I forgot that chpass(1) and passwd(1) reach-around into libc for
getpwent.c (isn't it horrible), and therefore lack visibility of
the the libc-internal __hash_open() function. Use -DFORCE_DBOPEN
in chpass/Makefile and passwd/Makefile and adjust getpwent.c to
use the external visible interface. Is there a better way?

getpwnam(3) uses dbopen(3), which pulls all 3 database backends into
static binaries. If we call libc-private __hash_open() instead, it
results in a ~40K reduction in many static binaries.
ok millert

1) The yp_bind/yp_unbind and internal _yp_dobind/_yp_unbind sequences shared
dom_binding structs between threads, which is unsafe -- example, dom_vers
signalled retry events, and structs+socket would get deallocated in _yp_unbind.
Change all yp_first (and similar) functions to understand that _yp_dobind now
provides a private dom_binding and socket, which must be released using
_yp_unbind. Use similar methods in the one-step yp_all function.
2) domainname caching in get* is not neccessary now that the domainname cannot
change relative to ypconnect(2)'s decisions.
Many fields in dom_binding struct become unused, so delete them.
ok jmatthew, also tested by miod

since yp_bind() and yp_all() don't use open, fstat, read, socket, and other
rich system calls to perform YP/LDAP lookups, there is no need to access()
/var/run/ypbind.lock to "hint" to pledge that it should open up those system
calls.
ok jmatthew, miod

The ypproto buffer (which supports + lines in master.passwd) was correct
length for maximum amount of strings, but forgot about the struct passwd
taken from the start, and it isn't clear if the missing non-string elements
cover for that shortage. It would require misconfiguration by root to
exceed the buffer. As well, the strings don't need to be aligned, and
thus sys/param.h isn't needed for ALIGN()
ok millert

The "always hint that getpw operation is happening with access() the YP
lock file" would trash errno, creating confusion.
One instance found by richardipsum@fastmail, other two identified from
original commit
ok millert

Use an mmap()'d buffer instead of a static buffer for the contents
of the pointer returned by getpw{ent,nam,uid}(). We unmap the
buffer each time to catch callers using a stale passwd struct
pointer. As a special case, we do not unmap the buffer if the
previous lookup was for the same name or uid. This special case
may be removed in the future. OK deraadt@

stop opening the shadow database by default. only programs that request it
via the _shadow functions will open now, preventing some programs running
as root from accidentally loading password hashes it into their memory.
ok deraadt

Remove NULL-checks before free() and a few related dead assignments.

ok and valuable input from millert@

modify getpw*(), getgr*(), and getgrouplist() functions to access the
YP lock file unconditionally. This hints to the kernel that a "getpw"
operation is happening, even in the non-YP case. This looks like a
gruesome hack, but helps refine the ways these functions are called
and mandates the right pledge requests. Once the tree is fully annotated
we will know better how to improve the backing store management.
ok semarie espie beck

Use reentrant versions of getpw{nam,uid} and getgr{nam,gid} within
libc to avoid reusing the static buffers returned by the non-reentrant
versions. Since this is inside libc we can use constants for the
buffer sizes instead of having to call sysconf().
OK guenther@ deraadt@

Add _shadow variants to the two popular getpw functions (uid and nam).
This version of the function will always open the secure/shadow/master
password files. Soon, the regular variants of these functions will not.
(Intermixing shadow and regular gets a little weird; don't do that.)
Not using struct spwd and getspwnam functions to reduce churn in callers.
Should just be a one line diff in most places.
ok deraadt

remove null check before free. from Michael McConville
ok semarie

Wrap <pwd.h> so that calls go direct and the symbols are all weak.
Hide bcrypt_autorounds(), prefixing with an underbar for static builds.

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Move to the <limits.h> universe.
review by millert, binary checking process with doug, concept with guenther

Make sure that setgrent(), endgrent(), and endpwent() do not clobber
errno; they might do so on open() and close() failures, but by POSIX,
they are not supposed to fail. Note that ignoring failures inside
setgrent() does not matter, the following getgrent() is bound to
fail the same way again, anyway. If you insist on detecting open()
failure, use setgroupent(), even though that is less portable.
While here, remove two pointless (void) casts.
ok millert@ jca@

The functions getpw{nam,uid}_r() no longer set errno, not even if an
error occurs, but of course they do return the error. This matches
what getgr{nam,gid}_r() have already been doing. Original idea
by kettenis@, and deraadt@ called that idea "the only sane approach".
ok kettenis@ millert@

Fix getpw{nam,uid}{,_r}() errno handling for the non-YP case.
Prevent close(2) and syslog(3) from stomping on errno; from guenther@.
Set ERANGE if the buf is too small, required by POSIX; from jca@.
ok millert@

Fix the return values of getpwnam_r(), getpwuid_r(), getgrnam_r(),
and getgrgid_r() to agree with POSIX. Not touching errno handling
yet, which will also need fixing.

Problem originally reported by william at 25thandClement dot com on bugs@.
OK sthen@, and kettenis@ agrees it's "a step in the right direction".

getpwnam_r() and getpwuid_r() reopen the passwd even when called with
setpassent(stayopen).

Bug found and fixed by Erik Lax <erik-AT-halon-DOT-se>
ok millert@ guenther@

ANSI prototypes

Align stack yp buffers to 64-bit boundaries now, for they might contain
a struct passwd. ok deraadt@ guenther@ kettenis@

Do not need machine/param.h

use a size_t instead of an int to avoid signed compare
spotted by Ilja Van Sprundel
ok millert

Preserve errno across calls to open the password database(s), so
that errno isn't changed when a normal user (who can't open spwd.db)
does a lookup.

Problem pointed out by Tim van der Molen (tbvdm at xs4all.nl)

remove unused variable

ok deraadt@

simplify the code looking for + in the password database, after analysis
of a false positive made by parfait; ok millert

Take advantage of the surprise libc bump to bring in
YP group(5) exclusion, i.e. support -groupname:*:: in /etc/group.
Such groups will be excluded from later +:*::,
in just the same was as it is already done for passwd(5).
I have been running this since the autumn of 2008.
Discussed with several (including deraadt@, millert@, jmc@).

getgrouplist: If YP is #defined and enabled in /etc/group(5) and /etc/netid(5)
contains a matching entry, use that and refrain from accessing YP.
getpwnam/getpwuid: If YP is #defined and /etc/master.passwd(5) contains
a matching entry before the first YP entry, use that and stay away from YP.

Taken together, this allows a solution to the following problem pointed
out by deraadt@: When YP was configured but temporarily unavailable, even
root login would block, hindering you when trying to do repairs.
To avoid this, you can now provide a static entry for root in /etc/netid.

Using suggestions from miod@ otto@ blambert@ jmc@.
"commit" deraadt@, "cool" ajacoutot@, "looks fine" jmc@.

Avoid an occasional double free in getpwent() which corrupted memory. It
happened only in the case of a + record indicating to use YP, but with ypbind
not actually running. Problem found by pyr; solution found with millert
ok millert pyr

oops, fix getpwent() use of wrong buffers
found by alexander.schrijver

Add _PW_BUF_LEN define and use it instead of hard-coding 1024 for
the buffer size. OK deraadt@

implement getpwnam_r() and getpwuid_r() -- very nearly a rewrite of the
entire file. much help from kurt, and tested by many

zap remaining rcsid.

