init(8): fix signal handler boolean type and qualifier

The variable "clang" is modified from a signal handler. Change it
from an 'int' to a 'sig_atomic_t' and mark it 'volatile', as we
recommend in signal(3).

ok millert@ kn@

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert

init(8): use err(3) instead of hand-rolled fprintf(3) messages

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Drop special handling of SIGSYS.

Tolerance for up to 25 SIGSYS deliveries was added to init(8) soon after
the addition of sysctl(2) at CSRG, presumably to ease the transition to
the new ABI.

After 25 years of work the ABI transition is finally complete and we can
now safely remove this splint.

In general, we now have better practices and methods for helping userspace
across kernel ABI breaks.

ok deraadt@

Check GETTY_SPACING against the monotonic clock.

Ensures that we can use the check if the system clock is set backwards.

While here, move time retrieval into the child process in start_getty(),
and only get the time if se_started has been set.

ok millert@ tb@

unifdef LOGIN_CAP, we always want to use login.conf
OK jca@, no objection deraadt@

s/CPU_LIDSUSPEND/CPU_LIDACTION/
ok mlarkin

Use the safe idiom of cleaning sensitive data from memory with explicit_bzero,
instead of relying on other methods, after readpassphrase. Some programs on
this diff won't benefit that much since it happens near the terminal path, but
someone might copy the unsafe idiom to another program and place it where it
may leak sensitive data.

Discussed aeons ago with tb@, OK deraadt@ and beck@

Add a new sysctl machdep.lidaction. The sysctl works as follows:

machdep.lidaction=0 # do nothing
machdep.lidaction=1 # suspend
machdep.lidaction=2 # hibernate

lidsuspend is just an alias for lidaction, so if you change one, the
other one will have the same value. The plan is to remove
machdep.lidsuspend eventually when people have upgraded their
/ets/sysctl.conf.

discussed with deraadt, who came up with the new MIB name
no objections mlarkin
ok stsp halex jcs

replace obsolete getpass() by readpassphrase()
OK tedu millert

Use an RB tree instead of BDB to map process->session, ok tedu millert

Pull in <sys/time.h> for struct timespec

ok deraadt@

Do not close the stdio file desciptors in init(8), but dup2(2) them
from /dev/null. The code is taken from daemon(3). Also move this
operation to the beginning.
OK millert@ deraadt@

Remove variable unneeded since introduction of crypt_checkpass

ok millert@

Use NULL rather than 0 for pointers. No binary change.

Remove NULL-checks before free(). ok tb@

use _shadow getpwnam (and crypt_checkpass)

<stdlib.h> is included, so do not need to cast result from
malloc, calloc, realloc*
ok krw millert

Use volatile sig_atomic_t for requested_transition since it is
modified inside signal handlers. Instead of returning a function
pointer, the state functions now return an enum for the next state.
This is used as an index into an array of function pointers to
do the actual state change in transition(). OK deraadt@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Do not define the variable pid twice to avoid a compiler warning.
OK millert@

malloc/memset->calloc. with bonus null check. from peter malone.

Do not raise the securelevel when transitioning from catatonia to
multiuser since we are not actually going multiuser. Fixes a problem
where the securelevel was raised for rc.shutdown even when reboot
was run from single user mode. OK deraadt@

Ignore sysctl failure for CPU_LIDSUSPEND when errno is EOPNOTSUPP.
Just because CPU_LIDSUSPEND is defined in cpu.h does mean it is
actually supported by the hardware. OK halex@

fix "disable lidsuspend on shutdown":
- pull in machine/cpu.h so we can actually see CPU_LIDSUSPEND if it's there
- fix the resulting compilation errors now that the code is actually used

"Just go for it" deraadt@

no need to (unsigned) a small constant

freebsd uses SIGINT to request a reboot, we may as well be consistent.

pointed out by kettenis@ and deraadt@

add a SIGQUIT handler that does the same as USR1 and USR2, except it
reboots the machine instead just halting or powering down.

diff from Jonathan Matthew
manpage tweaks from jmc@
ok deraadt@

Add missing err.h include

OK deraadt@

disable lidsuspend when we are powering down

"I like this" marco@, "Sure" deraadt@

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms

malloc(n * m) -> calloc(n, m); ok espie

accept SIGUSR2. Like SIGUSR1, except it makes RB_POWERDOWN mandatory.
This will be used by kernel components which are trying to really really
power the system down. suggested and tested by jason

Fix mem leaks in error path. From NetBSD's coverity analysis. ok pat@
deraadt@

use snprintf; dhill@mindcry.org

turn off accounting when switching to single user;
report bluhm at genua.de; ok henning, krw, deraadt

errno is not specified to be int, but something from errno.h. ok millert@

malloc failures in init? never. but try to be reasonable for one dumb one

spaces

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

snprintf; millert ok

Minor cosmetic nits picked while reading though init.c:
o Use STD{IN,OUT,ERR}_FILENO, not 0-2
o Call exit() from main, not return() (code is never reached anyway)
o Change two cases of '!' into "== NULL"

Style nits. Use STDERR_FILENO, not just 2. Also use parens with
return; David Hill

ansi

rm trailing whitespace

strcpy, sprintf death; mpech ok

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

kill more registers;

millert@ ok

correct type on last arg to execl(); nordin@cse.ogi.edu

mark signal races i cannot fix at the moment

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.

Add DEFAULT_STATE macro to allow ramdisk init to set default state to
single_user, not runcom (/etc/rc).

remove extra externs not needed because of unistd.h (rest of tree will be done later.. contact me if you want to help)

have shutdown code run /etc/rc with arg of "shutdown"; rc.shutdown becomes completely admin-editable

if SIGUSR1 is received, kill gettys, run /etc/rc.shutdown, and halt the machine

zero sigaction before use

LETS_GET_BIG

Use _PATH_DEV, not "/dev/"
Make init(8) call login_fbtab() correctly.

sigset_t; jraynard

some -Wall

(foo *)0 -> NULL

closelog() more often

Update to lite2 -- man page is the only thing that changed.

at session termination, login_fbtab devs back to root

precheck getty devices for existance; if not there shut then down

do not ask for password if none set; from freebsd

Fix netbsd pr bin/2620. Fix dangling pointer while I am at it.

update rcsid

libutil

branches: 1.1.1;
Initial revision

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert

init(8): use err(3) instead of hand-rolled fprintf(3) messages

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Drop special handling of SIGSYS.

Tolerance for up to 25 SIGSYS deliveries was added to init(8) soon after
the addition of sysctl(2) at CSRG, presumably to ease the transition to
the new ABI.

After 25 years of work the ABI transition is finally complete and we can
now safely remove this splint.

In general, we now have better practices and methods for helping userspace
across kernel ABI breaks.

ok deraadt@

Check GETTY_SPACING against the monotonic clock.

Ensures that we can use the check if the system clock is set backwards.

While here, move time retrieval into the child process in start_getty(),
and only get the time if se_started has been set.

ok millert@ tb@

unifdef LOGIN_CAP, we always want to use login.conf
OK jca@, no objection deraadt@

s/CPU_LIDSUSPEND/CPU_LIDACTION/
ok mlarkin

Use the safe idiom of cleaning sensitive data from memory with explicit_bzero,
instead of relying on other methods, after readpassphrase. Some programs on
this diff won't benefit that much since it happens near the terminal path, but
someone might copy the unsafe idiom to another program and place it where it
may leak sensitive data.

Discussed aeons ago with tb@, OK deraadt@ and beck@

Add a new sysctl machdep.lidaction. The sysctl works as follows:

machdep.lidaction=0 # do nothing
machdep.lidaction=1 # suspend
machdep.lidaction=2 # hibernate

lidsuspend is just an alias for lidaction, so if you change one, the
other one will have the same value. The plan is to remove
machdep.lidsuspend eventually when people have upgraded their
/ets/sysctl.conf.

discussed with deraadt, who came up with the new MIB name
no objections mlarkin
ok stsp halex jcs

replace obsolete getpass() by readpassphrase()
OK tedu millert

Use an RB tree instead of BDB to map process->session, ok tedu millert

Pull in <sys/time.h> for struct timespec

ok deraadt@

Do not close the stdio file desciptors in init(8), but dup2(2) them
from /dev/null. The code is taken from daemon(3). Also move this
operation to the beginning.
OK millert@ deraadt@

Remove variable unneeded since introduction of crypt_checkpass

ok millert@

Use NULL rather than 0 for pointers. No binary change.

Remove NULL-checks before free(). ok tb@

use _shadow getpwnam (and crypt_checkpass)

<stdlib.h> is included, so do not need to cast result from
malloc, calloc, realloc*
ok krw millert

Use volatile sig_atomic_t for requested_transition since it is
modified inside signal handlers. Instead of returning a function
pointer, the state functions now return an enum for the next state.
This is used as an index into an array of function pointers to
do the actual state change in transition(). OK deraadt@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Do not define the variable pid twice to avoid a compiler warning.
OK millert@

malloc/memset->calloc. with bonus null check. from peter malone.

