History log of /openbsd-current/sbin/shutdown/shutdown.c
Revision Date Author Comments
# 1.56 28-Apr-2024 florian

gmtime(3) / localtime(3) can fail when timestamps are way off.

Add missing error checks to all calls under sbin/

Input & OK millert


Revision tags: OPENBSD_7_4_BASE OPENBSD_7_5_BASE
# 1.55 19-Apr-2023 jsg

remove duplicate includes


Revision tags: OPENBSD_7_3_BASE
# 1.54 13-Jan-2023 cheloha

shutdown(8): sig_atomic_t variables should be qualified 'volatile'


Revision tags: OPENBSD_7_0_BASE OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.53 12-Jul-2021 beck

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occurred on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.52 03-Aug-2018 deraadt

Move pledge after getopt when we know whether the operation is reboot,
powerdown, halt, or singleuser. Before pledge, unveil access to
/dev/console, /etc/rc for singleuser entry, execute of /usr/bin/wall
to alert users, and creation of the fastboot and nologin files. Also
conditionally allow execute of halt, reboot, or the shell depending on mode.
Believe all scenarios were tested -- please exercise this one a bit.


# 1.51 07-Apr-2018 cheloha

Display local timezone in all deadline estimates.

Admins don't necessarily reside in the same timezone as the
machine. If an admin mistakenly schedules downtime for a
machine at the wrong time this could be quite bad.

Users, too, don't necessarily reside in the same timezone as the
machine. Saying the box is going down at "15:40" is potentially
ambiguous.

So, display the local timezone in all logs, broadcasts, printouts,
messages, etc. Give the admin a chance to correct the mistake; give
the user a better idea of when the box is actually going down.

This also updates the process' understanding of the present time
before printing estimates. The system's wall clock could have
changed after the shutdown was scheduled, making subsequent
broadcasts potentially misleading for users.

ok deraadt@


Revision tags: OPENBSD_6_3_BASE
# 1.50 19-Mar-2018 cheloha

Disallow "++minutes".

strtonum(3) accepts a single leading '+', so if we increment timearg we
allow input with two leading pluses. If we don't increment, we still
have a valid input for strtonum(3).

While here, use errstr to say what was wrong with timearg.

Don't increase the range for offsets yet: it exposes segfaults elsewhere
in the program that need to be addressed.

ok millert@ tb@


# 1.49 02-Mar-2018 cheloha

Refactor the countdown loop() to simplify it.

If we insert our offset into tlist[] and then process tlist[] like an
array we can eliminate many of the special cases and duplicate calls
in loop().

While we're at it, change struct interval and timewarn() to use time_t
to eliminate the need for some of the casting and add explicit long-long
suffixes to the constants in tlist[] to head off overflow if the code
wanders off.

With type-related input from tb@ and a style tweak from anton@.

ok tb@


# 1.48 24-Feb-2018 cheloha

Replace popen/setjmp/pclose with a manual pipe/fork/exec/wait.

We can limit the time we wait on wall(1) without the complexity
inherent to setjmp.

Actually wait (instead of waitpid) to pick up any straggler wall
processes from prior timewarn() calls.

With a tweak from millert@ to ensure we don't accidentally close
stdin before we exec wall.

ok millert@ tb@


# 1.47 04-Feb-2018 cheloha

fprintf(stderr -> warnx

ok jca@ tb@ deraadt@


Revision tags: OPENBSD_6_2_BASE
# 1.46 03-Apr-2017 fcambus

warn format string should be literal.

OK deraadt@, millert@


Revision tags: OPENBSD_6_1_BASE
# 1.45 01-Sep-2016 deraadt

Aggressively use dprintf, rather than crazy unchecked writes. Use
localtime() since it tends to work better than ctime() when some
filesystems are absent.
ok guenther


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.44 16-Nov-2015 deraadt

initially, pledge "stdio rpath wpath cpath getpw tty id proc exec", yes
it sounds like a lot, but this will eventually run the /etc/rc scripts
to shutdown, then run reboot or halt. After looking at getpw*, drop
pledge "getpw". Later drop to just "stdio exec"...

This depends on new pledge semantics for revoke(2).

with help from jca
ok guenther millert semarie tedu jca


Revision tags: OPENBSD_5_8_BASE
# 1.43 23-Apr-2015 deraadt

error in strtonum() conversion; found by Nathanael Rensen


# 1.42 18-Apr-2015 deraadt

Convert many atoi() calls to strtonum(), adding range checks and failure
handling along the way.
Reviews by Brendan MacDonell, Jeremy Devenport, florian, doug, millert


# 1.41 15-Mar-2015 millert

tzfile.h is an internal header that should never have been installed.
What's worse, the tzfile.h that gets installed is over 20 years old
and doesn't match the real tzfile.h in libc/time. This makes the
tree safe for /usr/include/tzfile.h removal. The TM_YEAR_BASE
define has been moved to time.h temporarily until its usage is
replaced by 1900 in the tree. Actual removal of tzfile.h is pending
a ports build. Based on a diff from deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.40 21-Jan-2015 naddy

Build the argument list for halt/reboot without excessive use of
the conditional operator. Adapted from NetBSD. ok miod@


# 1.39 21-Jan-2015 naddy

Use plain "-p" to specify "halt and power down", for consistency
and compatibility with other BSDs. Adapted from FreeBSD.
Still permit the combination "-hp" as requested by many.
ok sthen@


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.37 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.36 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.35 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.34 18-Oct-2006 cloder

Replace gcc __attribute with __dead. Recompile yields no binary change.


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.33 02-Dec-2005 deraadt

more sig_atomic_t


Revision tags: OPENBSD_3_8_BASE
# 1.32 19-May-2005 jmc

sort options + sync usage();


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.31 24-Jan-2004 deraadt

minor knf


Revision tags: OPENBSD_3_4_BASE
# 1.30 30-Jul-2003 avsm

NULL -> (char *)NULL in execle; ok millert@


# 1.29 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


# 1.28 16-Apr-2003 mickey

use errx instead of fprintf+exit; millert@ ok


Revision tags: OPENBSD_3_3_BASE
# 1.27 08-Dec-2002 millert

GNU semantics say that if optstring begins with '-' then
each non-option shall be treated as arguments to option '\1'.

BSD getopt match '-' in optstring with a '-' on the command line.
This is used to support deprecated options like "su -" that would
otherwise prevent the use of getopt().

Resolving this simply requires that the leading '-' be moved somewhere
else (I moved it to the end of optstring) since position within
optstring is not meaningful.


Revision tags: OPENBSD_3_2_BASE
# 1.26 03-Jul-2002 deraadt

ansi


# 1.25 26-May-2002 deraadt

pid_t cleanup


Revision tags: OPENBSD_3_1_BASE
# 1.24 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


# 1.23 05-Nov-2001 mpech

kill more registers;

millert@ ok


Revision tags: OPENBSD_3_0_BASE
# 1.22 09-Jul-2001 deraadt

correct type on last arg to execl(); nordin@cse.ogi.edu


# 1.21 07-Jul-2001 deraadt

major -Wall cleanup, almost complete


Revision tags: OPENBSD_2_9_BASE
# 1.20 19-Jan-2001 deraadt

mark signal races i cannot fix at the moment


# 1.19 15-Jan-2001 deraadt

use _exit() in term handler if real signal


Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE
# 1.18 15-Jan-2000 ericj

add 'd' to usage. mention rc.shutdown in the man page.


Revision tags: OPENBSD_2_6_BASE
# 1.17 03-Sep-1999 deraadt

have shutdown code run /etc/rc with arg of "shutdown"; rc.shutdown becomes completely admin-editable


# 1.16 19-Jul-1999 deraadt

if we run /etc/rc.shutdown ourselves, do it on /dev/console


# 1.15 29-Apr-1999 alex

Y2K fix: allow 'shutdown yymmddhhmm' to work in the next century.


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.14 25-Apr-1998 millert

run rc.shutdown even if -r or -h is not specified


Revision tags: OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.13 04-Sep-1997 mickey

use err()/warn()/__progname where appropriate, consolidate string, some -Wall


# 1.12 24-Aug-1997 deraadt

give shutdown daemon own session; dima@tejblum.dnttm.rssi.ru


# 1.11 25-Jul-1997 mickey

do -d for reboot and halt


# 1.10 25-Jul-1997 mickey

-Wall


# 1.9 23-Jun-1997 downsj

Slightly cleaner. (Change nosync to an int, like the rest.)


# 1.8 22-Jun-1997 downsj

Support halt -p.


