History log of /freebsd-current/etc/group
Revision Date Author Comments
# 9d6049d5 22-Aug-2023 Mike Karels <karels@FreeBSD.org>

etc: remove leftover leading empty comments, blank lines

Remove leftover empty leading comments/blank lines that had been
spacers between $FreeBSD$ and the following content in config files
in src/etc.

Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D41548


# d0b2dbfa 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/


# d0f1f382 18-Feb-2022 Ed Maste <emaste@FreeBSD.org>

Reserve u2f group for FIDO/U2F key support (SSH, etc.)

We have FIDO/U2F support in the base system now, so reserve a group ID
for it (matching the security/u2f-devd port).

Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34341


# a9545eed 09-Dec-2021 Florian Walpen <dev@submerge.ch>

Add idle priority scheduling privilege group to MAC/priority

Add an idletime user group that allows non-root users to run processes
with idle scheduling priority. Privileges are granted by a MAC policy in
the mac_priority module. For this purpose, the kernel privilege
PRIV_SCHED_IDPRIO was added to sys/priv.h (kernel module ABI change).

Deprecate the system wide sysctl(8) knob
security.bsd.unprivileged_idprio which lets any user run idle priority
processes, regardless of context. While the knob is still working, it is
marked as deprecated in the description and in the man pages.

MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D33338


# bf2fa8d9 04-Dec-2021 Florian Walpen <dev@submerge.ch>

MAC/priority module for realtime privilege group

This is a MAC policy module that grants scheduling privileges based on
group membership. Users or processes in the group realtime (gid 47) are
allowed to run threads and processes with realtime scheduling priority.
For timing-sensitive, low-latency software like audio/jack, running with
realtime priority helps to avoid stutter and gaps.

PR: 239125
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D33191


# cfe7aad9 27-Mar-2020 Brooks Davis <brooks@FreeBSD.org>

Create and use a tests group for the tests user.

No user (except nobody) should be a member of the nobody group.

Reported by: rgrimes
Reviewed by: rgrimes
MFC after: 3 days
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D24199


# 45a13fd8 23-May-2019 Baptiste Daroussin <bapt@FreeBSD.org>

Move back group, master.passwd and shells to etc directory

Use the .PATH mechanism instead so keep installing them from lib/libc/gen

While here revert 347961 and 347893 which are no longer needed

Discussed with: manu
Tested by: manu
ok manu@


# 3496c981 19-Jul-2018 Ian Lepore <ian@FreeBSD.org>

Make it possible to run ntpd as a non-root user, add ntpd uid and gid.

Code analysis and runtime analysis using truss(8) indicate that the only
privileged operations performed by ntpd are adjusting system time, and
(re-)binding to privileged UDP port 123. These changes add a new mac(4)
policy module, mac_ntpd(4), which grants just those privileges to any
process running with uid 123.

This also adds a new user and group, ntpd:ntpd, (uid:gid 123:123), and makes
them the owner of the /var/db/ntp directory, so that it can be used as a
location where the non-privileged daemon can write files such as the
driftfile, and any optional logfile or stats files.

Because there are so many ways to configure ntpd, the question of how to
configure it to run without root privs can be a bit complex, so that will be
addressed in a separate commit. These changes are just what's required to
grant the limited subset of privs to ntpd, and the small change to ntpd to
prevent it from exiting with an error if running as non-root.

Differential Revision: https://reviews.freebsd.org/D16281


# 1cf38d9e 26-Jan-2016 Marcelo Araujo <araujo@FreeBSD.org>

Fix regression introduced on r293801.
The UID/GID 93 is in use by jabber on PORTS, we will use
UID/GID 160 for ypldap(8).

Reported by: antoine
Approved by: bapt (mentor)
Differential Revision: https://reviews.freebsd.org/D5062


# 34c7eb57 08-Aug-2015 Koop Mast <kwm@FreeBSD.org>

Add a new group named 'video' with the id of 44. And make drm create
devices in /dev/dri/ with this new group.

This will allow ports and users to more easily access these devices
for OpenGL and OpenCL support.

Reviewed by: dumbbell@
Approved by: dumbbell@
Differential Revision: https://reviews.freebsd.org/D1260


# ec0e2ac6 12-Oct-2013 Rui Paulo <rpaulo@FreeBSD.org>

Remove most of the ATF tools and the _atf user.

This is necessary because ATF is deprecated and it will be replaced by Kyua.

Submitted by: jmmv@netbsd.org
Reviewed by: Garrett Cooper
Approved by: re


# 8f8790cd 15-Sep-2013 Dag-Erling Smørgrav <des@FreeBSD.org>

Build and install the Unbound caching DNS resolver daemon.

Approved by: re (blanket)


# c175365c 21-Oct-2012 Marcel Moolenaar <marcel@FreeBSD.org>

Add ATF to the build. This may be a bit rough around the edges,
but committing it helps to get everyone on the same page and makes
sure we make progress.

