2.1 Kernel Changes

Execution of a.out(5) format executables now requires the COMPAT_AOUT option in the kernel configuration or the loading of the aout.ko kernel module.

acct(2) has been changed to open the accounting file in append mode, so that accton(8) can be used to enable accounting to an append-only file. [MERGED]

Preliminary support for Bluetooth devices has been added, in the form of a series of Netgraph modules (see ng_bluetooth(4)). Two modules provide device driver support for Bluetooth adapters: The ng_bt3c(4) driver supports the 3Com/HP Bluetooth PCCARD adapters, while the ng_ubt(4) driver supports several USB Bluetooth adapters.

A new in-kernel cryptographic framework (see crypto(4) and crypto(9)) has been imported from OpenBSD. It provides a consistent interface to hardware and software implementations of cryptographic algorithms for use by the kernel and access to cryptographic hardware for user-mode applications. Hardware device drivers are provided to support hifn-based cards ( hifn(4)) and Broadcom-based cards ( ubsec(4)). [MERGED]

A new ddb(4) command show pcpu lists some of the per-CPU data.

A devctl device has been added to allow userland programs to learn when devices come and go in the device tree. This facility is primarily used by the devd(8) utility.

devfs(5), which allows entries in the /dev directory to be built automatically and supports more flexible attachment of devices, has been largely reworked. devfs(5) is now enabled by default and can be disabled by the NODEVFS kernel option. A ``rule'' subsystem permits the administrator to define certain properties of new device nodes before they become visible to the userland. Both static (e.g. /dev/speaker) and dynamic (e.g. /dev/bpf*, some removable devices) nodes are supported. Each devfs(5) mount may have a different ruleset assigned to it, permitting different policies to be implemented for things like jails. Rules and rulesets are manipulated with the devfs(8) utility.

A new digi driver has been added to support PCI Xr-based and ISA Xem Digiboard cards. A new digictl(8) program is (mainly) used to re-initialize cards that have external port modules attached such as the PC/Xem. This driver replaces the older dgm driver.

An eaccess(2) system call has been added, similar to access(2) except that the former uses effective credentials rather than real credentials.

Initial support has been added for FireWire devices (see firewire(4)). [MERGED]

Each jail(2) environment can now run under its own securelevel.

The tunable sysctl variables for jail(2) have moved from jail.* to the security.* hierarchy. Other security-related sysctl variables have moved from kern.security.* to security.*.

The kernel environment is now dynamic, and can be changed via the new kenv(2) system call.

The labpc(4) driver has been removed due to ``bitrot''.

The loader and kernel linker now look for files named linker.hints in each directory with KLDs for a module name and version to KLD filename mapping. The new kldxref(8) utility is used to generate these files.

lomac(4), a Low-Watermark Mandatory Access Control security facility, has been added as a kernel module. It provides a drop-in security mechanism in addition to the traditional UID-based security facilities, requiring no additional configuration from the administrator. Work on this feature was sponsored by DARPA and NAI Labs.

FreeBSD now supports an extensible Mandatory Access Control framework, the TrustedBSD MAC Framework. It permits loadable kernel modules to link to the kernel at compile-time, boot-time, or run-time to augment the system security policy. The framework permits modules to express interest in a variety of events, and also provides common security policy services such as label storage. A variety of sample policy modules are shipped in this release, including implementations of fixed and floating label Biba integrity models, Multi-Level Security (MLS) with compartments, and a number of augmented UNIX security models including a file system firewall. This feature will permit easier development and maintenance of local and vendor security extensions. The extensibility service is enabled by adding options MAC to the kernel configuration.

mutex(9) profiling code has been added, enabled by the MUTEX_PROFILING kernel configuration option. It enables the debug.mutex.prof.* hierarchy of sysctl variables.

The P1003_1B kernel option is no longer used and has been removed.

PECOFF (Win32 Execution file format) support has been added.

The random(4) device has been rewritten to use the Yarrow algorithm. It harvests entropy from a variety of interrupt sources, including the console devices, Ethernet and point-to-point network interfaces, and mass-storage devices. Entropy from the random(4) device is now periodically saved to files in /var/db/entropy, as well as at shutdown time. The semantics of /dev/random have changed; it never blocks waiting for entropy bits but generates a stream of pseudo-random data and now behaves exactly as /dev/urandom.

A new kernel option, options REGRESSION, enables interfaces and functionality intended for use during correctness and regression testing.

RLIMIT_VMEM support has been added. This feature defines a new resource limit that covers a process's entire virtual memory space, including mmap(2) space. This limit can be configured in login.conf(5) via the new vmemoryuse variable. [MERGED]

A bug in the sendfile(2) system call, in which headers counted against the size of the file to be sent, has been fixed. [MERGED]

The syscons(4) driver now supports keyboard-controlled pasting, by default bound to Shift-Insert.

The uaudio driver, for USB audio devices, has been added. [MERGED]

The ubsa driver has been added to support the Belkin F5U103 (and compatible) USB-to-serial adaptors.

The ucom(4) device driver has been added, to support USB modems, serial devices, and other programs that need to look like a tty. The related uftdi(4), uplcom(4), uvscom(4) drivers provide specific support for FTDI serial adapters, the Prolific PL-2303 serial adapter and the SUNTAC Slipper U VS-10U, respectively. [MERGED]

To increase security, the UCONSOLE kernel configuration option has been removed.

The UserConfig boot-time kernel configuration feature, usually used to enable, disable, or configure ISA devices, has been removed. Its functionality has been replaced by the kernel hints file in /boot/device.hints.

The USER_LDT kernel option is now activated by default.

The uvisor(4) driver for connecting Handspring Visors via USB has been added. [MERGED]

A VESA S3 linear framebuffer driver has been added.

The kernel crashdump infrastructure has been revised, to support new platforms and in general clean up the logic in the code. One implication of this change is that the on-disk format for kernel dumps has changed, and is now byte-order-agnostic.

Extremely large swap areas (>67 GB) no longer panic the system.

Linker sets are now self-contained; gensetdefs(8) is unnecessary and has been removed.

It is now possible to hardwire kernel environment variables (such as tunables) at compile-time using config(8)'s ENV directive.

Idle zeroing of pages can be enabled with the vm.idlezero_enable sysctl variable.

The FreeBSD kernel scheduler now supports Kernel-Scheduled Entities (KSEs), which provides support for multiple threads of execution per process similar to Scheduler Activations. At this point, the kernel has most of the changes needed to support threading. The kernel scheduler can schedule multiple threads per process, but only on a single CPU at a time. More information can be found in kse(2).

The kernel now has support for multiple low-level console devices. The new conscontrol(8) utility helps to manage the different consoles.

The kernel memory allocator is now a slab memory allocator, similar to that used in Solaris. This is a SMP-safe memory allocator that has near-linear performance as the number of CPUs increases. It also allows for reduced memory fragmentation.

2.2 Security-Related Changes

A buffer overflow in the resolver, which could be exploited by a malicious domain name server or an attacker forging DNS messages, has been fixed. See security advisory FreeBSD-SA-02:28 for more details. [MERGED]

A buffer overflow in tcpdump(1), which could be triggered by badly-formed NFS packets, has been fixed. See security advisory FreeBSD-SA-02:29 for more details. [MERGED]

ktrace(1) can no longer trace the operation of formerly privileged processes; this prevents the leakage of sensitive information that the process could have obtained before abandoning its privileges. For a discussion of this issue, see security advisory FreeBSD-SA-02:30 for more details. [MERGED]

A race condition in pppd(8), which could be used to change the permissions of an arbitrary file, has been corrected. For more information, see security advisory FreeBSD-SA-02:32. [MERGED]

Multiple buffer overflows in OpenSSL have been corrected, by way of an upgrade to the base system version of OpenSSL. More details can be found in security advisory FreeBSD-SA-02:33. [MERGED]

A heap buffer overflow in the XDR decoder has been fixed. For more details, see security advisory FreeBSD-SA-02:34. [MERGED]