Revision tags: OPENBSD_2_1_BASE
# 1.7 15-Jan-1997 millert

getopt(3) returns -1 when out of args, not EOF, whee!


# 1.6 22-Dec-1996 deraadt

MAXHOSTNAMELEN, not +1


Revision tags: OPENBSD_2_0_BASE
# 1.5 20-Sep-1996 deraadt

call execle with the correct params; netbsd pr#2737, augustss@cs.chalmers.se


# 1.4 02-Sep-1996 deraadt

whoops


# 1.3 02-Sep-1996 deraadt

bad environ init; from brian@saturn.net


# 1.2 23-Jun-1996 deraadt

update rcsid


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.55 19-Apr-2023 jsg

remove duplicate includes


Revision tags: OPENBSD_7_3_BASE
# 1.54 13-Jan-2023 cheloha

shutdown(8): sig_atomic_t variables should be qualified 'volatile'


Revision tags: OPENBSD_7_0_BASE OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.53 12-Jul-2021 beck

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.52 03-Aug-2018 deraadt

Move pledge after getopt when we know whether the operation is reboot,
powerdown, halt, or singleuser. Before pledge, unveil access to
/dev/console, /etc/rc for singleuser entry, execute of /usr/bin/wall
to alert users, and creation of the fastboot and nologin files. Also
conditionally allow execute of halt, reboot, or the shell depending on mode.
Believe all scenarios were tested -- please exercise this one a bit.


# 1.51 07-Apr-2018 cheloha

Display local timezone in all deadline estimates.

Admins don't necessarily reside in the same timezone as the
machine. If an admin mistakenly schedules downtime for a
machine at the wrong time this could be quite bad.

Users, too, don't necessarily reside in the same timezone as the
machine. Saying the box is going down at "15:40" is potentially
ambiguous.

So, display the local timezone in all logs, broadcasts, printouts,
messages, etc. Give the admin a chance to correct the mistake; give
the user a better idea of when the box is actually going down.

This also updates the process' understanding of the present time
before printing estimates. The system's wall clock could have
changed after the shutdown was scheduled, making subsequent
broadcasts potentially misleading for users.

ok deraadt@


Revision tags: OPENBSD_6_3_BASE
# 1.50 19-Mar-2018 cheloha

Disallow "++minutes".

strtonum(3) accepts a single leading '+', so if we increment timearg we
allow input with two leading pluses. If we don't increment, we still
have a valid input for strtonum(3).

While here, use errstr to say what was wrong with timearg.

Don't increase the range for offsets yet: it exposes segfaults elsewhere
in the program that need to be addressed.

ok millert@ tb@


# 1.49 02-Mar-2018 cheloha

Refactor the countdown loop() to simplify it.

If we insert our offset into tlist[] and then process tlist[] like an
array we can eliminate many of the special cases and duplicate calls
in loop().

While we're at it, change struct interval and timewarn() to use time_t
to eliminate the need for some of the casting and add explicit long-long
suffixes to the constants in tlist[] to head off overflow if the code
wanders off.

With type-related input from tb@ and a style tweak from anton@.

ok tb@


# 1.48 24-Feb-2018 cheloha

Replace popen/setjmp/pclose with a manual pipe/fork/exec/wait.

We can limit the time we wait on wall(1) without the complexity
inherent to setjmp.

Actually wait (instead of waitpid) to pick up any straggler wall
processes from prior timewarn() calls.

With a tweak from millert@ to ensure we don't accidentally close
stdin before we exec wall.

ok millert@ tb@


# 1.47 04-Feb-2018 cheloha

fprintf(stderr -> warnx

ok jca@ tb@ deraadt@


Revision tags: OPENBSD_6_2_BASE
# 1.46 03-Apr-2017 fcambus

warn format string should be literal.

OK deraadt@, millert@


Revision tags: OPENBSD_6_1_BASE
# 1.45 01-Sep-2016 deraadt

Aggressively use dprintf, rather than crazy unchecked writes. Use
localtime() since it tends to work better than ctime() when some
filesystems are absent.
ok guenther


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.44 16-Nov-2015 deraadt

initially, pledge "stdio rpath wpath cpath getpw tty id proc exec", yes
it sounds like a lot, but this will eventually run the /etc/rc scripts
to shutdown, then run reboot or halt. After looking at getpw*, drop
pledge "getpw". Later drop to just "stdio exec"...

This depends on new pledge semantics for revoke(2).

with help from jca
ok guenther millert semarie tedu jca


Revision tags: OPENBSD_5_8_BASE
# 1.43 23-Apr-2015 deraadt

error in strtonum() conversion; found by Nathanael Rensen


# 1.42 18-Apr-2015 deraadt

Convert many atoi() calls to strtonum(), adding range checks and failure
handling along the way.
Reviews by Brendan MacDonell, Jeremy Devenport, florian, doug, millert


# 1.41 15-Mar-2015 millert

tzfile.h is an internal header that should never have been installed.
What's worse, the tzfile.h that gets installed is over 20 years old
and doesn't match the real tzfile.h in libc/time. This makes the
tree safe for /usr/include/tzfile.h removal. The TM_YEAR_BASE
define has been moved to time.h temporarily until its usage is
replaced by 1900 in the tree. Actual removal of tzfile.h is pending
a ports build. Based on a diff from deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.40 21-Jan-2015 naddy

Build the argument list for halt/reboot without excessive use of
the conditional operator. Adapted from NetBSD. ok miod@


# 1.39 21-Jan-2015 naddy

Use plain "-p" to specify "halt and power down", for consistency
and compatibility with other BSDs. Adapted from FreeBSD.
Still permit the combination "-hp" as requested by many.
ok sthen@


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.37 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.36 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified not arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.35 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.34 18-Oct-2006 cloder

Replace gcc __attribute with __dead. Recompile yields no binary change.


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.33 02-Dec-2005 deraadt

more sig_atomic_t


Revision tags: OPENBSD_3_8_BASE
# 1.32 19-May-2005 jmc

sort options + sync usage();


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.31 24-Jan-2004 deraadt

minor knf


Revision tags: OPENBSD_3_4_BASE
# 1.30 30-Jul-2003 avsm

NULL -> (char *)NULL in execle; ok millert@


# 1.29 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


# 1.28 16-Apr-2003 mickey

use errx instead of fprintf+exit; millert@ ok


Revision tags: OPENBSD_3_3_BASE
# 1.27 08-Dec-2002 millert

GNU semantics say that if optstring begins with '-' then
each non-option shall be treated as arguments to option '\1'.

BSD getopt match '-' in optstring with a '-' on the command line.
This is used to support deprecated options like "su -" that would
otherwise prevent the use of getopt().

Resolving this simply requires that the leading '-' be moved somewhere
else (I moved it to the end of optstring) since position within
optstring is not meaningful.


Revision tags: OPENBSD_3_2_BASE
# 1.26 03-Jul-2002 deraadt

ansi


# 1.25 26-May-2002 deraadt

pid_t cleanup


Revision tags: OPENBSD_3_1_BASE
# 1.24 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


# 1.23 05-Nov-2001 mpech

kill more registers;

millert@ ok


Revision tags: OPENBSD_3_0_BASE
# 1.22 09-Jul-2001 deraadt

correct type on last arg to execl(); nordin@cse.ogi.edu


# 1.21 07-Jul-2001 deraadt

major -Wall cleanup, almost complete


Revision tags: OPENBSD_2_9_BASE
# 1.20 19-Jan-2001 deraadt

mark signal races i cannot fix at the moment


# 1.19 15-Jan-2001 deraadt

use _exit() in term handler if real signal


Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE
# 1.18 15-Jan-2000 ericj

add 'd' to usage. mention rc.shutdown in the man page.


Revision tags: OPENBSD_2_6_BASE
# 1.17 03-Sep-1999 deraadt

have shutdown code run /etc/rc with arg of "shutdown"; rc.shutdown becomes completely admin-editable


# 1.16 19-Jul-1999 deraadt

if we run /etc/rc.shutdown ourselves, do it on /dev/console


# 1.15 29-Apr-1999 alex

Y2K fix: allow 'shutdown yymmddhhmm' to work in the next century.


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.14 25-Apr-1998 millert

run rc.shutdown even if -r or -h is not specified


Revision tags: OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.13 04-Sep-1997 mickey

use err()/warn()/__progname where appropriate, consolidate string, some -Wall


# 1.12 24-Aug-1997 deraadt

give shutdown daemon own session; dima@tejblum.dnttm.rssi.ru


# 1.11 25-Jul-1997 mickey

do -d for reboot and halt


# 1.10 25-Jul-1997 mickey

-Wall


# 1.9 23-Jun-1997 downsj

Slightly cleaner. (Change nosync to an int, like the rest.)


