[apple/system_cmds.git] / pwd_mkdb.tproj / pwd_mkdb.c

/*	$OpenBSD: pwd_mkdb.c,v 1.36 2003/06/08 21:14:55 millert Exp $	*/

/*-
 * Copyright (c) 1991, 1993, 1994
 *	The Regents of the University of California.  All rights reserved.
 * Portions Copyright (c) 1994, Jason Downs.  All rights reserved.
 * Portions Copyright (c) 1998, Todd C. Miller.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
#ifndef lint
__unused static const char copyright[] =
"@(#) Copyright (c) 1991, 1993, 1994\n\
	The Regents of the University of California.  All rights reserved.\n";
#endif /* not lint */

#ifndef lint
#if 0
static const char sccsid[] = "from: @(#)pwd_mkdb.c	8.5 (Berkeley) 4/20/94";
#else
__unused static const char rcsid[] = "$OpenBSD: pwd_mkdb.c,v 1.36 2003/06/08 21:14:55 millert Exp $";
#endif
#endif /* not lint */

#include <sys/param.h>
#include <sys/stat.h>

#include <db.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <util.h>
#include <sys/param.h>
#include "pw_scan.h"

#define	INSECURE	1
#define	SECURE		2
#define	PERM_INSECURE	(S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)
#define	PERM_SECURE	(S_IRUSR|S_IWUSR)

#define FILE_SECURE	0x01
#define FILE_INSECURE	0x02
#define FILE_ORIG	0x04

#define	SHADOW_GROUP	"wheel"

HASHINFO openinfo = {
	.bsize = 4096,
	.ffactor = 32,
	.nelem = 256,
	.cachesize = 2048 * 1024,
	.hash = NULL,
	.lorder = 0
};

static char *pname;				/* password file name */
static char *basedir;				/* dir holding master.passwd */
static int clean;				/* what to remove on cleanup */
static int hasyp;				/* are we running YP? */

void	cleanup(void);
void	error(char *);
void	errorx(char *);
void	cp(char *, char *, mode_t);
void	mv(char *, char *);
int	scan(FILE *, struct passwd *, int *);
void	usage(void);
char	*changedir(char *path, char *dir);
void	db_store(FILE *, FILE *, DB *, DB *,struct passwd *, int, char *, uid_t);

int
main(int argc, char **argv)
{
	DB *dp, *edp;
	DBT data, key;
	FILE *fp, *oldfp = NULL;
	struct stat st;
	struct passwd pwd;
	struct group *grp;
	sigset_t set;
	uid_t olduid = UID_MAX;
	gid_t shadow;
	int ch, tfd, makeold, secureonly, flags, checkonly;
	char *username, buf[MAX(MAXPATHLEN, LINE_MAX * 2)];

	flags = checkonly = makeold = secureonly = 0;
	username = NULL;
	while ((ch = getopt(argc, argv, "cd:psu:v")) != -1)
		switch (ch) {
		case 'c':			/* verify only */
			checkonly = 1;
			break;
		case 'd':
			basedir = optarg;
			if (strlen(basedir) > MAXPATHLEN - 40)
				errx(1, "basedir too long");
			break;
		case 'p':			/* create V7 "file.orig" */
			makeold = 1;
			break;
		case 's':			/* only update spwd.db */
			secureonly = 1;
			break;
		case 'u':			/* only update this record */
			username = optarg;
			if (strlen(username) > _PW_NAME_LEN)
				errx(1, "username too long");
			break;
		case 'v':			/* backward compatible */
			break;
		case '?':
		default:
			usage();
		}
	argc -= optind;
	argv += optind;

	if (argc != 1 || (makeold && secureonly) ||
	    (username && (*username == '+' || *username == '-')))
		usage();

	if ((grp = getgrnam(SHADOW_GROUP)) == NULL)
		errx(1, "cannot find `%s' in the group database, aborting",
		    SHADOW_GROUP);
	shadow = grp->gr_gid;

	/*
	 * This could be changed to allow the user to interrupt.
	 * Probably not worth the effort.
	 */
	sigemptyset(&set);
	sigaddset(&set, SIGTSTP);
	sigaddset(&set, SIGHUP);
	sigaddset(&set, SIGINT);
	sigaddset(&set, SIGQUIT);
	sigaddset(&set, SIGTERM);
	(void)sigprocmask(SIG_BLOCK, &set, (sigset_t *)NULL);

	/* We don't care what the user wants. */
	(void)umask(0);

	if (**argv != '/' && basedir == NULL)
		errx(1, "%s must be specified as an absolute path", *argv);

	if ((pname = strdup(changedir(*argv, basedir))) == NULL)
		err(1, NULL);
	/* Open the original password file */
	if (!(fp = fopen(pname, "r")))
		error(pname);

	/* Check only if password database is valid */
	if (checkonly) {
		u_int cnt;

		for (cnt = 1; scan(fp, &pwd, &flags); ++cnt)
			;
		exit(0);
	}

	if (fstat(fileno(fp), &st) == -1)
		error(pname);

	/* Tweak openinfo values for large passwd files. */
	if (st.st_size > (off_t)100*1024)
		openinfo.cachesize = (u_int)MIN(st.st_size * 20, (off_t)12*1024*1024);
	if (st.st_size / 128 > openinfo.nelem)
		openinfo.nelem = (u_int)(st.st_size / 128);

