MFC r359642: adduser: allow standard IFS characters in passwords

Notably, the default IFS contains space/tab, thus any leading/trailing
whitespace characters tend to be removed.

Set IFS= for just the read lines to mitigate this, allowing the user to be
less surprised when their leading/trailing spaces weren't actually captured
in the password as they are with other means of setting a user's password.

PR: 245342

MFC r326276:

various: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

No functional change intended.

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Add META_MODE support.

Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision: D2796
Reviewed by: brooks imp

use .Mt to mark up email addresses consistently (part2)

PR: 191174
Submitted by: Franco Fichtner <franco@lastsummer.de>

Remove a reference to CVS and to freefall from a user-facing man page.

PR: docs/171658
Reported by: Chris Petrik (c dot petrik dot sosa at gmail dot com)
Approved by: gabor (mentor)
MFC after: 5 days

mdoc: add missing width argument to Bl -tag.

Remove trailing whitespace per mdoc lint warning

Disussed with: gavin
No objection from: doc
Approved by: joel
MFC after: 3 days

When using uidstart in /etc/adduser.conf, get the next
available user id and show it in the "Uid [xxx]" prompt.

PR: 163863
Submitted by: Moritz Wilhelmy (mw at wzff dot de)
MFC after: 2 weeks

Spelling fixes for usr.sbin/

mdoc: move CAVEATS, BUGS and SECURITY CONSIDERATIONS sections to the
bottom of the manpages and order them consistently.

GNU groff doesn't care about the ordering, and doesn't even mention
CAVEATS and SECURITY CONSIDERATIONS as common sections and where to put
them.

Found by: mdocml lint run
Reviewed by: ru

Fix a few whitespace issues and comment typos that I found while reading
through this file.

The original adduser/rmuser scripts in Perl used to modify the PATH
setting. When the scripts were converted to Bourne shell, this was
removed. The adduser script was changed to use an explicit path for
the pw(8) command so that /usr/sbin did not have to be in the user's
PATH. The rmuser script continued to assume that /usr/sbin was in the
user's path, however. This fixes the rmuser script to use an explicit
path for pw(8) similar to adduser.

MFC after: 2 weeks

In the description of the password field, -w was meant, not the
nonexistant -p flag.

PR: 120122
Submitted by: Andy Kosela <andy.kosela@gmail.com>
MFC after: 3 days

Add the -M command-line option, which will set home directory permissions.
Works both in interactive or batch mode. This is a heavily modified version
of the patch submitted in the PR.

PR: bin/105060
MFC after: 1 week

Allow adding a user(s) to additional groups in batch mode as well.

Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> (modulo minor changes)
MFC after: 2 weeks

The POP daemon's temporary mail file has a leading dot ('.'). This was
lost in the shell script rewrite of the rmuser command.

Submitted by: Ian Smith <smithi@nimnet.asn.au>

Bump .Dd for r1.5; fix grammatical problem.

Specify the correct way to modify this file, and warn that the
user should not depend on the internal variables documented in
this man page.

MFC After: 2 weeks

There are a couple of bugs in rev. 1.27:
1) The man page should describe the code, not the other way around.
2) Internal variables should not be documented or exposed, except in
controlled circumstances (i.e. - That's what the -C flag is for).
The variable should have been saved to the config file in save_config().
3) The next available userid doesn't get automatically updated. The
end-result is the same (user gets added with the correct uid),
but in an interactive session the default uid doesn't get updated in
the display.

So,

o Use the uidstart variable instead of uuid (bug #3)
o Actually save the variable to adduser.conf (bug #2)
o (bug #1 to be fixed in an upcomming commit to adduser.conf.5)

MFC After: 2 weeks

Errm... I don't see how rev. 1.26 could have possibly worked or been tested.
Fix it for real.

Submitted by: Johnny Lee <johnny@bmtk.com>
MFC After: 2 weeks

Check if the new user already exists right after entering the
username instead of watching the final call to pw(8) fail.

Flush my typo fix queue for this directory.

Fix typos.

Markup fixes.