Kill old files that are no longer compiled.

okay theo

deregister (and deauto!). ok millert@ marco@

ansify function definitions and zap some `register'

ok millert@

protos

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

add missing enumeration case to select to kill gcc warning
millert@ ok

Add a "shadow" group and make the shadow passwd db readable by that
group. This changes getpw* to always try the shadow db first and
then fall back to the db w/o password hashes. In the future,
/usr/libexec/auth/login_passwd (and others) will be setgid shadow
instead of setuid root. OK deraadt@

If you track -current you should do the following:
o add group shadow to /etc/group
o chgrp shadow /etc/spwd.db
o chmod 640 /etc/spwd.db
o rebuild and install src/usr.sbin/pwd_mkdb

You do not need to rebuild libc yet, but it would't hurt to do so.

KNF

cope better if realloc fails; better fix than cloder@acm.org

try to use strlcpy and snprintf more; ok various

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

put another YP-only piece inside the ifdef

Avoid theoretical potential buffer overflow

move utmp to large format, usernames to 32 chars; downsj

well if you cannot do a libc commit properly a week before 2.7 tree lock, surely it can wait till after 2.7

getpw*_r()

redo master.passwd.byname check if either the uid or euid changes, this was
a case of bad caching; peter and I

indent

Use strtol() and strtoul() instead of atoi(). This allows us to catch
errors reasonably and deal correctly with unsigned quantities.

realloc repair

avoid calling __has_yppw() everytime through getpwent(), by caching the YP status along with the open file status

handle long usernames more carefully

tabify

constrain length of db lookups better; reported by adam@math.tau.ac.il

buf oflow; bitblt

kill __yp_token, other clean ups.

* optimal exclusions support -- don't waste memory with DB. assumes
exclusions lists are typically small.
* move YP_OVERRIDE_PASSWD to a static var. needs some way for the system
to set this.
* clean up variable names and some code.
* invisibly support FreeBSD ypserv running in "secure" mode.

uid_t is now a u_int32_t, treat it as such.

Add a couple of syscalls; bring more prototypes into scope

Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend

Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly

yp_prot.h lies -> use yp.h (from yp.x) instead, change lots of structure
accesses to match. change xdr_domainname() and some other functions to
take "char **" instead of "char *", as rpcgen intended -- helps programs
linking against rpcgen output of yp.x. yp_all() should not free it's
return value. split xdryp.c and yplib.c into ~20 files so binaries like
"csh" need not link in functions like yp_maplist(). NIS+'s YP emulation
code lacks YPPROC_ORDER... attempt to deal nicely.

branches: 1.1.1;
Initial revision

1) The yp_bind/yp_unbind and internal _yp_dobind/_yp_unbind sequences shared
dom_binding structs between threads, which is unsafe -- example, dom_vers
signalled retry events, and structs+socket would get deallocated in _yp_unbind.
Change all yp_first (and similar) functions to understand that _yp_dobind now
provides a private dom_binding and socket, which must be released using
_yp_unbind. Use similar methods in the one-step yp_all function.
2) domainname caching in get* is not neccessary now that the domainname cannot
change relative to ypconnect(2)'s decisions.
Many fields in dom_binding struct become unused, so delete them.
ok jmatthew, also tested by miod

since yp_bind() and yp_all() don't use open, fstat, read, socket, and other
rich system calls to perform YP/LDAP lookups, there is no need to access()
/var/run/ypbind.lock to "hint" to pledge that it should open up those system
calls.
ok jmatthew, miod

The ypproto buffer (which supports + lines in master.passwd) was correct
length for maximum amount of strings, but forgot about the struct passwd
taken from the start, and it isn't clear if the missing non-string elements
cover for that shortage. It would require misconfiguration by root to
exceed the buffer. As well, the strings don't need to be aligned, and
thus sys/param.h isn't needed for ALIGN()
ok millert

The "always hint that getpw operation is happening with access() the YP
lock file" would trash errno, creating confusion.
One instance found by richardipsum@fastmail, other two identified from
original commit
ok millert

Use an mmap()'d buffer instead of a static buffer for the contents
of the pointer returned by getpw{ent,nam,uid}(). We unmap the
buffer each time to catch callers using a stale passwd struct
pointer. As a special case, we do not unmap the buffer if the
previous lookup was for the same name or uid. This special case
may be removed in the future. OK deraadt@

stop opening the shadow database by default. only programs that request it
via the _shadow functions will open now, preventing some programs running
as root from accidentally loading password hashes it into their memory.
ok deraadt

Remove NULL-checks before free() and a few related dead assignments.

ok and valuable input from millert@

modify getpw*(), getgr*(), and getgrouplist() functions to access the
YP lock file unconditionally. This hints to the kernel that a "getpw"
operation is happening, even in the non-YP case. This looks like a
gruesome hack, but helps refine the ways these functions are called
and mandates the right pledge requests. Once the tree is fully annotated
we will know better how to improve the backing store management.
ok semarie espie beck

Use reentrant versions of getpw{nam,uid} and getgr{nam,gid} within
libc to avoid reusing the static buffers returned by the non-reentrant
versions. Since this is inside libc we can use constants for the
buffer sizes instead of having to call sysconf().
OK guenther@ deraadt@

Add _shadow variants to the two popular getpw functions (uid and nam).
This version of the function will always open the secure/shadow/master
password files. Soon, the regular variants of these functions will not.
(Intermixing shadow and regular gets a little weird; don't do that.)
Not using struct spwd and getspwnam functions to reduce churn in callers.
Should just be a one line diff in most places.
ok deraadt

remove null check before free. from Michael McConville
ok semarie

Wrap <pwd.h> so that calls go direct and the symbols are all weak.
Hide bcrypt_autorounds(), prefixing with an underbar for static builds.

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Move to the <limits.h> universe.
review by millert, binary checking process with doug, concept with guenther

Make sure that setgrent(), endgrent(), and endpwent() do not clobber
errno; they might do so on open() and close() failures, but by POSIX,
they are not supposed to fail. Note that ignoring failures inside
setgrent() does not matter, the following getgrent() is bound to
fail the same way again, anyway. If you insist on detecting open()
failure, use setgroupent(), even though that is less portable.
While here, remove two pointless (void) casts.
ok millert@ jca@

The functions getpw{nam,uid}_r() no longer set errno, not even if an
error occurs, but of course they do return the error. This matches
what getgr{nam,gid}_r() have already been doing. Original idea
by kettenis@, and deraadt@ called that idea "the only sane approach".
ok kettenis@ millert@

Fix getpw{nam,uid}{,_r}() errno handling for the non-YP case.
Prevent close(2) and syslog(3) from stomping on errno; from guenther@.
Set ERANGE if the buf is too small, required by POSIX; from jca@.
ok millert@

Fix the return values of getpwnam_r(), getpwuid_r(), getgrnam_r(),
and getgrgid_r() to agree with POSIX. Not touching errno handling
yet, which will also need fixing.

Problem originally reported by william at 25thandClement dot com on bugs@.
OK sthen@, and kettenis@ agrees it's "a step in the right direction".

getpwnam_r() and getpwuid_r() reopen the passwd even when called with
setpassent(stayopen).

