Remove svn:mergeinfo carried over from stable/9.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFC r247534 (by ru): Fixed documented prototype of kinfo_getproc(3).

MFC: r240391

Fix IEC / SI binary prefixes (Ki, Mi, Gi, etc) production by humanize_number(3)

PR: bin/171487
Submitted by: matthew

MFH r237269: switch default password hash to sha512.

Approved by: re

MFH r236751: document sha256 / sha512 support
MFH r236892: remove mention of auth.conf from programs that don't use it
MFH r236963: remove dead code relating to auth.conf
MFH r236965 r236966 r236967 r237005 r237006 r237011: retire auth.conf

Approved by: re

MFC: r237268

early MFC to get this important bugfix into 9.1

Revert user comparison back to user names as some user can share uids (root/toor
for example)

get the username information from old_pw structures to still allow renaming of a
user.

Reported by: Claude Buisson <clbuisson@orange.fr>
Approved by: des (mentor)

MFC r233648:
Remove trailing whitespace per mdoc lint warning

Approved by: cperciva (implicit)

MFC: 228545,229572

Modify pw_copy:
- if pw is NULL and oldpw is not NULL then the oldpw is deleted
- if pw->pw_name != oldpw->pw_name but pw->pw_uid == oldpw->pw_uid
then it renames the user

add new gr_* functions so now gr_util API is similar to pw_util API,
this allow to manipulate groups in a safe way.

Add new pw_make_v7 to make a passwd line (in v7 format) out of a struct passwd

Approved by: des (mentor)

MFC r235337:

General mdoc(7) and typo fixes.

PR: 167804

MFC r232157, r232158:

r232157:
Fix various typos in manual pages.

Submitted by: amdmi3
PR: 165431

r232158:
Whitespace cleanup:
o Wrap sentences on to new lines
o Cleanup trailing whitespace

MFC: 229942, 231938

229942: Style fixes courtesy of pjd.

231938: Set the O_CLOEXEC flag when opening the pidfile to avoid leaking the
file descriptor via exec(3).

Now that daemon(8) has been fixed to resolve the issue noted by trociny,
the consensus is that this change should be OK.

MFC r229951,229985-229986,229988,230011,230037,230233,230599-230601
libutil.h and pidfile.c cleanup:

229951: Constify arguments (pjd)

229985: Fix forward structure declaration and prototype disorder.

229986: Fix namespace issues with prototype parameter names.
Add missing prototype parameter names.

229988: Fix prototype formatting (indentation, long lines, and
continued lines).

230011: More prototype formatting fixes, struct member formatting fixes,
and namespace fix for property_find() prototype.

230037: Move struct pidfh definition into pidfile.c, and leave a forward
declaration for pidfh in libutil.h in its place.
This allows us to hide the contents of the pidfh structure, and also
allowed removal of the "#ifdef _SYS_PARAM_H" guard from around the
pidfile_* function prototypes.

230233: Fix more disorder in prototypes and constants.
Fix header comments for each section of constants.
Fix whitespace in #define lines.
Fix unnecessary parenthesis in constants.

230599: Restore the parenthesis that are necessary around the
constant values.

230600: Make the comments consistent (capitalization, punctuation, and
format).

230601: Consensus between bde and pjd seemed to be that if the function
names are lined up, then any * after a long type should appear after
the type instead of being in front of the function name on the
following line.

MFC r229937:
Add pidfile_fileno() to obtain the file descriptor for an open
pidfile.

MFC r231306:
Fix NULL ptr dereference in setusercontext if pwd is null,
LOGIN_SETPRIORITY is set, and setting the priority (rtprio or
setpriority) fails.

PR: kern/164238
Approved by: cperciva

MFC: r227006, r227281, r227282

Add a PCI front-end to esp(4) allowing it to support AMD Am53C974 and
replace amd(4) with the former in the amd64, i386 and pc98 GENERIC kernel
configuration files. Besides duplicating functionality, amd(4), which
previously also supported the AMD Am53C974, unlike esp(4) is no longer
maintained and has accumulated enough bit rot over time to always cause
a panic during boot as long as at least one target is attached to it
(see PR 124667).

PR: 124667
Approved by: re (kib)
Obtained from: NetBSD (based on)

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)

Add missing "swapuse" resource limit.

With retirement of cpumask_t and usage of cpuset_t for representing a
mask of CPUs, pc_other_cpus and pc_cpumask become highly inefficient.

Remove them and replace their usage with custom pc_cpuid magic (as,
atm, pc_cpumask can be easilly represented by (1 << pc_cpuid) and
pc_other_cpus by (all_cpus & ~(1 << pc_cpuid))).

This change is not targeted for MFC because of struct pcpu members
removal and dependency by cpumask_t retirement.

MD review by: marcel, marius, alc
Tested by: pluknet
MD testing by: marcel, marius, gonzo, andreast

etire the cpumask_t type and replace it with cpuset_t usage.

This is intended to fix the bug where cpu mask objects are
capped to 32. MAXCPU, then, can now arbitrarely bumped to whatever
value. Anyway, as long as several structures in the kernel are
statically allocated and sized as MAXCPU, it is suggested to keep it
as low as possible for the time being.

Technical notes on this commit itself:
- More functions to handle with cpuset_t objects are introduced.
The most notable are cpusetobj_ffs() (which calculates a ffs(3)
for a cpuset_t object), cpusetobj_strprint() (which prepares a string
representing a cpuset_t object) and cpusetobj_strscan() (which
creates a valid cpuset_t starting from a string representation).
- pc_cpumask and pc_other_cpus are target to be removed soon.
With the moving from cpumask_t to cpuset_t they are now inefficient
and not really useful. Anyway, for the time being, please note that
access to pcpu datas is protected by sched_pin() in order to avoid
migrating the CPU while reading more than one (possible) word
- Please note that size of cpuset_t objects may differ between kernel
and userland. While this is not directly related to the patch itself,
it is good to understand that concept and possibly use the patch
as a reference on how to deal with cpuset_t objects in userland, when
accessing kernland members.
- KTR_CPUMASK is changed and now is represented through a string, to be
set as the example reported in NOTES.

Please additively note that no MAXCPU is bumped in this patch, but
private testing has been done until to MAXCPU=128 on a real 8x8x2(htt)
machine (amd64).

Please note that the FreeBSD version is not yet bumped because of
the upcoming pcpu changes. However, note that this patch is not
targeted for MFC.

People to thank for the time spent on this patch:
- sbruno, pluknet and Nicholas Esborn (nick AT desert DOT net) tested
several revision of the patches and really helped in improving
stability of this work.
- marius fixed several bugs in the sparc64 implementation and reviewed
patches related to ktr.
- jeff and jhb discussed the basic approach followed.
- kib and marcel made targeted review on some specific part of the
patch.
- marius, art, nwhitehorn and andreast reviewed MD specific part of
the patch.
- marius, andreast, gonzo, nwhitehorn and jceel tested MD specific
implementations of the patch.
- Other people have made contributions on other patches that have been
already committed and have been listed separately.

Companies that should be mentioned for having participated at several
degrees:
- Yahoo! for having offered the machines used for testing on big
count of CPUs.
- The FreeBSD Foundation for having sponsored my devsummit attendance,
which has been instrumental.
- Sandvine for having offered offices and infrastructure during
development.

(I really hope I didn't forget anyone, if it happened I apologize in
advance).

- Commit work from libprocstat project. These patches add support for runtime
file and processes information retrieval from the running kernel via sysctl
in the form of new library, libprocstat. The library also supports KVM backend
for analyzing memory crash dumps. Both procstat(1) and fstat(1) utilities have
been modified to take advantage of the library (as the bonus point the fstat(1)
utility no longer need superuser privileges to operate), and the procstat(1)
utility is now able to display information from memory dumps as well.

The newly introduced fuser(1) utility also uses this library and able to operate
via sysctl and kvm backends.

The library is by no means complete (e.g. KVM backend is missing vnode name
resolution routines, and there're no manpages for the library itself) so I
plan to improve it further. I'm commiting it so it will get wider exposure
and review.

We won't be able to MFC this work as it relies on changes in HEAD, which
was introduced some time ago, that break kernel ABI. OTOH we may be able
to merge the library with KVM backend if we really need it there.

Discussed with: rwatson

Don't duplicate define the stdint types.

Add support for IEE/IEC (and now also SI) power of two notions of
prefixes (Ki, Mi, Gi...) for humanize_number(3).

Note that applications has to pass HN_IEC_PREFIXES to use this
feature for backward compatibility reasons.

Reviewed by: arundel
MFC after: 2 weeks

Add missing resource limits:
- RLIMIT_NPTS
- RLIMIT_SWAP

MFC after: 1 week

humanize_number(3) multiply the input number by 100, which could cause an
integer overflow when the input is very large (for example, 100 Pi would
become about 10 Ei which exceeded signed int64_t).

Solve this issue by splitting the division into two parts and avoid the
multiplication.

PR: bin/146205
Reviewed by: arundel
MFC after: 1 month

s/buffer/buf as is used in the code.

Submitted by: arundel (via doc@)
MFC after: 3 days

expand_number() needs uint64_t, declare it here if not already declared.

MFC after: 3 days

Mention setloginclass(2) in login_class(3).

