For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which mig

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert

show more ...

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

show more ...

Use user_from_uid(3) if getlogin(2) fails, storing the uid as a
string if there is no passwd entry. OK tb@

Make write explicitly ASCII only by transforming UTF-8 characters and non-ASCII
bytes to a single '?'. This prevents sending of potentially harmful bytes to
terminals who don't support UTF-8.

writte

Make write explicitly ASCII only by transforming UTF-8 characters and non-ASCII
bytes to a single '?'. This prevents sending of potentially harmful bytes to
terminals who don't support UTF-8.

written with help from schwarze@
text suggestions by jmc@

OK schwarze@ and semarie@

show more ...

Fix write to other user's tty. The device has to be opened with
O_WRONLY, but without O_CREAT. So freopen(3) has to be replaced
with open(2) and dup2(2).
from deraadt@

Change all tame callers to namechange to pledge(2).

unfortunately tame "stdio" can only happen well after the sequence of:
utmp parsing, tty opening, setresgid to drop privs. it only protects
a basic io loop.
discussed with doug

Since the dawn of time, this has contained freopen() for the tty path
with mode "w", as root, since "w" implies O_CREAT. That will create
the raw file in /dev if it does not yet exist (due to a lie

Since the dawn of time, this has contained freopen() for the tty path
with mode "w", as root, since "w" implies O_CREAT. That will create
the raw file in /dev if it does not yet exist (due to a lie in utmp).
It should use "r+", to open it for for O_RDWR only.
Oh man this reminds me of 1988, how old is this bug?
ok doug

show more ...

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_N

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

show more ...

remove casts to time_t * which are not needed

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(th

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms

show more ...

sync synopsis and usage.

if the utmp file is (mysteriously gone) do not assume that the user is
on the specified tty; problem noted by ilja@suresec.org, ok various

make these use setres[ug]id for simple privilege dropping;
ok deraadt@ millert@ moritz@

add missing includes
ok deraadt@ tedu@

mostly ansi cleanup; pval ok

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

a few more strlcpy

do not use sys/types.h and sys/param.h together; andrushock@korovino.net

ansi, and revoke privs after opening the tty

use sizeof w/ defines; niklas@ millert@ ok.

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be don

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

show more ...

kill more registers

millert@ ok

avoid stdio in signal handler

-Wall cleanup; ok millert@