History log of /openbsd-current/lib/libc/gen/authenticate.c
Revision Date Author Comments
# 1.29 24-Oct-2021 deraadt

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.28 04-Dec-2019 deraadt

libc's authentication privsep layer performed insufficient username
validation. Repair work mostly by markus and millert, first of all
solving the primary problem, then adding some additional validation
points. And then further validation in login and su.
This will be 6.5/021_libcauth.patch.sig and 6.6/010_libcauth.patch.sig
Reported by Qualys


Revision tags: OPENBSD_6_6_BASE
# 1.27 28-Jun-2019 deraadt

branches: 1.27.2;
When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.26 26-May-2016 millert

branches: 1.26.12;
Use S_ISDIR instead of doing it by hand. No binary change.


Revision tags: OPENBSD_5_9_BASE
# 1.25 24-Nov-2015 millert

Use reentrant versions of getpw{nam,uid} and getgr{nam,gid} within
libc to avoid reusing the static buffers returned by the non-reentrant
versions. Since this is inside libc we can use constants for the
buffer sizes instead of having to call sysconf().
OK guenther@ deraadt@


# 1.24 14-Sep-2015 tedu

remove null check before free. from Michael McConville
ok semarie


# 1.23 12-Sep-2015 guenther

Wrap <bsd_auth.h> so that calls go direct and the symbols are all weak


# 1.22 31-Aug-2015 guenther

Add framework for resolving (pun intended) libc namespace issues, using
wrapper .h files and asm labels to let internal calls resolve directly and
not be overridable or use the PLT. Then, apply that framework to most of
the functions in stdio.h, string.h, err.h, and wchar.h. Delete the
should-have-been-hidden-all-along _v?(err|warn)[cx]? symbols while here.

tests clean on i386, amd64, sparc64, powerpc, and mips64

naming feedback from kettenis@ and millert@
ok kettenis@


# 1.21 27-Aug-2015 dlg

use explicit_bzero to clear some memory that had creds in it instead of
memset.

ok deraadt@ millert@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.20 24-Nov-2013 deraadt

most obvious unsigned char casts for ctype
ok jca krw ingo


# 1.19 30-Sep-2013 millert

Use PATH_MAX, NAME_MAX and LOGIN_NAME_MAX not MAXPATHNAMELEN,
MAXNAMLEN or MAXLOGNAME where possible. OK deraadt@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.18 15-Jan-2009 millert

Remove support for kerb4 '.' instance separator, kerb4 is dead. OK jacekm@


Revision tags: OPENBSD_4_4_BASE
# 1.17 04-Apr-2008 millert

Zero out the password/response argument in the simplified BSD auth
interfaces. Otherwise, we end up with an extra copy in memory when
auth_call() forks that is not possible to clear.


Revision tags: OPENBSD_4_3_BASE
# 1.16 17-Sep-2007 moritz

Check snprintf(3) return value for error or truncation.
Mostly path construction, where truncation could be bad.

ok and input from deraadt@ millert@ ray@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE
# 1.15 19-Dec-2005 millert

Use strlcpy() return value in bound check instead of using an
extra strlen(). This has been in my tree for a long time.


Revision tags: OPENBSD_3_8_BASE
# 1.14 26-Jun-2005 millert

add missing va_end(); Andrey Matveev


Revision tags: OPENBSD_3_3_BASE OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.13 15-Oct-2002 millert

cast NULL varargs sentinel to char * so it is 64 bit on alpha & sparc64


Revision tags: OPENBSD_3_2_BASE
# 1.12 14-Jul-2002 deraadt

indent, and double free fix; millert ok


# 1.11 23-Jun-2002 deraadt

uid_t is unsigned


# 1.10 24-May-2002 deraadt

try to use strlcpy and snprintf more; ok various


Revision tags: OPENBSD_3_1_BASE
# 1.9 20-Mar-2002 mpech

fix memleak.

millert@ ok


# 1.8 13-Mar-2002 millert

Convert indentation whitespace -> tabs and kill $@%^#! ^M's


# 1.7 05-Feb-2002 mpech

o) Fix memory leak in _auth_checklogin(), auth_approval(), auth_close() and
auth_clean().

Spotted via ftpd. We could use ftpd as a simple debug tool for bsdauth and
login_cap routines. :)

millert@ help&OK


# 1.6 26-Oct-2001 markus

run the approve for accounts with expiration time, too. ok millert@


Revision tags: OPENBSD_3_0_BASE
# 1.5 09-Jul-2001 deraadt

a first pass at -Wall


# 1.4 02-Jul-2001 millert

Convert warn/warnx -> _warn/_warnx
Should not really spew to stderr from libc but right now there
is no other way to get a sensible error message to the user.


# 1.3 24-Jun-2001 millert

When splitting instance from username, treat '/' as a separator as
well (for Kerb5).


# 1.2 03-Jun-2001 millert

Don't bail out early for users w/o passwd file entries since we may
want to cons up a fake prompt for challenge/response auth methods.
markus@ OK'd.


Revision tags: OPENBSD_2_9_BASE
# 1.1 21-Nov-2000 millert

BSD authentication routines from BSDI. Presently this is not used but
the login_* helper programs and other support will be committed in the
near future.