Tinderbox breakages that are the result of this commit are entirely
the committer's fault -- in other words: buildworld testing on amd64
only.

Credits follow:

Submitted by: Garrett Cooper <yanegomi@gmail.com>
Sponsored by: Isilon Systems
Based on work by: keramida@
Thanks to: gnn@, mdf@, mlaier@, sjg@
Special thanks to: keramida@


# 3468e4ce 28-Jan-2011 Pawel Jakub Dawidek <pjd@FreeBSD.org>

Add 'hast' user and 'hast' group that will be used by hastd (and maybe hastctl)
to drop privileges.

MFC after: 1 week


# fe0506d7 09-Mar-2010 Marcel Moolenaar <marcel@FreeBSD.org>

Create the altix project branch. The altix project will add support
for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting
is a two-module system, consisting of a base compute module and a
CPU expansion module. SGI's NUMAFlex architecture can be an excellent
platform to test CPU affinity and NUMA-aware features in FreeBSD.


# d7f03759 19-Oct-2008 Ulf Lilleengen <lulf@FreeBSD.org>

- Import the HEAD csup code which is the basis for the cvsmode work.


# 3213dc84 11-Jun-2007 Ceri Davies <ceri@FreeBSD.org>

Create group ftp by default. This is gid 14 as this is the historical
id used by sysinstall when enabling anonymous FTP.

Change the default group used by sysinstall for setting up anonymous FTP
from operator to ftp; there is no reason to use operator and there are
potential security issues when doing so.

PR: 93284
Approved by: ru (mentor)
Reviewed by: simon


# cd573a85 05-Feb-2006 Robert Watson <rwatson@FreeBSD.org>

Assign gid 77 to audit instead of gid 73. The ports group list did not
include '73', which was assigned in a ports passwd entry to ircservices.

Pointed out by: ceri


# bbcf7c36 05-Feb-2006 Robert Watson <rwatson@FreeBSD.org>

Allocate an 'audit' group, membership in which will grant the audit
review right by virtue of read file permission on /var/audit and its
contents.

Obtained from: TrustedBSD Project


# 7217408a 06-Jun-2005 Brooks Davis <brooks@FreeBSD.org>

Add _dhcp user/group as required by the OpenBSD dhclient.


# 8ee2ac9e 22-Jun-2004 Max Laier <mlaier@FreeBSD.org>

Add "privsep" user/group _pflogd:_pflogd (64:64) to make pflogd(8) work
again. This user/group is not required for install* targets, hence do not
add them to CHECK_UIDS/CHECK_GIDS in Makefile.inc1 (no need to annoy
people).

Discussed-on: -current


# be3e0526 10-Mar-2004 Max Laier <mlaier@FreeBSD.org>

Add trailing colon

Noticed by: dwhite
Approved by: bms(mentor)


# 8d69c48b 08-Mar-2004 Max Laier <mlaier@FreeBSD.org>

Link pf to the build and install:
This adds the former ports registered groups: proxy and authpf as well as
the proxy user. Make sure to run mergemaster -p in order to complete make
installworld without errors.

This also provides the passive OS fingerprints from OpenBSD (pf.os) and an
example pf.conf.

For those who want to go without pf; it provides a NO_PF knob to make.conf.

__FreeBSD_version will be bumped soon to reflect this and to be able to
change ports accordingly.

Approved by: bms(mentor)


# e50dfdc9 26-Apr-2003 Warner Losh <imp@FreeBSD.org>

xten isn't needed after tw is gone.

Approved by: re@ (scottl)


# 190a0059 14-Oct-2002 Robert Watson <rwatson@FreeBSD.org>

Remove root from the 'guest' group: missed in a previous pass.

Spotted by: jhb


# 975819b7 13-Oct-2002 Robert Watson <rwatson@FreeBSD.org>

Remove root from the kmem, sys, tty, and staff groups in the default
configuration. Root privileges override DAC on local file systems and
therefore root does not generally need to be a member of a group to
access files owned by that group. In the NFS case, require explicit
authorization for root to have these privileges.

Leave root in operator for dump/restore broadcast reasons; leave root
in wheel until discrepancies in the "no users in wheel means any user
can su" policy are resolved (possibly indefinitely).


# 7b2c73b7 13-Oct-2002 Robert Watson <rwatson@FreeBSD.org>

For consistency with other entries in group, don't put the daemon or
xten users in their groups explicitly--we pick that up from the gid
field in master.passwd.


# 04b681a9 23-Jun-2002 Dag-Erling Smørgrav <des@FreeBSD.org>

Add an sshd user and group for the OpenSSH privilege separation code.