Add two new system calls, setloginclass(2) and getloginclass(2). This makes
it possible for the kernel to track login class the process is assigned to,
which is required for RCTL. This change also make setusercontext(3) call
setloginclass(2) and makes it possible to retrieve current login class using
id(1).

Reviewed by: kib (as part of a larger patch)

mdoc: drop redundant .Pp and .LP calls

They have no effect when coming in pairs, or before .Bl/.Bd

UTFize my name.

Fix typos, spelling, formatting and mdoc mistakes found by Nobuyuki while
translating these manual pages. Minor corrections by me.

Submitted by: Nobuyuki Koganemaru <n-kogane@syd.odn.ne.jp>

In setusercontext(), do not apply user settings unless running as the
user in question (usually but not necessarily because we were called
with LOGIN_SETUSER). This plugs a hole where users could raise their
resource limits and expand their CPU mask.

MFC after: 3 weeks

Old patch I had lying around: clean up and use stpcpy(3) instead of
sprintf(3).

Further simplify the code, and update the manpage.

Submitted by: Christoph Mallon <christoph.mallon@gmx.de>

no-op commit to note that the example given in the previous commit is
a very bad one, since the shift does not actually overflow. This is
a better example (assuming uint64_t = unsigned long long):

~0LLU >> 9 = 0x7fffffffffffffLLU
~0LLU >> 9 << 10 = 0xfffffffffffffc00LLU
~0LLU >> 9 << 10 >> 10 = 0x3fffffffffffffLLU

Fix the overflow test. It is possible for the result of an
overflowing shift to be larger than the original value, e.g.

(uint64_t)1 << 53 = 0x20000000000000
((uint64_t)1 << 53) << 10 = 0x8000000000000000

Simplify expand_number() by combining the (unrolled) loop with the
switch. Since expand_number() does not accept negative numbers, switch
from int64_t to uint64_t; this makes it easier to check for overflow.

MFC after: 3 weeks

Fix typos and spelling mistakes.

Spelling fixes.

Merger of the quota64 project into head.

This joint work of Dag-Erling Smørgrav and myself updates the
FFS quota system to support both traditional 32-bit and new 64-bit
quotas (for those of you who want to put 2+Tb quotas on your users).

By default quotas are not compiled into the kernel. To include them
in your kernel configuration you need to specify:

options QUOTA # Enable FFS quotas

If you are already running with the current 32-bit quotas, they
should continue to work just as they have in the past. If you
wish to convert to using 64-bit quotas, use `quotacheck -c 64';
if you wish to revert from 64-bit quotas back to 32-bit quotas,
use `quotacheck -c 32'.

There is a new library of functions to simplify the use of the
quota system, do `man quotafile' for details. If your application
is currently using the quotactl(2), it is highly recommended that
you convert your application to use the quotafile interface.
Note that existing binaries will continue to work.

Special thanks to John Kozubik of rsync.net for getting me
interested in pursuing 64-bit quota support and for funding
part of my development time on this project.

mdoc: order prologue macros consistently by Dd/Dt/Os

Although groff_mdoc(7) gives another impression, this is the ordering
most widely used and also required by mdocml/mandoc.

Reviewed by: ru
Approved by: philip, ed (mentors)

The NetBSD Foundation has granted permission to remove clause 3 and 4 from
their software.

Obtained from: NetBSD

Fix a regression that was introduced in r191882.

I changed login_tty() to only work when the application is not a session
leader yet. This works fine for applications in the base system, but it
turns out various applications call this function after daemonizing,
which means they already use their own session.

If setsid() fails, just call tcsetsid() on the current session.
tcsetsid() will already perform proper security checks.

Reported by: Oliver Lehmann
MFC after: 1 week

Remove login(3), logout(3) and logwtmp(3) from libutil.

These functions only apply to utmp(5). They cannot be kept intact when
moving towards utmpx. The login(3) function would break, because its
argument is an utmp structure. The logout(3) and logwtmp(3) functions
cannot be used, since they provide a functionality which partially
overlaps.

Increment SHLIB_MAJOR to 9 to indicate the removal.

Build lib/ with WARNS=6 by default.

Similar to libexec/, do the same with lib/. Make WARNS=6 the norm and
lower it when needed.

I'm setting WARNS?=0 for secure/. It seems secure/ includes the
Makefile.inc provided by lib/. I'm not going to touch that directory.
Most of the code there is contributed anyway.

Remove a dead store.

MFC after: 5 days

Make <libutil.h> work when included by itself.

There are several reasons why it didn't work:

- It was missing <sys/cdefs.h> for __BEGIN_DECLS.
- It uses various primitive types that were not declared.

sigset() is the name of function specified by SUSv4.
Replace it to avoid conflict.

MFC after: 3 weeks

Bump the version of all non-symbol-versioned shared libraries in
preparation for 8.0-RELEASE. Add the previous version of those
libraries to ObsoleteFiles.inc and bump __FreeBSD_Version.

Reviewed by: kib
Approved by: re (rwatson)

Fix copy-and-paste-o's from kinfo_getfile.3 in kinfo_getvmmap.3.

MFC after: 3 days

Merge NetBSD revision 1.14: humanize_number.c is now 2-clause BSD licensed.
(humanize_number.3 intentionally hold back until I make sure why we didn't
merged dehumanize_number(3)).

Obtained from: NetBSD

Usermode portion of the support for swap allocation accounting:
- update for getrlimit(2) manpage;
- support for setting RLIMIT_SWAP in login class;
- addition to the limits(1) and sh and csh limit-setting builtins;
- tuning(7) documentation on the sysctls controlling overcommit.

In collaboration with: pho
Reviewed by: alc
Approved by: re (kensmith)

Note that the structures are defined in <sys/user.h> in the text (using
language from stat(2)) rather than in the synopsis.

Requested by: bde

- Note that these interfaces require <sys/user.h> for the structure
definitions.
- Note that these functions return NULL on failure.

MFC after: 3 days

Revert (once again, and hopefully for the last time) to flock(2) locks.
The problem with fcntl(2) locks is that they are not inherited by child
processes. This breaks pidfile(3), where the common idiom is to open
and lock the PID file before daemonizing.

Add missing .Pp

Add tcsetsid(3).

The entire world seems to use the non-standard TIOCSCTTY ioctl to make a
TTY a controlling terminal of a session. Even though tcsetsid(3) is also
non-standard, I think it's a lot better to use in our own source code,
mainly because it's similar to tcsetpgrp(), tcgetpgrp() and tcgetsid().

I stole the idea from QNX. They do it the other way around; their
TIOCSCTTY is just a wrapper around tcsetsid(). tcsetsid() then calls
into an IPC framework.

Include param.h instead of types.h when using user.h. Otherwise there is
a dependence on ucred.h including audit.h including param.h, which we
would like to eliminate.

MFC after: 3 weeks

Initialize the cntp pointer to 0 prior to doing any work so that callers
don't try to iterate through garbage or NULL memory. Additionally, return
NULL instead of 0 on error.

Reviewed by: peter
Approved by: peter

Add filler man pages for the kinfo functions I added recently.
While here, hook up the hexdump(3) man page which wasn't being installed.

Attempt a quick bandaid for arm build breakage. I went to the trouble of
maintaining alignment, but I'm not sure how to tell gcc this.

Merge user/peter/kinfo branch as of r185547 into head.

This changes struct kinfo_filedesc and kinfo_vmentry such that they are
same on both 32 and 64 bit platforms like i386/amd64 and won't require
sysctl wrapping.

Two new OIDs are assigned. The old ones are available under
COMPAT_FREEBSD7 - but it isn't that simple. The superceded interface
was never actually released on 7.x.

The other main change is to pack the data passed to userland via the
sysctl. kf_structsize and kve_structsize are reduced for the copyout.
If you have a process with 100,000+ sockets open, the unpacked records
require a 132MB+ copyout. With packing, it is "only" ~35MB. (Still
seriously unpleasant, but not quite as devastating). A similar problem
exists for the vmentry structure - have lots and lots of shared libraries
and small mmaps and its copyout gets expensive too.

My immediate problem is valgrind. It traditionally achieves this
functionality by parsing procfs output, in a packed format. Secondly, when
tracing 32 bit binaries on amd64 under valgrind, it uses a cross compiled
32 bit binary which ran directly into the differing data structures in 32
vs 64 bit mode. (valgrind uses this to track file descriptor operations
and this therefore affected every single 32 bit binary)

I've added two utility functions to libutil to unpack the structures into
a fixed record length and to make it a little more convenient to use.

Fixing !INET6 builds.

Fixed style issues with variable ordering and naming, spacing and
parentheses.

Fixed alignment issue in gr_dup() in its assignment of gr_mem using a
struct to force alignment without performing alignment mathematics. This
was noticed recently with libutil was built with WARNS=6 on platform such
as sparc64.

Added checks to gr_dup(), gr_equal() and gr_make() to prevent segfaults
when examining struct group's with the struct members pointing to NULL's.

With fix of alignment issue, restore WARNS?=6.

Reviewed by: des
MFC after: 1 week

style(9) fixes.

MFC after: 1 week

Like many other functions that handle sockaddrs, realhostname_sa() takes a
struct sockaddr * that it casts internally to the appropriate type based on
sa_family. However, struct sockaddr has very lax alignment requirements,
which causes the compiler to complain when you cast a struct sockaddr * to,
say, a struct sockaddr_in6 *.