Add adding_user.8 to SEE ALSO, note that usernames may contain any character
but not being with a hyphen, similar to adding_user.8.

PR: 35732

Honour the "uuid" directive in adduser.conf

PR: conf/87914
Approved by: philip (mentor)
MFC after: 3 days

Fix a particularly egregious grammar error.

Approved by: wpaul
MFC after: 1 day

- Act according to the documentation (man page):
When adding users from a preformatted file, do not exit
silently when empty lines or lines starting with a '#'
are encountered - ignore them instead.
- Fix a spelling error in a comment.

PR: bin/80058

In fullpath_from_shell(), move the nologin detection before the cat | while
loop to avoid an incorrect display of the nologin path twice.

PR: 71786
Submitted by: Andrew Hayden <andrew.hayden@gmail.com>
Reviewed by: mtm
MFC after: 3 days

Also, match the full path to the special nologin shell.
Previously, it would recognize it as a valid shell only
if the basename (nologin) was specified. Now, it will
recognize both the basename and the full path.

NOTE: The full path as adduser(8) understands it is /usr/sbin/nologin.
There is a symlink, /sbin/nologin, but that's deprecated and
only there for backwards compatibility.

Assorted markup, grammar, and spelling fixes.

Add note that rmuser will clean up any IPC mechanisms owned by the user.

Approved by: bmilekic (mentor)

Accept full path names in addition to base names for shells.

Make explicit in the documentation that valid shells need to be
supplied only if the -S option is not given.

Fixed a typo.

This manual page will not first appear in 4.10 as RELENG_4 has a different
version of the adduser utility.

Noticed by: simon

Fix today's faux pas by:

Removing the -compact option passed to .Bl macro to avoid useless .Pp macros;
Adding a missing period;
Using .Xr with .Nd since makewhatis(1) has no support for cases where the Xref is absent.

Informed by: ru

Add an adduser.conf manual page.
Hook it to the build in Makefile.
Xref from adduser.8.
Update adduser.8's BUGS section.
Bump the date on adduser.8.

Sychronize with reality: nologin(8) is now in /usr/sbin

Reminded by: trhodes

o Add an -S option to not attempt to ascertain the validity of a shell.
o Add a -D option to not attempt to create the home directory.
o Treat the /nonexistent home directory specially. It means the user has
no home directory and it should not be created.
o Update Copyright year and my email.

Make rmuser now also remove ipc resources. Also, fix a few minor
shell style problems (superfluous backslashes at EOL).

PR: 55980
Submitted by: Chris S.J.Peron <maneo@bsdpro.com>
MFC after: 2 weeks

mdoc(7): Properly mark C headers.

Typo.
This has worked so far because the variable was empty by default.

Submitted by: Kostyuk Oleg <cub@cub.org.ua>

s/warn/info/

Add support for the special shell nologin.

Prodded by: mikeh

Update my email address.

Don't forget the -r on the second password prompt.

PR: bin/53550

Document the -g option in the usage message.

Approved by: markm (mentor)(implicit)

Add a -g option to specify a default login group.

Approved by: markm (mentor)(implicit)

o initialize a couple of local flags so the user can re-edit groups
next time the subroutine is re-entered
o s/configrun/configflag/
o Make the prompt make sense if the user was creating a configuration file

Approved by: markm (mentor)(implicit)

mdoc(7) police: Scheduled sweep.

Update copyright.

Condense the output to one line per removed user. For user's who
want the more verbose version, there's a -v option.

Approved by: markm (mentor)

Revisit the shell special characters issue and settle it once-and-forall.
All characters will be accepted, and pw(8) can sort out which ones it
will allow and which ones it won't.

Approved by: markm (mentor)
Prodded by: Philippe Bourcier <philippe@cyberabuse.org>

Change the behaviour of adduser to match the previous incarnation a little more.

If any of the given groups do not exist complain and let the user try again.
This saves the user from discovering at the end of the process that they've
forgotten to add a group or they've typoed.

Thanks to cmc/dougb for pointing out how bad my sh fu actually is.

