/*
* Read /etc/shadow.
*/
void
readshadow(void)
{
#ifdef SHADOW_PWD
struct login *lp;
struct spwd *sp;
size_t sz;
setspent();
while (sp = getspent()) {
if ((lp = findlogin(sp->sp_namp)) == NULL)
continue;
sz = strlen(sp->sp_pwdp);
lp->l_pwdp = salloc(sz + 1);
strcpy(lp->l_pwdp, sp->sp_pwdp);
lp->l_lstchg = sp->sp_lstchg;
lp->l_min = sp->sp_min;
lp->l_max = sp->sp_max;
lp->l_warn = sp->sp_warn;
lp->l_inact = sp->sp_inact;
lp->l_expire = sp->sp_expire;
lp->l_flag = sp->sp_flag;
}
endspent();
#endif /* SHADOW_PWD */
}
/*
result is a pointer to a spwd structure to store result in
buffer is the area where we are to dump our value
buflen is the length of buffer
*/
struct spwd *getspent_r(struct spwd *result, char *buffer, int buflen) {
struct spwd *lspwd = NULL;
struct request request;
struct dbase ldbase_shadow;
union id id;
int saved;
if (buflen <= 1) {
return NULL;
}
saved = errno;
memset(&ldbase_shadow, 0, sizeof ldbase_shadow);
ldbase_shadow.fname = SHADOW;
ldbase_shadow.parse = parse_shadow;
/* Need to make it so that is picks up the current fp */
if (!dbase_shadow.fp) {
setspent();
(void)dbase_chkfile(&dbase_shadow);
}
ldbase_shadow.fp = dbase_shadow.fp;
request.dbase = &ldbase_shadow;
request.buffer = buffer;
request.bufsize = buflen;
request.record = (union record *)result;
id.uid = -1;
dbase_lookup(&request, id, 0, (union record **)&lspwd);
errno = saved;
return((lspwd && lspwd->sp_namp) ? result : NULL);
}
static int
do_classic_auth (const char *username, const char *password)
{
int ret = 0;
const char *encr_pwd = NULL;
struct passwd *pw;
#ifdef HAVE_SHADOW
struct spwd *spw;
#endif
if ((pw = getpwnam (username)) == 0)
return 0;
#ifdef HAVE_SHADOW
setspent ();
/* Password expiration is not checked! */
if ((spw = getspnam (username)) == NULL)
encr_pwd = "*";
else
encr_pwd = spw->sp_pwdp;
endspent ();
#else
encr_pwd = pw->pw_passwd;
#endif
if (strcmp (crypt (password, encr_pwd), encr_pwd) == 0)
ret = 1;
endpwent ();
return ret;
}
int main(int argc, char *argv[]) {
off_t who_am_i = getuid();
struct spwd *sp, *sp2;
char *user = "******";
if (who_am_i != 0) {
fprintf(stderr, "Only root can read shadow password database baby!\n");
exit(EXIT_FAILURE);
}
if ((sp = getspnam("b3h3m0th")) == NULL) {
fprintf(stderr, "Err. %s reading gestpnam()\n", strerror(errno));
exit(EXIT_FAILURE);
}
printf(" user name: %s\n", sp->sp_namp);
printf("encrypted pass: %s\n", sp->sp_pwdp);
setspent();
while ((sp2 = getspent()) != NULL) {
if(strcmp(user, sp2->sp_namp) == 0) {
printf("User %s presente nel sistema\n", user);
break;
}
printf("Searching...\n");
}
endspent();
return(EXIT_SUCCESS);
}
uid_t SecurityManager::authenticate(char *userName, char *password) {
#ifdef __APPLE__
// lckpwdf etc. are not supported by MacOS.
return (uid_t)-1;
#else
if ((userName == NULL) || (password == NULL))
return (uid_t)-1;
uid_t result = (uid_t)-1;
lckpwdf();
setpwent();
setspent();
struct passwd *passwdEntry = getpwnam(userName);
struct spwd *shadowEntry = getspnam(userName);
if ((shadowEntry != NULL) && (passwdEntry != NULL)) {
char *plain = password;
char *encrypted = shadowEntry->sp_pwdp;
if (strcmp(crypt(plain, encrypted), encrypted) == 0)
result = passwdEntry->pw_uid;
}
endpwent();
endspent();
ulckpwdf();
return result;
#endif
} // end of authenticate(char*, char*)
void pw_entry (const char *name, struct passwd *pwent)
{
struct passwd *passwd;
struct spwd *spwd;
if (!(passwd = getpwnam (name))) {
pwent->pw_name = (char *) 0;
return;
} else {
pwent->pw_name = xstrdup (passwd->pw_name);
pwent->pw_uid = passwd->pw_uid;
pwent->pw_gid = passwd->pw_gid;
pwent->pw_gecos = xstrdup (passwd->pw_gecos);
pwent->pw_dir = xstrdup (passwd->pw_dir);
pwent->pw_shell = xstrdup (passwd->pw_shell);
#if !defined(AUTOSHADOW)
setspent ();
if ((spwd = getspnam (name))) {
pwent->pw_passwd = xstrdup (spwd->sp_pwdp);
endspent ();
return;
}
endspent ();
#endif
pwent->pw_passwd = xstrdup (passwd->pw_passwd);
}
}
struct spwd * mygetspnam(const char *name){
struct spwd *sp;
setspent();
while((sp=getspent()) != NULL)
if(strcmp(name, sp->sp_namp) == 0)
break;/*found a match*/
endspent();
return(sp);
}
int main(void)
{
struct spwd *spwd;
spwd = getspnam("qy");
printf("shadow password = %s\n", spwd->sp_pwdp);
setspent();
while ((spwd = getspent()) != NULL) {
printf("shadow password = %s\n", spwd->sp_pwdp);
}
endspent();
return 0;
}
int main(int argc,char* argv[]){
struct spwd* user;
setspent();
while((user=getspent())!=NULL){
printf("loginname:%s,password:%s\n",user->sp_namp,user->sp_pwdp);
}
endspent();
user=getspnam("linuxmin");
if(user!=NULL)
printf("loginname:%s,password:%s\n",user->sp_namp,user->sp_pwdp);
printf("......\n");
return 0;
}
int main(int argc, char * argv[])
{
struct spwd * sp;
if(argc < 2)
{
printf("Usage: %s username\n", argv[0]);
exit(-1);
}
setspent();
if((sp = getspnam(argv[1])) != NULL)
{
printf("%s, %s\n", sp->sp_namp, sp->sp_pwdp);
}
setspent();
while((sp = getspent()) != NULL)
{
printf("%s, %s\n", sp->sp_namp, sp->sp_pwdp);
}
endspent();
return 0;
}
/* getspnam - get a shadow entry by name */
struct spwd *getspnam(const char *name)
{
struct spwd *sp;
if (!name || !strlen(name))
return NULL;
setspent();
while ((sp = getspent()) != NULL) {
if (strcmp(name, sp->sp_namp) == 0)
break;
}
endspent();
return (sp);
}
int main(void)
{
struct spwd *ptr;
setspent();
while ((ptr = getspent()) != NULL)
{
printf("name= %s\tshaow passwd = %s\n", ptr->sp_namp, ptr->sp_pwdp);
}
endspent();
return 0;
}
/* getspuid - get a shadow entry by uid */
struct spwd *getspuid(uid_t uid)
{
struct spwd *sp;
struct passwd *mypw;
if ((mypw = getpwuid(getuid())) == NULL) {
return (NULL);
}