A bug that could allow local users to read and write arbitrary blocks on an FFS filesystem has been corrected. More details can be found in security advisory FreeBSD-SA-02:35. [MERGED]

A bug in the NFS server code, which could allow a remote denial of service attack, has been fixed. Security advisory FreeBSD-SA-02:36 has more details. [MERGED]

A bug that could allow local users to panic a system using the kqueue(2) mechanism has been fixed. More information is contained in security advisory FreeBSD-SA-02:37. [MERGED]

Several bounds-checking bugs in system calls, which could result in some system calls returning a large portion of kernel memory, have been fixed. More information can be found in security advisory FreeBSD-SA-02:38. [MERGED]

A bug that could allow applications using libkvm to leak sensitive file descriptors has been corrected. (See security advisory FreeBSD-SA-02:39 for more details.) [MERGED]

Buffer overflows in kadmind(8) and k5admin have been corrected. More details can be found in security advisory FreeBSD-SA-02:40. [MERGED]

Errors in smrsh(8), which could allow users to circumvent restrictions on what programs can be executed, have been fixed. See FreeBSD-SA-02:41 for details. [MERGED]

Buffer overflows in the DNS resolver(3), which could cause some applications to fail, have been corrected. More details are in FreeBSD-SA-02:42. [MERGED]

Multiple vulnerabilities in BIND have been fixed, as described in FreeBSD-SA-02:43. [MERGED]

A file descriptor leak in the fpathconf(2) system call, which could allow a local user to crash the system or cause a privilege escalation, has been fixed. More details can be found in security advisory FreeBSD-SA-02:44. [MERGED]

2.3 Userland Changes

Support for creating a.out(5) format executables with the base system compiler toolchain has been removed.

adduser(8) and rmuser(8) are now sh(1) scripts, rather than Perl scripts.

arp(8) now prints [fddi] or [atm] tags for addresses on interfaces of those types.

The asa(1) utility, to interpret FORTRAN carriage-control characters, has been added.

at(1) now supports the -r command-line option to remove jobs and the -t option to specify times in POSIX time format.

The system awk(1) now refers to BWK awk.

basename(1) now accept -a and -s flags, which allow it to perform the basename(3) function on multiple files.

biff(1) now accepts a b argument to enable ``bell notification'' of new mail (which does not disturb the terminal contents as biff y would). [MERGED]

biff(1) now uses the first terminal associated with the standard input, standard output or standard error file descriptor, in that order. Thus, it is possible to use the redirection facilities of a shell (biff n < /dev/ttyp1) to toggle the notification for other terminals.

burncd(8) now supports Disk At Once (DAO) mode, selectable via the -d flag. [MERGED]

burncd(8) now has the ability to write VCDs/SVCDs. [MERGED]

burncd(8) now accepts a value of max for its -s option to set the drive's maximum write speed. [MERGED]

bzgrep(1), bzegrep(1), and bzfgrep(1) have been added to perform grep(1)-type operations on bzip2(1)-compressed files.

calendar(1) now takes a -W option, which operates similar to -A but without special treatment at weekends, and a -F option to change the notion of ``Friday''.

catman(1) is now a C program, instead of a Perl script.

cdcontrol(1) now supports a speed command to set the maximum speed to be used by the drive (the maximum possible speed can be selected setting the speed to max). [MERGED]

A check_utility_compat(3) library function has been added to libc, to determine whether certain FreeBSD base system utilities should behave in FreeBSD 4-compatible mode or in a ``standard'' mode (default standard). The configuration is done malloc(3)-style, with either an environment variable or a symbolic link.

chflags(1) has moved from /usr/bin to /bin.

chmod(1) now supports a -h for changing the mode of a symbolic link.

chmod(1) now also, when the mode is modified, prints the old and new modes if the -v option is specified more than once.

chown(8) no longer takes . as a user/group delimeter. This change was made to support usernames containing a . character.

Use of the CSMG_* macros no longer require inclusion of <sys/param.h>

A compat4x distribution has been added for compatibility with FreeBSD 4-STABLE. It includes a subset of the libraries distributed with FreeBSD 4.7-RELEASE.

cp(1) now takes a (nonstandard) -n option to automatically answer ``no'' when it would ask to overwrite a file. [MERGED]

A new csplit(1) utility, which splits files based on context, has been added.

ctags(1) now creates tags for typedefs, structs, unions, and enums by default (implying the -t option). The new -T reverts to the old behavior.

The daemon(8) program, a command-line interface to daemon(3), has been added. It detaches itself from its controlling terminal and executes a program specified on the command line. This allows the user to run an arbitrary program as if it were written to be a daemon. [MERGED]

The devd(8) utility, a userland daemon that can run arbitrary commands when devices come and go in the device tree, has been added. This program is a generalization of some of the functionality of pccardd(8).

devinfo(8), a simple tool to print the device tree and resource usage by devices, has been added.

diskpart(8) has been declared obsolete, and has been removed.

dump(8) now supports a -L flag for dumping live UFS and UFS2 filesystems safely. To obtain a consistent dump image, dump(8) takes a snapshot of the filesystem and performs the dump on the snapshot. The snapshot is removed when the dump is complete.

dump(8) now supports a new -S flag to allow it to just print out the dump size estimates and exit. [MERGED]

expr(1) is now compliant with POSIX.2-1992 (and thus also with POSIX.1-2001). Some program depend on the old, historic behavior and do not properly protect their arguments to keep them from being misinterpreted as command-line options. (the devel/libtool port/package, used by many GNU programs, is a notable example). The old behavior can be requested by enabling compatibility mode for expr(1) as described in check_utility_compat(3).

fbtab(5) now accepts glob matching patterns for target devices, not just individual devices and directories.

fdisk(8) no longer attempts to search for a device if none has been specified on the command line, but instead tries to figure out the default device name from the root device.

fdread(1), a program to read data from floppy disks, has been added. It is a counterpart to fdwrite(1) and is designed to provide a means of recovering at least some data from bad media, and to obviate the need for a complex invocation of dd(1).

finger(1) now has support for a .pubkey file. [MERGED]

finger(1) now supports a -g flag to restrict the printing of GECOS information to the user's full name only. [MERGED]

finger(1) now supports the -4 and -6 flags to specify an address family for remote queries. [MERGED]

fold(1) now supports a -b flag to break at byte positions and a -s flag to break at word boundaries. [MERGED]

fsck(8) wrappers have been imported; this feature provides infrastructure for fsck(8) to work on different types of filesystems (analogous to mount(8)).

The behavior of fsck(8) when dealing with various passes (a la /etc/fstab) has been modified to accommodate multiple-disk filesystems.

fsck(8) now has support for foreground (-F) and background (-B) checks. Traditionally, fsck(8) is invoked before the filesystems are mounted and all checks are done to completion at that time. If background checking is available, fsck(8) is invoked twice. It is first invoked at the traditional time, before the filesystems are mounted, with the -F flag to do checking on all the filesystems that cannot do background checking. It is then invoked a second time, after the system has completed going multiuser, with the -B flag to do checking on all the filesystems that can do background checking. Unlike the foreground checking, the background checking is started asynchronously so that other system activity can proceed even on the filesystems that are being checked. Boot-time enabling of this feature is controlled by the background_fsck option in rc.conf(5).

fsck_ffs(8) now supports background filesystem checks to mounted FFS filesystems with the -B option (Soft Updates must be enabled on these filesystems). The -F flag now determines whether a specified filesystem needs foreground checking.

ftpd(8) now supports the -m option to permit guest users to modify existing files if allowed by filesystem permissions. In particular, this enables guest users to resume uploads. [MERGED]

ftpd(8) now supports the -M option to prevent guest users from creating directories. [MERGED]

ftpd(8) now supports -o and -O options to disable the RETR command; the former for everybody, and the latter only for guest users. Coupled with -A and appropriate file permissions, these can be used to create a relatively safe anonymous FTP drop box for others to upload to. [MERGED]

ftpd(8) now supports the -W option to disable logging FTP sessions to wtmp(5). [MERGED]

The fwcontrol(8) utility has been added to help users access and control the FireWire subsystem. [MERGED]

The getconf(1) utility has been added. It prints the values of POSIX or X/Open path or system configuration variables. [MERGED]

gifconfig(8) is obsolete and has been removed. Its functionality is now handled by the tunnel and deletetunnel commands of ifconfig(8).

gprof(1) now has a -K option to enable dynamic symbol resolution from the currently-running kernel. With this change, properly-compiled KLD modules are now able to be profiled.