I find it reasonable to assume that the pointer we received is in fact
correctly aligned. Therefore, we can work around the compiler warnings by
casting to void * before casting to the desired type. For readability's
sake, this is done with macros.

The same technique should prove useful in other parts of the tree that
deal with socket addresses.

MFC after: 3 weeks

Comment out WARNS. There are too many alignment issues in libutil.

Disconnect gr_util.c from the build. It isn't documented or used anywhere
in the tree, and due to unsafe pointer arithmetic, it will most likely crash
on architectures with strict alignment requirements.

libutil now builds at WARNS level 6.

MFC after: 3 weeks

Add missing header.

Avoid assigning a const char * to a char *.

MFC after: 3 weeks

Remove unneeded call to revoke() inside openpty().

As discussed on the commits list, there is no need to call revoke()
inside openpty(). On RELENG_6 and RELENG_7 unlockpt() will call
revoke(). On HEAD we create pseudo-terminals on demand, so there is no
need to revoke the slave device node.

This change should never be MFC'd, because the implementation we have in
RELENG_6 and RELENG_7 should work flawlessly with older versions of
libc.

Discussed with: jhb
MFC after: never

Diff reduction against Varnish, including one important fix: use a shared
lock if the file is opened with O_RDONLY.

Reimplement flopen(3) using fcntl(2) locks instead of flock(2) locks.

pidfile(3) uses flopen(3) - don't make any assumptions about how the
latter is implemented.

There is no point in releasing a lock on a file which we've unlinked and
are about to close, so don't. As a bonus, pidfile_remove(3) will now
work with an fcntl(2)-based flopen(3).

Since in_lt() and in_lts() are not static, assume that they are intended to
be part of the public API. Accordingly, add prototypes and document them.

Additional style and whitespace fixes.

Style and whitespace

Unbreak

Since setclasscpumask() is not static, assume that it is intended to be
part of the public API. Accordingly, add a prototype and document it.

Style and whitespace.

Parenthesize return values.

include and whitespace cleanup.

Use strlcpy() when we mean it.

Small cleanups to openpty().

- Pass O_NOCTTY to posix_openpt(2). This makes the implementation work
consistently on implementations that make the PTY the controlling TTY
by default.

- Call unlockpt() before opening the slave device. POSIX mentions that
de slave device should only be opened after grantpt() and unlockpt()
have been called.

- Replace some redundant code by a label.

In theory we could remove a lot of code from openpty() on FreeBSD
-CURRENT, because grantpt(), unlockpt() and revoke() are not needed in
our implementation. We'd better keep them there. This makes the code
still work with older FreeBSD releases and even makes it work on other
non-BSD operating systems.

I've compiled openpty() on Linux. You only need to remove the revoke()
call, because revoke() on Linux always returns -1. Apart from that, it
seems to work like it should.

Reviewed by: jhb

Integrate the new MPSAFE TTY layer to the FreeBSD operating system.

The last half year I've been working on a replacement TTY layer for the
FreeBSD kernel. The new TTY layer was designed to improve the following:

- Improved driver model:

The old TTY layer has a driver model that is not abstract enough to
make it friendly to use. A good example is the output path, where the
device drivers directly access the output buffers. This means that an
in-kernel PPP implementation must always convert network buffers into
TTY buffers.

If a PPP implementation would be built on top of the new TTY layer
(still needs a hooks layer, though), it would allow the PPP
implementation to directly hand the data to the TTY driver.

- Improved hotplugging:

With the old TTY layer, it isn't entirely safe to destroy TTY's from
the system. This implementation has a two-step destructing design,
where the driver first abandons the TTY. After all threads have left
the TTY, the TTY layer calls a routine in the driver, which can be
used to free resources (unit numbers, etc).

The pts(4) driver also implements this feature, which means
posix_openpt() will now return PTY's that are created on the fly.

- Improved performance:

One of the major improvements is the per-TTY mutex, which is expected
to improve scalability when compared to the old Giant locking.
Another change is the unbuffered copying to userspace, which is both
used on TTY device nodes and PTY masters.

Upgrading should be quite straightforward. Unlike previous versions,
existing kernel configuration files do not need to be changed, except
when they reference device drivers that are listed in UPDATING.

Obtained from: //depot/projects/mpsafetty/...
Approved by: philip (ex-mentor)
Discussed: on the lists, at BSDCan, at the DevSummit
Sponsored by: Snow B.V., the Netherlands
dcons(4) fixed by: kan

Add support for a new login capability, cpumask which allows login
sessions to be pinned to cpus by login class.

Add #include <inttypes.h> for the strtoimax().

Submitted by: Jilles Tjoelker <jilles stack nl>
MFC after: 3 days

Merge hexdump(9) to userland as hexdump(3) in libutil. I'm tired of doing
this by hand in userland utilities.

MFC after: 1 month

Add four utility functions related to struct grp processing modeled in-part
after similar calls related to struct pwd in libutil/pw_util.c:
- gr_equal()
Perform a deep comparison of two struct grp's. It does a thorough, yet
unoptimized comparison of all the members regardless of order.

- gr_make()
Create a string (see group(5)) from a struct grp.

- gr_dup()
Duplicate a struct grp. Returns a value that is a single contiguous
block of memory.

- gr_scan()
Create a struct grp from a string (as produced by gr_make()).

MFC after: 3 weeks

Merge changes from NetBSD on humanize_number.c, 1.8 -> 1.13
Significant changes:
- rev. 1.11: Use PRId64 instead of a cast to long long and %lld to print
an int64_t.
- rev. 1.12: Fix a bug that humanize_number() produces "1000" where it
should be "1.0G" or "1.0M". The bug reported by Greg Troxel.

PR: 118461
PR: 102694
Approved by: rwatson (mentor)
Obtained from: NetBSD
MFC after: 1 month

Put back the openpty(3) and ptsname(3) fixes but don't disable ptsname(3)
on pts(4) devices this time. This fixes the issues while leaving pts(4)
enabled on HEAD.

Back out last commit, since it accidentally broke pts.

The security fix will be re-committed soon, hopefully without breaking
anything.

Update the manpage for openpty(3) to account for the recent fixes.
Specifically, remove the BUGS section and note that openpty(3) now always
does the various security-related steps. Also, update the error return
value section. The PR below is for the original bug rather than the doc
updates.

MFC after: 1 week
PR: bin/9770

Fix issues which allow snooping on ptys. [08:01]

Fix an off-by-one error in inet_network(3). [08:02]

Security: FreeBSD-SA-08:01.pty
Security: FreeBSD-SA-08:02.libc

Invoke revoke(2) on the slave pty in the pts(4) case (new_openpty()) to
kick off any other users on the device line before using it since
openpty(3) is documented to do this. Note that grantpt(3) does not
call revoke(2), it only adjusts permissions and ownership.

MFC after: 3 days

Bump up the number of ttys supported by pty(4) to 512 by making use of
[pt]ty[lmnoLMNO][0-9a-v].

MFC after: 3 days
Reviewed by: rwatson

Constify the first argument to expand_number() so that it can
be called with a const without the compiler grisling.

Minor mdoc cleanup: Every sentence should start on its own line.

When pidfile is already locked and has zero length, do not return
success and zero pid from pidfile_read(). Return EAGAIN instead. Sleep
up to three times for 5 ms while waiting for pidfile to be written.

mount(8) does the kill(mountpid, SIGHUP). If mountd pidfile is truncated,
that would result in the SIGHUP delivered to the mount' process group
instead of the mountd.

Found and analyzed by: Peter Holm
Tested by: Peter Holm, kris
Reviewed by: pjd
MFC after: 1 week

Adjust history.

Approved by: re(ken)

- Fix strange for loop.

Reported by: phk

- While here, check the unit before calculating the actually number.
This way we can return EINVAL for invalid unit instead of ERANGE.

Approved by: re (kensmith)

Point expand_number(3) at humanize_number(3) and nive versa.

Suggested by: trhodes
Approved by: re (kensmith)

Implement expand_number(3), which is the opposite of humanize_number(3), ie.
a number in human-readable form is converted to int64_t, for example:
123b -> 123
10k -> 10240
16G -> 17179869184

First version submitted by: Eric Anderson <anderson@freebsd.org>
Approved by: re (bmah)

Back out previous commit until I figure out why my regression test fails.

Approved by: re (kensmith)

Use fcntl(2)-style locks instead of less-portable flock(2)-style locks.

Approved by: re (kensmith)

Document the quirks of ~/.login_conf and LOGIN_MECLASS.

Improve mdoc(7) markup.

Update some comments, mostly regarding LOGIN_MECLASS and ~/.login_conf.

Nit: avoid shadowing truncate(2) with a local variable.

Fix stupid braino in previous commit.

If (flags & O_TRUNC), don't truncate the file until we've successfully
locked it.

MFC after: 3 weeks

Bump library versions in preparation for 7.0.

Ok'd by: kan

strlcpy() may be faster than snprintf(), but it is less portable, and this
is not performance critical code anyway. Also, avoid using strlen() to
obtain information which we already have.

MFC after: 3 weeks

Fix typo.

