From 68f7c0883b1122ac52ae84fe24f5c16b991ad5d8 Mon Sep 17 00:00:00 2001 From: deraadt <> Date: Mon, 14 Jul 2014 09:04:02 +0000 Subject: [PATCH] rc.{local,securelevel,shutdown} become examples. If versions of them are created in /etc, they are executed (they used to be sourced) to avoid polluting the rc variable space. The powerdown= and securelevel= features are removed; they are likely only used by 2 people. the secureleve is now always raised; this is the only sensible default. ok ajacoutot --- src/etc/Makefile | 25 ++++++++++++------------- src/etc/changelist | 8 ++++---- src/etc/{ => examples}/rc.local | 2 +- src/etc/examples/rc.securelevel | 14 ++++++++++++++ src/etc/{ => examples}/rc.shutdown | 6 +----- src/etc/rc | 16 +++++----------- src/etc/rc.securelevel | 22 ---------------------- 7 files changed, 37 insertions(+), 56 deletions(-) rename src/etc/{ => examples}/rc.local (78%) create mode 100644 src/etc/examples/rc.securelevel rename src/etc/{ => examples}/rc.shutdown (56%) delete mode 100644 src/etc/rc.securelevel diff --git a/src/etc/Makefile b/src/etc/Makefile index 2b070cc7..66099fec 100644 --- a/src/etc/Makefile +++ b/src/etc/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.370 2014/07/13 13:53:36 rpe Exp $ +# $OpenBSD: Makefile,v 1.371 2014/07/14 09:04:02 deraadt Exp $ TZDIR= /usr/share/zoneinfo LOCALTIME= Canada/Mountain 
@@ -30,25 +30,24 @@ kernels: bootblocks ${ALL_KERNELS} # -rw-r--r-- BINOWN= root BINGRP= wheel -BIN1= changelist csh.cshrc csh.login csh.logout daily \ +BIN1= changelist csh.cshrc csh.login csh.logout daily dhclient.conf \ + etc.${MACHINE}/disktab etc.${MACHINE}/login.conf \ ftpusers gettytab group hosts ksh.kshrc locate.rc \ - man.conf monthly motd myname netstart networks \ - newsyslog.conf protocols rc rc.conf rc.local \ - rc.securelevel rc.shutdown rpc services shells syslog.conf \ - weekly etc.${MACHINE}/login.conf etc.${MACHINE}/disktab \ - dhclient.conf mailer.conf moduli pf.os mixerctl.conf + mailer.conf man.conf mixerctl.conf moduli monthly motd \ + myname netstart networks newsyslog.conf pf.os protocols \ + rc rc.conf rpc services shells syslog.conf weekly +.if ${MACHINE} != "aviion" +BIN1+= wsconsctl.conf +.endif EXAMPLES=chio.conf dhcpd.conf exports ftpchroot hosts.lpd ifstated.conf \ inetd.conf mrouted.conf ntpd.conf printcap rbootd.conf remote \ sensorsd.conf EXAMPLES_600=bgpd.conf dvmrpd.conf hostapd.conf iked.conf ipsec.conf \ - ldapd.conf ldpd.conf ospf6d.conf ospfd.conf relayd.conf ripd.conf \ - sasyncd.conf snmpd.conf ypldap.conf - -.if ${MACHINE} != "aviion" -BIN1+= wsconsctl.conf -.endif + ldapd.conf ldpd.conf ospf6d.conf ospfd.conf rc.local \ + rc.securelevel rc.shutdown relayd.conf ripd.conf \ + sasyncd.conf snmpd.conf ypldap.conf # -rw-rw-r-- BIN2= motd diff --git a/src/etc/changelist b/src/etc/changelist index d6b7afd6..32330e93 100644 --- a/src/etc/changelist +++ b/src/etc/changelist @@ -1,4 +1,4 @@ -# $OpenBSD: changelist,v 1.92 2014/07/13 13:53:36 rpe Exp $ +# $OpenBSD: changelist,v 1.93 2014/07/14 09:04:02 deraadt Exp $ # # List of files which the security script backs up and checks # for modifications. @@ -110,9 +110,9 @@ /etc/rc.conf /etc/rc.conf.local /etc/rc.d/rc.subr -/etc/rc.local -/etc/rc.securelevel -/etc/rc.shutdown ++/etc/rc.local ++/etc/rc.securelevel ++/etc/rc.shutdown +/etc/relayd.conf +/etc/remote /etc/resolv.conf 
diff --git a/src/etc/rc.local b/src/etc/examples/rc.local
similarity index 78%
rename from src/etc/rc.local
rename to src/etc/examples/rc.local
index 944b7b4e..5da81e27 100644
--- a/src/etc/rc.local
+++ b/src/etc/examples/rc.local
@@ -1,4 +1,4 @@
-# $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $
+# $OpenBSD: rc.local,v 1.1 2014/07/14 09:04:02 deraadt Exp $
 # Site-specific startup actions, daemons, and other things which
 # can be done AFTER your system goes into securemode. For actions
diff --git a/src/etc/examples/rc.securelevel b/src/etc/examples/rc.securelevel
new file mode 100644
index 00000000..70e678a8
--- /dev/null
+++ b/src/etc/examples/rc.securelevel
@@ -0,0 +1,14 @@
+# $OpenBSD: rc.securelevel,v 1.1 2014/07/14 09:04:02 deraadt Exp $
+#
+# site-specific startup actions, daemons, and other things which
+# can be done BEFORE your system goes into securemode. For actions
+# which should be done AFTER your system has gone into securemode
+# please see /etc/rc.local
+
+echo -n 'starting pre-securelevel daemons:'
+
+#
+# Place local actions here.
+#
+
+echo '.'
diff --git a/src/etc/rc.shutdown b/src/etc/examples/rc.shutdown
similarity index 56%
rename from src/etc/rc.shutdown
rename to src/etc/examples/rc.shutdown
index 9976eb04..fb615f89 100644
--- a/src/etc/rc.shutdown
+++ b/src/etc/examples/rc.shutdown
@@ -1,10 +1,6 @@
-# $OpenBSD: rc.shutdown,v 1.12 2011/04/22 06:08:14 ajacoutot Exp $
+# $OpenBSD: rc.shutdown,v 1.1 2014/07/14 09:04:02 deraadt Exp $
 #
 # If it exists, this script is run at system-shutdown by reboot(8),
 # halt(8). If the architecture supports keyboard requested halting,
 # it is also run by init(8) when such an event happens.
 #
-
-powerdown=NO # set to YES for powerdown
-
-# Add your local shutdown actions here.
diff --git a/src/etc/rc b/src/etc/rc
index e65e9fa5..20be0ffb 100644
--- a/src/etc/rc
+++ b/src/etc/rc
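Review bot: The header of the new examples/rc.securelevel never says that it only takes effect once copied to /etc/rc.securelevel, nor that /etc/rc now runs it with sh(1) instead of sourcing it, so nothing assigned in it reaches rc (this commit's rc hunk changes `.` to `sh` for exactly that reason). An administrator carrying over the old habit of writing `securelevel=2` here would get no effect at all, because rc now issues `sysctl kern.securelevel=1` itself and the assignment dies with the child shell. Suggest adding after the RCS line: `# Copy to /etc/rc.securelevel to enable. /etc/rc runs this file with sh(1),` and `# so variables and functions set here are not shared with rc.` The rc.shutdown header in the next hunk has the same gap: "If it exists, this script is run at system-shutdown" no longer says it must exist as /etc/rc.shutdown rather than under /etc/examples.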
@@ -1,4 +1,4 @@ -# $OpenBSD: rc,v 1.430 2014/07/14 03:45:55 deraadt Exp $ +# $OpenBSD: rc,v 1.431 2014/07/14 09:04:02 deraadt Exp $ # System startup script run by init on autoboot # or after single-user. @@ -283,7 +283,7 @@ if [ X"$1" = X"shutdown" ]; then fi echo /etc/rc.shutdown in progress... - [ -f /etc/rc.shutdown ] && . /etc/rc.shutdown + [ -f /etc/rc.shutdown ] && sh /etc/rc.shutdown echo /etc/rc.shutdown complete. else echo single user: not running shutdown scripts @@ -296,9 +296,6 @@ if [ X"$1" = X"shutdown" ]; then esac done - if [ X"${powerdown}" = X"YES" ]; then - exit 2 - fi exit 0 fi @@ -460,11 +457,8 @@ echo clearing /tmp setup_X_sockets -[ -f /etc/rc.securelevel ] && . /etc/rc.securelevel -if [ X"${securelevel}" != X"" ]; then - echo -n 'setting kernel security level: ' - sysctl kern.securelevel=${securelevel} -fi +[ -f /etc/rc.securelevel ] && sh /etc/rc.securelevel +sysctl kern.securelevel=1 # patch /etc/motd if [ ! -f /etc/motd ]; then @@ -537,7 +531,7 @@ if [ -n "${pkg_scripts}" ]; then echo '.' fi -[ -f /etc/rc.local ] && . /etc/rc.local +[ -f /etc/rc.local ] && sh /etc/rc.local ifconfig -g carp -carpdemote 128 # disable carp interlock diff --git a/src/etc/rc.securelevel b/src/etc/rc.securelevel deleted file mode 100644 index fa3ce362..00000000 --- a/src/etc/rc.securelevel +++ /dev/null 
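Review bot: The bare `sysctl kern.securelevel=1` in the @@ -460 hunk drops the 'setting kernel security level:' label the removed lines printed, so the boot log only carries sysctl's own output for a step that is now mandatory; keep the echo or add a comment such as `# securelevel is always raised here; it can only go up from this point` so the line is not mistaken for a tunable. A site that wants level 2 now has to raise it itself, from /etc/rc.securelevel (in which case this line will presumably print an error, since the level cannot be lowered) or from /etc/rc.local, and neither example mentions that. The `.`→`sh` switch in the @@ -283, @@ -460 and @@ -537 hunks also means /etc/rc.shutdown, /etc/rc.securelevel and /etc/rc.local no longer see any variable or function rc defines (e.g. `pkg_scripts`, visible in the @@ -537 header); if existing site scripts relied on those they will now fail silently, because the exit status of each `sh /etc/rc.*` call is still never checked.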
@@ -1,22 +0,0 @@
-# $OpenBSD: rc.securelevel,v 1.16 2004/07/06 04:05:03 deraadt Exp $
-#
-# site-specific startup actions, daemons, and other things which
-# can be done BEFORE your system goes into securemode. For actions
-# which should be done AFTER your system has gone into securemode
-# please see /etc/rc.local
-
-# This is the desired security level
-# XXX
-# XXX it is not really acceptable to put this value in a configuration
-# XXX file, because locking it down requires immutability on about
-# XXX 5 files instead of 2 (the kernel and init)
-# XXX
-securelevel=1
-
-echo -n 'starting pre-securelevel daemons:'
-
-#
-# Place local actions here.
-#
-
-echo '.'