The ibcs(8), linux(8), osf1(8), and svr4(8) scripts, whose sole purpose was to load emulation kernel modules, have been removed. The kernel module system will automatically load them as needed to fulfill dependencies.

ifconfig(8) now has the ability to set promiscuous mode on an interface, via the new promisc flag. [MERGED]

ifconfig(8) now supports a monitor interface flag, which blocks transmission of packets on that interface. This feature is useful for monitoring network traffic without interacting with the network in question.

By default, inetd(8) is no longer run by rc(8) at boot-time, although sysinstall(8) gives the option of enabling it during binary installations. inetd(8) can also be enabled by adding the following line to /etc/rc.conf:

    inetd_enable="YES"

inetd(8) now has the capability for limiting the maximum number of simultaneous invocations of each service from a single IP address. [MERGED]

ipfw(8) filter rules can now match on the value of the IPv4 precedence field.

kbdmap(1) and vidfont(1) have been converted from Perl to C.

kenv(1) now has the ability to set or delete kernel environment variables.

The kget(8) utility has been removed (it was only useful for UserConfig, which is not present in FreeBSD 5.0-RELEASE).

killall(1) no longer tries to kill zombie processes unless the -z flag is specified.

ktrdump(8), a utility to dump the ktr trace buffer from userland, has been added.

ldd(1) now supports a -a flag to list all the objects that are needed by each loaded object.

libc is now thread-safe by default; libc_r contains only thread functions.

libstand now has support for overwriting the contents of a file on a UFS filesystem (it cannot expand or truncate files because the filesystem may be dirty or inconsistent).

libgmp has been superceded by libmp.

The functions from libposix1e have been integrated into libc.

lock(1) now accepts a -v to disable switching VTYs while the current terminal is locked. This permits locking the entire console from a single terminal. [MERGED]

lpc(8) has been improved; lpc clean is now somewhat safer, and a new lpc tclean command has been added to check to see what files would be removed by lpc clean. lpc topq has been reimplemented, and now allows for a much more flexible specification of which jobs should be moved (such as a range of job numbers, or a hostname). An lpc bottomq command has been added to move jobs to the bottom of a print queue, and a new lpc setstatus command can be used to set a printer's status message. [MERGED]

The ls(1) program now supports a -m flag to list files across a page, a -p flag to force printing of a / after directories, and a -x flag to sort filenames across a page. [MERGED]

makewhatis(1) is now a C program, instead of a Perl script.

man(1) is no longer installed SUID man, in order to reduce vulnerabilities associated with generating ``catpages'' (preformatted manual pages cached for repeated viewing). As a result, man(1) can no longer create system catpages on a regular user's behalf. It is still able to do so if the user has write permissions to the directory holding catpages (e.g. a user's own manpages) or if the running user is root.

The mdmfs(8) command has been added; it is a wrapper around mdconfig(8), disklabel(8), newfs(8), and mount(8) that mimics the command line option set of the deprecated mount_mfs(8).

mesg(1) now conforms to SUSv3. Among other things, it now uses the first terminal associated with the standard input, standard output or standard error file descriptor, in that order. Thus, it is possible to use the redirection facilities of a shell (mesg n < /dev/ttyp1) to control write access for other terminals.

mountd(8) and nfsd(8) have moved from /sbin to /usr/sbin.

mv(1) now takes a (nonstandard) -n option to automatically answer ``no'' when it would ask to overwrite a file. [MERGED]

A number of archaic features of newfs(8) have been removed; these implemented tuning features that are essentially useless on modern hard disks. These features were controlled by the -O, -d, -k, -l, -n, -p, -r, -t, and -x flags.

newfs(8) now supports a -O flag to select the creation of UFS1 or UFS2 filesystems.