Submitted by: Bård Skaflestad <bardsk@math.ntnu.no>

Well gag me with a spoon... I'm so used to working at high WARNS levels
that I make stupid fundamental mistakes like this when I don't.

Remove superfluous unexpanded RCS tag.

Use flopen(3).

MFC after: 3 weeks

DTRT when O_NONBLOCK is specified.

MFC after: 3 weeks

I'm tired of seeing this done incorrectly and non-portably, so add a
flopen(3) function which reliably opens and locks a file.

MFC after: 3 weeks

Fix one kind of style(9) bug and a typo in a comment.

Tested with: md5(1)

Remove California Regent's clause 3, per letter

Fix a typo: "the give login class" to "the given login class."

PR: 75577
Submitted by: Nobuyuki Koganemaru

Fix markup in previous revision.

Add information on how to escape a literal colon in a value or name.

PR: 101262

Revise markup in recently added manpages.

Markup fixes.

Minor comment fix.

(pw_copy): Handle the case of a malformed line in master.passwd
(copy it silently, do not dereference NULL pointer).

PR: bin/102848
Reviewed by: security-officer (cperciva)
MFC after: 1 week

Recognize the existence of `auth' and `auth-type'
capabilities but tell they do nothing in the base system.

This is a late responce to
http://docs.freebsd.org/cgi/mid.cgi?ED759F1DC5ADD74592DD063B1EDEDAF803ACD2B5
.

Obtained from: OpenBSD (wording; with minor corrections)

style.Makefile(5) is good for our eyes.

Note the convention that humanize_number follows.
Add 'engineering' numbers to table.

o Add missed comma, xref kld(4).

Remove some unused variables

o Typo: ownship -> ownership.

Obtained from: DragonFlyBSD

Specify default path for SHLIBDIR before bsd.own.mk does.
This fix shared library installed correct place.

Don't build IPv6 support if we have choosen not to have it.

- Add include for libutil.h and string.h for prototype.
- Cast the rvalue to be compared with the result of
strlen() to size_t.

Bump library majro version for gethostbyaddr(3).

Document how the backoff delay is calculated.

Submitted by: markus
MFC after: 3 days

use pwrite to always write at the begining of the file.. If multiple calls
to pidfile_write happen, the pidfile will have nul characters prepended
due to the cached file descriptor offset...

Reviewed by: scottl
MFC after: 3 days

Use `intmax_t' instead of plain `int' for pid_t casts.

Useful tips from: ru, bde
Approved by: pjd
MFC after: 3 days

Add utility functions for checking if a given kernel module is loaded,
and loading it.

- Add a note that passing NULL to pidfile_write(), pidfile_remove() and
pidfile_close() functions is safe. This possibility is used in example code.
- Cast pid_t to int.

Requested by: yar

Teach openpty() how to deal with pts.

Restore use of strncpy(), as there is later unconditional termination
of the string, and reliance on the returned pointer.

Found by: bde (tm)

Replace strncpy() with strlcpy() when parsing login time limit strings
from /etc/login.conf, or an unterminated string buffer could result.
Probably, login_times.c should reject excessively long time strings as
unparseable, rather than truncating, which might render an invalid
string valid.

Found with: Coverity Prevent (tm)
Reviewed by: csjp
MFC after: 3 days

Fix typo in comment.

MFC after: 3 days

Document the LOGIN_SETMAC setusercontext(3) flag. While we are here, drop
in an external reference to mac_set_proc(3).

Restore the previous state after a FILL operation in properties_read()
rather than forcing the state to LOOK. If we are in the middle of parsing
a line when we have to do a FILL we would have lost any token we were in
the middle of parsing and would have treated the next character as being
at the start of a new line instead.

PR: kern/89181
Submitted by: Antony Mawer gnats at mawer dot org
MFC after: 1 week

Fix prototype.

Fix markup, grammar and spelling.

When removing the local domain, only do so when the result will be a
host name. This is matches the documented behaviro. The previous
behavior would remove the domain name even if the result retained a dot.

This fixes rsh connections from a.example.com to example.com.

Reviewed by: ceri (at least the concept)

Pidfiles should be created with permission preventing users from opening
them for reading. When user can open file for reading, he can also
flock(2) it, which can lead to confusions.

Pointed out by: green

Add a family of functions for reliable pidfiles handling.

Idea from: jmg
Discussed on: arch@

Bump the shared library version number of all libraries that have not
been bumped since RELENG_5.

Reviewed by: ru
Approved by: re (not needed for commit check but in principle...)

NI_WITHSCOPEID cleanup. Neither RFC 2553 nor RFC 3493 defines
NI_WITHSCOPEID, and our getaddrinfo(3) does nothing special
for it, now.

Properly spell default in a comment.

Remove duplicated "bytes".

Submitted by: Wojciech A. Koszek [dunstan freebsd czest pl]
PR: 79747

Fix grammatical issue.

Submitted by: ceri

Use ~/.login_conf when discussing a user's local file.

Suggested by: ru

Reword previous commit to be a bit more correct and provide more information.

Inspiried by: ru

Make it more obvious that cap_mkdb(1) is required to rebuild the database.

PR: 76981
Submitted by: Lowell Gilbert <freebsd-bugs-local@be-well.ilk.org>

Expand *n't contractions.

Reflect the reality; only crypt(3) uses /etc/auth.conf
for the time being.

Sort sections.

Scheduled mdoc(7) sweep.

Various markup and spelling fixes.

PR: 75574
Submitted by: Nobuyuki Koganemaru <n-kogane@syd.odn.ne.jp> (original version)

Grammar in a comment.

Backout manual page updates.

Requested by: ru

Take the lastest fixes from NetBSD.

Obtained from: NetBSD

There is no such manual page in FreeBSD.

Document when this function came into FreeBSD.

Spell FTP correctly - in this case, it is used as the name of the protocol,
not the program. Also, bump the document date.

Reminded by: our resident mdoc guard (ru)

Add Giorgos's description of the ftp-chroot login.conf option.

Reported by: Bill Moran <wmoran@potentialtech.com>
Submitted by: keramida
MFC after: 2 weeks

Markup fixes.

Eliminate double whitespace.

Mechanically kill hard sentence breaks.

Humanize_number(3) is a part of libutil.

You want to include libutil.h, not util.h.
Some minor sentence tweaking.

Add humanize_number(3) to libutil for formating numbers into a human
readable form.

Obtained from: NetBSD

Don't depend on NULL's expansion being a pointer, cast it before it is passed
to variadic functions.

Approved by: das (mentor)

Fix and clarify unparsable sentence.

MFC after: 2 weeks

Bring the description for login_getclassbyname in sync with the function's
arguments. The function has as a second argument a struct passwd * pointer,
not a directory name.

MFC after: 2 weeks

Back out the "clean_environment()" function from libutil.

Further contemplation has convinced me that this was
not going to really solve the problem of environment-poisoning
without raising serious administrative headaches. There
must be a better way...

Add the clean_environment call to libutil.h also.

MFC after: 2 weeks

Add a clean_environment call to libutil.

This function removes all environment variables except
the ones listed on a "whitelist."

The function accepts two whitelist arguments.
If the first is NULL, a built-in default list will be
used. This allows callers to get a variety of behaviors:
* Default screening: provide NULL for both lists
* Custom screening: provide a custom list for the first argument
* Modified default screening: provide NULL for first arg,
list of additional variables to preserve in the second arg

Idea from: Jacques Vidrine

MFC after: 2 weeks

Bump the major version on libtuil. libutil now relies on the mac_*
symbols exported by newer versions of libc, and so we want applications
depending on the newer library code to be required to link against the
newer libc.

Discussed with: scottl, kris, imp

Remove __NETBSD_SYSCALLS.

(mostly) Clean up some const warnings here. The code takes some liberties
because it is the originator of various const strings and knows that they
came from malloc.

ANSIfy, WARNSify, CONSTify. Bit of style(9)-ify.

Remove a GCC specifig CFLAG. We should be using WARNS=? for this.
WARNS=? is not added here at this point, because I've not tested
it on enough platforms, and I don't want to break builds.

mdoc(7): Properly mark C headers.

style.Makefile(5)

Stage 3 of dynamic root support. Make all the libraries needed to run
binaries in /bin and /sbin installed in /lib. Only the versioned files
reside in /lib, the .so symlink continues to live /usr/lib so the
toolchain doesn't need to be modified.

Tidy up. Sort headers.

Backout last commit. It is redundant in -CURRENT.

Pointed out by: David Schultz

Note that the idletime setting is not enforced.

PR: docs/40952
MFC After: 3 days

Document the login-backoff and login-retries capabilities.

PR: docs/51397
MFC After: 3 days

Add vmemoryuse to the list.

PR: 50796
Submitted by: Dmitry Sivachenko <mitya@cavia.pp.ru>

Brucify.

Correctly detect the case where a password entry was changed while we were
preparing to edit it.

PR: bin/50563

Apply the correct fix for bin/50679: don't mess around with process groups
or the tty, just block selected signals in the parent like system(3) does.
Many thanks to bde for his assistance in finding the correct solution.

PR: bin/50679

Band-aid for the "^C kills the editor" problem. I haven't yet found the
proper way to fix this. The way this works is to prepend "exec " to
the editor command to eliminate the "shell in the middle" which prevents
us from properly reawakening the editor after a SIGTSTP.

