/* * chfn - change a user's password file information * * This command controls the GECOS field information in the password * file entry. * * The valid options are * * -f full name * -r room number * -w work phone number * -h home phone number * -o other information (*) * * (*) requires root permission to execute. */ int main (int argc, char **argv) { char *cp; /* temporary character pointer */ const struct passwd *pw; /* password file entry */ struct passwd pwent; /* modified password file entry */ char old_gecos[BUFSIZ]; /* buffer for old GECOS fields */ char new_gecos[BUFSIZ]; /* buffer for new GECOS fields */ int flag; /* flag currently being processed */ int fflg = 0; /* -f - set full name */ int rflg = 0; /* -r - set room number */ int wflg = 0; /* -w - set work phone number */ int hflg = 0; /* -h - set home phone number */ int oflg = 0; /* -o - set other information */ char *user; #ifdef USE_PAM pam_handle_t *pamh = NULL; struct passwd *pampw; int retval; #endif sanitize_env (); setlocale (LC_ALL, ""); bindtextdomain (PACKAGE, LOCALEDIR); textdomain (PACKAGE); /* * This command behaves different for root and non-root * users. */ amroot = (getuid () == 0); /* * Get the program name. The program name is used as a * prefix to most error messages. */ Prog = Basename (argv[0]); OPENLOG ("chfn"); /* * The remaining arguments will be processed one by one and executed * by this command. The name is the last argument if it does not * begin with a "-", otherwise the name is determined from the * environment and must agree with the real UID. Also, the UID will * be checked for any commands which are restricted to root only. */ while ((flag = getopt (argc, argv, "f:r:w:h:o:")) != EOF) { switch (flag) { case 'f': if (!may_change_field ('f')) { fprintf (stderr, _("%s: Permission denied.\n"), Prog); exit (E_NOPERM); } fflg++; STRFCPY (fullnm, optarg); break; case 'h': if (!may_change_field ('h')) { fprintf (stderr, _("%s: Permission denied.\n"), Prog); exit (E_NOPERM); } hflg++; STRFCPY (homeph, optarg); break; case 'r': if (!may_change_field ('r')) { fprintf (stderr, _("%s: Permission denied.\n"), Prog); exit (E_NOPERM); } rflg++; STRFCPY (roomno, optarg); break; case 'o': if (!amroot) { fprintf (stderr, _("%s: Permission denied.\n"), Prog); exit (E_NOPERM); } oflg++; STRFCPY (slop, optarg); break; case 'w': if (!may_change_field ('w')) { fprintf (stderr, _("%s: Permission denied.\n"), Prog); exit (E_NOPERM); } wflg++; STRFCPY (workph, optarg); break; default: usage (); } } /* * Get the name of the user to check. It is either the command line * name, or the name getlogin() returns. */ if (optind < argc) { user = argv[optind]; pw = getpwnam (user); if (!pw) { fprintf (stderr, _("%s: unknown user %s\n"), Prog, user); exit (E_NOPERM); } } else { pw = get_my_pwent (); if (!pw) { fprintf (stderr, _ ("%s: Cannot determine your user name.\n"), Prog); exit (E_NOPERM); } user = xstrdup (pw->pw_name); } #ifdef USE_NIS /* * Now we make sure this is a LOCAL password entry for this user ... */ if (__ispwNIS ()) { char *nis_domain; char *nis_master; fprintf (stderr, _("%s: cannot change user `%s' on NIS client.\n"), Prog, user); if (!yp_get_default_domain (&nis_domain) && !yp_master (nis_domain, "passwd.byname", &nis_master)) { fprintf (stderr, _ ("%s: `%s' is the NIS master for this client.\n"), Prog, nis_master); } exit (E_NOPERM); } #endif /* * Non-privileged users are only allowed to change the gecos field * if the UID of the user matches the current real UID. */ if (!amroot && pw->pw_uid != getuid ()) { fprintf (stderr, _("%s: Permission denied.\n"), Prog); closelog (); exit (E_NOPERM); } #ifdef WITH_SELINUX /* * If the UID of the user does not match the current real UID, * check if the change is allowed by SELinux policy. */ if ((pw->pw_uid != getuid ()) && (selinux_check_passwd_access (PASSWD__CHFN) != 0)) { fprintf (stderr, _("%s: Permission denied.\n"), Prog); closelog (); exit (E_NOPERM); } #endif #ifndef USE_PAM /* * Non-privileged users are optionally authenticated (must enter the * password of the user whose information is being changed) before * any changes can be made. Idea from util-linux chfn/chsh. * --marekm */ if (!amroot && getdef_bool ("CHFN_AUTH")) passwd_check (pw->pw_name, pw->pw_passwd, "chfn"); #else /* !USE_PAM */ retval = PAM_SUCCESS; pampw = getpwuid (getuid ()); if (pampw == NULL) { retval = PAM_USER_UNKNOWN; } if (retval == PAM_SUCCESS) { retval = pam_start ("chfn", pampw->pw_name, &conv, &pamh); } if (retval == PAM_SUCCESS) { retval = pam_authenticate (pamh, 0); if (retval != PAM_SUCCESS) { pam_end (pamh, retval); } } if (retval == PAM_SUCCESS) { retval = pam_acct_mgmt (pamh, 0); if (retval != PAM_SUCCESS) { pam_end (pamh, retval); } } if (retval != PAM_SUCCESS) { fprintf (stderr, _("%s: PAM authentication failed\n"), Prog); exit (E_NOPERM); } #endif /* USE_PAM */ /* * Now get the full name. It is the first comma separated field in * the GECOS field. */ STRFCPY (old_gecos, pw->pw_gecos); cp = copy_field (old_gecos, fflg ? (char *) 0 : fullnm, slop); /* * Now get the room number. It is the next comma separated field, * if there is indeed one. */ if (cp) cp = copy_field (cp, rflg ? (char *) 