The newgrp(1) utility to change to a new group has been added.

newsyslog(8) now compresses log files using bzip2(1) by default. (The former behavior of using gzip(1) can be specified in /etc/newsyslog.conf.)

The nextboot(8) utility has been added to specify an alternate kernel and/or boot flags to be used the next time the machine is booted. A previous incarnation of this feature first appeared in FreeBSD 2.2.

NFS now works over IPv6.

nice(1) now uses the -n option to specify the ``niceness'' of the utility being run. [MERGED]

nsswitch support has been merged from NetBSD. By creating an nsswitch.conf(5) file, FreeBSD can be configured so that various databases such as passwd(5) and group(5) can be looked up using flat files, NIS, or Hesiod. If /etc/nsswitch.conf does not exist, it will be automatically generated from an existing /etc/hosts.conf at system startup time. The /etc/hosts.conf file may be used by old executables; it will be automatically generated from an existing /etc/nsswitch.conf during system startup if it exists.

od(1) now supports the -A option to specify the input address base, the -N option to specify the number of bytes to dump, the -j option to specify the number of bytes to skip, the -s option to output signed decimal shorts, and the -t option to specify output type. [MERGED]

PAM support has been added for account management and sessions.

PAM configuration is now specified by files in /etc/pam.d/, rather than a single /etc/pam.conf file. /etc/pam.d/README has more details.

A pam_echo(8) echo service module has been added.

A pam_exec(8) program execution service module has been added.

A pam_ftp(8) module has been added to allow authentication of anonymous FTP users.

A pam_ftpusers(8) module has been added to perform checks against the ftpusers(5) file.

A pam_ksu(8) module has been added to do Kerberos 5 authentication and $HOME/.k5login authorization for su(1).

A pam_lastlog(8) module has been added to record sessions in the utmp(5), wtmp(5), and lastlog(5) databases.

A pam_login_access(8) module has been added, to allow checking against /etc/login.access.

The pam_nologin(8) module, which can disallow logins using nologin(5), has been added.

The pam_opie(8) and pam_opieaccess(8) modules have been added to control authentication via opie(4). [MERGED]

A pam_passwdqc(8) module has been added, to check the quality of passwords submitted during password changes.

A pam_rhosts(8) module has been added to support rhosts(5) authentication.

The pam_rootok(8) module, which can be used to authenticate only the superuser, has been added.

A pam_securetty(8) module has been added to check the ``security'' of a TTY, as listed in ttys(5).

A pam_self(8) module, which allows self-authentication of a user, has been added.

A pam_wheel(8) module has been added to permit authentication to members of a group, which defaults to wheel.

The pathchk(1) utility, which checks pathnames for validity or portability between POSIX systems, has been added. [MERGED]

ping(8) now supports a -o flag to exit after receiving a reply.

prefix(8) is obsolete and has been removed. Its functionality is provided by the eui64 command to ifconfig(8).

The pselect(3) library function (introduced by POSIX.1 as a slightly stronger version of select(2)) has been added.

pwd(1) now supports the -L flag to print the logical current working directory. [MERGED]

quota(1) now takes a -l flag to suppress quote checks on NFS filesystems.

The pseudo-random number generator implemented by rand(3) has been improved to provide less biased results.

rcmd(3) now supports the use of the RSH environment variable to specify a program to use other than rsh(1) for remote execution. As a result, programs such as dump(8) can use ssh(1) for remote transport.

rdist(1) has been retired from the base system, but is still available from FreeBSD Ports Collection as net/44bsd-rdist.

