03e754fd4d
this is now controlled by Veriexec's strict level.
423 lines
12 KiB
Groff
423 lines
12 KiB
Groff
.\" $NetBSD: init.8,v 1.37 2005/11/13 18:39:53 elad Exp $
|
|
.\"
|
|
.\" Copyright (c) 1980, 1991, 1993
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
.\"
|
|
.\" This code is derived from software contributed to Berkeley by
|
|
.\" Donn Seeley at Berkeley Software Design, Inc.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. Neither the name of the University nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" @(#)init.8 8.6 (Berkeley) 5/26/95
|
|
.\"
|
|
.Dd November 13, 2005
|
|
.Dt INIT 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm init
|
|
.Nd process control initialization
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
program is the last stage of the boot process (after the kernel loads
|
|
and initializes all the devices).
|
|
It normally begins multi-user operation.
|
|
.Pp
|
|
The following table describes the state machine used by
|
|
.Nm :
|
|
.Bl -enum
|
|
.It
|
|
Single user shell.
|
|
.Nm
|
|
may be passed
|
|
.Fl s
|
|
from the boot program to prevent the system from going multi-user and
|
|
to instead execute a single user shell without starting the normal
|
|
daemons.
|
|
The system is then quiescent for maintenance work and may
|
|
later be made to go to state 2 (multi-user) by exiting the single-user
|
|
shell (with ^D).
|
|
.It
|
|
Multi-user boot (default operation).
|
|
Executes
|
|
.Pa /etc/rc
|
|
(see
|
|
.Xr rc 8 ) .
|
|
If this was the first state entered (as opposed to entering here after
|
|
state 1), then
|
|
.Pa /etc/rc
|
|
will be invoked with its first argument being
|
|
.Sq autoboot .
|
|
If
|
|
.Pa /etc/rc
|
|
exits with a non-zero (error) exit code, commence single user
|
|
operation by giving the super-user a shell on the console by going
|
|
to state 1 (single user).
|
|
Otherwise, proceed to state 3.
|
|
.It
|
|
Set up ttys as specified in
|
|
.Xr ttys 5 .
|
|
See below for more information.
|
|
On completion, continue to state 4.
|
|
.It
|
|
Multi-user operation.
|
|
Depending upon the signal received, change state appropriately;
|
|
on
|
|
.Dv SIGTERM ,
|
|
go to state 7;
|
|
on
|
|
.Dv SIGHUP ,
|
|
go to state 5;
|
|
on
|
|
.Dv SIGTSTP ,
|
|
go to state 6.
|
|
.It
|
|
Clean-up mode; re-read
|
|
.Xr ttys 5 ,
|
|
killing off the controlling processes on lines that are now
|
|
.Sq off ,
|
|
and starting processes that are newly
|
|
.Sq on .
|
|
On completion, go to state 4.
|
|
.It
|
|
.Sq Boring
|
|
mode; no new sessions.
|
|
Signals as per state 4.
|
|
.It
|
|
Shutdown mode.
|
|
Send
|
|
.Dv SIGHUP
|
|
to all controlling processes, reap the processes for 30 seconds,
|
|
and then go to state 1 (single user); warning if not all the processes died.
|
|
.El
|
|
.Pp
|
|
If the
|
|
.Sq console
|
|
entry in the
|
|
.Xr ttys 5
|
|
file is marked
|
|
.Dq insecure ,
|
|
then
|
|
.Nm
|
|
will require that the superuser password be
|
|
entered before the system will start a single-user shell.
|
|
The password check is skipped if the
|
|
.Sq console
|
|
is marked as
|
|
.Dq secure .
|
|
.Pp
|
|
The kernel runs with four different levels of security.
|
|
Any superuser process can raise the security level, but only
|
|
.Nm
|
|
can lower it.
|
|
.Pp
|
|
The security level mechanism is intended to allow the administrator
|
|
to protect the persistent code and data on the system, or a subset
|
|
thereof, from modification, even by the superuser.
|
|
In order for this protection to be effective, the administrator
|
|
must ensure that no program that is run while the security level
|
|
is 0 or lower, nor any data or configuration file used by any such
|
|
program, can be modified while the security level is greater than
|
|
0.
|
|
This may be achieved through the careful use of the
|
|
.Dq immutable
|
|
file flag to define and protect a Trusted Computing Base (TCB)
|
|
consisting of all such programs and data, or by ensuring that all
|
|
such programs and data are on filesystems that are mounted read-only
|
|
and running at security level 2 or higher.
|
|
.Em Particular care must be taken to ensure, if relying upon
|
|
.Em security level 1 and the use of file flags, that the integrity of the
|
|
.Em TCB cannot be compromised through the use of modifications to the
|
|
.Em disklabel or access to overlapping disk partitions, including the
|
|
.Em raw partition .
|
|
.Pp
|
|
Do not overlook the fact that shell scripts (or anything else fed to an
|
|
interpreter, through any mechanism) and the kernel itself are "programs
|
|
that run while the security level is 0" and must be considered part of
|
|
the TCB.
|
|
.Pp
|
|
Security levels are defined as follows:
|
|
.Bl -tag -width flag
|
|
.It Ic -1
|
|
Permanently insecure mode \- always run system in level 0 mode.
|
|
.It Ic 0
|
|
Insecure mode \- immutable and append-only flags may be changed.
|
|
All devices may be read or written subject to their permissions.
|
|
.It Ic 1
|
|
Secure mode \- system immutable and system append-only flags may not
|
|
be turned off; disks for mounted filesystems,
|
|
.Pa /dev/mem ,
|
|
and
|
|
.Pa /dev/kmem
|
|
are read-only.
|
|
.It Ic 2
|
|
Highly secure mode \- same as secure mode, plus disks are always
|
|
read-only whether mounted or not, new disks may not be mounted,
|
|
and existing mounts may only be downgraded from read-write to read-only.
|
|
This level precludes tampering with filesystems by unmounting them,
|
|
but also inhibits running
|
|
.Xr newfs 8
|
|
while the system is multi-user.
|
|
.Pp
|
|
The
|
|
.Xr settimeofday 2
|
|
system call can only advance the time.
|
|
.Pp
|
|
The state of
|
|
.Xr ipf 8
|
|
(the in-kernel IP filtering facility) may not be changed.
|
|
.Pp
|
|
Users may not change the per-process core name template format, only the
|
|
default can be changed.
|
|
.Pp
|
|
Downgrading from highly secure mode to insecure mode (that is, to single-user
|
|
mode) always requires the root password to be entered on the console, whether
|
|
the console is marked as
|
|
.Dq secure
|
|
in
|
|
.Pa /etc/ttys
|
|
or not.
|
|
.El
|
|
.Pp
|
|
Normally, the system runs in level 0 mode while single user
|
|
and in level 1 mode while multi-user.
|
|
If the level 2 mode is desired while running multi-user,
|
|
it can be set in the startup script
|
|
.Pa /etc/rc
|
|
using
|
|
.Xr sysctl 8 .
|
|
If it is desired to run the system in level 0 mode while multi-user,
|
|
the administrator must build a kernel with
|
|
.Sy options INSECURE
|
|
in the kernel configuration file, which initializes the kernel's
|
|
.Va securelevel
|
|
variable to -1.
|
|
See
|
|
.Xr config 1
|
|
and
|
|
.Xr options 4
|
|
for details.
|
|
.Pp
|
|
In multi-user operation,
|
|
.Nm
|
|
maintains
|
|
processes for the terminal ports found in the file
|
|
.Xr ttys 5 .
|
|
.Nm
|
|
reads this file, and executes the command found in the second field.
|
|
This command is usually
|
|
.Xr getty 8 ;
|
|
it opens and initializes the tty line and executes the
|
|
.Xr login 1
|
|
program.
|
|
The
|
|
.Xr login 1
|
|
program, when a valid user logs in, executes a shell for that user.
|
|
When this shell dies, either because the user logged out or an
|
|
abnormal termination occurred (a signal), the
|
|
.Nm
|
|
program wakes up, deletes the user from the
|
|
.Xr utmp 5
|
|
file of current users and records the logout in the
|
|
.Xr wtmp 5
|
|
file.
|
|
The cycle is
|
|
then restarted by
|
|
.Nm
|
|
executing a new
|
|
.Xr getty 8
|
|
for the line.
|
|
.pl +1
|
|
.Pp
|
|
Line status (on, off, secure, getty, or window information)
|
|
may be changed in the
|
|
.Xr ttys 5
|
|
file without a reboot by sending the signal
|
|
.Dv SIGHUP
|
|
to
|
|
.Nm
|
|
with the command
|
|
.Dq Li "kill \-s HUP 1" .
|
|
This is referenced in the table above as state 5.
|
|
On receipt of this signal,
|
|
.Nm
|
|
re-reads the
|
|
.Xr ttys 5
|
|
file.
|
|
When a line is turned off in
|
|
.Xr ttys 5 ,
|
|
.Nm
|
|
will send a
|
|
.Dv SIGHUP
|
|
signal to the controlling process
|
|
for the session associated with the line.
|
|
For any lines that were previously turned off in the
|
|
.Xr ttys 5
|
|
file and are now on,
|
|
.Nm
|
|
executes a new
|
|
.Xr getty 8
|
|
to enable a new login.
|
|
If the getty or window field for a line is changed,
|
|
the change takes effect at the end of the current
|
|
login session (e.g., the next time
|
|
.Nm
|
|
starts a process on the line).
|
|
If a line is commented out or deleted from
|
|
.Xr ttys 5 ,
|
|
.Nm
|
|
will not do anything at all to that line.
|
|
However, it will complain that the relationship between lines
|
|
in the
|
|
.Xr ttys 5
|
|
file and records in the
|
|
.Xr utmp 5
|
|
file is out of sync,
|
|
so this practice is not recommended.
|
|
.Pp
|
|
.Nm
|
|
will terminate multi-user operations and resume single-user mode
|
|
if sent a terminate
|
|
.Pq Dv TERM
|
|
signal, for example,
|
|
.Dq Li "kill \-s TERM 1" .
|
|
If there are processes outstanding that are deadlocked (because of
|
|
hardware or software failure),
|
|
.Nm
|
|
will not wait for them all to die (which might take forever), but
|
|
will time out after 30 seconds and print a warning message.
|
|
.Pp
|
|
.Nm
|
|
will cease creating new
|
|
.Xr getty 8 Ns 's
|
|
and allow the system to slowly die away, if it is sent a terminal stop
|
|
.Pq Dv TSTP
|
|
signal, i.e.
|
|
.Dq Li "kill \-s TSTP 1" .
|
|
A later hangup will resume full
|
|
multi-user operations, or a terminate will start a single user shell.
|
|
This hook is used by
|
|
.Xr reboot 8
|
|
and
|
|
.Xr halt 8 .
|
|
.Pp
|
|
The role of
|
|
.Nm
|
|
is so critical that if it dies, the system will reboot itself
|
|
automatically.
|
|
If, at bootstrap time, the
|
|
.Nm
|
|
process cannot be located, the system will panic with the message
|
|
.Dq panic: init died (signal %d, exit %d) .
|
|
.Pp
|
|
If
|
|
.Pa /dev/console
|
|
does not exist,
|
|
.Nm
|
|
will create a MFS (memory based file system) mounted over
|
|
.Pa /dev .
|
|
Then it will create a
|
|
.Pa /dev/console
|
|
device so you can see things happening.
|
|
The
|
|
.Xr MAKEDEV 8
|
|
and
|
|
.Pa MAKEDEV.local
|
|
scripts are placed in the new
|
|
.Pa /dev
|
|
directory.
|
|
Then
|
|
.Nm
|
|
changes the working directory to
|
|
.Pa /dev
|
|
and runs the scripts using the
|
|
.Dq init
|
|
special target.
|
|
This creates the standard devices considered necessary to boot the
|
|
system.
|
|
.Sh FILES
|
|
.Bl -tag -width /var/log/wtmp -compact
|
|
.It Pa /dev/console
|
|
System console device.
|
|
.It Pa /dev/tty*
|
|
Terminal ports found in
|
|
.Xr ttys 5 .
|
|
.It Pa /var/run/utmp
|
|
Record of Current users on the system.
|
|
.It Pa /var/log/wtmp
|
|
Record of all logins and logouts.
|
|
.It Pa /etc/ttys
|
|
The terminal initialization information file.
|
|
.It Pa /etc/rc
|
|
System startup commands.
|
|
.El
|
|
.Sh DIAGNOSTICS
|
|
.Bl -diag
|
|
.It "getty repeating too quickly on port %s, sleeping"
|
|
A process being started to service a line is exiting quickly
|
|
each time it is started.
|
|
This is often caused by a ringing or noisy terminal line.
|
|
.Em "Init will sleep for 10 seconds" ,
|
|
.Em "then continue trying to start the process" .
|
|
.Pp
|
|
.It "some processes would not die; ps axl advised."
|
|
A process is hung and could not be killed when the system was
|
|
shutting down.
|
|
This condition is usually caused by a process that is stuck in a
|
|
device driver because of a persistent device error condition.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr config 1 ,
|
|
.Xr kill 1 ,
|
|
.Xr login 1 ,
|
|
.Xr sh 1 ,
|
|
.Xr options 4 ,
|
|
.Xr ttys 5 ,
|
|
.Xr MAKEDEV 8 ,
|
|
.Xr getty 8 ,
|
|
.Xr halt 8 ,
|
|
.Xr mfs 8 ,
|
|
.Xr rc 8 ,
|
|
.Xr reboot 8 ,
|
|
.Xr shutdown 8
|
|
.Sh HISTORY
|
|
A
|
|
.Nm
|
|
command appeared in
|
|
.At v6 .
|
|
.Sh BUGS
|
|
Systems without
|
|
.Xr sysctl 8
|
|
behave as though they have security level \-1.
|
|
.Pp
|
|
The security level 2 restrictions relating to TCB integrity protection
|
|
should be enforced at security level 1.
|
|
Restrictions dependent upon security level but not relating to TCB
|
|
integrity protection should be selected by
|
|
.Xr sysctl 8
|
|
settings available only at security level 0 or lower.
|