add rtable capability to login.conf.
from Matthew Martin

introduce support for storing capability databases in /etc/login.conf.d;

anytime a class is looked up, the /etc/login.conf.d/${class} file will be
checked first for a matching class definition; this will allow us to easily
add custom login classes from packages

ok millert@

secure_path(3) hasn't been called since we recognized the TOCTOU issues a few
years back, so we can remove it. Since nothing in the ecosystem calls it, I
am not cranking the libc major as required, surely another crank will come
along soon.
noticed by Dante Catalfamo
ok millert

Add _PATH_AUTHPROGDIR = "/usr/libexec/auth", this path will be used
to unveil. Unfortunately the auth subsystem uses _PATH_AUTHPROG =
"/usr/libexec/auth/login_", which it auth-program is appended to -- a
rather gross idea which now shows lack of wisdom.

change prototype for crypt_newhash. the login_cap_t is a holdover from its
pwd_gensalt origins, but a string argument works equally work and is more
friendly to consumers beyond local user accounts.
ok deraadt

prototype for crypt_newhash(). adding it here because this is where
login_cap_t lives and i don't want to forward declare it in unistd.h

LOGIN_SETALL did not include LOGIN_SETENV as it should.

Support the "setenv" capability in login.conf ala FreeBSD. Following
FreeBSD's example, a '~' in an environment variable is replaced
with the user's homedir. A '$' is replaced by the user's login
name. Both can be escaped with a backslash to get the literal char.
OK deraadt@

Define BI_FDPASS for the BSD auth fd passing changes.

Remove unnecessary typedef usage.

u_char -> unsigned char
u_short -> unsigned short
u_long -> unsigned long
u_int -> unsigned int

okay millert@

Change value of LOGIN_DEFSTYLE from "krb4-or-pwd" to just "passwd".
If there is no login.conf or it is corrupt we don't want to make
any assumptions about kerberos. By request of deraadt@

compatiblity -> compatibility
decriptor -> descriptor
authentciated -> authenticated
transmition -> transmission

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

Give login_cap_t a struct name so we can use forward declarations.

Default login style is now krb4-or-pwd, not krb-or-pwd.

Guard against multiple inclusion

BSD authentication routines from BSDI. Presently this is not used but
the login_* helper programs and other support will be committed in the
near future.

Remove prototypes for old BSD auth functions. New ones will live in
bsd_auth.h when BSD authentication is committed.

login.conf code from BSDi. This does not include the bsd auth code
which will come later. At this stage it is primarily used for setting
resource limits.

introduce support for storing capability databases in /etc/login.conf.d;

anytime a class is looked up, the /etc/login.conf.d/${class} file will be
checked first for a matching class definition; this will allow us to easily
add custom login classes from packages

ok millert@

secure_path(3) hasn't been called since we recognized the TOCTOU issues a few
years back, so we can remove it. Since nothing in the ecosystem calls it, I
am not cranking the libc major as required, surely another crank will come
along soon.
noticed by Dante Catalfamo
ok millert

Add _PATH_AUTHPROGDIR = "/usr/libexec/auth", this path will be used
to unveil. Unfortunately the auth subsystem uses _PATH_AUTHPROG =
"/usr/libexec/auth/login_", which it auth-program is appended to -- a
rather gross idea which now shows lack of wisdom.

change prototype for crypt_newhash. the login_cap_t is a holdover from its
pwd_gensalt origins, but a string argument works equally work and is more
friendly to consumers beyond local user accounts.
ok deraadt

prototype for crypt_newhash(). adding it here because this is where
login_cap_t lives and i don't want to forward declare it in unistd.h

LOGIN_SETALL did not include LOGIN_SETENV as it should.

Support the "setenv" capability in login.conf ala FreeBSD. Following
FreeBSD's example, a '~' in an environment variable is replaced
with the user's homedir. A '$' is replaced by the user's login
name. Both can be escaped with a backslash to get the literal char.
OK deraadt@

Define BI_FDPASS for the BSD auth fd passing changes.

Remove unnecessary typedef usage.

u_char -> unsigned char
u_short -> unsigned short
u_long -> unsigned long
u_int -> unsigned int

okay millert@

Change value of LOGIN_DEFSTYLE from "krb4-or-pwd" to just "passwd".
If there is no login.conf or it is corrupt we don't want to make
any assumptions about kerberos. By request of deraadt@

compatiblity -> compatibility
decriptor -> descriptor
authentciated -> authenticated
transmition -> transmission

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

Give login_cap_t a struct name so we can use forward declarations.

Default login style is now krb4-or-pwd, not krb-or-pwd.

Guard against multiple inclusion

BSD authentication routines from BSDI. Presently this is not used but
the login_* helper programs and other support will be committed in the
near future.

Remove prototypes for old BSD auth functions. New ones will live in
bsd_auth.h when BSD authentication is committed.

login.conf code from BSDi. This does not include the bsd auth code
which will come later. At this stage it is primarily used for setting
resource limits.

secure_path(3) hasn't been called since we recognized the TOCTOU issues a few
years back, so we can remove it. Since nothing in the ecosystem calls it, I
am not cranking the libc major as required, surely another crank will come
along soon.
noticed by Dante Catalfamo
ok millert

Add _PATH_AUTHPROGDIR = "/usr/libexec/auth", this path will be used
to unveil. Unfortunately the auth subsystem uses _PATH_AUTHPROG =
"/usr/libexec/auth/login_", which it auth-program is appended to -- a
rather gross idea which now shows lack of wisdom.

change prototype for crypt_newhash. the login_cap_t is a holdover from its
pwd_gensalt origins, but a string argument works equally work and is more
friendly to consumers beyond local user accounts.
ok deraadt

prototype for crypt_newhash(). adding it here because this is where
login_cap_t lives and i don't want to forward declare it in unistd.h

LOGIN_SETALL did not include LOGIN_SETENV as it should.

