1 /* $NetBSD: local_passwd.c,v 1.30 2005/02/26 07:19:25 thorpej Exp $ */ 2 3 /*- 4 * Copyright (c) 1990, 1993, 1994 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 #ifndef lint 34 #if 0 35 static char sccsid[] = "from: @(#)local_passwd.c 8.3 (Berkeley) 4/2/94"; 36 #else 37 __RCSID("$NetBSD: local_passwd.c,v 1.30 2005/02/26 07:19:25 thorpej Exp $"); 38 #endif 39 #endif /* not lint */ 40 41 #include <sys/types.h> 42 #include <sys/stat.h> 43 #include <ctype.h> 44 #include <err.h> 45 #include <errno.h> 46 #include <fcntl.h> 47 #include <pwd.h> 48 #include <stdio.h> 49 #include <stdlib.h> 50 #include <string.h> 51 #include <limits.h> 52 #include <time.h> 53 #include <unistd.h> 54 #include <util.h> 55 #include <login_cap.h> 56 57 #include "extern.h" 58 59 static uid_t uid; 60 61 static char * 62 getnewpasswd(struct passwd *pw, int min_pw_len) 63 { 64 int tries; 65 char *p, *t; 66 char buf[_PASSWORD_LEN+1], salt[_PASSWORD_LEN+1]; 67 char option[LINE_MAX], *key, *opt; 68 69 (void)printf("Changing local password for %s.\n", pw->pw_name); 70 71 if (uid && pw->pw_passwd[0] && 72 strcmp(crypt(getpass("Old password:"), pw->pw_passwd), 73 pw->pw_passwd)) { 74 errno = EACCES; 75 pw_error(NULL, 1, 1); 76 } 77 78 for (buf[0] = '\0', tries = 0;;) { 79 p = getpass("New password:"); 80 if (!*p) { 81 (void)printf("Password unchanged.\n"); 82 pw_error(NULL, 0, 0); 83 } 84 if (min_pw_len > 0 && strlen(p) < min_pw_len) { 85 (void) printf("Password is too short.\n"); 86 continue; 87 } 88 if (strlen(p) <= 5 && ++tries < 2) { 89 (void)printf("Please enter a longer password.\n"); 90 continue; 91 } 92 for (t = p; *t && islower((unsigned char)*t); ++t); 93 if (!*t && ++tries < 2) { 94 (void)printf("Please don't use an all-lower case " 95 "password.\nUnusual capitalization, " 96 "control characters or digits are " 97 "suggested.\n"); 98 continue; 99 } 100 (void)strlcpy(buf, p, sizeof(buf)); 101 if (!strcmp(buf, getpass("Retype new password:"))) 102 break; 103 (void)printf("Mismatch; try again, EOF to quit.\n"); 104 } 105 106 pw_getpwconf(option, sizeof(option), pw, "localcipher"); 107 opt = option; 108 key = strsep(&opt, ","); 109 if(pw_gensalt(salt, _PASSWORD_LEN, key, opt) == -1) { 110 warn("Couldn't generate salt"); 111 pw_error(NULL, 0, 0); 112 } 113 return(crypt(buf, salt)); 114 } 115 116 #ifdef USE_PAM 117 118 void 119 pwlocal_usage(const char *prefix) 120 { 121 122 (void) fprintf(stderr, "%s %s [-d files | -l] [user]\n", 123 prefix, getprogname()); 124 } 125 126 void 127 pwlocal_process(const char *username, int argc, char **argv) 128 { 129 struct passwd *pw; 130 struct passwd old_pw; 131 time_t old_change; 132 int pfd, tfd; 133 int min_pw_len = 0; 134 int pw_expiry = 0; 135 int ch; 136 #ifdef LOGIN_CAP 137 login_cap_t *lc; 138 #endif 139 140 while ((ch = getopt(argc, argv, "l")) != -1) { 141 switch (ch) { 142 case 'l': 143 /* 144 * Aborb the -l that may have gotten us here. 145 */ 146 break; 147 148 default: 149 usage(); 150 /* NOTREACHED */ 151 } 152 } 153 154 argc -= optind; 155 argv += optind; 156 157 switch (argc) { 158 case 0: 159 /* username already provided */ 160 break; 161 case 1: 162 username = argv[0]; 163 break; 164 default: 165 usage(); 166 /* NOTREACHED */ 167 } 168 169 if (!(pw = getpwnam(username))) 170 errx(1, "unknown user %s", username); 171 172 uid = getuid(); 173 if (uid && uid != pw->pw_uid) 174 errx(1, "%s", strerror(EACCES)); 175 176 /* Save the old pw information for comparing on pw_copy(). */ 177 old_pw = *pw; 178 179 /* 180 * Get class restrictions for this user, then get the new password. 181 */ 182 #ifdef LOGIN_CAP 183 if((lc = login_getclass(pw->pw_class))) { 184 min_pw_len = (int) login_getcapnum(lc, "minpasswordlen", 0, 0); 185 pw_expiry = (int) login_getcaptime(lc, "passwordtime", 0, 0); 186 login_close(lc); 187 } 188 #endif 189 190 pw->pw_passwd = getnewpasswd(pw, min_pw_len); 191 old_change = pw->pw_change; 192 pw->pw_change = pw_expiry ? pw_expiry + time(NULL) : 0; 193 194 /* 195 * Now that the user has given us a new password, let us 196 * change the database. 197 */ 198 pw_init(); 199 tfd = pw_lock(0); 200 if (tfd < 0) { 201 warnx ("The passwd file is busy, waiting..."); 202 tfd = pw_lock(10); 203 if (tfd < 0) 204 errx(1, "The passwd file is still busy, " 205 "try again later."); 206 } 207 208 pfd = open(_PATH_MASTERPASSWD, O_RDONLY, 0); 209 if (pfd < 0) 210 pw_error(_PATH_MASTERPASSWD, 1, 1); 211 212 pw_copy(pfd, tfd, pw, &old_pw); 213 214 if (pw_mkdb(username, old_change == pw->pw_change) < 0) 215 pw_error((char *)NULL, 0, 1); 216 } 217 218 #else /* ! USE_PAM */ 219 220 static int force_local; 221 222 int 223 local_init(progname) 224 const char *progname; 225 { 226 force_local = 0; 227 return (0); 228 } 229 230 int 231 local_arg(char arg, const char *optarg) 232 { 233 switch (arg) { 234 case 'l': 235 force_local = 1; 236 break; 237 default: 238 return(0); 239 } 240 return(1); 241 } 242 243 int 244 local_arg_end() 245 { 246 if (force_local) 247 return(PW_USE_FORCE); 248 return(PW_USE); 249 } 250 251 void 252 local_end() 253 { 254 /* NOOP */ 255 } 256 257 int 258 local_chpw(uname) 259 const char *uname; 260 { 261 struct passwd *pw; 262 struct passwd old_pw; 263 time_t old_change; 264 int pfd, tfd; 265 int min_pw_len = 0; 266 int pw_expiry = 0; 267 #ifdef LOGIN_CAP 268 login_cap_t *lc; 269 #endif 270 271 if (!(pw = getpwnam(uname))) { 272 warnx("unknown user %s", uname); 273 return (1); 274 } 275 276 uid = getuid(); 277 if (uid && uid != pw->pw_uid) { 278 warnx("%s", strerror(EACCES)); 279 return (1); 280 } 281 282 /* Save the old pw information for comparing on pw_copy(). */ 283 old_pw = *pw; 284 285 /* 286 * Get class restrictions for this user, then get the new password. 287 */ 288 #ifdef LOGIN_CAP 289 if((lc = login_getclass(pw->pw_class))) { 290 min_pw_len = (int) login_getcapnum(lc, "minpasswordlen", 0, 0); 291 pw_expiry = (int) login_getcaptime(lc, "passwordtime", 0, 0); 292 login_close(lc); 293 } 294 #endif 295 296 pw->pw_passwd = getnewpasswd(pw, min_pw_len); 297 old_change = pw->pw_change; 298 pw->pw_change = pw_expiry ? pw_expiry + time(NULL) : 0; 299 300 /* 301 * Now that the user has given us a new password, let us 302 * change the database. 303 */ 304 pw_init(); 305 tfd = pw_lock(0); 306 if (tfd < 0) { 307 warnx ("The passwd file is busy, waiting..."); 308 tfd = pw_lock(10); 309 if (tfd < 0) 310 errx(1, "The passwd file is still busy, " 311 "try again later."); 312 } 313 314 pfd = open(_PATH_MASTERPASSWD, O_RDONLY, 0); 315 if (pfd < 0) 316 pw_error(_PATH_MASTERPASSWD, 1, 1); 317 318 pw_copy(pfd, tfd, pw, &old_pw); 319 320 if (pw_mkdb(uname, old_change == pw->pw_change) < 0) 321 pw_error((char *)NULL, 0, 1); 322 return (0); 323 } 324 325 #endif /* USE_PAM */ 326