History log of /openbsd-current/usr.bin/passwd/local_passwd.c
Revision Date Author Comments
# 1.64 08-May-2023 tobias

Prevent signed integer overflow

A signed integer overflow could occur after INT_MAX bad password
attempts. Check for unlimited tries first and then increment the
counter. Also consider INT_MAX to be a valid upper limit.

ok millert@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE
# 1.63 10-Feb-2022 robert

unveil _PATH_LOGIN_CONF_D


# 1.62 24-Oct-2021 deraadt

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert


Revision tags: OPENBSD_7_0_BASE
# 1.61 29-Aug-2021 robert

notify the user about a successful password change; ok millert@


# 1.60 28-Aug-2021 robert

use stderr for printing error and informational messages

this makes it easier to parse what passwd(1) is doing if
spawned from a GUI

ok millert@


# 1.59 12-Jul-2021 beck

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occurred on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.58 24-Oct-2019 anton

add missing unveil of /etc/shells; ok benno@ deraadt@ mestre@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.57 14-Sep-2019 semarie

correct some unveil(2) violations due to "login.conf.db" access (the .db version
of "login.conf"), and stat(2) on _PATH_MASTERPASSWD_LOCK (via pw_mkdb(3)).

problem initially noted by myself for passwd(1)
millert@ reported similar problem on chpass(1), su(1), doas(1) and encrypt(1)
mestre@ noted chpass(1) too

ok mestre@ millert@


# 1.56 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.55 08-Nov-2018 mestre

unveil(2) obvious _PATH_LOGIN_CONF with read permission to use login_get*(3)
family commands.

Report and fix provided by Mark Patruck <mark ! wrapped ! cx>


# 1.54 25-Oct-2018 mestre

unveil(2) the following files for passwd(1) with their corresponding
permissions:

_PATH_MASTERPASSWD_LOCK - write/create permissions
_PATH_MASTERPASSWD - read permission
_PATH_BSHELL - execute permission (required since we might need to spawn an
external passwordcheck program if defined in /etc/login.conf)
_PATH_PWD_MKDB - execute permission

OK millert@ deraadt@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.53 30-Dec-2016 millert

Use explicit_bzero() to clear the buffer used when the user retypes
the new password. From isk AT ingve DOT org


# 1.52 02-Sep-2016 tedu

_PASSWORD_LEN is length that comes out of crypt(), not a meaningful
length for user entered passwords. And the +1 is just superstitious
nonsense inherited from getpass() guts.
Switch to a pleasing fixed size of 1024.
ok millert


# 1.51 02-Sep-2016 gsoares

make sure to explicitly clear memory that is used for password input.
OK tedu@


# 1.50 31-Aug-2016 tedu

replace obsolete getpass with readpassphrase.
ok gsoares


# 1.49 31-Aug-2016 tedu

nicer format strings and use dprintf instead of write


# 1.48 15-Aug-2016 guenther

Trust the login_getcaptime() declaration and don't cast the arguments to
their own expected type


Revision tags: OPENBSD_6_0_BASE
# 1.47 08-May-2016 tim

Switch to getpwnam_shadow() now that getpwnam() no longer opens the shadow
database; OK deraadt@ sthen@


Revision tags: OPENBSD_5_9_BASE
# 1.46 26-Nov-2015 deraadt

Delete YP password related code. As a result, these can also be
pledged. Keep an eye out for regressions, because they could be
uncomfortable.
ok beck semarie


# 1.45 25-Oct-2015 ajacoutot

No need to declare pwd_gensalt; it's unused and gone.
ok tedu@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.44 21-Nov-2014 tedu

change prototype for crypt_newhash. the login_cap_t is a holdover from its
pwd_gensalt origins, but a string argument works equally well and is more
friendly to consumers beyond local user accounts.
ok deraadt


# 1.43 20-Nov-2014 tedu

switch to using crypt_newhash interface. ok deraadt


# 1.42 11-Nov-2014 tedu

use crypt_checkpass instead of crypt/strcmp


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.41 18-Jan-2013 guenther

Use open(O_CLOEXEC) instead of a separate fcntl(FD_CLOEXEC) call.

Nudged by David Hill


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.40 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.39 06-Nov-2008 djm

-Wall -Wshadow clean, no binary change


Revision tags: OPENBSD_4_4_BASE
# 1.38 27-Apr-2008 jsing

Correct English.

ok jmc@


Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.37 01-May-2005 deraadt

spacing


Revision tags: OPENBSD_3_7_BASE
# 1.36 20-Dec-2004 moritz

o some missing free()'s in error paths
o use FD_CLOEXEC instead of 1
o fix a crash when the round number of
  localcipher in the default section
  in login.conf was omitted. noted by
  mpech@

ok mpech@, otto@, millert@, henning@


# 1.35 18-Sep-2004 deraadt

ARGSUSED signal handler


Revision tags: OPENBSD_3_6_BASE
# 1.34 24-Jul-2004 millert

Print a newline before the message in kbintr. Otherwise the message
ends up on the same line as the prompt.


# 1.33 13-Jul-2004 millert

passwd.conf has been deprecated since login.conf was imported.
Today it finally dies. Based on a diff from Gabriel Kihlman.


# 1.32 20-Apr-2004 millert

Adapt to new pw_copy() API, closes PR 3698.


Revision tags: OPENBSD_3_5_BASE
# 1.31 10-Mar-2004 millert

Check getpass() return value for NULL. Closes PR 3706.
With help and OK from otto@.


Revision tags: OPENBSD_3_4_BASE
# 1.30 20-Jun-2003 deraadt

a cleaning recommended by lint


# 1.29 03-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


# 1.28 28-Apr-2003 deraadt

stdlib.h


# 1.27 30-Mar-2003 millert

Simpler and consistent error messages when the user enters an empty
password or hits ^C. OK deraadt@ and mpech@


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.26 28-Jun-2002 deraadt

various cleanups; ok millert


Revision tags: OPENBSD_3_1_BASE
# 1.25 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


# 1.24 07-Dec-2001 millert

Catch SIGINT and SIGQUIT via the kbintr() signal handler in ypgetnewpasswd()
too. Restore old signal handler at the end of ypgetnewpasswd() and
getnewpasswd().


# 1.23 07-Dec-2001 millert

Catch SIGINT and SIGQUIT via the kbintr() signal handler.
Now that getpass() is interruptible we need to catch these so that the
"Password unchanged." message is printed.


# 1.22 19-Nov-2001 mpech

kill more registers

millert@ ok


Revision tags: OPENBSD_3_0_BASE
# 1.21 27-Aug-2001 millert

Instead of prompting the user whether or not they wish to continue to
wait for the lock on password file just tell the user to interrupt with
^C. This simplifies the locking loop a bit.

Update man page to this effect.


# 1.20 26-Aug-2001 millert

Change the second arg to pw_mkdb() from a boolean flag to a set of
bit flags ORed together. Currently the only flags defined are
_PASSWORD_SECUREONLY and _PASSWORD_OMITV7 but this is enough to
cause pw_mkdb() to run pwd_mkdb with the options we want.

With this change we no longer generate the old V7 passwd file when
only the extra fields in master.passwd (or the encrypted password)
have changed. There are other programs that could probably use
the _PASSWORD_OMITV7 flag; they will be converted at a future date.


# 1.19 18-Aug-2001 millert

If we modify pw_change we cannot pass pw_mkdb() the secureonly flag.

We don't need to rebuild the v7 version of the file in this case but
we have no way to communicate that to pw_mkdb since we pass in a
boolean instead of a set of bit flags.


# 1.18 16-Aug-2001 millert

extra arg to pw_mkdb


# 1.17 16-Aug-2001 millert

At Theo's request only print 'Please wait' if don't get the lock
on the first try.


# 1.16 07-Jul-2001 millert

quiet some -Wall warnings for login_{l,}chpass


# 1.15 04-Jul-2001 millert

Move locking of the passwd file *after* we have gotten a new password
from the user. Set real/effective/saved uids to 0 and block all signals
so the lock cannot be kept longer than necessary. If we cannot lock,
try again every 1/4 second for 2 seconds and then ask the user what
they wish to do (keep trying, quit).


# 1.14 18-Jun-2001 millert

o move passwd.conf variables into login.conf
o no longer install passwd.conf (but it is used if it exists and the
needed info is not in login.conf)
o added passwordtime and minpasswordlen login.conf variables


Revision tags: OPENBSD_2_9_BASE
# 1.13 12-Dec-2000 millert

Minor interface changes to allow code reuse in login_chpass(8) and
login_lchpass(8)


# 1.12 26-Nov-2000 millert

Update for pw_mkdb(3) interface change. All but vipw and userdel can
specify a username (and thus avoid rebuilding the whole database).


Revision tags: OPENBSD_2_8_BASE
# 1.11 01-Aug-2000 provos

integrate password quality checking, disallow all digit passwords motivated
by Solar Designer. External password checking program can be spawned now,
number of password trials configurable. work by me and Bob Beck.


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE
# 1.10 13-Jul-1998 deraadt

excessive paranoia


Revision tags: OPENBSD_2_3_BASE
# 1.9 24-Feb-1998 deraadt

catch special password "s/key" and refuse it


Revision tags: OPENBSD_2_1_BASE OPENBSD_2_2_BASE
# 1.8 07-Apr-1997 millert

Better error message when lookup of getlogin() != uid


# 1.7 27-Mar-1997 weingart

Slight cleanup, more needed


# 1.6 16-Feb-1997 provos

cleaned up, moved pw_getconf to libutil, removed _'s in option names


# 1.5 14-Feb-1997 provos

include blowfish cipher - free config of which cipher to use


Revision tags: OPENBSD_2_0_BASE
# 1.4 30-Sep-1996 millert

If can't open temp file (and it doesn't already exist) give real error message.


