source-git / passwd

Clone
Source Code
GIT

Files

  1.   734bd10d8c91ee1a94a33d1c45587f098c6c2b7e
  2.   libuser.c
Blob Blame History Raw 
/*
 * Copyright Red Hat, Inc., 2002, 2006, 2015.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, and the entire permission notice in its entirety,
 *    including the disclaimer of warranties.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior
 *    written permission.
 *
 * ALTERNATIVELY, this product may be distributed under the terms of
 * the GNU Public License, in which case the provisions of the GPL are
 * required INSTEAD OF the above restrictions.  (This clause is
 * necessary due to a potential bad interaction between the GPL and
 * the restrictions contained in a BSD-style copyright.)
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This file contains libuser wrappers with prototypes which match the
 * declarations in pwdb.h.  Where possible, behavior is kept as close
 * to that of the previous versions as possible.
 */

#include "config.h"

#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <time.h>

/* GValueArray is a part of external API of libuser; warnings about it being
   deprecated do no good. */
#define GLIB_VERSION_MIN_REQUIRED GLIB_VERSION_2_30

#include <libuser/user.h>
#include <libintl.h>
#include "pwdb.h"

extern const char *progname;

#define CHECK_ERROR(x) \
if (x != NULL) { \
	fprintf(stderr, "%s: Libuser error at line: %d - %s.\n", \
		progname, __LINE__, lu_strerror(x)); \
	lu_error_free(&x); \
	return -1; \
}

static struct lu_context *libuser = NULL;

/* Shut down libuser. */
static void
shutdown_libuser(void)
{
	lu_end(libuser);
	libuser = NULL;
}

/* Start up the library, suggesting the name of the user which was
 * passed in as the name the library should use if it needs to
 * authenticate to data sources. */
static void
startup_libuser(const char *user)
{
	struct lu_error *error = NULL;
	if (libuser != NULL) {
		shutdown_libuser();
	}
	libuser = lu_start(user, lu_user, NULL, NULL,
			   lu_prompt_console, NULL, &error);
	if (error != NULL || libuser == NULL) {
		fprintf(stderr,
			_("%s: libuser initialization error:"), progname);
	}
	if (error != NULL) {
		fprintf(stderr,
			" %s\n", lu_strerror(error));
		_exit(1);
	}
	if (libuser == NULL) {
		fprintf(stderr,
			" unknown error\n");
		_exit(1);
	}
}

/* Lock an account. */
int
pwdb_lock_password(const char *username)
{
	int retval = 1;
	struct lu_ent *ent;
	struct lu_error *error = NULL;
	gboolean started = FALSE;
	if (libuser == NULL) {
		startup_libuser("root");
		started = TRUE;
	}
	ent = lu_ent_new();
	if (lu_user_lookup_name(libuser, username, ent, &error)) {
		if (lu_user_lock(libuser, ent, &error)) {
			retval = 0;
		}
	}
	lu_ent_free(ent);
	CHECK_ERROR(error);
	if (started) {
		shutdown_libuser();
	}
	return retval;
}

int
pwdb_unlock_password(const char *username, int force)
{
	int retval = 1, i;
	struct lu_ent *ent;
	struct lu_error *error = NULL;
	const char *current = NULL;
	gboolean started = FALSE;
	if (libuser == NULL) {
		startup_libuser("root");
		started = TRUE;
	}
	ent = lu_ent_new();
	if (lu_user_lookup_name(libuser, username, ent, &error)) {
		current = lu_ent_get_first_value_strdup(ent, LU_SHADOWPASSWORD);
		if (current == NULL)
			lu_ent_get_first_value_strdup(ent, LU_USERPASSWORD);
		if (current && (force == 0)) {
			/* Search for a non-locking character. */
			for (i = 0; (current[i] == '!'); i++) {
				/*nothing */
			};
			/* If the first non-locking character is the end of the
			 * string, */
			if (current[i] == '\0') {
				fprintf(stderr, "%s: %s\n", progname,
					_("Warning: unlocked password would be empty."));
				/* warn the admin, because this is probably a
				 * bad idea. */
				retval = -2;
			}
		}
		if (retval != -2) {
			/* Go blind, or force it. */
			if (lu_user_unlock(libuser, ent, &error)) {
				retval = 0;
			}
		}
	}
	lu_ent_free(ent);
	CHECK_ERROR(error);
	if (started) {
		shutdown_libuser();
	}
	return retval;
}

/* Try to remove a user's password.  Note that some of the underlying modules
 * libuser uses don't support this. */
int
pwdb_clear_password(const char *username)
{
	int retval = 1;
	struct lu_ent *ent;
	struct lu_error *error = NULL;
	gboolean started = FALSE;
	if (libuser == NULL) {
		startup_libuser("root");
		started = TRUE;
	}
	ent = lu_ent_new();
	if (lu_user_lookup_name(libuser, username, ent, &error)) {
		const char *current;

		current = lu_ent_get_first_value_strdup(ent, LU_SHADOWPASSWORD);
		if (current == NULL)
			lu_ent_get_first_value_strdup(ent, LU_USERPASSWORD);
		if (current != NULL && *current == '!')
			/* Just note this, do not abort, do not change exit
			 * code; if someone wants to use -d at all, let's not
			 * break their scripts. */
			fprintf(stderr, "%s: %s\n", progname,
				_("Note: deleting a password also unlocks the "
				  "password."));
		if (lu_user_removepass(libuser, ent, &error)) {
			retval = 0;
		}
	}
	lu_ent_free(ent);
	CHECK_ERROR(error);
	if (started) {
		shutdown_libuser();
	}
	return retval;
}

static long long
ent_value_int64(struct lu_ent *ent, const char *attribute)
{
	GValueArray *values;
	GValue *value;
        value = NULL;
        values = lu_ent_get(ent, attribute);
        if (values) {
		value = g_value_array_get_nth(values, 0);
	}
	if (value) {
		if (G_VALUE_HOLDS_STRING(value)) {
			return strtoll(g_value_get_string(value), NULL, 10);
		}
	        else if (G_VALUE_HOLDS_LONG(value)) {
	                return g_value_get_long(value);
	        }
	        else if (G_VALUE_HOLDS_INT64(value)) {
	                return (long long)g_value_get_int64(value);
		}
        }
        return -1;
}

int
pwdb_display_status(const char *username)
{
	int retval = 1;
	struct lu_ent *ent;
	struct lu_error *error = NULL;
	char *current;
	char *realname;
	const char *msg;
	int shadow = 1;
	time_t sp_lstchg = 0;
	long long sp_min = 0;
	long long sp_max = 0;
	long long sp_warn = 0;
	long long sp_inact= 0;
	char date[80];
	const char *status;
	struct tm tm;

	startup_libuser(username);

	ent = lu_ent_new();
	if (lu_user_lookup_name(libuser, username, ent, &error)) {
		realname = lu_ent_get_first_value_strdup(ent, LU_USERNAME);
		if (realname == NULL) {
			fprintf(stderr, "%s: %s\n", progname,
				_("Corrupted passwd entry."));
			goto bail;
		}
		current = lu_ent_get_first_value_strdup(ent, LU_SHADOWPASSWORD);
		if (current == NULL) {
			shadow = 0;
			current = lu_ent_get_first_value_strdup(ent, LU_USERPASSWORD);
		} else {
			sp_lstchg = (time_t) ent_value_int64(ent, LU_SHADOWLASTCHANGE);
			sp_min = ent_value_int64(ent, LU_SHADOWMIN);
			sp_max = ent_value_int64(ent, LU_SHADOWMAX);
			sp_warn = ent_value_int64(ent, LU_SHADOWWARNING);
			sp_inact = ent_value_int64(ent, LU_SHADOWINACTIVE);
		}
		if (current) {
			status = "PS";
			if (strlen(current) == 0) {
				msg = _("Empty password.");
				status = "NP";
			} else if (current[0] == '!') {
				msg = _("Password locked.");
				status = "LK";
			} else if (current[0] == '$') {
				if (strncmp(current, "$1$", 3) == 0) {
					msg = _("Password set, MD5 crypt.");
				} else if (strncmp(current, "$2a$", 4) ==
					   0) {
					msg = _("Password set, blowfish crypt.");
				} else if (strncmp(current, "$5$", 3) ==
					   0) {
					msg = _("Password set, SHA256 crypt.");
				} else if (strncmp(current, "$6$", 3) ==
					   0) {
					msg = _("Password set, SHA512 crypt.");
				} else {
					msg = _("Password set, unknown crypt variant.");
				}
			} else if (strlen(current) < 11) {
				msg = _("Alternate authentication scheme in use.");
				if (current[0] == '*' || current[0] == 'x') {
					status = "LK";
				}
			} else {
				msg = _("Password set, DES crypt.");
			}
			if (shadow) {
				sp_lstchg = sp_lstchg * 24L * 3600L;
				localtime_r(&sp_lstchg, &tm);
				strftime(date, sizeof(date), "%Y-%m-%d", &tm);
				printf("%s %s %s %lld %lld %lld %lld (%s)\n", realname, status,
					date, sp_min, sp_max, sp_warn, sp_inact, msg);
			} else {
				printf("%s %s (%s)\n", realname, status, msg);
			}
			g_free(current);
		} else {
			printf(_("No password set.\n"));
		}
		g_free(realname);
		retval = 0;
	} else {
		printf(_("Unknown user.\n"));
		retval = 2;
	}
bail:
	CHECK_ERROR(error);

	shutdown_libuser();
	return retval;
}

int
pwdb_update_gecos(const char *username, const char *gecos)
{
	int retval = 1;
	struct lu_ent *ent;
	struct lu_error *error = NULL;

	startup_libuser(username);

	ent = lu_ent_new();
	if (lu_user_lookup_name(libuser, username, ent, &error)) {
		lu_ent_set_string(ent, LU_GECOS, gecos);

		if (lu_user_modify(libuser, ent, &error)) {
			retval = 0;
		}
	}

	CHECK_ERROR(error);

	shutdown_libuser();
	return retval;
}

int
pwdb_update_shell(const char *username, const char *shell)
{
	int retval = 1;
	struct lu_ent *ent;
	struct lu_error *error = NULL;

	startup_libuser(username);

	ent = lu_ent_new();
	if (lu_user_lookup_name(libuser, username, ent, &error)) {
		lu_ent_set_string(ent, LU_LOGINSHELL, shell);

		if (lu_user_modify(libuser, ent, &error)) {
			retval = 0;
		}
	}

	CHECK_ERROR(error);

	shutdown_libuser();
	return retval;
}


int
pwdb_update_aging(const char *username,
		  long min, long max, long warn, long inact, long lastchg)
{
	int retval = 1;
	struct lu_ent *ent;
	struct lu_error *error = NULL;

	startup_libuser(username);

	ent = lu_ent_new();
	if (lu_user_lookup_name(libuser, username, ent, &error)) {
		if (!lu_ent_get(ent, LU_SHADOWMIN) &&
		    !lu_ent_get(ent, LU_SHADOWMAX) &&
		    !lu_ent_get(ent, LU_SHADOWWARNING) &&
		    !lu_ent_get(ent, LU_SHADOWINACTIVE)) {
			fprintf(stderr, _("%s: user account has no support "
					  "for password aging.\n"), progname);
			shutdown_libuser();
			return retval;
		}

		if (min != -2)
			lu_ent_set_long(ent, LU_SHADOWMIN, min);
		if (max != -2)
			lu_ent_set_long(ent, LU_SHADOWMAX, max);
		if (warn != -2)
			lu_ent_set_long(ent, LU_SHADOWWARNING, warn);
		if (inact != -2)
			lu_ent_set_long(ent, LU_SHADOWINACTIVE, inact);
		if (lastchg != -2)
			lu_ent_set_long(ent, LU_SHADOWLASTCHANGE, lastchg);

		if (lu_user_modify(libuser, ent, &error)) {
			retval = 0;
		}
	}

	CHECK_ERROR(error);

	shutdown_libuser();
	return retval;
}

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation