History log of /openbsd-current/libexec/ftpd/monitor.c
Revision Date Author Comments
# 1.31 08-Mar-2023 guenther

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.30 24-Oct-2021 deraadt

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert


Revision tags: OPENBSD_7_0_BASE
# 1.29 31-May-2021 jan

Convert K&R function definitions to modern C.

OK naddy@, millert@


# 1.28 20-May-2021 jan

Removes the useless FILE* parameter of get_line().
While here fix minor whitespace mistake.

"looks fine to me" chris@


# 1.27 15-May-2021 jan

Add pledge for ftpd's user processes.

OK tobhe@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.26 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.25 17-Apr-2017 deraadt

freezero() can be used here


Revision tags: OPENBSD_6_0_BASE OPENBSD_6_1_BASE
# 1.24 25-Apr-2016 deraadt

prefer setres{u,g}id() rather than manipulating both real and effective
ids, it clarifies these are full revocation situations.
ok millert


Revision tags: OPENBSD_5_9_BASE
# 1.23 16-Nov-2015 tedu

don't need to ifdef setproctitle


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.22 06-Feb-2015 millert

SIZE_MAX is standard, we should be using it in preference to the
obsolete SIZE_T_MAX. OK miod@ beck@


# 1.21 25-Aug-2014 doug

Delete secret or secret-derived data with explicit_bzero.

concept ok deraadt@
diff looks ok tedu@


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.20 04-Jun-2009 sthen

...and now try again with a commit from the right tree. doh!

ftp uses its own ugly "sockunion" to hold addresses, but with CMD_BIND
the monitor treats it as if it were a sockaddr. this is fine for v4 but
fails for v6, so active connections break. problem reported and diff
tested by Maurice Janssen. looks sensible to deraadt@.


# 1.19 04-Jun-2009 sthen

ftp uses its own ugly "sockunion" to hold addresses, but with CMD_BIND
the monitor treats it as if it were a sockaddr. this is fine for v4 but
fails for v6, so active connections break. problem reported and diff
tested by Maurice Janssen. looks sensible to deraadt@.


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.18 30-Jun-2008 ragge

Include file order must be "monitor.h" before "extern.h" otherwise enum
auth_ret is referenced before it is declared, which is not allowed by C99.

Ok krw@, millert@, gilles@


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.17 05-Apr-2007 moritz

Remove lint comment, which does not apply anymore.


# 1.16 26-Mar-2007 moritz

Do not log when the slave gets killed because of read()
returning 0. This is normal behavior and should not spam
the logs. Noticed by henning@

OK henning@ millert@


Revision tags: OPENBSD_4_1_BASE
# 1.15 01-Mar-2007 otto

- use proper log facility and priority in the slave sig handlers
- if the monitor decides to kill the slave, log that
ok millert@ moritz@


Revision tags: OPENBSD_4_0_BASE
# 1.14 21-Apr-2006 deraadt

lint cleanup; ok ray moritz dhill


# 1.13 14-Mar-2006 moritz

Allow anonymous logins without a password, which was broken
by the last commit. Noticed by Armin Wolfermann. ok henning@


Revision tags: OPENBSD_3_9_BASE
# 1.12 20-Jan-2006 moritz

branches: 1.12.2;
fix integer overflows. ok millert@


Revision tags: OPENBSD_3_8_BASE
# 1.11 14-Jul-2005 moritz

let root create the data socket. fixes PR 4287.
ok millert@ henning@


# 1.10 24-May-2005 moritz

readd endpwent()


# 1.9 24-May-2005 moritz

no need for endpwent()


Revision tags: OPENBSD_3_7_BASE
# 1.8 26-Feb-2005 moritz

branches: 1.8.2;
fix {send,recv}data so they don't add -1 to pos in the
EINTR/EAGAIN case as found by otto@.
also make them more quiet as requested by deraadt@.

ok millert@ otto@ henning@


# 1.7 20-Dec-2004 moritz

change mail address

ok henning@


# 1.6 11-Dec-2004 moritz

make syscalls in the monitor restartable when signals occur, as was
the case before privsep and only wait() for our slave processes.
with help from millert@

ok millert@ henning@


# 1.5 06-Dec-2004 moritz

make signal blocking a lot easier.
ok millert@, henning@


# 1.4 29-Nov-2004 henning

fix nasty signal races by blocking signals in signal handlers.
with moritz jodeit and theo, ok theo


# 1.3 28-Nov-2004 henning

slave_pid -1 by default, not 0, and reset to -1 when it goes away, with theo


# 1.2 28-Nov-2004 henning

fix ttyline setting, fixes proctitle.
noticed independently by theo and pval, fix from moritz jodeit


# 1.1 28-Nov-2004 henning

privilege separate ftpd
handle the pre-authentication phase (minus a tiny tiny tiny amount
of code after accept()) in an unprivileged process, asking the
privileged monitor for help where needed.
work by Moritz Jodeit <moritz@jodeit.org> with help from theo and me
tests theo ian@ matthieu@ ben@networkinsanity.com a.schlichting@lemarit.com