# 1.3 26-Jun-1996 deraadt

rcsid


# 1.2 22-May-1996 deraadt

libutil


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.63 10-Feb-2022 robert

unveil _PATH_LOGIN_CONF_D


# 1.62 24-Oct-2021 deraadt

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert


Revision tags: OPENBSD_7_0_BASE
# 1.61 29-Aug-2021 robert

notify the user about a successful password change; ok millert@


# 1.60 28-Aug-2021 robert

use stderr for printing error and informational messages

this makes it easier to parse what passwd(1) is doing if
spawned from a GUI

ok millert@


# 1.59 12-Jul-2021 beck

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.58 24-Oct-2019 anton

add missing unveil of /etc/shells; ok benno@ deraadt@ mestre@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.57 14-Sep-2019 semarie

correct some unveil(2) violations due to "login.conf.db" access (the .db version
of "login.conf"), and stat(2) on _PATH_MASTERPASSWD_LOCK (via pw_mkdb(3)).

problem initially noted by myself for passwd(1)
millert@ reported similar problem on chpass(1), su(1), doas(1) and encrypt(1)
mestre@ noted chpass(1) too

ok mestre@ millert@


# 1.56 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.55 08-Nov-2018 mestre

unveil(2) obvious _PATH_LOGIN_CONF with read permission to use login_get*(3)
family commands.

Report and fix provided by Mark Patruck <mark ! wrapped ! cx>


# 1.54 25-Oct-2018 mestre

unveil(2) the following files for passwd(1) with their corresponding
permissions:

_PATH_MASTERPASSWD_LOCK - write/create permissions
_PATH_MASTERPASSWD - read permission
_PATH_BSHELL - execute permission (required since we might need to spawn an
external passwordcheck program if defined in /etc/login.conf)
_PATH_PWD_MKDB - execute permission

OK millert@ deraadt@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.53 30-Dec-2016 millert

Use explicit_bzero() to clear the buffer used when the user retypes
the new password. From isk AT ingve DOT org


# 1.52 02-Sep-2016 tedu

_PASSWORD_LEN is length that comes out of crypt(), not a meaningful
length for user entered passwords. And the +1 is just superstitious
nonsense inherited from getpass() guts.
Switch to a pleasing fixed size of 1024.
ok millert


# 1.51 02-Sep-2016 gsoares

make sure to explicitly clear memory that is used for password input.
OK tedu@


# 1.50 31-Aug-2016 tedu

replace obsolete getpass with readpassphrase.
ok gsoares


# 1.49 31-Aug-2016 tedu

nicer format strings and use dprintf instead of write


# 1.48 15-Aug-2016 guenther

Trust the login_getcaptime() declaration and don't cast the arguments to
their own expected type


Revision tags: OPENBSD_6_0_BASE
# 1.47 08-May-2016 tim

Switch to getpwnam_shadow() now that getpwnam() no longer opens the shadow
database; OK deraadt@ sthen@


Revision tags: OPENBSD_5_9_BASE
# 1.46 26-Nov-2015 deraadt

Delete YP password related code. As a result, these can also be
pledged. Keep an eye out for regressions, because they could be
uncomfortable.
ok beck semarie


# 1.45 25-Oct-2015 ajacoutot

No need to declare pwd_gensalt; it's unused and gone.
ok tedu@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.44 21-Nov-2014 tedu

change prototype for crypt_newhash. the login_cap_t is a holdover from its
pwd_gensalt origins, but a string argument works equally work and is more
friendly to consumers beyond local user accounts.
ok deraadt


# 1.43 20-Nov-2014 tedu

switch to using crypt_newhash interface. ok deraadt


# 1.42 11-Nov-2014 tedu

use crypt_checkpass instead of crypt/strcmp


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.41 18-Jan-2013 guenther

Use open(O_CLOEXEC) instead of a separate fcntl(FD_CLOEXEC) call.

Nudged by David Hill


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.40 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.39 06-Nov-2008 djm

-Wall -Wshadow clean, no binary change


Revision tags: OPENBSD_4_4_BASE
# 1.38 27-Apr-2008 jsing

Correct English.

ok jmc@


Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.37 01-May-2005 deraadt

spacing


Revision tags: OPENBSD_3_7_BASE
# 1.36 20-Dec-2004 moritz

o some missing free()'s in error paths
o use FD_CLOEXEC instead of 1
o fix a crash when the round number of
localcipher in the default section
in login.conf was ommitted. noted by
mpech@

ok mpech@, otto@, millert@, henning@


# 1.35 18-Sep-2004 deraadt

ARGSUSED signal handler


Revision tags: OPENBSD_3_6_BASE
# 1.34 24-Jul-2004 millert

Print a newline before the message in kbintr. Otherwise the message
ends up on the same line as the prompt.


