History log of /freebsd-current/usr.bin/login/login.c
Revision Date Author Comments
# 1e25eb28 12-Jan-2024 Dag-Erling Smørgrav <des@FreeBSD.org>

login: Missed an instance of getpwnam().

Fixes: a3d80dd8aa6ac15877e00102ab174b417ac81d79
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D43423


# a3d80dd8 12-Jan-2024 Dag-Erling Smørgrav <des@FreeBSD.org>

login: Use getpwnam_r() instead of getpwnam().

Since we expect the entry to still be valid after calling into PAM,
which may call getpwnam() itself, we need to use getpwnam_r().

MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: kevans, imp, allanjude, markj
Differential Revision: https://reviews.freebsd.org/D43376


# 5e3934b1 24-Nov-2023 Warner Losh <imp@FreeBSD.org>

usr.bin: Automated cleanup of cdefs and other formatting

Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by: Netflix


# bdcbfde3 23-Nov-2023 Warner Losh <imp@FreeBSD.org>

usr.bin: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixups to keep things compiling. All the common forms in the tree
were removed with a perl script.

Sponsored by: Netflix


# 1d386b48 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/


# 4d552825 06-Jul-2021 Alex Richardson <arichardson@FreeBSD.org>

usr.bin/login: send errors to console if syslog isn't running

I was debugging why login(1) wasn't working as expected on a minimal
MFS_ROOT disk image. This image doesn't have syslogd running so the
warnings were lost and I had to use GDB to find out why login(1) was
failing (missing PAM libraries) instead of being able to see it in
the console output.

MFC after: 1 week
Reviewed By: pfg
Differential Revision: https://reviews.freebsd.org/D30892


# dcc6f625 18-Dec-2020 Pedro F. Giffuni <pfg@FreeBSD.org>

login(1): when exporting variables check the result of setenv(3)

When exporting a variable we correctly check all the preconditions that
could make setenv(3) fail. Checking the setenv(3) return value seems
redundant, but given that login(1) is critical, it doesn't hurt to have
a post-check.

This change is based on the "Principles of Secure Coding" course by
Matthew Bishop, PhD., which specifically discusses this code in FreeBSD.

(This change redoes r368776 due to a silly mistake)


# a0bed901 18-Dec-2020 Pedro F. Giffuni <pfg@FreeBSD.org>

Revert r368776:
login(1): when exporting variables check the result of setenv(3)

mismatch: the return value upon error is -1, so the code was not
doing nothing.


# ebb4fcc7 18-Dec-2020 Pedro F. Giffuni <pfg@FreeBSD.org>

login(1): when exporting variables check the result of setenv(3)

When exporting a variable we correctly check all the preconditions that
could make setenv(3) fail. Checking the setenv(3) return value seems
redundant, but given that login(1) is critical, it doesn't hurt to have
a post-check.

This change is based on the "Principles of Secure Coding" course by
Matthew Bishop, PhD., which specifically discusses this code in FreeBSD.

Differential Revision: https://reviews.freebsd.org/D26966


# df57947f 18-Nov-2017 Pedro F. Giffuni <pfg@FreeBSD.org>

spdx: initial adoption of licensing ID tags.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
open source licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
supersede or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.

Initially, only tag files that use BSD 4-Clause "Original" license.

RelNotes: yes
Differential Revision: https://reviews.freebsd.org/D13133


# 60b0aa6a 10-Sep-2015 Xin LI <delphij@FreeBSD.org>

login.c doesn't really need libutil.h, don't include it.

login_fbtab.c includes paths.h and pathnames.h, and pathnames.h includes
paths.h. Eliminate the paths.h inclusion in login_fbtab.c.

MFC after: 2 weeks


# 06224a94 17-Aug-2014 Neel Natu <neel@FreeBSD.org>

Remove LOG_ODELAY because it does nothing.

Reviewed by: jilles
CR: https://reviews.freebsd.org/D611


# 07426f1f 19-Apr-2014 Jilles Tjoelker <jilles@FreeBSD.org>

login: Remove broken dialup log message.

For 10 years, the "DIALUP <tty>, <user>" message has required having a
hostname (-h) instead of not having a hostname; therefore, it is never
logged. Given that dialup is obsolete and this has not been fixed, remove
the log message.

Note that LOGALL, which is defined by default, logs a message for all
logins, including dialup logins.


# 2482c270 26-Jan-2014 Jilles Tjoelker <jilles@FreeBSD.org>

login: Clean up PAM and audit, then exit, on SIGHUP and SIGTERM.

This avoids leaving stale entries in utmpx after the connection is closed on
an open login session. It also allows a clean way (SIGTERM) to forcibly
terminate a user's terminal session.

This does not affect the situation for "hung" processes after the connection
is closed. The foreground process group receives SIGHUP and the tty becomes
inaccessible.

Also replace all use of the obsolete signal() function with sigaction() (not
only the part where it is actually required: SIGHUP and SIGTERM must mask
the other as well when caught).

PR: misc/183495
Reviewed by: ed


# e83ebd8d 13-Nov-2013 Ed Schouten <ed@FreeBSD.org>

Fix whitespace.


# ba675b41 03-May-2011 Doug Rabson <dfr@FreeBSD.org>

Call pam_setcred() before login_getpwclass to support home directories
on GSS-API authenticated NFS where the kerberos credentials need to be
saved so that the kernel can authenticate to the NFS server.


# 587250b2 20-Oct-2010 Ed Schouten <ed@FreeBSD.org>

Get rid of hand-rolled closefrom(3).


# a7d5f7eb 19-Oct-2010 Jamie Gritton <jamie@FreeBSD.org>

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.


# 905571c0 28-Sep-2010 Ed Maste <emaste@FreeBSD.org>

Remove copyright strings printed at login time via login(1) or sshd(8).
It is not clear to what this copyright should apply, and this is in line
with what other operating systems do.

For ssh specifically, printing of the copyright string is not in the
upstream version so this reduces our FreeBSD-local diffs.

Approved by: core, des (ssh)


# fe0506d7 09-Mar-2010 Marcel Moolenaar <marcel@FreeBSD.org>

Create the altix project branch. The altix project will add support
for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting
is a two-module system, consisting of a base compute module and a
CPU expansion module. SGI's NUMAFlex architecture can be an excellent
platform to test CPU affinity and NUMA-aware features in FreeBSD.


# ef636796 02-Jan-2010 Ed Schouten <ed@FreeBSD.org>

ANSIfy various tools in usr.bin/.

Most of these tools properly build at WARNS=6, except for their K&R
function declarations. Fix this, so we can bump WARNS as well.


# 821df508 12-Dec-2009 Xin LI <delphij@FreeBSD.org>

Revert most part of 200420 as requested, as more review and polish is
needed.


# 6f2d3221 11-Dec-2009 Xin LI <delphij@FreeBSD.org>

Remove unneeded header includes from usr.bin/ except contributed code.

Tested with: make universe


# 95e7b94a 27-Mar-2009 Ed Schouten <ed@FreeBSD.org>

Don't strip TTY device name to the last '/'.

We've seen this bug in other applications before: we have some
applications that use strrchr(tty, '/') on the TTY device name. This
isn't valid when using pts(4), because the device name will be stripped
to "0" instead of "pts/0".

This fixes issues with login(1) ignoring /etc/ttys and missing utmp
records.

Reported by: Barney Cordoba <barney_cordoba yahoo com>
Reviewed by: rwatson
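
The failure mode this commit describes, as an added example (not code from login.c or from the FreeBSD tree): taking the text after the last '/' turns "/dev/pts/0" into "0", so a lookup keyed by tty name misses. The function names, the `DEV_PREFIX` constant and the `known_ttys` table are constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEV_PREFIX "/dev/"	/* assumed device directory prefix */

/* The pattern the commit calls invalid: keep only what follows the last '/'. */
const char *
tty_name_strrchr(const char *path)
{
	const char *p = strrchr(path, '/');

	return (p != NULL ? p + 1 : path);
}

/* Strip only the leading device directory, so "pts/0" survives intact. */
const char *
tty_name_prefix(const char *path)
{
	size_t n = sizeof(DEV_PREFIX) - 1;

	if (strncmp(path, DEV_PREFIX, n) == 0)
		return (path + n);
	return (path);
}

/* Constructed stand-in for records keyed by tty name (ttys, utmp). */
static const char *const known_ttys[] = {
	"ttyv0", "ttyu0", "pts/0", "pts/1", NULL
};

/* Return the index of name in known_ttys, or -1 if there is no record. */
int
find_tty(const char *name)
{
	int i;

	for (i = 0; known_ttys[i] != NULL; i++) {
		if (strcmp(known_ttys[i], name) == 0)
			return (i);
	}
	return (-1);
}

int
main(void)
{
	/* Constructed sample paths: one classic tty, one pts(4) device. */
	static const char *const paths[] = { "/dev/ttyv0", "/dev/pts/0", NULL };
	int i;

	for (i = 0; paths[i] != NULL; i++) {
		const char *a = tty_name_strrchr(paths[i]);
		const char *b = tty_name_prefix(paths[i]);

		printf("%-12s strrchr=%-6s (record %d)  prefix=%-6s (record %d)\n",
		    paths[i], a, find_tty(a), b, find_tty(b));
	}
	return (0);
}
```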


# d7f03759 19-Oct-2008 Ulf Lilleengen <lulf@FreeBSD.org>

- Import the HEAD csup code which is the basis for the cvsmode work.


# 2966d28c 03-Jul-2007 Sean Farley <scf@FreeBSD.org>

Significantly reduce the memory leak as noted in BUGS section for
setenv(3) by tracking the size of the memory allocated instead of using
strlen() on the current value.

Convert all calls to POSIX from historic BSD API:
- unsetenv returns an int.
- putenv takes a char * instead of const char *.
- putenv no longer makes a copy of the input string.
- errno is set appropriately for POSIX. Exceptions involve bad environ
variable and internal initialization code. These both set errno to
EFAULT.

Several patches to base utilities to handle the POSIX changes from
Andrey Chernov's previous commit. A few I re-wrote to use setenv()
instead of putenv().

New regression module for tools/regression/environ to test these
functions. It also can be used to test the performance.

Bump __FreeBSD_version to 700050 due to API change.

PR: kern/99826
Approved by: wes
Approved by: re (kensmith)


# ba174a5e 01-May-2007 Andrey A. Chernov <ache@FreeBSD.org>

Back out all POSIXified *env() changes.

Not because I admit they are technically wrong and not because of bug
reports (I receive nothing). But because I surprisingly met such
strong opposition and resistance that I lost any desire to continue that.

Anyone who is interested in POSIX can dig out what changes and how
through cvs diffs.


# 8673ed15 29-Apr-2007 Andrey A. Chernov <ache@FreeBSD.org>

Slightly tune previous fix: free memory if !export


# 2efaac81 29-Apr-2007 Andrey A. Chernov <ache@FreeBSD.org>

Prepare for upcoming POSIXed putenv() rewrite:
don't free memory after putenv()


# 0c59c145 12-Dec-2006 Christian S.J. Peron <csjp@FreeBSD.org>

Teach login(1) about the make.conf NO_AUDIT variable. This allows us to
conditionally build in audit support.

Submitted by: bz
MFC after: 1 week


# 8f9370b0 28-Mar-2006 Olivier Houchard <cognet@FreeBSD.org>

Don't call audit_logout() if pwd is NULL, as audit_logout() attempts to
dereference it.
This will happen if we ^D at the Login: prompt without having provided a
valid login before.
Set pwd to NULL on bad login attempts to prevent audit_logout() from being
called for a user which didn't actually log on.

Reported by: Jerome Magnin jethro at docisland dot org


# a1c73d21 04-Feb-2006 Wayne Salamon <wsalamon@FreeBSD.org>

Make login audit-enabled, submitting audit records for the login and logout
events. The specifics of submitting the records is contained within
login_audit.c.
Document the auditing behavior in the man page.

Obtained from: TrustedBSD Project, Apple Computer, Inc.
Approved by: rwatson (mentor)


# 42dc3715 31-May-2005 Maxim Konovalov <maxim@FreeBSD.org>

o Teach login(1) to respect "hushlogin" and "nocheckmail" attributes
defined in user's $HOME/.login_conf.

PR: bin/75001
Submitted by: Rostislav Krasny
MFC after: 2 weeks


# 71f4a30d 26-Jan-2004 Max Khon <fjoe@FreeBSD.org>

Fix ~/.hushlogin handling.

PR: 61354
Submitted by: Eugeny Grosbein <eugen (at) kuzbass.ru>


# a2ba8df6 25-Apr-2003 Robert Watson <rwatson@FreeBSD.org>

When the tty chown() fails, report a chown() failure rather than a
chmod() failure.


# 5c4b7a56 25-Apr-2003 Dag-Erling Smørgrav <des@FreeBSD.org>

The documented login.conf variable for setting the login prompt is
"login_prompt". This makes more sense than "prompt" which is what
login actually used, so change the code to match the documentation.

PR: docs/51396
MFC in: 3 days


# d477c0ca 15-Feb-2003 Dag-Erling Smørgrav <des@FreeBSD.org>

Back out previous commit, I wasn't thinking clearly.


# b9c53543 15-Feb-2003 Dag-Erling Smørgrav <des@FreeBSD.org>

Set PAM_RHOST to "localhost" if no remote host was specified. This allows
pam_opieaccess() to work as expected for local logins.


# fea1e414 08-Feb-2003 Dag-Erling Smørgrav <des@FreeBSD.org>

Use waitpid() instead of wait() since we know the pid of the process we
are waiting for, and we don't want to reap the wrong process.


# 2517862e 04-Dec-2002 Dag-Erling Smørgrav <des@FreeBSD.org>

Change the process title as soon as possible to mask information passed on
the command line by getty(8). This is not a perfect fix, but drastically
reduces the window of exposure.

Approved by: re (rwatson)
MFC after: 1 week


# 0845b8fa 15-Oct-2002 Poul-Henning Kamp <phk@FreeBSD.org>

Be consistent about functions being static.

Spotted by: FlexeLint


# 84bbb6ca 19-Aug-2002 Warner Losh <imp@FreeBSD.org>

When login tries to do the chmod/chflags on a read only file system,
it complains that it can't do it because the filesystem is readonly.
Assume that when the user has a readonly /dev that they don't care if
login can't change the permissions/flags. While this does break a few
things like msgs, we'll assume that the user setting up the read only
system knows what they are doing.

All this change does is to stop the complaint when the file system is
read only. It also adds comments as to why EROFS and EOPNOTSUPP are
ignored.

This allows one to have a read-only / w/o a /dev MFS and have a
relatively warning-free existence. /etc/rc still complains when it
can't chown/chflags/chmod things, but that's easy to ignore/tweak.

Reviewed by: roberto, phk
Sponsored by: Timing Solutions


# 81b4504b 28-Jul-2002 David Malone <dwmalone@FreeBSD.org>

Don't reuse a const char * when we really want a char *.


# 55f0377c 28-Jun-2002 Andrey A. Chernov <ache@FreeBSD.org>

Simplify TERM handling since libutil now does not overwrite an existing TERM for "term"


# 79a20d3b 27-Jun-2002 Andrey A. Chernov <ache@FreeBSD.org>

Overwrite "term" from login.conf(5) for any known TERM


# c51edfb7 28-May-2002 Dag-Erling Smørgrav <des@FreeBSD.org>

Drive-by whitespace cleanup.


# 05da55ee 22-Apr-2002 Dag-Erling Smørgrav <des@FreeBSD.org>

Don't use PAM_SILENT unless hushlogin is set (perforce change 10123)

Sponsored by: DARPA, NAI Labs


# b897c4df 16-Apr-2002 Dag-Erling Smørgrav <des@FreeBSD.org>

Remove unused #define.


# f2f306b6 08-Apr-2002 Ruslan Ermilov <ru@FreeBSD.org>

Align for const poisoning in -lutil.


# 3be0f8f0 12-Mar-2002 Garance A Drosehn <gad@FreeBSD.org>

Simple fix so the 'LOGIN FAILURE' message sent to syslog will include
the correct userid, instead of random garbage. This bug does not
exist in -stable.

Reviewed by: freebsd-audit


# 519b6a4c 05-Mar-2002 Dag-Erling Smørgrav <des@FreeBSD.org>

Switch to OpenPAM. Bump library version. Modules are now versioned, so
applications linked with Linux-PAM will still work.
Remove pam_get_pass(); OpenPAM has pam_get_authtok().
Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}().
Remove pam_set_item(3) man page as OpenPAM has its own.

Sponsored by: DARPA, NAI Labs


# c60ed00a 30-Jan-2002 Dag-Erling Smørgrav <des@FreeBSD.org>

Still with asbestos longjohns on, completely PAMify login(1) and remove
code made redundant by various PAM modules (primarily pam_unix(8)).

Sponsored by: DARPA, NAI Labs


# 554b9a6e 29-Jan-2002 Dag-Erling Smørgrav <des@FreeBSD.org>

Back out rev 1.78, which is incorrect now that the PAM modules have been
fixed to accept a NULL PAM_RHOST.


# f2c44cce 21-Jan-2002 Dag-Erling Smørgrav <des@FreeBSD.org>

When running on a local terminal, set PAM_RHOST to the local hostname.

Sponsored by: DARPA, NAI Labs


# 07977587 19-Jan-2002 Andrey A. Chernov <ache@FreeBSD.org>

Back out PAM_CRED_ERR addition


# 3e4f7c7f 19-Jan-2002 Andrey A. Chernov <ache@FreeBSD.org>

Add PAM_CRED_ERR as valid failure case


# 9f5b04e9 10-Dec-2001 David Malone <dwmalone@FreeBSD.org>

Style improvements recommended by Bruce as a follow up to some
of the recent WARNS commits. The idea is:

1) FreeBSD id tags should follow vendor tags.
2) Vendor tags should not be compiled (though copyrights probably should).
3) There should be no blank line between including cdefs and __FBSDID.


# 1a8b24c2 02-Dec-2001 Mark Murray <markm@FreeBSD.org>

Use __FBSDID(). Also do a bit of cosmetic #if and header-order
cleaning-up.


# a9648779 01-Dec-2001 Mark Murray <markm@FreeBSD.org>

Sort includes.


# d2f6cd8f 01-Dec-2001 Mark Murray <markm@FreeBSD.org>

Style fixups.

Sort function declarations, includes. Make consistent WRT use of _P()
macro (ugh!)

Inspired by: bde


# e317b970 01-Dec-2001 Mark Murray <markm@FreeBSD.org>

WARNS=2 fixes.

Reviewed by: bde (a while back)


# 0e80e8b2 15-Nov-2001 Robert Watson <rwatson@FreeBSD.org>

o Add support for a 'nocheckmail' capability, which (if true) prevents
the 'You have mail.' check. This is useful for sites that rely on
remote mail access, rather than a local mail spool. Due to the
behavior of login_getcapbool(), the negated form is required so as
to have appropriate results.
o This behavior may have to be independently added to sshd due to
redundant implementation.


# 2c19b38f 15-Sep-2001 Robert Watson <rwatson@FreeBSD.org>

o Modify NFS rights comment to note that the early credential changes
to test for a home directory don't set up the additional groups, and
as such may limit users conservatively. This does not affect the
eventual credentials selected.


# 142277ce 30-Aug-2001 Mark Murray <markm@FreeBSD.org>

Like su(1), make PAM use mandatory. Remove parts of the authentication
logic that are handled by PAM. Fix documentation to reflect this.


# ede8b1c5 12-Aug-2001 Mike Barcroft <mike@FreeBSD.org>

Fix some bogus strncpy(3) to strlcpy(3) changes I made in the previous
revision. <utmp.h> structures don't leave room for a NUL character.
Also fix "UNKNOWN" which should have just been UNKNOWN.

Pointed out by: bde


# 9ab4f412 12-Aug-2001 Mike Barcroft <mike@FreeBSD.org>

o Replace occurrences of strncpy(3) with strlcpy(3); most of
the uses of it were wrong anyway.
o Always check for NULL returns on strdup(3).
o Fix a possible buffer overflow in strcpy(3).
o Fix a format string vulnerability.
o t->ty_type in stypeof() could be NULL and eventually cause
a segmentation fault in setenv(3), so check for that.

Eyeballed by: kris
Reviewed by: murray
MFC after: 3 days


# 9567ba9d 28-Jul-2001 Mark Murray <markm@FreeBSD.org>

Fix the environment handling:

However, there's still a bug in login.c
because you copy the environment *before* the call to pam_open_session,
which won't set the necessary variables set by /usr/ports/security/pam_ssh.

Submitted by: Volker Stolz <stolz@hyperion.informatik.rwth-aachen.de>


# 7bc6d015 09-Jul-2001 Brian Somers <brian@FreeBSD.org>

Fix the type of the NULL arg to execl()

Idea from: Theo de Raadt <deraadt@openbsd.org>


# a37b5e8e 22-May-2001 Eric Melville <eric@FreeBSD.org>

Remove an accidentally added extra blank line.

Approved by: murray


# 5345e89b 21-May-2001 Guido van Rooij <guido@FreeBSD.org>

Disable SIGHUP while getting the login name.

Reviewed by: security-officer


# 5de20e57 17-May-2001 David E. O'Brien <obrien@FreeBSD.org>

Missed a few things.


# 91a72a92 17-May-2001 David E. O'Brien <obrien@FreeBSD.org>

In a word -- style(9).


# 078ae588 17-May-2001 David E. O'Brien <obrien@FreeBSD.org>

Add the "prompt" and "passwd_prompt" fields to /etc/login.conf,
which makes login more like getty in its ability to be configured.

Submitted by: tlambert (code only)


# 40c65ba9 16-May-2001 Eric Melville <eric@FreeBSD.org>

Check for the expiration of an account and its password in the proper
order.

Reviewed by: -audit (silence)
Approved by: murray
Obtained from: OpenBSD
MFC after: 5 days


# 5bc9d93d 27-Mar-2001 Mark Murray <markm@FreeBSD.org>

Add full PAM support for account management and sessions.

The PAM_FAIL_CHECK and PAM_END macros in su.c came from the util-linux
package's PAM patches to the BSD login.c

Submitted by: "David J. MacKenzie" <djm@web.us.uu.net>


# 17ada684 09-Feb-2001 Jacques Vidrine <nectar@FreeBSD.org>

Fix login so that it exports environmental variables that are set by PAM
modules (via pam_putenv). The following variables will never be set in
this fashion:

SHELL, HOME, LOGNAME, MAIL, CDPATH, IFS, PATH
any variable starting with `LD_'
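
The filtering rule in this commit message, combined with the setenv(3) result check discussed in the 2020 entries of this log, as an added example (not code from login.c or from the FreeBSD tree). `export_one()` and `export_list()` are hypothetical helpers, and the input is a constructed NULL-terminated list of "NAME=value" strings such as a PAM environment list would hold.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L	/* for setenv(3) */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Names the commit message lists as never set from PAM. */
static const char *const denied_names[] = {
	"SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH", "IFS", "PATH", NULL
};

/* Return 1 if name[0..len) may be exported, 0 if it is filtered out. */
static int
name_is_exportable(const char *name, size_t len)
{
	size_t i;

	if (len == 0)
		return (0);
	if (len >= 3 && memcmp(name, "LD_", 3) == 0)
		return (0);		/* any variable starting with LD_ */
	for (i = 0; denied_names[i] != NULL; i++) {
		if (strlen(denied_names[i]) == len &&
		    memcmp(name, denied_names[i], len) == 0)
			return (0);	/* exact match only: PATHX passes */
	}
	return (1);
}

/*
 * Export one "NAME=value" entry (hypothetical helper).
 * Returns 1 if exported, 0 if skipped, -1 if allocation or setenv failed.
 */
int
export_one(const char *entry)
{
	const char *eq;
	char *name;
	size_t len;
	int rc;

	eq = strchr(entry, '=');
	if (eq == NULL)
		return (0);		/* malformed entry, nothing to set */
	len = (size_t)(eq - entry);
	if (!name_is_exportable(entry, len))
		return (0);
	name = malloc(len + 1);
	if (name == NULL)
		return (-1);
	memcpy(name, entry, len);
	name[len] = '\0';
	rc = setenv(name, eq + 1, 1);
	free(name);
	/* setenv(3) reports failure as -1; check it even after pre-checks. */
	return (rc == -1 ? -1 : 1);
}

/* Export a NULL-terminated list; returns the count exported, or -1. */
int
export_list(const char *const *list)
{
	int exported = 0, rc;

	for (; *list != NULL; list++) {
		rc = export_one(*list);
		if (rc == -1)
			return (-1);
		exported += rc;
	}
	return (exported);
}

int
main(void)
{
	/* Constructed sample list, not captured from a real PAM module. */
	static const char *const sample[] = {
		"KRB5CCNAME=/tmp/krb5cc_constructed",
		"PATH=/tmp/constructed",
		"LD_PRELOAD=/tmp/constructed.so",
		"LANG=C",
		NULL
	};
	int n = export_list(sample);

	printf("exported %d of 4 constructed entries\n", n);
	return (n == -1);
}
```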


# 8ad26684 23-Jan-2001 Jacques Vidrine <nectar@FreeBSD.org>

Call pam_setcred.

Reviewed by: markm, months ago


# 69f2cf17 26-Apr-2000 Sheldon Hearn <sheldonh@FreeBSD.org>

Add braces to avoid ambiguity in a nested conditional (silences a gcc
warning).


# 508d9a5b 25-Apr-2000 Sheldon Hearn <sheldonh@FreeBSD.org>

Fix excessive use of parentheses in previous commit.

Requested by: bde


# 1806a85c 13-Apr-2000 Sheldon Hearn <sheldonh@FreeBSD.org>

Do not issue a warning when chflags() fails with EOPNOTSUPP.

PR: 17875
Submitted by: Bjoern Fischer <bfischer@Techfak.Uni-Bielefeld.DE>


# 5403e5e3 27-Feb-2000 Andrey A. Chernov <ache@FreeBSD.org>

Fix diagnostic printing test condition (was always true)

Approved by: jkh


# 6d939e82 19-Feb-2000 Yoshinobu Inoue <shin@FreeBSD.org>

Added IPv6 name resolving support for utmp logging.

Approved by: jkh


# c3aac50f 27-Aug-1999 Peter Wemm <peter@FreeBSD.org>

$Id$ -> $FreeBSD$


# a761a465 21-Aug-1999 Warner Losh <imp@FreeBSD.org>

Clear all file flags when taking ownership of devices. Do not ignore
chown failures in some places, but instead log them like we do all
other errors.


# 0514336d 24-Apr-1999 Andrey A. Chernov <ache@FreeBSD.org>

remove uid switching before login_getpwclass, now done inside libutil
add gid switching before chdir and comment why it needed


# 3a6afd0d 07-Apr-1999 Brian Somers <brian@FreeBSD.org>

Don't perform the trimdomain() functionality twice,
trimdomain() now works as expected.


# 11468b74 19-Jan-1999 Andrzej Bialecki <abial@FreeBSD.org>

Add a compile knob to avoid using PAM code (login will use standard Unix
authentication only). This comes in handy when you're tight on space.

Submitted by: mostly John Baldwin <jobaldwi@vt.edu>
Reviewed by: John D. Polstra <jdp@polstra.com>


# b606e33c 03-Jan-1999 Eivind Eklund <eivind@FreeBSD.org>

Make the timeout handler log any failed logins, to make sure failed
logins get logged.


# e8334816 20-Nov-1998 John Polstra <jdp@FreeBSD.org>

ATTENTION: INSTALL "/etc/pam.conf" FROM "src/etc"!!!

Change login to use PAM for authentication. I kept the built-in
passwd/NIS authentication support, to handle cases where the system
is missing its "/etc/pam.conf" file. S/Key and KerberosIV
authentication methods are removed from the login program, but
still available in PAM modules.


# 6717b4a8 10-Nov-1998 John Polstra <jdp@FreeBSD.org>

unifdef -DLOGIN_CAP. After almost 2 years, I think we can assume
it's here to stay.

This code is starting to look almost reasonable again.


# 8e32ad3b 10-Nov-1998 John Polstra <jdp@FreeBSD.org>

Remove support for LOGIN_CAP_AUTH. It was never enabled, it was
not complete, and it hasn't been touched for 18 months. All the
ifdefs obfuscate the code. I discussed the LOGIN_CAP_AUTH support
with its author and he agreed that it is a dead end. I am bringing
PAM into the tree within the next two weeks. It is much more
flexible than LOGIN_CAP_AUTH, and will serve as a superior replacement
for it.


# 069b715f 10-Nov-1998 John Polstra <jdp@FreeBSD.org>

Fix a const-related compiler warning.


# 8f176b43 09-Oct-1998 Mark Murray <markm@FreeBSD.org>

Use KJH's auth.conf parser to turn on/off Kerberos in userland.


# 580367f2 16-Aug-1998 Joseph Koshy <jkoshy@FreeBSD.org>

Remove hardcoded constant in favour of login.conf value.

PR: 6529
Submitted by: Dan Lukes <dan@obluda.cz>


# e662741c 31-Jul-1998 Bruce Evans <bde@FreeBSD.org>

Backed out rev.1.31. It was a workaround for bugs in rev.1.4 of
libc/gen/getpass.c. The old behaviour of blocking SIGINT and not
changing SIGQUIT was restored in rev.1.5 of getpass.c. The change
here completely restores the old behaviour of not supporting killing
login with keyboard signals (only) at the password prompt. There
is no reason to support this, since login can be exited normally
by typing a couple of ^D's. Login certainly shouldn't dump core
in response to user input. Previously, SIGQUIT killed login
immediately but SIGINT killed it only after the password was
entered.

PR: 7444


# 79bdd98b 21-Jul-1998 John Polstra <jdp@FreeBSD.org>

Fix a couple of little bugs that prevented login.c from compiling
if LOGIN_CAP_AUTH was defined. This is kind of silly, because
LOGIN_CAP_AUTH doesn't work anyway, is not defined currently,
probably will never be defined, and IMHO should not be defined.
But I'm sure you'll sleep better tonight, knowing that these bugs
are gone.


# 89caae29 01-Jun-1998 Atsushi Murai <amurai@FreeBSD.org>

Trim the domain part for wtmp the same way as shown by "netstat -r".
Here are some examples to avoid confusion.

It assumes the logged host domain is "spec.co.jp". All
examples are longer than the UT_HOSTNAMELEN value.

1) turbo.tama.spec.co.jp: 192.19.0.2 -> trubo.tama
2) turbo.tama.foo.co.jp : 192.19.0.2 -> 192.19.0.2
3) specgw.spec.co.jp : 202.32.13.1 -> specgw

Submitted by: Atsushi Murai <amurai@spec.co.jp>


# c8ff1808 30-Apr-1998 Peter Wemm <peter@FreeBSD.org>

*blush*, typo during last minute editing..


# 159da441 30-Apr-1998 Peter Wemm <peter@FreeBSD.org>

Change euid while reading the user's .login_cap file in case the homedir
is on a NFS partition without root read access. Also, flip euid again for
the duration of the chdir() to the homedir for the same reason.

PR: 5145
Submitted by: Joel.Faedi@esial.u-nancy.fr
Also tested by: A Joseph Koshy <koshy@india.hp.com>


# c8b701a4 13-Feb-1998 Andrey A. Chernov <ache@FreeBSD.org>

Fix very rare but dangerous bug:
for some DES passwords
crypt(real_password, salt)
is equal to
crypt("", salt);
It means that this user (and not only he) can log in without
entering a password at all, just by pressing Return.
So if an empty password is entered and the crypted password is not empty,
invalidate any crypt result by assigning ":"


# e28be891 05-Feb-1998 Guido van Rooij <guido@FreeBSD.org>

Reset SIGINT and SIGQUIT handling to default when asking for passwords.
Otherwise, when pressing the INT key at the password prompt, the password
will be displayed. Now login will be killed.

Probably the same will have to be done for the LOGIN_CAP_AUTH case.
I have not done that.
Reviewed by: Joerg Wunsch


# f87ea405 19-Oct-1997 Joerg Wunsch <joerg@FreeBSD.org>

Fix a fatal typo.

PR: bin/4801
Submitted by: mishania@demos.su (Mikhail A. Sokolov)


# 7f80a020 28-Sep-1997 Mark Murray <markm@FreeBSD.org>

Changes for KTH KerberosIV.
Also quieten -Wall a bit.


# 9c9cb2bf 22-Jul-1997 Philippe Charnier <charnier@FreeBSD.org>

= -> ==, strcpy -> strncpy from OpenBSD.
update man page. Add usage().
Obtained from: OpenBSD


# 4b2fab75 22-May-1997 Paul Traina <pst@FreeBSD.org>

Restore backwards compatible default behavior for requirehome


# a317d49b 10-May-1997 David Nugent <davidn@FreeBSD.org>

login_getclass() -> login_getpwclass().
auth_rmfiles() was being called in error without LOGIN_CAP_AUTH defined.


# 3169e0f1 13-Apr-1997 David Nugent <davidn@FreeBSD.org>

Use isdialuptty() rather than hard-coded heuristic.


# f72b1ff3 01-Apr-1997 David Nugent <davidn@FreeBSD.org>

Submitted by: Sergei Chechetkin <csl@whale.sunbay.crimea.ua>

Fix incorrect bracket nesting. Closes PR#3144.


# 1c8af878 28-Mar-1997 Warner Losh <imp@FreeBSD.org>

compare return value from getopt against -1 rather than EOF, per the final
posix standard on the topic.


# 1f5367ca 27-Mar-1997 David Nugent <davidn@FreeBSD.org>

Fix for logic in no-password accounts.


# 4a028a88 24-Mar-1997 David Nugent <davidn@FreeBSD.org>

Don't bypass password prompt for root logins on insecure tty if
the root password is empty.


# d8a7b347 24-Mar-1997 David Nugent <davidn@FreeBSD.org>

strdup() value of term to correctly preserve contents.
Rearrange validation logic so that it works correctly when
compiled with kerberos support. Closes PR#3056.


# a52c1be6 18-Mar-1997 David Nugent <davidn@FreeBSD.org>

Submitted by: Paul Traina <root@shockwave.com> (partially)

Cleanup of #ifdef's for LOGIN_CAP.

Fixed bug in empty shell (closes PR#2550).

Refused root logins now displays standard "Login incorrect" and
exhibits identical backoff behaviour to a failed login.

Cleaned up logging of refused logins.

Use #defines for login retries and backoff. Also implemented
definable variables if LOGIN_CAP is defined, with
"login-retries" and "login-backoff" as capabilities
in the default class (closes PR#2805).

TERM from previous environment is no longer truncated.


# 67022bfc 01-Mar-1997 Wolfram Schneider <wosch@FreeBSD.org>

Include copyright message from <sys/copyright.h>


# 7adec208 26-Feb-1997 Andrey A. Chernov <ache@FreeBSD.org>

Back out "shell" / pw_shell change, I was confused by the same
variable name (with different functionality)


# 60797e87 26-Feb-1997 Andrey A. Chernov <ache@FreeBSD.org>

Fix few bogons with pw_shell / shell variables values mismatch
introduced by LOGIN_CAP


# d87e2a2c 22-Jan-1997 Jordan K. Hubbard <jkh@FreeBSD.org>

Don't dereference NULL pwd on non-existent username (I wonder how long
THAT has been in here!).


# 5217f56e 21-Jan-1997 David Nugent <davidn@FreeBSD.org>

Fix handling of empty shell field in passwd file (use /bin/sh); problem
was caused by introduction of login classes. Closes PR bin/2550.
Added references to login.conf to manpage, crossreference to login.conf(5).


# 6acc486b 11-Jan-1997 David Nugent <davidn@FreeBSD.org>

Makes login login_cap-savvy.

Note that LOGIN_CAP_AUTH code (login authentication) is not (yet) enabled
and requires /usr/libexec/login_<style> authentication program support to
be added at a later date. The Makefile contains a macro LC_AUTH to turn
it on and prevent unnecessarily linking against skey/krb libs and the
addition of klogin.c module.

All other aspects of login_cap support are fully functional.


# 16ac215c 16-Jun-1996 Andrey A. Chernov <ache@FreeBSD.org>

Write numerical address instead of hostname for hostnames > UT_HOSTSIZE
to keep valid information in utmp and lastlog


# 656dcd43 07-Aug-1995 Garrett Wollman <wollman@FreeBSD.org>

Delete bogus references to timezone code internal header file `tzfile.h',
which is no longer bogusly installed in /usr/include.


# 7799f52a 30-May-1995 Rodney W. Grimes <rgrimes@FreeBSD.org>

Remove trailing whitespace.


# a164d484 16-Apr-1995 Rodney W. Grimes <rgrimes@FreeBSD.org>

Fix spelling error that keeps this from compiling with KERBEROS & SKEY
defined.

Submitted by: Mark Murray <mark@grondar.za>


# ed8be72c 13-Apr-1995 Garrett Wollman <wollman@FreeBSD.org>

Disallow Kerberos when S/Key is required. Fixes PR #339.

Submitted by: Paul Traina <pst@Shockwave.com>


# 758f3a64 14-Jan-1995 Garrett Wollman <wollman@FreeBSD.org>

Modify klogin to:

1) Don't spit out an error message if Kerberos is installed but not yet
set up.

2) Don't attempt to verify the ticket you got back, as workstations
are not intended to have srvtab files of their own.

Both behaviors can be re-enabled with KLOGIN_PARANOID.


# 6dc49372 30-Nov-1994 Ugen J.S. Antsilevich <ugen@FreeBSD.org>

Patch of password expired bug.
Now password changed for right user and
no longer possible to skip password change.
I hope it will be ok....


# 2ddadf84 18-Oct-1994 Paul Traina <pst@FreeBSD.org>

Include most of the logdaemon v4.4 S/key changes


# c9bdc152 29-Sep-1994 Paul Traina <pst@FreeBSD.org>

Install support for skey and login.access


# 83274713 06-Sep-1994 Jordan K. Hubbard <jkh@FreeBSD.org>

Problem:
Accounts that have "pw_change" set, are supposed to change their passwords
by the date specified in "pw_change". If they have not changed their passwords
by that date, currently they get "LOCKED OUT" of the system. This is not the
correct behavior, the user should be prompted (forced?) to change their password
at this time. If the behavior of "pw_change" was meant to be a LOCKOUT,
then you should use "pw_expire".

Solution:
Instead of locking out the user, prompt them to change their password.

Reviewed by: jkh
Submitted by: rls


# f88fe867 22-Aug-1994 Guido van Rooij <guido@FreeBSD.org>

Implement fbtab ala SunOS (thanks to WZV, see login_fbtab.c)
Reviewed by:
Submitted by: guido


# 9b50d902 26-May-1994 Rodney W. Grimes <rgrimes@FreeBSD.org>

BSD 4.4 Lite Usr.bin Sources