PR: bin/50679

The .Fn function

Make pw_edit() use /bin/sh to interpret the EDITOR environment
variable.

PR: 48748
Reviewed by: mike (mentor)

Re-document unimplemented capabilities that were removed in the last
revision of this file, but note that they are not supported in the
base system.

Requested by: ache
Reviewed by: ache, mike (mentor)

- Document the fact that we now use pam_passwdqc(8) to check
password quality, not login.conf(5).
- Move warnexpire and warnpasswd from the ``Accounting Limits''
section to ``Authentication'', and nix everything else in the
former section. The accounting knobs are not available in
the base system, and the subset of them available in ports
should be documented in the ports' manpages.

PR: 47960
Reviewed by: mike (mentor), doc

mdoc(7) police: markup laundry.

Now return NULLified struct in case of empty config file
(previous variant return NULL pointer for both empty file case and error case,
so caller can't sense error properly).

It not affect existen programs because property_find() now returns NULL
for both NULL pointer and NULLified struct.

Handle read errors

Add (unsigned char) cast to ctype macros
Handle NULL return from malloc and strdup

Fix typos, mostly s/ an / a / where appropriate and a few s/an/and/
Add FreeBSD Id tag where missing.

english(4) police.

Document the `label' capability.

Approved by: re
Sponsored by: DARPA, Network Associates Labs
Obtained from: TrustedBSD Project

Oops. Some ut_time stuff slipped through the cracks. These turned out
to be non-fatal due to stack alignment roundups.

Add LOGIN_SETMAC to the list of flags that can't be set without class
information, since we rely on the pwd entry to know what MAC labels
to set as part of the login process.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Use "deprecated" instead of "depreciated" where appropriate.

Don't forget to '\n'-terminate new entries. This unbreaks chpass -a.

Submitted by: joerg

If LOGIN_SETMAC is set and MAC is enabled in the kernel, then see
if the user has a 'label' entry in their login class. If so, attempt
to set that label on the process as part of the credential setup. If
we're unable to parse the label, or unable to set the label, fail.
In the future, we may also want to warn if a label is set but the
kernel doesn't support MAC.

Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Zap now-unused SHLIB_MINOR

Replace various spelling with FALLTHROUGH which is lint()able

Add LOGIN_SETMAC, which will indicate to the user context management code
that it should also set the user's default MAC label, if available and
permitted.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs

Whitespace cleanup--it's not style(9), but it is consistent. Prep
for MAC-related commits to the login infrastructure.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs

mdoc(7) police: spelling.

Add additional field 'overwrite' to login_vars. It mainly needed to handle
"term" according to manpage, i.e. not overwrite it, if already present in
environment.

Backout previous delta (addition of -I${.CURDIR}/../../sys).

Submitted by: bde

Add -I${.CURDIR}/../../sys into CFLAGS, which should fix the world broken
by RLIMIT_VMEM addition.

Add documentation for vmemoryuse

Make libutil aware of vmemoryuse in its login.conf cap processing (aka
sshd, /usr/bin/login, etc)

Be more clear in error messages.
Distinguish between a held lock and a failed lock op.

If rpc.lockd is not running on a diskless client this makes clearer
what the problem is.

Return HOSTNAME_INVALIDADDR when reverse lookup is fail.

Submitted by: Sergey Zorin <sergey@cc.tpu.edu.ru>

Add used include of <string.h>.

If no old_pw was passed to pw_copy, compare just the name.

Sponsored by: DARPA, NAI Labs

Add passwd manipulation code based on parts of vipw and chpass.

Sponsored by: DARPA, NAI Labs

login(3) doesn't care about the controlling terminal any more.

Fix for the sshd(8) utmp problem. Previously, login(3) would ignore the tty
named by its argument and use ttyslot(3) instead to determine what slot to
use. The problem is that sshd(8) calls pam_open_session(3) before forking
the child (as it should), at which point it does not have a controlling
terminal. Also, ttyslot(3) is very crude as it assumes fd 0, 1 or 2 refers
to the controlling terminal, which is usually (but not always) the case.

Instead of using ttyslot(3) to determine the slot number, look up the
specified tty in /etc/ttys ourselves (this is what ttyslot(3) does anyway).

(perforce change 9969)

Sponsored by: DARPA, NAI Labs

Make mppath and masterpasswd pointers instead of arrays, and initialize
them to point at static strings that contain the default paths. This
makes 'vipw -d' work again (I broke it in rev 1.21; apologies for taking
so long to fix it.)

Spotted by: Olivier Houchard <doginou@cognet.ci0.org>
Sponsored by: DARPA, NAI Labs

Add a missing cross-ref.

Approved by: murray
MFC after: 1 week

Remove bogus reference to _use_yp.

Const poisoning.

Remove multi-line __P() usage.

Remove __P() usage.

Remove 'register' keyword.

Remove a bogus cast.

Correct a typo.

PR: 35273
Submitted by: Nicola Vitale <nivit@libero.it>

#include <time.h> for the definition of time functions instead of
depending on namespace pollution 2 layers deep in <sys/stat.h>.

Sorted includes.

#include <stddef.h> for the definition of NULL instead of depending on
namespace pollution 2 layers deep in <sys/stat.h>.

Sorted includes.

ANSIfy and constify.

Sponsored by: DARPA, NAI Labs

o Reflect repo-copy of extattr.[c3] from libutil to libc, moving
extattr namespace routines to the libc/posix1e directory. While
the extattr calls are not strictly POSIX.1e, POSIX.1e wasn't
strictly ever approved, so I think that's OK.

Obtained from: TrustedBSD Project

o Document 'nocheckmail' login capability.

Although the 'bool' type is referenced in the list of capabilities, it
is not defined in the capability type list. Provide a definition for
'bool', if a slightly less than elegant one. Note that this definition
does not include the complete scope of available behavior defined
in cgetcap(3), and could probably be improved.

Fix the phrase about "both files", which must be left
from login(3). This page, logwtmp(3), speaks of only
one file -- wtmp(5).

MFC after: 1 week

mdoc(7) police: Use the new .In macro for #include statements.

Add __FBSDID()s to libutil

1) Back out ~/.login_conf disable
2) Pick only "me" class from ~/.login_conf as documented

Disable per-user .login_conf support due to incorrect merging of local
and globaly settings. An alternative implementation will be developed.

Reported by: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>

o Add a comment noting that the early setting of privileges for the purpose
of NFS home directory and root directory processing fails to include
additional groups. This doesn't impact the final credential, but does
mean that users may be denied login even when additional groups might
allow it.

Removed duplicate VCS ID tags, as per style(9).

mdoc(7) police: protect trailing full stops of abbreviations
with a trailing zero-width space: `e.g.\&'.

Simplify IPv4 mapped IPv6 address handling.

Reviewed by: brian
MFC after: 5 days

remove emalloc,ecalloc,erealloc,estrdup

add ecalloc, emalloc, erealloc, estrdup - versions of the e-less
functions that exit instead of failing

Hint getaddrinfo() correctly if we're looking up a name that we got from
an AF_INET6 address.

MFC after: 1 week

Remove whitespace at EOL.

mdoc(7) police: removed HISTORY info from the .Os call.

mdoc(7) police: remove extraneous .Pp before and/or after .Sh.

Fix the type of the NULL arg to execl()

Idea from: Theo de Raadt <deraadt@openbsd.org>

Add RETURN VALUES and ERRORS sections.

Add a manual page for extattr_string_to_namespace and
extattr_namespace_to_string.

Reviewed by: rwatson

Removed -I${.CURDIR}/.../sys from CFLAGS.

Sort.

Add the "prompt" and "passwd_prompt" fields to /etc/login.conf,
which makes lgoin more like getty in its ability to be configured.

Submitted by: tlambert (code only)

Don't pass NULL to the %s format.

Reviewed by: kris

mdoc(7) police: normalize .Nd.

MAN[1-9] -> MAN.

o Slap some "_"'s in front of variable names relating to extattr functions,
so as not to pollute application namespace.

Submitted by: bde

o Rename "namespace" argument to "attrnamespace" as namespace is a C++
reserved word.

Submitted by: jkh
Obtained from: TrustedBSD Project

o Rename "namespace" argument to "attrnamespace" as namespace is a C++
reserved word, causing breakage when a C++ program included libutil.h
This change will be propagated elsewhere shortly.

Submitted by: jkh
Obtained from: TrustedBSD Project

Fix some further style nits

Pointed out by: bde

Actually commit the new version of trimdomain *blush*

Thanks for covering my blunder to: peter

o To support new EA interface with explicit namespaces, introduce two
utility functions which convert between string namespace names and
numeric constants used by the interface. Right now, two namespaces
are supported, EXTATTR_NAMESPACE_SYSTEM ("system") and
EXTATTR_NAMESPACE_USER ("user"). These functions are used by
various userland EA utilities, rather than hard coding the routines
all over the place.

Obtained from: TrustedBSD Project

It would help if trimdomain.c was actually committed. This is a stopgap
world-unbreaker until Brian Somers commits the one he intended to.

Pointy Hat to: brian

Move trimdomain() into it's own source file and tidy things up a bit.
Fix disorder in the Makefile.