# 1.33 13-Jul-2004 millert

passwd.conf has been deprecated since login.conf was imported.
Today it finally dies. Based on a diff from Gabriel Kihlman.


# 1.32 20-Apr-2004 millert

Adapt to new pw_copy() API, closes PR 3698.


Revision tags: OPENBSD_3_5_BASE
# 1.31 10-Mar-2004 millert

Check getpass() return value for NULL. Closes Pr 3706.
With help and OK from otto@.


Revision tags: OPENBSD_3_4_BASE
# 1.30 20-Jun-2003 deraadt

a cleaning recommended by lint


# 1.29 03-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


# 1.28 28-Apr-2003 deraadt

stdlib.h


# 1.27 30-Mar-2003 millert

Simpler and consistent error messages when the user enters an empty
password or hits ^C. OK deraadt@ and mpech@


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.26 28-Jun-2002 deraadt

various cleanups; ok millert


Revision tags: OPENBSD_3_1_BASE
# 1.25 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


# 1.24 07-Dec-2001 millert

Catch SIGINT and SIGQUIT via the kbintr() signal handler in ypgetnewpasswd()
too. Restore old signal handler at the end of ypgetnewpasswd() and
getnewpasswd().


# 1.23 07-Dec-2001 millert

Catch SIGINT and SIGQUIT via the kbintr() signal handler.
Now that getpass() is interuptible we need to catch these so that the
"Password unchanged." message is printed.


# 1.22 19-Nov-2001 mpech

kill more registers

millert@ ok


Revision tags: OPENBSD_3_0_BASE
# 1.21 27-Aug-2001 millert

Instead of prompting the user whether or not they wish to continue to
wait for the lock on password file just tell the user to interrupt with
^C. This simplifies the locking loop a bit.

Update man page to this effect.


# 1.20 26-Aug-2001 millert

Change the second arg to pw_mkdb() from a boolean flag to a set of
bit flags ORed together. Currently the only flags defined are
_PASSWORD_SECUREONLY and _PASSWORD_OMITV7 but this is enough to
cause pw_mkdb() to run pwd_mkdb with the options we want.

With this change we no longer generate the old V7 passwd file when
only the extra fields in master.passwd (or the encrypted password)
have changed. There are other programs that could probably use
the _PASSWORD_OMITV7 flag; they will be converted at a future date.


# 1.19 18-Aug-2001 millert

If we modify pw_change we cannot pass pw_mkdb() the secureonly flag.

We don't need to rebuild the v7 version of the file in this case but
we have no way to communicate that to pw_mkdb since we pass in a
boolean instead of a set of bit flags.


# 1.18 16-Aug-2001 millert

extra arg to pw_mkdb


# 1.17 16-Aug-2001 millert

At Theo's request only print 'Please wait' if don't get the lock
on the first try.


# 1.16 07-Jul-2001 millert

quiet some -Wall warnings for login_{l,}chpass


# 1.15 04-Jul-2001 millert

Move locking of the passwd file *after* we have gotten a new password
from the user. Set real/effective/saved uids to 0 and block all signals
so the lock cannot be kept longer than necessary. If we cannot lock,
try again every 1/4 second for 2 seconds and then ask the user what
they wish to do (keep trying, quit).


# 1.14 18-Jun-2001 millert

o move passwd.conf variables into login.conf
o no longer install passwd.conf (but it is used if it exists and the
needed info is not in login.conf)
o added passwordtime and minpasswordlen login.conf variables


Revision tags: OPENBSD_2_9_BASE
# 1.13 12-Dec-2000 millert

Minor interface changes to allow code reuse in login_chpass(8) and
login_lchpass(8)


# 1.12 26-Nov-2000 millert

Update for pw_mkdb(3) interface change. All but vipw and userdel can
specify a username (and thus avoid rebuilding the while database).


Revision tags: OPENBSD_2_8_BASE
# 1.11 01-Aug-2000 provos

integrate password quality checking, disallow all digit passwords motivated
by Solar Designer. External password checking program can be spawned now,
number of password trials configurable. work by me and Bob Beck.


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE
# 1.10 13-Jul-1998 deraadt

excessive paranoia


Revision tags: OPENBSD_2_3_BASE
# 1.9 24-Feb-1998 deraadt

catch special password "s/key" and refuse it


Revision tags: OPENBSD_2_1_BASE OPENBSD_2_2_BASE
# 1.8 07-Apr-1997 millert

Better error message when lookup of getlogin() != uid


# 1.7 27-Mar-1997 weingart

Slight cleanup, more needed


# 1.6 16-Feb-1997 provos

cleaned up, moved pw_getconf to libutil, removed _'s in option names


# 1.5 14-Feb-1997 provos

include blowfish cipher - free config of which cipher to use


Revision tags: OPENBSD_2_0_BASE
# 1.4 30-Sep-1996 millert

If can't open temp file (and it doesn't already exist) give real error message.


# 1.3 26-Jun-1996 deraadt

rcsid


# 1.2 22-May-1996 deraadt

libutil


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.62 24-Oct-2021 deraadt

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert


Revision tags: OPENBSD_7_0_BASE
# 1.61 29-Aug-2021 robert

notify the user about a successful password change; ok millert@


# 1.60 28-Aug-2021 robert

use stderr for printing error and informational messages

this makes it easier to parse what passwd(1) is doing if
spawned from a GUI

ok millert@


# 1.59 12-Jul-2021 beck

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.58 24-Oct-2019 anton

add missing unveil of /etc/shells; ok benno@ deraadt@ mestre@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.57 14-Sep-2019 semarie

correct some unveil(2) violations due to "login.conf.db" access (the .db version
of "login.conf"), and stat(2) on _PATH_MASTERPASSWD_LOCK (via pw_mkdb(3)).

problem initially noted by myself for passwd(1)
millert@ reported similar problem on chpass(1), su(1), doas(1) and encrypt(1)
mestre@ noted chpass(1) too

ok mestre@ millert@


# 1.56 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.55 08-Nov-2018 mestre

unveil(2) obvious _PATH_LOGIN_CONF with read permission to use login_get*(3)
family commands.

Report and fix provided by Mark Patruck <mark ! wrapped ! cx>


# 1.54 25-Oct-2018 mestre

unveil(2) the following files for passwd(1) with their corresponding
permissions:

_PATH_MASTERPASSWD_LOCK - write/create permissions
_PATH_MASTERPASSWD - read permission
_PATH_BSHELL - execute permission (required since we might need to spawn an
external passwordcheck program if defined in /etc/login.conf)
_PATH_PWD_MKDB - execute permission

OK millert@ deraadt@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.53 30-Dec-2016 millert

Use explicit_bzero() to clear the buffer used when the user retypes
the new password. From isk AT ingve DOT org


# 1.52 02-Sep-2016 tedu

_PASSWORD_LEN is length that comes out of crypt(), not a meaningful
length for user entered passwords. And the +1 is just superstitious
nonsense inherited from getpass() guts.
Switch to a pleasing fixed size of 1024.
ok millert


# 1.51 02-Sep-2016 gsoares

make sure to explicitly clear memory that is used for password input.
OK tedu@


# 1.50 31-Aug-2016 tedu

replace obsolete getpass with readpassphrase.
ok gsoares


# 1.49 31-Aug-2016 tedu

nicer format strings and use dprintf instead of write


# 1.48 15-Aug-2016 guenther

Trust the login_getcaptime() declaration and don't cast the arguments to
their own expected type


Revision tags: OPENBSD_6_0_BASE
# 1.47 08-May-2016 tim

Switch to getpwnam_shadow() now that getpwnam() no longer opens the shadow
database; OK deraadt@ sthen@


Revision tags: OPENBSD_5_9_BASE
# 1.46 26-Nov-2015 deraadt

Delete YP password related code. As a result, these can also be
pledged. Keep an eye out for regressions, because they could be
uncomfortable.
ok beck semarie


# 1.45 25-Oct-2015 ajacoutot

No need to declare pwd_gensalt; it's unused and gone.
ok tedu@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.44 21-Nov-2014 tedu

change prototype for crypt_newhash. the login_cap_t is a holdover from its
pwd_gensalt origins, but a string argument works equally work and is more
friendly to consumers beyond local user accounts.
ok deraadt


# 1.43 20-Nov-2014 tedu

switch to using crypt_newhash interface. ok deraadt


# 1.42 11-Nov-2014 tedu

use crypt_checkpass instead of crypt/strcmp


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.41 18-Jan-2013 guenther

Use open(O_CLOEXEC) instead of a separate fcntl(FD_CLOEXEC) call.

Nudged by David Hill


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.40 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.39 06-Nov-2008 djm

-Wall -Wshadow clean, no binary change


Revision tags: OPENBSD_4_4_BASE
# 1.38 27-Apr-2008 jsing

Correct English.

ok jmc@


Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.37 01-May-2005 deraadt

spacing


Revision tags: OPENBSD_3_7_BASE
# 1.36 20-Dec-2004 moritz

o some missing free()'s in error paths
o use FD_CLOEXEC instead of 1
o fix a crash when the round number of
localcipher in the default section
in login.conf was ommitted. noted by
mpech@

ok mpech@, otto@, millert@, henning@


# 1.35 18-Sep-2004 deraadt

ARGSUSED signal handler


Revision tags: OPENBSD_3_6_BASE
# 1.34 24-Jul-2004 millert

Print a newline before the message in kbintr. Otherwise the message
ends up on the same line as the prompt.