# 1.8 22-Jun-1997 downsj

Support halt -p.


Revision tags: OPENBSD_2_1_BASE
# 1.7 15-Jan-1997 millert

getopt(3) returns -1 when out of args, not EOF, whee!


# 1.6 22-Dec-1996 deraadt

MAXHOSTNAMELEN, not +1


Revision tags: OPENBSD_2_0_BASE
# 1.5 20-Sep-1996 deraadt

call execle with the correct params; netbsd pr#2737, augustss@cs.chalmers.se


# 1.4 02-Sep-1996 deraadt

whoops


# 1.3 02-Sep-1996 deraadt

bad environ init; from brian@saturn.net


# 1.2 23-Jun-1996 deraadt

update rcsid


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.54 13-Jan-2023 cheloha

shutdown(8): sig_atomic_t variables should be qualified 'volatile'


Revision tags: OPENBSD_7_0_BASE OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.53 12-Jul-2021 beck

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.52 03-Aug-2018 deraadt

Move pledge after getopt when we know whether the operation is reboot,
powerdown, halt, or singleuser. Before pledge, unveil access to
/dev/console, /etc/rc for singleuser entry, execute of /usr/bin/wall
to alert users, and creation of the fastboot and nologin files. Also
conditionally allow execute of halt, reboot, or the shell depending on mode.
Believe all scenarios were tested -- please exercise this one a bit.


# 1.51 07-Apr-2018 cheloha

Display local timezone in all deadline estimates.

Admins don't necessarily reside in the same timezone as the
machine. If an admin mistakenly schedules downtime for a
machine at the wrong time this could be quite bad.

Users, too, don't necessarily reside in the same timezone as the
machine. Saying the box is going down at "15:40" is potentially
ambiguous.

So, display the local timezone in all logs, broadcasts, printouts,
messages, etc. Give the admin a chance to correct the mistake; give
the user a better idea of when the box is actually going down.

This also updates the process' understanding of the present time
before printing estimates. The system's wall clock could have
changed after the shutdown was scheduled, making subsequent
broadcasts potentially misleading for users.

ok deraadt@


Revision tags: OPENBSD_6_3_BASE
# 1.50 19-Mar-2018 cheloha

Disallow "++minutes".

strtonum(3) accepts a single leading '+', so if we increment timearg we
allow input with two leading pluses. If we don't increment, we still
have a valid input for strtonum(3).

While here, use errstr to say what was wrong with timearg.

Don't increase the range for offsets yet: it exposes segfaults elsewhere
in the program that need to be addressed.

ok millert@ tb@


# 1.49 02-Mar-2018 cheloha

Refactor the countdown loop() to simplify it.

If we insert our offset into tlist[] and then process tlist[] like an
array we can eliminate many of the special cases and duplicate calls
in loop().

While we're at it, change struct interval and timewarn() to use time_t
to eliminate the need for some of the casting and add explicit long-long
suffixes to the constants in tlist[] to head off overflow if the code
wanders off.

With type-related input from tb@ and a style tweak from anton@.

ok tb@


# 1.48 24-Feb-2018 cheloha

Replace popen/setjmp/pclose with a manual pipe/fork/exec/wait.

We can limit the time we wait on wall(1) without the complexity
inherent to setjmp.

Actually wait (instead of waitpid) to pick up any straggler wall
processes from prior timewarn() calls.

With a tweak from millert@ to ensure we don't accidentally close
stdin before we exec wall.

ok millert@ tb@


# 1.47 04-Feb-2018 cheloha

fprintf(stderr -> warnx

ok jca@ tb@ deraadt@


Revision tags: OPENBSD_6_2_BASE
# 1.46 03-Apr-2017 fcambus

warn format string should be literal.

OK deraadt@, millert@


Revision tags: OPENBSD_6_1_BASE
# 1.45 01-Sep-2016 deraadt

Aggressively use dprintf, rather than crazy unchecked writes. Use
localtime() since it tends to work better than ctime() when some
filesystems are absent.
ok guenther


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.44 16-Nov-2015 deraadt

initially, pledge "stdio rpath wpath cpath getpw tty id proc exec", yes
it sounds like a lot, but this will eventually run the /etc/rc scripts
to shutdown, then run reboot or halt. After looking at getpw*, drop
pledge "getpw". Later drop to just "stdio exec"...