The renice(8) command implements a -n option, which specifies an increment to be applied to the priority of a process. [MERGED]

rpcbind(8) has replaced portmap(8).

rpcgen(1) now uses /usr/bin/cpp (as on NetBSD), not /usr/libexec/cpp.

rpc.lockd(8) has been imported from NetBSD. This daemon provides support for servicing client NFS locks.

rtld(1) will now print the names of all objects that cause each object to be loaded, if the LD_TRACE_LOADED_OBJECTS_ALL environment variable is defined.

sed(1) now takes a -i option to enable in-place editing of files. [MERGED]

The setfacl(1) and getfacl(1) commands have been added to manage filesystem Access Control Lists.

sh(1) no longer implements printf as a built-in command because it was considered less valuable compared to the other built-in commands (this functionality is, of course, still available through the printf(1) executable).

sh(1) now supports a -C option to prevent existing regular files from being overwritten by output redirection, and a -u to give an error if an unset variable is expanded. [MERGED]

The sh(1) built-in cd command now supports -L and -P flags to invoke logical or physical modes of operation, respectively. Logical mode is the default, but the default can be changed with the physical sh(1) option. [MERGED]

The sh(1) built-in jobs command now supports a -s flag to output PIDs only and a -l flag to add PIDs to the output. [MERGED]

sh(1) now supports a bind built-in command, which allows the key bindings for the shell's line editor to be changed.

The sh(1) built-in export and readonly commands now support a -p flag to print their output in ``portable'' format. [MERGED]

sh(1) no longer accepts invalid constructs as command & && command, && command, or || command. [MERGED]

spkrtest(8) is now a sh(1) script, rather than a Perl script.

split(1) now supports a -a option to specify the number of letters to use for the suffix of split files. [MERGED]

In preparation for meeting SUSv2/POSIX <sys/select.h> requirements, struct selinfo and related functions have been moved to <sys/selinfo.h>.

su(1) now uses PAM for authentication.

sysctl(8) now accepts a -d flag to print the descriptions of variables.

The default root partition in sysinstall(8) is now 100MB on the i386 and pc98, 120MB on the Alpha.

sysinstall(8) now lives in /usr/sbin, which simplifies the installation process. The sysinstall(8) manpage is also installed in a more consistent fashion now.

sysinstall(8) no longer mounts the procfs(5) filesystem by default on new installs. This change was made to improve security, but procfs(5) can still be mounted manually or via an appropriate line in the fstab(5) file.

tabs(1), a utility to set terminal tab stops, has been added.

The termcap(5) database now uses the xterm terminal type from XFree86. As a result, xterm(1) now supports color by default and the common workaround of setting TERM to xterm-color is no longer necessary. Use of the xterm-color terminal type may result in (benign) warnings from applications.

tftpd(8) now supports RFC 2349 (TFTP Timeout Interval and Transfer Size Options); this feature is required by some firmware like EFI boot managers (at least on HP i2000 Itanium servers) in order to boot an image using TFTP.

A version of Transport Independent RPC (TI-RPC) has been imported.

tip(1) has been updated from OpenBSD, and has the ability to act as a cu(1) substitute.

top(1) will now use the full width of its tty.

touch(1) now takes a -h option to operate on a symbolic link, rather than what the link points to.

tr(1) now has basic support for equivalence classes for locales that support them. [MERGED]

tr(1) now supports a -C flag to complement the set of characters specified by the first string argument.

tunefs(8) now supports the -a and -l flags to enable and disable the FS_ACLS and FS_MULTILABEL administrative flags on UFS file system.

A ugidfw(8) utility has been added to manage the rulesets provided by the mac_bsdextended Mandatory Access Control policy, similar to ipfw(8).

UUCP has been removed from the base system. It can be found in the Ports Collection, in net/freebsd-uucp.

unexpand(1) now supports a -t to specify tabstops analogous to expand(1). [MERGED]

usbdevs(8) now supports a -d flag to show the device driver associated with each device.

The base64 capabilities of uuencode(1) and uudecode(1) can now be automatically enabled by invoking these utilities as b64encode(1) and b64decode(1) respectively. [MERGED]

Functions to implement and manipulate OSF/DCE 1.1-compliant UUIDs have been added to libc. More information can be found in uuid(3).