Bug found and fixed by Erik Lax <erik-AT-halon-DOT-se>
ok millert@ guenther@

ANSI prototypes

Align stack yp buffers to 64-bit boundaries now, for they might contain
a struct passwd. ok deraadt@ guenther@ kettenis@

Do not need machine/param.h

use a size_t instead of an int to avoid signed compare
spotted by Ilja Van Sprundel
ok millert

Preserve errno across calls to open the password database(s), so
that errno isn't changed when a normal user (who can't open spwd.db)
does a lookup.

Problem pointed out by Tim van der Molen (tbvdm at xs4all.nl)

remove unused variable

ok deraadt@

simplify the code looking for + in the password database, after analysis
of a false positive made by parfait; ok millert

Take advantage of the surprise libc bump to bring in
YP group(5) exclusion, i.e. support -groupname:*:: in /etc/group.
Such groups will be excluded from later +:*::,
in just the same was as it is already done for passwd(5).
I have been running this since the autumn of 2008.
Discussed with several (including deraadt@, millert@, jmc@).

getgrouplist: If YP is #defined and enabled in /etc/group(5) and /etc/netid(5)
contains a matching entry, use that and refrain from accessing YP.
getpwnam/getpwuid: If YP is #defined and /etc/master.passwd(5) contains
a matching entry before the first YP entry, use that and stay away from YP.

Taken together, this allows a solution to the following problem pointed
out by deraadt@: When YP was configured but temporarily unavailable, even
root login would block, hindering you when trying to do repairs.
To avoid this, you can now provide a static entry for root in /etc/netid.

Using suggestions from miod@ otto@ blambert@ jmc@.
"commit" deraadt@, "cool" ajacoutot@, "looks fine" jmc@.

Avoid an occasional double free in getpwent() which corrupted memory. It
happened only in the case of a + record indicating to use YP, but with ypbind
not actually running. Problem found by pyr; solution found with millert
ok millert pyr

oops, fix getpwent() use of wrong buffers
found by alexander.schrijver

Add _PW_BUF_LEN define and use it instead of hard-coding 1024 for
the buffer size. OK deraadt@

implement getpwnam_r() and getpwuid_r() -- very nearly a rewrite of the
entire file. much help from kurt, and tested by many

zap remaining rcsid.

Kill old files that are no longer compiled.

okay theo

deregister (and deauto!). ok millert@ marco@

ansify function definitions and zap some `register'

ok millert@

protos

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

add missing enumeration case to select to kill gcc warning
millert@ ok

Add a "shadow" group and make the shadow passwd db readable by that
group. This changes getpw* to always try the shadow db first and
then fall back to the db w/o password hashes. In the future,
/usr/libexec/auth/login_passwd (and others) will be setgid shadow
instead of setuid root. OK deraadt@

If you track -current you should do the following:
o add group shadow to /etc/group
o chgrp shadow /etc/spwd.db
o chmod 640 /etc/spwd.db
o rebuild and install src/usr.sbin/pwd_mkdb

You do not need to rebuild libc yet, but it would't hurt to do so.

KNF

cope better if realloc fails; better fix than cloder@acm.org

try to use strlcpy and snprintf more; ok various

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

put another YP-only piece inside the ifdef

Avoid theoretical potential buffer overflow

move utmp to large format, usernames to 32 chars; downsj

well if you cannot do a libc commit properly a week before 2.7 tree lock, surely it can wait till after 2.7

getpw*_r()

redo master.passwd.byname check if either the uid or euid changes, this was
a case of bad caching; peter and I

indent

Use strtol() and strtoul() instead of atoi(). This allows us to catch
errors reasonably and deal correctly with unsigned quantities.

realloc repair

avoid calling __has_yppw() everytime through getpwent(), by caching the YP status along with the open file status

handle long usernames more carefully

tabify

constrain length of db lookups better; reported by adam@math.tau.ac.il

buf oflow; bitblt

kill __yp_token, other clean ups.

* optimal exclusions support -- don't waste memory with DB. assumes
exclusions lists are typically small.
* move YP_OVERRIDE_PASSWD to a static var. needs some way for the system
to set this.
* clean up variable names and some code.
* invisibly support FreeBSD ypserv running in "secure" mode.

uid_t is now a u_int32_t, treat it as such.

Add a couple of syscalls; bring more prototypes into scope

Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend

Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly

yp_prot.h lies -> use yp.h (from yp.x) instead, change lots of structure
accesses to match. change xdr_domainname() and some other functions to
take "char **" instead of "char *", as rpcgen intended -- helps programs
linking against rpcgen output of yp.x. yp_all() should not free it's
return value. split xdryp.c and yplib.c into ~20 files so binaries like
"csh" need not link in functions like yp_maplist(). NIS+'s YP emulation
code lacks YPPROC_ORDER... attempt to deal nicely.

branches: 1.1.1;
Initial revision

since yp_bind() and yp_all() don't use open, fstat, read, socket, and other
rich system calls to perform YP/LDAP lookups, there is no need to access()
/var/run/ypbind.lock to "hint" to pledge that it should open up those system
calls.
ok jmatthew, miod

The ypproto buffer (which supports + lines in master.passwd) was correct
length for maximum amount of strings, but forgot about the struct passwd
taken from the start, and it isn't clear if the missing non-string elements
cover for that shortage. It would require misconfiguration by root to
exceed the buffer. As well, the strings don't need to be aligned, and
thus sys/param.h isn't needed for ALIGN()
ok millert

The "always hint that getpw operation is happening with access() the YP
lock file" would trash errno, creating confusion.
One instance found by richardipsum@fastmail, other two identified from
original commit
ok millert

Use an mmap()'d buffer instead of a static buffer for the contents
of the pointer returned by getpw{ent,nam,uid}(). We unmap the
buffer each time to catch callers using a stale passwd struct
pointer. As a special case, we do not unmap the buffer if the
previous lookup was for the same name or uid. This special case
may be removed in the future. OK deraadt@

stop opening the shadow database by default. only programs that request it
via the _shadow functions will open now, preventing some programs running
as root from accidentally loading password hashes it into their memory.
ok deraadt

Remove NULL-checks before free() and a few related dead assignments.

ok and valuable input from millert@

modify getpw*(), getgr*(), and getgrouplist() functions to access the
YP lock file unconditionally. This hints to the kernel that a "getpw"
operation is happening, even in the non-YP case. This looks like a
gruesome hack, but helps refine the ways these functions are called
and mandates the right pledge requests. Once the tree is fully annotated
we will know better how to improve the backing store management.
ok semarie espie beck

Use reentrant versions of getpw{nam,uid} and getgr{nam,gid} within
libc to avoid reusing the static buffers returned by the non-reentrant
versions. Since this is inside libc we can use constants for the
buffer sizes instead of having to call sysconf().
OK guenther@ deraadt@

Add _shadow variants to the two popular getpw functions (uid and nam).
This version of the function will always open the secure/shadow/master
password files. Soon, the regular variants of these functions will not.
(Intermixing shadow and regular gets a little weird; don't do that.)
Not using struct spwd and getspwnam functions to reduce churn in callers.
Should just be a one line diff in most places.
ok deraadt

remove null check before free. from Michael McConville
ok semarie

Wrap <pwd.h> so that calls go direct and the symbols are all weak.
Hide bcrypt_autorounds(), prefixing with an underbar for static builds.