This depends on new pledge semantics for revoke(2).

with help from jca
ok guenther millert semarie tedu jca


Revision tags: OPENBSD_5_8_BASE
# 1.43 23-Apr-2015 deraadt

error in strtonum() conversion; found by Nathanael Rensen


# 1.42 18-Apr-2015 deraadt

Convert many atoi() calls to strtonum(), adding range checks and failure
handling along the way.
Reviews by Brendan MacDonell, Jeremy Devenport, florian, doug, millert


# 1.41 15-Mar-2015 millert

tzfile.h is an internal header that should never have been installed.
What's worse, the tzfile.h that gets installed is over 20 years old
and doesn't match the real tzfile.h in libc/time. This makes the
tree safe for /usr/include/tzfile.h removal. The TM_YEAR_BASE
define has been moved to time.h temporarily until its usage is
replaced by 1900 in the tree. Actual removal of tzfile.h is pending
a ports build. Based on a diff from deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.40 21-Jan-2015 naddy

Build the argument list for halt/reboot without excessive use of
the conditional operator. Adapted from NetBSD. ok miod@


# 1.39 21-Jan-2015 naddy

Use plain "-p" to specify "halt and power down", for consistency
and compatibility with other BSDs. Adapted from FreeBSD.
Still permit the combination "-hp" as requested by many.
ok sthen@


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.37 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.36 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified not arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.35 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.34 18-Oct-2006 cloder

Replace gcc __attribute with __dead. Recompile yields no binary change.


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.33 02-Dec-2005 deraadt

more sig_atomic_t


Revision tags: OPENBSD_3_8_BASE
# 1.32 19-May-2005 jmc

sort options + sync usage();


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.31 24-Jan-2004 deraadt

minor knf


Revision tags: OPENBSD_3_4_BASE
# 1.30 30-Jul-2003 avsm

NULL -> (char *)NULL in execle; ok millert@


# 1.29 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


# 1.28 16-Apr-2003 mickey

use errx instead of fprintf+exit; millert@ ok


Revision tags: OPENBSD_3_3_BASE
# 1.27 08-Dec-2002 millert

GNU semantics say that if optstring begins with '-' then
each non-option shall be treated as arguments to option '\1'.

BSD getopt match '-' in optstring with a '-' on the command line.
This is used to support deprecated options like "su -" that would
otherwise prevent the use of getopt().

Resolving this simply requires that the leading '-' be moved somewhere
else (I moved it to the end of optstring) since position within
optstring is not meaningful.


Revision tags: OPENBSD_3_2_BASE
# 1.26 03-Jul-2002 deraadt

ansi


# 1.25 26-May-2002 deraadt

pid_t cleanup


Revision tags: OPENBSD_3_1_BASE
# 1.24 16-Feb-2002 millert



Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.36 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.35 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.34 18-Oct-2006 cloder

Replace gcc __attribute with __dead. Recompile yields no binary change.


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.33 02-Dec-2005 deraadt

more sig_atomic_t


Revision tags: OPENBSD_3_8_BASE
# 1.32 19-May-2005 jmc

sort options + sync usage();


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.31 24-Jan-2004 deraadt

minor knf


Revision tags: OPENBSD_3_4_BASE
# 1.30 30-Jul-2003 avsm

NULL -> (char *)NULL in execle; ok millert@


# 1.29 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


# 1.28 16-Apr-2003 mickey

use errx instead of fprintf+exit; millert@ ok


Revision tags: OPENBSD_3_3_BASE
# 1.27 08-Dec-2002 millert

GNU semantics say that if optstring begins with '-' then
each non-option shall be treated as arguments to option '\1'.

BSD getopt match '-' in optstring with a '-' on the command line.
This is used to support deprecated options like "su -" that would
otherwise prevent the use of getopt().

Resolving this simply requires that the leading '-' be moved somewhere
else (I moved it to the end of optstring) since position within
optstring is not meaningful.


