We've ifdef'd out the copyright strings for some time now. Go ahead and
remove the ifdefs. Plus whatever other detritis was left over from other
recent removals. These copyright strings are present in the comments and
are largely from CSRG's attempt at adding their copyright to every
binary file (which modern interpretations of the license doesn't
require).
Sponsored by: Netflix
Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a perl script.
Sponsored by: Netflix
On systems where mac_veriexec is enforced, init should run its scripts in verified mode.
This relies on the verify shell option introduced by D30464. init will detect if the shell
is /bin/sh, and in which case, add the verify option to the argument vector.
The verify option propagates to all files sourced by the shell, ensuring a better
protection than if the script was tested against an open(O_VERIFY) before running it.
This security can be bypassed with the kenv which overloads the shell to use.
However we feel confident that on systems running with mac_veriexec, this kenv will be blocked somehow.
Also, the verify option has no effect on systems where mac_veriexec is not loaded nor enforced.
Differential revision: https://reviews.freebsd.org/D34622
Reviewed by: sjg, wma
When calling shutdown, shutdown sends a signal to init and exits. This
causes a race condition for the waitpid function. If the signal wins the
race, wpid will be set to -1 and init calls death_single. If shutdown
wins the race, wpid will be set to the pid of the shutdown process and
the requested_transition will be ignored.
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D36356
MFC after: 1 week
Sponsored by: Beckhoff Automation GmbH & Co. KG
Add boottrace annotations to record events in init(8), shutdown(8), and
reboot(8).
Sponsored by: NetApp, Inc.
Sponsored by: Klara, Inc.
X-NetApp-PR: #23
Differential Revision: https://reviews.freebsd.org/D31928
This can be useful for, e.g., unmounting filesystems that were needed
for shutdown.
Reviewed by: kib
Sponsored by: NetApp, Inc.
Sponsored by: Klara, Inc.
X-NetApp-PR: #63
Differential Revision: https://reviews.freebsd.org/D31230
This is a nop in practice, because it cannot be proven that this
particular bzero() is not significant. Make it explicit anyways, rather
than relying on an implementation detail of how the password is
collected.
Discussed with: Andrew Gierth <andrew tao146 riddles org uk>
The badsys() handler for SIGSYS was added as a transtion aid for kernels
lacking sysctl() in 1993. It is unsafe and unsound so remove it rather
than running the risk of a privilege-dropping system call being silently
omitted.
This partially reverts SCCSID 6.12 (Berkeley) 03/03/93 "add code to
change the system security level".
Reviewed by: mckusick, imp, kevans
Obtained from: CheriBSD
MFC after: 1 week
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D26289
Specifically, when running /etc/rc. This allows one to specify via
login.conf(5) an environment that should be used when running services to
ease, e.g., setting up env vars for an HTTP proxy consistently across cron
and services alike.
Future changes will extend cron(8)/service(8) to use environment vars
pecified in login.conf(5) as well to promote a more cohesive experience.
This is a part of D21481.
Submitted by: Andrew Gierth <andrew_tao173.riddles.org.uk>
'shutdown -c' is supposed to power cycle the system rather than doing a normal
reboot. However, when that fails, it halts the system. This is not quite right
since the intent isn't to halt the system but to restart. Make the default init
behavior be to restart the system. The halt(8) interface can be used if you'd
like to powercycle or halt.
MFC After: 1 week
Differential Revision: https://reviews.freebsd.org/D23129
Direct /etc/rc exec was introduced in r337321, with a fallback to
passing it to sh if direct exec fails. "Can't exec" is slightly
misleading in this case (the script is still executed, just not
directly).
after opening the console, replacing init as PID 1.
From the user point of view, it makes it possible to run eg the
shell as PID 1, using 'set init_exec=/bin/sh' at the loader(8)
prompt.
Reviewed by: kib
MFC after: 2 weeks
Relnotes: yes
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16625
scripts. This means one should be able to eg rewrite their /etc/rc
in Python.
Reviewed by: kib
MFC after: 2 weeks
Relnotes: yes
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16565
nothing - it was checking for ENXIO, which, with devfs, is no longer
returned - and was badly placed anyway, and replaces it with similar
one that works, and is done just before starting getty, instead of being
done when rereading ttys(5).
From the practical point of view, this makes init(8) handle disappearing
terminals (eg /dev/ttyU*) gracefully, without unneccessary getty restarts
and resulting error messages.
Reviewed by: imp@
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D14307
Mainly focus on files that use BSD 3-Clause license.
The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
In r231994, an attempt was made to fix crypt(3) failure returns (NULL).
However, instead of treating crypt(3) failure as authentication failure,
some of the changes treated crypt(3) failure as authentication success.
This is wrong.
r324225 fixed this for ppp, which also inspired this review. The other
changes in the 231994 revision were audited for correctness and look ok.
Reviewed by: jhb
Security: yes
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D12571
Renumber cluase 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistance on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.
Submitted by: Jan Schaumann <jschauma@stevens.edu>
Pull Request: https://github.com/freebsd/freebsd/pull/96
shell, ensure that we do sleep for at least the specified time, in
presence of signals.
Interrupted sleep(3) is followed by _exit(), which might cause 'Going
nowhere without my init' panic if init(8) exits before the reboot(2)
really started, or before SIGTSTP stopped init(8) (both events are
initiated by the parallel reboot(8) operation).
I do not see other calls to sleep(STALL_TIMEOUT) as having the same
disasterous consequences and kept them as is until the similar change
is proven required.
Reported and tested by: Andy Farkas <chuzzwassa@gmail.com>
Sponsored by: The FreeBSD Foundation
MFC after: 3 weeks
it via kern.proc.pathname sysctl(2). In some cases - booting from NFS
or rerooting after replacing the init binary with a new one - the sysctl
would fail. In other cases - after upgrading, which moves the old init
to /sbin/init.bak - it would return /sbin/init.bak, which is the actual
path of the running init, instead of /sbin/init.
Reported by: Melissa Jenkins <melissa-freebsd at littlebluecar.co.uk>, jilles@
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
this by myself, but apparently it sometimes happens when rerooting from
single user mode.
Reported by: jilles@
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
the root filesystem without full reboot, using "reboot -r". This can
be used to to eg. boot from a temporary md_image preloaded by loader(8),
setup an iSCSI session, and continue booting from rootfs mounted over
iSCSI.
Reviewed by: kib@, bapt@
MFC after: 1 month
Relnotes: yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D3693
to shut down; close laptop lid" scenario which otherwise tended to end
with a laptop overheating or the battery dying.
The implementation uses a new sysctl, kern.suspend_blocked; init(8) sets
this while rc.suspend runs, and the ACPI sleep code ignores requests while
the sysctl is set.
Discussed on: freebsd-acpi (35 emails)
MFC after: 1 week
The tracking generated warnings when the line number of an existing tty in
/etc/ttys changed, which would corrupt utmp (as it was indexed by the line
number). With utmpx, the line number no longer matters, so the tracking is
no longer needed.
Though we should open the TTY with O_NONBLOCK to prevent rc(8) execution
from potentially stalling, we must not forget to clear the flag later
on, to prevent read(2) calls from failing later on.
This prevented the shell pathname prompt from working properly.
Reported by: kib
If the environment doesn't offer a working /dev/console, the existing
version of init(8) will simply refuse running rc(8) scripts. This means
you'll only have a system running init(8) and nothing else.
Change the code to do the following:
- Open /dev/console like we used to do, but make it more robust to use
O_NONBLOCK to prevent blocking on a carrier.
- If this fails, use /dev/null as stdin and /var/log/init.log as stdout
and stderr.
- If even this fails, use /dev/null as stdin, stdout and stderr.
So why us this useful? Well, if you remove the `getpid() == 1' check in
main(), you can now use init(8) inside jails to properly execute rc(8).
It still requires some polishing, as existing tools assume init(8) has
PID 1.
Also it is now possible to use use init(8) on `headless' devices that
don't even have a serial boot console.
This has the following advantages:
- During boot, the BOOT_TIME record is now written right after the file
systems become writable, but before users are allowed to log in. This
means that they can't cause `hidden logins' by logging in right before
init(8) kicks in.
- The pututxline(3) function may potentially block on file locking,
though this is very rare to occur. By placing it in an rc script, the
user can still kill it with ^C if needed.
- Most importantly: jails don't use init(8). This means that a force
reboot of a system running jails will leave stale entries in the
accounting database of the jails individually.
These tools declare global variables without using the static keyword,
even though their use is limited to a single C-file, or without placing
an extern declaration of them in the proper header file.
It does not make sense to shut down daemons that were not started. In
particular, this fixes loss of mixer settings when shutting down using
shutdown(8), init(8) or ctrl+alt+del from single-user mode.
If /etc/rc reboots, /etc/rc.shutdown is not run.
Also fix segfaults and other erratic behaviour if init receives SIGHUP or
SIGTSTP while in single-user mode.
This commit does not attempt to fix any badness with signal handlers
(assumption that pointers can be read and written atomically, EINTR race
condition). I believe it does not make this badness any worse.
Silence on: -arch@
According to a comment, we cannot safely remove utmpx entries here
anymore. This is because the libc routines may block on file locking. In
an ideal world login(1) should just remove the entries, which is why I'm
disabling this code for now. If it turns out we get lots of stale
entries here, we should figure out a way to deal with that.
logwtmp() gets called with the raw strings that are written to disk. For
regular user entries, this isn't too bad, but when booting/shutting
down, the contents get rather cryptic.
Just call the standardized pututxline().
Even though I thought this bug was somewhere in the TTY layer, it turns
out init(8) doesn't make sure /dev/console is opened initially properly.
I've added revoke() to two pieces of code:
- death(): Apart from killing the gettys on shutdown, this doesn't
guarantee the TTY to be closed immediately.
- runshutdown(): Just like setctty(), we should revoke /dev/console.
Applications like syslogd may have file descriptors to the console.