Reviewed (mostly) by: bde

MAXHOSTNAMELEN includes space for the NUL
Don't read past the end of the host passed to realhostname()

Not objected to by: freebsd-audit
Interface disliked by: imp

Updates for Blowfish password hashing.

In theory it would be perfectly legal for a system administrator to

# cd /dev && ./MAKEDEV pty0 pty3
and/or
# rm -rf /dev/ptyp0

and expect all programs that use openpty() to still try to find available ptys.

Fix typo: seperate -> separate.

Seperate does not exist in the english language.

Submitted to look at by: kris

Fixed prototype of logout() (const poisoning).

mdoc(7) police: split punctuation characters + misc fixes.

Call trimdomain properly for ip4 addresses.

PR: 24659
realhostname_sa() stuff submitted by: Jim.Pirzyk@disney.com

Prepare for mdoc(7)NG.

In call to realloc, pass the number of bytes needed, not simply the
number of login time structures.

Forward the name of the deny capability rather than hard-coding it
in login_hostok.

Prepare for mdoc(7)NG.

mdoc(7) police: Now that .Fx macro is parsed, backout
the 1.18 -> 1.20 and fix the .Fx issue the right way.

Fix a mangled $Id string

mdoc(7) police: Er macro usage cleanup.

mdoc(7) police: use the new features of the Nm macro.

Use Fx macro wherever possible.

Avoid use of direct troff requests in mdoc(7) manual pages.

Eliminate inconsistency where a value that contains only whitespace
confuses the parser.

Approved by: jkh

Added PROPERTY_MAX_VALUE and PROPERTY_MAX_NAME defines to libutil.h so
that applications know how large of a buffer they must allocate before
calling property_find(). Also added a $FreeBSD$ tag while I'm here.

Approved by: jkh

Fix problems people were having with large -O levels with GCC and
getting libutil/libcrypt to work properly. I've determined that GCC
thinks it can inline all functions, including weak-symboled ones, if
it feels like it.

Create a new stub.c and move any stubs there to prevent inlining.
Thanks to jdp and William S. Duncanson for helping me finally find the
problem.

Correct uu_lock_txfr. I don't think this ever worked correctly.

Document passwd_format further.

Constify the arg to logout(3). It is const-safe.
(cosmetic: drop some "register" qualifications too.)

Move setproctitle() from libutil to libc (after a repo-copy)
and bump __FreeBSD_version to 500012 to mark the occasion.

setproctitle() is prototyped in unistd.h as opposed to stdlib.h
where OpenBSD and NetBSD have it.

Reviewed by: peter

Add weak symbol pragma for crypt_set_format().

Approved by: green

Stick login_setcryptfmt() in its own file to make pulling in of
-lcrypt only happen if truly necessary.

Add working and easy crypt(3)-switching. Yes, we need a whole new API
for crypt(3) by now. In any case:

Add crypt_set_format(3) + documentation to -lcrypt.
Add login_setcryptfmt(3) + documentation to -lutil.
Support for switching crypt formats in passwd(8).
Support for switching crypt formats in pw(8).

The simple synopsis is:
edit login.conf; add a passwd_format field set to "des" or "md5"; go nuts :)

Reviewed by: peter

If the format string passed to setproctitle begins with a '-'
character, skip the program name when setting the process title.
Ansified with extreme prejudice.

Reviewed by: peter

Sshd writes connected host into utmp directly. If the connection is
via IPv6, the hostname is trimed due to the length of IPv6 address.
This change saves it as possible.
I have a grudge against the shortage of UT_HOSTSIZE.

Make sbsize a size instead of a number. This allows the usual suffixes
to be applied to the value given. This does not break installed
/etc/login.conf files, since un-suffixed numbers are interpreted as
they were before.

PR: 19750
Submitted by: Paul Herman <pherman@frenchfries.net>

Don't call warn() without a format string.

Better fix for .Fx macro

Submitted by: sheldonh

Fix .Fx usage (causing error diagnositc)

document sbsize limit.

We should see the ai_canonname menber of the first addrinfo
structure in the linked list. RFC2553 mentions only first.

Reviewed by: shin

Fix a memory leak with lc->lc_cap in login_close().

PR: bin/17084

Fix miscellaneous mdoc macro argument limit infringements.

PR: 18465
Reported by: Kazu TAKAMUNE <takamune@avrl.mei.co.jp>

Add xref to cap_mkdb(1).

PR: docs/17544
Submitted by: Christ J. Clark <cjc@cc942873-a.ewndsr1.nj.home.com>

Introduce .Lb macro to libutil manpages
Sort .Nm values in some manpages
Remove explicit note about compiling with -lutil, it's implicitly
declared by .Lb macro now.

Fix some spelling errors.

Return IPv4 native address for IPv4 mapped IPv6 address, even if
A RR is not found.

Reviewed by: shin

Since crypto/openssh/login.c was changed to use realhostname_sa(),
when connecting via IPv6, hostname was not recorded to utmp anymore.
Because, if hostname is longer than buffer size, getnameinfo() returns
with ENI_MEMORY.

Reviewed by: shin
Approved by: jkh

Remove single-space hard sentence breaks. These degrade the quality
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.

Update major version.

Now libutil depends on libc.so.4, so needs to update the major version.
Without this, old binaries which use libutil and build with libc.so.3
will coredump on recent 4.0.

Solicited comment for cvs-committers and there seems to be no objection.

Approved by: jkh

Document mixpasswordcase here as well as in passwd.1

Historically file flags (schg, uschg, etc) have been converted from
string to u_long and back using two functions, flags_to_string and
string_to_flags, which co-existed with 'ls'. As time has progressed
more and more other tools have used these private functions to
manipulate the file flags.

Recently I moved these functions from /usr/src/bin/ls to libutil,
but after some discussion with bde it's been decided that they
really ought to go in libc.

There are two already existing libc functions for manipulating file
modes: setmode and getmode. In keeping with these flags_to_string
has been renamed getflags and string_to_flags to setflags.

The manual page could probably be improved upon ;)

Avoid core dump when ai_canonname is NULL.
(Now this happens for numeric addrs, as getaddrinfo() 1.3 -> 1.4 change)

Reviewed by: Mark Huizer <xaa@timewasters.nl>

Use a long line instead splitting a line with backslash-newline in synopsis.
My synopsis checker doesn't understand backslash-newline.

Use a more conventional copyright message.

several tcp apps IPv6 update
-inetd
-rshd
-rlogind
-telnetd
-rsh
-rlogin

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project

Do not set the default terminal type to "su", leave it empty.

PR: bin/5084
Reviewed by: asmodai, davidn, sef

Repair internal consistency: Change "login_cap_t * lc" to a more correct
(and consistent) "login_cap_t *lc".

Add the "use -lutil" line to all functions that require it so people like
Dan Papsian <bugg@bugg.strangled.net> don't anger wpaul and myself with
silly linking errors.

Reviewed by: chris

Support v6 login.

Replace beforeinstall target with new variables used by .mk system.

Reviewed by: marcel, and make world

Fixed missing include in synopsis.

Removed superfluous quoting of function name in .Fo macro. My synopsis
checker doesn't understand it.

Moved flags_to_string and string_to_flags into libutil. It's used in
many places nowadays.

Connect fparseln(3) for mailwrapper(8)

Fix a bug where a pointer would be one character too far after putting
a '\0' at the end of a string.

Submitted by: Martin Birgmeier <Martin.Birgmeier@aon.at>

Rewriting of flags_to_string() and string_to_flags() to use an array.

PR: bin/3648
Submitted by: Martin Birgmeier <mbirg@austria.ds.philips.com>

This commit was generated by cvs2svn to compensate for changes in r54820,
which included commits to RCS files with non-trunk default branches.

Make setproctitle(NULL) restore all of the original arguments
(if it's able).

Introduce commandline caching in the kernel.

This fixes some nasty procfs problems for SMP, makes ps(1) run much faster,
and makes ps(1) even less dependent on /proc which will aid chroot and
jails alike.

To disable this facility and revert to previous behaviour:
sysctl -w kern.ps_arg_cache_limit=0

For full details see the current@FreeBSD.org mail-archives.

Link manual page for login_getpwclass(3) to login_cap(3).

PR: docs/14673
Submitted by: Andrew <andrew@ugh.net.au>

This implements the RLIMIT_SBSIZE ("sbsize") administrative limits for
userland. Currently, it can be enforced by login and csh. More
shells supporting sbsize are welcome.

mdoc(7)'fy

Reviewed by: mpp

Correct spelling : ascii -> ASCII

PR: docs/13702
Submitted by: Stephen J. Roznowski <sjr@home.com>
Reviewed by: mpp

$Id$ -> $FreeBSD$

$Id$ -> $FreeBSD$

$Id$ -> $FreeBSD$

Fix a bunch of broken cross-references

Various man page cleanup:

- Sort xrefs
- FreeBSD.ORG -> FreeBSD.org
- Be consistent with section names as outlines in mdoc(7)
- Other misc mdoc cleanup.

PR: doc/13144
Submitted by: Alexy M. Zelkin <phantom@cris.net>

Bad reference of termios(3) changed to termios(4).

Bad reference to lstat(3) changed to lstat(2)

Axe LOGIN_CAP_AUTH.

PR: 10115
Reported by: Gene Skonicki <gene@cif.rochester.edu>
Requested by: jdp

Correct some grammar and style problems with this page.