The uuidgen(1) utility has been added. It uses the new uuidgen(2) system call to generate one or more Universally Unique Identifiers compatible with OSF/DCE 1.1 version 1 UUIDs.

vidcontrol(1) now accepts a -S to allow the user to disable VTY switching. [MERGED]

The default stripe size in vinum(8) has been changed from 256KB to 279KB, to spread out superblocks more evenly between stripes.

wc(1) now supports a -m flag to count characters, rather than bytes.

whereis(1), formerly a Perl script, has been rewritten in C. It now supports a -x flag to suppress the run of locate(1), and a -q flag suppresses the leading name of the query.

whereis(1) now supports a -a flag to report all matches instead of only the first of each requested type.

which(1) is now a C program, rather than a Perl script.

who(1) now has a number of new options: -H shows column headings; -T shows mesg(1) state; -m is an equivalent to am i; -u shows idle time; -q to list names in columns. [MERGED]

wicontrol(8) now supports a -l to list the stations associated in hostap mode and a -L to list available access points.

xargs(1) now supports a -I replstr option that allows the user to tell xargs(1) to insert the data read from standard input at specific points in the command line arguments rather than at the end. (A FreeBSD-specific -J option is similar.) [MERGED]

xargs(1) now supports a -L option to force its utility argument to be called after some number of lines. [MERGED]

Various routines in the C library now have support for ``wide'' characters. Among these are character class functions such as wctype(3), wide character I/O functions such as getwc(3), formatted I/O functions such as wprintf(3) and wscanf(3). Conversion functions to multibyte(3) characters are also supported.

A number of utilities and libraries were enhanced to improve their conformance with the Single UNIX Specification (SUSv3) and IEEE Std 1003.1-2001 (``POSIX.1''). Specific features added have been listed in the release notes for each utility. The standards conformance of each utility or library function is generally listed in its manual page.

A number of traditional BSD games have been removed from the base system; they are now available in the games/freebsd-games port. These include: adventure(6), arithmetic(6), atc(6), backgammon(6), battlestar(6), bs(6), canfield(6), cribbage(6), fish(6), hack(6), hangman(6), larn(6), mille(6), phantasia(6), piano(6), pig(6), quiz(6), rain(6), robots(6), rogue(6), sail(6), snake(6), trek(6), wargames(6), worm(6), worms(6), and wump(6). dm(8), which was used to control access to games, is no longer necessary, and has also been removed. The ``utility-like'' games, as well as fortune(6), remain.

    sendmail_enable="YES"

    XFREE86_VERSION=3

2.4 Release Engineering and Integration

The bin distribution has been renamed base, in order to make creation of combined install/recovery disks easier.

ISO images and CDROMs now use the cdboot boot loader by default. This eliminates the need for an emulated floppy disk image on a bootable CDROM and allows for a full GENERIC kernel to be used for CDROM installations, at the expense of compatability with some old BIOSs.

It is now possible to make releases of FreeBSD 5-CURRENT on a FreeBSD 4-STABLE host and vice versa. Cross-architecture (building a release for a target architecture on a host of a different architecture) releases are also possible. See release(7) for details. [MERGED]

A third drivers.flp floppy has been added to floppy releases. It holds loadable modules containing drivers that do not fit in the kernel on the kern.flp disk or in the mfsroot.flp image.

2.5 Documentation

A number of formerly-encumbered documents from the 4.4 BSD Programmer's Supplementary Documents have been restored to /usr/share/doc/psd. These include:

• The UNIX Time-Sharing System (01.cacm)

• UNIX Implementation (02.implement)

• The UNIX I/O System (03.iosys)

• UNIX Programming -- Second Edition (04.uprog)

• The C Programming Language -- Reference Manual (06.Clang)

• Yacc: Yet Another Compiler-Compiler (15.yacc)

• Lex -- A Lexical Analyzer Generator (16.lex)

• The M4 Macro Processor (17.m4)

Several formerly-encumbered documents from the 4.4 BSD User's Supplementary Documents have been restored to /usr/share/doc/usd. They include:

• NROFF/TROFF User's Manual (21.troff)

• A TROFF Tutorial (22.trofftut)