0 : roomno, slop); /* * Now get the work phone number. It is the third field. */ if (cp) cp = copy_field (cp, wflg ? (char *) 0 : workph, slop); /* * Now get the home phone number. It is the fourth field. */ if (cp) cp = copy_field (cp, hflg ? (char *) 0 : homeph, slop); /* * Anything left over is "slop". */ if (cp && !oflg) { if (slop[0]) strcat (slop, ","); strcat (slop, cp); } /* * If none of the fields were changed from the command line, let the * user interactively change them. */ if (!fflg && !rflg && !wflg && !hflg && !oflg) { printf (_("Changing the user information for %s\n"), user); new_fields (); } /* * Check all of the fields for valid information */ if (valid_field (fullnm, ":,=")) { fprintf (stderr, _("%s: invalid name: \"%s\"\n"), Prog, fullnm); closelog (); exit (E_NOPERM); } if (valid_field (roomno, ":,=")) { fprintf (stderr, _("%s: invalid room number: \"%s\"\n"), Prog, roomno); closelog (); exit (E_NOPERM); } if (valid_field (workph, ":,=")) { fprintf (stderr, _("%s: invalid work phone: \"%s\"\n"), Prog, workph); closelog (); exit (E_NOPERM); } if (valid_field (homeph, ":,=")) { fprintf (stderr, _("%s: invalid home phone: \"%s\"\n"), Prog, homeph); closelog (); exit (E_NOPERM); } if (valid_field (slop, ":")) { fprintf (stderr, _("%s: \"%s\" contains illegal characters\n"), Prog, slop); closelog (); exit (E_NOPERM); } /* * Build the new GECOS field by plastering all the pieces together, * if they will fit ... */ if (strlen (fullnm) + strlen (roomno) + strlen (workph) + strlen (homeph) + strlen (slop) > (unsigned int) 80) { fprintf (stderr, _("%s: fields too long\n"), Prog); closelog (); exit (E_NOPERM); } snprintf (new_gecos, sizeof new_gecos, "%s,%s,%s,%s%s%s", fullnm, roomno, workph, homeph, slop[0] ? "," : "", slop); /* * Before going any further, raise the ulimit to prevent colliding * into a lowered ulimit, and set the real UID to root to protect * against unexpected signals. Any keyboard signals are set to be * ignored. */ if (setuid (0)) { fprintf (stderr, _("Cannot change ID to root.\n")); SYSLOG ((LOG_ERR, "can't setuid(0)")); closelog (); exit (E_NOPERM); } pwd_init (); /* * The passwd entry is now ready to be committed back to the * password file. Get a lock on the file and open it. */ if (!pw_lock ()) { fprintf (stderr, _ ("Cannot lock the password file; try again later.\n")); SYSLOG ((LOG_WARN, "can't lock /etc/passwd")); closelog (); exit (E_NOPERM); } if (!pw_open (O_RDWR)) { fprintf (stderr, _("Cannot open the password file.\n")); pw_unlock (); SYSLOG ((LOG_ERR, "can't open /etc/passwd")); closelog (); exit (E_NOPERM); } /* * Get the entry to update using pw_locate() - we want the real one * from /etc/passwd, not the one from getpwnam() which could contain * the shadow password if (despite the warnings) someone enables * AUTOSHADOW (or SHADOW_COMPAT in libc). --marekm */ pw = pw_locate (user); if (!pw) { pw_unlock (); fprintf (stderr, _("%s: %s not found in /etc/passwd\n"), Prog, user); exit (E_NOPERM); } /* * Make a copy of the entry, then change the gecos field. The other * fields remain unchanged. */ pwent = *pw; pwent.pw_gecos = new_gecos; /* * Update the passwd file entry. If there is a DBM file, update that * entry as well. */ if (!pw_update (&pwent)) { fprintf (stderr, _("Error updating the password entry.\n")); pw_unlock (); SYSLOG ((LOG_ERR, "error updating passwd entry")); closelog (); exit (E_NOPERM); } /* * Changes have all been made, so commit them and unlock the file. */ if (!pw_close ()) { fprintf (stderr, _("Cannot commit password file changes.\n")); pw_unlock (); SYSLOG ((LOG_ERR, "can't rewrite /etc/passwd")); closelog (); exit (E_NOPERM); } if (!pw_unlock ()) { fprintf (stderr, _("Cannot unlock the password file.\n")); SYSLOG ((LOG_ERR, "can't unlock /etc/passwd")); closelog (); exit (E_NOPERM); } SYSLOG ((LOG_INFO, "changed user `%s' information", user)); nscd_flush_cache ("passwd"); #ifdef USE_PAM if (retval == PAM_SUCCESS) pam_end (pamh, PAM_SUCCESS); #endif /* USE_PAM */ closelog (); exit (E_SUCCESS); }
/* * chfn - change a user's password file information * * This command controls the GECOS field information in the password * file entry. * * The valid options are * * -f full name * -r room number * -w work phone number * -h home phone number * -o other information (*) * * (*) requires root permission to execute. */ int main (int argc, char **argv) { const struct passwd *pw; /* password file entry */ char new_gecos[BUFSIZ]; /* buffer for new GECOS fields */ char *user; /* * Get the program name. The program name is used as a * prefix to most error messages. */ Prog = Basename (argv[0]); sanitize_env (); (void) setlocale (LC_ALL, ""); (void) bindtextdomain (PACKAGE, LOCALEDIR); (void) textdomain (PACKAGE); process_root_flag ("-R", argc, argv); /* * This command behaves different for root and non-root * users. */ amroot = (getuid () == 0); OPENLOG ("chfn"); /* parse the command line options */ process_flags (argc, argv); /* * Get the name of the user to check. It is either the command line * name, or the name getlogin() returns. */ if (optind < argc) { user = argv[optind]; pw = xgetpwnam (user); if (NULL == pw) { fprintf (stderr, _("%s: user '%s' does not exist\n"), Prog, user); fail_exit (E_NOPERM); } } else { pw = get_my_pwent (); if (NULL == pw) { fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); fail_exit (E_NOPERM); } user = xstrdup (pw->pw_name); } #ifdef USE_NIS /* * Now we make sure this is a LOCAL password entry for this user ... */ if (__ispwNIS ()) { char *nis_domain; char *nis_master; fprintf (stderr, _("%s: cannot change user '%s' on NIS client.\n"), Prog, user); if (!yp_get_default_domain (&nis_domain) && !yp_master (nis_domain, "passwd.byname", &nis_master)) { fprintf (stderr, _ ("%s: '%s' is the NIS master for this client.\n"), Prog, nis_master); } fail_exit (E_NOPERM); } #endif /* Check that the caller is allowed to change the gecos of the * specified user */ check_perms (pw); /* If some fields were not set on the command line, load the value from * the old gecos fields. */ get_old_fields (pw->pw_gecos); /* * If none of the fields were changed from the command line, let the * user interactively change them. */ if (!fflg && !rflg && !wflg && !hflg && !oflg) { printf (_("Changing the user information for %s\n"), user); new_fields (); } /* * Check all of the fields for valid information */ check_fields (); /* * Build the new GECOS field by plastering all the pieces together, * if they will fit ... */ if ((strlen (fullnm) + strlen (roomno) + strlen (workph) + strlen (homeph) + strlen (slop)) > (unsigned int) 80) { fprintf (stderr, _("%s: fields too long\n"), Prog); fail_exit (E_NOPERM); } snprintf (new_gecos, sizeof new_gecos, "%s,%s,%s,%s%s%s", fullnm, roomno, workph, homeph, ('\0' != slop[0]) ? "," : "", slop); /* Rewrite the user's gecos in the passwd file */ update_gecos (user, new_gecos); SYSLOG ((LOG_INFO, "changed user '%s' information", user)); nscd_flush_cache ("passwd"); closelog (); exit (E_SUCCESS); }
/* * gpasswd - administer the /etc/group file */ int main (int argc, char **argv) { struct group grent; #ifdef SHADOWGRP struct sgrp sgent; #endif struct passwd *pw = NULL; #ifdef WITH_AUDIT audit_help_open (); #endif sanitize_env (); (void) setlocale (LC_ALL, ""); (void) bindtextdomain (PACKAGE, LOCALEDIR); (void) textdomain (PACKAGE); /* * Make a note of whether or not this command was invoked by root. * This will be used to bypass certain checks later on. Also, set * the real user ID to match the effective user ID. This will * prevent the invoker from issuing signals which would interfere * with this command. */ bywho = getuid (); Prog = Basename (argv[0]); OPENLOG ("gpasswd"); setbuf (stdout, NULL); setbuf (stderr, NULL); #ifdef SHADOWGRP is_shadowgrp = sgr_file_present (); #endif /* * Determine the name of the user that invoked this command. This * is really hit or miss because there are so many ways that command * can be executed and so many ways to trip up the routines that * report the user name. */ pw = get_my_pwent (); if (NULL == pw) { fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); exit (E_NOPERM); } myname = xstrdup (pw->pw_name); /* * Register an exit function to warn for any inconsistency that we * could create. */ if (atexit (do_cleanups) != 0) { fprintf(stderr, "%s: cannot set exit function\n", Prog); exit (1); } /* Parse the options */ process_flags (argc, argv); /* * Replicate the group so it can be modified later on. */ #ifdef SHADOWGRP get_group (&grent, &sgent); #else get_group (&grent); #endif /* * Check if the user is allowed to change the password of this group. */ #ifdef SHADOWGRP check_perms (&grent, &sgent); #else check_perms (&grent); #endif /* * Removing a password is straight forward. Just set the password * field to a "". */ if (rflg) { grent.gr_passwd = ""; /* XXX warning: const */ #ifdef SHADOWGRP sgent.sg_passwd = ""; /* XXX warning: const */ #endif goto output; } else if (Rflg) { /* * Same thing for restricting the group. Set the password * field to "!". */ grent.gr_passwd = "!"; /* XXX warning: const */ #ifdef SHADOWGRP sgent.sg_passwd = "!"; /* XXX warning: const */ #endif goto output; } /* * Adding a member to a member list is pretty straightforward as * well. Call the appropriate routine and split. */ if (aflg) { printf (_("Adding user %s to group %s\n"), user, group); grent.gr_mem = add_list (grent.gr_mem, user); #ifdef SHADOWGRP if (is_shadowgrp) { sgent.sg_mem = add_list (sgent.sg_mem, user); } #endif goto output; } /* * Removing a member from the member list is the same deal as adding * one, except the routine is different. */ if (dflg) { bool removed = false; printf (_("Removing user %s from group %s\n"), user, group); if (is_on_list (grent.gr_mem, user)) { removed = true; grent.gr_mem = del_list (grent.gr_mem, user); } #ifdef SHADOWGRP if (is_shadowgrp) { if (is_on_list (sgent.sg_mem, user)) { removed = true; sgent.sg_mem = del_list (sgent.sg_mem, user); } } #endif if (!removed) { fprintf (stderr, _("%s: user '%s' is not a member of '%s'\n"), Prog, user, group); exit (E_BAD_ARG); } goto output; } #ifdef SHADOWGRP /* * Replacing the entire list of administrators is simple. Check the * list to make sure everyone is a real user. Then slap the new list * in place. */ if (Aflg) { sgent.sg_adm = comma_to_list (admins); if (!Mflg) { goto output; } } #endif /* SHADOWGRP */ /* * Replacing the entire list of members is simple. Check the list to * make sure everyone is a real user. Then slap the new list in * place. */ if (Mflg) { #ifdef SHADOWGRP sgent.sg_mem = comma_to_list (members); #endif grent.gr_mem = comma_to_list (members); goto output; } /* * If the password is being changed, the input and output must both * be a tty. The typical keyboard signals are caught so the termio * modes can be restored. */ if ((isatty (0) == 0) || (isatty (1) == 0)) { fprintf (stderr, _("%s: Not a tty\n"), Prog); exit (E_NOPERM); } catch_signals (0); /* save tty modes */ (void) signal (SIGHUP, catch_signals); (void) signal (SIGINT, catch_signals); (void) signal (SIGQUIT, catch_signals); (void) signal (SIGTERM, catch_signals); #ifdef SIGTSTP (void) signal (SIGTSTP, catch_signals); #endif /* Prompt for the new password */ #ifdef SHADOWGRP change_passwd (&grent, &sgent); #else change_passwd (&grent); #endif /* * This is the common arrival point to output the new group file. * The freshly crafted entry is in allocated space. The group file * will be locked and opened for writing. The new entry will be * output, etc. */ output: if (setuid (0) != 0) { fputs (_("Cannot change ID to root.\n"), stderr); SYSLOG ((LOG_ERR, "can't setuid(0)")); closelog (); exit (E_NOPERM); } pwd_init (); open_files (); #ifdef SHADOWGRP update_group (&grent, &sgent); #else update_group (&grent); #endif close_files (); nscd_flush_cache ("group"); exit (E_SUCCESS); }
int main(int argc, char **argv) { char *cp; /* temporary character pointer */ const struct passwd *pw; /* password file entry */ struct passwd pwent; /* modified password file entry */ char old_gecos[BUFSIZ]; /* buffer for old GECOS fields */ char new_gecos[BUFSIZ]; /* buffer for new GECOS fields */ int flag; /* flag currently being processed */ int fflg = 0; /* -f - set full name */ int rflg = 0; /* -r - set room number */ int wflg = 0; /* -w - set work phone number */ int hflg = 0; /* -h - set home phone number */ int oflg = 0; /* -o - set other information */ char *user; sanitize_env(); setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); /* * This command behaves different for root and non-root * users. */ amroot = (getuid () == 0); #ifdef NDBM pw_dbm_mode = O_RDWR; #endif /* * Get the program name. The program name is used as a * prefix to most error messages. It is also used as input * to the openlog() function for error logging. */ Prog = Basename(argv[0]); openlog("chfn", LOG_PID, LOG_AUTH); /* * The remaining arguments will be processed one by one and * executed by this command. The name is the last argument * if it does not begin with a "-", otherwise the name is * determined from the environment and must agree with the * real UID. Also, the UID will be checked for any commands * which are restricted to root only. */ while ((flag = getopt (argc, argv, "f:r:w:h:o:")) != EOF) { switch (flag) { case 'f': if (!may_change_field('f')) { fprintf(stderr, _("%s: Permission denied.\n"), Prog); exit(1); } fflg++; STRFCPY(fullnm, optarg); break; case 'r': if (!may_change_field('r')) { fprintf(stderr, _("%s: Permission denied.\n"), Prog); exit(1); } rflg++; STRFCPY(roomno, optarg); break; case 'w': if (!may_change_field('w')) { fprintf(stderr, _("%s: Permission denied.\n"), Prog); exit(1); } wflg++; STRFCPY(workph, optarg); break; case 'h': if (!may_change_field('h')) { fprintf(stderr, _("%s: Permission denied.\n"), Prog); exit(1); } hflg++; STRFCPY(homeph, optarg); break; case 'o': if (!amroot) { fprintf(stderr, _("%s: Permission denied.\n"), Prog); exit(1); } oflg++; STRFCPY(slop, optarg); break; default: usage(); } } /* * Get the name of the user to check. It is either * the command line name, or the name getlogin() * returns. */ if (optind < argc) { user = argv[optind]; pw = getpwnam(user); if (!pw) { fprintf(stderr, _("%s: Unknown user %s\n"), Prog, user); exit(1); } } else { pw = get_my_pwent(); if (!pw) { fprintf(stderr, _("%s: Cannot determine your user name.\n"), Prog); exit(1); } user = xstrdup(pw->pw_name); } #ifdef USE_NIS /* * Now we make sure this is a LOCAL password entry for * this user ... */ if (__ispwNIS ()) { char *nis_domain; char *nis_master; fprintf (stderr, _("%s: cannot change user `%s' on NIS client.\n"), Prog, user); if (! yp_get_default_domain (&nis_domain) && ! yp_master (nis_domain, "passwd.byname", &nis_master)) { fprintf (stderr, _("%s: `%s' is the NIS master for this client.\n"), Prog, nis_master); } exit (1); } #endif /* * Non-privileged users are only allowed to change the * gecos field if the UID of the user matches the current * real UID. */ if (!amroot && pw->pw_uid != getuid()) { fprintf (stderr, _("%s: Permission denied.\n"), Prog); closelog(); exit(1); } /* * Non-privileged users are optionally authenticated * (must enter the password of the user whose information * is being changed) before any changes can be made. * Idea from util-linux chfn/chsh. --marekm */ if (!amroot && getdef_bool("CHFN_AUTH")) passwd_check(pw->pw_name, pw->pw_passwd, "chfn"); /* * Now get the full name. It is the first comma separated field * in the GECOS field. */ STRFCPY(old_gecos, pw->pw_gecos); cp = copy_field (old_gecos, fflg ? (char *) 0:fullnm, slop); /* * Now get the room number. It is the next comma separated field, * if there is indeed one. */ if (cp) cp = copy_field (cp, rflg ? (char *) 0:roomno, slop); /* * Now get the work phone number. It is the third field. */ if (cp) cp = copy_field (cp, wflg ? (char *) 0:workph, slop); /* * Now get the home phone number. It is the fourth field. */ if (cp) cp = copy_field (cp, hflg ? (char *) 0:homeph, slop); /* * Anything left over is "slop". */ if (cp && !oflg) { if (slop[0]) strcat (slop, ","); strcat (slop, cp); } /* * If none of the fields were changed from the command line, * let the user interactively change them. */ if (!fflg && !rflg && !wflg && !hflg && !oflg) { printf(_("Changing the user information for %s\n"), user); new_fields(); } /* * Check all of the fields for valid information */ if (valid_field(fullnm, ":,=")) { fprintf(stderr, _("%s: invalid name: \"%s\"\n"), Prog, fullnm); closelog(); exit(1); } if (valid_field(roomno, ":,=")) { fprintf(stderr, _("%s: invalid room number: \"%s\"\n"), Prog, roomno); closelog(); exit(1); } if (valid_field(workph, ":,=")) { fprintf(stderr, _("%s: invalid work phone: \"%s\"\n"), Prog, workph); closelog(); exit(1); } if (valid_field (homeph, ":,=")) { fprintf(stderr, _("%s: invalid home phone: \"%s\"\n"), Prog, homeph); closelog(); exit(1); } if (valid_field(slop, ":")) { fprintf(stderr, _("%s: \"%s\" contains illegal characters\n"), Prog, slop); closelog(); exit(1); } /* * Build the new GECOS field by plastering all the pieces together, * if they will fit ... */ if (strlen(fullnm) + strlen(roomno) + strlen(workph) + strlen(homeph) + strlen(slop) > (unsigned int) 80) { fprintf(stderr, _("%s: fields too long\n"), Prog); closelog(); exit(1); } snprintf(new_gecos, sizeof new_gecos, "%s,%s,%s,%s%s%s", fullnm, roomno, workph, homeph, slop[0] ? "," : "", slop); /* * Before going any further, raise the ulimit to prevent * colliding into a lowered ulimit, and set the real UID * to root to protect against unexpected signals. Any * keyboard signals are set to be ignored. */ if (setuid(0)) { fprintf(stderr, _("Cannot change ID to root.\n")); SYSLOG((LOG_ERR, NOTROOT2)); closelog(); exit(1); } pwd_init(); /* * The passwd entry is now ready to be committed back to * the password file. Get a lock on the file and open it. */ if (!pw_lock()) { fprintf(stderr, _("Cannot lock the password file; try again later.\n")); SYSLOG((LOG_WARN, PWDBUSY2)); closelog(); exit(1); } if (!pw_open(O_RDWR)) { fprintf(stderr, _("Cannot open the password file.\n")); pw_unlock(); SYSLOG((LOG_ERR, OPNERROR2)); closelog(); exit(1); } /* * Get the entry to update using pw_locate() - we want the real * one from /etc/passwd, not the one from getpwnam() which could * contain the shadow password if (despite the warnings) someone * enables AUTOSHADOW (or SHADOW_COMPAT in libc). --marekm */ pw = pw_locate(user); if (!pw) { pw_unlock(); fprintf(stderr, _("%s: %s not found in /etc/passwd\n"), Prog, user); exit(1); } /* * Make a copy of the entry, then change the gecos field. The other * fields remain unchanged. */ pwent = *pw; pwent.pw_gecos = new_gecos; /* * Update the passwd file entry. If there is a DBM file, * update that entry as well. */ if (!pw_update(&pwent)) { fprintf(stderr, _("Error updating the password entry.\n")); pw_unlock(); SYSLOG((LOG_ERR, UPDERROR2)); closelog(); exit(1); } #ifdef NDBM if (pw_dbm_present() && !pw_dbm_update(&pwent)) { fprintf(stderr, _("Error updating the DBM password entry.\n")); pw_unlock (); SYSLOG((LOG_ERR, DBMERROR2)); closelog(); exit(1); } endpwent(); #endif /* * Changes have all been made, so commit them and unlock the * file. */ if (!pw_close()) { fprintf(stderr, _("Cannot commit password file changes.\n")); pw_unlock(); SYSLOG((LOG_ERR, CLSERROR2)); closelog(); exit(1); } if (!pw_unlock()) { fprintf(stderr, _("Cannot unlock the password file.\n")); SYSLOG((LOG_ERR, UNLKERROR2)); closelog(); exit(1); } SYSLOG((LOG_INFO, CHGGECOS, user)); closelog(); exit (0); }
/* * passwd - change a user's password file information * * This command controls the password file and commands which are used * to modify it. * * The valid options are * * -d delete the password for the named account (*) * -e expire the password for the named account (*) * -f execute chfn command to interpret flags * -g execute gpasswd command to interpret flags * -i # set sp_inact to # days (*) * -k change password only if expired * -l lock the password of the named account (*) * -n # set sp_min to # days (*) * -r # change password in # repository * -s execute chsh command to interpret flags * -S show password status of named account * -u unlock the password of the named account (*) * -w # set sp_warn to # days (*) * -x # set sp_max to # days (*) * * (*) requires root permission to execute. * * All of the time fields are entered in days and converted to the * appropriate internal format. For finer resolute the chage * command must be used. */ int main (int argc, char **argv) { const struct passwd *pw; /* Password file entry for user */ #ifndef USE_PAM char *cp; /* Miscellaneous character pointing */ const struct spwd *sp; /* Shadow file entry for user */ #endif /* !USE_PAM */ (void) setlocale (LC_ALL, ""); (void) bindtextdomain (PACKAGE, LOCALEDIR); (void) textdomain (PACKAGE); /* * The program behaves differently when executed by root than when * executed by a normal user. */ amroot = (getuid () == 0); /* * Get the program name. The program name is used as a prefix to * most error messages. */ Prog = Basename (argv[0]); sanitize_env (); OPENLOG ("passwd"); { /* * Parse the command line options. */ int option_index = 0; int c; static struct option long_options[] = { {"all", no_argument, NULL, 'a'}, {"delete", no_argument, NULL, 'd'}, {"expire", no_argument, NULL, 'e'}, {"help", no_argument, NULL, 'h'}, {"inactive", required_argument, NULL, 'i'}, {"keep-tokens", no_argument, NULL, 'k'}, {"lock", no_argument, NULL, 'l'}, {"mindays", required_argument, NULL, 'n'}, {"quiet", no_argument, NULL, 'q'}, {"root", required_argument, NULL, 'R'}, {"repository", required_argument, NULL, 'r'}, {"status", no_argument, NULL, 'S'}, {"unlock", no_argument, NULL, 'u'}, {"warndays", required_argument, NULL, 'w'}, {"maxdays", required_argument, NULL, 'x'}, {NULL, 0, NULL, '\0'} }; while ((c = getopt_long (argc, argv, "adei:kln:qR:r:Suw:x:", long_options, &option_index)) != -1) { switch (c) { case 'a': aflg = true; break; case 'd': dflg = true; anyflag = true; break; case 'e': eflg = true; anyflag = true; break; case 'i': if ( (getlong (optarg, &inact) == 0) || (inact < -1)) { fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), Prog, optarg); usage (E_BAD_ARG); } iflg = true; anyflag = true; break; case 'k': /* change only if expired, like Linux-PAM passwd -k. */ kflg = true; /* ok for users */ break; case 'l': lflg = true; anyflag = true; break; case 'n': if ( (getlong (optarg, &age_min) == 0) || (age_min < -1)) { fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), Prog, optarg); usage (E_BAD_ARG); } nflg = true; anyflag = true; break; case 'q': qflg = true; /* ok for users */ break; case 'R': if ('/' != optarg[0]) { fprintf (stderr, _("%s: invalid chroot path '%s'\n"), Prog, optarg); exit (E_BAD_ARG); } newroot = optarg; if (access (newroot, F_OK) != 0) { fprintf(stderr, _("%s: chroot directory %s does not exist\n"), Prog, newroot); exit (E_BAD_ARG); } if ( chroot(newroot) != 0 ) { fprintf(stderr, _("%s: unable to chroot to directory %s\n"), Prog, newroot); exit (E_BAD_ARG); } break; case 'r': /* -r repository (files|nis|nisplus) */ /* only "files" supported for now */ if (strcmp (optarg, "files") != 0) { fprintf (stderr, _("%s: repository %s not supported\n"), Prog, optarg); exit (E_BAD_ARG); } break; case 'S': Sflg = true; /* ok for users */ break; case 'u': uflg = true; anyflag = true; break; case 'w': if ( (getlong (optarg, &warn) == 0) || (warn < -1)) { fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), Prog, optarg); usage (E_BAD_ARG); } wflg = true; anyflag = true; break; case 'x': if ( (getlong (optarg, &age_max) == 0) || (age_max < -1)) { fprintf (stderr, _("%s: invalid numeric argument '%s'\n"), Prog, optarg); usage (E_BAD_ARG); } xflg = true; anyflag = true; break; default: usage (E_BAD_ARG); } } } /* * Now I have to get the user name. The name will be gotten from the * command line if possible. Otherwise it is figured out from the * environment. */ pw = get_my_pwent (); if (NULL == pw) { fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); exit (E_NOPERM); } myname = xstrdup (pw->pw_name); if (optind < argc) { name = argv[optind]; } else { name = myname; } /* * Make sure that at most one username was specified. */ if (argc > (optind+1)) { usage (E_USAGE); } /* * The -a flag requires -S, no other flags, no username, and * you must be root. --marekm */ if (aflg) { if (anyflag || !Sflg || (optind < argc)) { usage (E_USAGE); } if (!amroot) { fprintf (stderr, _("%s: Permission denied.\n"), Prog); exit (E_NOPERM); } setpwent (); while ( (pw = getpwent ()) != NULL ) { print_status (pw); } endpwent (); exit (E_SUCCESS); } #if 0 /* * Allow certain users (administrators) to change passwords of * certain users. Not implemented yet. --marekm */ if (may_change_passwd (myname, name)) amroot = 1; #endif /* * If any of the flags were given, a user name must be supplied on * the command line. Only an unadorned command line doesn't require * the user's name be given. Also, -x, -n, -w, -i, -e, -d, * -l, -u may appear with each other. -S, -k must appear alone. */ /* * -S now ok for normal users (check status of my own account), and * doesn't require username. --marekm */ if (anyflag && optind >= argc) { usage (E_USAGE); } if ( (Sflg && kflg) || (anyflag && (Sflg || kflg))) { usage (E_USAGE); } if (anyflag && !amroot) { fprintf (stderr, _("%s: Permission denied.\n"), Prog); exit (E_NOPERM); } pw = xgetpwnam (name); if (NULL == pw) { fprintf (stderr, _("%s: user '%s' does not exist\n"), Prog, name); exit (E_NOPERM); } #ifdef WITH_SELINUX /* only do this check when getuid()==0 because it's a pre-condition for changing a password without entering the old one */ if ((is_selinux_enabled() > 0) && (getuid() == 0) && (check_selinux_access (name, pw->pw_uid, PASSWD__PASSWD) != 0)) { security_context_t user_context = NULL; const char *user = "******"; if (getprevcon (&user_context) == 0) { user = user_context; } SYSLOG ((LOG_ALERT, "%s is not authorized to change the password of %s", user, name)); fprintf(stderr, _("%s: %s is not authorized to change the password of %s\n"), Prog, user, name); if (NULL != user_context) { freecon (user_context); } exit (E_NOPERM); } #endif /* WITH_SELINUX */ /* * If the UID of the user does not match the current real UID, * check if I'm root. */ if (!amroot && (pw->pw_uid != getuid ())) { fprintf (stderr, _("%s: You may not view or modify password information for %s.\n"), Prog, name); SYSLOG ((LOG_WARN, "%s: can't view or modify password information for %s", Prog, name)); closelog (); exit (E_NOPERM); } if (Sflg) { print_status (pw); exit (E_SUCCESS); } #ifndef USE_PAM /* * The user name is valid, so let's get the shadow file entry. */ sp = getspnam (name); /* !USE_PAM, no need for xgetspnam */ if (NULL == sp) { sp = pwd_to_spwd (pw); } cp = sp->sp_pwdp; /* * If there are no other flags, just change the password. */ if (!anyflag) { STRFCPY (crypt_passwd, cp); /* * See if the user is permitted to change the password. * Otherwise, go ahead and set a new password. */ check_password (pw, sp); /* * Let the user know whose password is being changed. */ if (!qflg) { printf (_("Changing password for %s\n"), name); } if (new_password (pw)) { fprintf (stderr, _("The password for %s is unchanged.\n"), name); closelog (); exit (E_NOPERM); } do_update_pwd = true; do_update_age = true; } #endif /* !USE_PAM */ /* * Before going any further, raise the ulimit to prevent colliding * into a lowered ulimit, and set the real UID to root to protect * against unexpected signals. Any keyboard signals are set to be * ignored. */ pwd_init (); #ifdef USE_PAM /* * Don't set the real UID for PAM... */ if (!anyflag) { do_pam_passwd (name, qflg, kflg); exit (E_SUCCESS); } #endif /* USE_PAM */ if (setuid (0) != 0) { fputs (_("Cannot change ID to root.\n"), stderr); SYSLOG ((LOG_ERR, "can't setuid(0)")); closelog (); exit (E_NOPERM); } if (spw_file_present ()) { update_shadow (); } else { update_noshadow (); } nscd_flush_cache ("passwd"); nscd_flush_cache ("group"); SYSLOG ((LOG_INFO, "password for '%s' changed by '%s'", name, myname)); closelog (); if (!qflg) { if (!anyflag) { #ifndef USE_PAM printf (_("%s: password changed.\n"), Prog); #endif /* USE_PAM */ } else { printf (_("%s: password expiry information changed.\n"), Prog); } } return E_SUCCESS; }
/* * expiry - check and enforce password expiration policy * * expiry checks (-c) the current password expiration and forces (-f) * changes when required. It is callable as a normal user command. */ int main (int argc, char **argv) { struct passwd *pwd; struct spwd *spwd; Prog = Basename (argv[0]); sanitize_env (); /* * Start by disabling all of the keyboard signals. */ (void) signal (SIGHUP, catch_signals); (void) signal (SIGINT, catch_signals); (void) signal (SIGQUIT, catch_signals); #ifdef SIGTSTP (void) signal (SIGTSTP, catch_signals); #endif /* * expiry takes one of two arguments. The default action is to give * the usage message. */ (void) setlocale (LC_ALL, ""); (void) bindtextdomain (PACKAGE, LOCALEDIR); (void) textdomain (PACKAGE); OPENLOG ("expiry"); process_flags (argc, argv); /* * Get user entries for /etc/passwd and /etc/shadow */ pwd = get_my_pwent (); if (NULL == pwd) { fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); exit (10); } spwd = getspnam (pwd->pw_name); /* !USE_PAM, No need for xgetspnam */ /* * If checking accounts, use agecheck() function. */ if (cflg) { /* * Print out number of days until expiration. */ agecheck (spwd); /* * Exit with status indicating state of account. */ exit (isexpired (pwd, spwd)); } /* * Otherwise, force a password change with the expire() function. * It will force the change or give a message indicating what to * do. * It won't return unless the account is unexpired. */ (void) expire (pwd, spwd); return E_SUCCESS; }
/* * newuidmap - Set the uid_map for the specified process */ int main(int argc, char **argv) { char proc_dir_name[32]; char *target_str; pid_t target, parent; int proc_dir_fd; int ranges; struct map_range *mappings; struct stat st; struct passwd *pw; int written; Prog = Basename (argv[0]); /* * The valid syntax are * newuidmap target_pid */ if (argc < 2) usage(); /* Find the process that needs its user namespace * uid mapping set. */ target_str = argv[1]; if (!get_pid(target_str, &target)) usage(); /* max string length is 6 + 10 + 1 + 1 = 18, allocate 32 bytes */ written = snprintf(proc_dir_name, sizeof(proc_dir_name), "/proc/%u/", target); if ((written <= 0) || (written >= sizeof(proc_dir_name))) { fprintf(stderr, "%s: snprintf of proc path failed: %s\n", Prog, strerror(errno)); } proc_dir_fd = open(proc_dir_name, O_DIRECTORY); if (proc_dir_fd < 0) { fprintf(stderr, _("%s: Could not open proc directory for target %u\n"), Prog, target); return EXIT_FAILURE; } /* Who am i? */ pw = get_my_pwent (); if (NULL == pw) { fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) getuid ())); return EXIT_FAILURE; } /* Get the effective uid and effective gid of the target process */ if (fstat(proc_dir_fd, &st) < 0) { fprintf(stderr, _("%s: Could not stat directory for target %u\n"), Prog, target); return EXIT_FAILURE; } /* Verify real user and real group matches the password entry * and the effective user and group of the program whose * mappings we have been asked to set. */ if ((getuid() != pw->pw_uid) || (getgid() != pw->pw_gid) || (pw->pw_uid != st.st_uid) || (pw->pw_gid != st.st_gid)) { fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ), Prog, target, (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid, (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid); return EXIT_FAILURE; } if (!sub_uid_open(O_RDONLY)) { return EXIT_FAILURE; } ranges = ((argc - 2) + 2) / 3; mappings = get_map_ranges(ranges, argc - 2, argv + 2); if (!mappings) usage(); verify_ranges(pw, ranges, mappings); write_mapping(proc_dir_fd, ranges, mappings, "uid_map"); sub_uid_close(); return EXIT_SUCCESS; }
/* * su - switch user id * * su changes the user's ids to the values for the specified user. if * no new user name is specified, "root" or UID 0 is used by default. * * Any additional arguments are passed to the user's shell. In * particular, the argument "-c" will cause the next argument to be * interpreted as a command by the common shell programs. */ int main (int argc, char **argv) { const char *cp; const char *tty = NULL; /* Name of tty SU is run from */ bool doshell = false; bool fakelogin = false; bool amroot = false; uid_t my_uid; struct passwd *pw = NULL; char **envp = environ; char *shellstr = NULL; char *command = NULL; #ifdef USE_PAM char **envcp; int ret; #else /* !USE_PAM */ int err = 0; RETSIGTYPE (*oldsig) (int); int is_console = 0; struct spwd *spwd = 0; #ifdef SU_ACCESS char *oldpass; #endif #endif /* !USE_PAM */ (void) setlocale (LC_ALL, ""); (void) bindtextdomain (PACKAGE, LOCALEDIR); (void) textdomain (PACKAGE); change_environment = true; /* * Get the program name. The program name is used as a prefix to * most error messages. */ Prog = Basename (argv[0]); OPENLOG ("su"); /* * Process the command line arguments. */ { /* * Parse the command line options. */ int option_index = 0; int c; static struct option long_options[] = { {"command", required_argument, NULL, 'c'}, {"help", no_argument, NULL, 'h'}, {"login", no_argument, NULL, 'l'}, {"preserve-environment", no_argument, NULL, 'p'}, {"shell", required_argument, NULL, 's'}, {NULL, 0, NULL, '\0'} }; while ((c = getopt_long (argc, argv, "c:hlmps:", long_options, &option_index)) != -1) { switch (c) { case 'c': command = optarg; break; case 'h': usage (E_SUCCESS); break; case 'l': fakelogin = true; break; case 'm': case 'p': /* This will only have an effect if the target * user do not have a restricted shell, or if * su is called by root. */ change_environment = false; break; case 's': shellstr = optarg; break; default: usage (E_USAGE); /* NOT REACHED */ } } if ((optind < argc) && (strcmp (argv[optind], "-") == 0)) { fakelogin = true; optind++; if ( (optind < argc) && (strcmp (argv[optind], "--") == 0)) { optind++; } } } initenv (); my_uid = getuid (); amroot = (my_uid == 0); /* * Get the tty name. Entries will be logged indicating that the user * tried to change to the named new user from the current terminal. */ tty = ttyname (0); if ((isatty (0) != 0) && (NULL != tty)) { #ifndef USE_PAM is_console = console (tty); #endif } else { /* * Be more paranoid, like su from SimplePAMApps. --marekm */ if (!amroot) { fprintf (stderr, _("%s: must be run from a terminal\n"), Prog); exit (1); } tty = "???"; } /* * The next argument must be either a user ID, or some flag to a * subshell. Pretty sticky since you can't have an argument which * doesn't start with a "-" unless you specify the new user name. * Any remaining arguments will be passed to the user's login shell. */ if ((optind < argc) && ('-' != argv[optind][0])) { STRFCPY (name, argv[optind++]); /* use this login id */ if ((optind < argc) && (strcmp (argv[optind], "--") == 0)) { optind++; } } if ('\0' == name[0]) { /* use default user */ struct passwd *root_pw = getpwnam ("root"); if ((NULL != root_pw) && (0 == root_pw->pw_uid)) { (void) strcpy (name, "root"); } else { root_pw = getpwuid (0); if (NULL == root_pw) { SYSLOG ((LOG_CRIT, "There is no UID 0 user.")); su_failure (tty); } (void) strcpy (name, root_pw->pw_name); } } doshell = (argc == optind); /* any arguments remaining? */ if (NULL != command) { doshell = false; } /* * Get the user's real name. The current UID is used to determine * who has executed su. That user ID must exist. */ pw = get_my_pwent (); if (NULL == pw) { fprintf (stderr, _("%s: Cannot determine your user name.\n"), Prog); SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)", (unsigned long) my_uid)); su_failure (tty); } STRFCPY (oldname, pw->pw_name); #ifndef USE_PAM #ifdef SU_ACCESS /* * Sort out the password of user calling su, in case needed later * -- chris */ spwd = getspnam (oldname); /* !USE_PAM, no need for xgetspnam */ if (NULL != spwd) { pw->pw_passwd = spwd->sp_pwdp; } oldpass = xstrdup (pw->pw_passwd); #endif /* SU_ACCESS */ #else /* USE_PAM */ ret = pam_start ("su", name, &conv, &pamh); if (PAM_SUCCESS != ret) { SYSLOG ((LOG_ERR, "pam_start: error %d", ret); fprintf (stderr, _("%s: pam_start: error %d\n"), Prog, ret)); exit (1); }