# 1.33 13-Jul-2004 millert

passwd.conf has been deprecated since login.conf was imported.
Today it finally dies. Based on a diff from Gabriel Kihlman.


# 1.32 20-Apr-2004 millert

Adapt to new pw_copy() API, closes PR 3698.


Revision tags: OPENBSD_3_5_BASE
# 1.31 10-Mar-2004 millert

Check getpass() return value for NULL. Closes Pr 3706.
With help and OK from otto@.


Revision tags: OPENBSD_3_4_BASE
# 1.30 20-Jun-2003 deraadt

a cleaning recommended by lint


# 1.29 03-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


# 1.28 28-Apr-2003 deraadt

stdlib.h


# 1.27 30-Mar-2003 millert

Simpler and consistent error messages when the user enters an empty
password or hits ^C. OK deraadt@ and mpech@


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.26 28-Jun-2002 deraadt

various cleanups; ok millert


Revision tags: OPENBSD_3_1_BASE
# 1.25 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


# 1.24 07-Dec-2001 millert

Catch SIGINT and SIGQUIT via the kbintr() signal handler in ypgetnewpasswd()
too. Restore old signal handler at the end of ypgetnewpasswd() and
getnewpasswd().


# 1.23 07-Dec-2001 millert

Catch SIGINT and SIGQUIT via the kbintr() signal handler.
Now that getpass() is interuptible we need to catch these so that the
"Password unchanged." message is printed.


# 1.22 19-Nov-2001 mpech

kill more registers

millert@ ok


Revision tags: OPENBSD_3_0_BASE
# 1.21 27-Aug-2001 millert

Instead of prompting the user whether or not they wish to continue to
wait for the lock on password file just tell the user to interrupt with
^C. This simplifies the locking loop a bit.

Update man page to this effect.


# 1.20 26-Aug-2001 millert

Change the second arg to pw_mkdb() from a boolean flag to a set of
bit flags ORed together. Currently the only flags defined are
_PASSWORD_SECUREONLY and _PASSWORD_OMITV7 but this is enough to
cause pw_mkdb() to run pwd_mkdb with the options we want.

With this change we no longer generate the old V7 passwd file when
only the extra fields in master.passwd (or the encrypted password)
have changed. There are other programs that could probably use
the _PASSWORD_OMITV7 flag; they will be converted at a future date.


# 1.19 18-Aug-2001 millert

If we modify pw_change we cannot pass pw_mkdb() the secureonly flag.

We don't need to rebuild the v7 version of the file in this case but
we have no way to communicate that to pw_mkdb since we pass in a
boolean instead of a set of bit flags.


# 1.18 16-Aug-2001 millert

extra arg to pw_mkdb


# 1.17 16-Aug-2001 millert

At Theo's request only print 'Please wait' if don't get the lock
on the first try.


# 1.16 07-Jul-2001 millert

quiet some -Wall warnings for login_{l,}chpass


# 1.15 04-Jul-2001 millert

Move locking of the passwd file *after* we have gotten a new password
from the user. Set real/effective/saved uids to 0 and block all signals
so the lock cannot be kept longer than necessary. If we cannot lock,
try again every 1/4 second for 2 seconds and then ask the user what
they wish to do (keep trying, quit).


# 1.14 18-Jun-2001 millert

o move passwd.conf variables into login.conf
o no longer install passwd.conf (but it is used if it exists and the
needed info is not in login.conf)
o added passwordtime and minpasswordlen login.conf variables


Revision tags: OPENBSD_2_9_BASE
# 1.13 12-Dec-2000 millert

Minor interface changes to allow code reuse in login_chpass(8) and
login_lchpass(8)


# 1.12 26-Nov-2000 millert

Update for pw_mkdb(3) interface change. All but vipw and userdel can
specify a username (and thus avoid rebuilding the whole database).


Revision tags: OPENBSD_2_8_BASE
# 1.11 01-Aug-2000 provos

integrate password quality checking, disallow all digit passwords motivated
by Solar Designer. External password checking program can be spawned now,
number of password trials configurable. work by me and Bob Beck.


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE
# 1.10 13-Jul-1998 deraadt

excessive paranoia


Revision tags: OPENBSD_2_3_BASE
# 1.9 24-Feb-1998 deraadt

catch special password "s/key" and refuse it


Revision tags: OPENBSD_2_1_BASE OPENBSD_2_2_BASE
# 1.8 07-Apr-1997 millert

Better error message when lookup of getlogin() != uid


# 1.7 27-Mar-1997 weingart

Slight cleanup, more needed


# 1.6 16-Feb-1997 provos

cleaned up, moved pw_getconf to libutil, removed _'s in option names


# 1.5 14-Feb-1997 provos

include blowfish cipher - free config of which cipher to use


Revision tags: OPENBSD_2_0_BASE
# 1.4 30-Sep-1996 millert

If can't open temp file (and it doesn't already exist) give real error message.


# 1.3 26-Jun-1996 deraadt

rcsid


# 1.2 22-May-1996 deraadt

libutil


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.55 08-Nov-2018 mestre

unveil(2) obvious _PATH_LOGIN_CONF with read permission to use login_get*(3)
family commands.

Report and fix provided by Mark Patruck <mark ! wrapped ! cx>


# 1.54 25-Oct-2018 mestre

unveil(2) the following files for passwd(1) with their corresponding
permissions:

_PATH_MASTERPASSWD_LOCK - write/create permissions
_PATH_MASTERPASSWD - read permission
_PATH_BSHELL - execute permission (required since we might need to spawn an
external passwordcheck program if defined in /etc/login.conf)
_PATH_PWD_MKDB - execute permission

OK millert@ deraadt@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.53 30-Dec-2016 millert

Use explicit_bzero() to clear the buffer used when the user retypes
the new password. From isk AT ingve DOT org


# 1.52 02-Sep-2016 tedu

_PASSWORD_LEN is length that comes out of crypt(), not a meaningful
length for user entered passwords. And the +1 is just superstitious
nonsense inherited from getpass() guts.
Switch to a pleasing fixed size of 1024.
ok millert


# 1.51 02-Sep-2016 gsoares

make sure to explicitly clear memory that is used for password input.
OK tedu@


# 1.50 31-Aug-2016 tedu

replace obsolete getpass with readpassphrase.
ok gsoares


# 1.49 31-Aug-2016 tedu

nicer format strings and use dprintf instead of write


# 1.48 15-Aug-2016 guenther

Trust the login_getcaptime() declaration and don't cast the arguments to
their own expected type


Revision tags: OPENBSD_6_0_BASE
# 1.47 08-May-2016 tim

Switch to getpwnam_shadow() now that getpwnam() no longer opens the shadow
database; OK deraadt@ sthen@


Revision tags: OPENBSD_5_9_BASE
# 1.46 26-Nov-2015 deraadt

Delete YP password related code. As a result, these can also be
pledged. Keep an eye out for regressions, because they could be
uncomfortable.
ok beck semarie


# 1.45 25-Oct-2015 ajacoutot

No need to declare pwd_gensalt; it's unused and gone.
ok tedu@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.44 21-Nov-2014 tedu

change prototype for crypt_newhash. the login_cap_t is a holdover from its
pwd_gensalt origins, but a string argument works equally work and is more
friendly to consumers beyond local user accounts.
ok deraadt


# 1.43 20-Nov-2014 tedu

switch to using crypt_newhash interface. ok deraadt


# 1.42 11-Nov-2014 tedu

use crypt_checkpass instead of crypt/strcmp


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.41 18-Jan-2013 guenther

Use open(O_CLOEXEC) instead of a separate fcntl(FD_CLOEXEC) call.

Nudged by David Hill


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.40 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.39 06-Nov-2008 djm

-Wall -Wshadow clean, no binary change


Revision tags: OPENBSD_4_4_BASE
# 1.38 27-Apr-2008 jsing

Correct English.

ok jmc@


Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.37 01-May-2005 deraadt

spacing


Revision tags: OPENBSD_3_7_BASE
# 1.36 20-Dec-2004 moritz

o some missing free()'s in error paths
o use FD_CLOEXEC instead of 1
o fix a crash when the round number of
localcipher in the default section
in login.conf was omitted. noted by
mpech@

ok mpech@, otto@, millert@, henning@


# 1.35 18-Sep-2004 deraadt

ARGSUSED signal handler


Revision tags: OPENBSD_3_6_BASE
# 1.34 24-Jul-2004 millert

Print a newline before the message in kbintr. Otherwise the message
ends up on the same line as the prompt.


# 1.33 13-Jul-2004 millert

passwd.conf has been deprecated since login.conf was imported.
Today it finally dies. Based on a diff from Gabriel Kihlman.


# 1.32 20-Apr-2004 millert

Adapt to new pw_copy() API, closes PR 3698.


Revision tags: OPENBSD_3_5_BASE
# 1.31 10-Mar-2004 millert

Check getpass() return value for NULL. Closes PR 3706.
With help and OK from otto@.


Revision tags: OPENBSD_3_4_BASE
# 1.30 20-Jun-2003 deraadt

a cleaning recommended by lint


# 1.29 03-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


# 1.28 28-Apr-2003 deraadt

stdlib.h


# 1.27 30-Mar-2003 millert

Simpler and consistent error messages when the user enters an empty
password or hits ^C. OK deraadt@ and mpech@


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.26 28-Jun-2002 deraadt

various cleanups; ok millert


Revision tags: OPENBSD_3_1_BASE
# 1.25 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


# 1.24 07-Dec-2001 millert

Catch SIGINT and SIGQUIT via the kbintr() signal handler in ypgetnewpasswd()
too. Restore old signal handler at the end of ypgetnewpasswd() and
getnewpasswd().


# 1.23 07-Dec-2001 millert

Catch SIGINT and SIGQUIT via the kbintr() signal handler.
Now that getpass() is interruptible we need to catch these so that the
"Password unchanged." message is printed.


# 1.22 19-Nov-2001 mpech

kill more registers

millert@ ok


Revision tags: OPENBSD_3_0_BASE
# 1.21 27-Aug-2001 millert

Instead of prompting the user whether or not they wish to continue to
wait for the lock on password file just tell the user to interrupt with
^C. This simplifies the locking loop a bit.

Update man page to this effect.


# 1.20 26-Aug-2001 millert

Change the second arg to pw_mkdb() from a boolean flag to a set of
bit flags ORed together. Currently the only flags defined are
_PASSWORD_SECUREONLY and _PASSWORD_OMITV7 but this is enough to
cause pw_mkdb() to run pwd_mkdb with the options we want.

With this change we no longer generate the old V7 passwd file when
only the extra fields in master.passwd (or the encrypted password)
have changed. There are other programs that could probably use
the _PASSWORD_OMITV7 flag; they will be converted at a future date.


# 1.19 18-Aug-2001 millert

If we modify pw_change we cannot pass pw_mkdb() the secureonly flag.

We don't need to rebuild the v7 version of the file in this case but
we have no way to communicate that to pw_mkdb since we pass in a
boolean instead of a set of bit flags.


# 1.18 16-Aug-2001 millert

extra arg to pw_mkdb


# 1.17 16-Aug-2001 millert

At Theo's request only print 'Please wait' if don't get the lock
on the first try.


# 1.16 07-Jul-2001 millert

quiet some -Wall warnings for login_{l,}chpass


# 1.15 04-Jul-2001 millert

Move locking of the passwd file *after* we have gotten a new password
from the user. Set real/effective/saved uids to 0 and block all signals
so the lock cannot be kept longer than necessary. If we cannot lock,
try again every 1/4 second for 2 seconds and then ask the user what
they wish to do (keep trying, quit).


# 1.14 18-Jun-2001 millert

o move passwd.conf variables into login.conf
o no longer install passwd.conf (but it is used if it exists and the
needed info is not in login.conf)
o added passwordtime and minpasswordlen login.conf variables


Revision tags: OPENBSD_2_9_BASE
# 1.13 12-Dec-2000 millert

Minor interface changes to allow code reuse in login_chpass(8) and
login_lchpass(8)


# 1.12 26-Nov-2000 millert

Update for pw_mkdb(3) interface change. All but vipw and userdel can
specify a username (and thus avoid rebuilding the whole database).


Revision tags: OPENBSD_2_8_BASE
# 1.11 01-Aug-2000 provos

integrate password quality checking, disallow all digit passwords motivated
by Solar Designer. External password checking program can be spawned now,
number of password trials configurable. work by me and Bob Beck.


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE
# 1.10 13-Jul-1998 deraadt

excessive paranoia


Revision tags: OPENBSD_2_3_BASE
# 1.9 24-Feb-1998 deraadt

catch special password "s/key" and refuse it


Revision tags: OPENBSD_2_1_BASE OPENBSD_2_2_BASE
# 1.8 07-Apr-1997 millert

Better error message when lookup of getlogin() != uid


# 1.7 27-Mar-1997 weingart

Slight cleanup, more needed


# 1.6 16-Feb-1997 provos

cleaned up, moved pw_getconf to libutil, removed _'s in option names


# 1.5 14-Feb-1997 provos

include blowfish cipher - free config of which cipher to use


Revision tags: OPENBSD_2_0_BASE
# 1.4 30-Sep-1996 millert

If can't open temp file (and it doesn't already exist) give real error message.


# 1.3 26-Jun-1996 deraadt

rcsid


# 1.2 22-May-1996 deraadt

libutil


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.54 25-Oct-2018 mestre

unveil(2) the following files for passwd(1) with their corresponding
permissions:

_PATH_MASTERPASSWD_LOCK - write/create permissions
_PATH_MASTERPASSWD - read permission
_PATH_BSHELL - execute permission (required since we might need to spawn an
external passwordcheck program if defined in /etc/login.conf)
_PATH_PWD_MKDB - execute permission

OK millert@ deraadt@


Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.53 30-Dec-2016 millert

Use explicit_bzero() to clear the buffer used when the user retypes
the new password. From isk AT ingve DOT org


# 1.52 02-Sep-2016 tedu

_PASSWORD_LEN is length that comes out of crypt(), not a meaningful
length for user entered passwords. And the +1 is just superstitious
nonsense inherited from getpass() guts.
Switch to a pleasing fixed size of 1024.
ok millert


# 1.51 02-Sep-2016 gsoares

make sure to explicitly clear memory that is used for password input.
OK tedu@


