- Copy stable/10 (r259064) to releng/10.0 as part of the
10.0-RELEASE cycle.
- Update __FreeBSD_version [1]
- Set branch name to -RC1

[1] 10.0-CURRENT __FreeBSD_version value ended at '55', so
start releng/10.0 at '100' so the branch is started with
a value ending in zero.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Make check for unknown login class actually work. Previously, using the "-c" option
with login class not defined in login.conf(5) would silently fail, resulting in using
the default login class.

In su(1), fix option ordering and clarify that the login class specified
must be defined in login.conf.

MFC after: 1 month

Undo r226423.

It seems su does build without warnings, but it requires a small fix to
libbsm headers, which I have not committed to SVN yet.

Remove WARNS line. This tool builds with WARNS=6 properly.

Attempt to clear up some confusion in the following example, by stating
the '-c' argument is passed to the shell, not to su(1), which would
indicate the login class.

'su -m <user> -c <command>'

Submitted by: Warren Block <wblock@wonkity.com> (followup to 157078)
MFC after: 5 days

Bump date from previous commit. :(

MFC after: 5 days

Document that when running 'su -m <user> -c <command>', <command> is run
within a shell as <user>.

PR: 157078
Submitted by: Warren Block <wblock@wonkity.com>
MFC after: 5 days

getpwnam(3) may return NULL.

Requested by: nork
Reviewed by: Takeharu KATO <takeharu1219__at__ybb.ne.jp>, nork
MFC after: 1 week

Remove the advertising clause from UCB copyrighted files in usr.bin. This
is in accordance with the information provided at
ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change

Also add $FreeBSD$ to a few files to keep svn happy.

Discussed with: imp, rwatson

Build usr.bin/ with WARNS=6 by default.

Also add some missing $FreeBSD$ to keep svn happy.

Revert most part of 200420 as requested, as more review and polish is
needed.

Remove unneeded header includes from usr.bin/ except contributed code.

Tested with: make universe

Fixup the parameters to audit_submit(3) the order is errno then return
value. This bug went un-noticed for so long because EPERM == 1

MFC after: 1 week
Spotted by: sson, rwatson

- add the -m option to the example commands because they would fail w/o it
as the ``man'' user does not have a valid shell by default.

PR: docs/121713
Approved by: trhodes
MFC after: 3 days

Fix a strict aliasing warning - I think it is really telling us
that the way char * and void * pointers may not be stored in the
same way.

The upper while loop has already recycled child process, so the if
statement has never executed as expected, fix it.

MFC after: 3 days

Stop mentioning /usr/X11R6.

Approved by: re (hrs)

Significantly reduce the memory leak as noted in BUGS section for
setenv(3) by tracking the size of the memory allocated instead of using
strlen() on the current value.

Convert all calls to POSIX from historic BSD API:
- unsetenv returns an int.
- putenv takes a char * instead of const char *.
- putenv no longer makes a copy of the input string.
- errno is set appropriately for POSIX. Exceptions involve bad environ
variable and internal initialization code. These both set errno to
EFAULT.

Several patches to base utilities to handle the POSIX changes from
Andrey Chernov's previous commit. A few I re-wrote to use setenv()
instead of putenv().

New regression module for tools/regression/environ to test these
functions. It also can be used to test the performance.

Bump __FreeBSD_version to 700050 due to API change.

PR: kern/99826
Approved by: wes
Approved by: re (kensmith)

Back out all POSIXified *env() changes.

Not because I admit they are technically wrong and not because of bug
reports (I receive nothing). But because I surprisingly meets so
strong opposition and resistance so lost any desire to continue that.

Anyone who interested in POSIX can dig out what changes and how
through cvs diffs.

Prepare for upcoming POSIXed putenv() rewrite:
don't free memory after putenv()

Backout previous change (SIGSYS related). The fix has been applied to the
proper place.

Pointed out by: rwatson

Ignore SIGSYS when BSM is compiled in. Otherwise, attempt to invoke su on
system that don't have audit framefork compiled into kernel or ia32 binary
on amd64 system will result in SIGSYS. There is one place in su.c itself
where it tries to check for errno != ENOSYS, but it has been a nop since su
does not catch SIGSYS anyway. There are few other places in libbsm,
where attempt to invoke audit syscal would result in SIGSYS if no audit
support is present in the kernel, so that the only reliable method for
now is to disable SIGSYS completely in the case when BSM is compiled in.

In the long run, both direct invocation of audit-related syscalls and
libbsm should be made more intellegent to handle the case when BSM is not
compiled into the kernel gracefully.

