History log of /openbsd-current/usr.bin/chpass/chpass.c
Revision Date Author Comments
# 1.50 08-Mar-2023 guenther

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@


# 1.49 04-Dec-2022 cheloha

userspace: remove vestigial '?' cases from top-level getopt(3) loops

getopt(3) returns '?' when it encounters a flag not present in
the optstring or if a flag is missing its option argument. We can
handle this case with the "default" failure case with no loss of
legibility. Hence, remove all the redundant "case '?':" lines.

Prompted by dlg@. With help from dlg@ and millert@.

Link: https://marc.info/?l=openbsd-tech&m=167011979726449&w=2

ok naddy@ millert@ dlg@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.48 24-Oct-2021 deraadt

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert


Revision tags: OPENBSD_7_0_BASE
# 1.47 12-Jul-2021 beck

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occurred on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.46 14-Sep-2019 semarie

correct some unveil(2) violations due to "login.conf.db" access (the .db version
of "login.conf"), and stat(2) on _PATH_MASTERPASSWD_LOCK (via pw_mkdb(3)).

problem initially noted by myself for passwd(1)
millert@ reported similar problem on chpass(1), su(1), doas(1) and encrypt(1)
mestre@ noted chpass(1) too

ok mestre@ millert@


# 1.45 30-Apr-2019 mestre

add unveil(2):

chpass(1) without parameters enters in edit mode by default, in here it will
need to execute _PATH_BSHELL to spawn a new EDITOR, _PATH_SHELLS to check
(read) if we are changing from/to a non-standard shell (in case we are not
root) and read access to `tempname' to verify if the file has valid entries and
create to unlink it.

If -s is used to change a user's shell then it will need read access to
_PATH_SHELLS by the same reason already mentioned above.

Unconditionally we need to unveil _PATH_MASTERPASSWD_LOCK with write/create
permissions, _PATH_MASTERPASSWD with read and _PATH_PWD_MKDB to execute
pwd_mkdb(8).

In the -a case I'm not unveiling /etc/spwd.db since we can get it through
pledge "getpw", which can be added later for completeness of all code paths.
Note also that the first pledges need "unveil" since we will call unveil(2)
afterwards.

"looks good" deraadt@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.44 08-Dec-2017 deraadt

Convert snprintf+write into dprintf. It is simply easier to read, and
provides retry on short-write file descriptors.
ok florian, previous versions seen by millert


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.43 26-Nov-2015 deraadt

Delete YP password related code. As a result, these can also be
pledged. Keep an eye out for regressions, because they could be
uncomfortable.
ok beck semarie


# 1.42 18-Nov-2015 tedu

needs _shadow so it can rewrite the master.passwd file


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.41 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.40 26-Oct-2014 guenther

Prefer mkostemp(O_CLOEXEC) over mkstemp()+fcntl(F_SETFD)
Prefer fopen("re") over fopen("r")+fcntl(F_SETFD)

ok otto@ millert@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.39 18-Apr-2013 okan

- use FD_CLOEXEC instead of 1
- use O_CLOEXEC with open() instead of open/fcntl

from David Hill

ok otto@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.38 20-Jun-2012 schwarze

Correct English just like jsing@ did it in passwd/local_passwd.c rev. 1.38
on April 27, 2008. While here, fix a typo and drop an obsolete BUGS section.

"my typo so OK millert@ :-)" and OK jmc@


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.37 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.36 08-Jul-2008 sobrado

fix double "usage:"


# 1.35 19-Jun-2008 tobias

Moved the unset of TZ environment variable out of atot into main, removing
an unused static var and test out of atot.

With input by jsing and millert, ok millert


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.34 27-Mar-2007 jmc

-a requires a separate synopsis;
from Daniel Polak via henning

ok henning


Revision tags: OPENBSD_4_1_BASE
# 1.33 15-Jan-2007 otto

Fix -a when given an entry with an already existing user. Also, give
error message if a user arg has been given with -a. Noted by Dan
Brosemer. ok millert@ jaredy@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.32 12-Dec-2005 deraadt

ARGSUSED on signal handler


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.31 10-May-2004 wilfried

unbreak chsh, ok millert


# 1.30 20-Apr-2004 millert

Adapt to new pw_copy() API, closes PR 3698.


Revision tags: OPENBSD_3_5_BASE
# 1.29 26-Nov-2003 espie

This is ISO C, use string concatenation, instead of bogus use of __CONCAT.
(hint: "a" and "b" can't be pasted as a valid C token...)
okay millert@


Revision tags: OPENBSD_3_4_BASE
# 1.28 01-Jul-2003 avsm

- no need for pathnames.h, just use <paths.h> instead
- bump mktemp randomness slightly from 8 -> 10
millert@ ok


# 1.27 03-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.26 31-Jul-2002 millert

When I removed the use of atexit() I missed the fact that edit()
calls pw_error() which in turn calls exit(). Now edit() returns
its status so the temp file gets cleaned up nicely if the user makes
no changes or if an error occurred. Problem noticed by deraadt@


# 1.25 27-Jun-2002 deraadt

move protos


# 1.24 27-Jun-2002 millert

There is absolutely no reason for the "tempname" or dfd variables
to exist outside the scope of the 'op == EDITENTRY' code block.
This allows us to get rid of the atexit() call and tempcleanup().


# 1.23 27-Jun-2002 deraadt

cleanup; mpech & millert ok


Revision tags: OPENBSD_3_1_BASE
# 1.22 14-Mar-2002 mpech

Remove \n from err/errx/warn/warnx().

millert@ ok


# 1.21 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


Revision tags: OPENBSD_3_0_BASE
# 1.20 27-Aug-2001 millert

Instead of prompting the user whether or not they wish to continue to
wait for the lock on password file just tell the user to interrupt with
^C. This simplifies the locking loop a bit.

Update man page to this effect.


# 1.19 16-Aug-2001 millert

extra arg to pw_mkdb


# 1.18 16-Aug-2001 millert

At Theo's request only print 'Please wait' if we don't get the lock
on the first try.


# 1.17 15-Aug-2001 millert

Move locking of the passwd file *after* we have gotten a new password
from the user. Set real/effective/saved uids to 0 and block all signals
so the lock cannot be kept longer than necessary. If we cannot lock,
try again every 1/4 second for 2 seconds and then ask the user what
they wish to do (keep trying, quit).

Same as in local_passwd.c but here we need to remove a temp file
in the SIGINT handler because _exit() doesn't call atexit() routines.


Revision tags: OPENBSD_2_9_BASE
# 1.16 26-Nov-2000 millert

Update for pw_mkdb(3) interface change. All but vipw and userdel can
specify a username (and thus avoid rebuilding the whole database).


# 1.15 21-Nov-2000 aaron

Sync usage() output with man page; mpech@prosoft.org.lv


Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE
# 1.14 05-Dec-1999 millert

Fix temp file unlinking. We use atexit() since the libutil passwd
routines do their own exit.


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE OPENBSD_2_6_BASE
# 1.13 03-Aug-1998 millert

use __progname


# 1.12 02-Aug-1998 millert

add close on exec flag to all opens


# 1.11 29-May-1998 millert

put temp file _PATH_VARTMP


Revision tags: OPENBSD_2_3_BASE
# 1.10 30-Mar-1998 deraadt

Y2K fixes from Andreas.Gunnarsson@emw.ericsson.se; culled from various places


Revision tags: OPENBSD_2_2_BASE
# 1.9 17-Jun-1997 kstailey

(foo *)NULL -> NULL


Revision tags: OPENBSD_2_1_BASE
# 1.8 13-Feb-1997 deraadt

fix YP and non-YP cases to exit/warn nicely


# 1.7 15-Jan-1997 millert

getopt(3) returns -1 when out of args, not EOF, whee!


# 1.6 20-Oct-1996 millert

better error message if unable to create password temp file.


Revision tags: OPENBSD_2_0_BASE
# 1.5 23-Sep-1996 deraadt

pw_abort() after yp change, does unlock


# 1.4 31-Aug-1996 deraadt

kill leaks; help from das33@cornell.edu


# 1.3 26-Jun-1996 deraadt

rcsid


# 1.2 22-May-1996 deraadt

libutil


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.49 04-Dec-2022 cheloha

userspace: remove vestigial '?' cases from top-level getopt(3) loops

getopt(3) returns '?' when it encounters a flag not present in the in
the optstring or if a flag is missing its option argument. We can
handle this case with the "default" failure case with no loss of
legibility. Hence, remove all the redundant "case '?':" lines.

Prompted by dlg@. With help from dlg@ and millert@.

Link: https://marc.info/?l=openbsd-tech&m=167011979726449&w=2

ok naddy@ millert@ dlg@


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.48 24-Oct-2021 deraadt

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert


Revision tags: OPENBSD_7_0_BASE
# 1.47 12-Jul-2021 beck

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.46 14-Sep-2019 semarie

correct some unveil(2) violations due to "login.conf.db" access (the .db version
of "login.conf"), and stat(2) on _PATH_MASTERPASSWD_LOCK (via pw_mkdb(3)).

problem initially noted by myself for passwd(1)
millert@ reported similar problem on chpass(1), su(1), doas(1) and encrypt(1)
mestre@ noted chpass(1) too

ok mestre@ millert@


# 1.45 30-Apr-2019 mestre

add unveil(2):

chpass(1) without parameters enters in edit mode by default, in here it will
need to execute _PATH_BSHELL to spawn a new EDITOR, _PATH_SHELLS to check
(read) if we are changing from/to a non-standard shell (in case we are not
root) and read access to `tempname' to verify if the file has valid entries and
create to unlink it.

If -s is used to change a user's shell then it will need read access to
_PATH_SHELLS by the same reason already mentioned above.

Unconditionally we need to unveil _PATH_MASTERPASSWD_LOCK with write/create
permissions, _PATH_MASTERPASSWD with read and _PATH_PWD_MKDB to execute
pwd_mkdb(8).

In the -a case I'm not unveiling /etc/spwd.db since we can get it through
pledge "getpw", which can be added later for completeness of all code paths.
Note also that the first pledges need "unveil" since we will call unveil(2)
afterwards.

"looks good" deraadt@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.44 08-Dec-2017 deraadt

Convert snprintf+write into dprintf. It is simply easier to read, and
provides retry on short-write file descriptors.
ok florian, previous versions seen by millert


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.43 26-Nov-2015 deraadt

Delete YP password related code. As a result, these can also be
pledged. Keep an eye out for regressions, because they could be
uncomfortable.
ok beck semarie


# 1.42 18-Nov-2015 tedu

needs _shadow so it can rewrite the master.passwd file


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.41 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.40 26-Oct-2014 guenther

Prefer mkostemp(O_CLOEXEC) over mkstemp()+fcntl(F_SETFD)
Prefer fopen("re") over fopen("r")+fcntl(F_SETFD)

ok otto@ millert@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.39 18-Apr-2013 okan

- use FD_CLOEXEC instead of 1
- use O_CLOEXEC with open() instead of open/fcntl

from David Hill

ok otto@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.38 20-Jun-2012 schwarze

Correct English just like jsing@ did it in passwd/local_passwd.c rev. 1.38
on April 27, 2008. While here, fix a typo and drop an obsolete BUGS section.

"my typo so OK millert@ :-)" and OK jmc@


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.37 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.36 08-Jul-2008 sobrado

fix double "usage:"


# 1.35 19-Jun-2008 tobias

Moved the unset of TZ environment variable out of atot into main, removing
an unused static var and test out of atot.

With input by jsing and millert, ok millert


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.34 27-Mar-2007 jmc

-a requires a separate synopsis;
from Daniel Polak via henning

ok henning


Revision tags: OPENBSD_4_1_BASE
# 1.33 15-Jan-2007 otto

Fix -a when given an entry with an already existing user. Also, give
error message if a user arg has been given with -a. Noted by Dan
Brosemer. ok millert@ jaredy@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.32 12-Dec-2005 deraadt

ARGSUSED on signal handler


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.31 10-May-2004 wilfried

unbreak chsh, ok millert


# 1.30 20-Apr-2004 millert

Adapt to new pw_copy() API, closes PR 3698.


Revision tags: OPENBSD_3_5_BASE
# 1.29 26-Nov-2003 espie

This is ISO C, use string concatenation, instead of bogus use of __CONCAT.
(hint: "a" and "b" can't be pasted as a valid C token...)
okay millert@


Revision tags: OPENBSD_3_4_BASE
# 1.28 01-Jul-2003 avsm

- no need for pathnames.h, just use <paths.h> instead
- bump mktemp randomness slightly from 8 -> 10
millert@ ok


# 1.27 03-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.26 31-Jul-2002 millert

When I got removed the use of atexit() I missed the fact that edit()
calls pw_error() which in turn calls exit(). Now edit() returns
its status so the temp file gets cleaned up nicely if the user makes
no changes or if an error occurred. Problem noticed by deraadt@


# 1.25 27-Jun-2002 deraadt

move protos


# 1.24 27-Jun-2002 millert

There is absolutely no reason for the "tempname" or dfd variables
to exist outside the scope of the 'op == EDITENTRY' code block.
This allows us to get rid of the atexit() call and tempcleanup().


# 1.23 27-Jun-2002 deraadt

cleanup; mpech & millert ok


Revision tags: OPENBSD_3_1_BASE
# 1.22 14-Mar-2002 mpech

Remove \n from err/errx/warn/warnx().

millert@ ok


# 1.21 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


Revision tags: OPENBSD_3_0_BASE
# 1.20 27-Aug-2001 millert

Instead of prompting the user whether or not they wish to continue to
wait for the lock on password file just tell the user to interrupt with
^C. This simplifies the locking loop a bit.

Update man page to this effect.


# 1.19 16-Aug-2001 millert

extra arg to pw_mkdb


# 1.18 16-Aug-2001 millert

At Theo's request only print 'Please wait' if don't get the lock
on the first try.


# 1.17 15-Aug-2001 millert

Move locking of the passwd file *after* we have gotten a new password
from the user. Set real/effective/saved uids to 0 and block all signals
so the lock cannot be kept longer than necessary. If we cannot lock,
try again every 1/4 second for 2 seconds and then ask the user what
they wish to do (keep trying, quit).

Same as in local_passwd.c but here we need to remove a temp file
in the SIGINT handler because _exit() doesn't call atexit() routines.


Revision tags: OPENBSD_2_9_BASE
# 1.16 26-Nov-2000 millert

Update for pw_mkdb(3) interface change. All but vipw and userdel can
specify a username (and thus avoid rebuilding the while database).


# 1.15 21-Nov-2000 aaron

Sync usage() output with man page; mpech@prosoft.org.lv


Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE
# 1.14 05-Dec-1999 millert

Fix temp file unlinking. We use atexit() since the libutil passwd
routines do their own exit.


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE OPENBSD_2_6_BASE
# 1.13 03-Aug-1998 millert

use __progname


# 1.12 02-Aug-1998 millert

add close on exec flag to all opens


# 1.11 29-May-1998 millert

put temp file _PATH_VARTMP


Revision tags: OPENBSD_2_3_BASE
# 1.10 30-Mar-1998 deraadt

Y2K fixes from Andreas.Gunnarsson@emw.ericsson.se; culled from various places


Revision tags: OPENBSD_2_2_BASE
# 1.9 17-Jun-1997 kstailey

(foo *)NULL -> NULL


Revision tags: OPENBSD_2_1_BASE
# 1.8 13-Feb-1997 deraadt

fix YP and non-YP cases to exit/warn nicely


# 1.7 15-Jan-1997 millert

getopt(3) returns -1 when out of args, not EOF, whee!


# 1.6 20-Oct-1996 millert

better error message if unable to create password temp file.


Revision tags: OPENBSD_2_0_BASE
# 1.5 23-Sep-1996 deraadt

pw_abort() after yp change, does unlock


# 1.4 31-Aug-1996 deraadt

kill leaks; help from das33@cornell.edu


# 1.3 26-Jun-1996 deraadt

rcsid


# 1.2 22-May-1996 deraadt

libutil


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.48 24-Oct-2021 deraadt

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert


Revision tags: OPENBSD_7_0_BASE
# 1.47 12-Jul-2021 beck

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.46 14-Sep-2019 semarie

correct some unveil(2) violations due to "login.conf.db" access (the .db version
of "login.conf"), and stat(2) on _PATH_MASTERPASSWD_LOCK (via pw_mkdb(3)).

problem initially noted by myself for passwd(1)
millert@ reported similar problem on chpass(1), su(1), doas(1) and encrypt(1)
mestre@ noted chpass(1) too

ok mestre@ millert@


# 1.45 30-Apr-2019 mestre

add unveil(2):

chpass(1) without parameters enters in edit mode by default, in here it will
need to execute _PATH_BSHELL to spawn a new EDITOR, _PATH_SHELLS to check
(read) if we are changing from/to a non-standard shell (in case we are not
root) and read access to `tempname' to verify if the file has valid entries and
create to unlink it.

If -s is used to change a user's shell then it will need read access to
_PATH_SHELLS by the same reason already mentioned above.

Unconditionally we need to unveil _PATH_MASTERPASSWD_LOCK with write/create
permissions, _PATH_MASTERPASSWD with read and _PATH_PWD_MKDB to execute
pwd_mkdb(8).

In the -a case I'm not unveiling /etc/spwd.db since we can get it through
pledge "getpw", which can be added later for completeness of all code paths.
Note also that the first pledges need "unveil" since we will call unveil(2)
afterwards.

"looks good" deraadt@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.44 08-Dec-2017 deraadt

Convert snprintf+write into dprintf. It is simply easier to read, and
provides retry on short-write file descriptors.
ok florian, previous versions seen by millert


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE
# 1.43 26-Nov-2015 deraadt

Delete YP password related code. As a result, these can also be
pledged. Keep an eye out for regressions, because they could be
uncomfortable.
ok beck semarie


# 1.42 18-Nov-2015 tedu

needs _shadow so it can rewrite the master.passwd file


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.41 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# 1.40 26-Oct-2014 guenther

Prefer mkostemp(O_CLOEXEC) over mkstemp()+fcntl(F_SETFD)
Prefer fopen("re") over fopen("r")+fcntl(F_SETFD)

ok otto@ millert@


Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.39 18-Apr-2013 okan

- use FD_CLOEXEC instead of 1
- use O_CLOEXEC with open() instead of open/fcntl

from David Hill

ok otto@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.38 20-Jun-2012 schwarze

Correct English just like jsing@ did it in passwd/local_passwd.c rev. 1.38
on April 27, 2008. While here, fix a typo and drop an obsolete BUGS section.

"my typo so OK millert@ :-)" and OK jmc@


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.37 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.36 08-Jul-2008 sobrado

fix double "usage:"


# 1.35 19-Jun-2008 tobias

Moved the unset of TZ environment variable out of atot into main, removing
an unused static var and test out of atot.

With input by jsing and millert, ok millert


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.34 27-Mar-2007 jmc

-a requires a separate synopsis;
from Daniel Polak via henning

ok henning


Revision tags: OPENBSD_4_1_BASE
# 1.33 15-Jan-2007 otto

Fix -a when given an entry with an already existing user. Also, give
error message if a user arg has been given with -a. Noted by Dan
Brosemer. ok millert@ jaredy@


Revision tags: OPENBSD_3_9_BASE OPENBSD_4_0_BASE
# 1.32 12-Dec-2005 deraadt

ARGSUSED on signal handler


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.31 10-May-2004 wilfried

unbreak chsh, ok millert


# 1.30 20-Apr-2004 millert

Adapt to new pw_copy() API, closes PR 3698.


Revision tags: OPENBSD_3_5_BASE
# 1.29 26-Nov-2003 espie

This is ISO C, use string concatenation, instead of bogus use of __CONCAT.
(hint: "a" and "b" can't be pasted as a valid C token...)
okay millert@


Revision tags: OPENBSD_3_4_BASE
# 1.28 01-Jul-2003 avsm

- no need for pathnames.h, just use <paths.h> instead
- bump mktemp randomness slightly from 8 -> 10
millert@ ok


# 1.27 03-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.26 31-Jul-2002 millert

When I got removed the use of atexit() I missed the fact that edit()
calls pw_error() which in turn calls exit(). Now edit() returns
its status so the temp file gets cleaned up nicely if the user makes
no changes or if an error occurred. Problem noticed by deraadt@


# 1.25 27-Jun-2002 deraadt

move protos


# 1.24 27-Jun-2002 millert

There is absolutely no reason for the "tempname" or dfd variables
to exist outside the scope of the 'op == EDITENTRY' code block.
This allows us to get rid of the atexit() call and tempcleanup().


# 1.23 27-Jun-2002 deraadt

cleanup; mpech & millert ok


Revision tags: OPENBSD_3_1_BASE
# 1.22 14-Mar-2002 mpech

Remove \n from err/errx/warn/warnx().

millert@ ok


# 1.21 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


Revision tags: OPENBSD_3_0_BASE
# 1.20 27-Aug-2001 millert

Instead of prompting the user whether or not they wish to continue to
wait for the lock on password file just tell the user to interrupt with
^C. This simplifies the locking loop a bit.

Update man page to this effect.


# 1.19 16-Aug-2001 millert

extra arg to pw_mkdb


# 1.18 16-Aug-2001 millert

At Theo's request only print 'Please wait' if don't get the lock
on the first try.


# 1.17 15-Aug-2001 millert

Move locking of the passwd file *after* we have gotten a new password
from the user. Set real/effective/saved uids to 0 and block all signals
so the lock cannot be kept longer than necessary. If we cannot lock,
try again every 1/4 second for 2 seconds and then ask the user what
they wish to do (keep trying, quit).

Same as in local_passwd.c but here we need to remove a temp file
in the SIGINT handler because _exit() doesn't call atexit() routines.


Revision tags: OPENBSD_2_9_BASE
# 1.16 26-Nov-2000 millert

Update for pw_mkdb(3) interface change. All but vipw and userdel can
specify a username (and thus avoid rebuilding the while database).


# 1.15 21-Nov-2000 aaron

Sync usage() output with man page; mpech@prosoft.org.lv


Revision tags: OPENBSD_2_7_BASE OPENBSD_2_8_BASE
# 1.14 05-Dec-1999 millert

Fix temp file unlinking. We use atexit() since the libutil passwd
routines do their own exit.


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE OPENBSD_2_6_BASE
# 1.13 03-Aug-1998 millert

use __progname


# 1.12 02-Aug-1998 millert

add close on exec flag to all opens


# 1.11 29-May-1998 millert

put temp file _PATH_VARTMP


Revision tags: OPENBSD_2_3_BASE
# 1.10 30-Mar-1998 deraadt

Y2K fixes from Andreas.Gunnarsson@emw.ericsson.se; culled from various places


Revision tags: OPENBSD_2_2_BASE
# 1.9 17-Jun-1997 kstailey

(foo *)NULL -> NULL


Revision tags: OPENBSD_2_1_BASE
# 1.8 13-Feb-1997 deraadt

fix YP and non-YP cases to exit/warn nicely


# 1.7 15-Jan-1997 millert

getopt(3) returns -1 when out of args, not EOF, whee!


# 1.6 20-Oct-1996 millert

better error message if unable to create password temp file.


Revision tags: OPENBSD_2_0_BASE
# 1.5 23-Sep-1996 deraadt

pw_abort() after yp change, does unlock


# 1.4 31-Aug-1996 deraadt

kill leaks; help from das33@cornell.edu


# 1.3 26-Jun-1996 deraadt

rcsid


# 1.2 22-May-1996 deraadt

libutil


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision

