.\" $NetBSD: init.8,v 1.31 2004/02/19 13:24:31 lukem Exp $
.\"
.\" Copyright (c) 1980, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" This code is derived from software contributed to Berkeley by
.\" Donn Seeley at Berkeley Software Design, Inc.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)init.8 8.6 (Berkeley) 5/26/95
.\"
.Dd February 19, 2004
.Dt INIT 8
.Os
.Sh NAME
.Nm init
.Nd process control initialization
.Sh SYNOPSIS
.Nm
.Sh DESCRIPTION
The
.Nm
program is the last stage of the boot process (after the kernel loads
and initializes all the devices).
It normally begins multi-user operation.
.Pp
The following table describes the state machine used by
.Nm :
.Bl -enum
.It
Single user shell.
.Nm
may be passed
.Fl s
from the boot program to prevent the system from going multi-user and
to instead execute a single user shell without starting the normal
daemons.
The system is then quiescent for maintenance work and may
later be made to go to state 2 (multi-user) by exiting the single-user
shell (with ^D).
.It
Multi-user boot (default operation).
Executes
.Pa /etc/rc
(see
.Xr rc 8 ) .
If this was the first state entered (as opposed to entering here after
state 1), then
.Pa /etc/rc
will be invoked with its first argument being
.Sq autoboot .
If
.Pa /etc/rc
exits with a non-zero (error) exit code, commence single user
operation by giving the super-user a shell on the console by going
to state 1 (single user).
Otherwise, proceed to state 3.
.It
Set up ttys as specified in
.Xr ttys 5 .
See below for more information.
On completion, continue to state 4.
.It
Multi-user operation.
Depending upon the signal received, change state appropriately;
on
.Dv SIGTERM ,
go to state 7;
on
.Dv SIGHUP ,
go to state 5;
on
.Dv SIGTSTP ,
go to state 6.
.It
Clean-up mode; re-read
.Xr ttys 5 ,
killing off the controlling processes on lines that are now
.Sq off ,
and starting processes that are newly
.Sq on .
On completion, go to state 4.
.It
.Sq Boring
mode; no new sessions.
Signals as per state 4.
.It
Shutdown mode.
Send
.Dv SIGHUP
to all controlling processes, reap the processes for 30 seconds,
and then go to state 1 (single user); warning if not all the processes died.
.El
.Pp
If the
.Sq console
entry in the
.Xr ttys 5
file is marked
.Dq insecure ,
then
.Nm
will require that the superuser password be
entered before the system will start a single-user shell.
The password check is skipped if the
.Sq console
is marked as
.Dq secure .
.Pp
The kernel runs with four different levels of security.
Any superuser process can raise the security level, but only
.Nm
can lower it.
.Pp
The security level mechanism is intended to allow the administrator
to protect the persistent code and data on the system, or a subset
thereof, from modification, even by the superuser.
In order for this protection to be effective, the administrator
must ensure that no program that is run while the security level
is 0 or lower, nor any data or configuration file used by any such
program, can be modified while the security level is greater than
0.
This may be achieved through the careful use of the
.Dq immutable
file flag to define and protect a Trusted Computing Base (TCB)
consisting of all such programs and data, or by ensuring that all
such programs and data are on filesystems that are mounted read-only
and running at security level 2 or higher.
.Em Particular care must be taken to ensure, if relying upon
.Em security level 1 and the use of file flags, that the integrity of the
.Em TCB cannot be compromised through the use of modifications to the
.Em disklabel or access to overlapping disk partitions, including the
.Em raw partition .
.Pp
Do not overlook the fact that shell scripts (or anything else fed to an
interpreter, through any mechanism) and the kernel itself are "programs
that run while the security level is 0" and must be considered part of
the TCB.
.Pp
Security levels are defined as follows:
.Bl -tag -width flag
.It Ic -1
Permanently insecure mode \- always run system in level 0 mode.
.It Ic 0
Insecure mode \- immutable and append-only flags may be changed.
All devices may be read or written subject to their permissions.
.It Ic 1
Secure mode \- system immutable and system append-only flags may not
be turned off; disks for mounted filesystems,
.Pa /dev/mem ,
and
.Pa /dev/kmem
are read-only.
.Pp
The verified exec in-kernel fingerprint table may not be changed
(see
.Xr veriexecctl 8 ) .
.It Ic 2
Highly secure mode \- same as secure mode, plus disks are always
read-only whether mounted or not, new disks may not be mounted,
and existing mounts may only be downgraded from read-write to read-only.
This level precludes tampering with filesystems by unmounting them,
but also inhibits running
.Xr newfs 8
while the system is multi-user.
.Pp
The
.Xr settimeofday 2
system call can only advance the time.
.Pp
The state of
.Xr ipf 8
(the in-kernel IP filtering facility) may not be changed.
.Pp
Users may not change the per-process core name template format, only the
default can be changed.
.Pp
Downgrading from highly secure mode to insecure mode (that is, to single-user
mode) always requires the root password to be entered on the console, whether
the console is marked as
.Dq secure
in
.Pa /etc/ttys
or not.
.El
.Pp
Normally, the system runs in level 0 mode while single user
and in level 1 mode while multi-user.
If the level 2 mode is desired while running multi-user,
it can be set in the startup script
.Pa /etc/rc
using
.Xr sysctl 8 .
If it is desired to run the system in level 0 mode while multi-user,
the administrator must build a kernel with
.Sy options INSECURE
in the kernel configuration file, which initializes the kernel's
.Va securelevel
variable to -1.
See
.Xr options 4
and
.Xr config 8
for details.
.Pp
In multi-user operation,
.Nm
maintains
processes for the terminal ports found in the file
.Xr ttys 5 .
.Nm
reads this file, and executes the command found in the second field.
This command is usually
.Xr getty 8 ;
it opens and initializes the tty line and executes the
.Xr login 1
program.
The
.Xr login 1
program, when a valid user logs in, executes a shell for that user.
When this shell dies, either because the user logged out or an
abnormal termination occurred (a signal), the
.Nm
program wakes up, deletes the user from the
.Xr utmp 5
file of current users and records the logout in the
.Xr wtmp 5
file.
The cycle is
then restarted by
.Nm
executing a new
.Xr getty 8
for the line.
.pl +1
.Pp
Line status (on, off, secure, getty, or window information)
may be changed in the
.Xr ttys 5
file without a reboot by sending the signal
.Dv SIGHUP
to
.Nm
with the command
.Dq Li "kill \-s HUP 1" .
This is referenced in the table above as state 5.
On receipt of this signal,
.Nm
re-reads the
.Xr ttys 5
file.
When a line is turned off in
.Xr ttys 5 ,
.Nm
will send a
.Dv SIGHUP
signal to the controlling process
for the session associated with the line.
For any lines that were previously turned off in the
.Xr ttys 5
file and are now on,
.Nm
executes a new
.Xr getty 8
to enable a new login.
If the getty or window field for a line is changed,
the change takes effect at the end of the current
login session (e.g., the next time
.Nm
starts a process on the line).
If a line is commented out or deleted from
.Xr ttys 5 ,
.Nm
will not do anything at all to that line.
However, it will complain that the relationship between lines
in the
.Xr ttys 5
file and records in the
.Xr utmp 5
file is out of sync,
so this practice is not recommended.
.Pp
.Nm
will terminate multi-user operations and resume single-user mode
if sent a terminate
.Pq Dv TERM
signal, for example,
.Dq Li "kill \-s TERM 1" .
If there are processes outstanding that are deadlocked (because of
hardware or software failure),
.Nm
will not wait for them all to die (which might take forever), but
will time out after 30 seconds and print a warning message.
.Pp
.Nm
will cease creating new
.Xr getty 8 Ns 's
and allow the system to slowly die away, if it is sent a terminal stop
.Pq Dv TSTP
signal, i.e.
.Dq Li "kill \-s TSTP 1" .
A later hangup will resume full
multi-user operations, or a terminate will start a single user shell.
This hook is used by
.Xr reboot 8
and
.Xr halt 8 .
.Pp
The role of
.Nm
is so critical that if it dies, the system will reboot itself
automatically.
If, at bootstrap time, the
.Nm
process cannot be located, the system will panic with the message
.Dq panic: init died (signal %d, exit %d) .
.Sh FILES
.Bl -tag -width /var/log/wtmp -compact
.It Pa /dev/console
System console device.
.It Pa /dev/tty*
Terminal ports found in
.Xr ttys 5 .
.It Pa /var/run/utmp
Record of current users on the system.
.It Pa /var/log/wtmp
Record of all logins and logouts.
.It Pa /etc/ttys
The terminal initialization information file.
.It Pa /etc/rc
System startup commands.
.El
.Sh DIAGNOSTICS
.Bl -diag
.It "getty repeating too quickly on port %s, sleeping"
A process being started to service a line is exiting quickly
each time it is started.
This is often caused by a ringing or noisy terminal line.
.Em "Init will sleep for 10 seconds" ,
.Em "then continue trying to start the process" .
.Pp
.It "some processes would not die; ps axl advised."
A process is hung and could not be killed when the system was
shutting down.
This condition is usually caused by a process that is stuck in a
device driver because of a persistent device error condition.
.El
.Sh SEE ALSO
.Xr kill 1 ,
.Xr login 1 ,
.Xr sh 1 ,
.Xr options 4 ,
.Xr ttys 5 ,
.Xr config 8 ,
.Xr getty 8 ,
.Xr halt 8 ,
.Xr rc 8 ,
.Xr reboot 8 ,
.Xr shutdown 8
.Sh HISTORY
A
.Nm
command appeared in
.At v6 .
.Sh BUGS
Systems without
.Xr sysctl 8
behave as though they have security level \-1.
.Pp
The security level 2 restrictions relating to TCB integrity protection
should be enforced at security level 1.
Restrictions dependent upon security level but not relating to TCB
integrity protection should be selected by
.Xr sysctl 8
settings available only at security level 0 or lower.
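An added example, not part of the original manual page or of NetBSD's own code: an audit check for the two single-user password rules in DESCRIPTION (the console entry marked secure or insecure in ttys(5), and the rule that leaving security level 2 always requires the root password).
The function names, the sample file, the field layout (name, quoted command, type, then flags) and the kern.securelevel sysctl name are assumptions of this example.

```shell
#!/bin/sh
# Added example. Function names and the sample file are constructed.

# Constructed sample in ttys(5) layout: name, "command", type, flags.
sample_ttys() {
cat <<'EOF'
# name  getty                    type   status
console "/usr/libexec/getty Pc"  vt100  off
ttyE0   "/usr/libexec/getty Pc"  vt220  on secure
EOF
}

# console_status FILE: print secure, insecure, or missing.
# A line counts as secure only if the word "secure" is among its flags.
console_status() {
    awk '
        # Collapse the quoted command to one field, then drop comments.
        { gsub(/"[^"]*"/, "CMD"); sub(/#.*/, "") }
        $1 != "console" { next }
        {
            status = "insecure"
            for (i = 4; i <= NF; i++)
                if ($i == "secure") status = "secure"
            print status; found = 1; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# single_user_prompt FILE SECURELEVEL: print password, no-password, or unknown.
single_user_prompt() {
    # Leaving level 2 always needs the root password on the console.
    if [ "$2" -ge 2 ]; then echo password; return 0; fi
    case $(console_status "$1") in
        secure)   echo no-password ;;
        insecure) echo password ;;
        *)        echo unknown ;;   # no console entry: the page does not say
    esac
}

# On a live system (assumes the kern.securelevel sysctl name):
#   single_user_prompt /etc/ttys "$(sysctl -n kern.securelevel)"
```

A result of no-password means anyone with console access gets a root shell in single-user mode, which matters most where the console is physically or remotely reachable by non-administrators.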