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Move to the <limits.h> universe.
review by millert, binary checking process with doug, concept with guenther

Make sure that setgrent(), endgrent(), and endpwent() do not clobber
errno; they might do so on open() and close() failures, but by POSIX,
they are not supposed to fail. Note that ignoring failures inside
setgrent() does not matter, the following getgrent() is bound to
fail the same way again, anyway. If you insist on detecting open()
failure, use setgroupent(), even though that is less portable.
While here, remove two pointless (void) casts.
ok millert@ jca@

The functions getpw{nam,uid}_r() no longer set errno, not even if an
error occurs, but of course they do return the error. This matches
what getgr{nam,gid}_r() have already been doing. Original idea
by kettenis@, and deraadt@ called that idea "the only sane approach".
ok kettenis@ millert@

Fix getpw{nam,uid}{,_r}() errno handling for the non-YP case.
Prevent close(2) and syslog(3) from stomping on errno; from guenther@.
Set ERANGE if the buf is too small, required by POSIX; from jca@.
ok millert@

Fix the return values of getpwnam_r(), getpwuid_r(), getgrnam_r(),
and getgrgid_r() to agree with POSIX. Not touching errno handling
yet, which will also need fixing.

Problem originally reported by william at 25thandClement dot com on bugs@.
OK sthen@, and kettenis@ agrees it's "a step in the right direction".

getpwnam_r() and getpwuid_r() reopen the passwd even when called with
setpassent(stayopen).

Bug found and fixed by Erik Lax <erik-AT-halon-DOT-se>
ok millert@ guenther@

ANSI prototypes

Align stack yp buffers to 64-bit boundaries now, for they might contain
a struct passwd. ok deraadt@ guenther@ kettenis@

Do not need machine/param.h

use a size_t instead of an int to avoid signed compare
spotted by Ilja Van Sprundel
ok millert

Preserve errno across calls to open the password database(s), so
that errno isn't changed when a normal user (who can't open spwd.db)
does a lookup.

Problem pointed out by Tim van der Molen (tbvdm at xs4all.nl)

remove unused variable

ok deraadt@

simplify the code looking for + in the password database, after analysis
of a false positive made by parfait; ok millert

Take advantage of the surprise libc bump to bring in
YP group(5) exclusion, i.e. support -groupname:*:: in /etc/group.
Such groups will be excluded from later +:*::,
in just the same was as it is already done for passwd(5).
I have been running this since the autumn of 2008.
Discussed with several (including deraadt@, millert@, jmc@).

getgrouplist: If YP is #defined and enabled in /etc/group(5) and /etc/netid(5)
contains a matching entry, use that and refrain from accessing YP.
getpwnam/getpwuid: If YP is #defined and /etc/master.passwd(5) contains
a matching entry before the first YP entry, use that and stay away from YP.

Taken together, this allows a solution to the following problem pointed
out by deraadt@: When YP was configured but temporarily unavailable, even
root login would block, hindering you when trying to do repairs.
To avoid this, you can now provide a static entry for root in /etc/netid.

Using suggestions from miod@ otto@ blambert@ jmc@.
"commit" deraadt@, "cool" ajacoutot@, "looks fine" jmc@.

Avoid an occasional double free in getpwent() which corrupted memory. It
happened only in the case of a + record indicating to use YP, but with ypbind
not actually running. Problem found by pyr; solution found with millert
ok millert pyr

oops, fix getpwent() use of wrong buffers
found by alexander.schrijver

Add _PW_BUF_LEN define and use it instead of hard-coding 1024 for
the buffer size. OK deraadt@

implement getpwnam_r() and getpwuid_r() -- very nearly a rewrite of the
entire file. much help from kurt, and tested by many

zap remaining rcsid.

Kill old files that are no longer compiled.

okay theo

deregister (and deauto!). ok millert@ marco@

ansify function definitions and zap some `register'

ok millert@

protos

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

add missing enumeration case to select to kill gcc warning
millert@ ok

Add a "shadow" group and make the shadow passwd db readable by that
group. This changes getpw* to always try the shadow db first and
then fall back to the db w/o password hashes. In the future,
/usr/libexec/auth/login_passwd (and others) will be setgid shadow
instead of setuid root. OK deraadt@

If you track -current you should do the following:
o add group shadow to /etc/group
o chgrp shadow /etc/spwd.db
o chmod 640 /etc/spwd.db
o rebuild and install src/usr.sbin/pwd_mkdb

You do not need to rebuild libc yet, but it would't hurt to do so.

KNF

cope better if realloc fails; better fix than cloder@acm.org

try to use strlcpy and snprintf more; ok various

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

put another YP-only piece inside the ifdef

Avoid theoretical potential buffer overflow

move utmp to large format, usernames to 32 chars; downsj

well if you cannot do a libc commit properly a week before 2.7 tree lock, surely it can wait till after 2.7

getpw*_r()

redo master.passwd.byname check if either the uid or euid changes, this was
a case of bad caching; peter and I

indent

Use strtol() and strtoul() instead of atoi(). This allows us to catch
errors reasonably and deal correctly with unsigned quantities.

realloc repair

avoid calling __has_yppw() everytime through getpwent(), by caching the YP status along with the open file status

handle long usernames more carefully

tabify

constrain length of db lookups better; reported by adam@math.tau.ac.il

buf oflow; bitblt

kill __yp_token, other clean ups.

* optimal exclusions support -- don't waste memory with DB. assumes
exclusions lists are typically small.
* move YP_OVERRIDE_PASSWD to a static var. needs some way for the system
to set this.
* clean up variable names and some code.
* invisibly support FreeBSD ypserv running in "secure" mode.

uid_t is now a u_int32_t, treat it as such.

Add a couple of syscalls; bring more prototypes into scope

Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend

Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly

yp_prot.h lies -> use yp.h (from yp.x) instead, change lots of structure
accesses to match. change xdr_domainname() and some other functions to
take "char **" instead of "char *", as rpcgen intended -- helps programs
linking against rpcgen output of yp.x. yp_all() should not free it's
return value. split xdryp.c and yplib.c into ~20 files so binaries like
"csh" need not link in functions like yp_maplist(). NIS+'s YP emulation
code lacks YPPROC_ORDER... attempt to deal nicely.

branches: 1.1.1;
Initial revision

The ypproto buffer (which supports + lines in master.passwd) was correct
length for maximum amount of strings, but forgot about the struct passwd
taken from the start, and it isn't clear if the missing non-string elements
cover for that shortage. It would require misconfiguration by root to
exceed the buffer. As well, the strings don't need to be aligned, and
thus sys/param.h isn't needed for ALIGN()
ok millert

The "always hint that getpw operation is happening with access() the YP
lock file" would trash errno, creating confusion.
One instance found by richardipsum@fastmail, other two identified from
original commit
ok millert

Use an mmap()'d buffer instead of a static buffer for the contents
of the pointer returned by getpw{ent,nam,uid}(). We unmap the
buffer each time to catch callers using a stale passwd struct
pointer. As a special case, we do not unmap the buffer if the
previous lookup was for the same name or uid. This special case
may be removed in the future. OK deraadt@

stop opening the shadow database by default. only programs that request it
via the _shadow functions will open now, preventing some programs running
as root from accidentally loading password hashes it into their memory.
ok deraadt

Remove NULL-checks before free() and a few related dead assignments.