        /* If only updating a single record, stash the old uid */
	if (username) {
		dp = dbopen(_PATH_MP_DB, O_RDONLY, 0, DB_HASH, NULL);
		if (dp == NULL)
			error(_PATH_MP_DB);
		buf[0] = _PW_KEYBYNAME;
		strlcpy(buf + 1, username, sizeof(buf) - 1);
		key.data = (u_char *)buf;
		key.size = strlen(buf + 1) + 1;
		if ((dp->get)(dp, &key, &data, 0) == 0) {
			char *p = (char *)data.data;
			/* Skip to uid field */
			while (*p++ != '\0')
				;
			while (*p++ != '\0')
				;
			memcpy(&olduid, p, sizeof(olduid));
		} else
			olduid = UID_MAX;
		(dp->close)(dp);
	}

	/* Open the temporary encrypted password database. */
	(void)snprintf(buf, sizeof(buf), "%s.tmp",
	    changedir(_PATH_SMP_DB, basedir));
	if (username) {
		cp(changedir(_PATH_SMP_DB, basedir), buf, PERM_SECURE);
		edp = dbopen(buf,
		    O_RDWR, PERM_SECURE, DB_HASH, &openinfo);
	} else {
		edp = dbopen(buf,
		    O_RDWR|O_CREAT|O_EXCL, PERM_SECURE, DB_HASH, &openinfo);
	}
	if (!edp)
		error(buf);
	if (fchown(edp->fd(edp), (uid_t)-1, shadow) != 0)
		warn("%s: unable to set group to %s", _PATH_SMP_DB,
		    SHADOW_GROUP);
	else if (fchmod(edp->fd(edp), PERM_SECURE|S_IRGRP) != 0)
		warn("%s: unable to make group readable", _PATH_SMP_DB);
	clean |= FILE_SECURE;

	/* Open the temporary insecure password database. */
	if (!secureonly) {
		(void)snprintf(buf, sizeof(buf), "%s.tmp",
		    changedir(_PATH_MP_DB, basedir));
		if (username) {
			cp(changedir(_PATH_MP_DB, basedir), buf, PERM_INSECURE);
			dp = dbopen(buf, O_RDWR, PERM_INSECURE, DB_HASH,
			    &openinfo);
		} else {
			dp = dbopen(buf, O_RDWR|O_CREAT|O_EXCL, PERM_INSECURE,
			    DB_HASH, &openinfo);
		}
		if (dp == NULL)
			error(buf);
		clean |= FILE_INSECURE;
	} else
		dp = NULL;

	/*
	 * Open file for old password file.  Minor trickiness -- don't want to
	 * chance the file already existing, since someone (stupidly) might
	 * still be using this for permission checking.  So, open it first and
	 * fdopen the resulting fd.  The resulting file should be readable by
	 * everyone.
	 */
	if (makeold) {
		(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
		if ((tfd = open(buf,
		    O_WRONLY|O_CREAT|O_EXCL, PERM_INSECURE)) < 0)
			error(buf);
		if ((oldfp = fdopen(tfd, "w")) == NULL)
			error(buf);
		clean |= FILE_ORIG;
	}

	/*
	 * The databases actually contain three copies of the original data.
	 * Each password file entry is converted into a rough approximation
	 * of a ``struct passwd'', with the strings placed inline.  This
	 * object is then stored as the data for three separate keys.  The
	 * first key * is the pw_name field prepended by the _PW_KEYBYNAME
	 * character.  The second key is the pw_uid field prepended by the
	 * _PW_KEYBYUID character.  The third key is the line number in the
	 * original file prepended by the _PW_KEYBYNUM character.  (The special
	 * characters are prepended to ensure that the keys do not collide.)
	 *
	 * If we see something go by that looks like YP, we save a special
	 * pointer record, which if YP is enabled in the C lib, will speed
	 * things up.
	 */

	/*
	 * Write the .db files.
	 * We do this three times, one per key type (for getpw{nam,uid,ent}).
	 * The first time through we also check for YP, issue warnings
	 * and save the V7 format passwd file if necessary.
	 */
	db_store(fp, oldfp, edp, dp, &pwd, _PW_KEYBYNAME, username, olduid);
	db_store(fp, oldfp, edp, dp, &pwd, _PW_KEYBYUID, username, olduid);
	db_store(fp, oldfp, edp, dp, &pwd, _PW_KEYBYNUM, username, olduid);

	/* Store YP token, if needed. */
	if (hasyp && !username) {
		key.data = (u_char *)_PW_YPTOKEN;
		key.size = strlen(_PW_YPTOKEN);
		data.data = (u_char *)NULL;
		data.size = 0;

		if ((edp->put)(edp, &key, &data, R_NOOVERWRITE) == -1)
			error("put");

		if (dp && (dp->put)(dp, &key, &data, R_NOOVERWRITE) == -1)
			error("put");
	}

	if ((edp->close)(edp))
		error("close edp");
	if (dp && (dp->close)(dp))
		error("close dp");
	if (makeold) {
		if (fclose(oldfp) == EOF)
			error("close old");
	}

	/* Set master.passwd permissions, in case caller forgot. */
	(void)fchmod(fileno(fp), S_IRUSR|S_IWUSR);
	if (fclose(fp) != 0)
		error("fclose");

	/* Install as the real password files. */
	if (!secureonly) {
		(void)snprintf(buf, sizeof(buf), "%s.tmp",
		    changedir(_PATH_MP_DB, basedir));
		mv(buf, changedir(_PATH_MP_DB, basedir));
	}
	(void)snprintf(buf, sizeof(buf), "%s.tmp",
	    changedir(_PATH_SMP_DB, basedir));
	mv(buf, changedir(_PATH_SMP_DB, basedir));
	if (makeold) {
		(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
		mv(buf, changedir(_PATH_PASSWD, basedir));
	}