Revision tags: OPENBSD_3_2_BASE
# 1.26 03-Jul-2002 deraadt

ansi


# 1.25 26-May-2002 deraadt

pid_t cleanup


Revision tags: OPENBSD_3_1_BASE
# 1.24 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


# 1.23 05-Nov-2001 mpech

kill more registers;

millert@ ok


Revision tags: OPENBSD_3_0_BASE
# 1.22 09-Jul-2001 deraadt

correct type on last arg to execl(); nordin@cse.ogi.edu


# 1.21 07-Jul-2001 deraadt

major -Wall cleanup, almost complete


Revision tags: OPENBSD_2_9_BASE
# 1.20 19-Jan-2001 deraadt

mark signal races i cannot fix at the moment


# 1.19 15-Jan-2001 deraadt

use _exit() in term handler if real signal


Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE
# 1.18 15-Jan-2000 ericj

add 'd' to usage. mention rc.shutdown in the man page.


Revision tags: OPENBSD_2_6_BASE
# 1.17 03-Sep-1999 deraadt

have shutdown code run /etc/rc with arg of "shutdown"; rc.shutdown becomes completely admin-editable


# 1.16 19-Jul-1999 deraadt

if we run /etc/rc.shutdown ourselves, do it on /dev/console


# 1.15 29-Apr-1999 alex

Y2K fix: allow 'shutdown yymmddhhmm' to work in the next century.


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.14 25-Apr-1998 millert

run rc.shutdown even if -r or -h is not specified


Revision tags: OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.13 04-Sep-1997 mickey

use err()/warn()/__progname where appropriate, consolidate string, some -Wall


# 1.12 24-Aug-1997 deraadt

give shutdown daemon own session; dima@tejblum.dnttm.rssi.ru


# 1.11 25-Jul-1997 mickey

do -d for reboot and halt


# 1.10 25-Jul-1997 mickey

-Wall


# 1.9 23-Jun-1997 downsj

Slightly cleaner. (Change nosync to an int, like the rest.)


# 1.8 22-Jun-1997 downsj

Support halt -p.


Revision tags: OPENBSD_2_1_BASE
# 1.7 15-Jan-1997 millert

getopt(3) returns -1 when out of args, not EOF, whee!


# 1.6 22-Dec-1996 deraadt

MAXHOSTNAMELEN, not +1


Revision tags: OPENBSD_2_0_BASE
# 1.5 20-Sep-1996 deraadt

call execle with the correct params; netbsd pr#2737, augustss@cs.chalmers.se


# 1.4 02-Sep-1996 deraadt

whoops


# 1.3 02-Sep-1996 deraadt

bad environ init; from brian@saturn.net


# 1.2 23-Jun-1996 deraadt

update rcsid


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


Revision tags: OPENBSD_6_2_BASE
# 1.46 03-Apr-2017 fcambus

warn format string should be literal.

OK deraadt@, millert@


Revision tags: OPENBSD_6_1_BASE
# 1.45 01-Sep-2016 deraadt

Aggressively use dprintf, rather than crazy unchecked writes. Use
localtime() since it tends to work better than ctime() when some
filesystems are absent.
ok guenther


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.44 16-Nov-2015 deraadt

initially, pledge "stdio rpath wpath cpath getpw tty id proc exec", yes
it sounds like a lot, but this will eventually run the /etc/rc scripts
to shutdown, then run reboot or halt. After looking at getpw*, drop
pledge "getpw". Later drop to just "stdio exec"...

This depends on new pledge semantics for revoke(2).

with help from jca
ok guenther millert semarie tedu jca


Revision tags: OPENBSD_5_8_BASE
# 1.43 23-Apr-2015 deraadt

error in strtonum() conversion; found by Nathanael Rensen


# 1.42 18-Apr-2015 deraadt

Convert many atoi() calls to strtonum(), adding range checks and failure
handling along the way.
Reviews by Brendan MacDonell, Jeremy Devenport, florian, doug, millert


# 1.41 15-Mar-2015 millert

tzfile.h is an internal header that should never have been installed.
What's worse, the tzfile.h that gets installed is over 20 years old
and doesn't match the real tzfile.h in libc/time. This makes the
tree safe for /usr/include/tzfile.h removal. The TM_YEAR_BASE
define has been moved to time.h temporarily until its usage is
replaced by 1900 in the tree. Actual removal of tzfile.h is pending
a ports build. Based on a diff from deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.40 21-Jan-2015 naddy

Build the argument list for halt/reboot without excessive use of
the conditional operator. Adapted from NetBSD. ok miod@


# 1.39 21-Jan-2015 naddy

Use plain "-p" to specify "halt and power down", for consistency
and compatibility with other BSDs. Adapted from FreeBSD.
Still permit the combination "-hp" as requested by many.
ok sthen@


# 1.38 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.37 22-Nov-2013 deraadt

Whole bunch of (unsigned char) casts carefully added for ctype calls.
Careful second audit by millert


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.36 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


# 1.35 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.34 18-Oct-2006 cloder

Replace gcc __attribute with __dead. Recompile yields no binary change.


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.33 02-Dec-2005 deraadt

more sig_atomic_t


Revision tags: OPENBSD_3_8_BASE
# 1.32 19-May-2005 jmc

sort options + sync usage();


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE
# 1.31 24-Jan-2004 deraadt

minor knf


Revision tags: OPENBSD_3_4_BASE
# 1.30 30-Jul-2003 avsm

NULL -> (char *)NULL in execle; ok millert@


# 1.29 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


# 1.28 16-Apr-2003 mickey

use errx instead of fprintf+exit; millert@ ok


Revision tags: OPENBSD_3_3_BASE
# 1.27 08-Dec-2002 millert

GNU semantics say that if optstring begins with '-' then
each non-option shall be treated as arguments to option '\1'.

BSD getopt matches '-' in optstring with a '-' on the command line.
This is used to support deprecated options like "su -" that would
otherwise prevent the use of getopt().

Resolving this simply requires that the leading '-' be moved somewhere
else (I moved it to the end of optstring) since position within
optstring is not meaningful.


Revision tags: OPENBSD_3_2_BASE
# 1.26 03-Jul-2002 deraadt

ansi


# 1.25 26-May-2002 deraadt

pid_t cleanup


Revision tags: OPENBSD_3_1_BASE
# 1.24 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


# 1.23 05-Nov-2001 mpech

kill more registers;

millert@ ok


Revision tags: OPENBSD_3_0_BASE
# 1.22 09-Jul-2001 deraadt

correct type on last arg to execl(); nordin@cse.ogi.edu


# 1.21 07-Jul-2001 deraadt

major -Wall cleanup, almost complete


Revision tags: OPENBSD_2_9_BASE
# 1.20 19-Jan-2001 deraadt

mark signal races i cannot fix at the moment


# 1.19 15-Jan-2001 deraadt

use _exit() in term handler if real signal


Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE
# 1.18 15-Jan-2000 ericj

add 'd' to usage. mention rc.shutdown in the man page.


Revision tags: OPENBSD_2_6_BASE
# 1.17 03-Sep-1999 deraadt

have shutdown code run /etc/rc with arg of "shutdown"; rc.shutdown becomes completely admin-editable


# 1.16 19-Jul-1999 deraadt

if we run /etc/rc.shutdown ourselves, do it on /dev/console


# 1.15 29-Apr-1999 alex

Y2K fix: allow 'shutdown yymmddhhmm' to work in the next century.


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.14 25-Apr-1998 millert

run rc.shutdown even if -r or -h is not specified


Revision tags: OPENBSD_2_2_BASE OPENBSD_2_3_BASE
# 1.13 04-Sep-1997 mickey

use err()/warn()/__progname where appropriate, consolidate string, some -Wall


# 1.12 24-Aug-1997 deraadt

give shutdown daemon own session; dima@tejblum.dnttm.rssi.ru


# 1.11 25-Jul-1997 mickey

do -d for reboot and halt


# 1.10 25-Jul-1997 mickey

-Wall


# 1.9 23-Jun-1997 downsj

Slightly cleaner. (Change nosync to an int, like the rest.)


# 1.8 22-Jun-1997 downsj

Support halt -p.


Revision tags: OPENBSD_2_1_BASE
# 1.7 15-Jan-1997 millert

getopt(3) returns -1 when out of args, not EOF, whee!


# 1.6 22-Dec-1996 deraadt

MAXHOSTNAMELEN, not +1


Revision tags: OPENBSD_2_0_BASE
# 1.5 20-Sep-1996 deraadt

call execle with the correct params; netbsd pr#2737, augustss@cs.chalmers.se


# 1.4 02-Sep-1996 deraadt

whoops


# 1.3 02-Sep-1996 deraadt

bad environ init; from brian@saturn.net


# 1.2 23-Jun-1996 deraadt

update rcsid


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision