int
main(int argc, char *argv[])
{
struct passwd *pw = NULL, *opw = NULL, lpw;
int i, ch, pfd, tfd, dfd;
char *tz, *arg = NULL;
sigset_t fullset;
#ifdef YP
use_yp = _yp_check(NULL);
#endif
/* We need to use the system timezone for date conversions. */
if ((tz = getenv("TZ")) != NULL) {
unsetenv("TZ");
tzset();
setenv("TZ", tz, 1);
}
op = EDITENTRY;
while ((ch = getopt(argc, argv, "a:s:ly")) != -1)
switch(ch) {
case 'a':
op = LOADENTRY;
arg = optarg;
break;
case 's':
op = NEWSH;
arg = optarg;
break;
#ifdef YP
case 'l':
use_yp = 0;
break;
case 'y':
if (!use_yp) {
warnx("YP not in use.");
usage();
}
force_yp = 1;
break;
#endif
case '?':
default:
usage();
}
argc -= optind;
argv += optind;
#ifdef YP
if (op == LOADENTRY && use_yp)
errx(1, "cannot load using YP, use -l to load local.");
#endif
uid = getuid();
if (op == EDITENTRY || op == NEWSH)
switch(argc) {
case 0:
pw = getpwuid(uid);
#ifdef YP
if (pw && !force_yp)
use_yp = 0;
else if (use_yp)
pw = ypgetpwuid(uid);
#endif /* YP */
if (!pw)
errx(1, "unknown user: uid %u", uid);
break;
case 1:
pw = getpwnam(*argv);
#ifdef YP
if (pw && !force_yp)
use_yp = 0;
else if (use_yp)
pw = ypgetpwnam(*argv);
#endif /* YP */
if (!pw)
errx(1, "unknown user: %s", *argv);
if (uid && uid != pw->pw_uid)
baduser();
break;
default:
usage();
}
if (op == LOADENTRY) {
if (argc != 0)
errx(1, "option -a does not accept user argument");
if (uid)
baduser();
pw = &lpw;
if (!pw_scan(arg, pw, NULL))
exit(1);
opw = getpwnam(pw->pw_name);
}
if (opw == NULL && (opw = pw_dup(pw)) == NULL)
err(1, NULL);
/* Edit the user passwd information if requested. */
if (op == EDITENTRY) {
char tempname[] = _PATH_VARTMP "pw.XXXXXXXXXX";
int edit_status;
if ((pw = pw_dup(pw)) == NULL)
pw_error(NULL, 1, 1);
dfd = mkstemp(tempname);
if (dfd == -1 || fcntl(dfd, F_SETFD, 1) == -1)
pw_error(tempname, 1, 1);
display(tempname, dfd, pw);
edit_status = edit(tempname, pw);
close(dfd);
unlink(tempname);
switch (edit_status) {
case EDIT_OK:
break;
case EDIT_NOCHANGE:
pw_error(NULL, 0, 0);
break;
case EDIT_ERROR:
default:
pw_error(tempname, 1, 1);
break;
}
}
if (op == NEWSH) {
/* protect p_shell -- it thinks NULL is /bin/sh */
if (!arg[0])
usage();
if (p_shell(arg, pw, NULL))
pw_error(NULL, 0, 1);
}
/* Drop user's real uid and block all signals to avoid a DoS. */
setuid(0);
sigfillset(&fullset);
sigdelset(&fullset, SIGINT);
sigprocmask(SIG_BLOCK, &fullset, NULL);
/* Get the passwd lock file and open the passwd file for reading. */
pw_init();
for (i = 1; (tfd = pw_lock(0)) == -1; i++) {
if (i == 4)
(void)fputs("Attempting to lock password file, "
"please wait or press ^C to abort", stderr);
(void)signal(SIGINT, kbintr);
if (i % 16 == 0)
fputc('.', stderr);
usleep(250000);
(void)signal(SIGINT, SIG_IGN);
}
if (i >= 4)
fputc('\n', stderr);
pfd = open(_PATH_MASTERPASSWD, O_RDONLY, 0);
if (pfd == -1 || fcntl(pfd, F_SETFD, 1) == -1)
pw_error(_PATH_MASTERPASSWD, 1, 1);
#ifdef YP
if (use_yp) {
if (pw_yp(pw, uid))
pw_error(NULL, 0, 1);
else {
pw_abort();
exit(0);
}
} else
#endif /* YP */
{
/* Copy the passwd file to the lock file, updating pw. */
pw_copy(pfd, tfd, pw, opw);
/* If username changed we need to rebuild the entire db. */
arg = !strcmp(opw->pw_name, pw->pw_name) ? pw->pw_name : NULL;
/* Now finish the passwd file update. */
if (pw_mkdb(arg, 0) == -1)
pw_error(NULL, 0, 1);
}
exit(0);
}
void
yp_chpass(char *username)
{
char *master;
int r, rpcport, status;
struct yppasswd yppasswd;
struct passwd *pw;
struct timeval tv;
CLIENT *client;
extern char *domain;
(void)signal(SIGINT, kbintr);
(void)signal(SIGQUIT, kbintr);
if ((r = yp_get_default_domain(&domain)) != 0) {
warnx("can't get local YP domain. Reason: %s", yperr_string(r));
exit(1);
}
/*
* Find the host for the passwd map; it should be running
* the daemon.