	/*
	 * Move the master password LAST -- chpass(1), passwd(1) and vipw(8)
	 * all use flock(2) on it to block other incarnations of themselves.
	 * The rename means that everything is unlocked, as the original file
	 * can no longer be accessed.
	 */
	mv(pname, changedir(_PATH_MASTERPASSWD, basedir));
	exit(0);
}

int
scan(FILE *fp, struct passwd *pw, int *flags)
{
	static int lcnt;
	static char line[LINE_MAX];
	char *p;

	if (fgets(line, sizeof(line), fp) == NULL)
		return (0);
	++lcnt;
	/*
	 * ``... if I swallow anything evil, put your fingers down my
	 * throat...''
	 *	-- The Who
	 */
	p = line;
	if (*p != '\0' && *(p += strlen(line) - 1) != '\n') {
		warnx("line too long");
		goto fmt;
	}
	*p = '\0';
	*flags = 0;
	if (!pw_scan(line, pw, flags)) {
		warnx("at line #%d", lcnt);
fmt:		errno = EFTYPE;	/* XXX */
		error(pname);
	}

	return (1);
}

void
cp(char *from, char *to, mode_t mode)
{
	static char buf[MAXBSIZE];
	int from_fd, to_fd;
	ssize_t rcount, wcount;

	if ((from_fd = open(from, O_RDONLY, 0)) < 0)
		error(from);
	if ((to_fd = open(to, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)
		error(to);
	while ((rcount = read(from_fd, buf, MAXBSIZE)) > 0) {
		wcount = write(to_fd, buf, rcount);
		if (rcount != wcount || wcount == -1) {
			int sverrno = errno;

			(void)snprintf(buf, sizeof(buf), "%s to %s", from, to);
			errno = sverrno;
			error(buf);
		}
	}
	if (rcount < 0) {
		int sverrno = errno;

		(void)snprintf(buf, sizeof(buf), "%s to %s", from, to);
		errno = sverrno;
		error(buf);
	}
}

void
mv(char *from, char *to)
{
	char buf[MAXPATHLEN * 2];

	if (rename(from, to)) {
		int sverrno = errno;

		(void)snprintf(buf, sizeof(buf), "%s to %s", from, to);
		errno = sverrno;
		error(buf);
	}
}

void
error(char *name)
{
	warn("%s", name);
	cleanup();
	exit(1);
}

void
errorx(char *name)
{
	warnx("%s", name);
	cleanup();
	exit(1);
}

void
cleanup(void)
{
	char buf[MAXPATHLEN];

	if (clean & FILE_ORIG) {
		(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
		(void)unlink(buf);
	}
	if (clean & FILE_SECURE) {
		(void)snprintf(buf, sizeof(buf), "%s.tmp",
		    changedir(_PATH_SMP_DB, basedir));
		(void)unlink(buf);
	}
	if (clean & FILE_INSECURE) {
		(void)snprintf(buf, sizeof(buf), "%s.tmp",
		    changedir(_PATH_MP_DB, basedir));
		(void)unlink(buf);
	}
}

void
usage(void)
{
	(void)fprintf(stderr,
	    "usage: pwd_mkdb [-c] [-p | -s] [-d basedir] [-u username] file\n");
	exit(1);
}

char *
changedir(char *path, char *dir)
{
	static char fixed[MAXPATHLEN];
	char *p;

	if (!dir)
		return (path);

	if ((p = strrchr(path, '/')) != NULL)
		path = p + 1;
	snprintf(fixed, sizeof(fixed), "%s/%s", dir, path);
	return (fixed);
}

void
db_store(FILE *fp, FILE *oldfp, DB *edp, DB *dp, struct passwd *pw,
	 int keytype, char *username, uid_t olduid)
{
	int flags = 0;
	int dbmode, found = 0;
	u_int cnt;
	char *p, *t, buf[LINE_MAX * 2], tbuf[1024];
	DBT data, key;
	size_t len;
	static int firsttime = 1;

	/* If given a username just add that record to the existing db. */
	dbmode = username ? 0 : R_NOOVERWRITE;

	rewind(fp);
	data.data = (u_char *)buf;
	key.data = (u_char *)tbuf;
	for (cnt = 1; scan(fp, pw, &flags); ++cnt) {

#ifdef __APPLE__
		if (pw->pw_name == NULL)
			continue;
#endif

		if (firsttime) {
			/* Look like YP? */
			if ((pw->pw_name[0] == '+') || (pw->pw_name[0] == '-'))
				hasyp++;

			/* Warn about potentially unsafe uid/gid overrides. */
			if (pw->pw_name[0] == '+') {
				if (!(flags & _PASSWORD_NOUID) && !pw->pw_uid)
					warnx("line %d: superuser override in "
					    "YP inclusion", cnt);
				if (!(flags & _PASSWORD_NOGID) && !pw->pw_gid)
					warnx("line %d: wheel override in "
					    "YP inclusion", cnt);
			}

			/* Create V7 format password file entry. */
			if (oldfp != NULL)
				if (fprintf(oldfp, "%s:*:%u:%u:%s:%s:%s\n",
				    pw->pw_name, pw->pw_uid, pw->pw_gid,
				    pw->pw_gecos, pw->pw_dir, pw->pw_shell)
				    == EOF)
					error("write old");
		}

		/* Are we updating a specific record? */
		if (username) {
			if (strcmp(username, pw->pw_name) != 0)
				continue;
			found = 1;
			/* If the uid changed, remove the old record by uid. */
			if (olduid != UID_MAX && olduid != pw->pw_uid) {
				tbuf[0] = _PW_KEYBYUID;
				memcpy(tbuf + 1, &olduid, sizeof(olduid));
				key.size = sizeof(olduid) + 1;
				(edp->del)(edp, &key, 0);
				if (dp)
					(dp->del)(dp, &key, 0);
			}
			/* XXX - should check to see if line number changed. */
		}

		/* Build the key. */
		tbuf[0] = keytype;
		switch (keytype) {
		case _PW_KEYBYNUM:
			memmove(tbuf + 1, &cnt, sizeof(cnt));
			key.size = sizeof(cnt) + 1;
			break;

		case _PW_KEYBYNAME:
			len = strlen(pw->pw_name);
			memmove(tbuf + 1, pw->pw_name, len);
			key.size = len + 1;
			break;

		case _PW_KEYBYUID:
			memmove(tbuf + 1, &pw->pw_uid, sizeof(pw->pw_uid));
			key.size = sizeof(pw->pw_uid) + 1;
			break;
		}

#define	COMPACT(e)	t = e; while ((*p++ = *t++));
		/* Create the secure record. */
		p = buf;
		COMPACT(pw->pw_name);
		COMPACT(pw->pw_passwd);
		memmove(p, &pw->pw_uid, sizeof(uid_t));
		p += sizeof(uid_t);
		memmove(p, &pw->pw_gid, sizeof(gid_t));
		p += sizeof(gid_t);
		memmove(p, &pw->pw_change, sizeof(time_t));
		p += sizeof(time_t);
		COMPACT(pw->pw_class);
		COMPACT(pw->pw_gecos);
		COMPACT(pw->pw_dir);
		COMPACT(pw->pw_shell);
		memmove(p, &pw->pw_expire, sizeof(time_t));
		p += sizeof(time_t);
		memmove(p, &flags, sizeof(int));
		p += sizeof(int);
		data.size = p - buf;

		/* Write the secure record. */
		if ((edp->put)(edp, &key, &data, dbmode) == -1)
			error("put");

		if (dp == NULL)
			continue;

		/* Star out password to make insecure record. */
		p = buf + strlen(pw->pw_name) + 1;	/* skip pw_name */
		len = strlen(pw->pw_passwd);
		memset(p, 0, len);			/* zero pw_passwd */
		t = p + len + 1;			/* skip pw_passwd */
		if (len != 0)
			*p++ = '*';
		*p++ = '\0';
		memmove(p, t, data.size - (t - buf));
		data.size -= len - 1;