setspent();
while ((sp = getspent()) != NULL) {
if (strcmp(mypw->pw_name, sp->sp_namp) == 0)
break;
}
endspent();
return (sp);
}
// 读取/etc/shadow文件
// 执行时sudo, 才能读取到
void op_shadow()
{
struct spwd *sp;
char name[] = "root";
// 将指针移到开始位置
setspent();
// 获取第一条记录
while((sp = getspent()) != NULL)
{
//if (strcmp(name, sp->pw_name) == 0)
//{
// printf("pw_name:%s, pw_uid:%d, pw_shell:%s\n", ptr->pw_name, ptr->pw_uid, ptr->pw_shell);
// break;
//}
printf("sp_namp:%s, sp_pwdp:%s, sp_expire:%ld\n", sp->sp_namp, sp->sp_pwdp, sp->sp_expire);
}
// 结束读取
endspent();
}
static PyObject *
spwd_getspall(PyObject *self, PyObject *args)
{
PyObject *d;
struct spwd *p;
if ((d = PyList_New(0)) == NULL)
return NULL;
setspent();
while ((p = getspent()) != NULL) {
PyObject *v = mkspent(p);
if (v == NULL || PyList_Append(d, v) != 0) {
Py_XDECREF(v);
Py_DECREF(d);
endspent();
return NULL;
}
Py_DECREF(v);
}
endspent();
return d;
}
static PyObject *
spwd_getspall_impl(PyObject *module)
/*[clinic end generated code: output=4fda298d6bf6d057 input=b2c84b7857d622bd]*/
{
PyObject *d;
struct spwd *p;
if ((d = PyList_New(0)) == NULL)
return NULL;
setspent();
while ((p = getspent()) != NULL) {
PyObject *v = mkspent(p);
if (v == NULL || PyList_Append(d, v) != 0) {
Py_XDECREF(v);
Py_DECREF(d);
endspent();
return NULL;
}
Py_DECREF(v);
}
endspent();
return d;
}
gchar *
mdm_verify_user (MdmDisplay *d,
const char *username,
gboolean allow_retry)
{
gchar *login, *passwd, *ppasswd;
struct passwd *pwent;
struct spwd *sp;
#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS) \
|| defined (HAVE_LOGINRESTRICTIONS)
gchar *message = NULL;
#endif
#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS)
gchar *info_msg = NULL, *response = NULL;
gint reEnter, ret;
#endif
if (d->attached && d->timed_login_ok)
mdm_slave_greeter_ctl_no_ret (MDM_STARTTIMER, "");
if (username == NULL) {
authenticate_again:
/* Ask for the user's login */
mdm_verify_select_user (NULL);
mdm_slave_greeter_ctl_no_ret (MDM_MSG, _("Please enter your username"));
login = mdm_slave_greeter_ctl (MDM_PROMPT, _("Username:"******"");
g_free (login);
return NULL;
}
}
mdm_slave_greeter_ctl_no_ret (MDM_MSG, "");
if (mdm_daemon_config_get_value_bool (MDM_KEY_DISPLAY_LAST_LOGIN)) {
char *info = mdm_get_last_info (login);
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX, info);
g_free (info);
}
} else {
login = g_strdup (username);
}
mdm_slave_greeter_ctl_no_ret (MDM_SETLOGIN, login);
pwent = getpwnam (login);
setspent ();
/* Lookup shadow password */
sp = getspnam (login);
/* Use shadow password when available */
if (sp != NULL) {
ppasswd = g_strdup (sp->sp_pwdp);
} else {
/* In case shadow password cannot be retrieved (when using NIS
authentication for example), use standard passwd */
if (pwent != NULL &&
pwent->pw_passwd != NULL)
ppasswd = g_strdup (pwent->pw_passwd);
else
/* If no password can be retrieved, set it to NULL */
ppasswd = NULL;
}
endspent ();
/* Request the user's password */
if (pwent != NULL &&
ve_string_empty (ppasswd)) {
/* eeek a passwordless account */
passwd = g_strdup ("");
} else {
passwd = mdm_slave_greeter_ctl (MDM_NOECHO, _("Password:"******"");
if (mdm_slave_greeter_check_interruption ()) {
if (d->attached)
mdm_slave_greeter_ctl_no_ret (MDM_STOPTIMER, "");
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
}
if (d->attached)
mdm_slave_greeter_ctl_no_ret (MDM_STOPTIMER, "");
if (pwent == NULL) {
mdm_sleep_no_signal (mdm_daemon_config_get_value_int (MDM_KEY_RETRY_DELAY));
mdm_debug ("Couldn't authenticate user");
print_cant_auth_errbox ();
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
/* Check whether password is valid */
if (ppasswd == NULL || (ppasswd[0] != '\0' &&
strcmp (crypt (passwd, ppasswd), ppasswd) != 0)) {
mdm_sleep_no_signal (mdm_daemon_config_get_value_int (MDM_KEY_RETRY_DELAY));
mdm_debug ("Couldn't authenticate user");
print_cant_auth_errbox ();
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
if (( ! mdm_daemon_config_get_value_bool (MDM_KEY_ALLOW_ROOT) ||
( ! mdm_daemon_config_get_value_bool (MDM_KEY_ALLOW_REMOTE_ROOT) &&
! d->attached)) && pwent->pw_uid == 0) {
mdm_debug ("Root login disallowed on display '%s'", d->name);
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("The system administrator "
"is not allowed to login "
"from this screen"));
/*mdm_slave_greeter_ctl_no_ret (MDM_ERRDLG,
_("Root login disallowed"));*/
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
#ifdef HAVE_LOGINRESTRICTIONS
/* Check with the 'loginrestrictions' function
if the user has been disallowed */
if (loginrestrictions (login, 0, NULL, &message) != 0) {
mdm_debug ("User not allowed to log in");
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("\nThe system administrator "
"has disabled your "
"account."));
g_free (login);
g_free (passwd);
g_free (ppasswd);
if (message != NULL)
free (message);
return NULL;
}
if (message != NULL)
free (message);
message = NULL;
#else /* ! HAVE_LOGINRESTRICTIONS */
/* check for the standard method of disallowing users */
if (pwent->pw_shell != NULL &&
(strcmp (pwent->pw_shell, NOLOGIN) == 0 ||
strcmp (pwent->pw_shell, "/bin/true") == 0 ||
strcmp (pwent->pw_shell, "/bin/false") == 0)) {
mdm_debug ("User not allowed to log in");
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("\nThe system administrator "
"has disabled your "
"account."));
/*mdm_slave_greeter_ctl_no_ret (MDM_ERRDLG,
_("Login disabled"));*/
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
#endif /* HAVE_LOGINRESTRICTIONS */
g_free (passwd);
g_free (ppasswd);
if ( ! mdm_slave_check_user_wants_to_log_in (login)) {
g_free (login);
login = NULL;
goto authenticate_again;
}
if ( ! mdm_setup_gids (login, pwent->pw_gid)) {
mdm_debug ("Cannot set user group");
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("\nCannot set your user group; "
"you will not be able to log in. "
"Please contact your system administrator."));
g_free (login);
return NULL;
}
#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS)
switch (passwdexpired (login, &info_msg)) {
case 1 :
mdm_debug ("User password has expired");
mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
_("You are required to change your password.\n"
"Please choose a new one."));
g_free (info_msg);
do {
ret = chpass (login, response, &reEnter, &message);
g_free (response);
if (ret != 1) {
if (ret != 0) {
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("\nCannot change your password; "
"you will not be able to log in. "
"Please try again later or contact "
"your system administrator."));
} else if ((reEnter != 0) && (message)) {
response = mdm_slave_greeter_ctl (MDM_NOECHO, message);
if (response == NULL)
response = g_strdup ("");
}
}
g_free (message);
message = NULL;
} while ( ((reEnter != 0) && (ret == 0))
|| (ret ==1) );
g_free (response);
g_free (message);
if ((ret != 0) || (reEnter != 0)) {
return NULL;
}
#if defined (CAN_CLEAR_ADMCHG)
/* The password is changed by root, clear the ADM_CHG
flag in the passwd file */
ret = setpwdb (S_READ | S_WRITE);
if (!ret) {
upwd = getuserpw (login);
if (upwd == NULL) {
ret = -1;
}
else {
upwd->upw_flags &= ~PW_ADMCHG;
ret = putuserpw (upwd);
if (!ret) {
ret = endpwdb ();
}
}
}
if (ret) {
mdm_errorgui_error_box (d, GTK_MESSAGE_WARNING,
_("Your password has been changed but "
"you may have to change it again. "
"Please try again later or contact "
"your system administrator."));
}
#else /* !CAN_CLEAR_ADMCHG */
mdm_errorgui_error_box (d, GTK_MESSAGE_WARNING,
_("Your password has been changed but you "
"may have to change it again. Please try again "
"later or contact your system administrator."));
#endif /* CAN_CLEAR_ADMCHG */
break;
case 2 :
mdm_debug ("User password has expired");
mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
_("Your password has expired.\n"
"Only a system administrator can now change it"));
g_free (info_msg);
return NULL;
break;
case -1 :
mdm_debug ("Internal error on passwdexpired");
mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
_("An internal error occurred. You will not be able to log in.\n"
"Please try again later or contact your system administrator."));
g_free (info_msg);
return NULL;
break;
default :
g_free (info_msg);
break;
}
#endif /* HAVE_PASSWDEXPIRED && HAVE_CHPASS */
return login;
}
static VALUE
rb_shadow_setspent(VALUE self)
{
setspent();
return Qnil;
};
/* getspent - get a (struct spwd *) from the current shadow file */
struct spwd *getspent(void)
{
if (!shadow)
setspent();
return (fgetspent(shadow));
}
/* ARGSUSED */
int
main(int argc, char **argv)
{
struct spwd *shpw;
int passreq = B_TRUE;
int flags;
int fd;
char *infop, *ptr, *p;
pid_t pid;
int bufsize;
struct stat st;
char cttyname[100];
char namedlist[500];
char scratchlist[500];
dev_t cttyd;
if (geteuid() != 0) {
(void) fprintf(stderr, "%s: must be root\n", argv[0]);
return (EXIT_FAILURE);
}
/* Do the magic to determine the children */
if ((fd = open(SYSMSG, 0)) < 0)
return (EXIT_FAILURE);
/*
* If the console supports the CIOCTTYCONSOLE ioctl, then fetch
* its console device list. If not, then we use the default
* console name.
*/
if (ioctl(fd, CIOCTTYCONSOLE, &cttyd) == 0) {
if ((bufsize = ioctl(fd, CIOCGETCONSOLE, NULL)) < 0)
return (EXIT_FAILURE);
if (bufsize > 0) {
if ((infop = calloc(bufsize, sizeof (char))) == NULL)
return (EXIT_FAILURE);
if (ioctl(fd, CIOCGETCONSOLE, infop) < 0)
return (EXIT_FAILURE);
(void) snprintf(namedlist, sizeof (namedlist), "%s %s",
DEFAULT_CONSOLE, infop);
} else
(void) snprintf(namedlist, sizeof (namedlist), "%s",
DEFAULT_CONSOLE);
} else {
(void) snprintf(namedlist, sizeof (namedlist), "%s",
DEFAULT_CONSOLE);
cttyd = NODEV;
}
/*
* The attempt to turn the controlling terminals dev_t into a string
* may not be successful, thus leaving the variable cttyname as a
* NULL. This occurs if during boot we find
* the root partition (or some other partition)
* requires manual fsck, thus resulting in sulogin
* getting invoked. The ioctl for CIOCTTYCONSOLE
* called above returned NODEV for cttyd
* in these cases. NODEV gets returned when the vnode pointer
* in our session structure is NULL. In these cases it
* must be assumed that the default console is used.
*
* See uts/common/os/session.c:cttydev().
*/
(void) strcpy(cttyname, DEFAULT_CONSOLE);
(void) strcpy(scratchlist, namedlist);
ptr = scratchlist;
while (ptr != NULL) {
p = strchr(ptr, ' ');
if (p == NULL) {
if (stat(ptr, &st))
return (EXIT_FAILURE);
if (st.st_rdev == cttyd)
(void) strcpy(cttyname, ptr);
break;
}
*p++ = '\0';
if (stat(ptr, &st))
return (EXIT_FAILURE);
if (st.st_rdev == cttyd) {
(void) strcpy(cttyname, ptr);
break;
}
ptr = p;
}
/*
* Use the same value of SLEEPTIME that login(1) uses. This
* is obtained by reading the file /etc/default/login using
* the def*() functions.
*/
if (defopen(DEFAULT_LOGIN) == 0) {
/* ignore case */
flags = defcntl(DC_GETFLAGS, 0);
TURNOFF(flags, DC_CASE);
(void) defcntl(DC_SETFLAGS, flags);
if ((ptr = defread("SLEEPTIME=")) != NULL)
sleeptime = atoi(ptr);
if (sleeptime < 0 || sleeptime > SLEEPTIME_MAX)
sleeptime = SLEEPTIME;
(void) defopen(NULL); /* closes DEFAULT_LOGIN */
}
/*
* Use our own value of PASSREQ, separate from the one login(1) uses.
* This is obtained by reading the file /etc/default/sulogin using
* the def*() functions.