Original code by: me
Scary sh rewrite by: dougb

Reviewed by: dougb

Better gender-neutral language.

Submitted by: sheldonh

back out logging to /var/log/adduser
(/usr/sbin/pw already logs to /var/log/userlog)

In interactive mode, ask the user if he/she wants to add another
user and re-run interactive questions or quit depending on the
answer.

Submitted by: Scot Hetzel <hetzels@westbend.net>
Approved by: markm (mentor)

expr foo -> $((foo))

- restore an ability to write log of added users (default to
/var/log/adduser, disabled if empty or adduserlog="no")
- do not ask for password in configure mode
- print $passwdtype instead of password in configure mode
- add DATECMD, GREPCMD (not overridable but with full path)

Do not loose trailing spaces when printing prompt messages.

*blush*
While I'm here properly quote all the other input I neglected
to quote.

Approved by: markm (mentor)(implicit)

Don't forget to properly quote input.

Approved by: markm (mentor)(implicit)
Submitted by: Robin Breathe <robin@isometry.net>

do not loose trailing space when asking uid

english(4) police.

Uniformly refer to a file system as "file system".

Approved by: re

Correctly handle files with IFS characters (spaces) in their names when
cleaning up temporary files.

Submitted by: Mike Makonnen <mtm@identd.net>
Approved by: re

mdoc(7) police: overhaul.

Approved by: re

Replace the perl versions of adduser and rmuser with shell script versions.

Submitted by: Mike Makonnen <mtm@identd.net>
Approved by: re

mdoc(7) police: markup fixes.

Approved by: re

Clarify the unique groups scheme by mentioning that the 002 umask
is instead of the usual 022 umask, and explain that what the scheme
still prevents is unwanted changes, not prying eyes.

While I'm here, mess with the phrasing and line-breaks a bit.

Fix conjugation of exists and add full stops to the messages I changed.

PR: 38481
Submitted by: Kevin Kinsey <kadmin@elisha.daleco.biz>
MFC after: 1 week

The .Nm utility

Found a single point where rmuser(8) wasn't robust to strange
characters in a username: where it was inserted into a regexp.
Fix it by escaping metacharacters in the name with \Q-\E.

Keep similar things together: Check for too long usernames
inside the function that verifies username validity.

Disallow adding duplicate roots, toors, or other users w/uid 0.
Previously, a truth check instead if defined() check erroneously
allowed that.

PR: bin/8745

Implement a flexible way of letting some unusual characters
into usernames: Make the regular expression to check usernames
against configurable.

PR: bin/22860 bin/31049
Reviewed by: sheldonh

Remove the newly added -force option because it made adduser(8)
less robust to possible errors of the user/admin while adduser(8)
had been intended to minimize their possibility.
An alternative way of introducing strange symbols into usernames
to be committed really soon.

Add `-h' to the chown command so that symbolic links copied from
the skeleton directory are chown'd to the new user.

PR: bin/10601
Submitted by: Adrian Filipi-Martin <adrian2ubergeeks.com@gosub.cstone.net>
MFC after: 1 month

yp(4) -> yp(8).

PR: docs/30797

Remove myself as maintainer, I don't have free time for adduser anymore.

Oops, missed one point where $pwd_mkdb had been used.
Now it should be @pwd_mkdb since we moved to Perl's
safe system() not using /bin/sh.

Document a new option: -force.

Allow weird characters in usernames if an admin persists on that:
a) Convert all the remaining older Perl system() calls to the new,
more secure LIST format so they are robust to whitespace and
shell metacharacters in their arguments.
b) Add a new option: -force, which allows adding usernames containing
characters that are otherwise illegal.

PR: bin/22860 bin/31049

Be consistent in what restriction is imposed on a username
in the code and what the warning message reads.

Forbid adding duplicate users with the name of "0".
Previously, it was possible due to 0 and "0" being
equivalent in Perl.

Parse atq(1) output correctly under various (but not all perhaps)
locale settings: allow any date and time separator characters.

In remove_at_jobs():
Don't print "Removing at jobs" if there are no jobs to remove.
Add a whitespace before "done." so the output looks better.