		/* Write the insecure record. */
		if ((dp->put)(dp, &key, &data, dbmode) == -1)
			error("put");
	}
	if (firsttime) {
		firsttime = 0;
		if (username && !found && olduid != UID_MAX)
			errorx("can't find user in master.passwd");
	}
}
Commit	Line	Data
c3a08f59 A	1	/* $OpenBSD: pwd_mkdb.c,v 1.36 2003/06/08 21:14:55 millert Exp $ */
c3a08f59 A	2
1815bff5 A	3	/*-
	4	* Copyright (c) 1991, 1993, 1994
	5	* The Regents of the University of California. All rights reserved.
c3a08f59 A	6	* Portions Copyright (c) 1994, Jason Downs. All rights reserved.
c3a08f59 A	7	* Portions Copyright (c) 1998, Todd C. Miller. All rights reserved.
1815bff5 A	8	*
	9	* Redistribution and use in source and binary forms, with or without
	10	* modification, are permitted provided that the following conditions
	11	* are met:
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	* 2. Redistributions in binary form must reproduce the above copyright
	15	* notice, this list of conditions and the following disclaimer in the
	16	* documentation and/or other materials provided with the distribution.
c3a08f59	17	* 3. Neither the name of the University nor the names of its contributors
1815bff5 A	18	* may be used to endorse or promote products derived from this software
	19	* without specific prior written permission.
	20	*
	21	* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
	22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	24	* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
	25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	31	* SUCH DAMAGE.
	32	*/
	33
34d340d7	34	#include <sys/cdefs.h>
1815bff5	35	#ifndef lint
34d340d7	36	__unused static const char copyright[] =
1815bff5 A	37	"@(#) Copyright (c) 1991, 1993, 1994\n\
	38	The Regents of the University of California. All rights reserved.\n";
	39	#endif /* not lint */
	40
	41	#ifndef lint
c3a08f59 A	42	#if 0
	43	static const char sccsid[] = "from: @(#)pwd_mkdb.c 8.5 (Berkeley) 4/20/94";
	44	#else
34d340d7	45	__unused static const char rcsid[] = "$OpenBSD: pwd_mkdb.c,v 1.36 2003/06/08 21:14:55 millert Exp $";
c3a08f59	46	#endif
1815bff5 A	47	#endif /* not lint */
	48
	49	#include <sys/param.h>
	50	#include <sys/stat.h>
	51
	52	#include <db.h>
	53	#include <err.h>
	54	#include <errno.h>
	55	#include <fcntl.h>
c3a08f59	56	#include <grp.h>
1815bff5 A	57	#include <limits.h>
	58	#include <pwd.h>
	59	#include <signal.h>
	60	#include <stdio.h>
	61	#include <stdlib.h>
	62	#include <string.h>
	63	#include <unistd.h>
c3a08f59 A	64	#include <util.h>
c3a08f59 A	65	#include <sys/param.h>
34d340d7	66	#include "pw_scan.h"
1815bff5 A	67
	68	#define INSECURE 1
	69	#define SECURE 2
	70	#define PERM_INSECURE (S_IRUSR\|S_IWUSR\|S_IRGRP\|S_IROTH)
	71	#define PERM_SECURE (S_IRUSR\|S_IWUSR)
	72
c3a08f59 A	73	#define FILE_SECURE 0x01
	74	#define FILE_INSECURE 0x02
	75	#define FILE_ORIG 0x04
	76
	77	#define SHADOW_GROUP "wheel"
	78
1815bff5	79	HASHINFO openinfo = {
cf37c299 A	80	.bsize = 4096,
	81	.ffactor = 32,
	82	.nelem = 256,
	83	.cachesize = 2048 * 1024,
	84	.hash = NULL,
	85	.lorder = 0
1815bff5 A	86	};
1815bff5 A	87
1815bff5	88	static char pname; / password file name */
c3a08f59 A	89	static char basedir; / dir holding master.passwd */
	90	static int clean; /* what to remove on cleanup */
	91	static int hasyp; /* are we running YP? */
	92
	93	void cleanup(void);
	94	void error(char *);
	95	void errorx(char *);
	96	void cp(char , char , mode_t);
	97	void mv(char , char );
	98	int scan(FILE , struct passwd , int *);
	99	void usage(void);
	100	char changedir(char path, char *dir);
	101	void db_store(FILE , FILE , DB , DB ,struct passwd , int, char , uid_t);
1815bff5 A	102
1815bff5 A	103	int
c3a08f59	104	main(int argc, char **argv)
1815bff5 A	105	{
	106	DB dp, edp;
	107	DBT data, key;
c3a08f59 A	108	FILE fp, oldfp = NULL;
	109	struct stat st;
	110	struct passwd pwd;
	111	struct group *grp;
1815bff5	112	sigset_t set;
cf37c299	113	uid_t olduid = UID_MAX;
c3a08f59 A	114	gid_t shadow;
	115	int ch, tfd, makeold, secureonly, flags, checkonly;
	116	char username, buf[MAX(MAXPATHLEN, LINE_MAX 2)];
	117
	118	flags = checkonly = makeold = secureonly = 0;
	119	username = NULL;
	120	while ((ch = getopt(argc, argv, "cd:psu:v")) != -1)
	121	switch (ch) {
	122	case 'c': /* verify only */
	123	checkonly = 1;
	124	break;
	125	case 'd':
	126	basedir = optarg;
	127	if (strlen(basedir) > MAXPATHLEN - 40)
	128	errx(1, "basedir too long");
	129	break;
1815bff5 A	130	case 'p': /* create V7 "file.orig" */
	131	makeold = 1;
	132	break;
c3a08f59 A	133	case 's': /* only update spwd.db */
	134	secureonly = 1;
	135	break;
	136	case 'u': /* only update this record */
	137	username = optarg;
	138	if (strlen(username) > _PW_NAME_LEN)
	139	errx(1, "username too long");
	140	break;
1815bff5 A	141	case 'v': /* backward compatible */
	142	break;
	143	case '?':