Submitted by: Kris Kennaway <root@rebel.net.au>

Be a little clearer about login_getpwclass(3), and its penchant for
looking up a record called "root".

PR: docs/12377
Submitted by: Adrian Filipi-Martin <adrian@ubergeeks.com>

Fix commented out CFLAGS addition for LOGIN_CAP_AUTH, which was missing
a make -D option.

PR: 12591
Submitted by: Craig Leres <leres@ee.lbl.gov>

Move call to umask(0) back into pw_util(), because the latter
function is also used by chpass(1) and passwd(1).

Force umask to 077 (instead of 000) during the edit phase, to get
secure permissions in case the user attempts to save something to
a file of his own.

Move umask stuff out of pw_init() into main() for better visibility
of overall umask tweaking logic.

PR: misc/11797

Add -d option to vipw(8) to allow selection of an alternative directory
for the password files.

PR: 2703
Submitted by: jmg

Remove the static declaration from the line[] variable to allow
openpty() to be called from a threaded application.

Chflags was clearing all flags supplied on the command line after a
clearing flag like dump or noschg, etc.

PR: bin/10071
Submitted by: Andreas Klussmann <andreas@infosys.heitec.net>

fix potential memory overwrite in escape parsing

PR: 11687
Submitted by: Don Lewis <Don.Lewis@tsc.tdk.com>

Change references from "passwordperiod" to "passwordtime", since
"passwordtime" is what passwd(1) has actually been using. I suspect
passwordperiod was the original intent. I can't figure-out which,
if either, BSDi uses. If anyone knows...

oops, add pwd!=NULL check to previous fix

Switch to user UID/GID before checking/reading its ~/.login_conf
- some NFSes have root read access disabled

add MLINKS for two functions used from login_auth.c
comment out unused functions from login_auth.3

If given host.domain:nn[.nn], trimdomain() now reduces it to
host:nn[.nn] (if the domain is the same as the local one).

bcopy -> memmove
Suggested by: archie

Tidy up trimdomain() and document it.
Don't truncate one byte short of the passed length.

Handle hostnames up to MAXHOSTNAMELEN-1 in length.
Use bcopy() instead of strcpy() to handle potentially
overlapping regions.
Un-obscure/complicate some code.

Put parenthesis around sizeof args.
Allow for host names up to MAXHOSTNAMELEN - 1 in length.

Prompted by: bde

Add realhostname() - a function to correctly lookup
a name by address and ensure that the name resolves
back to the original address.

Get the pid right if a stale lock file exists.
PR: 10531
Submitted by: Lawrence D. Lopez <lopez@cisco.com>

Fixed bitrot in synopsis (some const poisoning had not reached here).

Removed occurrences of consecutive repeated words (such as "the the").

Declare setproctitle() as printf0-like.

Adjust for kern.ps_strings and PS_STRINGS not being a pointer. This is
an unimprovement here. I thought it would be an improvement, as in libkvm,
but here we can access the strings directly.

Use sysctlbyname() instead of sysctl() and trust it to give a nonzero
address if it succeeds.

oops. Fix indentation of the 'for' loop I just added.

Handle the race condition where vipw may lock a password file which has
just been replaced. After our lock succeeds we check if st_nlink is 0
and if it is we close the descriptor and retry our open/lock sequence.

Better document the file format, add in support for nested {}'s in multi-line
property values.

Since vfork() was changed to fork(), we have to pass errno back from the
child to the parent somehow.

PR: 8353
Submitted by: Andrew J. Korty <ajk@purdue.edu>

correct prototype.

Calls one or more of malloc(), warn(), err(), syslog(), execlp() or
execvp() in the child branch of a vfork(). Changed to use fork()
instead.

Some of these (mv, find, apply, xargs) might benefit greatly from
being rewritten to use vfork() properly.

PR: Loosely related to bin/8252
Approved by: jkh and bde

Now take stdio.h out of files that don't require it.

Update docs to match interface change.

o move path in libutil.h to paths.h
o make property_read() take a fd instead to avoid stdio.h mess
o update auth to new interface.

Take the path spec back out.

All these have to include stdio.h now.

remove stdio.h include; I forgot Bruce's cardinal rule that header files
shouldn't include other ones (which, unfortunately, is also a hellish
rule since he broke interfaces like sysctl this way by requiring undocumented
header files to be included just in order to be able to use them now - SIGH!).

Add some rudimentary documentation for my new functions.

Correct a build error that got past my build test somehow.

Add a simple mechanism for reading property lists from files (which
I'll convert sysinstall to use shortly) and a simple call which uses
this mechanism to implement an /etc/auth.conf file. I'll let Mark Murray
handle the format and checkin of the sample auth.conf file.
Reviewed by: markm

Replace memory leaking instances of realloc with non-leaking reallocf.
In some cases replace if (a == null) a = malloc(x); else a =
realloc(a, x); with simple reallocf(a, x). Per ANSI-C, this is
guaranteed to be the same thing.

I've been running these on my system here w/o ill effects for some
time. However, the CTM-express is at part 6 of 34 for the CAM
changes, so I've not been able to do a build world with the CAM in the
tree with these changes. Shouldn't impact anything, but...

Print uid/gid as u_long per bde suggestion

cast arg to (long) to match format

Cast pid_t to int for sprintf.
Pointed out by: Charlie Sorsby <crs@hgo.net>

Spelling corrections.

PR: 6868
Submitted by: Josh Gilliam <josh@quick.net>

Add missing uu_lock_txfr() prototype

If using NetBSD syscalls the rtprio syscall doesn't exist, so just
don't try to use it to set special priorities.

Trim a domain part for wtmp as same as showed by "netstat -r".
Here is a some example for avoiding a confusion.

It asssumes a logged host domain is "spec.co.jp". All
example is longer than UT_HOSTNAMELEN value.

1) turbo.tama.spec.co.jp: 192.19.0.2 -> trubo.tama
2) turbo.tama.foo.co.jp : 192.19.0.2 -> 192.19.0.2
3) specgw.spec.co.jp : 202.32.13.1 -> specgw

Submitted by: Atsushi Murai <amurai@spec.co.jp>

Add uu_lock_txfr() to transfer ownership of a successful
uu_lock() to another process.

Allow setting of idle or realtime processing priorities per
login class.

PR: 6636
Submitted by: Jason Young <doogie@forbidden-donut.anet-stl.com>

Oops, revert part of a diff that wasn't supposed to have been committed.

Cache the results of the ps_strings sysctl so that it doesn't have to be
redone for every call of setproctitle().

Fixed function types in synopsis.

Commented out docmentation of nonexistent authenticate() and
auth_timesok(). authenticate() seems to be obsolete and
auth_timesok() never existed in FreeBSD.

.Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq

Change tty-related capability names to match the implementation ("ttys.",
not "tty.").

MF22: add login_auth.3 to man page list.

Correctly document h and m modifiers to the time format.

PR: 5739
Submitted by: Matthew Cashdollar <mattc@rfcnet.com>

Fixed bitrot in the prototype for logwtmp().

Make a couple of the stat flags dependent on the sys/stat.h header file
that this source is compiled against. This source is referenced by
install which is needed as a build tool and must be able to compile
against NetBSD headers and libraries if we have a hope of supporting
another architecture.

With this change, that's two working programs down and 3945 (?) to go.
The other one was make, but that didn't need any changes to work under
FreeBSD/Alpha. 8-)

Make the login_getclassbyname prototype match reality.

PR: 4838

Statisize usage().

Remove the claim that UUCP locking were not atomic. It is since
revision 1.8 of uucplock.c.

Add passwd(5) to "SEE ALSO".

ISSUES:
An example and better explansion on how to specify a user's login
class in /etc/master passwd is needed.
(As I don't seem to be specifiying it right, I can't do it).

Changes to support full make parallelism (-j<n>) in the world
target.
Reviewed by: <many different folks>
Submitted by: Nickolay N. Dudorov" <nnd@nnd.itfs.nsk.su>

Sort cross refereces in section SEE ALSO.

Endless loop.

$ vipw
[corrupt a line in editor, exit editor]
pwd_mkdb: corrupted entry
pwd_mkdb: at line #2
pwd_mkdb:
/etc/pw.012585: Inappropriate file type or format
re-edit the password file? [y]: n^D^D
[hang]

The parameters to logwtmp should be const char's

Remove login_progok()
Suggested by: guido

Add full support for determining if a user
is restricted from running a given program.

Add prog.deny as a list capability for
denying execution of certain programs.

-I${DESTDIR}/sys -> -I${.CURDIR}/../../sys.

Cosmetic: distinguish in diag message between rebuilding and updating
the database.

PR: 3397
Submitted by: taob@risc.org (Brian Tao)

Protect the copyright comments from reformatting by
indent and make this compile -Wall clean like the
Makefile suggests that it should. :)

Pointed out by: Bruce Evans <bde@zeta.org.au>

Implement canonical locking protocol
Suggested by: joerg

Observe precedence set by Phillippe Charnier in adding an
rcsid.

Remove #if(n)def BSD_4_4_LITE cruft and sccsid -> rcsid.

Improve weak locking by using flock()

sleep() after sending 'nologin' file to ensure output is drained before
disconnect.

Add appropriate ${DESTDIR} in front of absolute paths.

