2 * Copyright (c) 1990, 1993, 1994
3 * The Regents of the University of California. All rights reserved.
4 * Copyright (c) 2002 Networks Associates Technology, Inc.
7 * Portions of this software were developed for the FreeBSD Project by
8 * ThinkSec AS and NAI Labs, the Security Research Division of Network
9 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
10 * ("CBOSS"), as part of the DARPA CHATS research program.
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 * 3. All advertising materials mentioning features or use of this software
21 * must display the following acknowledgement:
22 * This product includes software developed by the University of
23 * California, Berkeley and its contributors.
24 * 4. Neither the name of the University nor the names of its contributors
25 * may be used to endorse or promote products derived from this software
26 * without specific prior written permission.
28 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
29 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
30 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
32 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
33 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 * $FreeBSD: src/lib/libutil/pw_util.c,v 1.35 2004/05/18 15:53:58 stefanf Exp $
41 * $DragonFly: src/lib/libutil/pw_util.c,v 1.1 2005/08/01 18:13:20 joerg Exp $
45 * This file is used by all the "password" programs; vipw(8), chpass(1),
49 #include <sys/param.h>
50 #include <sys/errno.h>
52 #include <sys/resource.h>
71 static pid_t editpid
= -1;
72 static int lockfd
= -1;
73 static char masterpasswd
[PATH_MAX
];
74 static char passwd_dir
[PATH_MAX
];
75 static char tempname
[PATH_MAX
];
76 static int initialized
;
89 * Initialize statics and set limits, signals & umask to try to avoid
90 * interruptions, crashes etc. that might expose passord data.
93 pw_init(const char *dir
, const char *master
)
100 strcpy(passwd_dir
, _PATH_ETC
);
102 if (strlen(dir
) >= sizeof(passwd_dir
)) {
103 errno
= ENAMETOOLONG
;
106 strcpy(passwd_dir
, dir
);
109 if (master
== NULL
) {
111 strcpy(masterpasswd
, _PATH_MASTERPASSWD
);
112 } else if (snprintf(masterpasswd
, sizeof(masterpasswd
), "%s/%s",
113 passwd_dir
, _MASTERPASSWD
) > (int)sizeof(masterpasswd
)) {
114 errno
= ENAMETOOLONG
;
118 if (strlen(master
) >= sizeof(masterpasswd
)) {
119 errno
= ENAMETOOLONG
;
122 strcpy(masterpasswd
, master
);
126 * The code that follows is extremely disruptive to the calling
127 * process, and is therefore disabled until someone can conceive
128 * of a realistic scenario where it would fend off a compromise.
129 * Race conditions concerning the temporary files can be guarded
130 * against in other ways than masking signals (by checking stat(2)
131 * results after creation).
134 /* Unlimited resource limits. */
135 rlim
.rlim_cur
= rlim
.rlim_max
= RLIM_INFINITY
;
136 (void)setrlimit(RLIMIT_CPU
, &rlim
);
137 (void)setrlimit(RLIMIT_FSIZE
, &rlim
);
138 (void)setrlimit(RLIMIT_STACK
, &rlim
);
139 (void)setrlimit(RLIMIT_DATA
, &rlim
);
140 (void)setrlimit(RLIMIT_RSS
, &rlim
);
142 /* Don't drop core (not really necessary, but GP's). */
143 rlim
.rlim_cur
= rlim
.rlim_max
= 0;
144 (void)setrlimit(RLIMIT_CORE
, &rlim
);
146 /* Turn off signals. */
147 (void)signal(SIGALRM
, SIG_IGN
);
148 (void)signal(SIGHUP
, SIG_IGN
);
149 (void)signal(SIGINT
, SIG_IGN
);
150 (void)signal(SIGPIPE
, SIG_IGN
);
151 (void)signal(SIGQUIT
, SIG_IGN
);
152 (void)signal(SIGTERM
, SIG_IGN
);
153 (void)signal(SIGCONT
, pw_cont
);
155 /* Create with exact permissions. */
163 * Lock the master password file.
169 if (*masterpasswd
== '\0')
173 * If the master password file doesn't exist, the system is hosed.
174 * Might as well try to build one. Set the close-on-exec bit so
175 * that users can't get at the encrypted passwords while editing.
176 * Open should allow flock'ing the file; see 4.4BSD. XXX
181 lockfd
= open(masterpasswd
, O_RDONLY
, 0);
182 if (lockfd
< 0 || fcntl(lockfd
, F_SETFD
, 1) == -1)
183 err(1, "%s", masterpasswd
);
184 /* XXX vulnerable to race conditions */
185 if (flock(lockfd
, LOCK_EX
|LOCK_NB
) == -1) {
186 if (errno
== EWOULDBLOCK
) {
187 errx(1, "the password db file is busy");
189 err(1, "could not lock the passwd file: ");
194 * If the password file was replaced while we were trying to
195 * get the lock, our hardlink count will be 0 and we have to
198 if (fstat(lockfd
, &st
) == -1)
199 err(1, "fstat() failed: ");
200 if (st
.st_nlink
!= 0)
209 * Create and open a presumably safe temp file for editing the password
210 * data, and copy the master password file into it.