	144	default:
	145	usage();
	146	}
	147	argc -= optind;
	148	argv += optind;
	149
c3a08f59 A	150	if (argc != 1 \|\| (makeold && secureonly) \|\|
c3a08f59 A	151	(username && (username == '+' \|\| username == '-')))
1815bff5	152	usage();
cf37c299	153
c3a08f59 A	154	if ((grp = getgrnam(SHADOW_GROUP)) == NULL)
	155	errx(1, "cannot find `%s' in the group database, aborting",
	156	SHADOW_GROUP);
	157	shadow = grp->gr_gid;
1815bff5 A	158
	159	/*
	160	* This could be changed to allow the user to interrupt.
	161	* Probably not worth the effort.
	162	*/
	163	sigemptyset(&set);
	164	sigaddset(&set, SIGTSTP);
	165	sigaddset(&set, SIGHUP);
	166	sigaddset(&set, SIGINT);
	167	sigaddset(&set, SIGQUIT);
	168	sigaddset(&set, SIGTERM);
	169	(void)sigprocmask(SIG_BLOCK, &set, (sigset_t *)NULL);
	170
	171	/* We don't care what the user wants. */
	172	(void)umask(0);
	173
c3a08f59 A	174	if (**argv != '/' && basedir == NULL)
	175	errx(1, "%s must be specified as an absolute path", *argv);
	176
	177	if ((pname = strdup(changedir(*argv, basedir))) == NULL)
	178	err(1, NULL);
1815bff5 A	179	/* Open the original password file */
	180	if (!(fp = fopen(pname, "r")))
	181	error(pname);
	182
c3a08f59 A	183	/* Check only if password database is valid */
	184	if (checkonly) {
	185	u_int cnt;
	186
	187	for (cnt = 1; scan(fp, &pwd, &flags); ++cnt)
	188	;
	189	exit(0);
	190	}
	191
	192	if (fstat(fileno(fp), &st) == -1)
	193	error(pname);
	194
	195	/* Tweak openinfo values for large passwd files. */
	196	if (st.st_size > (off_t)100*1024)
cf37c299	197	openinfo.cachesize = (u_int)MIN(st.st_size * 20, (off_t)1210241024);
c3a08f59	198	if (st.st_size / 128 > openinfo.nelem)
cf37c299	199	openinfo.nelem = (u_int)(st.st_size / 128);
c3a08f59 A	200
	201	/* If only updating a single record, stash the old uid */
	202	if (username) {
	203	dp = dbopen(_PATH_MP_DB, O_RDONLY, 0, DB_HASH, NULL);
	204	if (dp == NULL)
	205	error(_PATH_MP_DB);
	206	buf[0] = _PW_KEYBYNAME;
	207	strlcpy(buf + 1, username, sizeof(buf) - 1);
	208	key.data = (u_char *)buf;
	209	key.size = strlen(buf + 1) + 1;
	210	if ((dp->get)(dp, &key, &data, 0) == 0) {
	211	char p = (char )data.data;
	212	/* Skip to uid field */
	213	while (*p++ != '\0')
	214	;
	215	while (*p++ != '\0')
	216	;
	217	memcpy(&olduid, p, sizeof(olduid));
	218	} else
	219	olduid = UID_MAX;
	220	(dp->close)(dp);
	221	}
	222
	223	/* Open the temporary encrypted password database. */
	224	(void)snprintf(buf, sizeof(buf), "%s.tmp",
	225	changedir(_PATH_SMP_DB, basedir));
	226	if (username) {
	227	cp(changedir(_PATH_SMP_DB, basedir), buf, PERM_SECURE);
	228	edp = dbopen(buf,
	229	O_RDWR, PERM_SECURE, DB_HASH, &openinfo);
	230	} else {
	231	edp = dbopen(buf,
	232	O_RDWR\|O_CREAT\|O_EXCL, PERM_SECURE, DB_HASH, &openinfo);
	233	}
	234	if (!edp)
1815bff5	235	error(buf);
c3a08f59 A	236	if (fchown(edp->fd(edp), (uid_t)-1, shadow) != 0)
	237	warn("%s: unable to set group to %s", _PATH_SMP_DB,
	238	SHADOW_GROUP);
	239	else if (fchmod(edp->fd(edp), PERM_SECURE\|S_IRGRP) != 0)
	240	warn("%s: unable to make group readable", _PATH_SMP_DB);
	241	clean \|= FILE_SECURE;
	242
	243	/* Open the temporary insecure password database. */
	244	if (!secureonly) {
	245	(void)snprintf(buf, sizeof(buf), "%s.tmp",
	246	changedir(_PATH_MP_DB, basedir));
	247	if (username) {
	248	cp(changedir(_PATH_MP_DB, basedir), buf, PERM_INSECURE);
	249	dp = dbopen(buf, O_RDWR, PERM_INSECURE, DB_HASH,
	250	&openinfo);
	251	} else {
	252	dp = dbopen(buf, O_RDWR\|O_CREAT\|O_EXCL, PERM_INSECURE,
	253	DB_HASH, &openinfo);
	254	}
	255	if (dp == NULL)
	256	error(buf);
	257	clean \|= FILE_INSECURE;
	258	} else
	259	dp = NULL;
1815bff5 A	260
	261	/*
	262	* Open file for old password file. Minor trickiness -- don't want to
	263	* chance the file already existing, since someone (stupidly) might
	264	* still be using this for permission checking. So, open it first and
	265	* fdopen the resulting fd. The resulting file should be readable by
	266	* everyone.
	267	*/
	268	if (makeold) {
	269	(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
	270	if ((tfd = open(buf,
	271	O_WRONLY\|O_CREAT\|O_EXCL, PERM_INSECURE)) < 0)
	272	error(buf);
	273	if ((oldfp = fdopen(tfd, "w")) == NULL)
	274	error(buf);
c3a08f59	275	clean \|= FILE_ORIG;
1815bff5 A	276	}
	277
	278	/*
	279	* The databases actually contain three copies of the original data.
	280	* Each password file entry is converted into a rough approximation
	281	* of a ``struct passwd'', with the strings placed inline. This
	282	* object is then stored as the data for three separate keys. The
	283	* first key * is the pw_name field prepended by the _PW_KEYBYNAME
	284	* character. The second key is the pw_uid field prepended by the
	285	* _PW_KEYBYUID character. The third key is the line number in the
	286	* original file prepended by the _PW_KEYBYNUM character. (The special