ok and valuable input from millert@

modify getpw*(), getgr*(), and getgrouplist() functions to access the
YP lock file unconditionally. This hints to the kernel that a "getpw"
operation is happening, even in the non-YP case. This looks like a
gruesome hack, but helps refine the ways these functions are called
and mandates the right pledge requests. Once the tree is fully annotated
we will know better how to improve the backing store management.
ok semarie espie beck

Use reentrant versions of getpw{nam,uid} and getgr{nam,gid} within
libc to avoid reusing the static buffers returned by the non-reentrant
versions. Since this is inside libc we can use constants for the
buffer sizes instead of having to call sysconf().
OK guenther@ deraadt@

Add _shadow variants to the two popular getpw functions (uid and nam).
This version of the function will always open the secure/shadow/master
password files. Soon, the regular variants of these functions will not.
(Intermixing shadow and regular gets a little weird; don't do that.)
Not using struct spwd and getspwnam functions to reduce churn in callers.
Should just be a one line diff in most places.
ok deraadt

remove null check before free. from Michael McConville
ok semarie

Wrap <pwd.h> so that calls go direct and the symbols are all weak.
Hide bcrypt_autorounds(), prefixing with an underbar for static builds.

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Move to the <limits.h> universe.
review by millert, binary checking process with doug, concept with guenther

Make sure that setgrent(), endgrent(), and endpwent() do not clobber
errno; they might do so on open() and close() failures, but by POSIX,
they are not supposed to fail. Note that ignoring failures inside
setgrent() does not matter, the following getgrent() is bound to
fail the same way again, anyway. If you insist on detecting open()
failure, use setgroupent(), even though that is less portable.
While here, remove two pointless (void) casts.
ok millert@ jca@

The functions getpw{nam,uid}_r() no longer set errno, not even if an
error occurs, but of course they do return the error. This matches
what getgr{nam,gid}_r() have already been doing. Original idea
by kettenis@, and deraadt@ called that idea "the only sane approach".
ok kettenis@ millert@

Fix getpw{nam,uid}{,_r}() errno handling for the non-YP case.
Prevent close(2) and syslog(3) from stomping on errno; from guenther@.
Set ERANGE if the buf is too small, required by POSIX; from jca@.
ok millert@

Fix the return values of getpwnam_r(), getpwuid_r(), getgrnam_r(),
and getgrgid_r() to agree with POSIX. Not touching errno handling
yet, which will also need fixing.

Problem originally reported by william at 25thandClement dot com on bugs@.
OK sthen@, and kettenis@ agrees it's "a step in the right direction".

getpwnam_r() and getpwuid_r() reopen the passwd even when called with
setpassent(stayopen).

Bug found and fixed by Erik Lax <erik-AT-halon-DOT-se>
ok millert@ guenther@

ANSI prototypes

Align stack yp buffers to 64-bit boundaries now, for they might contain
a struct passwd. ok deraadt@ guenther@ kettenis@

Do not need machine/param.h

use a size_t instead of an int to avoid signed compare
spotted by Ilja Van Sprundel
ok millert

Preserve errno across calls to open the password database(s), so
that errno isn't changed when a normal user (who can't open spwd.db)
does a lookup.

Problem pointed out by Tim van der Molen (tbvdm at xs4all.nl)

remove unused variable

ok deraadt@

simplify the code looking for + in the password database, after analysis
of a false positive made by parfait; ok millert

Take advantage of the surprise libc bump to bring in
YP group(5) exclusion, i.e. support -groupname:*:: in /etc/group.
Such groups will be excluded from later +:*::,
in just the same was as it is already done for passwd(5).
I have been running this since the autumn of 2008.
Discussed with several (including deraadt@, millert@, jmc@).

getgrouplist: If YP is #defined and enabled in /etc/group(5) and /etc/netid(5)
contains a matching entry, use that and refrain from accessing YP.
getpwnam/getpwuid: If YP is #defined and /etc/master.passwd(5) contains
a matching entry before the first YP entry, use that and stay away from YP.

Taken together, this allows a solution to the following problem pointed
out by deraadt@: When YP was configured but temporarily unavailable, even
root login would block, hindering you when trying to do repairs.
To avoid this, you can now provide a static entry for root in /etc/netid.

Using suggestions from miod@ otto@ blambert@ jmc@.
"commit" deraadt@, "cool" ajacoutot@, "looks fine" jmc@.

Avoid an occasional double free in getpwent() which corrupted memory. It
happened only in the case of a + record indicating to use YP, but with ypbind
not actually running. Problem found by pyr; solution found with millert
ok millert pyr

oops, fix getpwent() use of wrong buffers
found by alexander.schrijver

Add _PW_BUF_LEN define and use it instead of hard-coding 1024 for
the buffer size. OK deraadt@

implement getpwnam_r() and getpwuid_r() -- very nearly a rewrite of the
entire file. much help from kurt, and tested by many

zap remaining rcsid.

Kill old files that are no longer compiled.

okay theo

deregister (and deauto!). ok millert@ marco@

ansify function definitions and zap some `register'

ok millert@

protos

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

add missing enumeration case to select to kill gcc warning
millert@ ok

Add a "shadow" group and make the shadow passwd db readable by that
group. This changes getpw* to always try the shadow db first and
then fall back to the db w/o password hashes. In the future,
/usr/libexec/auth/login_passwd (and others) will be setgid shadow
instead of setuid root. OK deraadt@

If you track -current you should do the following:
o add group shadow to /etc/group
o chgrp shadow /etc/spwd.db
o chmod 640 /etc/spwd.db
o rebuild and install src/usr.sbin/pwd_mkdb

You do not need to rebuild libc yet, but it would't hurt to do so.

KNF

cope better if realloc fails; better fix than cloder@acm.org

try to use strlcpy and snprintf more; ok various

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

put another YP-only piece inside the ifdef

Avoid theoretical potential buffer overflow

move utmp to large format, usernames to 32 chars; downsj

well if you cannot do a libc commit properly a week before 2.7 tree lock, surely it can wait till after 2.7

getpw*_r()

redo master.passwd.byname check if either the uid or euid changes, this was
a case of bad caching; peter and I

indent

Use strtol() and strtoul() instead of atoi(). This allows us to catch
errors reasonably and deal correctly with unsigned quantities.

realloc repair

avoid calling __has_yppw() everytime through getpwent(), by caching the YP status along with the open file status

handle long usernames more carefully

tabify

constrain length of db lookups better; reported by adam@math.tau.ac.il

buf oflow; bitblt

kill __yp_token, other clean ups.

* optimal exclusions support -- don't waste memory with DB. assumes
exclusions lists are typically small.
* move YP_OVERRIDE_PASSWD to a static var. needs some way for the system
to set this.
* clean up variable names and some code.
* invisibly support FreeBSD ypserv running in "secure" mode.

uid_t is now a u_int32_t, treat it as such.

Add a couple of syscalls; bring more prototypes into scope

Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend

Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly

yp_prot.h lies -> use yp.h (from yp.x) instead, change lots of structure
accesses to match. change xdr_domainname() and some other functions to
take "char **" instead of "char *", as rpcgen intended -- helps programs
linking against rpcgen output of yp.x. yp_all() should not free it's
return value. split xdryp.c and yplib.c into ~20 files so binaries like
"csh" need not link in functions like yp_maplist(). NIS+'s YP emulation
code lacks YPPROC_ORDER... attempt to deal nicely.

branches: 1.1.1;
Initial revision

The "always hint that getpw operation is happening with access() the YP
lock file" would trash errno, creating confusion.
One instance found by richardipsum@fastmail, other two identified from
original commit
ok millert

Use an mmap()'d buffer instead of a static buffer for the contents
of the pointer returned by getpw{ent,nam,uid}(). We unmap the
buffer each time to catch callers using a stale passwd struct
pointer. As a special case, we do not unmap the buffer if the
previous lookup was for the same name or uid. This special case
may be removed in the future. OK deraadt@

stop opening the shadow database by default. only programs that request it
via the _shadow functions will open now, preventing some programs running
as root from accidentally loading password hashes it into their memory.
ok deraadt

Remove NULL-checks before free() and a few related dead assignments.

ok and valuable input from millert@

modify getpw*(), getgr*(), and getgrouplist() functions to access the
YP lock file unconditionally. This hints to the kernel that a "getpw"
operation is happening, even in the non-YP case. This looks like a
gruesome hack, but helps refine the ways these functions are called
and mandates the right pledge requests. Once the tree is fully annotated
we will know better how to improve the backing store management.
ok semarie espie beck

Use reentrant versions of getpw{nam,uid} and getgr{nam,gid} within
libc to avoid reusing the static buffers returned by the non-reentrant
versions. Since this is inside libc we can use constants for the
buffer sizes instead of having to call sysconf().
OK guenther@ deraadt@

Add _shadow variants to the two popular getpw functions (uid and nam).
This version of the function will always open the secure/shadow/master
password files. Soon, the regular variants of these functions will not.
(Intermixing shadow and regular gets a little weird; don't do that.)
Not using struct spwd and getspwnam functions to reduce churn in callers.
Should just be a one line diff in most places.
ok deraadt

remove null check before free. from Michael McConville
ok semarie

Wrap <pwd.h> so that calls go direct and the symbols are all weak.
Hide bcrypt_autorounds(), prefixing with an underbar for static builds.

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Move to the <limits.h> universe.
review by millert, binary checking process with doug, concept with guenther

Make sure that setgrent(), endgrent(), and endpwent() do not clobber
errno; they might do so on open() and close() failures, but by POSIX,
they are not supposed to fail. Note that ignoring failures inside
setgrent() does not matter, the following getgrent() is bound to
fail the same way again, anyway. If you insist on detecting open()
failure, use setgroupent(), even though that is less portable.
While here, remove two pointless (void) casts.
ok millert@ jca@

The functions getpw{nam,uid}_r() no longer set errno, not even if an
error occurs, but of course they do return the error. This matches
what getgr{nam,gid}_r() have already been doing. Original idea
by kettenis@, and deraadt@ called that idea "the only sane approach".
ok kettenis@ millert@

Fix getpw{nam,uid}{,_r}() errno handling for the non-YP case.
Prevent close(2) and syslog(3) from stomping on errno; from guenther@.
Set ERANGE if the buf is too small, required by POSIX; from jca@.
ok millert@

Fix the return values of getpwnam_r(), getpwuid_r(), getgrnam_r(),
and getgrgid_r() to agree with POSIX. Not touching errno handling
yet, which will also need fixing.

Problem originally reported by william at 25thandClement dot com on bugs@.
OK sthen@, and kettenis@ agrees it's "a step in the right direction".

getpwnam_r() and getpwuid_r() reopen the passwd even when called with
setpassent(stayopen).

Bug found and fixed by Erik Lax <erik-AT-halon-DOT-se>
ok millert@ guenther@

ANSI prototypes

Align stack yp buffers to 64-bit boundaries now, for they might contain
a struct passwd. ok deraadt@ guenther@ kettenis@

Do not need machine/param.h

use a size_t instead of an int to avoid signed compare
spotted by Ilja Van Sprundel
ok millert

Preserve errno across calls to open the password database(s), so
that errno isn't changed when a normal user (who can't open spwd.db)
does a lookup.

Problem pointed out by Tim van der Molen (tbvdm at xs4all.nl)

remove unused variable

ok deraadt@

simplify the code looking for + in the password database, after analysis
of a false positive made by parfait; ok millert

Take advantage of the surprise libc bump to bring in
YP group(5) exclusion, i.e. support -groupname:*:: in /etc/group.
Such groups will be excluded from later +:*::,
in just the same was as it is already done for passwd(5).
I have been running this since the autumn of 2008.
Discussed with several (including deraadt@, millert@, jmc@).

getgrouplist: If YP is #defined and enabled in /etc/group(5) and /etc/netid(5)
contains a matching entry, use that and refrain from accessing YP.
getpwnam/getpwuid: If YP is #defined and /etc/master.passwd(5) contains
a matching entry before the first YP entry, use that and stay away from YP.

Taken together, this allows a solution to the following problem pointed
out by deraadt@: When YP was configured but temporarily unavailable, even
root login would block, hindering you when trying to do repairs.
To avoid this, you can now provide a static entry for root in /etc/netid.

Using suggestions from miod@ otto@ blambert@ jmc@.
"commit" deraadt@, "cool" ajacoutot@, "looks fine" jmc@.

Avoid an occasional double free in getpwent() which corrupted memory. It
happened only in the case of a + record indicating to use YP, but with ypbind
not actually running. Problem found by pyr; solution found with millert
ok millert pyr

oops, fix getpwent() use of wrong buffers
found by alexander.schrijver

Add _PW_BUF_LEN define and use it instead of hard-coding 1024 for
the buffer size. OK deraadt@

implement getpwnam_r() and getpwuid_r() -- very nearly a rewrite of the
entire file. much help from kurt, and tested by many

zap remaining rcsid.

Kill old files that are no longer compiled.

okay theo

deregister (and deauto!). ok millert@ marco@

ansify function definitions and zap some `register'

ok millert@

protos

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

add missing enumeration case to select to kill gcc warning
millert@ ok

Add a "shadow" group and make the shadow passwd db readable by that
group. This changes getpw* to always try the shadow db first and
then fall back to the db w/o password hashes. In the future,
/usr/libexec/auth/login_passwd (and others) will be setgid shadow
instead of setuid root. OK deraadt@

If you track -current you should do the following:
o add group shadow to /etc/group
o chgrp shadow /etc/spwd.db
o chmod 640 /etc/spwd.db
o rebuild and install src/usr.sbin/pwd_mkdb

You do not need to rebuild libc yet, but it would't hurt to do so.

KNF

cope better if realloc fails; better fix than cloder@acm.org

try to use strlcpy and snprintf more; ok various

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

put another YP-only piece inside the ifdef

Avoid theoretical potential buffer overflow

move utmp to large format, usernames to 32 chars; downsj

well if you cannot do a libc commit properly a week before 2.7 tree lock, surely it can wait till after 2.7

getpw*_r()

redo master.passwd.byname check if either the uid or euid changes, this was
a case of bad caching; peter and I

indent

Use strtol() and strtoul() instead of atoi(). This allows us to catch
errors reasonably and deal correctly with unsigned quantities.

realloc repair

avoid calling __has_yppw() everytime through getpwent(), by caching the YP status along with the open file status

handle long usernames more carefully

tabify

constrain length of db lookups better; reported by adam@math.tau.ac.il

buf oflow; bitblt

kill __yp_token, other clean ups.

* optimal exclusions support -- don't waste memory with DB. assumes
exclusions lists are typically small.
* move YP_OVERRIDE_PASSWD to a static var. needs some way for the system
to set this.
* clean up variable names and some code.
* invisibly support FreeBSD ypserv running in "secure" mode.

uid_t is now a u_int32_t, treat it as such.

Add a couple of syscalls; bring more prototypes into scope

Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend

Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly

yp_prot.h lies -> use yp.h (from yp.x) instead, change lots of structure
accesses to match. change xdr_domainname() and some other functions to
take "char **" instead of "char *", as rpcgen intended -- helps programs
linking against rpcgen output of yp.x. yp_all() should not free it's
return value. split xdryp.c and yplib.c into ~20 files so binaries like
"csh" need not link in functions like yp_maplist(). NIS+'s YP emulation
code lacks YPPROC_ORDER... attempt to deal nicely.

branches: 1.1.1;
Initial revision

Use an mmap()'d buffer instead of a static buffer for the contents
of the pointer returned by getpw{ent,nam,uid}(). We unmap the
buffer each time to catch callers using a stale passwd struct
pointer. As a special case, we do not unmap the buffer if the
previous lookup was for the same name or uid. This special case
may be removed in the future. OK deraadt@

stop opening the shadow database by default. only programs that request it
via the _shadow functions will open now, preventing some programs running
as root from accidentally loading password hashes it into their memory.
ok deraadt

Remove NULL-checks before free() and a few related dead assignments.

ok and valuable input from millert@

modify getpw*(), getgr*(), and getgrouplist() functions to access the
YP lock file unconditionally. This hints to the kernel that a "getpw"
operation is happening, even in the non-YP case. This looks like a
gruesome hack, but helps refine the ways these functions are called
and mandates the right pledge requests. Once the tree is fully annotated
we will know better how to improve the backing store management.
ok semarie espie beck

Use reentrant versions of getpw{nam,uid} and getgr{nam,gid} within
libc to avoid reusing the static buffers returned by the non-reentrant
versions. Since this is inside libc we can use constants for the
buffer sizes instead of having to call sysconf().
OK guenther@ deraadt@

Add _shadow variants to the two popular getpw functions (uid and nam).
This version of the function will always open the secure/shadow/master
password files. Soon, the regular variants of these functions will not.
(Intermixing shadow and regular gets a little weird; don't do that.)
Not using struct spwd and getspwnam functions to reduce churn in callers.
Should just be a one line diff in most places.
ok deraadt

remove null check before free. from Michael McConville
ok semarie

Wrap <pwd.h> so that calls go direct and the symbols are all weak.
Hide bcrypt_autorounds(), prefixing with an underbar for static builds.

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Move to the <limits.h> universe.
review by millert, binary checking process with doug, concept with guenther

Make sure that setgrent(), endgrent(), and endpwent() do not clobber
errno; they might do so on open() and close() failures, but by POSIX,
they are not supposed to fail. Note that ignoring failures inside
setgrent() does not matter, the following getgrent() is bound to
fail the same way again, anyway. If you insist on detecting open()
failure, use setgroupent(), even though that is less portable.
While here, remove two pointless (void) casts.
ok millert@ jca@

The functions getpw{nam,uid}_r() no longer set errno, not even if an
error occurs, but of course they do return the error. This matches
what getgr{nam,gid}_r() have already been doing. Original idea
by kettenis@, and deraadt@ called that idea "the only sane approach".
ok kettenis@ millert@

Fix getpw{nam,uid}{,_r}() errno handling for the non-YP case.
Prevent close(2) and syslog(3) from stomping on errno; from guenther@.
Set ERANGE if the buf is too small, required by POSIX; from jca@.
ok millert@

Fix the return values of getpwnam_r(), getpwuid_r(), getgrnam_r(),
and getgrgid_r() to agree with POSIX. Not touching errno handling
yet, which will also need fixing.

Problem originally reported by william at 25thandClement dot com on bugs@.
OK sthen@, and kettenis@ agrees it's "a step in the right direction".

getpwnam_r() and getpwuid_r() reopen the passwd even when called with
setpassent(stayopen).

Bug found and fixed by Erik Lax <erik-AT-halon-DOT-se>
ok millert@ guenther@

ANSI prototypes

Align stack yp buffers to 64-bit boundaries now, for they might contain
a struct passwd. ok deraadt@ guenther@ kettenis@

Do not need machine/param.h

use a size_t instead of an int to avoid signed compare
spotted by Ilja Van Sprundel
ok millert

Preserve errno across calls to open the password database(s), so
that errno isn't changed when a normal user (who can't open spwd.db)
does a lookup.

Problem pointed out by Tim van der Molen (tbvdm at xs4all.nl)

remove unused variable

ok deraadt@

simplify the code looking for + in the password database, after analysis
of a false positive made by parfait; ok millert

Take advantage of the surprise libc bump to bring in
YP group(5) exclusion, i.e. support -groupname:*:: in /etc/group.
Such groups will be excluded from later +:*::,
in just the same was as it is already done for passwd(5).
I have been running this since the autumn of 2008.
Discussed with several (including deraadt@, millert@, jmc@).

getgrouplist: If YP is #defined and enabled in /etc/group(5) and /etc/netid(5)
contains a matching entry, use that and refrain from accessing YP.
getpwnam/getpwuid: If YP is #defined and /etc/master.passwd(5) contains
a matching entry before the first YP entry, use that and stay away from YP.

Taken together, this allows a solution to the following problem pointed
out by deraadt@: When YP was configured but temporarily unavailable, even
root login would block, hindering you when trying to do repairs.
To avoid this, you can now provide a static entry for root in /etc/netid.

Using suggestions from miod@ otto@ blambert@ jmc@.
"commit" deraadt@, "cool" ajacoutot@, "looks fine" jmc@.

Avoid an occasional double free in getpwent() which corrupted memory. It
happened only in the case of a + record indicating to use YP, but with ypbind
not actually running. Problem found by pyr; solution found with millert
ok millert pyr

oops, fix getpwent() use of wrong buffers
found by alexander.schrijver

Add _PW_BUF_LEN define and use it instead of hard-coding 1024 for
the buffer size. OK deraadt@

implement getpwnam_r() and getpwuid_r() -- very nearly a rewrite of the
entire file. much help from kurt, and tested by many

zap remaining rcsid.

Kill old files that are no longer compiled.

okay theo

deregister (and deauto!). ok millert@ marco@

ansify function definitions and zap some `register'

ok millert@

protos

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

add missing enumeration case to select to kill gcc warning
millert@ ok

Add a "shadow" group and make the shadow passwd db readable by that
group. This changes getpw* to always try the shadow db first and
then fall back to the db w/o password hashes. In the future,
/usr/libexec/auth/login_passwd (and others) will be setgid shadow
instead of setuid root. OK deraadt@

If you track -current you should do the following:
o add group shadow to /etc/group
o chgrp shadow /etc/spwd.db
o chmod 640 /etc/spwd.db
o rebuild and install src/usr.sbin/pwd_mkdb

You do not need to rebuild libc yet, but it would't hurt to do so.