*/
if ((r = yp_master(domain, "passwd.byname", &master)) != 0) {
warnx("can't find the master YP server. Reason: %s",
yperr_string(r));
exit(1);
}
/* Ask the portmapper for the port of the daemon. */
if ((rpcport = getrpcport(master, YPPASSWDPROG,
YPPASSWDPROC_UPDATE, IPPROTO_UDP)) == 0) {
warnx("master YP server not running yppasswd daemon.");
warnx("Can't change password.");
exit(1);
}
if (rpcport >= IPPORT_RESERVED) {
warnx("yppasswd daemon is on an invalid port.");
exit(1);
}
/* If user doesn't exist, just prompt for old password and exit. */
pw = ypgetpwnam(username);
if (pw) {
if (pw->pw_uid == 0) {
syslog(LOG_ERR, "attempted root password change");
pw = NULL;
} else if (*pw->pw_passwd == '\0') {
syslog(LOG_ERR, "%s attempting to add password",
username);
pw = NULL;
}
}
if (pw == NULL) {
char *p, salt[_PASSWORD_LEN + 1];
login_cap_t *lc;
/* no such user, get appropriate salt to thwart timing attack */
if ((p = getpass("Old password:"******"xx", sizeof(salt));
crypt(p, salt);
memset(p, 0, strlen(p));
}
warnx("YP passwd database unchanged.");
exit(1);
}
/* prompt for new password */
yppasswd.newpw.pw_passwd = ypgetnewpasswd(pw, &yppasswd.oldpass);
/* tell rpc.yppasswdd */
yppasswd.newpw.pw_name = pw->pw_name;
yppasswd.newpw.pw_uid = pw->pw_uid;
yppasswd.newpw.pw_gid = pw->pw_gid;
yppasswd.newpw.pw_gecos = pw->pw_gecos;
yppasswd.newpw.pw_dir = pw->pw_dir;
yppasswd.newpw.pw_shell = pw->pw_shell;
client = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp");
if (client == NULL) {
warnx("cannot contact yppasswdd on %s: Reason: %s",
master, yperr_string(YPERR_YPBIND));
free(yppasswd.newpw.pw_passwd);
exit(1);
}
client->cl_auth = authunix_create_default();
tv.tv_sec = 2;
tv.tv_usec = 0;
r = clnt_call(client, YPPASSWDPROC_UPDATE,
xdr_yppasswd, &yppasswd, xdr_int, &status, tv);
if (r)
warnx("rpc to yppasswdd failed.");
else if (status) {
printf("Couldn't change YP password.\n");
free(yppasswd.newpw.pw_passwd);
exit(1);
}
printf("The YP password has been changed on %s, the master YP passwd server.\n",
master);
free(yppasswd.newpw.pw_passwd);
(void)writev(BACK_CHANNEL, iov, 2);
exit(0);
}
int
yp_passwd(char *username)
{
struct yppasswd yppwd;
int r, rpcport, status, secure=0;
struct passwd *pw;
struct timeval tv;
login_cap_t *lc;
CLIENT *client;
char *master;
uid_t uid;
/*
* Get local domain
*/
if ((r = yp_get_default_domain(&domain)) != 0) {
warnx("can't get local YP domain. Reason: %s",
yperr_string(r));
return (1);
}
/*
* Find the host for the passwd map; it should be running
* the daemon.
*/
if ((r = yp_master(domain, "master.passwd.byname", &master)) == 0) {
secure=1;
} else if ((r = yp_master(domain, "passwd.byname", &master)) != 0) {
warnx("can't find the master YP server. Reason: %s",
yperr_string(r));
return (1);
}
/*
* Ask the portmapper for the port of the daemon.
*/
if ((rpcport = getrpcport(master, YPPASSWDPROG,
YPPASSWDPROC_UPDATE, IPPROTO_UDP)) == 0) {
warnx("master YP server not running yppasswd daemon.");
warnx("Can't change password.");
return (1);
}
/*
* Be sure the port is privileged
*/
if (rpcport >= IPPORT_RESERVED) {
warnx("yppasswd daemon is on an invalid port.");
return (1);
}
/* Get user's login identity */
if (!(pw = ypgetpwnam(username, secure))) {
warnx("unknown user %s.", username);
return (1);
}
if ((lc = login_getclass(pw->pw_class)) == NULL) {
warnx("unable to get login class for user %s.", username);
return (1);
}
uid = getuid();
if (uid && uid != pw->pw_uid) {
warnx("you may only change your own password: %s",
strerror(EACCES));
return (1);
}
/* prompt for new password */
yppwd.newpw.pw_passwd = ypgetnewpasswd(pw, lc, &yppwd.oldpass);
/* tell rpc.yppasswdd */
yppwd.newpw.pw_name = pw->pw_name;
yppwd.newpw.pw_uid = pw->pw_uid;
yppwd.newpw.pw_gid = pw->pw_gid;
yppwd.newpw.pw_gecos = pw->pw_gecos;
yppwd.newpw.pw_dir = pw->pw_dir;
yppwd.newpw.pw_shell = pw->pw_shell;
client = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp");
if (client==NULL) {
warnx("cannot contact yppasswdd on %s: Reason: %s",
master, yperr_string(YPERR_YPBIND));
free(yppwd.newpw.pw_passwd);
return (YPERR_YPBIND);
}
client->cl_auth = authunix_create_default();
tv.tv_sec = 2;
tv.tv_usec = 0;
r = clnt_call(client, YPPASSWDPROC_UPDATE,
xdr_yppasswd, &yppwd, xdr_int, &status, tv);
if (r) {
printf("rpc to yppasswdd failed.\n");
free(yppwd.newpw.pw_passwd);
return (1);
} else if (status) {
printf("Couldn't change YP password.\n");
free(yppwd.newpw.pw_passwd);
return (1);
} else {
printf("The YP password has been changed on %s, "
"the master YP passwd server.\n", master);
free(yppwd.newpw.pw_passwd);
return (0);
}
}
void
pwyp_process(const char *username, int argc, char **argv)
{
char *master;
int ch, r, rpcport, status;
enum clnt_stat yr;
struct yppasswd ypp;
struct passwd pwb, pwb2, *pw;
char pwbuf[1024];
struct timeval tv;
CLIENT *client;
while ((ch = getopt(argc, argv, "y")) != -1) {
switch (ch) {
case 'y':
/*
* Abosrb the -y that may have gotten us here.
*/
break;
default:
usage();
/* NOTREACHED */
}
}
argc -= optind;
argv += optind;
switch (argc) {
case 0:
/* username already provided */
break;
case 1:
username = argv[0];
break;
default:
usage();
/*NOTREACHED*/
}
if (_yp_check(NULL) == 0) {
/* can't use YP. */
errx(EXIT_FAILURE, "NIS not in use.");
}
uid = getuid();
/*
* Get local domain
*/
if ((r = yp_get_default_domain(&domain)) != 0)
errx(EXIT_FAILURE, "Can't get local NIS domain (%s)",
yperr_string(r));
/*
* Find the host for the passwd map; it should be running
* the daemon.
*/
if ((r = yp_master(domain, "passwd.byname", &master)) != 0)
errx(EXIT_FAILURE, "Can't find the master NIS server (%s)",
yperr_string(r));
/*
* Ask the portmapper for the port of the daemon.
*/
if ((rpcport = getrpcport(master, YPPASSWDPROG,
YPPASSWDPROC_UPDATE, IPPROTO_UDP)) == 0)
errx(EXIT_FAILURE, "Master NIS server not running yppasswd "
"daemon");
/*
* Be sure the port is privileged
*/
if (rpcport >= IPPORT_RESERVED)
errx(EXIT_FAILURE, "Yppasswd daemon is on an invalid port");
/* Bail out if this is a local (non-yp) user, */
/* then get user's login identity */
if (!ypgetpwnam(username, &pwb) ||
getpwnam_r(username, &pwb2, pwbuf, sizeof(pwbuf), &pw) ||
pw == NULL)
errx(EXIT_FAILURE, "NIS unknown user %s", username);
if (uid && uid != pwb.pw_uid) {
errno = EACCES;
err(EXIT_FAILURE, "You may only change your own password");
}
makeypp(&ypp, &pwb);
client = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp");
if (client == NULL)
errx(EXIT_FAILURE, "Cannot contact yppasswdd on %s (%s)",
master, yperr_string(YPERR_YPBIND));
client->cl_auth = authunix_create_default();
tv.tv_sec = 2;
tv.tv_usec = 0;
yr = clnt_call(client, YPPASSWDPROC_UPDATE,
xdr_yppasswd, &ypp, xdr_int, &status, tv);
if (yr != RPC_SUCCESS)
errx(EXIT_FAILURE, "RPC to yppasswdd failed (%s)",
clnt_sperrno(yr));
else if (status)
printf("Couldn't change NIS password.\n");
else
printf("The NIS password has been changed on %s, %s\n",
master, "the master NIS passwd server.");
}