MFC after: 3 days
(provided re@ approval)

Markup fixes.

Do not chdir(2) until after setuid(2), otherwise "su - username" would fail
when root doesn't have the permission to enter target user's home directory.
If set, PAM environment variable HOME will be used in chdir(2) instead of
pwd->pw_dir, this allows pam_chroot module to continue to function.

Remove references to the pam(8) manual page. It does not exist.

Requested by: novel
Discussed with: brueffer, simon

Integrate audit_submit(3) bits into su. This means that records for
successful and failed su attempts will be recorded using the AUE_su
event type (login or lo class) if auditing is present in the system.
Currently, the records will have a header, subject, text (with the
actual diagnostics), a return and trailer token.

See audit_submit(3) for more information.

Reviewed by: rwatson
Obtained from: TrustedBSD Project

- Mention that users need to be in the wheel group to `su - root' by default, and how to change it.

PR: docs/70616
Submitted by: Jilles Tjoelker <jilles at stack dot nl>
Reviewed by: ru@
Approved by: ceri@
MFC after: 3 days

Fix the other su bug reintroduced two commits ago, namely

$ su
% kill -STOP $$

where su is executing (t)csh. csh's job handling is a little more
special than that of (a)sh, bash and even zsh and blows up a little
more spectacularly. This modification restores the original mucking
about with the tty pgrp, but is careful to only do it when su (or
su's child) is the foreground process.

While I'm here, fix a STDERR_FILENO spelling as suggested by bde.

Handle the case (that I just broke) where the following hangs:

$ su
# kill -STOP $$

Pointed out by: David Xu <davidxu@freebsd.org>

Remove broken code that mucks about with tcsetpgrp() -- even if
su isn't the foreground process. Hopefully this won't break PAM,
but I couldn't find any useful information about ache's theory
that it will.

Specifically, this change fixes the following:

# sh
# echo $$
# su - root -c id &
# echo $$

The PID output changes as su seems to be kill -STOP'ing itself
and catching the parent shell in the process. This is especially
bad if you add a ``su - user -c command &'' to an rc script!

Sponsored by: Sophos/Activestate
Not objected to by: des

Sort sections.

If su(1) is run without an effective uid of 0, generate an error to
the user indicating that su is not running setuid, which may help
suggest to the user that it should be setuid, or should not be
running from a file system mounted nosuid.

Suggsted by: Ivan Voras <ivoras at fer dot hr>
MFC after: 2 weeks

Introduce the PRECIOUSPROG knob in bsd.prog.mk, similar
to PRECIOUSLIB from bsd.lib.mk. The side effect of this
is making installing the world under jail(8) possible by
using another knob, NOFSCHG.

Reviewed by: oliver

Bump document date for last commit.

Noticed by: ru

PAM configuration is now in /etc/pam.d/su.

Submitted by: Jilles Tjoelker <jilles@stack.nl> (original version)
PR: docs/70616 (part of)
MFC after: 1 week

Deal with double whitespace.

Mechanically kill hard sentence breaks.

Oops. My last commit included a bug that would make "su -m" always
use /bin/sh. Fix this.

Paranoia, WARNS fixes and lint.

Bumped the document date.
Fixed the grammar nit.

Add FBSDID. Do not dot terminate errx(3) string.

Fixed style of assignments.

When root tries to su to a non-existent user, pam_authenticate() will
normally succeed (because root can su to anyone), but pam_acct_mgmt()
will most likely fail, causing su to log a confusing "pam_acct_mgmt:
error in service module" message. To avoid this, call getpwnam()
before pam_acct_mgmt().

Sponsored by: registrar.no

Be sure to restore foreground group to parent su before parent su
exits, otherwise shell will be confused and does not set foreground
group correctly for next su command. This sounds like a bug in sh.

It seems when su executes in a shell scripts, there is a timing race,
sometimes, su will receive a SIGTTOU when parent su tries to set child
su's process group as foreground group, and su will be stopped unexpectly,
ignoring SIGTTOU fixes the problem.

Noticed by: fjoe

Fix broken su -m behaviour :
chshell must return 0 if the shell is not a standard shell, or else it is
possible to use an account without a valid shell.

Reviewed by: des

- Clarification to how command line arguments are processed.

PR: docs/55613
Submitted by: gshapiro@freebsd.org
Approved by: blackend (mentor)

typo

PAM-related improvements:

- if operating "as them" (su -l), use pam_{open,close}_session()
- allow PAM to override $HOME (pam_chroot needs this)
- chdir early, because later on we may be chrooted and chdir will fail

Also use pid_t instead of int where applicable.

Put child process in a different process group, ensure that the broadcast
signal never affects su directly, some shells changes its pgrp at running
or suspended time, so a broadcast SIGTSTP from child will mess up su's job
control.

Discussed with: bde

Fix style bugs in the previous commit (which weren't in bde's patch)

Reset SIGTSTP handler to default both for parent and child process.

Submitted by: bde

Fix long standing job control bug. SIGTSTP shouldn't be ignored.
Special instructions tested:
suspend
stop $$

Pass the correct, verified username to PAM instead of getlogin().

mdoc(7) police: markup polishing.

Approved by: re

Add a new '-s' option to su(1): if the flag is present, attempt to
also set the user's MAC label as part of the user credential setup
by setting setusercontext(3)'s SETMAC flag. By default, change only
traditional process properties.

Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

When a user gets refused because the password is wrong, use the
older "BAD SU" syslog message that folks prefer. There is quite
a bit more tweaking that can be done with other similar messages.

Asked for by: tjr

Style: use sa_handler instead of __sigaction_u.__sa_handler.

Remove an unused variable.

Fix typing error in prev. commit

Fix style bug in prev. commit

Fix su job control (recently introduced for PAM cleanup purposes) to not
kill login shell on either "suspend/fg" or "stop $$/fg" for tcsh. Since
this bug occurse on -stable too, it is not kernel threads bug.

Submitted by: David Xu <bsddiy@yahoo.com>

Back out workaround of fixing "suspend/fg" by price of breaking "stop $$/fg".

This is real kernel bug (threads) and don't attempt to mask it by
workarounds to increase chances to fix it in the kernel.

Remove tcsetpgrp() stuff across suspend/continue because it cause upper level
tcsh killed on resume (fg). It is because tcsh is interactive itself and
do its own things with terminal group.

This is Alexander Kabaev's patch to solve the signal problem with su
(see 'zsh exits upon ^C' thread). This may be temporary be he's been
running it for a year without incident so we should be golden with it.

Approved by: des

Backout 1.51 on DES's request.

Approved by: des

Make our child the leader of its own process group to avoid receiving
signals in its stead. This fixes the dread "zsh exits upon ^C" bug.

Drive-by whitespace cleanup & add NAI copyright

Use `The .Nm utility'

Fix a few typos.
as a user ID -> has a user ID
command constitutes of -> command consists of

PR: misc/36523
Submitted by: Chris Pepper <pepper@mail.rockefeller.edu>
MFC after: 3 days

Belatedly OpenPAMify. I forgot this patch in last night's megacommit.

Sponsored by: DARPA, NAI Labs

Don't set PAM_RHOST, this is a local login.

Sponsored by: DARPA, NAI Labs

Remove to-be-default WARNS?=2

Set BINOWN=root explicitly for setuid root binaries.

This is not "useless", as one may have non-default
setting for BINOWN in make.conf, and we still want
these to be installed setuid root in this case.

Reinstate complete (and now correctly functioning) WARNS=2.

Back out (with prejudice) the last WARNS=2 fix. I cannot understand
its failure mode, and will revisit it later.

WARNS=2 fixes.

The remaining problem of converting highly incompatible pointer types
is done by "laundering" the value through a union.

This solves the problem (in my own mind) of how a "const char *" _ever_
actually gets a value in a WARNS=2 world.

Very minor stylistic nit.

Discussed with: ru

Substitute ARGSTR in-place.
Forgot trailing newline in usage().

Fixed the usage() string.

This also reverts change in rev. 1.36 to the documented
style of writing usage().

PR: bin/29730
Submitted by: Joseph Mallett <jmallett@xMach.org>

Set the RUSER for PAM so that (eg) kerberos can set up tickets properly.

WARNS=2 type cleanup.

WARNS=2 cannot be enable because of an unresolvable conflict in arg 2
of execv(). Document this in the Makefile.

Reviewed by: bde (su.c only)

mdoc(7) police: join split punctuation to macro calls.

Remove whitespace at EOL.

Deconvolute the authentication mess, and hand total responsiblity
for authentication to PAM. This meens that WHEELSU-type logic can
now be effected in the pam.conf "su" configuration stack. While here,
clean up the mess that the code had assumed over years of hacking by
folks using different styles. ANSIfy.

There is more policy in here that can be handed over to PAM. This will
be revisited.

Tell the user what group they must be in to su to root.

Submitted by: Seth Kingsley <sethk@osd.bsdi.com>

Dike out Kerberos(IV) support on the grounds that better kerberos
support can be gotten via PAM.

Dike out the Kerberos(IV) support on the grounds that better kerberos
support can be already obtained via PAM.

Add full PAM support for account management and sessions.

The PAM_FAIL_CHECK and PAM_END macros in su.c came from the util-linux
package's PAM patches to the BSD login.c

Submitted by: "David J. MacKenzie" <djm@web.us.uu.net>

o Make comment match reality, synch code with comment.
o In practice: the comment indicates that all but umask and
environmental variables of the users login class are applied when su
occurs, unless -m is used to specify a class. This was incorrect;
in practice, the uid, gids, resources, and priority were set, and
then resources and priority were selectively removed. This meant
that some aspects of the user context were not set, including handling
of login events (wtmp, utmp), as well as the path specified in
login.conf.
o I changed it so that the behavior is the same, but instead,
LOGIN_SETALL is used, and appropriate flags are removed, including
the LOGIN_SETLOGIN and LOGIN_SETPATH entries that were implicitly
not present before. I also updated the comment to reflect
reality, selecting reality as the "correct" behavior.
o This has the practical benefit that as new LOGIN_SET* flags are
introduced, they are supported by su unless specifically disabled.
For example, of a LOGIN_SETLABEL flag is introduced to support
MAC labels determined by the user's login class, then su no longer
has to be modified.
o It might be desirable to have su use LOGIN_SETPATH depending on
its command line parameters, as it might or might not be
considered part of the "environment".

Obtained from: TrustedBSD Project

mdoc(7) police: use the new features of the Nm macro.

Document the ``-'' option and minor re-wording in EXAMPLES

Remove single-space hard sentence breaks. These degrade the quality
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.

Use libcrypto in place of libdes.

Revert the libcrypt/libmd stuff back to how it was. This should not have
happened as it was working around problems elsewhere (ie: binutils/ld
not doing the right thing according to the ELF design). libcrypt has
been adjusted to not need the runtime -lmd. It's still not quite right
(ld is supposed to work damnit) but at least it doesn't impact all the
users of libcrypt in Marcel's cross-build model.

Add libmd (or move it after libcrypt). We don't want the linker to be
smart because it will definitely get it wrong. This popped up during
cross-linking.

Change edistribution to krb4 in preaparation for K5

Fix Common Error brokenness.

$Id$ -> $FreeBSD$

Fixed editing error in previous commit. `-lmd' (link libmd) became `-md'
(emulate the 'd' linker (?)). This was most harmful for the NOSHARED=yes
case since libskey.o isn't linked to libmd.a.

Fixed the usual disorder of DPADD and LDADD, and some tab lossage.

Axe LOGIN_CAP_AUTH.

PR: 10115
Reported by: Gene Skonicki <gene@cif.rochester.edu>
Requested by: jdp

Actually fixed ambiguous else. The previous revision had no effect.

Fix ambigious else.

Reviewed By: eivind

Add JKH's auth.conf parser to turn on/off Kerberos in userland

Fix bad option processing.

PR: bin/7986
Submitted by: Dan Nelson <dnelson@emsphone.com>

Remove useless `BINOWN=root' now that it is the default.

Removed a buggy ifdef for not linking libmd explicitly. Explicit
linkage is needed for the NOSHARED=YES case, so it is simplest to
never depend on the automagic linkage for elf shared libraries.

Reviewed by: jdp

Add $Id$

Still need -lmd on the alpha as it doesn't have shlibs yet

BINFORMAT -> OBJFORMAT ready for E-day.

Fix LIBDIR (for aout/ELF).

Reword to remove confusion between su(1)'s "-c" option and that of the shell
being invoked. Add example that clarifies usage of "-c".

PR: 6859

PR: 1904
Abort if given uname is > MAXLOGNAME-1

Allow a user in group 0 to su(1) to root if their primary
group is 0 in /etc/passwd even if they aren't listed
as a member in /etc/group. This is more inline with
what the group manpage says.

PR: 6696
Submitted by: Max Euston <meuston@jmrodgers.com>

I wonder how I managed to get the krb.h include wrong. Anyway: correct it.

Add -c option that allows root to specify a login_class.

Changes for KTH KerberosIV.
Quieten -Wall a bit.

From Joe Traister:
The previous patch did not propogate the KRBTKFILE environment variable
into the new environment when -l is given to su, making it impossible
for kdestroy to find the ticket file. This patch corrects that problem
as well as the original segfault problem.
(Fixes PR 3903)

PR: docs/4383
su manpage ambiguous regarding command prompt

Submitted by: sheldonh@iafrica.com

If elf, don't add libmd.a just because we link against libskey.so.
A

fix a few spelling changes

Submitted by: Josh Gilliam

Closes PR's: 4429, 4431-4438

PS: He has agreed to submit all contrib fixes back to the original author.

Prevent a NULL dereferencation when given a garbage command line.

PR: bin/3206
Submitted by: blank@fox.uni-trier.de

Add usage().

Move libmd after all libraries to keep natural libraries order

login_getclass() -> login_getpwclass().

compare return value from getopt against -1 rather than EOF, per the final
posix standard on the topic.

When group wheel is empty, allow everyone to su to root. This has normally
no conseqeunces as we ship with a non-empty wheel.

Closes PR/1882
Submitted by: Arne Henrik Juul <arnej@frida.imf.unit.no>

Revert $FreeBSD$ to $Id$

Sort cross references.

Fix problem with mask passwd to setusercontext() which
prevented uid/group change with non-root target.

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.

Document effect of login class capabilities.

Make su login_cap savvy.
As with login(1), LOGIN_CAP_AUTH is not yet enabled since we don't
yet have authorisation modules.

Export $TERM only if it has been set in our environment.

Detected by: Amancio Hasty

[HISTORY] command appeared in Version 1 AT&T UNIX
Obtained from: A Quarter Century of UNIX, Peter H. Salus, page 41

Make su a little less fascist about using Kerberos if it is not
configured or available.

Also fix a _nasty_ bug that would let one in if su -K was used.
Any old password would work :-( :-(.

Better integrate kerberos into su so that if an incorrect Kerberos
password is entered, the user is not prompted for a password a second
time.

This closes pr-bin/1006.

#include <kerberosIV/des.h> -> #include <des.h>

Make it possible to enable WHEELSU from /etc/make.conf.

Kerberos can now deal with multi-homed clients.

Kerberos obtains a network address for the local host from the routing
tables and uses it consistently for all Kerberos transactions. This ensures
that packets only leave the *authenticated* interface. Clients who open
and use their own sockets for encrypted or authenticated correspondance
to kerberos services should bind their sockets to the same address as that
used by kerberos. krb_get_local_addr() and krb_bind_local_addr() allow
clients to obtain the local address or bind a socket to the local address
used by Kerberos respectively.

Reviewed by: Mark Murray <markm>, Garrett Wollman <wollman>
Obtained from: concept by Dieter Dworkin Muller <dworkin@village.org>

Bring Barry Morris' changes from FreeBSD 1.1.5.1 back: pass arguments
to the target login's shell. This allows for "su -c".

Do it right this time and also explain this behaviour in the man
page. :)

Obtained from: bsm's work in FreeBSD 1.1.5.1

Check for expired passwords before allowing access to the system.

Added support for an LCS-style `wheel su' which allows users in group wheel
to su to root by authenticating as themselves (using a password or S/Key)
rather than by using the root password. This is useful in contexts like
ours, where a large group of people need root access to a set of machines.
(However, the security implications are such that this should not be
enabled by default.)

The code is conditionalized on WHEELSU.

Remove trailing whitespace.

It has always bugged me that ps and w did not display su with tcsh
properly. I know, tcsh is not a "Real Shell".

jc p2 :0.0 Tue04PM - -u (tcsh)
^^^
7173 p2 S+ 0:01.33 -u (tcsh)
^^^

Submitted by: John Capo <jc@irbs.com>

Change the library order so libcrypt is the last library in the list.
libskey contains references to _crypt and can't resolve it unless
-lcrypt occurs after it in the link command. This only occurs when
linking statically.

Add distribution=krb for P-HK

Fixed the PATH and cleanenv setting in su. This was totally broken in the
4.4BSD Lite source.

Include most of the logdaemon v4.4 S/key changes

Add support for s/keys

First level of changes for bringing in eBones (kerberos).
- Get rid of inverse logic (NOKERBEROS and NOEBONES) in src/makefile,
and replace with MAKE_KERBEROS and MAKE_EBONES. (Far fewer contortions,
and both default to off.) IF YOU WANT KERBEROS, YOU HAVE TO EXPLICITLY
DEFINE ONE OF THESE.
- Make Makefiles kerberos-aware.

LDADD= -lcrypt
Submitted by: Geoff

Don't use kerberos yet, we aren't ready.

This commit was generated by cvs2svn to compensate for changes in r1590,
which included commits to RCS files with non-trunk default branches.