Support the "setenv" capability in login.conf ala FreeBSD. Following
FreeBSD's example, a '~' in an environment variable is replaced
with the user's homedir. A '$' is replaced by the user's login
name. Both can be escaped with a backslash to get the literal char.
OK deraadt@

Define BI_FDPASS for the BSD auth fd passing changes.

Remove unnecessary typedef usage.

u_char -> unsigned char
u_short -> unsigned short
u_long -> unsigned long
u_int -> unsigned int

okay millert@

Change value of LOGIN_DEFSTYLE from "krb4-or-pwd" to just "passwd".
If there is no login.conf or it is corrupt we don't want to make
any assumptions about kerberos. By request of deraadt@

compatiblity -> compatibility
decriptor -> descriptor
authentciated -> authenticated
transmition -> transmission

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

Give login_cap_t a struct name so we can use forward declarations.

Default login style is now krb4-or-pwd, not krb-or-pwd.

Guard against multiple inclusion

BSD authentication routines from BSDI. Presently this is not used but
the login_* helper programs and other support will be committed in the
near future.

Remove prototypes for old BSD auth functions. New ones will live in
bsd_auth.h when BSD authentication is committed.

login.conf code from BSDi. This does not include the bsd auth code
which will come later. At this stage it is primarily used for setting
resource limits.

Add _PATH_AUTHPROGDIR = "/usr/libexec/auth", this path will be used
to unveil. Unfortunately the auth subsystem uses _PATH_AUTHPROG =
"/usr/libexec/auth/login_", which it auth-program is appended to -- a
rather gross idea which now shows lack of wisdom.

change prototype for crypt_newhash. the login_cap_t is a holdover from its
pwd_gensalt origins, but a string argument works equally work and is more
friendly to consumers beyond local user accounts.
ok deraadt

prototype for crypt_newhash(). adding it here because this is where
login_cap_t lives and i don't want to forward declare it in unistd.h

LOGIN_SETALL did not include LOGIN_SETENV as it should.

Support the "setenv" capability in login.conf ala FreeBSD. Following
FreeBSD's example, a '~' in an environment variable is replaced
with the user's homedir. A '$' is replaced by the user's login
name. Both can be escaped with a backslash to get the literal char.
OK deraadt@

Define BI_FDPASS for the BSD auth fd passing changes.

Remove unnecessary typedef usage.

u_char -> unsigned char
u_short -> unsigned short
u_long -> unsigned long
u_int -> unsigned int

okay millert@

Change value of LOGIN_DEFSTYLE from "krb4-or-pwd" to just "passwd".
If there is no login.conf or it is corrupt we don't want to make
any assumptions about kerberos. By request of deraadt@

compatiblity -> compatibility
decriptor -> descriptor
authentciated -> authenticated
transmition -> transmission

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

Give login_cap_t a struct name so we can use forward declarations.

Default login style is now krb4-or-pwd, not krb-or-pwd.

Guard against multiple inclusion

BSD authentication routines from BSDI. Presently this is not used but
the login_* helper programs and other support will be committed in the
near future.

Remove prototypes for old BSD auth functions. New ones will live in
bsd_auth.h when BSD authentication is committed.

login.conf code from BSDi. This does not include the bsd auth code
which will come later. At this stage it is primarily used for setting
resource limits.

change prototype for crypt_newhash. the login_cap_t is a holdover from its
pwd_gensalt origins, but a string argument works equally work and is more
friendly to consumers beyond local user accounts.
ok deraadt

prototype for crypt_newhash(). adding it here because this is where
login_cap_t lives and i don't want to forward declare it in unistd.h

LOGIN_SETALL did not include LOGIN_SETENV as it should.

Support the "setenv" capability in login.conf ala FreeBSD. Following
FreeBSD's example, a '~' in an environment variable is replaced
with the user's homedir. A '$' is replaced by the user's login
name. Both can be escaped with a backslash to get the literal char.
OK deraadt@

Define BI_FDPASS for the BSD auth fd passing changes.

Remove unnecessary typedef usage.

u_char -> unsigned char
u_short -> unsigned short
u_long -> unsigned long
u_int -> unsigned int

okay millert@

Change value of LOGIN_DEFSTYLE from "krb4-or-pwd" to just "passwd".
If there is no login.conf or it is corrupt we don't want to make
any assumptions about kerberos. By request of deraadt@

compatiblity -> compatibility
decriptor -> descriptor
authentciated -> authenticated
transmition -> transmission

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

Give login_cap_t a struct name so we can use forward declarations.

Default login style is now krb4-or-pwd, not krb-or-pwd.

Guard against multiple inclusion

BSD authentication routines from BSDI. Presently this is not used but
the login_* helper programs and other support will be committed in the
near future.

Remove prototypes for old BSD auth functions. New ones will live in
bsd_auth.h when BSD authentication is committed.

login.conf code from BSDi. This does not include the bsd auth code
which will come later. At this stage it is primarily used for setting
resource limits.