From owner-freebsd-hackers Tue Oct 7 19:58:25 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA12615 for hackers-outgoing; Tue, 7 Oct 1997 19:58:25 -0700 (PDT) (envelope-from owner-freebsd-hackers) Received: from CU-SeeMe.educ.utas.edu.au (cu-seeme.educ.utas.edu.au [144.6.16.20]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA12600 for ; Tue, 7 Oct 1997 19:58:12 -0700 (PDT) (envelope-from brook@CU-SeeMe.educ.utas.edu.au) Received: from localhost (brook@localhost) by CU-SeeMe.educ.utas.edu.au (8.8.5/8.8.5) with SMTP id NAA06023 for ; Wed, 8 Oct 1997 13:59:47 +1100 (EST) Date: Wed, 8 Oct 1997 13:59:46 +1100 (EST) From: Brook Schofield To: freebsd-hackers@freebsd.org Subject: Modification to the `pw' command Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-hackers@freebsd.org X-Loop: FreeBSD.org Precedence: bulk #This is a modification to the `pw' command that I have made to allow the #enabling, disabling and setting of an encrypted password on the command #line. Comments, bugs... security problems please! #Brook diff -c -r pw/README pw.new/README *** pw/README Tue Dec 10 01:05:35 1996 --- pw.new/README Sun Sep 28 17:40:45 1997 *************** *** 20,22 **** --- 20,23 ---- $Id: README,v 1.1.1.1 1996/12/09 14:05:35 joerg Exp $ + Modifications to the `pw' command by Brook Schofiled include the `-W' command which allows the command line enabling, disabling and changing of passwords (in encrypted form). 19970928 diff -c -r pw/pw.8 pw.new/pw.8 *** pw/pw.8 Thu Mar 6 16:34:43 1997 --- pw.new/pw.8 Sun Sep 28 17:33:43 1997 *************** *** 22,30 **** .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" ! .\" $Id: pw.8,v 1.1.1.1.2.3 1997/03/06 05:34:43 mpp Exp $ .\" ! .Dd December 9, 1996 .Dt PW 8 .Os .Sh NAME --- 22,30 ---- .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" ! 
.\" $Id: pw.8,v 1.1.1.1.2.3 1997/09/28 05:34:43 mpp Exp $ .\" ! .Dd September 28, 1997 .Dt PW 8 .Os .Sh NAME *************** *** 52,57 **** --- 52,58 ---- .Op Fl h Ar fd .Op Fl N .Op Fl P + .Op Fl W Ar enc_pass .Nm pw .Ar useradd .Op name|uid *************** *** 96,101 **** --- 97,103 ---- .Op Fl h Ar fd .Op Fl N .Op Fl P + .Op Fl W Ar enc_pass .Nm pw .Ar usershow .Op name|uid *************** *** 120,125 **** --- 122,128 ---- .Op Fl h Ar fd .Op Fl N .Op Fl P + .Op Fl W Ar enc_pass .Nm pw .Ar groupdel .Op Fl n Ar name *************** *** 137,142 **** --- 140,146 ---- .Op Fl h Ar fd .Op Fl N .Op Fl P + .Op Fl W Ar enc_pass .Nm pw .Ar groupshow .Op Fl n Ar name *************** *** 429,434 **** --- 433,462 ---- then the password will be set to .Ql \&* , rendering the account inaccessible via passworded login. + .It Fl W Ar enc_pass + The + .Ql Fl w + option sets or modifies the value of the password for the account. The + .Ar enc_pass + is one of: + .Pp + .Bl -tag -width enc_pass -offset indent -compact + .It \&- + disables the account by prepending an + .Ql \&* + to the password. + .It \&+ + enables the account by removing an + .Ql \&* + from the password. + .It enc_pass + changes password entry to supplied string. The string + .Ar enc_pass + must already be encrypted with the + .Ar crypt() + function for the password to operate correctly. + .El + .Pp .El .Pp It is possible to use *************** *** 787,793 **** .Xr pw.conf 5 , .Xr pwd_mkdb 8 , .Xr login.conf 5 , ! .Xr vipw 8 .Sh HISTORY .Nm pw was written to mimic many of the options used in the SYSV --- 815,822 ---- .Xr pw.conf 5 , .Xr pwd_mkdb 8 , .Xr login.conf 5 , ! .Xr vipw 8 , ! .Xr crypt 3 .Sh HISTORY .Nm pw was written to mimic many of the options used in the SYSV *************** *** 797,799 **** --- 826,833 ---- .Bx 4.4 operating system, and combines all of the major elements into a single command. 
+ .Nm pw + has been modified to allow the command line enabling, disabling and setting of + the password field using the + .Fl W + command. diff -c -r pw/pw.c pw.new/pw.c *** pw/pw.c Fri Feb 7 22:21:45 1997 --- pw.new/pw.c Sun Sep 28 17:51:26 1997 *************** *** 58,73 **** static const char *opts[W_NUM][M_NUM] = { { /* user */ ! "C:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:Db:NP", "C:qn:u:r", ! "C:qn:u:c:d:e:l:p:g:G:mk:s:w:L:h:FNP", "C:qn:u:FPa", "C:q" }, { /* grp */ ! "C:qn:g:h:M:pNP", "C:qn:g:", ! "C:qn:g:l:h:FM:m:NP", "C:qn:g:FPa", "C:q" } --- 58,73 ---- static const char *opts[W_NUM][M_NUM] = { { /* user */ ! "C:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:W:h:Db:NP", "C:qn:u:r", ! "C:qn:u:c:d:e:l:p:g:G:mk:s:w:W:L:h:FNP", "C:qn:u:FPa", "C:q" }, { /* grp */ ! "C:qn:g:h:W:M:pNP", "C:qn:g:", ! "C:qn:g:l:h:W:FM:m:NP", "C:qn:g:FPa", "C:q" } *************** *** 226,231 **** --- 226,232 ---- "\t-L class user class\n" "\t-h fd read password on fd\n" "\t-N no update\n" + "\t-W enc_pass modified or encrypted password\n" " Setting defaults:\n" "\t-D set user defaults\n" "\t-b dir default home root dir\n" *************** *** 262,267 **** --- 263,269 ---- "\t-w method set new password using method\n" "\t-h fd read password on fd\n" "\t-N no update\n", + "\t-W enc_pass modified or encrypted password\n" "usage: %s usershow [uid|name] [switches]\n" "\t-n name login name\n" "\t-u uid user id\n" diff -c -r pw/pw_user.c pw.new/pw_user.c *** pw/pw_user.c Fri Feb 7 22:21:46 1997 --- pw.new/pw_user.c Sun Sep 28 18:15:16 1997 *************** *** 427,433 **** fprintf(stderr, "WARNING: home `%s' is not a directory\n", pwd->pw_dir); } ! if ((arg = getarg(args, 'w')) != NULL && getarg(args, 'h') == NULL) pwd->pw_passwd = pw_password(cnf, args, pwd->pw_name); } else { --- 427,433 ---- fprintf(stderr, "WARNING: home `%s' is not a directory\n", pwd->pw_dir); } ! 
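Review bot: The first pw.c hunk (context `*** 58,73 ****`) adds `W:` to the groupadd and groupmod option strings, and the pw.8 hunks list `-W` under groupadd/groupmod as well, yet no hunk in this patch touches the group code, so `-W` on a group command would be parsed by getopt and then silently ignored. Either drop `W:` from the two group entries (`"C:qn:g:h:M:pNP"` and `"C:qn:g:l:h:FM:m:NP"` as they were) or implement and document the group behaviour; an option that is accepted but has no effect on a password field is the kind of gap operators misread as "done". The opts array starts and ends outside the hunk.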
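Review bot: In the second pw.c hunk (context `*** 262,267 ****`) the new `-W` usage line is inserted after the comma that terminates the usermod usage string, so the literal is concatenated onto the following `"usage: %s usershow ..."` string and the `-W` line will print at the top of the usershow help instead of at the end of usermod's. The comma has to move: change the context line to `"\t-N no update\n"` and write the new line as `"\t-W enc_pass modified or encrypted password\n",`. The wording also does not say what `-` and `+` do; `"\t-W enc_pass set encrypted password, or - / + to disable / enable\n"` would match the man page entry. The usage string array starts and ends outside the hunk.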
if (getarg(args,'W') != NULL && (arg = getarg(args, 'w')) != NULL && getarg(args, 'h') == NULL) pwd->pw_passwd = pw_password(cnf, args, pwd->pw_name); } else { *************** *** 457,462 **** --- 457,518 ---- /* * Shared add/edit code */ + if ((arg = getarg(args, 'W')) != NULL) { + /* All New Stuff Added by Brook! + * Modified by Brook Schofield 19970928A + * + * This new code suppliments the code for the -h & -w commands + * that the pw command uses to read from a file handle and generate + * a password. This code reads the password or options from the + * command line and either enables (+ option), disables (- option) + * or enters a password directly into the password database. + * This code if functionally equivalent to that of -h & -w and + * as expected without removing the security of the original `pw' code. + */ + + if (strcmp(arg->val, "-") == 0) { /* option `-W -' used */ + if (strncmp(pwd->pw_passwd, "*", 1) == 0) { /* test to see if account is disabled */ + if (mode == M_ADD) { /* option `adduser' used */ + pwd->pw_passwd = "*"; /* set password to `*' if -W specified during `adduser' */ + } else { + return EXIT_SUCCESS; /* return success as account is already disabled */ + } + } else { + strcpy(line,"*"); /* disable account by prepending an `*' */ + strcat(line,pwd->pw_passwd); /* to the start of the password entry */ + pwd->pw_passwd = line; /* store modified password */ + } + } else if (strcmp(arg->val, "+") == 0) { /* option `-W +' used */ + int i; + if (strncmp(pwd->pw_passwd, "*", 1) == 0) { /* test to see if accout is disabled */ + for(i = 1; pwd->pw_passwd[i] != '\0'; i++) { + line[i-1] = pwd->pw_passwd[i]; /* transfer all but first character to new passwd */ + } + line[i-1] = '\0'; /* terminate the password string */ + pwd->pw_passwd = line; /* store modified password */ + } else { + if (mode == M_ADD) { /* option `adduser' used */ + pwd->pw_passwd = "*"; /* set password to `*' if -W specified during `adduser' */ + } else { + return 
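Review bot: The `getarg(args,'W') != NULL &&` added to the changed condition looks inverted: with it, an invocation that gives `-w method` without `-W` no longer reaches `pw_password()`, so the pre-existing `-w` behaviour on this path breaks, while giving both flags generates a password that the later `-W` code simply overwrites. The intent is presumably to skip generation when `-W` supplies the hash, which is `if (getarg(args, 'W') == NULL && (arg = getarg(args, 'w')) != NULL && getarg(args, 'h') == NULL)`. The enclosing function starts and ends outside the hunk.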
EXIT_SUCCESS; /* return success as account is enabled */ + } + } + } else { + int i; /* if an encrypted password was specified on the command line */ + if (strchr(arg->val,':')) /* check to see if the password contains invalid characters */ + cmderr(EX_DATAERR, "password contains invalid character"); + /* EX_DATAERR password contains invalid character */ + + for(i = 0; arg->val[i] != '\0'; i++) { /* checks for the occurrance of non-printing characters including spaces */ + if (!isgraph(arg->val[i])) /* uses isgraph(c) from */ + cmderr(EX_DATAERR, "password contains non-printing character"); + } /* the password should only contain `0-9a-zA-Z$.' other characters are */ + /* allowed by wouldn't be useful and would make the account disabled */ + + pwd->pw_passwd = arg->val; /* enter specified password as the new encrypted password */ + } + } + if ((arg = getarg(args, 'c')) != NULL) pwd->pw_gecos = pw_checkname((u_char*)arg->val, 1);
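Review bot: The `-W +` branch can leave the entry with an empty password field: when the stored value is exactly `*` (the hunk's own `M_ADD` handling suggests that is what a fresh `useradd` carries, so `useradd -W +` reaches this path) the copy loop yields `""`, and the free-form branch accepts an empty `arg->val` because both of its checks are vacuous on zero characters, so both cases need an explicit rejection. The `strcpy`/`strcat` into `line` and the `+` copy loop are not bounded against the length of `pw_passwd`, which comes from the database, and `line` is declared outside the hunk so its size cannot be confirmed here; `snprintf(line, sizeof line, ...)` with a truncation check is needed. The two `return EXIT_SUCCESS` exits skip the remaining shared add/edit code, so `usermod -W - -c comment` on an already-disabled account silently drops `-c`; falling through keeps the other switches effective. `isgraph()` should be given `(unsigned char)arg->val[i]` since plain `char` may be signed, the pw.8 hunk documents the option as `.Ql Fl w` (wrong letter), and unlike `-h fd` a hash passed in argv is visible in the process list, which the manual entry should state. The rewrite below covers the three branches only; the header comment and the `-c` handling are unchanged, and the enclosing function starts and ends outside the hunk.

```c
	if ((arg = getarg(args, 'W')) != NULL) {
		/* … unchanged: header comment … */
		int n;

		if (strcmp(arg->val, "-") == 0) {	/* `-W -': disable */
			if (pwd->pw_passwd[0] != '*') {
				/* `line' is declared outside this hunk: bound the copy by its size */
				n = snprintf(line, sizeof line, "*%s", pwd->pw_passwd);
				if (n < 0 || (size_t)n >= sizeof line)
					cmderr(EX_DATAERR, "password too long");
				pwd->pw_passwd = line;
			}
			/* already disabled: fall through so the remaining switches still apply */
		} else if (strcmp(arg->val, "+") == 0) {	/* `-W +': enable */
			if (pwd->pw_passwd[0] == '*') {
				if (pwd->pw_passwd[1] == '\0')	/* bare `*': nothing to restore */
					cmderr(EX_DATAERR, "no password to enable; set one with -W, -w or -h");
				n = snprintf(line, sizeof line, "%s", pwd->pw_passwd + 1);
				if (n < 0 || (size_t)n >= sizeof line)
					cmderr(EX_DATAERR, "password too long");
				pwd->pw_passwd = line;
			}
			/* already enabled: fall through so the remaining switches still apply */
		} else {	/* `-W enc_pass': store the supplied hash */
			int i;
			if (arg->val[0] == '\0')
				cmderr(EX_DATAERR, "empty password not allowed");
			if (strchr(arg->val, ':') != NULL)
				cmderr(EX_DATAERR, "password contains invalid character");
			for (i = 0; arg->val[i] != '\0'; i++) {
				if (!isgraph((unsigned char)arg->val[i]))
					cmderr(EX_DATAERR, "password contains non-printing character");
			}
			pwd->pw_passwd = arg->val;
		}
	}
```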