Fix infinite loop.
PR: 3878
Submitted by: roman@rpd.univ.kiev.ua

Add "break" inadvertently removed in previous update.
PR: 3820
Submitted by: Joseph Stein <joes@spiritone.com>

Submitted by: Whistle Communications (archie Cobbs)

These changes add the ability to specify that a UFS file/directory
cannot be unlinked. This is basically a scaled back version
of the IMMUTABLE flag. The reason is to allow an administrator
to create a directory hierarchy that a group of users
can arbitrarily add/delete files from, but that the hierarchy
itself is safe from removal by them.
If the NOUNLINK definition is set to 0
then this results in no change to what happens normally.
(and results in identical binary (in the kernel)).
It can be proven that if this bit is never set by the admin,
no new behaviour is introduced..
Several "good idea" comments from reviewers plus one grumble
about creeping featurism.

This code is in production in 2.2 based systems

Typo police.

Now I really understand the reason for the style.9 rule about not having
visible type names in prototypes in user space headers. libutil.h
generates warnings with -Wall over the use of "const char *ttyname".
It's lucky it wasn't a #define conflict.
Is a single '_' prefix acceptable? or does it need to be two?

MF2.2: update login_cap api docs.
PR:
Reviewed by:
Submitted by:
Obtained from:

For non-root uids, consider root-owned files also 'secure' unless otherwise
disqualified.

Back out previous revision. Shlib version numbers are supposed to be
bumped only 0.1 or 1.0 between releases. (See handbook.)

Note that if you have built world in -current in the last 48 hours or
so, you should manually remove /usr/lib/libutil.so.2.3 before
rebuilding world to cleanse your system.

Make uu_* const correct.

Suggested by: joerg

Add #include <sys/types.h> in synopsis, now required for libutil.h.

Bump shared lib version to 2.3.

Suggested by: bde

MF2.2: bugfix in arrayize().

Summary of login.conf support changes:

o Incorporated BSDI code and enhancements, better logging for error
checking (which has been shown to be a problem, and is therefore
justified, imho); also some minor things we were missing, including
better quad_t math, which checks for under/overflows.

o setusercontext() now allows user resource limit overrides, but
does this AFTER dropping root privs, to restrict the user to
droping hard limits and set soft limits within the kernel's
allowed user limits.

o umask() only set once, and only if requested.

o add _secure_path(), and use in login.conf to guard against
symlinks etc. and non-root owned or non-user owned files being
used. Derived from BSDI contributed code.

o revamped authentication code to BSDI's latest api, which
includes deleting authenticate() and adding auth_check()
and a few other functions. This is still marked as depecated
in BSDI, but is included for completeness. No other source
in the tree uses this anyway, so it is now bracketed with
#ifdef LOGIN_CAP_AUTH which is by default not defined. Only
auth_checknologin() and auth_cat() are actually used in
module login_auth.c.

o AUTH_NONE definition removed (collided with other includes
in the tree). [bde]

o BSDI's login_getclass() now accepts a char *classname
parameter rather than struct passwd *pwd. We now do likewise,
but added login_getpwclass() for (sort of) backwards
compatiblity, namely because we handle root as a special
case for the default class. This will require quite a few
changes elsewhere in the source tree.

o We no longer pretend to support rlim_t as a long type.

o Revised code formatting to be more bsd-ish style.

Move login_cap.h from src/include for easier maintenance with
related files.

Fix punctuation: "it's" -> "its"

Fixed missing const in synopsis.

Grammar police.

Add Id
Reduce space for error bufer from 512 to 128: there is no such long strings
can be returned from strerror()

Code space optimization in uu_lockerr()

Remove unused USE_PERROR define and syslog.h include
Use snprintf instead of sprintf to avoid buffer overflows
Use snprintf in uu_lockerr instead of lots of hardcoded constants
and not null-terminated strncpy
Return "" for OK and "device in use" for INUSE, it allows simple
strcpy(buf, uu_lockerr(retcode)) without testing for special OK
case (NULL was there) and obtaining meaningful result for INUSE
("" was there) without special testing for it too.

MLINK uu_lockerr(3).

Mdoc police.

Remove the syslog stuff, and allow various return values
in uu_lock(). Add uu_lockerr() for turning the results of
uu_lock into something printable. Remove bogus section in man page
about race conditions allowing both processes to get the lock.
Include libutil.h and use uu_lock() correctly where it should.

Suggested by: ache@freebsd.org

Move uucplock into libutil and create a manual page.

Fixed misquoted arg in synopsis.

"infinity" check was missed from login_getcapsize(), add it

One manifestation of this bug: all networking users have coredumpsize=0

Revert $FreeBSD$ to $Id$

Revert $FreeBSD$ to $Id$

Obsolete fgetline() -> fgetln(); and chop off newline if necessary.

1MB is 1048576 bytes, not 1038476 bytes. (I can see that the original
committer wasn't using the MicroSlop Natural keyboard though! :)

Fix free()ing block twice, remove unused function.

Fix typo .->, for default separators in login_getcaplist().

Completed fixes with login_getcapsize().

Added -Wall to CFLAGS, cleaned up (all avoidable) warnings.

1) Fixed bug in free()ing internal string/array where
allocated size not reset to 0 causing NULL dereference
on call after login_close().
2) Modify login_capsize() behaviour to match manpage, allow
concatenated sizes; ie. 10m500k

#include <sys/stat.h> for umask() prototype.

Sort cross references.

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.

Bump libutil.so version (2.1 -> 2.2) since a whole heap of new functions
were added with the login class stuff. This is needed since libutil.so.2.1
is what is used in RELENG_2_2 and well into the release cycle. We only
bump once per release cycle as needed.

Minor mdoc style fixes.

Man page police.

Various bugfixes.

Consistency check: refs to ~/.login.conf should be ~/.login_conf.

Commit the right version this time. :-)

Fix for login_getclass(NULL) case.

Fix typos pointed out by bde (thanks!).

Don't depend only <stdio.h> bogusly including <sys/types.h>.
(<sys/types.h> is a prerequisite for <login_cap.h> mainly because
the latter wants to typedef rlim_t. rlim_t is typedefed in
<sys/types.h> in NetBSD.)

Add missing manpage for login.conf.

Library functions relating to the login class capabilities database,
including manpages.
See also login_cap.h.

Grammatical changes.

Reviewed by: joerg

Spelling/mdoc police.

Finally document the interfaces found in libutil. While being here,
also add the missing declaration of forkpty() to libutil.h.

Btw., the calling interface for login(3) is crude. Some better
abstraction is needed, perhaps similar to logwtmp(3).

2.2 candidate, but i'll wait for the spelling police first. :)

Merge Lite2 mods, and -Wall cleaning. undelete(2) cruft
not yet implemented is protected by a define (BSD4_4_LITE)
that should be removed when this call is supported by the
kernel.

Some minor man page cleanup.

General -Wall warning cleanup, part I.
Submitted-By: Kent Vander Velden <graphix@iastate.edu>

Implement incremental passwd database updates. This is done by ading a '-u'
option to pwd_mkdb and adding this option to utilities invoking it.
Further, the filling of both the secure and insecure databases has been
merged into one loop giving also a performance improvemnet.
Note that I did *not* change the adduser command. I don't read perl
(it is a write only language anyway).
The change will drastically improve performance for passwd and
friends with large passwd files. Vipw's performance won't change.
In order to do that some kind of diff should be made between the
old and new master.passwd and depending the amount of changes, an
incremental or complete update of the databases should be agreed
upon.

If hostname > UT_HOSTSIZE, use its numeric address instead to keep
valid entries into utmp and wtmp

If the two recently added sysctl variables exist, use those rather than
the statically compiled PS_STRINGS and USRSTACK variables. This prevents
programs using setproctitle from coredumping if the kernel VM is increased,
and stops libkvm users (w, ps, etc) from needing to be recompiled if only
the VM layout changes.

Another round of spelling fixes.

Bump libutil revision after recent addition of setproctitle().

Install (optional) libutil.h with prototypes for the functions and
document this in the man page.

minor cleanups to the various routines, include the prototype file, declare
return codes etc.

Bring in an initial version of setproctitle().. This is intended to
replace the dozen other various hacks in the code that do all sorts
of crude things including spamming the envrionment strings with the new
argv string.

This version is mainly inspired by the sendmail version, with a couple of
ideas taken from the NetBSD implementation as well.

Update to 4.4lite2 (clean up includes; initialize the name of the master
pty correctly (it was broken for calls to openpty() after the first
successful one)).
Obtained from: 4.4lite2

Small NIS tweak: frob pw_error() a little so that it can say either
'NIS information unchanged' or '/etc/master.passwd unchanged'
depending on which was is being modified (conditional on -DYP).

This is to save me the trouble of writing a whole other error
routine (nis_error()?) for the upcoming changes to passwd and
chpass.

Remove trailing whitespace.

Remove trailing whitespace.

Fix suspended vipw hangs
Obtained from: NetBSD

Support for >32 PTYs.
Submitted by: Heikki Suonsivu <hsu@cs.hut.fi>

Added $Id$

This commit was generated by cvs2svn to compensate for changes in r1573,
which included commits to RCS files with non-trunk default branches.

BSD 4.4 Lite bin Sources

BSD 4.4 Lite usr.sbin Sources