220 if (*masterpasswd
== '\0')
222 if ((p
= strrchr(masterpasswd
, '/')))
226 if (snprintf(tempname
, sizeof(tempname
), "%.*spw.XXXXXX",
227 (int)(p
- masterpasswd
), masterpasswd
) >= (int)sizeof(tempname
)) {
228 errno
= ENAMETOOLONG
;
231 if ((tfd
= mkstemp(tempname
)) == -1)
234 while ((nr
= read(mfd
, buf
, sizeof(buf
))) > 0)
235 if (write(tfd
, buf
, (size_t)nr
) != nr
)
248 * Regenerate the password database.
251 pw_mkdb(const char *user
)
256 (void)fflush(stderr
);
257 switch ((pid
= fork())) {
263 execl(_PATH_PWD_MKDB
, "pwd_mkdb", "-p",
264 "-d", passwd_dir
, tempname
, (char *)NULL
);
266 execl(_PATH_PWD_MKDB
, "pwd_mkdb", "-p",
267 "-d", passwd_dir
, "-u", user
, tempname
,
275 if (waitpid(pid
, &pstat
, 0) == -1)
277 if (WIFEXITED(pstat
) && WEXITSTATUS(pstat
) == 0)
284 * Edit the temp file. Return -1 on error, >0 if the file was modified, 0
288 pw_edit(int notsetuid
)
290 struct sigaction sa
, sa_int
, sa_quit
;
291 sigset_t oldsigset
, sigset
;
292 struct stat st1
, st2
;
296 if ((editor
= getenv("EDITOR")) == NULL
)
298 if (stat(tempname
, &st1
) == -1)
300 sa
.sa_handler
= SIG_IGN
;
301 sigemptyset(&sa
.sa_mask
);
303 sigaction(SIGINT
, &sa
, &sa_int
);
304 sigaction(SIGQUIT
, &sa
, &sa_quit
);
305 sigemptyset(&sigset
);
306 sigaddset(&sigset
, SIGCHLD
);
307 sigprocmask(SIG_BLOCK
, &sigset
, &oldsigset
);
308 switch ((editpid
= fork())) {
312 sigaction(SIGINT
, &sa_int
, NULL
);
313 sigaction(SIGQUIT
, &sa_quit
, NULL
);
314 sigprocmask(SIG_SETMASK
, &oldsigset
, NULL
);
316 (void)setgid(getgid());
317 (void)setuid(getuid());
320 execlp(editor
, basename(editor
), tempname
, (char *)NULL
);
327 if (waitpid(editpid
, &pstat
, WUNTRACED
) == -1) {
333 } else if (WIFSTOPPED(pstat
)) {
334 raise(WSTOPSIG(pstat
));
335 } else if (WIFEXITED(pstat
) && WEXITSTATUS(pstat
) == 0) {
344 sigaction(SIGINT
, &sa_int
, NULL
);
345 sigaction(SIGQUIT
, &sa_quit
, NULL
);
346 sigprocmask(SIG_SETMASK
, &oldsigset
, NULL
);
347 if (stat(tempname
, &st2
) == -1)
349 return (st1
.st_mtime
!= st2
.st_mtime
);
353 * Clean up. Preserve errno for the caller's convenience.
365 kill(editpid
, SIGTERM
);
366 kill(editpid
, SIGCONT
);
367 waitpid(editpid
, &status
, 0);
370 if (*tempname
!= '\0') {
380 * Compares two struct pwds.
383 pw_equal(const struct passwd
*pw1
, const struct passwd
*pw2
)
385 return (strcmp(pw1
->pw_name
, pw2
->pw_name
) == 0 &&
386 pw1
->pw_uid
== pw2
->pw_uid
&&
387 pw1
->pw_gid
== pw2
->pw_gid
&&
388 strcmp(pw1
->pw_class
, pw2
->pw_class
) == 0 &&
389 pw1
->pw_change
== pw2
->pw_change
&&
390 pw1
->pw_expire
== pw2
->pw_expire
&&
391 strcmp(pw1
->pw_gecos
, pw2
->pw_gecos
) == 0 &&
392 strcmp(pw1
->pw_dir
, pw2
->pw_dir
) == 0 &&
393 strcmp(pw1
->pw_shell
, pw2
->pw_shell
) == 0);
397 * Make a passwd line out of a struct passwd.
