system.

The system administrator can use the following procedure to inspect all
PAM policy files to determine whether the pam_ssh module is enabled.
If the following command produces any output, the system may be
vulnerable:

# egrep -r '^[^#].*\<pam_ssh\>' /etc/pam.* /usr/local/etc/pam.*

The following command will disable the pam_ssh module in all PAM
policies present in the system:

# sed -i '' -e '/^[^#].*pam_ssh/s/^/#/' /etc/pam.conf /etc/pam.d/* \
    /usr/local/etc/pam.conf /usr/local/etc/pam.d/*

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to
the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security
branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:09/pam_ssh.patch
# fetch http://security.FreeBSD.org/patches/SA-11:09/pam_ssh.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libpam/modules/pam_ssh
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                       1.44.2.2
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.7
  src/sys/conf/newvers.sh                                  1.72.2.18.2.10
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                   1.44.2.1.8.2
RELENG_7_3
  src/UPDATING                                            1.507.2.34.2.11
  src/sys/conf/newvers.sh                                  1.72.2.16.2.13
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                   1.44.2.1.6.2
RELENG_8
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                       1.45.2.3
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.7
  src/sys/conf/newvers.sh                                  1.83.2.12.2.10
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                   1.45.2.2.4.2
RELENG_8_1
  src/UPDATING                                            1.632.2.14.2.10
  src/sys/conf/newvers.sh                                  1.83.2.10.2.11
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                   1.45.2.2.2.2
RELENG_9
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                       1.47.2.2
RELENG_9_0
  src/lib/libpam/modules/pam_ssh/pam_ssh.c                   1.47.2.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r228421
releng/7.4/                                                       r228843
releng/7.3/                                                       r228843
stable/8/                                                         r228420
releng/8.2/                                                       r228843
releng/8.1/                                                       r228843
stable/9/                                                         r228410
releng/9.0/                                                       r228414
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:09.pam_ssh.asc

Original link: http://security.freebsd.org/advisories/FreeBSD-SA-11:09.pam_ssh.asc

FreeBSD-SA-11:08.telnetd


=============================================================================
FreeBSD-SA-11:08.telnetd                                    Security Advisory
                                                          The FreeBSD Project

Topic:          telnetd code execution vulnerability

Category:       core
Module:         contrib
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)
CVE Name:       CVE-2011-4862

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The FreeBSD telnet daemon, telnetd(8), implements the server side of the
TELNET virtual terminal protocol.  It has been disabled by default in
FreeBSD since August 2001, and due to the lack of cryptographic security
in the TELNET protocol, it is strongly recommended that the SSH protocol
be used instead.  The FreeBSD telnet daemon can be enabled via the
/etc/inetd.conf configuration file and the inetd(8) daemon.

The TELNET protocol has a mechanism for encryption of the data stream
(but it is not cryptographically strong and should not be relied upon
in any security-critical applications).

II.  Problem Description

When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.
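
The pattern described above, shown beside a hardened form. This is an added example, not the libtelnet code or the FreeBSD patch; `key_slot`, `KEY_BUF_LEN`, `store_key_unchecked` and `store_key_checked` are hypothetical names, and the input in `main()` is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_BUF_LEN 64   /* hypothetical size of the fixed key buffer */

/* Hypothetical per-session key state (not the libtelnet structure). */
struct key_slot {
    unsigned char key[KEY_BUF_LEN];
    size_t        keylen;   /* number of valid bytes in key[] */
    int           guard;    /* stands in for whatever memory follows the buffer */
};

/*
 * Flawed pattern: the length supplied by the peer is trusted, so any
 * len > KEY_BUF_LEN makes memcpy() write past key[] into adjacent memory.
 * Shown for comparison only; main() never calls it.
 */
void store_key_unchecked(struct key_slot *s, const unsigned char *data,
                         size_t len)
{
    memcpy(s->key, data, len);      /* no bound check */
    s->keylen = len;
}

/*
 * Hardened form: validate the length against the destination before
 * copying. On rejection the previous key state is left untouched.
 * Returns 0 on success, -1 if the input is rejected.
 */
int store_key_checked(struct key_slot *s, const unsigned char *data,
                      size_t len)
{
    if (s == NULL || data == NULL)
        return -1;
    if (len > sizeof(s->key))
        return -1;                  /* oversized key: refuse, do not truncate */
    memcpy(s->key, data, len);
    s->keylen = len;
    return 0;
}

int main(void)
{
    struct key_slot s = { .guard = 0x5A };
    unsigned char peer[KEY_BUF_LEN + 16];

    memset(peer, 0x41, sizeof(peer));   /* constructed peer-supplied bytes */

    printf("exact fit accepted: %d\n",
           store_key_checked(&s, peer, KEY_BUF_LEN));
    printf("oversized rejected: %d\n",
           store_key_checked(&s, peer, sizeof(peer)));
    printf("adjacent field intact: %s\n", s.guard == 0x5A ? "yes" : "no");
    return 0;
}
```

Rejecting the oversized key outright, rather than truncating it, keeps both ends of the session from continuing with mismatched key material.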

III. Impact

An attacker who can connect to the telnetd daemon can execute arbitrary
code with the privileges of the daemon (which is usually the "root"
superuser).

IV.  Workaround

No workaround is available, but systems not running the telnet daemon
are not vulnerable.

Note that the telnet daemon is usually run via inetd, and consequently
will not show up in a process listing unless a connection is currently
active; to determine if it is enabled, run

$ ps ax | grep telnetd | grep -v grep
$ grep telnetd /etc/inetd.conf | grep -vE '^#'

If any output is produced, your system may be vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2, and 8.1 systems.

a) Download the patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch
# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make && make install
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.2.24.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.24.1
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.7
  src/sys/conf/newvers.sh                                  1.72.2.18.2.10
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.2.38.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.40.2
RELENG_7_3
  src/UPDATING                                            1.507.2.34.2.11
  src/sys/conf/newvers.sh                                  1.72.2.16.2.13
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.2.36.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.38.2
RELENG_8
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c          1.1.1.3.2.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.36.2
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.7
  src/sys/conf/newvers.sh                                  1.83.2.12.2.10
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c          1.1.1.3.8.1
  src/contrib/telnet/libtelnet/encrypt.c                     1.9.36.1.6.2
RELENG_8_1
  src/UPDATING                                            1.632.2.14.2.10
  src/sys/conf/newvers.sh                                  1.83.2.10.2.11
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c          1.1.1.3.6.1
  src/contrib/telnet/libtelnet/encrypt.c                     1.9.36.1.4.2
RELENG_9
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.3.10.1
  src/contrib/telnet/libtelnet/encrypt.c                         1.9.42.2
RELENG_9_0
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c         1.1.1.3.12.1
  src/contrib/telnet/libtelnet/encrypt.c                     1.9.42.1.2.2
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/7/                                                         r228843
releng/7.4/                                                       r228843
releng/7.3/                                                       r228843
stable/8/                                                         r228843
releng/8.2/                                                       r228843
releng/8.1/                                                       r228843
stable/9/                                                         r228843
releng/9.0/                                                       r228843
-------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc

Original link: http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc

FreeBSD-SA-11:07.chroot


=============================================================================
FreeBSD-SA-11:07.chroot                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Code execution via chrooted ftpd

Category:       core
Module:         libc
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

Chroot is an operation that changes the apparent root directory for the
current process and its children.  The chroot(2) system call is widely
used in many applications as a measure of limiting a process’s access to
the file system, as part of implementing privilege separation.

The nsdispatch(3) API implementation has a feature to reload its
configuration on demand.  This feature may also load shared libraries
and run code provided by the library when requested by the configuration
file.

II.  Problem Description

The nsdispatch(3) API has no mechanism to alert it to whether it is
operating within a chroot environment in which the standard paths for
configuration files and shared libraries may be untrustworthy.

The FreeBSD ftpd(8) daemon can be configured to use chroot(2), and
also uses the nsdispatch(3) API.

III. Impact

If ftpd is configured to place a user in a chroot environment, then an
attacker who can log in as that user may be able to run arbitrary code
with elevated ("root") privileges.

IV.  Workaround

Don’t use ftpd with the chroot option.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to
the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security
branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.3 and 7.4]
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot7.patch
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot7.patch.asc

[FreeBSD 8.1 and 8.2]
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot8.patch
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot8.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/handbook/makeworld.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

4) This update adds a new API, __FreeBSD_libc_enter_restricted_mode()
to the C library, which completely disables loading of shared libraries
upon return.  Applications doing chroot(2) jails need to be updated
to call this API explicitly right after the chroot(2) operation as a
safety measure.
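
One way an application could order the calls that item 4 describes. This is an added example, not ftpd's code or the FreeBSD patch; `enter_jail`, the uid/gid 65534 used in `main()` and the `__FreeBSD__` guard (so the file also compiles on other systems) are assumptions.

```c
#include <sys/types.h>
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Confine the calling process to newroot and drop root.
 * Order matters: chroot, move the working directory inside the new root,
 * switch libc to restricted mode before anything can trigger a library
 * load from paths inside the jail, and only then give up privileges.
 * Returns 0 on success, -1 with errno set on failure.
 */
int enter_jail(const char *newroot, uid_t uid, gid_t gid)
{
    /* Validate arguments before touching process state. */
    if (newroot == NULL || newroot[0] != '/' || uid == 0 || gid == 0) {
        errno = EINVAL;         /* relative path, or caller would stay root */
        return -1;
    }

    if (chroot(newroot) != 0)
        return -1;
    if (chdir("/") != 0)        /* do not keep a cwd outside the new root */
        return -1;

#ifdef __FreeBSD__
    /* API added by this update: disables loading of shared libraries
     * once it returns. Call it right after chroot(2). */
    __FreeBSD_libc_enter_restricted_mode();
#endif

    /* Drop supplementary groups, then gid, then uid (uid last, since
     * the earlier calls need root). */
    if (setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Confirm that root cannot be regained. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /absolute/jail/dir\n", argv[0]);
        return 2;
    }
    /* 65534 is an assumed unprivileged uid/gid for this demonstration. */
    if (enter_jail(argv[1], 65534, 65534) != 0) {
        perror("enter_jail");
        return 1;
    }
    puts("confined");
    return 0;
}
```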

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/include/unistd.h                                           1.80.2.4
  src/lib/libc/include/libc_private.h                            1.17.2.4
  src/lib/libc/Versions.def                                       1.3.2.3
  src/lib/libc/net/nsdispatch.c                                  1.14.2.3
  src/lib/libc/gen/Symbol.map                                     1.6.2.7
  src/lib/libc/gen/Makefile.inc                                 1.128.2.6
  src/lib/libc/gen/libc_dlopen.c                                  1.2.2.2
  src/libexec/ftpd/popen.c                                      1.26.10.2
  src/libexec/ftpd/ftpd.c                                       1.212.2.2
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.7
  src/sys/conf/newvers.sh                                  1.72.2.18.2.10
  src/include/unistd.h                                       1.80.2.3.4.2
  src/lib/libc/include/libc_private.h                        1.17.2.3.4.2
  src/lib/libc/Versions.def                                   1.3.2.2.4.2
  src/lib/libc/net/nsdispatch.c                              1.14.2.2.2.2
  src/lib/libc/gen/Symbol.map                                 1.6.2.6.4.2
  src/lib/libc/gen/Makefile.inc                             1.128.2.5.4.2
  src/lib/libc/gen/libc_dlopen.c                                  1.2.4.2
  src/libexec/ftpd/popen.c                                  1.26.10.1.2.2
  src/libexec/ftpd/ftpd.c                                   1.212.2.1.6.2
RELENG_7_3
  src/UPDATING                                            1.507.2.34.2.11
  src/sys/conf/newvers.sh                                  1.72.2.16.2.13
  src/include/unistd.h                                       1.80.2.3.2.2
  src/lib/libc/include/libc_private.h                        1.17.2.3.2.2
  src/lib/libc/Versions.def                                   1.3.2.2.2.2
  src/lib/libc/net/nsdispatch.c                              1.14.2.1.6.2
  src/lib/libc/gen/Symbol.map                                 1.6.2.6.2.2
  src/lib/libc/gen/Makefile.inc                             1.128.2.5.2.2
  src/lib/libc/gen/libc_dlopen.c                                  1.1.2.1
  src/libexec/ftpd/popen.c                                      1.26.24.2
  src/libexec/ftpd/ftpd.c                                   1.212.2.1.4.2
RELENG_8
  src/include/unistd.h                                           1.95.2.2
  src/lib/libc/include/libc_private.h                            1.20.2.3
  src/lib/libc/Versions.def                                       1.8.2.3
  src/lib/libc/net/nsdispatch.c                                  1.18.2.3
  src/lib/libc/gen/Symbol.map                                    1.21.2.6
  src/lib/libc/gen/Makefile.inc                                 1.144.2.7
  src/lib/libc/gen/libc_dlopen.c                                  1.1.4.2
  src/libexec/ftpd/popen.c                                      1.26.22.3
  src/libexec/ftpd/ftpd.c                                       1.214.2.3
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.7
  src/sys/conf/newvers.sh                                  1.83.2.12.2.10
  src/include/unistd.h                                       1.95.2.1.6.2
  src/lib/libc/include/libc_private.h                        1.20.2.2.4.2
  src/lib/libc/Versions.def                                   1.8.2.2.4.2
  src/lib/libc/net/nsdispatch.c                              1.18.2.2.2.2
  src/lib/libc/gen/Symbol.map                                1.21.2.5.2.2
  src/lib/libc/gen/Makefile.inc                             1.144.2.6.2.2
  src/lib/libc/gen/libc_dlopen.c                                  1.2.8.2
  src/libexec/ftpd/popen.c                                  1.26.22.2.4.2
  src/libexec/ftpd/ftpd.c                                   1.214.2.1.6.2
RELENG_8_1
  src/UPDATING                                            1.632.2.14.2.10
  src/sys/conf/newvers.sh                                  1.83.2.10.2.11
  src/include/unistd.h                                       1.95.2.1.4.2
  src/lib/libc/include/libc_private.h                        1.20.2.2.2.2
  src/lib/libc/Versions.def                                   1.8.2.2.2.2
  src/lib/libc/net/nsdispatch.c                              1.18.2.1.4.2
  src/lib/libc/gen/Symbol.map                                1.21.2.3.2.2
  src/lib/libc/gen/Makefile.inc                             1.144.2.4.2.2
  src/lib/libc/gen/libc_dlopen.c                                 1.2.10.2
  src/libexec/ftpd/popen.c                                  1.26.22.2.2.2
  src/libexec/ftpd/ftpd.c                                   1.214.2.1.4.2
RELENG_9
  src/include/unistd.h                                          1.101.2.2
  src/lib/libc/include/libc_private.h                            1.26.2.2
  src/lib/libc/Versions.def                                       1.9.2.2
  src/lib/libc/net/nsdispatch.c                                  1.19.2.2
  src/lib/libc/gen/Symbol.map                                    1.38.2.2
  src/lib/libc/gen/Makefile.inc                                 1.159.2.2
  src/lib/libc/gen/libc_dlopen.c                                  1.1.6.2
  src/lib/libc/iconv/citrus_module.c                              1.1.2.2
  src/libexec/ftpd/popen.c                                       1.27.2.2
  src/libexec/ftpd/ftpd.c                                       1.220.2.2
RELENG_9_0
  src/include/unistd.h                                      1.101.2.1.2.2
  src/lib/libc/include/libc_private.h                        1.26.2.1.2.2
  src/lib/libc/Versions.def                                   1.9.2.1.2.2
  src/lib/libc/net/nsdispatch.c                              1.19.2.1.2.2
  src/lib/libc/gen/Symbol.map                                1.38.2.1.2.2
  src/lib/libc/gen/Makefile.inc                             1.159.2.1.2.2
  src/lib/libc/gen/libc_dlopen.c                                  1.2.6.2
  src/lib/libc/iconv/citrus_module.c                          1.1.2.1.2.2
  src/libexec/ftpd/popen.c                                   1.27.2.1.2.2
  src/libexec/ftpd/ftpd.c                                   1.220.2.1.2.2
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/7/                                                         r228843
releng/7.4/                                                       r228843
releng/7.3/                                                       r228843
stable/8/                                                         r228843
releng/8.2/                                                       r228843
releng/8.1/                                                       r228843
stable/9/                                                         r228843
releng/9.0/                                                       r228843
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:07.chroot.asc

Original link: http://security.freebsd.org/advisories/FreeBSD-SA-11:07.chroot.asc

FreeBSD-SA-11:06.bind


=============================================================================
FreeBSD-SA-11:06.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Remote packet Denial of Service against named(8) servers

Category:       contrib
Module:         bind
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-11-17 01:10:16 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-11-17 00:36:10 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-01 21:13:41 UTC (RELENG_9, 9.0-STABLE)
                2011-12-01 21:17:59 UTC (RELENG_9_0, 9.0-RC3)
                2011-11-16 23:41:13 UTC (ports tree)
CVE Name:       CVE-2011-4313

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

A remote attacker could cause the BIND resolver to cache an invalid
record, which could cause the BIND daemon to crash when that record
is being queried.

III. Impact

An attacker that is able to send a specifically crafted response to the
BIND daemon can cause it to crash, resulting in a denial of service.

Note that due to the nature of this vulnerability, the attacker does
not necessarily have to have query access to the victim server.  The
vulnerability can be triggered by tricking legitimate clients, for
instance spam filtering systems or an end user browser, which can be
made to send the query on the attacker's behalf.

IV.  Workaround

No workaround is available, but systems not running the BIND resolving
name server are not affected.

Servers that are running in authoritative-only mode appear not to be
affected by this vulnerability.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.3-RELEASE and 7.4-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind7.patch
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind7.patch.asc

[FreeBSD 8.1-RELEASE and 8.2-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind8.patch
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind8.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction
date.  The following versions and newer versions of BIND installed from
the Ports Collection already have the mitigation measure:

        bind96-9.6.3.1.ESV.R5.1
        bind97-9.7.4.1
        bind98-9.8.1.1

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/contrib/bind9/lib/dns/rbtdb.c                           1.1.1.4.2.9
  src/contrib/bind9/bin/named/query.c                         1.1.1.6.2.8
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.7
  src/sys/conf/newvers.sh                                  1.72.2.18.2.10
  src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.4.2.6.2.1
  src/contrib/bind9/bin/named/query.c                     1.1.1.6.2.6.2.1
RELENG_7_3
  src/UPDATING                                            1.507.2.34.2.11
  src/sys/conf/newvers.sh                                  1.72.2.16.2.13
  src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.4.2.3.2.2
  src/contrib/bind9/bin/named/query.c                     1.1.1.6.2.3.2.2
RELENG_8
  src/contrib/bind9/lib/dns/rbtdb.c                               1.3.2.9
  src/contrib/bind9/bin/named/query.c                             1.3.2.8
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.7
  src/sys/conf/newvers.sh                                  1.83.2.12.2.10
  src/contrib/bind9/lib/dns/rbtdb.c                           1.3.2.5.2.1
  src/contrib/bind9/bin/named/query.c                         1.3.2.5.2.1
RELENG_8_1
  src/UPDATING                                            1.632.2.14.2.10
  src/sys/conf/newvers.sh                                  1.83.2.10.2.11
  src/contrib/bind9/lib/dns/rbtdb.c                           1.3.2.3.2.1
  src/contrib/bind9/bin/named/query.c                         1.3.2.3.2.1
RELENG_9
  src/contrib/bind9/lib/dns/rbtdb.c                              1.13.2.1
  src/contrib/bind9/bin/named/query.c                            1.11.2.1
RELENG_9_0
  src/contrib/bind9/lib/dns/rbtdb.c                              1.13.4.1
  src/contrib/bind9/bin/named/query.c                            1.11.4.1
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/7/                                                         r227603
releng/7.4/                                                       r228843
releng/7.3/                                                       r228843
stable/8/                                                         r227599
releng/8.2/                                                       r228843
releng/8.1/                                                       r228843
stable/9/                                                         r228189
releng/9.0/                                                       r228190
-------------------------------------------------------------------------

VII. References

https://www.isc.org/software/bind/advisories/cve-2011-4313

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:06.bind.asc

Original link: http://security.freebsd.org/advisories/FreeBSD-SA-11:06.bind.asc

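Installing lighttpd under FreeBSD

Installing lighttpd on FreeBSD

Author: zeissoctopus

These are my notes on installing and configuring the lighttpd 1.4.29 web server on FreeBSD 8-Stable. I will enable the following features:

SSL
lighttpd's simple namebase virtualhost
PHP support through FastCGI

1: Install the software

Build and install lighttpd on FreeBSD from ports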

% cd /usr/ports/www/lighttpd
% su root
# make install
# make clean
# exit

These are the options I selected when building lighttpd from ports

WITHOUT_BZIP2    true
WITHOUT_CML    true
WITHOUT_FAM    true
WITHOUT_GDBM    true
WITH_IPV6    true
WITHOUT_LIBEV    true
WITHOUT_MAGNET    true
WITHOUT_MEMCACHE    true
WITHOUT_MYSQL    true
WITHOUT_MYSQLAUTH    true
WITHOUT_NODELAY    true
WITHOUT_OPENLDAP    true
WITH_OPENSSL    true
WITHOUT_SPAWNFCGI    true
WITHOUT_VALGRIND    true
WITHOUT_WEBDAV    true
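
On FreeBSD the default httpd user and group are www:www

2: Lay out the site's directories

lighttpd creates some files while it runs, and it also looks up where each site is actually stored, so both need to be arranged in advance. Since I only need lighttpd to serve one domain, I only have to build the site's directory structure according to the simple virtualhost rules. All file locations can be chosen freely, however; this example simply follows my personal preference.

Files created by lighttpd at run time

Directory layout for lighttpd's simple namebase virtualhost

Apart from the root directory, every directory is named after the virtual host's site name

3: Configure lighttpd from FreeBSD ports

Default location of the configuration files on FreeBSD

Order in which this example loads the configuration files

This example enables lighttpd's ssl, fastcgi and simple_vhost modules, so the configuration files are read in the following order:

/usr/local/etc/lighttpd/lighttpd.conf
/usr/local/etc/lighttpd/modules.conf
/usr/local/etc/lighttpd/conf.d/fastcgi.conf
/usr/local/etc/lighttpd/conf.d/simple_vhost.conf

In other words, this example only needs suitable changes to the 4 configuration files above.

Contents of lighttpd.conf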

#######################################################################
##
## /usr/local/etc/lighttpd/lighttpd.conf
##
#######################################################################
 
#######################################################################
##
## Define variables for the relevant directories
##
var.log_root    = "/var/log/lighttpd"
var.state_dir   = "/var/run"
var.home_dir    = "/var/spool/lighttpd"
var.conf_dir    = "/usr/local/etc/lighttpd"
 
##
## Root directory of the virtual hosts
##
## Used by the following modules:
## conf.d/evhost.conf
## conf.d/simple_vhost.conf
## vhosts.d/vhosts.template
##
var.vhosts_dir  = "/home/www"
 
##
## CGI/FastCGI socket directory
##
## Used by the following modules:
## conf.d/fastcgi.conf
## conf.d/scgi.conf
##
var.socket_dir  = "/var/lib/lighttpd/sockets"
 
##
#######################################################################
 
#######################################################################
##
## Load the module definition file
include "modules.conf"
 
##
#######################################################################
 
#######################################################################
##
##  Basic lighttpd settings
## ---------------------
##
server.port = 80
 
## Use IPv6?
server.use-ipv6 = "disable"
 
## Bind to this IP address
server.bind = "127.0.0.1"
 
## User and group that lighttpd runs as
server.username  = "www"
server.groupname = "www"
 
## Server: response header string
server.tag = "lighttpd"
 
## lighttpd pid file
server.pid-file = state_dir + "/lighttpd.pid"
 
## Default document root
server.document-root = "/home/www/example.org/htdocs/"
 
##
#######################################################################
 
#######################################################################
##
##  Logging options
## ------------------
##
server.errorlog             = log_root + "/lighttpd-error.log"
 
##
## Access log config
##
include "conf.d/access_log.conf"
 
##
## The debug options are moved into their own file.
## see conf.d/debug.conf for various options for request debugging.
##
include "conf.d/debug.conf"
 
##
#######################################################################
 
#######################################################################
##
##  Tuning/Performance
## --------------------
##
server.event-handler = "freebsd-kqueue"
 
##
## The basic network interface for all platforms at the syscalls read()
## and write(). Every modern OS provides its own syscall to help network
## servers transfer files as fast as possible
##
## linux-sendfile - is recommended for small files.
## writev         - is recommended for sending many large files
##
server.network-backend = "writev"
 
##
## As lighttpd is a single-threaded server, its main resource limit is
## the number of file descriptors, which is set to 1024 by default (on
## most systems).
##
## If you are running a high-traffic site you might want to increase this
## limit by setting server.max-fds.
##
## Changing this setting requires root permissions on startup. see
## server.username/server.groupname.
##
## By default lighttpd would not change the operation system default.
## But setting it to 2048 is a better default for busy servers.
##
server.max-fds = 2048
 
##
## Stat() call caching.
##
## lighttpd can utilize FAM/Gamin to cache stat call.
##
## possible values are:
## disable, simple or fam.
##
server.stat-cache-engine = "simple"
 
##
## Fine tuning for the request handling
##
## max-connections == max-fds/2 (maybe /3)
## means the other file handles are used for fastcgi/files
##
server.max-connections = 1024
 
##
## How many seconds to keep a keep-alive connection open,
## until we consider it idle.
##
## Default: 5
##
server.max-keep-alive-idle = 5
 
##
## How many keep-alive requests until closing the connection.
##
## Default: 16
##
server.max-keep-alive-requests = 16
 
##
## Maximum size of a request in kilobytes.
## By default it is unlimited (0).
##
## Uploads to your server can't be larger than this value.
##
server.max-request-size = 0
 
##
## Time to read from a socket before we consider it idle.
##
## Default: 60
##
server.max-read-idle = 60
 
##
## Time to write to a socket before we consider it idle.
##
## Default: 360
##
server.max-write-idle = 360
 
##
##  Traffic Shaping
## -----------------
##
## see /usr/share/doc/lighttpd/traffic-shaping.txt
##
## Values are in kilobyte per second.
##
## Keep in mind that a limit below 32kB/s might actually limit the
## traffic to 32kB/s. This is caused by the size of the TCP send
## buffer.
##
## per server:
##
server.kbytes-per-second = 128
 
##
## per connection:
##
connection.kbytes-per-second = 32
 
##
#######################################################################
 
#######################################################################
##
##  Filename/File handling
## ------------------------
 
##
## files to check for if …/ is requested
## index-file.names            = ( "index.php", "index.rb", "index.html",
##                                 "index.htm", "default.htm" )
##
index-file.names += (
  "index.xhtml", "index.html", "index.htm", "index.php"
)
 
##
## deny access to these file extensions
##
## ~    is for backupfiles from vi, emacs, joe, …
## .inc is often used for code includes which should in general not be part
##      of the document-root
url.access-deny             = ( "~", ".inc" )
 
##
## disable range requests for pdf files
## workaround for a bug in the Acrobat Reader plugin.
##
$HTTP["url"] =~ "\.pdf$" {
  server.range-requests = "disable"
}
 
##
## which extensions should not be handled via static-file transfer
##
## .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi
##
static-file.exclude-extensions = ( ".php", ".php5", ".pl", ".fcgi", ".scgi" )
 
##
## mimetype mapping
##
include "conf.d/mime.conf"
 
##
## directory listing configuration
##
include "conf.d/dirlisting.conf"
 
##
## Should lighttpd follow symlinks?
##
server.follow-symlink = "disable"
 
##
## force all filenames to be lowercase?
##
server.force-lowercase-filenames = "disable"
 
##
## defaults to /var/tmp as we assume it is a local harddisk
##
server.upload-dirs = ( "/var/tmp" )
 
##
#######################################################################
 
#######################################################################
##
## SSL Settings
##
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/usr/local/etc/ssl/crt/YourHost.pem"
ssl.use-sslv3 = "enable"
ssl.cipher-list = "TLSv1+HIGH:SSLv3+HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
}
 
##
#######################################################################
 
#######################################################################
##
## Simple virtual host
##
 
$HTTP["host"] != "wiki.example.org" {
accesslog.filename = log_root + "/example.org-access.log"
}
 
 
$HTTP["host"] == "wiki.example.org" {
accesslog.filename = log_root + "/wiki.example.org-access.log"
}
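
The lighttpd.conf above turns SSLv3 on (ssl.use-sslv3 = "enable"), a protocol that has since been deprecated (RFC 7568), and leaves server.max-request-size at 0 (unlimited). The following Python script is an added example, not part of the original article or of lighttpd: it audits a config for those two settings and for weak keywords in ssl.cipher-list that are not negated. The function names and the sample text are constructed for this example.

```python
import re

# Constructed sample: the request-size and SSL lines from the lighttpd.conf listing above.
SAMPLE_CONF = '''\
server.max-request-size = 0
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.use-sslv3 = "enable"
ssl.cipher-list = "TLSv1+HIGH:SSLv3+HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
}
'''
# OpenSSL cipher-string keywords that select weak suites when not negated.
WEAK_WORDS = {"NULL", "eNULL", "aNULL", "EXPORT", "EXP", "LOW", "RC4", "MD5", "DES", "3DES"}
DIRECTIVE = re.compile(r'^([A-Za-z][\w.-]*)\s*\+?=\s*(.+)$')

def parse(text):
    """Yield (scope, key, value) for one-line directives, tracking $COND {...} blocks."""
    scopes = ["global"]
    for raw in text.splitlines():
        line = re.sub(r'\s+#[^"]*$', '', raw.strip())   # drop a trailing comment
        if not line or line.startswith("#"):
            continue
        if line.startswith("$") and line.endswith("{"):
            scopes.append(line[:-1].strip())
        elif line == "}" and len(scopes) > 1:
            scopes.pop()
        else:
            m = DIRECTIVE.match(line)
            if m:
                yield scopes[-1], m.group(1), m.group(2).strip().strip('"')

def audit(text):
    """Return a list of (scope, directive, advice) findings."""
    findings = []
    for scope, key, value in parse(text):
        if key in ("ssl.use-sslv2", "ssl.use-sslv3") and value == "enable":
            findings.append((scope, key, 'legacy SSL protocol on; set to "disable"'))
        elif key == "server.max-request-size" and value == "0":
            findings.append((scope, key, "request size unlimited; set a limit in KB"))
        elif key == "ssl.cipher-list":
            for token in value.split(":"):
                words = set(token.split("+"))
                if token[:1] not in ("!", "-", "+", "@") and words & WEAK_WORDS:
                    findings.append((scope, key, "weak cipher keyword: " + token))
    return findings

if __name__ == "__main__":
    for scope, key, advice in audit(SAMPLE_CONF):
        print(f"[{scope}] {key}: {advice}")
```

On the sample it reports the unlimited request size and the enabled SSLv3; the cipher list passes because its weak keywords (aNULL, eNULL, 3DES) are all negated.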

Contents of modules.conf

#######################################################################
##
##  Modules to load
## -----------------
##
## at least mod_access and mod_accesslog should be loaded
## all other modules should only be loaded if really necessary
##
## - saves some time
## - saves memory
##
## the default module set contains:
##
## "mod_indexfile", "mod_dirlisting", "mod_staticfile"
##
## you don't have to include those modules in your list
##
## Modules, which are pulled in via conf.d/*.conf
##
## NOTE: the order of modules is important.
##
## - mod_accesslog     -> conf.d/access_log.conf
## - mod_compress      -> conf.d/compress.conf
## - mod_status        -> conf.d/status.conf
## - mod_webdav        -> conf.d/webdav.conf
## - mod_cml           -> conf.d/cml.conf
## - mod_evhost        -> conf.d/evhost.conf
## - mod_simple_vhost  -> conf.d/simple_vhost.conf
## - mod_mysql_vhost   -> conf.d/mysql_vhost.conf
## - mod_trigger_b4_dl -> conf.d/trigger_b4_dl.conf
## - mod_userdir       -> conf.d/userdir.conf
## - mod_rrdtool       -> conf.d/rrdtool.conf
## - mod_ssi           -> conf.d/ssi.conf
## - mod_cgi           -> conf.d/cgi.conf
## - mod_scgi          -> conf.d/scgi.conf
## - mod_fastcgi       -> conf.d/fastcgi.conf
## - mod_proxy         -> conf.d/proxy.conf
## - mod_secdownload   -> conf.d/secdownload.conf
## - mod_expire        -> conf.d/expire.conf
##
 
server.modules = (
  "mod_access",
  "mod_alias",
  "mod_auth",
#  "mod_evasive",
  "mod_redirect",
  "mod_rewrite",
  "mod_setenv",
#  "mod_usertrack",
)
 
##
#######################################################################
 
#######################################################################
##
##  Config for various Modules
##
 
##
## mod_ssi
##
#include "conf.d/ssi.conf"
 
##
## mod_status
##
#include "conf.d/status.conf"
 
##
## mod_webdav
##
#include "conf.d/webdav.conf"
 
##
## mod_compress
##
#include "conf.d/compress.conf"
 
##
## mod_userdir
##
#include "conf.d/userdir.conf"
 
##
## mod_magnet
##
#include "conf.d/magnet.conf"
 
##
## mod_cml
##
#include "conf.d/cml.conf"
 
##
## mod_rrdtool
##
#include "conf.d/rrdtool.conf"
 
##
## mod_proxy
##
#include "conf.d/proxy.conf"
 
##
## mod_expire
##
#include "conf.d/expire.conf"
 
##
## mod_secdownload
##
#include "conf.d/secdownload.conf"
 
##
#######################################################################
 
#######################################################################
##
## CGI modules
##
 
##
## SCGI (mod_scgi)
##
#include "conf.d/scgi.conf"
 
##
## FastCGI (mod_fastcgi)
##
include "conf.d/fastcgi.conf"
 
##
## plain old CGI (mod_cgi)
##
#include "conf.d/cgi.conf"
 
##
#######################################################################
 
#######################################################################
##
## VHost Modules
##
##  Only load ONE of them!
## ========================
##
 
##
## You can use conditionals for vhosts as well.
##
## see http://www.lighttpd.net/documentation/configuration.html
##
 
##
## mod_evhost
##
#include "conf.d/evhost.conf"
 
##
## mod_simple_vhost
##
include "conf.d/simple_vhost.conf"
 
##
## mod_mysql_vhost
##
#include "conf.d/mysql_vhost.conf"
 
##
#######################################################################

Contents of fastcgi.conf

The fastcgi.conf below supports PHP5 only and connects Lighttpd to the FastCGI daemon through a socket. On FreeBSD, php-cgi is located in /usr/local/bin.

#######################################################################
##
##  FastCGI Module
## ---------------
##
## http://www.lighttpd.net/documentation/fastcgi.html
##
server.modules += ( "mod_fastcgi" )
 
##
## PHP Example
## For PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini.
##
## The number of php processes you will get can be easily calculated:
##
## num-procs = max-procs * ( 1 + PHP_FCGI_CHILDREN )
##
## for the php-num-procs example it means you will get 17*5 = 85 php
## processes. you always should need this high number for your very
## busy sites. And if you have a lot of RAM. :)
##
fastcgi.server = ( ".php" =>
                   ( "php-local" =>
                     (
                       "socket" => socket_dir + "/php-fcgi.socket",
                       "bin-path" => "/usr/local/bin/php-cgi",
                       "bin-environment" => (
                         "PHP_FCGI_CHILDREN" => "8",
                         "PHP_FCGI_MAX_REQUESTS" => "10000",
                       ),
                       "max-procs" => 1,
                       "broken-scriptfilename" => "enable",
                     )
                   ),
                )

Contents of simple_vhost.conf

#######################################################################
##
##  Simple Virtual hosting
## ------------------------
##
## http://www.lighttpd.net/documentation/simple-vhost.html
##
server.modules += ( "mod_simple_vhost" )
 
##  If you want name-based virtual hosting add the next three settings and load
##  mod_simple_vhost
##
## document-root =
##   virtual-server-root + virtual-server-default-host + virtual-server-docroot
## or
##   virtual-server-root + http-host + virtual-server-docroot
##
simple-vhost.server-root   = vhosts_dir + "/"
simple-vhost.default-host  = "example.org"
simple-vhost.document-root = "htdocs"
 
##
## Print some errors for finding the document-root
##
#simple-vhost.debug = "enable"
 
##
#######################################################################

4: Starting the Lighttpd service

Add the following line to /etc/rc.conf so that Lighttpd starts automatically every time FreeBSD boots.

lighttpd_enable="YES"

To start Lighttpd immediately without rebooting FreeBSD, edit /etc/rc.conf as described above and then run the following commands.

% su -
# service lighttpd start
# exit

Original link: http://wiki.freebsdchina.org/doc/l/lighttpd_1_14_29