static const char *
gethash(void)
{
const char *hash;
struct passwd *pw;
/* Check if the current user has a password entry */
errno = 0;
if (!(pw = getpwuid(getuid()))) {
if (errno)
die("slock: getpwuid: %s\n", strerror(errno));
else
die("slock: cannot retrieve password entry\n");
}
hash = pw->pw_passwd;
#if HAVE_SHADOW_H
if (!strcmp(hash, "x")) {
struct spwd *sp;
if (!(sp = getspnam(pw->pw_name)))
die("slock: getspnam: cannot retrieve shadow entry. "
"Make sure to suid or sgid slock.\n");
hash = sp->sp_pwdp;
}
#else
if (!strcmp(hash, "*")) {
#ifdef __OpenBSD__
if (!(pw = getpwuid_shadow(getuid())))
die("slock: getpwnam_shadow: cannot retrieve shadow entry. "
"Make sure to suid or sgid slock.\n");
hash = pw->pw_passwd;
#else
die("slock: getpwuid: cannot retrieve shadow entry. "
"Make sure to suid or sgid slock.\n");
#endif /* __OpenBSD__ */
}
#endif /* HAVE_SHADOW_H */
return hash;
}
int
main(int argc, char *argv[])
{
struct passwd *pw = NULL, *opw = NULL, lpw;
int i, ch, pfd, tfd, dfd;
char *tz, *arg = NULL;
sigset_t fullset;
/* We need to use the system timezone for date conversions. */
if ((tz = getenv("TZ")) != NULL) {
unsetenv("TZ");
tzset();
setenv("TZ", tz, 1);
}
op = EDITENTRY;
while ((ch = getopt(argc, argv, "a:s:")) != -1)
switch(ch) {
case 'a':
op = LOADENTRY;
arg = optarg;
break;
case 's':
op = NEWSH;
arg = optarg;
break;
case '?':
default:
usage();
}
argc -= optind;
argv += optind;
uid = getuid();
if (op == EDITENTRY || op == NEWSH)
switch(argc) {
case 0:
pw = getpwuid_shadow(uid);
if (!pw)
errx(1, "unknown user: uid %u", uid);
break;
case 1:
pw = getpwnam_shadow(*argv);
if (!pw)
errx(1, "unknown user: %s", *argv);
if (uid && uid != pw->pw_uid)
baduser();
break;
default:
usage();
}
if (op == LOADENTRY) {
if (argc != 0)
errx(1, "option -a does not accept user argument");
if (uid)
baduser();
pw = &lpw;
if (!pw_scan(arg, pw, NULL))
exit(1);
opw = getpwnam_shadow(pw->pw_name);
}
if (opw == NULL && (opw = pw_dup(pw)) == NULL)
err(1, NULL);
/* Edit the user passwd information if requested. */
if (op == EDITENTRY) {
char tempname[] = _PATH_VARTMP "pw.XXXXXXXXXX";
int edit_status;
if ((pw = pw_dup(pw)) == NULL)
pw_error(NULL, 1, 1);
dfd = mkostemp(tempname, O_CLOEXEC);
if (dfd == -1)
pw_error(tempname, 1, 1);
display(tempname, dfd, pw);
if (pledge("stdio rpath wpath cpath id proc exec",
NULL) == -1)
err(1, "pledge");
edit_status = edit(tempname, pw);
close(dfd);
unlink(tempname);
switch (edit_status) {
case EDIT_OK:
break;
case EDIT_NOCHANGE:
pw_error(NULL, 0, 0);
break;
case EDIT_ERROR:
default:
pw_error(tempname, 1, 1);
break;
}
}
if (op == NEWSH) {
if (pledge("stdio rpath wpath cpath id proc exec",
NULL) == -1)
err(1, "pledge");
/* protect p_shell -- it thinks NULL is /bin/sh */
if (!arg[0])
usage();
if (p_shell(arg, pw, NULL))
pw_error(NULL, 0, 1);
}
/* Drop user's real uid and block all signals to avoid a DoS. */
setuid(0);
sigfillset(&fullset);
sigdelset(&fullset, SIGINT);
sigprocmask(SIG_BLOCK, &fullset, NULL);
if (pledge("stdio rpath wpath cpath proc exec", NULL) == -1)
err(1, "pledge");
/* Get the passwd lock file and open the passwd file for reading. */
pw_init();
for (i = 1; (tfd = pw_lock(0)) == -1; i++) {
if (i == 4)
(void)fputs("Attempting to lock password file, "
"please wait or press ^C to abort", stderr);
(void)signal(SIGINT, kbintr);
if (i % 16 == 0)
fputc('.', stderr);
usleep(250000);
(void)signal(SIGINT, SIG_IGN);
}
if (i >= 4)
fputc('\n', stderr);
pfd = open(_PATH_MASTERPASSWD, O_RDONLY|O_CLOEXEC, 0);
if (pfd == -1)
pw_error(_PATH_MASTERPASSWD, 1, 1);
/* Copy the passwd file to the lock file, updating pw. */
pw_copy(pfd, tfd, pw, opw);
/* If username changed we need to rebuild the entire db. */
arg = !strcmp(opw->pw_name, pw->pw_name) ? pw->pw_name : NULL;
/* Now finish the passwd file update. */
if (pw_mkdb(arg, 0) == -1)
pw_error(NULL, 0, 1);
exit(0);
}
