create_tempfile: pass pointer to full pathname to strlcat()

Fixes a potential buffer overrun. Also check strlcpy() and strlcat()
return value to detect truncations. Based on a diff from naddy@.
OK

create_tempfile: pass pointer to full pathname to strlcat()

Fixes a potential buffer overrun. Also check strlcpy() and strlcat()
return value to detect truncations. Based on a diff from naddy@.
OK naddy@ tb@ deraadt@

show more ...

userspace: remove vestigial '?' cases from top-level getopt(3) loops

getopt(3) returns '?' when it encounters a flag not present in the in
the optstring or if a flag is missing its option argument.

userspace: remove vestigial '?' cases from top-level getopt(3) loops

getopt(3) returns '?' when it encounters a flag not present in the in
the optstring or if a flag is missing its option argument. We can
handle this case with the "default" failure case with no loss of
legibility. Hence, remove all the redundant "case '?':" lines.

Prompted by dlg@. With help from dlg@ and millert@.

Link: https://marc.info/?l=openbsd-tech&m=167011979726449&w=2

ok naddy@ millert@ dlg@

show more ...

Stop using MAXBSIZE to eliminate sys/param.h including (which injects a
ton of namespace intrusion). Create local sizes, and refactor some code
along the way.
ok millert

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which mig

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert

show more ...

install -d should error out if no directory is given
(this would have prevented a recent typo in bsd.port.mk from
going in)
as discussed with theo, merge the check that's in FreeBSD

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

show more ...

This no longer uses utime(3), so it doesn't need <utime.h>

properly track file names and fds in case the installed file was already
there, so that mode-changing operations still work.

This fixes affected ports.


work by tedu@ and I, okay tedu@

recommit ingo's 1.68 fix, now that we got a fix for the fringe case
described in 1.69

Revert previous.
It appears the flag combination -S -p not only preserved the modification
time as documented, but also the file mode unless the file content changed,
so with the change in rev. 1.68,

Revert previous.
It appears the flag combination -S -p not only preserved the modification
time as documented, but also the file mode unless the file content changed,
so with the change in rev. 1.68, the flag -p no longer applies the given
file mode if the file content does not change.
Regression in the lang/go-boostrap build system reported by espie@.

show more ...

Fix a race condition: do not unlink(2) a file and then open(2) it
with O_CREAT|O_EXCL; instead, always create it with a temporary name,
then rename(2) it into place atomically. For example, the race

Fix a race condition: do not unlink(2) a file and then open(2) it
with O_CREAT|O_EXCL; instead, always create it with a temporary name,
then rename(2) it into place atomically. For example, the race caused
failures in parallel builds that (foolishly) install the same file twice.

This patch makes the -S option a no-op,
making install(1) always behave like -S used to.

Based on a minimally different patch
from Lauri Tirkkonen <lotheac at iki dot fi>,
and including a manual page tweak from deraadt@.

OK deraadt@; "seems the right thing to do" tedu@.

show more ...

Use uid_from_user(3) and gid_from_group(3) in utilities that
do repeated lookups. OK tb@

Use waitpid()/EINTR idiom for the specific pid, rather than generic wait(),
in case the parent process was started with a dangling child. This style
ensures any potential parent:child interlock isn'

Use waitpid()/EINTR idiom for the specific pid, rather than generic wait(),
in case the parent process was started with a dangling child. This style
ensures any potential parent:child interlock isn't disrupted due to the
"wrong" child being waited on first. Then the other other childs can safely
zombie.
ok millert jca brynet

show more ...

spelling and usage() fixes;

Add -F option to install(1) that calls fsync(2) on the installed
file right before closing it. OK tedu@ phessler@

Remove use of sysexits.h.

when using -D, do not use the mode set for the target file as the directory mode

ok millert@

kill trailing whitespace

add -D to create the full destination path before installing the source into it

ok millert@

Use futimens() to preserve timestamps with subsec precision.
Don't cast file sizes to size_t when comparing file contents for the -C option

ok deraadt@

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_N

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

show more ...

Use errc/warnc to simplify code.
Also, in 'ftp', always put the error message last, after the hostname/ipaddr.

ok jsing@ krw@ millert@

remove erroneous char cast to switch expression processing getopt(3);
not used in any cases.

ok deraadt@, guenther@, millert@

unsigned char casts for ctype
ok okan

Copy approach from mkdir to fix a race condition where multiple install -d's
trying to create overlapping paths in parallel could error out. ok millert@