# ca8b9ed3 17-Nov-2001 Gregory Neil Shapiro <gshapiro@FreeBSD.org>

Add two new accounts/groups for sendmail:

smmsp - sendmail 8.12 operates as a set-group-ID binary (instead of
set-user-ID). This new user/group will be used for command line
submissions. UID/GID 25 is suggested in the sendmail documentation and has
been adopted by other operating systems such as OpenBSD and Solaris 9.

mailnull - The default value for DefaultUser is now set to the uid and gid
of the first existing user mailnull, sendmail, or daemon that has a
non-zero uid. If none of these exist, sendmail reverts back to the old
behavior of using uid 1 and gid 1. Currently FreeBSD uses daemon for
DefaultUser but I would prefer not to use an account used by other
programs, hence the addition of mailnull. UID/GID 26 has been chosen for
this user.

This was discussed on -arch on October 18-19, 2001.

MFC after: 1 week


# 92277380 24-Oct-2001 Andrey A. Chernov <ache@FreeBSD.org>

Re-commit www:www
If anybody wants to remove them for some reason, please consider "pop"
removing first.

Approved by: arch discussion from Oct 20
MFC after: 3 days


# 19aa5cdc 18-Oct-2001 Sheldon Hearn <sheldonh@FreeBSD.org>

Back previous revision out until it has been discussed on -arch and
motivated. Currently, it is under dispute.


# 913b0e4e 17-Oct-2001 Andrey A. Chernov <ache@FreeBSD.org>

Add www:www (80:80) for upcoming Apache changes


# 9b7a44a6 27-Aug-1999 Peter Wemm <peter@FreeBSD.org>

$Id$ -> $FreeBSD$


# ac48aa41 01-Dec-1998 Matthew Dillon <dillon@FreeBSD.org>

Added group bind(53), added sandbox users tty(4), kmem(5), and bind(53),
adjusted inetd.conf to run comsat and ntalk from tty sandbox, and
the (commented out) ident from the kmem sandbox.

Note that it is necessary to give each group access its own uid to
prevent programs running under a single uid from being able to gdb
or otherwise mess with other programs (with different group perms) running
under the same uid.


# 965066d6 13-Sep-1998 Brian Somers <brian@FreeBSD.org>

Add Id keyword


# 8a13ec3a 03-Sep-1997 Brian Somers <brian@FreeBSD.org>

ppp => network
As discussed on cvs-committers


# a393e39c 31-Aug-1997 Brian Somers <brian@FreeBSD.org>

Add group ppp (gid 69)


# 1ac310dd 01-May-1997 Jordan K. Hubbard <jkh@FreeBSD.org>

Add mail group.


# 887d19dd 12-Mar-1996 Poul-Henning Kamp <phk@FreeBSD.org>

Move "dialer" to gid == 68.


# 43e028e0 12-Mar-1996 Poul-Henning Kamp <phk@FreeBSD.org>

Move user & group "xten" from [ug]id == 100 to 67.
This is less likely to collide with site policies.


# 41bdbea7 12-Mar-1996 Poul-Henning Kamp <phk@FreeBSD.org>

Remove ingres user.


# 843f16dc 17-May-1995 Rodney W. Grimes <rgrimes@FreeBSD.org>

nogroup 32766 -> 65533 to go with nobody's change to 65534.


# efc05b2b 15-May-1995 Andrey A. Chernov <ache@FreeBSD.org>

change nobody master.passwd entry to 65534:65534
change nobody group entry to 65534
Suggested-by: pst


# 29fb8166 17-Apr-1995 Jordan K. Hubbard <jkh@FreeBSD.org>

Add xten user/group.
Submitted by: Gene Stark <gene@starkhome.cs.sunysb.edu>


# 62936ec7 30-May-1994 Andrey A. Chernov <ache@FreeBSD.org>

Introduce new group for uucp, gid 66


# 553a5931 19-Mar-1994 Jordan K. Hubbard <jkh@FreeBSD.org>

As per Rod's wishes, man uses uid/gid 9 now.


# 5dfaa173 19-Mar-1994 Jordan K. Hubbard <jkh@FreeBSD.org>

Remove man group - no longer necessary (that was quick! :). I'll let Rod
pick the uid for the `man' user, since he staked a claim on that, but he'd
better not forget or the make install will break badly! :)


# 8f74b717 18-Mar-1994 Jordan K. Hubbard <jkh@FreeBSD.org>

Added a man group ID.


# 0a0018c5 25-Feb-1994 Rodney W. Grimes <rgrimes@FreeBSD.org>

>From: Andreas Schulz <ats@g386bsd.first.gmd.de>
Subject: failure in /usr/src/etc/group

The /usr/src/etc/group file is missing a colon in the line
"dialer:*:117" at the end.


# 5db8869f 19-Jul-1993 Rodney W. Grimes <rgrimes@FreeBSD.org>

Removed bill and lynne from group file, this was a security hole in the
0.1 distribution, as they had accounts in the password file without passwords,
and were in group wheel!


# 1bf9d5d9 20-Jun-1993 Rodney W. Grimes <rgrimes@FreeBSD.org>

Initial import of 386BSD 0.1 othersrc/etc