KNF

cope better if realloc fails; better fix than cloder@acm.org

try to use strlcpy and snprintf more; ok various

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

put another YP-only piece inside the ifdef

Avoid theoretical potential buffer overflow

move utmp to large format, usernames to 32 chars; downsj

well if you cannot do a libc commit properly a week before 2.7 tree lock, surely it can wait till after 2.7

getpw*_r()

redo master.passwd.byname check if either the uid or euid changes, this was
a case of bad caching; peter and I

indent

Use strtol() and strtoul() instead of atoi(). This allows us to catch
errors reasonably and deal correctly with unsigned quantities.

realloc repair

avoid calling __has_yppw() everytime through getpwent(), by caching the YP status along with the open file status

handle long usernames more carefully

tabify

constrain length of db lookups better; reported by adam@math.tau.ac.il

buf oflow; bitblt

kill __yp_token, other clean ups.

* optimal exclusions support -- don't waste memory with DB. assumes
exclusions lists are typically small.
* move YP_OVERRIDE_PASSWD to a static var. needs some way for the system
to set this.
* clean up variable names and some code.
* invisibly support FreeBSD ypserv running in "secure" mode.

uid_t is now a u_int32_t, treat it as such.

Add a couple of syscalls; bring more prototypes into scope

Remove dead code
Remove unused variables
Silence some warnings
lint(1) is your friend

Fix RCS ids
Make sure everything uses {SYS,}LIBC_SCCS properly

yp_prot.h lies -> use yp.h (from yp.x) instead, change lots of structure
accesses to match. change xdr_domainname() and some other functions to
take "char **" instead of "char *", as rpcgen intended -- helps programs
linking against rpcgen output of yp.x. yp_all() should not free it's
return value. split xdryp.c and yplib.c into ~20 files so binaries like
"csh" need not link in functions like yp_maplist(). NIS+'s YP emulation
code lacks YPPROC_ORDER... attempt to deal nicely.

branches: 1.1.1;
Initial revision

stop opening the shadow database by default. only programs that request it
via the _shadow functions will open now, preventing some programs running
as root from accidentally loading password hashes it into their memory.
ok deraadt

Remove NULL-checks before free() and a few related dead assignments.

ok and valuable input from millert@

modify getpw*(), getgr*(), and getgrouplist() functions to access the
YP lock file unconditionally. This hints to the kernel that a "getpw"
operation is happening, even in the non-YP case. This looks like a
gruesome hack, but helps refine the ways these functions are called
and mandates the right pledge requests. Once the tree is fully annotated
we will know better how to improve the backing store management.
ok semarie espie beck

Use reentrant versions of getpw{nam,uid} and getgr{nam,gid} within
libc to avoid reusing the static buffers returned by the non-reentrant
versions. Since this is inside libc we can use constants for the
buffer sizes instead of having to call sysconf().
OK guenther@ deraadt@

Add _shadow variants to the two popular getpw functions (uid and nam).
This version of the function will always open the secure/shadow/master
password files. Soon, the regular variants of these functions will not.
(Intermixing shadow and regular gets a little weird; don't do that.)
Not using struct spwd and getspwnam functions to reduce churn in callers.
Should just be a one line diff in most places.
ok deraadt

remove null check before free. from Michael McConville
ok semarie

Wrap <pwd.h> so that calls go direct and the symbols are all weak.
Hide bcrypt_autorounds(), prefixing with an underbar for static builds.

Do not assume that asprintf() clears the pointer on failure, which
is non-portable. Also add missing asprintf() return value checks.
OK deraadt@ guenther@ doug@

Move to the <limits.h> universe.
review by millert, binary checking process with doug, concept with guenther

Make sure that setgrent(), endgrent(), and endpwent() do not clobber
errno; they might do so on open() and close() failures, but by POSIX,
they are not supposed to fail. Note that ignoring failures inside
setgrent() does not matter, the following getgrent() is bound to
fail the same way again, anyway. If you insist on detecting open()
failure, use setgroupent(), even though that is less portable.
While here, remove two pointless (void) casts.
ok millert@ jca@

The functions getpw{nam,uid}_r() no longer set errno, not even if an
error occurs, but of course they do return the error. This matches
what getgr{nam,gid}_r() have already been doing. Original idea
by kettenis@, and deraadt@ called that idea "the only sane approach".
ok kettenis@ millert@

Fix getpw{nam,uid}{,_r}() errno handling for the non-YP case.
Prevent close(2) and syslog(3) from stomping on errno; from guenther@.
Set ERANGE if the buf is too small, required by POSIX; from jca@.
ok millert@

Fix the return values of getpwnam_r(), getpwuid_r(), getgrnam_r(),
and getgrgid_r() to agree with POSIX. Not touching errno handling
yet, which will also need fixing.

Problem originally reported by william at 25thandClement dot com on bugs@.
OK sthen@, and kettenis@ agrees it's "a step in the right direction".

getpwnam_r() and getpwuid_r() reopen the passwd even when called with
setpassent(stayopen).

Bug found and fixed by Erik Lax <erik-AT-halon-DOT-se>
ok millert@ guenther@

ANSI prototypes

Align stack yp buffers to 64-bit boundaries now, for they might contain
a struct passwd. ok deraadt@ guenther@ kettenis@

Do not need machine/param.h

use a size_t instead of an int to avoid signed compare
spotted by Ilja Van Sprundel
ok millert

Preserve errno across calls to open the password database(s), so
that errno isn't changed when a normal user (who can't open spwd.db)
does a lookup.

Problem pointed out by Tim van der Molen (tbvdm at xs4all.nl)

remove unused variable

ok deraadt@

simplify the code looking for + in the password database, after analysis
of a false positive made by parfait; ok millert

Take advantage of the surprise libc bump to bring in
YP group(5) exclusion, i.e. support -groupname:*:: in /etc/group.
Such groups will be excluded from later +:*::,
in just the same was as it is already done for passwd(5).
I have been running this since the autumn of 2008.
Discussed with several (including deraadt@, millert@, jmc@).

getgrouplist: If YP is #defined and enabled in /etc/group(5) and /etc/netid(5)
contains a matching entry, use that and refrain from accessing YP.
getpwnam/getpwuid: If YP is #defined and /etc/master.passwd(5) contains
a matching entry before the first YP entry, use that and stay away from YP.

Taken together, this allows a solution to the following problem pointed
out by deraadt@: When YP was configured but temporarily unavailable, even
root login would block, hindering you when trying to do repairs.
To avoid this, you can now provide a static entry for root in /etc/netid.

Using suggestions from miod@ otto@ blambert@ jmc@.
"commit" deraadt@, "cool" ajacoutot@, "looks fine" jmc@.

Avoid an occasional double free in getpwent() which corrupted memory. It
happened only in the case of a + record indicating to use YP, but with ypbind
not actually running. Problem found by pyr; solution found with millert
ok millert pyr

oops, fix getpwent() use of wrong buffers
found by alexander.schrijver

Add _PW_BUF_LEN define and use it instead of hard-coding 1024 for
the buffer size. OK deraadt@

implement getpwnam_r() and getpwuid_r() -- very nearly a rewrite of the
entire file. much help from kurt, and tested by many

zap remaining rcsid.

Kill old files that are no longer compiled.

okay theo

deregister (and deauto!). ok millert@ marco@

ansify function definitions and zap some `register'

ok millert@