	287	* characters are prepended to ensure that the keys do not collide.)
c3a08f59 A	288	*
	289	* If we see something go by that looks like YP, we save a special
	290	* pointer record, which if YP is enabled in the C lib, will speed
	291	* things up.
1815bff5	292	*/
1815bff5	293
c3a08f59 A	294	/*
	295	* Write the .db files.
	296	* We do this three times, one per key type (for getpw{nam,uid,ent}).
	297	* The first time through we also check for YP, issue warnings
	298	* and save the V7 format passwd file if necessary.
	299	*/
	300	db_store(fp, oldfp, edp, dp, &pwd, _PW_KEYBYNAME, username, olduid);
	301	db_store(fp, oldfp, edp, dp, &pwd, _PW_KEYBYUID, username, olduid);
	302	db_store(fp, oldfp, edp, dp, &pwd, _PW_KEYBYNUM, username, olduid);
1815bff5	303
c3a08f59 A	304	/* Store YP token, if needed. */
	305	if (hasyp && !username) {
	306	key.data = (u_char *)_PW_YPTOKEN;
	307	key.size = strlen(_PW_YPTOKEN);
	308	data.data = (u_char *)NULL;
	309	data.size = 0;
1815bff5	310
1815bff5 A	311	if ((edp->put)(edp, &key, &data, R_NOOVERWRITE) == -1)
	312	error("put");
	313
c3a08f59	314	if (dp && (dp->put)(dp, &key, &data, R_NOOVERWRITE) == -1)
1815bff5 A	315	error("put");
	316	}
	317
c3a08f59 A	318	if ((edp->close)(edp))
	319	error("close edp");
	320	if (dp && (dp->close)(dp))
	321	error("close dp");
	322	if (makeold) {
	323	if (fclose(oldfp) == EOF)
	324	error("close old");
	325	}
1815bff5 A	326
	327	/* Set master.passwd permissions, in case caller forgot. */
	328	(void)fchmod(fileno(fp), S_IRUSR\|S_IWUSR);
c3a08f59 A	329	if (fclose(fp) != 0)
c3a08f59 A	330	error("fclose");
1815bff5 A	331
1815bff5 A	332	/* Install as the real password files. */
c3a08f59 A	333	if (!secureonly) {
	334	(void)snprintf(buf, sizeof(buf), "%s.tmp",
	335	changedir(_PATH_MP_DB, basedir));
	336	mv(buf, changedir(_PATH_MP_DB, basedir));
	337	}
	338	(void)snprintf(buf, sizeof(buf), "%s.tmp",
	339	changedir(_PATH_SMP_DB, basedir));
	340	mv(buf, changedir(_PATH_SMP_DB, basedir));
1815bff5 A	341	if (makeold) {
1815bff5 A	342	(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
c3a08f59	343	mv(buf, changedir(_PATH_PASSWD, basedir));
1815bff5	344	}
c3a08f59	345
1815bff5 A	346	/*
	347	* Move the master password LAST -- chpass(1), passwd(1) and vipw(8)
	348	* all use flock(2) on it to block other incarnations of themselves.
	349	* The rename means that everything is unlocked, as the original file
	350	* can no longer be accessed.
	351	*/
c3a08f59	352	mv(pname, changedir(_PATH_MASTERPASSWD, basedir));
1815bff5 A	353	exit(0);
	354	}
	355
	356	int
c3a08f59	357	scan(FILE fp, struct passwd pw, int *flags)
1815bff5 A	358	{
	359	static int lcnt;
	360	static char line[LINE_MAX];
	361	char *p;
	362
c3a08f59	363	if (fgets(line, sizeof(line), fp) == NULL)
1815bff5	364	return (0);
1815bff5 A	365	++lcnt;
	366	/*
	367	* ``... if I swallow anything evil, put your fingers down my
	368	* throat...''
	369	* -- The Who
	370	*/
c3a08f59 A	371	p = line;
c3a08f59 A	372	if (p != '\0' && (p += strlen(line) - 1) != '\n') {
1815bff5 A	373	warnx("line too long");
1815bff5 A	374	goto fmt;
1815bff5 A	375	}
1815bff5 A	376	*p = '\0';
c3a08f59 A	377	*flags = 0;
c3a08f59 A	378	if (!pw_scan(line, pw, flags)) {
1815bff5 A	379	warnx("at line #%d", lcnt);
	380	fmt: errno = EFTYPE; /* XXX */
	381	error(pname);
	382	}
	383
	384	return (1);
	385	}
	386
cf37c299 A	387	void
	388	cp(char from, char to, mode_t mode)
	389	{
c3a08f59	390	static char buf[MAXBSIZE];
cf37c299 A	391	int from_fd, to_fd;
cf37c299 A	392	ssize_t rcount, wcount;
c3a08f59 A	393
	394	if ((from_fd = open(from, O_RDONLY, 0)) < 0)
	395	error(from);
	396	if ((to_fd = open(to, O_WRONLY\|O_CREAT\|O_EXCL, mode)) < 0)
	397	error(to);
	398	while ((rcount = read(from_fd, buf, MAXBSIZE)) > 0) {
	399	wcount = write(to_fd, buf, rcount);
	400	if (rcount != wcount \|\| wcount == -1) {
	401	int sverrno = errno;
	402
	403	(void)snprintf(buf, sizeof(buf), "%s to %s", from, to);
	404	errno = sverrno;
	405	error(buf);
	406	}
	407	}
	408	if (rcount < 0) {
	409	int sverrno = errno;
	410
	411	(void)snprintf(buf, sizeof(buf), "%s to %s", from, to);
	412	errno = sverrno;
	413	error(buf);
	414	}
	415	}
	416
1815bff5	417	void
cf37c299	418	mv(char from, char to)
1815bff5	419	{
c3a08f59	420	char buf[MAXPATHLEN * 2];
1815bff5 A	421
	422	if (rename(from, to)) {
	423	int sverrno = errno;
c3a08f59	424
1815bff5 A	425	(void)snprintf(buf, sizeof(buf), "%s to %s", from, to);
	426	errno = sverrno;
	427	error(buf);
	428	}
	429	}
	430
	431	void
cf37c299	432	error(char *name)
1815bff5	433	{
c3a08f59 A	434	warn("%s", name);
	435	cleanup();
	436	exit(1);
	437	}
	438
	439	void
cf37c299	440	errorx(char *name)
c3a08f59	441	{
c3a08f59	442	warnx("%s", name);
1815bff5 A	443	cleanup();
	444	exit(1);
	445	}
	446
	447	void
cf37c299	448	cleanup(void)
1815bff5 A	449	{
	450	char buf[MAXPATHLEN];
	451
c3a08f59	452	if (clean & FILE_ORIG) {
1815bff5 A	453	(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
1815bff5 A	454	(void)unlink(buf);
c3a08f59 A	455	}
	456	if (clean & FILE_SECURE) {
	457	(void)snprintf(buf, sizeof(buf), "%s.tmp",
	458	changedir(_PATH_SMP_DB, basedir));
1815bff5	459	(void)unlink(buf);
c3a08f59 A	460	}
	461	if (clean & FILE_INSECURE) {
	462	(void)snprintf(buf, sizeof(buf), "%s.tmp",
	463	changedir(_PATH_MP_DB, basedir));
1815bff5 A	464	(void)unlink(buf);
	465	}
	466	}
	467
	468	void
c3a08f59	469	usage(void)
1815bff5	470	{
c3a08f59 A	471	(void)fprintf(stderr,
c3a08f59 A	472	"usage: pwd_mkdb [-c] [-p \| -s] [-d basedir] [-u username] file\n");
1815bff5 A	473	exit(1);
1815bff5 A	474	}
c3a08f59 A	475
	476	char *
	477	changedir(char path, char dir)
	478	{
	479	static char fixed[MAXPATHLEN];
	480	char *p;
	481
	482	if (!dir)
	483	return (path);
	484
	485	if ((p = strrchr(path, '/')) != NULL)
	486	path = p + 1;
	487	snprintf(fixed, sizeof(fixed), "%s/%s", dir, path);
	488	return (fixed);
	489	}
	490
	491	void
	492	db_store(FILE fp, FILE oldfp, DB edp, DB dp, struct passwd *pw,
	493	int keytype, char *username, uid_t olduid)
	494	{
	495	int flags = 0;
	496	int dbmode, found = 0;
	497	u_int cnt;
	498	char p, t, buf[LINE_MAX * 2], tbuf[1024];
	499	DBT data, key;
	500	size_t len;
	501	static int firsttime = 1;
	502
	503	/* If given a username just add that record to the existing db. */
	504	dbmode = username ? 0 : R_NOOVERWRITE;
	505
	506	rewind(fp);
	507	data.data = (u_char *)buf;
	508	key.data = (u_char *)tbuf;
	509	for (cnt = 1; scan(fp, pw, &flags); ++cnt) {
	510
83f6dbe8 A	511	#ifdef __APPLE__
	512	if (pw->pw_name == NULL)
	513	continue;
	514	#endif
	515
c3a08f59 A	516	if (firsttime) {
	517	/* Look like YP? */
	518	if ((pw->pw_name[0] == '+') \|\| (pw->pw_name[0] == '-'))
	519	hasyp++;
	520
	521	/* Warn about potentially unsafe uid/gid overrides. */
	522	if (pw->pw_name[0] == '+') {
	523	if (!(flags & _PASSWORD_NOUID) && !pw->pw_uid)
	524	warnx("line %d: superuser override in "
	525	"YP inclusion", cnt);
	526	if (!(flags & _PASSWORD_NOGID) && !pw->pw_gid)
	527	warnx("line %d: wheel override in "
	528	"YP inclusion", cnt);
	529	}
	530
	531	/* Create V7 format password file entry. */
	532	if (oldfp != NULL)
	533	if (fprintf(oldfp, "%s:*:%u:%u:%s:%s:%s\n",
	534	pw->pw_name, pw->pw_uid, pw->pw_gid,
	535	pw->pw_gecos, pw->pw_dir, pw->pw_shell)
	536	== EOF)
	537	error("write old");
	538	}
	539
	540	/* Are we updating a specific record? */
	541	if (username) {
	542	if (strcmp(username, pw->pw_name) != 0)
	543	continue;
	544	found = 1;
	545	/* If the uid changed, remove the old record by uid. */
	546	if (olduid != UID_MAX && olduid != pw->pw_uid) {
	547	tbuf[0] = _PW_KEYBYUID;
	548	memcpy(tbuf + 1, &olduid, sizeof(olduid));
	549	key.size = sizeof(olduid) + 1;
	550	(edp->del)(edp, &key, 0);
	551	if (dp)
	552	(dp->del)(dp, &key, 0);
	553	}
	554	/* XXX - should check to see if line number changed. */
	555	}
	556
	557	/* Build the key. */
	558	tbuf[0] = keytype;
	559	switch (keytype) {
	560	case _PW_KEYBYNUM:
	561	memmove(tbuf + 1, &cnt, sizeof(cnt));
	562	key.size = sizeof(cnt) + 1;
	563	break;
	564
	565	case _PW_KEYBYNAME:
	566	len = strlen(pw->pw_name);
	567	memmove(tbuf + 1, pw->pw_name, len);
	568	key.size = len + 1;
	569	break;
	570
	571	case _PW_KEYBYUID:
	572	memmove(tbuf + 1, &pw->pw_uid, sizeof(pw->pw_uid));
	573	key.size = sizeof(pw->pw_uid) + 1;
	574	break;
	575	}
	576
	577	#define COMPACT(e) t = e; while ((p++ = t++));
	578	/* Create the secure record. */
	579	p = buf;
580	COMPACT(pw->pw_name);
581	COMPACT(pw->pw_passwd);
582	memmove(p, &pw->pw_uid, sizeof(uid_t));
583	p += sizeof(uid_t);
584	memmove(p, &pw->pw_gid, sizeof(gid_t));
585	p += sizeof(gid_t);
586	memmove(p, &pw->pw_change, sizeof(time_t));
587	p += sizeof(time_t);
588	COMPACT(pw->pw_class);
589	COMPACT(pw->pw_gecos);
590	COMPACT(pw->pw_dir);
591	COMPACT(pw->pw_shell);
592	memmove(p, &pw->pw_expire, sizeof(time_t));
593	p += sizeof(time_t);
594	memmove(p, &flags, sizeof(int));
595	p += sizeof(int);
596	data.size = p - buf;
597
598	/* Write the secure record. */
599	if ((edp->put)(edp, &key, &data, dbmode) == -1)
600	error("put");
601
602	if (dp == NULL)
603	continue;
604
605	/* Star out password to make insecure record. */
606	p = buf + strlen(pw->pw_name) + 1; /* skip pw_name */
607	len = strlen(pw->pw_passwd);
608	memset(p, 0, len); /* zero pw_passwd */
609	t = p + len + 1; /* skip pw_passwd */
610	if (len != 0)
611	p++ = '';
612	*p++ = '\0';
613	memmove(p, t, data.size - (t - buf));
614	data.size -= len - 1;
615
616	/* Write the insecure record. */
617	if ((dp->put)(dp, &key, &data, dbmode) == -1)
618	error("put");
619	}
620	if (firsttime) {
621	firsttime = 0;
622	if (username && !found && olduid != UID_MAX)
623	errorx("can't find user in master.passwd");
624	}
625	}