Print the correct filename if we fail to open $etc_passwd.

Submitted by: Brian Poole <raj@cerias.purdue.edu>

Pass the username we just made to pwd_mkdb so that the latter doesn't
have to regenerate the entire database.

PR: 25798
Submitted by: Domas Mituzas <domas.mituzas@delfi.lt>

mdoc(7) police: s/BSD/.Bx/ where appropriate.

Add "use Fcntl" to resolve O_RDWR|O_CREAT|O_EXCL macros used in
new sysopen call.

PR: 29366 (in part)

Install the new password file with pwd_mkdb, not the old one.

PR: 29366 (in part)

The variable giving the name of the temporary password file was
inconsistently named "ptmp" and "etc_ptmp". This commit changes
it to "passwd_tmp" for consistency and to match OpenBSD's name
for the variable.

Consulted with: jedgar

Use a safer method of creating the temporary password file.

Submitted by: dynamo@harvard.net
Obtained from: OpenBSD
MFC after: 3 days

Fix removal of at jobs.

PR: bin/23052
Submitted by: Mike Sellenschuetter <mike.sellenschuetter@bankofamerica.com>
MFC after: 1 week

Generate a bigger salt. This is necessary for blowfish to work
properly, and doesn't hurt the other algorithms.

PR: 28991
Submitted by: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>

Remove whitespace at EOL.

mdoc(7) police: removed HISTORY info from the .Os call.

Fix the rmuser script to correctly determine if a user does not exist.

PR: 26674

Extend adduser to create "locked" accounts. Adduser can now lock an
account at creation, create accounts with a "*" password (so you can
use alternate authentication schemes without fearing a "default" password
biting you later), and blank passwords.

Yes, adduser could create a blank password account, but this makes it
slightly more difficult to shoot yourself in the foot.

The /etc/adduser.conf entries are:

# use password-based authentication for new users
# defaultusepassword = "yes" | "no"
defaultusepassword = "yes"

# enable account password at creation
# (the password will be prepended with a star if the account isn't enabled)
# defaultenableaccount = "yes" | "no"
defaultenableaccount = "yes"

# allow blank passwords
# defaultemptypassword = "yes" | "no"
defaultemptypassword = "no"

Requested by: alfred
Reviewed by: alfred

By popular demand, have adduser preserve comments at the top of the
group file. Because of the way the group sorting works while printing
out the new file it's not possible at this time to restore comments
in other locations, but at least they won't just disappear altogether.

Add a more useful solution to the problem of password files with more than
one user who differs only by case. The other perl tools assume (or enforce)
the all lowercase requirement, therefore making the search through
master.passwd case insensitive seemed a reasonable optimization, IMO.

I understand, although I do not sympathize with, the argument that someone
might want to do this on purpose, and might subsequently want to use the
wrong tool for the job. So, this fix should hopefully satisfy both camps.

Rev 1.11 introduced a bug where the processing became case insensative for
username to rm.

PR: 25961
Submitted by: Linh Pham <lplist@closedsrc.org>

beforeinstall -> SCRIPTS.

- Backout botched attempt to introduce MANSECT feature.
- MAN[1-9] -> MAN.

mdoc(7) police: split punctuation characters + misc fixes.

Prepare for mdoc(7)NG.

Prepare for mdoc(7)NG.

* Fix a long line that I introduced in the last commit
* Backslash escape non-alphanumeric chars in the login name so that perl
doesn't choke on things like '$'.

mdoc(7) police: removed history info from the .Os FreeBSD call.

If a user is in the database, rmuser ought to be able to remove them.
Address this by using getpwnam(), thus killing several birds with
the same stone. My fix is slightly more aggressive than the
originators. :)

PR: misc/22278

mdoc(7) police: use the new features of the Nm macro.

Avoid use of direct troff requests in mdoc(7) manual pages.

Complete migration of aliases file to /etc/mail/aliases.
The maintainers of share/examples/diskless/README.TEMPLATING and mergemaster
have been contacted so those may be updated as well.

Un-botch my botched reduction in permitted characters in the permitted
username check which resulted from my attempt to expand them.

PR: bin/17372
Reviewed by: sheldonh

Fix the case where username validity test would incorrectly fail if
the specified username contained uppercase alphabetics.

PR: bin/17372

Remove more single-space hard sentence breaks.

Remove single-space hard sentence breaks. These degrade the quality
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.

$Id$ -> $FreeBSD$

Remove references to the non-existent addgroup(8) and rmgroup(8)
commands.

PR: docs/12659
Submitted by: Mark Diekhans <markd@Grizzly.COM>

Grammar and spelling fixes

Obtained from: OpenBSD

Added myself as maintainer.

Print yyyy/mm/dd in /var/log/adduser, instead of yy/mm/dd
Submitted by: Peter Jeremy <peter.jeremy@alcatel.com.au>

Removing -batch option from adduser. Adduser was written as
an *interactive* command for newbies. The pw(8) does now a much better
job for adding users from command line. Also, the -batch option is
not well tested, buggy and unsupported.

Always ask for homedir.

PR: 6754
Submitted by: uhlar@netlab.sk

MF22: Remove confusing comma

Clarify the -batch arguments.

PR: 5677
Submitted by: Adrian Filipi-Martin <adrian@virginia.edu>

Typo.

Rename the pwd_mkdb(8) option '-c' to '-C' for better compatiblity
with BSD/OS.

Small bugfix: store $uid_start instead hard coded value 1000
in /etc/adduser.conf.

Typo alert.

Do not complain about non existing shell "/nonexistent"
Smarter error check if a uid is already in use.

Submitted by: "Eugene Radchenko" <genie@qsar.chem.msu.su>

Do not accept empty user names.

Cosmetic changes.

Stop the growing list of shells if /etc/adduser.conf
was updated.

Nologin is also a valid 'invalid' shell

Delete dead test code.

`cp -r' -> `cp -R'
Option -r is obsolete and buggy.

Remove addgroup/rmgroup -- they are completely replaced by pw(1).

Adduser/rmuser stay for now until we get a good user-friendly front-end
for pw.

Fix a minor nit in the .Dd macro invocation so that
the revision date is displayed correctly.

Change "no" answer to "default" for login class, because "no" class
can exists and "default" class is really equal to empty class.

Allow "no" answer on login class prompt override non-empty
/etc/adduser.conf defaultclass with empty one

1. Deal with login classes now
2. Turn on send_message by default for security reasons (mailbox
must be pre-created)

Variable name typo.

Reviewed by: Guy Helmer <ghelmer@cs.iastate.edu
Submitted by: Paul Sandys <myj@nyct.net>

Support comments in password database (/etc/master.passwd).

Comments in group database (/etc/group) are currently not
supported - adduser silently delete blank lines and comments.

Cleaned up some messages, added a check to remove a leftover popd file
from /var/mail, added a routine to delete the removed user's files
from /tmp, /var/tmp, & /var/tmp/vi.recover, and added code to kill any
running processes owned by the removed user). I've also added a flag
for non-interactive execution, cleaned up the man page, and adjusted
my address.

Submitted by: ghelmer@cs.iastate.edu (Guy Helmer)

Revert $FreeBSD$ to $Id$

Sort cross references.

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.

Allow dash `-' (except for first char) and underscore `_' in usernames.

pointed out by: max

remove group limits checks

increase username length limit to 16

Minor internal mdoc usage changes.

Minor style fixes.

I also renamed the adduser "-quit" option to "-quiet", since
it is supposed to be the same as the -s/-silent option,
and -quit must have beena typo.

Expand username limit to 16

Don't show on the screen just securely entered password
(in /etc/adduser.message text)
Sending password by E-mail on local machine is joke in any case

do not print 'illegal shell' for pseudo users news and xten

Submitted by: kuku

install rmuser, addgroup, rmgroup in /usr/sbin

manpages for rmgroup(8) and addgroup(8)

rmgroup - delete a Unix group

usage: rmgroup group

addgroup - add a group or add users to a group

addgroup [-g gid] group [user[,user,...]]

warn if reach group line limit (>200 users, >1024 bytes per line)
close PR#1595

suggested by: Seppo Kallio <kallio@beeblebrox.cc.jyu.fi

Do not backup master.passwd if pwd_mkdb returned an error. This
was to paranoid, pwd_mkdb(8) is carefully enough to not
corrupt master.passwd on failure.

Submitted by: joerg

Make passwords no longer echo or display. Because of this, we now also
ask for matching confirmation. I'm sure there is a clever direct-from-perl
ioctl way of putting the terminal into noecho mode, but I don't feel like
learning perl so I just used system. [yes, I'll put stty on the installation
boot floppy as necessary]

typo police

I couldn't make any sense of the sentence "Eval variables in this file." so I
left it alone.

also allow creation of new local group when NIS groups are used.
this can probably be done more elegantly, and needs more thought.

sync copyright with /usr/share/examples/etc/bsd-style-copyright

Use the .Fx macro where appropriate.

run pwd_mkdb with new check option [-c] to verify correctness
of /etc/master.passwd

Do not add an user to a group if the group is also the login group.

Do not send "welcome mail" as default. If you want this feature
you can still enable it. Better, use mail client like elm or pine.

Requested by: Jordan

documented login name limit
Obtained from: mailing list

We DON'T ship bash by default, why is it the default shell?
We also don't ship tcsh or ksh by default.
Correct these two things to make sh the default and increase csh and sh
to be higher priority.

Submitted by: Masafumi NAKANE <masafumi@tky007.tth.expo96.ad.jp>
bugfix: chown home directory if don't copy dotfiles

Fix a bunch of spelling errors in a bunch of man pages.

This commit was generated by cvs2svn to compensate for changes in r13122,
which included commits to RCS files with non-trunk default branches.

recording cvs-1.6 file death

Clean up some of the english here..

Various fixes to make this work better when called from other tools.
Submitted by: Coranth Gryphon <gryphon@healer.com> & Wolfram Schneider <wosch@cs.tu-berlin.de>

The problem is the returned salt, while the freebsd man pages asks that the
crypt salt string begin with a '_', no other crypt's do. If you remove the
initialization of $salt to '_' in sub salt(), everything works as advertised.
Submitted by: Charles Henrich <henrich@crh.cl.msu.edu>

Don't accept usernames longer than 8 characters
Submitted by: Wolfram Schneider <wosch@cs.tu-berlin.de>

Non-blocking lock
Remove old salt cause possible endless loop
Submitted by: <wosch@cs.tu-berlin.de>

o more options
o less restrictive, you can choise uid, gid ...
o invite user into some groups
o encrypted passwords with crypt
o batch mode (for instance, this works now:
$ adduser -batch jkh guest,uuadmin "Jordan K. Hubbard" passwd
see manpage for more details)

Submitted by: Wolfram Schneider <wosch@cs.tu-berlin.de>

Correct some of the english.

Wolfram Schneider <wosch@cs.tu-berlin.de>:
o manpage
o save configuration in /etc/adduser.conf
o send message file (/etc/adduser.message)
Submitted by: woschcs.tu-berlin.de

Update adduser to version by Wolfram Schneider. Sorry, Gary, but his
adduser is a Cadillac to your Volkswagen.. :-)
Submitted by: wosch@cs.tu-berlin.de

Change ${COPY} to -c, always needed here
Remove manpage reference to BSD adduser, add pwd_mkdb reference

Remove extra targets per Bruce suggestion.
Use more macros instead of hardcoded things

Change man section

Oops, rename adduser.sh to adduser.perl
Add empty clean and obj targets.

Yet one cleanup

Fix everything.

Changed my copyright back. Too many problems with new one.

Fix configfile path

Move conf files to src/etc

Add makefile for adduser.
Would a makefile guru please look this over to make sure I did this right?

Add Id strings

This commit was generated by cvs2svn to compensate for changes in r5262,
which included commits to RCS files with non-trunk default branches.