Do not raise the securelevel when transitioning from catatonia to
multiuser since we are not actually going multiuser. Fixes a problem
where the securelevel was raised for rc.shutdown even when reboot
was run from single user mode. OK deraadt@

Ignore sysctl failure for CPU_LIDSUSPEND when errno is EOPNOTSUPP.
Just because CPU_LIDSUSPEND is defined in cpu.h does mean it is
actually supported by the hardware. OK halex@

fix "disable lidsuspend on shutdown":
- pull in machine/cpu.h so we can actually see CPU_LIDSUSPEND if it's there
- fix the resulting compilation errors now that the code is actually used

"Just go for it" deraadt@

no need to (unsigned) a small constant

freebsd uses SIGINT to request a reboot, we may as well be consistent.

pointed out by kettenis@ and deraadt@

add a SIGQUIT handler that does the same as USR1 and USR2, except it
reboots the machine instead just halting or powering down.

diff from Jonathan Matthew
manpage tweaks from jmc@
ok deraadt@

Add missing err.h include

OK deraadt@

disable lidsuspend when we are powering down

"I like this" marco@, "Sure" deraadt@

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms

malloc(n * m) -> calloc(n, m); ok espie

accept SIGUSR2. Like SIGUSR1, except it makes RB_POWERDOWN mandatory.
This will be used by kernel components which are trying to really really
power the system down. suggested and tested by jason

Fix mem leaks in error path. From NetBSD's coverity analysis. ok pat@
deraadt@

use snprintf; dhill@mindcry.org

turn off accounting when switching to single user;
report bluhm at genua.de; ok henning, krw, deraadt

errno is not specified to be int, but something from errno.h. ok millert@

malloc failures in init? never. but try to be reasonable for one dumb one

spaces

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

snprintf; millert ok

Minor cosmetic nits picked while reading though init.c:
o Use STD{IN,OUT,ERR}_FILENO, not 0-2
o Call exit() from main, not return() (code is never reached anyway)
o Change two cases of '!' into "== NULL"

Style nits. Use STDERR_FILENO, not just 2. Also use parens with
return; David Hill

ansi

rm trailing whitespace

strcpy, sprintf death; mpech ok

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

kill more registers;

millert@ ok

correct type on last arg to execl(); nordin@cse.ogi.edu

mark signal races i cannot fix at the moment

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.

Add DEFAULT_STATE macro to allow ramdisk init to set default state to
single_user, not runcom (/etc/rc).

remove extra externs not needed because of unistd.h (rest of tree will be done later.. contact me if you want to help)

have shutdown code run /etc/rc with arg of "shutdown"; rc.shutdown becomes completely admin-editable

if SIGUSR1 is received, kill gettys, run /etc/rc.shutdown, and halt the machine

zero sigaction before use

LETS_GET_BIG

Use _PATH_DEV, not "/dev/"
Make init(8) call login_fbtab() correctly.

sigset_t; jraynard

some -Wall

(foo *)0 -> NULL

closelog() more often

Update to lite2 -- man page is the only thing that changed.

at session termination, login_fbtab devs back to root

precheck getty devices for existance; if not there shut then down

do not ask for password if none set; from freebsd

Fix netbsd pr bin/2620. Fix dangling pointer while I am at it.

update rcsid

libutil

branches: 1.1.1;
Initial revision

init(8): use err(3) instead of hand-rolled fprintf(3) messages

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Drop special handling of SIGSYS.

Tolerance for up to 25 SIGSYS deliveries was added to init(8) soon after
the addition of sysctl(2) at CSRG, presumably to ease the transition to
the new ABI.

After 25 years of work the ABI transition is finally complete and we can
now safely remove this splint.

In general, we now have better practices and methods for helping userspace
across kernel ABI breaks.

ok deraadt@

Check GETTY_SPACING against the monotonic clock.

Ensures that we can use the check if the system clock is set backwards.

While here, move time retrieval into the child process in start_getty(),
and only get the time if se_started has been set.

ok millert@ tb@

unifdef LOGIN_CAP, we always want to use login.conf
OK jca@, no objection deraadt@

s/CPU_LIDSUSPEND/CPU_LIDACTION/
ok mlarkin

Use the safe idiom of cleaning sensitive data from memory with explicit_bzero,
instead of relying on other methods, after readpassphrase. Some programs on
this diff won't benefit that much since it happens near the terminal path, but
someone might copy the unsafe idiom to another program and place it where it
may leak sensitive data.

Discussed aeons ago with tb@, OK deraadt@ and beck@

Add a new sysctl machdep.lidaction. The sysctl works as follows:

machdep.lidaction=0 # do nothing
machdep.lidaction=1 # suspend
machdep.lidaction=2 # hibernate

lidsuspend is just an alias for lidaction, so if you change one, the
other one will have the same value. The plan is to remove
machdep.lidsuspend eventually when people have upgraded their
/ets/sysctl.conf.

discussed with deraadt, who came up with the new MIB name
no objections mlarkin
ok stsp halex jcs

replace obsolete getpass() by readpassphrase()
OK tedu millert

Use an RB tree instead of BDB to map process->session, ok tedu millert

Pull in <sys/time.h> for struct timespec

ok deraadt@

Do not close the stdio file desciptors in init(8), but dup2(2) them
from /dev/null. The code is taken from daemon(3). Also move this
operation to the beginning.
OK millert@ deraadt@

Remove variable unneeded since introduction of crypt_checkpass

ok millert@

Use NULL rather than 0 for pointers. No binary change.

Remove NULL-checks before free(). ok tb@

use _shadow getpwnam (and crypt_checkpass)

<stdlib.h> is included, so do not need to cast result from
malloc, calloc, realloc*
ok krw millert

Use volatile sig_atomic_t for requested_transition since it is
modified inside signal handlers. Instead of returning a function
pointer, the state functions now return an enum for the next state.
This is used as an index into an array of function pointers to
do the actual state change in transition(). OK deraadt@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Do not define the variable pid twice to avoid a compiler warning.
OK millert@

malloc/memset->calloc. with bonus null check. from peter malone.

Do not raise the securelevel when transitioning from catatonia to
multiuser since we are not actually going multiuser. Fixes a problem
where the securelevel was raised for rc.shutdown even when reboot
was run from single user mode. OK deraadt@

Ignore sysctl failure for CPU_LIDSUSPEND when errno is EOPNOTSUPP.
Just because CPU_LIDSUSPEND is defined in cpu.h does mean it is
actually supported by the hardware. OK halex@

fix "disable lidsuspend on shutdown":
- pull in machine/cpu.h so we can actually see CPU_LIDSUSPEND if it's there
- fix the resulting compilation errors now that the code is actually used

"Just go for it" deraadt@

no need to (unsigned) a small constant

freebsd uses SIGINT to request a reboot, we may as well be consistent.

pointed out by kettenis@ and deraadt@

add a SIGQUIT handler that does the same as USR1 and USR2, except it
reboots the machine instead just halting or powering down.

diff from Jonathan Matthew
manpage tweaks from jmc@
ok deraadt@

Add missing err.h include

OK deraadt@

disable lidsuspend when we are powering down

"I like this" marco@, "Sure" deraadt@

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms

malloc(n * m) -> calloc(n, m); ok espie

accept SIGUSR2. Like SIGUSR1, except it makes RB_POWERDOWN mandatory.
This will be used by kernel components which are trying to really really
power the system down. suggested and tested by jason

Fix mem leaks in error path. From NetBSD's coverity analysis. ok pat@
deraadt@

use snprintf; dhill@mindcry.org

turn off accounting when switching to single user;
report bluhm at genua.de; ok henning, krw, deraadt

errno is not specified to be int, but something from errno.h. ok millert@

malloc failures in init? never. but try to be reasonable for one dumb one

spaces

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

snprintf; millert ok

Minor cosmetic nits picked while reading though init.c:
o Use STD{IN,OUT,ERR}_FILENO, not 0-2
o Call exit() from main, not return() (code is never reached anyway)
o Change two cases of '!' into "== NULL"

Style nits. Use STDERR_FILENO, not just 2. Also use parens with
return; David Hill

ansi

rm trailing whitespace

strcpy, sprintf death; mpech ok

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

kill more registers;

millert@ ok

correct type on last arg to execl(); nordin@cse.ogi.edu

mark signal races i cannot fix at the moment

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.

Add DEFAULT_STATE macro to allow ramdisk init to set default state to
single_user, not runcom (/etc/rc).

remove extra externs not needed because of unistd.h (rest of tree will be done later.. contact me if you want to help)

have shutdown code run /etc/rc with arg of "shutdown"; rc.shutdown becomes completely admin-editable

if SIGUSR1 is received, kill gettys, run /etc/rc.shutdown, and halt the machine

zero sigaction before use

LETS_GET_BIG

Use _PATH_DEV, not "/dev/"
Make init(8) call login_fbtab() correctly.

sigset_t; jraynard

some -Wall

(foo *)0 -> NULL

closelog() more often

Update to lite2 -- man page is the only thing that changed.

at session termination, login_fbtab devs back to root

precheck getty devices for existance; if not there shut then down

do not ask for password if none set; from freebsd

Fix netbsd pr bin/2620. Fix dangling pointer while I am at it.

update rcsid

libutil

branches: 1.1.1;
Initial revision

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Drop special handling of SIGSYS.

Tolerance for up to 25 SIGSYS deliveries was added to init(8) soon after
the addition of sysctl(2) at CSRG, presumably to ease the transition to
the new ABI.

After 25 years of work the ABI transition is finally complete and we can
now safely remove this splint.

In general, we now have better practices and methods for helping userspace
across kernel ABI breaks.

ok deraadt@

Check GETTY_SPACING against the monotonic clock.

Ensures that we can use the check if the system clock is set backwards.

While here, move time retrieval into the child process in start_getty(),
and only get the time if se_started has been set.

ok millert@ tb@

unifdef LOGIN_CAP, we always want to use login.conf
OK jca@, no objection deraadt@

s/CPU_LIDSUSPEND/CPU_LIDACTION/
ok mlarkin

Use the safe idiom of cleaning sensitive data from memory with explicit_bzero,
instead of relying on other methods, after readpassphrase. Some programs on
this diff won't benefit that much since it happens near the terminal path, but
someone might copy the unsafe idiom to another program and place it where it
may leak sensitive data.

Discussed aeons ago with tb@, OK deraadt@ and beck@

Add a new sysctl machdep.lidaction. The sysctl works as follows:

machdep.lidaction=0 # do nothing
machdep.lidaction=1 # suspend
machdep.lidaction=2 # hibernate

lidsuspend is just an alias for lidaction, so if you change one, the
other one will have the same value. The plan is to remove
machdep.lidsuspend eventually when people have upgraded their
/ets/sysctl.conf.

discussed with deraadt, who came up with the new MIB name
no objections mlarkin
ok stsp halex jcs

replace obsolete getpass() by readpassphrase()
OK tedu millert

Use an RB tree instead of BDB to map process->session, ok tedu millert

Pull in <sys/time.h> for struct timespec

ok deraadt@

Do not close the stdio file desciptors in init(8), but dup2(2) them
from /dev/null. The code is taken from daemon(3). Also move this
operation to the beginning.
OK millert@ deraadt@

Remove variable unneeded since introduction of crypt_checkpass

ok millert@

Use NULL rather than 0 for pointers. No binary change.

Remove NULL-checks before free(). ok tb@

use _shadow getpwnam (and crypt_checkpass)

<stdlib.h> is included, so do not need to cast result from
malloc, calloc, realloc*
ok krw millert

Use volatile sig_atomic_t for requested_transition since it is
modified inside signal handlers. Instead of returning a function
pointer, the state functions now return an enum for the next state.
This is used as an index into an array of function pointers to
do the actual state change in transition(). OK deraadt@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Do not define the variable pid twice to avoid a compiler warning.
OK millert@

malloc/memset->calloc. with bonus null check. from peter malone.

Do not raise the securelevel when transitioning from catatonia to
multiuser since we are not actually going multiuser. Fixes a problem
where the securelevel was raised for rc.shutdown even when reboot
was run from single user mode. OK deraadt@

Ignore sysctl failure for CPU_LIDSUSPEND when errno is EOPNOTSUPP.
Just because CPU_LIDSUSPEND is defined in cpu.h does mean it is
actually supported by the hardware. OK halex@

fix "disable lidsuspend on shutdown":
- pull in machine/cpu.h so we can actually see CPU_LIDSUSPEND if it's there
- fix the resulting compilation errors now that the code is actually used

"Just go for it" deraadt@

no need to (unsigned) a small constant

freebsd uses SIGINT to request a reboot, we may as well be consistent.

pointed out by kettenis@ and deraadt@

add a SIGQUIT handler that does the same as USR1 and USR2, except it
reboots the machine instead just halting or powering down.

diff from Jonathan Matthew
manpage tweaks from jmc@
ok deraadt@

Add missing err.h include

OK deraadt@

disable lidsuspend when we are powering down

"I like this" marco@, "Sure" deraadt@

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms

malloc(n * m) -> calloc(n, m); ok espie

accept SIGUSR2. Like SIGUSR1, except it makes RB_POWERDOWN mandatory.
This will be used by kernel components which are trying to really really
power the system down. suggested and tested by jason

Fix mem leaks in error path. From NetBSD's coverity analysis. ok pat@
deraadt@

use snprintf; dhill@mindcry.org

turn off accounting when switching to single user;
report bluhm at genua.de; ok henning, krw, deraadt

errno is not specified to be int, but something from errno.h. ok millert@

malloc failures in init? never. but try to be reasonable for one dumb one

spaces

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

snprintf; millert ok

Minor cosmetic nits picked while reading though init.c:
o Use STD{IN,OUT,ERR}_FILENO, not 0-2
o Call exit() from main, not return() (code is never reached anyway)
o Change two cases of '!' into "== NULL"

Style nits. Use STDERR_FILENO, not just 2. Also use parens with
return; David Hill

ansi

rm trailing whitespace

strcpy, sprintf death; mpech ok

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

kill more registers;

millert@ ok

correct type on last arg to execl(); nordin@cse.ogi.edu

mark signal races i cannot fix at the moment

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.

Add DEFAULT_STATE macro to allow ramdisk init to set default state to
single_user, not runcom (/etc/rc).

remove extra externs not needed because of unistd.h (rest of tree will be done later.. contact me if you want to help)

have shutdown code run /etc/rc with arg of "shutdown"; rc.shutdown becomes completely admin-editable

if SIGUSR1 is received, kill gettys, run /etc/rc.shutdown, and halt the machine

zero sigaction before use

LETS_GET_BIG

Use _PATH_DEV, not "/dev/"
Make init(8) call login_fbtab() correctly.

sigset_t; jraynard

some -Wall

(foo *)0 -> NULL

closelog() more often

Update to lite2 -- man page is the only thing that changed.

at session termination, login_fbtab devs back to root

precheck getty devices for existance; if not there shut then down

do not ask for password if none set; from freebsd

Fix netbsd pr bin/2620. Fix dangling pointer while I am at it.

update rcsid

libutil

branches: 1.1.1;
Initial revision

Drop special handling of SIGSYS.

Tolerance for up to 25 SIGSYS deliveries was added to init(8) soon after
the addition of sysctl(2) at CSRG, presumably to ease the transition to
the new ABI.

After 25 years of work the ABI transition is finally complete and we can
now safely remove this splint.

In general, we now have better practices and methods for helping userspace
across kernel ABI breaks.

ok deraadt@

Check GETTY_SPACING against the monotonic clock.

Ensures that we can use the check if the system clock is set backwards.

While here, move time retrieval into the child process in start_getty(),
and only get the time if se_started has been set.

ok millert@ tb@

unifdef LOGIN_CAP, we always want to use login.conf
OK jca@, no objection deraadt@

s/CPU_LIDSUSPEND/CPU_LIDACTION/
ok mlarkin

Use the safe idiom of cleaning sensitive data from memory with explicit_bzero,
instead of relying on other methods, after readpassphrase. Some programs on
this diff won't benefit that much since it happens near the terminal path, but
someone might copy the unsafe idiom to another program and place it where it
may leak sensitive data.

Discussed aeons ago with tb@, OK deraadt@ and beck@

Add a new sysctl machdep.lidaction. The sysctl works as follows:

machdep.lidaction=0 # do nothing
machdep.lidaction=1 # suspend
machdep.lidaction=2 # hibernate

lidsuspend is just an alias for lidaction, so if you change one, the
other one will have the same value. The plan is to remove
machdep.lidsuspend eventually when people have upgraded their
/ets/sysctl.conf.

discussed with deraadt, who came up with the new MIB name
no objections mlarkin
ok stsp halex jcs

replace obsolete getpass() by readpassphrase()
OK tedu millert

Use an RB tree instead of BDB to map process->session, ok tedu millert

Pull in <sys/time.h> for struct timespec

ok deraadt@

Do not close the stdio file desciptors in init(8), but dup2(2) them
from /dev/null. The code is taken from daemon(3). Also move this
operation to the beginning.
OK millert@ deraadt@

Remove variable unneeded since introduction of crypt_checkpass

ok millert@

Use NULL rather than 0 for pointers. No binary change.

Remove NULL-checks before free(). ok tb@

use _shadow getpwnam (and crypt_checkpass)

<stdlib.h> is included, so do not need to cast result from
malloc, calloc, realloc*
ok krw millert

Use volatile sig_atomic_t for requested_transition since it is
modified inside signal handlers. Instead of returning a function
pointer, the state functions now return an enum for the next state.
This is used as an index into an array of function pointers to
do the actual state change in transition(). OK deraadt@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Do not define the variable pid twice to avoid a compiler warning.
OK millert@

malloc/memset->calloc. with bonus null check. from peter malone.

Do not raise the securelevel when transitioning from catatonia to
multiuser since we are not actually going multiuser. Fixes a problem
where the securelevel was raised for rc.shutdown even when reboot
was run from single user mode. OK deraadt@

Ignore sysctl failure for CPU_LIDSUSPEND when errno is EOPNOTSUPP.
Just because CPU_LIDSUSPEND is defined in cpu.h does mean it is
actually supported by the hardware. OK halex@

fix "disable lidsuspend on shutdown":
- pull in machine/cpu.h so we can actually see CPU_LIDSUSPEND if it's there
- fix the resulting compilation errors now that the code is actually used

"Just go for it" deraadt@

no need to (unsigned) a small constant

freebsd uses SIGINT to request a reboot, we may as well be consistent.

pointed out by kettenis@ and deraadt@

add a SIGQUIT handler that does the same as USR1 and USR2, except it
reboots the machine instead just halting or powering down.

diff from Jonathan Matthew
manpage tweaks from jmc@
ok deraadt@

Add missing err.h include

OK deraadt@

disable lidsuspend when we are powering down

"I like this" marco@, "Sure" deraadt@

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms

malloc(n * m) -> calloc(n, m); ok espie

accept SIGUSR2. Like SIGUSR1, except it makes RB_POWERDOWN mandatory.
This will be used by kernel components which are trying to really really
power the system down. suggested and tested by jason

Fix mem leaks in error path. From NetBSD's coverity analysis. ok pat@
deraadt@

use snprintf; dhill@mindcry.org

turn off accounting when switching to single user;
report bluhm at genua.de; ok henning, krw, deraadt

errno is not specified to be int, but something from errno.h. ok millert@

malloc failures in init? never. but try to be reasonable for one dumb one

spaces

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

snprintf; millert ok

Minor cosmetic nits picked while reading though init.c:
o Use STD{IN,OUT,ERR}_FILENO, not 0-2
o Call exit() from main, not return() (code is never reached anyway)
o Change two cases of '!' into "== NULL"

Style nits. Use STDERR_FILENO, not just 2. Also use parens with
return; David Hill

ansi

rm trailing whitespace

strcpy, sprintf death; mpech ok

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

kill more registers;

millert@ ok

correct type on last arg to execl(); nordin@cse.ogi.edu

mark signal races i cannot fix at the moment

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.

Add DEFAULT_STATE macro to allow ramdisk init to set default state to
single_user, not runcom (/etc/rc).

remove extra externs not needed because of unistd.h (rest of tree will be done later.. contact me if you want to help)

have shutdown code run /etc/rc with arg of "shutdown"; rc.shutdown becomes completely admin-editable

if SIGUSR1 is received, kill gettys, run /etc/rc.shutdown, and halt the machine

zero sigaction before use

LETS_GET_BIG

Use _PATH_DEV, not "/dev/"
Make init(8) call login_fbtab() correctly.

sigset_t; jraynard

some -Wall

(foo *)0 -> NULL

closelog() more often

Update to lite2 -- man page is the only thing that changed.

at session termination, login_fbtab devs back to root

precheck getty devices for existance; if not there shut then down

do not ask for password if none set; from freebsd

Fix netbsd pr bin/2620. Fix dangling pointer while I am at it.

update rcsid

libutil

branches: 1.1.1;
Initial revision

Check GETTY_SPACING against the monotonic clock.

Ensures that we can use the check if the system clock is set backwards.

While here, move time retrieval into the child process in start_getty(),
and only get the time if se_started has been set.

ok millert@ tb@

unifdef LOGIN_CAP, we always want to use login.conf
OK jca@, no objection deraadt@

s/CPU_LIDSUSPEND/CPU_LIDACTION/
ok mlarkin

Use the safe idiom of cleaning sensitive data from memory with explicit_bzero,
instead of relying on other methods, after readpassphrase. Some programs on
this diff won't benefit that much since it happens near the terminal path, but
someone might copy the unsafe idiom to another program and place it where it
may leak sensitive data.

Discussed aeons ago with tb@, OK deraadt@ and beck@

Add a new sysctl machdep.lidaction. The sysctl works as follows:

machdep.lidaction=0 # do nothing
machdep.lidaction=1 # suspend
machdep.lidaction=2 # hibernate

lidsuspend is just an alias for lidaction, so if you change one, the
other one will have the same value. The plan is to remove
machdep.lidsuspend eventually when people have upgraded their
/ets/sysctl.conf.

discussed with deraadt, who came up with the new MIB name
no objections mlarkin
ok stsp halex jcs

replace obsolete getpass() by readpassphrase()
OK tedu millert

Use an RB tree instead of BDB to map process->session, ok tedu millert

Pull in <sys/time.h> for struct timespec

ok deraadt@

Do not close the stdio file desciptors in init(8), but dup2(2) them
from /dev/null. The code is taken from daemon(3). Also move this
operation to the beginning.
OK millert@ deraadt@

Remove variable unneeded since introduction of crypt_checkpass

ok millert@

Use NULL rather than 0 for pointers. No binary change.

Remove NULL-checks before free(). ok tb@

use _shadow getpwnam (and crypt_checkpass)

<stdlib.h> is included, so do not need to cast result from
malloc, calloc, realloc*
ok krw millert

Use volatile sig_atomic_t for requested_transition since it is
modified inside signal handlers. Instead of returning a function
pointer, the state functions now return an enum for the next state.
This is used as an index into an array of function pointers to
do the actual state change in transition(). OK deraadt@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

Do not define the variable pid twice to avoid a compiler warning.
OK millert@

malloc/memset->calloc. with bonus null check. from peter malone.

Do not raise the securelevel when transitioning from catatonia to
multiuser since we are not actually going multiuser. Fixes a problem
where the securelevel was raised for rc.shutdown even when reboot
was run from single user mode. OK deraadt@

Ignore sysctl failure for CPU_LIDSUSPEND when errno is EOPNOTSUPP.
Just because CPU_LIDSUSPEND is defined in cpu.h does mean it is
actually supported by the hardware. OK halex@

fix "disable lidsuspend on shutdown":
- pull in machine/cpu.h so we can actually see CPU_LIDSUSPEND if it's there
- fix the resulting compilation errors now that the code is actually used

"Just go for it" deraadt@

no need to (unsigned) a small constant

freebsd uses SIGINT to request a reboot, we may as well be consistent.

pointed out by kettenis@ and deraadt@

add a SIGQUIT handler that does the same as USR1 and USR2, except it
reboots the machine instead just halting or powering down.

diff from Jonathan Matthew
manpage tweaks from jmc@
ok deraadt@

Add missing err.h include

OK deraadt@

disable lidsuspend when we are powering down

"I like this" marco@, "Sure" deraadt@

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms

malloc(n * m) -> calloc(n, m); ok espie

accept SIGUSR2. Like SIGUSR1, except it makes RB_POWERDOWN mandatory.
This will be used by kernel components which are trying to really really
power the system down. suggested and tested by jason

Fix mem leaks in error path. From NetBSD's coverity analysis. ok pat@
deraadt@

use snprintf; dhill@mindcry.org

turn off accounting when switching to single user;
report bluhm at genua.de; ok henning, krw, deraadt

errno is not specified to be int, but something from errno.h. ok millert@

malloc failures in init? never. but try to be reasonable for one dumb one

spaces

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

snprintf; millert ok

Minor cosmetic nits picked while reading though init.c:
o Use STD{IN,OUT,ERR}_FILENO, not 0-2
o Call exit() from main, not return() (code is never reached anyway)
o Change two cases of '!' into "== NULL"

Style nits. Use STDERR_FILENO, not just 2. Also use parens with
return; David Hill

ansi

rm trailing whitespace

strcpy, sprintf death; mpech ok

We live in an ANSI C world. Remove lots of gratuitous #ifdef __STDC__ cruft.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

kill more registers;

millert@ ok

correct type on last arg to execl(); nordin@cse.ogi.edu

mark signal races i cannot fix at the moment

Add calls to setusercontext() and login_get*(). We basically call
setusercontext() in most places where previously we did a setlogin().
Add default login.conf file and put root in the "daemon" login class.

Add DEFAULT_STATE macro to allow ramdisk init to set default state to
single_user, not runcom (/etc/rc).

remove extra externs not needed because of unistd.h (rest of tree will be done later.. contact me if you want to help)

have shutdown code run /etc/rc with arg of "shutdown"; rc.shutdown becomes completely admin-editable

if SIGUSR1 is received, kill gettys, run /etc/rc.shutdown, and halt the machine

zero sigaction before use

LETS_GET_BIG

Use _PATH_DEV, not "/dev/"
Make init(8) call login_fbtab() correctly.

sigset_t; jraynard

some -Wall

(foo *)0 -> NULL

closelog() more often

Update to lite2 -- man page is the only thing that changed.

at session termination, login_fbtab devs back to root

precheck getty devices for existance; if not there shut then down

do not ask for password if none set; from freebsd

Fix netbsd pr bin/2620. Fix dangling pointer while I am at it.

update rcsid

libutil

branches: 1.1.1;
Initial revision

unifdef LOGIN_CAP, we always want to use login.conf
OK jca@, no objection deraadt@

s/CPU_LIDSUSPEND/CPU_LIDACTION/
ok mlarkin

Use the safe idiom of cleaning sensitive data from memory with explicit_bzero,
instead of relying on other methods, after readpassphrase. Some programs on
this diff won't benefit that much since it happens near the terminal path, but
someone might copy the unsafe idiom to another program and place it where it
may leak sensitive data.

Discussed aeons ago with tb@, OK deraadt@ and beck@

Add a new sysctl machdep.lidaction. The sysctl works as follows:

machdep.lidaction=0 # do nothing
machdep.lidaction=1 # suspend
machdep.lidaction=2 # hibernate

lidsuspend is just an alias for lidaction, so if you change one, the
other one will have the same value. The plan is to remove
machdep.lidsuspend eventually when people have upgraded their
/ets/sysctl.conf.

discussed with deraadt, who came up with the new MIB name
no objections mlarkin
ok stsp halex jcs

replace obsolete getpass() by readpassphrase()
OK tedu millert

Use an RB tree instead of BDB to map process->session, ok tedu millert

Pull in <sys/time.h> for struct timespec

ok deraadt@

Do not close the stdio file desciptors in init(8), but dup2(2) them
from /dev/null. The code is taken from daemon(3). Also move this
operation to the beginning.
OK millert@ deraadt@

Remove variable unneeded since introduction of crypt_checkpass

ok millert@

Use NULL rather than 0 for pointers. No binary change.

Remove NULL-checks before free(). ok tb@

use _shadow getpwnam (and crypt_checkpass)