400 pw_make(const struct passwd
*pw
)
404 asprintf(&line
, "%s:%s:%ju:%ju:%s:%ju:%ju:%s:%s:%s", pw
->pw_name
,
405 pw
->pw_passwd
, (uintmax_t)pw
->pw_uid
, (uintmax_t)pw
->pw_gid
,
406 pw
->pw_class
, (uintmax_t)pw
->pw_change
, (uintmax_t)pw
->pw_expire
,
407 pw
->pw_gecos
, pw
->pw_dir
, pw
->pw_shell
);
412 * Copy password file from one descriptor to another, replacing or adding
413 * a single record on the way.
416 pw_copy(int ffd
, int tfd
, const struct passwd
*pw
, struct passwd
*old_pw
)
418 char buf
[8192], *end
, *line
, *p
, *q
, *r
, t
;
423 if ((line
= pw_make(pw
)) == NULL
)
430 /* find the end of the current line */
431 for (p
= q
; q
< end
&& *q
!= '\0'; ++q
)
435 /* if we don't have a complete line, fill up the buffer */
439 if ((size_t)(q
- p
) >= sizeof(buf
)) {
440 warnx("passwd line too long");
441 errno
= EINVAL
; /* hack */
445 q
= memmove(buf
, p
, end
- p
);
450 readlen
= read(ffd
, end
, sizeof(buf
) - (end
- buf
));
454 len
= (size_t)readlen
;
455 if (len
== 0 && p
== buf
)
459 if (len
< (ssize_t
)sizeof(buf
)) {
461 if (len
> 0 && buf
[len
- 1] != '\n')
462 ++len
, *end
++ = '\n';
467 /* is it a blank line or a comment? */
468 for (r
= p
; r
< q
&& isspace(*r
); ++r
)
470 if (r
== q
|| *r
== '#') {
472 if (write(tfd
, p
, q
- p
+ 1) != q
- p
+ 1)
478 /* is it the one we're looking for? */
481 fpw
= pw_scan(r
, _PWSCAN_MASTER
);
483 if (strcmp(fpw
->pw_name
, pw
->pw_name
) != 0) {
486 if (write(tfd
, p
, q
- p
+ 1) != q
- p
+ 1)
491 if (old_pw
&& !pw_equal(fpw
, old_pw
)) {
492 warnx("entry inconsistent");
494 errno
= EINVAL
; /* hack */
499 /* it is, replace it */
501 if (write(tfd
, line
, len
) != (int)len
)
504 /* we're done, just copy the rest over */
506 if (write(tfd
, q
, end
- q
) != end
- q
)
509 readlen
= read(ffd
, buf
, sizeof(buf
));
513 len
= (size_t)readlen
;
521 /* if we got here, we have a new entry */
523 if ((size_t)write(tfd
, line
, len
) != len
||
524 write(tfd
, "\n", 1) != 1)
535 * Return the current value of tempname.
545 * Duplicate a struct passwd.
548 pw_dup(const struct passwd
*pw
)
554 (pw
->pw_name
? strlen(pw
->pw_name
) + 1 : 0) +
555 (pw
->pw_passwd
? strlen(pw
->pw_passwd
) + 1 : 0) +
556 (pw
->pw_class
? strlen(pw
->pw_class
) + 1 : 0) +
557 (pw
->pw_gecos
? strlen(pw
->pw_gecos
) + 1 : 0) +
558 (pw
->pw_dir
? strlen(pw
->pw_dir
) + 1 : 0) +
559 (pw
->pw_shell
? strlen(pw
->pw_shell
) + 1 : 0);
560 if ((npw
= malloc((size_t)len
)) == NULL
)
562 memcpy(npw
, pw
, sizeof(*npw
));
565 npw
->pw_name
= ((char *)npw
) + len
;
566 len
+= sprintf(npw
->pw_name
, "%s", pw
->pw_name
) + 1;
569 npw
->pw_passwd
= ((char *)npw
) + len
;
570 len
+= sprintf(npw
->pw_passwd
, "%s", pw
->pw_passwd
) + 1;
573 npw
->pw_class
= ((char *)npw
) + len
;
574 len
+= sprintf(npw
->pw_class
, "%s", pw
->pw_class
) + 1;
577 npw
->pw_gecos
= ((char *)npw
) + len
;
578 len
+= sprintf(npw
->pw_gecos
, "%s", pw
->pw_gecos
) + 1;
581 npw
->pw_dir
= ((char *)npw
) + len
;
582 len
+= sprintf(npw
->pw_dir
, "%s", pw
->pw_dir
) + 1;
585 npw
->pw_shell
= ((char *)npw
) + len
;
586 len
+= sprintf(npw
->pw_shell
, "%s", pw
->pw_shell
) + 1;
592 * Wrapper around an internal libc function
595 pw_scan(const char *line
, int flags
)
597 struct passwd pw
, *ret
;
600 if ((bp
= strdup(line
)) == NULL
)
602 if (!__pw_scan(bp
, &pw
, flags
)) {