*/
if (defopen(DEFAULT_SULOGIN) == 0) {
if ((ptr = defread("PASSREQ=")) != NULL)
if (strcmp("NO", ptr) == 0)
passreq = B_FALSE;
(void) defopen(NULL); /* closes DEFAULT_SULOGIN */
}
if (passreq == B_FALSE)
single(shell, NULL);
/*
* if no 'root' entry in /etc/shadow, give maint. mode single
* user shell prompt
*/
setspent();
if ((shpw = getspnam("root")) == NULL) {
(void) fprintf(stderr, "\n*** Unable to retrieve `root' entry "
"in shadow password file ***\n\n");
single(shell, NULL);
}
endspent();
/*
* if no 'root' entry in /etc/passwd, give maint. mode single
* user shell prompt
*/
setpwent();
if (getpwnam("root") == NULL) {
(void) fprintf(stderr, "\n*** Unable to retrieve `root' entry "
"in password file ***\n\n");
single(shell, NULL);
}
endpwent();
/* process with controlling tty treated special */
if ((pid = fork()) != (pid_t)0) {
if (pid == -1)
return (EXIT_FAILURE);
else {
setupsigs();
masterpid = pid;
originalpid = getpid();
/*
* init() was invoked from a console that was not
* the default console, nor was it an auxiliary.
*/
if (cttyname[0] == NULL)
termhandler(0);
/* Never returns */
main_loop(cttyname, B_TRUE);
/* Never returns */
}
}
masterpid = getpid();
originalpid = getppid();
pidlist[nchild++] = originalpid;
sa.sa_handler = childcleanup;
sa.sa_flags = 0;
(void) sigemptyset(&sa.sa_mask);
(void) sigaction(SIGTERM, &sa, NULL);
(void) sigaction(SIGHUP, &sa, NULL);
sa.sa_handler = parenthandler;
sa.sa_flags = SA_SIGINFO;
(void) sigemptyset(&sa.sa_mask);
(void) sigaction(SIGUSR1, &sa, NULL);
sa.sa_handler = SIG_IGN;
sa.sa_flags = 0;
(void) sigemptyset(&sa.sa_mask);
(void) sigaction(SIGCHLD, &sa, NULL);
/*
* If there isn't a password on root, then don't permit
* the fanout capability of sulogin.
*/
if (*shpw->sp_pwdp != '\0') {
ptr = namedlist;
while (ptr != NULL) {
p = strchr(ptr, ' ');
if (p == NULL) {
doit(ptr, cttyname);
break;
}
*p++ = '\0';
doit(ptr, cttyname);
ptr = p;
}
}
if (pathcmp(cttyname, DEFAULT_CONSOLE) != 0) {
if ((pid = fork()) == (pid_t)0) {
setupsigs();
main_loop(DEFAULT_CONSOLE, B_FALSE);
} else if (pid == -1)
return (EXIT_FAILURE);
pidlist[nchild++] = pid;
}
/*
* When parent is all done, it pauses until one of its children
* signals that its time to kill the underpriviledged.
*/
(void) wait(NULL);
return (0);
}
bool KUserFiles::loadpwd()
{
passwd *p;
KU::KUser *tmpKU = 0;
struct stat st;
QString filename;
QString passwd_filename;
QString nispasswd_filename;
int rc = 0;
int passwd_errno = 0;
int nispasswd_errno = 0;
char processing_file = '\0';
#define P_PASSWD 0x01
#define P_NISPASSWD 0x02
#define MAXFILES 2
// Read KUser configuration
passwd_filename = mCfg->passwdsrc();
nispasswd_filename = mCfg->nispasswdsrc();
// Handle unconfigured environments
if(passwd_filename.isEmpty() && nispasswd_filename.isEmpty()) {
mCfg->setPasswdsrc( PASSWORD_FILE );
mCfg->setGroupsrc( GROUP_FILE );
passwd_filename = mCfg->passwdsrc();
KMessageBox::error( 0, i18n("KUser sources were not configured.\nLocal passwd source set to %1\nLocal group source set to %2.").arg(mCfg->passwdsrc().arg(mCfg->groupsrc())) );
}
if(!passwd_filename.isEmpty()) {
processing_file = processing_file | P_PASSWD;
filename.append(passwd_filename);
}
// Start reading passwd file(s)
for(int i = 0; i < MAXFILES; i++) {
rc = stat(QFile::encodeName(filename), &st);
if(rc != 0) {
KMessageBox::error( 0, i18n("Stat call on file %1 failed: %2\nCheck KUser settings.").arg(filename).arg(QString::fromLocal8Bit(strerror(errno))) );
if( (processing_file & P_PASSWD) != 0 ) {
passwd_errno = errno;
if(!nispasswd_filename.isEmpty()) {
processing_file = processing_file & ~P_PASSWD;
processing_file = processing_file | P_NISPASSWD;
filename.truncate(0);
filename.append(nispasswd_filename);
}
continue;
}
else{
nispasswd_errno = errno;
break;
}
}
pwd_mode = st.st_mode & 0666;
pwd_uid = st.st_uid;
pwd_gid = st.st_gid;
// We are reading our configuration specified passwd file
QString tmp;
#ifdef HAVE_FGETPWENT
FILE *fpwd = fopen(QFile::encodeName(filename), "r");
if(fpwd == NULL) {
KMessageBox::error( 0, i18n("Error opening %1 for reading.").arg(filename) );
return FALSE;
}
while ((p = fgetpwent(fpwd)) != NULL) {
#else
setpwent(); //This should be enough for BSDs
while ((p = getpwent()) != NULL) {
#endif
tmpKU = new KU::KUser();
tmpKU->setCaps( KU::KUser::Cap_POSIX );
tmpKU->setUID(p->pw_uid);
tmpKU->setGID(p->pw_gid);
tmpKU->setName(QString::fromLocal8Bit(p->pw_name));
tmp = QString::fromLocal8Bit( p->pw_passwd );
if ( tmp != "x" && tmp != "*" && !tmp.startsWith("!") )
tmpKU->setDisabled( false );
else
tmpKU->setDisabled( true );
if ( tmp.startsWith("!") ) tmp.remove(0, 1);
tmpKU->setPwd( tmp );
tmpKU->setHomeDir(QString::fromLocal8Bit(p->pw_dir));
tmpKU->setShell(QString::fromLocal8Bit(p->pw_shell));
#if defined(__FreeBSD__) || defined(__bsdi__)
tmpKU->setClass(QString::fromLatin1(p->pw_class));
tmpKU->setLastChange(p->pw_change);
tmpKU->setExpire(p->pw_expire);
#endif
if ((p->pw_gecos != 0) && (p->pw_gecos[0] != 0))
fillGecos(tmpKU, p->pw_gecos);
mUsers.append(tmpKU);
}
// End reading passwd_filename
#ifdef HAVE_FGETPWENT
fclose(fpwd);
#else
endpwent();
#endif
if((!nispasswd_filename.isEmpty()) && (nispasswd_filename != passwd_filename)) {
processing_file = processing_file & ~P_PASSWD;
processing_file = processing_file | P_NISPASSWD;
filename.truncate(0);
filename.append(nispasswd_filename);
}
else
break;
} // end of processing files, for loop
if( (passwd_errno == 0) && (nispasswd_errno == 0) )
return (TRUE);
if( (passwd_errno != 0) && (nispasswd_errno != 0) )
return (FALSE);
else
return(TRUE);
}
// Load shadow passwords
bool KUserFiles::loadsdw()
{
#ifdef HAVE_SHADOW
QString shadow_file,tmp;
struct spwd *spw;
KU::KUser *up = NULL;
struct stat st;
shadow_file = mCfg->shadowsrc();
if ( shadow_file.isEmpty() )
return TRUE;
stat( QFile::encodeName(shadow_file), &st);
sdw_mode = st.st_mode & 0666;
sdw_uid = st.st_uid;
sdw_gid = st.st_gid;
#ifdef HAVE_FGETSPENT
FILE *f;
kdDebug() << "open shadow file: " << shadow_file << endl;
if ((f = fopen( QFile::encodeName(shadow_file), "r")) == NULL) {
KMessageBox::error( 0, i18n("Error opening %1 for reading.").arg(shadow_file) );
caps &= ~Cap_Shadow;
return TRUE;
}
while ((spw = fgetspent( f ))) { // read a shadow password structure
#else
setspent();
while ((spw = getspent())) { // read a shadow password structure
#endif
kdDebug() << "shadow entry: " << spw->sp_namp << endl;
if ((up = lookup(QString::fromLocal8Bit(spw->sp_namp))) == NULL) {
KMessageBox::error( 0, i18n("No /etc/passwd entry for %1.\nEntry will be removed at the next `Save'-operation.").arg(QString::fromLocal8Bit(spw->sp_namp)) );
continue;
}
tmp = QString::fromLocal8Bit( spw->sp_pwdp );
if ( tmp.startsWith("!!") || tmp == "*" ) {
up->setDisabled( true );
tmp.remove( 0, 2 );
} else
up->setDisabled( false );
up->setSPwd( tmp ); // cp the encrypted pwd
up->setLastChange( daysToTime( spw->sp_lstchg ) );
up->setMin(spw->sp_min);
up->setMax(spw->sp_max);
#ifndef _SCO_DS
up->setWarn(spw->sp_warn);
up->setInactive(spw->sp_inact);
up->setExpire( daysToTime( spw->sp_expire ) );
up->setFlag(spw->sp_flag);
#endif
}
#ifdef HAVE_FGETSPENT
fclose(f);
#else
endspent();
#endif
#endif // HAVE_SHADOW
return TRUE;
}
// Save password file
#define escstr(a,b) tmp2 = user->a(); \
tmp2.replace(':',"_"); \
tmp2.replace(',',"_"); \
user->b( tmp2 );
bool KUserFiles::savepwd()
{
FILE *passwd_fd = NULL;
FILE *nispasswd_fd = NULL;
uid_t minuid = 0;
int nis_users_written = 0;
uid_t tmp_uid = 0;
QString s;
QString s1;
QString tmp, tmp2;
QString passwd_filename;
QString nispasswd_filename;
char errors_found = '\0';
#define NOMINUID 0x01
#define NONISPASSWD 0x02
// Read KUser configuration info
passwd_filename = mCfg->passwdsrc();
nispasswd_filename = mCfg->nispasswdsrc();
QString new_passwd_filename =
passwd_filename + QString::fromLatin1(KU_CREATE_EXT);
QString new_nispasswd_filename =
nispasswd_filename+QString::fromLatin1(KU_CREATE_EXT);
if( nispasswd_filename != passwd_filename ) {
minuid = mCfg->nisminuid();
}
// Backup file(s)
if(!passwd_filename.isEmpty()) {
if (!pw_backuped) {
if (!backup(passwd_filename)) return FALSE;
pw_backuped = TRUE;
}
}
if(!nispasswd_filename.isEmpty() &&
(nispasswd_filename != passwd_filename)) {
if (!pn_backuped) {
if (!backup(nispasswd_filename)) return FALSE;
pn_backuped = TRUE;
}
}
// Open file(s)
if(!passwd_filename.isEmpty()) {
if ((passwd_fd =
fopen(QFile::encodeName(new_passwd_filename),"w")) == NULL)
KMessageBox::error( 0, i18n("Error opening %1 for writing.").arg(passwd_filename) );
}
if(!nispasswd_filename.isEmpty() && (nispasswd_filename != passwd_filename)){
if ((nispasswd_fd =
fopen(QFile::encodeName(new_nispasswd_filename),"w")) == NULL)
KMessageBox::error( 0, i18n("Error opening %1 for writing.").arg(nispasswd_filename) );
}
QPtrListIterator<KU::KUser> it( mUsers );
KU::KUser *user;
bool addok = false;
user = (*it);
while (true) {
if ( user == 0 ) {
if ( addok ) break;
it = QPtrListIterator<KU::KUser> ( mAdd );
user = (*it);
addok = true;
if ( user == 0 ) break;
};
if ( mDel.containsRef( user ) ) {
++it;
user = (*it);
continue;
}
if ( mMod.contains( user ) ) user = &( mMod[ user ] );
tmp_uid = user->getUID();
if ( caps & Cap_Shadow )
tmp = "x";
else {
tmp = user->getPwd();
if ( user->getDisabled() && tmp != "x" && tmp != "*" )
tmp = "!" + tmp;
}
escstr( getName, setName );
escstr( getHomeDir, setHomeDir );
escstr( getShell, setShell );
escstr( getName, setName );
escstr( getFullName, setFullName );
#if defined(__FreeBSD__) || defined(__bsdi__)
escstr( getClass, setClass );
escstr( getOffice, setOffice );
escstr( getWorkPhone, setWorkPhone );
escstr( getHomePhone, setHomePhone );
s =
user->getName() + ":" +
tmp + ":" +
QString::number( user->getUID() ) + ":" +
QString::number( user->getGID() ) + ":" +
user->getClass() + ":" +
QString::number( user->getLastChange() ) + ":" +
QString::number( user->getExpire() ) + ":";
s1 =
user->getFullName() + "," +
user->getOffice() + "," +
user->getWorkPhone() + "," +
user->getHomePhone();
#else
escstr( getOffice1, setOffice1 );
escstr( getOffice2, setOffice2 );
escstr( getAddress, setAddress );
s =
user->getName() + ":" +
tmp + ":" +
QString::number( user->getUID() ) + ":" +
QString::number( user->getGID() ) + ":";
s1 =
user->getFullName() + "," +
user->getOffice1() + "," +
user->getOffice2() + "," +
user->getAddress();
#endif
for (int j=(s1.length()-1); j>=0; j--) {
if (s1[j] != ',')
break;
s1.truncate(j);
}
s += s1 + ":" +
user->getHomeDir() + ":" +
user->getShell() + "\n";
if( (nispasswd_fd != 0) && (minuid != 0) ) {
if (minuid <= tmp_uid) {
fputs(s.local8Bit().data(), nispasswd_fd);
nis_users_written++;
++it;
user = (*it);
continue;
}
}
if( (nispasswd_fd != 0) && (minuid == 0) ) {
errors_found = errors_found | NOMINUID;
}
if( (nispasswd_fd == 0) && (minuid != 0) ) {
errors_found = errors_found | NONISPASSWD;
}
kdDebug() << s << endl;
fputs(s.local8Bit().data(), passwd_fd);
++it;
user = (*it);
}
if(passwd_fd) {
fclose(passwd_fd);
chmod(QFile::encodeName(new_passwd_filename), pwd_mode);
chown(QFile::encodeName(new_passwd_filename), pwd_uid, pwd_gid);
rename(QFile::encodeName(new_passwd_filename),
QFile::encodeName(passwd_filename));
}
if(nispasswd_fd) {
fclose(nispasswd_fd);
chmod(QFile::encodeName(new_nispasswd_filename), pwd_mode);
chown(QFile::encodeName(new_nispasswd_filename), pwd_uid, pwd_gid);
rename(QFile::encodeName(new_nispasswd_filename),
QFile::encodeName(nispasswd_filename));
}
if( (errors_found & NOMINUID) != 0 ) {
KMessageBox::error( 0, i18n("Unable to process NIS passwd file without a minimum UID specified.\nPlease update KUser settings (Files).") );
}
if( (errors_found & NONISPASSWD) != 0 ) {
KMessageBox::error( 0, i18n("Specifying NIS minimum UID requires NIS file(s).\nPlease update KUser settings (Files).") );
}
// need to run a utility program to build /etc/passwd, /etc/pwd.db
// and /etc/spwd.db from /etc/master.passwd
#if defined(__FreeBSD__) || defined(__bsdi__)
if (system(PWMKDB) != 0) {
KMessageBox::error( 0, i18n("Unable to build password database.") );
return FALSE;
}
#else
if( (nis_users_written > 0) || (nispasswd_filename == passwd_filename) ) {
if (system(PWMKDB) != 0) {
KMessageBox::error( 0, i18n("Unable to build password databases.") );
return FALSE;
}
}
#endif
return TRUE;
}
static int _unix_verify_shadow(const char *user, unsigned int ctrl)
{
struct passwd *pwd = NULL; /* Password and shadow password */
struct spwd *spwdent = NULL; /* file entries for the user */
time_t curdays;
int retval = PAM_SUCCESS;
/* UNIX passwords area */
setpwent();
pwd = getpwnam(user); /* Get password file entry... */
endpwent();
if (pwd == NULL)
return PAM_AUTHINFO_UNAVAIL; /* We don't need to do the rest... */
if (strcmp(pwd->pw_passwd, "x") == 0) {
/* ...and shadow password file entry for this user, if shadowing
is enabled */
setspent();
spwdent = getspnam(user);
endspent();
if (spwdent == NULL)
return PAM_AUTHINFO_UNAVAIL;
} else {
if (strcmp(pwd->pw_passwd,"*NP*") == 0) { /* NIS+ */
uid_t save_uid;
save_uid = geteuid();
seteuid (pwd->pw_uid);
spwdent = getspnam( user );
seteuid (save_uid);
if (spwdent == NULL)
return PAM_AUTHINFO_UNAVAIL;
} else
spwdent = NULL;
}
if (spwdent != NULL) {
/* We have the user's information, now let's check if their account
has expired (60 * 60 * 24 = number of seconds in a day) */
if (off(UNIX__IAMROOT, ctrl)) {
/* Get the current number of days since 1970 */
curdays = time(NULL) / (60 * 60 * 24);
if ((curdays < (spwdent->sp_lstchg + spwdent->sp_min))
&& (spwdent->sp_min != -1))
retval = PAM_AUTHTOK_ERR;
else if ((curdays > (spwdent->sp_lstchg + spwdent->sp_max + spwdent->sp_inact))
&& (spwdent->sp_max != -1) && (spwdent->sp_inact != -1)
&& (spwdent->sp_lstchg != 0))
/*
* Their password change has been put off too long,
*/
retval = PAM_ACCT_EXPIRED;
else if ((curdays > spwdent->sp_expire) && (spwdent->sp_expire != -1)
&& (spwdent->sp_lstchg != 0))
/*
* OR their account has just plain expired
*/
retval = PAM_ACCT_EXPIRED;
}
}
return retval;
}
xmlNodePtr users_getxml(xmlNsPtr ns, char** msg)
{
xmlNodePtr auth_node, user, aux_node;
struct passwd *pwd;
struct spwd *spwd;
const char* value;
char *path = NULL;
if (!ncds_feature_isenabled("ietf-system", "local-users")) {
return (NULL);
}
/* authentication */
auth_node = xmlNewNode(ns, BAD_CAST "authentication");
/* authentication/user-authentication-order */
asprintf(&path, "/files/%s/PasswordAuthentication", NETOPEER_SSHD_CONF);
aug_get(sysaugeas, path, &value);
free(path);
if (value != NULL && strcmp(value, "yes") == 0) {
xmlNewChild(auth_node, auth_node->ns, BAD_CAST "user-authentication-order", BAD_CAST "local-users");
}
/* authentication/user[] */
if (lckpwdf() != 0) {
*msg = strdup("Failed to acquire shadow file lock.");
xmlFreeNode(auth_node);
return (NULL);
}
setpwent();
while ((pwd = getpwent()) != NULL) {
/* authentication/user */
user = xmlNewChild(auth_node, auth_node->ns, BAD_CAST "user", NULL);
/* authentication/user/name */
xmlNewChild(user, user->ns, BAD_CAST "name", BAD_CAST pwd->pw_name);
/* authentication/user/passwd */
if (pwd->pw_passwd[0] == 'x') {
/* get data from /etc/shadow */
setspent();
spwd = getspnam(pwd->pw_name);
if (spwd != NULL && /* no record, wtf?!? */
spwd->sp_pwdp[0] != '!' && /* account not initiated or locked */
spwd->sp_pwdp[0] != '*') { /* login disabled */
xmlNewChild(user, user->ns, BAD_CAST "password", BAD_CAST spwd->sp_pwdp);
}
} else if (pwd->pw_passwd[0] != '*') {
/* password is stored in /etc/passwd or refers to something else (e.g., NIS server) */
xmlNewChild(user, user->ns, BAD_CAST "password", BAD_CAST pwd->pw_passwd);
} /* else password is disabled */
/* authentication/user/authorized-key[] */
if ((aux_node = authkey_getxml(pwd->pw_name, user->ns, msg)) != NULL) {
xmlAddChildList(user, aux_node);
} else {
/* ignore failures in this case */
free(*msg);
*msg = NULL;
}
}
endspent();
endpwent();
ulckpwdf();
return (auth_node);
}
static const char* set_passwd(const char *name, const char *passwd, char **msg)
{
FILE *f = NULL;
struct spwd *spwd, new_spwd;
const char *en_passwd; /* encrypted password */
struct stat st;
assert(name);
assert(passwd);
/* check password format */
if ((passwd[0] != '$') ||
(passwd[1] != '0' && passwd[1] != '1' && passwd[1] != '5' && passwd[1] != '6') ||
(passwd[2] != '$')) {
asprintf(msg, "Wrong password format (user %s).", name);
return (NULL);
}
if (passwd[1] == '0') {
/* encrypt the password */
get_login_defs();
en_passwd = pw_encrypt(&(passwd[3]), crypt_make_salt(NULL, NULL));
} else {
en_passwd = passwd;
}
/*
* store encrypted password into shadow
*/
/* lock shadow file */
if (lckpwdf() != 0) {
*msg = strdup("Failed to acquire shadow file lock.");
return (NULL);
}
/* init position in shadow */
setspent();
/* open new shadow */
f = fopen(SHADOW_COPY, "w");
if (f == NULL) {
asprintf(msg, "Unable to prepare shadow copy (%s).", strerror(errno));
endspent();
ulckpwdf();
return (NULL);
}
/* get file stat of the original file to make a nice copy of it */
stat(SHADOW_ORIG, &st);
fchmod(fileno(f), st.st_mode);
fchown(fileno(f), st.st_uid, st.st_gid);
while ((spwd = getspent()) != NULL) {
if (strcmp(spwd->sp_namp, name) == 0) {
/*
* we have the entry to change,
* make the copy, modifying the original
* structure doesn't seem as a good idea
*/
memcpy(&new_spwd, spwd, sizeof(struct spwd));
new_spwd.sp_pwdp = (char*) en_passwd;
spwd = &new_spwd;
}
/* store the record into the shadow copy */
putspent(spwd, f);
}
endspent();
fclose(f);
if (rename(SHADOW_COPY, SHADOW_ORIG) == -1) {
asprintf(msg, "Unable to rewrite shadow database (%s).", strerror(errno));
unlink(SHADOW_COPY);
ulckpwdf();
return (NULL);
}
ulckpwdf();
return (en_passwd);
}
struct spwd *getspnam (const char *name)
{
struct spwd *sp;
#ifdef USE_NIS
char buf[BUFSIZ];
static char save_name[16];
bool nis_disabled = false;
#endif
setspent ();
#ifdef USE_NIS
/*
* Search the shadow.byname map for this user.
*/
if (!nis_ignore && !nis_bound) {
bind_nis ();
}
if (!nis_ignore && nis_bound) {
char *cp;
if (yp_match (nis_domain, "shadow.byname", name,
strlen (name), &nis_val, &nis_vallen) == 0) {
cp = strchr (nis_val, '\n');
if (NULL != cp) {
*cp = '\0';
}
nis_state = middle;
sp = my_sgetspent (nis_val);
if (NULL != sp) {
strcpy (save_name, sp->sp_namp);
nis_key = save_name;
nis_keylen = strlen (save_name);
}
endspent ();
return sp;
} else {
nis_state = native2;
}
}
#endif
#ifdef USE_NIS
/*
* NEEDSWORK -- this is a mess, and it is the same mess in the
* other three files. I can't just blindly turn off NIS because
* this might be the first pass through the local files. In
* that case, I never discover that NIS is present.
*/
if (nis_used) {
nis_ignore = true;
nis_disabled = true;
}
#endif
while ((sp = getspent ()) != (struct spwd *) 0) {
if (strcmp (name, sp->sp_namp) == 0) {
break;
}
}
#ifdef USE_NIS
if (nis_disabled) {
nis_ignore = false;
}
#endif
endspent ();
return (sp);
}
int main ()
{
struct passwd *pw;
struct passwd *sgetpwent ();
FILE *pwd;
FILE *npwd;
struct spwd *spwd;
int fd;
char newage[5];
if (! (pwd = fopen (PWDFILE, "r"))) {
perror (PWDFILE);
return (1);
}
unlink ("npasswd");
if ((fd = open ("npasswd", O_WRONLY|O_CREAT|O_EXCL, 0600)) < 0 ||
! (npwd = fdopen (fd, "w"))) {
perror ("npasswd");
return (1);
}
while (fgets (buf, BUFSIZ, pwd) == buf) {
buf[strlen (buf) - 1] = '\0'; /* remove '\n' character */
if (buf[0] == '#') { /* comment line */
(void) fprintf (npwd, "%s\n", buf);
continue;
}
if (! (pw = sgetpwent (buf))) { /* copy bad lines verbatim */
(void) fprintf (npwd, "%s\n", buf);
continue;
}
setspent (); /* rewind shadow file */
if (! (spwd = getspnam (pw->pw_name))) {
(void) fprintf (npwd, "%s\n", buf);
continue;
}
pw->pw_passwd = spwd->sp_pwdp;
/*
* Password aging works differently in the two different systems.
* With shadow password files you apparently must have some aging
* information. The maxweeks or minweeks may not map exactly.
* In pwconv we set max == 10000, which is about 30 years. Here
* we have to undo that kludge. So, if maxdays == 10000, no aging
* information is put into the new file. Otherwise, the days are
* converted to weeks and so on.
*/
#ifdef ATT_AGE
if (spwd->sp_max > (63*WEEK) && spwd->sp_max < 10000)
spwd->sp_max = (63*WEEK); /* 10000 is infinity */
if (spwd->sp_min >= 0 && spwd->sp_min <= 63*7 &&
spwd->sp_max >= 0 && spwd->sp_max <= 63*7) {
if (spwd->sp_lstchg == -1)
spwd->sp_lstchg = 0;
spwd->sp_max /= WEEK; /* turn it into weeks */
spwd->sp_min /= WEEK;
spwd->sp_lstchg /= WEEK;
strncpy (newage, l64a (spwd->sp_lstchg * (64L*64L) +
spwd->sp_min * (64L) + spwd->sp_max), 5);
pw->pw_age = newage;
} else
pw->pw_age = "";
#endif /* ATT_AGE */
if (putpwent (pw, npwd)) {
perror ("pwunconv: write error");
exit (1);
}
}
endspent ();
if (ferror (npwd)) {
perror ("pwunconv");
(void) unlink ("npasswd");
}
(void) fclose (npwd);
(void) fclose (pwd);
return (0);
}
static char *_get_pw_info(pool *p, const char *u, time_t *lstchg, time_t *min,
time_t *max, time_t *warn, time_t *inact, time_t *expire) {
struct spwd *sp;
char *cpw = NULL;
PRIVS_ROOT
#ifdef HAVE_SETSPENT
setspent();
#endif /* HAVE_SETSPENT */
sp = getspnam(u);
if (sp != NULL) {
cpw = pstrdup(p, sp->sp_pwdp);
if (lstchg != NULL) {
*lstchg = SP_CVT_DAYS(sp->sp_lstchg);
}
if (min != NULL) {
*min = SP_CVT_DAYS(sp->sp_min);
}
if (max != NULL) {
*max = SP_CVT_DAYS(sp->sp_max);
}
#ifdef HAVE_SPWD_SP_WARN
if (warn != NULL) {
*warn = SP_CVT_DAYS(sp->sp_warn);
}
#endif /* HAVE_SPWD_SP_WARN */
#ifdef HAVE_SPWD_SP_INACT
if (inact != NULL) {
*inact = SP_CVT_DAYS(sp->sp_inact);
}
#endif /* HAVE_SPWD_SP_INACT */
#ifdef HAVE_SPWD_SP_EXPIRE
if (expire != NULL) {
*expire = SP_CVT_DAYS(sp->sp_expire);
}
#endif /* HAVE_SPWD_SP_EXPIRE */
}
#ifdef PR_USE_AUTO_SHADOW
if (sp == NULL) {
struct passwd *pw;
endspent();
PRIVS_RELINQUISH
pw = getpwnam(u);
if (pw != NULL) {
cpw = pstrdup(p, pw->pw_passwd);
if (lstchg != NULL) {
*lstchg = (time_t) -1;
}
if (min != NULL) {
*min = (time_t) -1;
}
if (max != NULL) {
*max = (time_t) -1;
}
if (warn != NULL) {
*warn = (time_t) -1;
}
if (inact != NULL) {
*inact = (time_t) -1;
}
if (expire != NULL) {
*expire = (time_t) -1;
}
}
} else {
PRIVS_RELINQUISH
}
#else
endspent();
PRIVS_RELINQUISH
#endif /* PR_USE_AUTO_SHADOW */
return cpw;
}
static int _unix_verify_password(const char *name, const char *p, int opt)
{
struct passwd *pwd = NULL;
struct spwd *spwdent = NULL;
char *salt = NULL;
char *pp = NULL;
int retval = UNIX_FAILED;
/* UNIX passwords area */
setpwent();
pwd = getpwnam(name); /* Get password file entry... */
endpwent();
if (pwd != NULL) {
if (strcmp(pwd->pw_passwd, "x") == 0) {
/*
* ...and shadow password file entry for this user,
* if shadowing is enabled
*/
setspent();
spwdent = getspnam(name);
endspent();
if (spwdent != NULL)
salt = x_strdup(spwdent->sp_pwdp);
else
pwd = NULL;
} else {
if (strcmp(pwd->pw_passwd, "*NP*") == 0) { /* NIS+ */
uid_t save_uid;
save_uid = geteuid();
seteuid(pwd->pw_uid);
spwdent = getspnam(name);
seteuid(save_uid);
salt = x_strdup(spwdent->sp_pwdp);
} else {
salt = x_strdup(pwd->pw_passwd);
}
}
}
if (pwd == NULL || salt == NULL) {
_log_err(LOG_ALERT, "check pass; user unknown");
p = NULL;
return retval;
}
if (strlen(salt) == 0)
return (opt == 0) ? UNIX_FAILED : UNIX_PASSED;
/* the moment of truth -- do we agree with the password? */
retval = UNIX_FAILED;
if (!strncmp(salt, "$1$", 3)) {
pp = Goodcrypt_md5(p, salt);
if (strcmp(pp, salt) == 0) {
retval = UNIX_PASSED;
} else {
pp = Brokencrypt_md5(p, salt);
if (strcmp(pp, salt) == 0)
retval = UNIX_PASSED;
}
} else {
pp = bigcrypt(p, salt);
if (strcmp(pp, salt) == 0) {
retval = UNIX_PASSED;
}
}
p = NULL; /* no longer needed here */
/* clean up */
{
char *tp = pp;
if (pp != NULL) {
while (tp && *tp)
*tp++ = '\0';
}
pp = tp = NULL;
}
return retval;
}
struct spwd *getspent (void)
{
#ifdef USE_NIS
int nis_1_user = 0;
struct spwd *val;
char buf[BUFSIZ];
#endif
if (NULL == shadow) {
setspent ();
}
#ifdef USE_NIS
again:
/*
* See if we are reading from the local file.
*/
if (nis_state == native || nis_state == native2) {
/*
* Get the next entry from the shadow file. Return NULL
* right away if there is none.
*/
val = fgetspent (shadow);
if (NULL == val)
return 0;
/*
* If this entry began with a NIS escape character, we have
* to see if this is just a single user, or if the entire
* map is being asked for.
*/
if (IS_NISCHAR (val->sp_namp[0])) {
if (val->sp_namp[1])
nis_1_user = 1;
else
nis_state = start;
}
/*
* If this isn't a NIS user and this isn't an escape to go
* use a NIS map, it must be a regular local user.
*/
if (nis_1_user == 0 && nis_state != start)
return val;
/*
* If this is an escape to use an NIS map, switch over to
* that bunch of code.
*/
if (nis_state == start)
goto again;
/*
* NEEDSWORK. Here we substitute pieces-parts of this entry.
*/
return 0;
} else {
if (!nis_bound) {
if (bind_nis ()) {
nis_state = native2;
goto again;
}
}
if (nis_state == start) {
if (yp_first (nis_domain, "shadow.bynam", &nis_key,
&nis_keylen, &nis_val, &nis_vallen)) {
nis_state = native2;
goto again;
}
nis_state = middle;
} else if (nis_state == middle) {
if (yp_next (nis_domain, "shadow.bynam", nis_key,
nis_keylen, &nis_key, &nis_keylen,
&nis_val, &nis_vallen)) {
nis_state = native2;
goto again;
}
}
return my_sgetspent (nis_val);
}
#else
return (fgetspent (shadow));
#endif
}
static char *_get_pw_info(pool *p, const char *u, time_t *lstchg, time_t *min,
time_t *max, time_t *warn, time_t *inact, time_t *expire) {
struct spwd *sp;
char *cpw = NULL;
pr_trace_msg(trace_channel, 7,
"looking up user '%s' via Unix shadow mechanism", u);
PRIVS_ROOT
#ifdef HAVE_SETSPENT
setspent();
#endif /* HAVE_SETSPENT */
sp = getspnam(u);
if (sp != NULL) {
cpw = pstrdup(p, sp->sp_pwdp);
if (lstchg != NULL) {
*lstchg = SP_CVT_DAYS(sp->sp_lstchg);
}
if (min != NULL) {
*min = SP_CVT_DAYS(sp->sp_min);
}
if (max != NULL) {
*max = SP_CVT_DAYS(sp->sp_max);
}
#ifdef HAVE_SPWD_SP_WARN
if (warn != NULL) {
*warn = SP_CVT_DAYS(sp->sp_warn);
}
#endif /* HAVE_SPWD_SP_WARN */
#ifdef HAVE_SPWD_SP_INACT
if (inact != NULL) {
*inact = SP_CVT_DAYS(sp->sp_inact);
}
#endif /* HAVE_SPWD_SP_INACT */
#ifdef HAVE_SPWD_SP_EXPIRE
if (expire != NULL) {
*expire = SP_CVT_DAYS(sp->sp_expire);
}
#endif /* HAVE_SPWD_SP_EXPIRE */
} else {
pr_log_debug(DEBUG5, "mod_auth_unix: getspnam(3) for user '%s' error: %s",
u, strerror(errno));
}
#ifdef PR_USE_AUTO_SHADOW
if (sp == NULL) {
struct passwd *pw;
pr_trace_msg(trace_channel, 7,
"looking up user '%s' via Unix autoshadow mechanism", u);
endspent();
PRIVS_RELINQUISH
pw = getpwnam(u);
if (pw != NULL) {
cpw = pstrdup(p, pw->pw_passwd);
if (lstchg != NULL) {
*lstchg = (time_t) -1;
}
if (min != NULL) {
*min = (time_t) -1;
}
if (max != NULL) {
*max = (time_t) -1;
}
if (warn != NULL) {
*warn = (time_t) -1;
}
if (inact != NULL) {
*inact = (time_t) -1;
}
if (expire != NULL) {
*expire = (time_t) -1;
}
} else {
pr_log_debug(DEBUG5, "mod_auth_unix: getpwnam(3) for user '%s' error: %s",
u, strerror(errno));
}
} else {
PRIVS_RELINQUISH
}
#else
endspent();
PRIVS_RELINQUISH
#endif /* PR_USE_AUTO_SHADOW */
return cpw;
}
