diff options
-rw-r--r-- | lib/lib.h | 5 | ||||
-rw-r--r-- | lib/password.c | 142 | ||||
-rw-r--r-- | toys/passwd.c | 274 |
3 files changed, 421 insertions, 0 deletions
@@ -168,3 +168,8 @@ int sig_to_num(char *pidstr); char *num_to_sig(int sig); mode_t string_to_mode(char *mode_str, mode_t base); + +// password helper functions +int read_passwd(char * buff, int buflen, char* mesg); +int update_passwd(char *filename, char* username, char* encrypted); + diff --git a/lib/password.c b/lib/password.c new file mode 100644 index 00000000..2b11144e --- /dev/null +++ b/lib/password.c @@ -0,0 +1,142 @@ +/* vi: set sw=4 ts=4 : + * pwdutils.c - password read/update helper functions. + * + * Copyright 2012 Ashwini Kumar <ak.ashwini@gmail.com> + */ + +#include "toys.h" +#include <time.h> + + +int read_passwd(char * buff, int buflen, char* mesg) +{ + int i = 0; + struct termios termio, oldtermio; + tcgetattr(0, &oldtermio); + tcflush(0, TCIFLUSH); + termio = oldtermio; + + termio.c_iflag &= ~(IUCLC|IXON|IXOFF|IXANY); + termio.c_lflag &= ~(ECHO|ECHOE|ECHOK|ECHONL|TOSTOP); + tcsetattr(0, TCSANOW, &termio); + + fputs(mesg, stdout); + fflush(stdout); + + while (1) { + int ret = read(0, &buff[i], 1); + if ( ret < 0 ) { + buff[0] = 0; + tcsetattr(0, TCSANOW, &oldtermio); + return 1; + } + else if ( ret == 0 || buff[i] == '\n' || + buff[i] == '\r' || buflen == i+1) { + buff[i] = '\0'; + break; + } + i++; + } + + tcsetattr(0, TCSANOW, &oldtermio); + puts(""); + fflush(stdout); + return 0; +} + +static char *get_nextcolon(const char *line, char delim) +{ + char *current_ptr = NULL; + if((current_ptr = strchr(line, ':')) == NULL) + error_exit("Invalid Entry\n"); + return current_ptr; +} + +int update_passwd(char *filename, char* username, char* encrypted) +{ + char *filenamesfx = NULL, *namesfx = NULL; + char *shadow = NULL, *sfx = NULL; + FILE *exfp, *newfp; + int ret = -1; //fail + struct flock lock; + char *line = NULL; + + shadow = strstr(filename, "shadow"); + filenamesfx = xmsprintf("%s+", filename); + sfx = strchr(filenamesfx, '+'); + + exfp = fopen(filename, "r+"); + if(!exfp) { + perror_msg("Couldn't open file %s",filename); + goto free_storage; + } + + *sfx = '-'; + ret = unlink(filenamesfx); + ret = link(filename, filenamesfx); + if(ret < 0) error_msg("can't create backup file"); + + *sfx = '+'; + lock.l_type = F_WRLCK; + lock.l_whence = SEEK_SET; + lock.l_start = 0; + lock.l_len = 0; + + ret = fcntl(fileno(exfp), F_SETLK, &lock); + if(ret < 0) perror_msg("Couldn't lock file %s",filename); + + lock.l_type = F_UNLCK; //unlocking at a later stage + + newfp = fopen(filenamesfx, "w+"); + if(!newfp) { + error_msg("couldn't open file for writing"); + ret = -1; + fclose(exfp); + goto free_storage; + } + + ret = 0; + namesfx = xmsprintf("%s:",username); + while((line = get_line(fileno(exfp))) != NULL) + { + if(strncmp(line, namesfx, strlen(namesfx)) != 0) + fprintf(newfp, "%s\n", line); + else { + char *current_ptr = NULL; + fprintf(newfp, "%s%s:",namesfx,encrypted); + current_ptr = get_nextcolon(line, ':'); //past username + current_ptr++; //past colon ':' after username + current_ptr = get_nextcolon(current_ptr, ':'); //past passwd + current_ptr++; //past colon ':' after passwd + if(shadow) { + fprintf(newfp, "%u:",(unsigned)(time(NULL))/(24*60*60)); + current_ptr = get_nextcolon(current_ptr, ':'); + current_ptr++; //past time stamp colon. + fprintf(newfp, "%s\n",current_ptr); + } + else { + fprintf(newfp, "%s\n",current_ptr); + } + } + + free(line); + } + free(namesfx); + fcntl(fileno(exfp), F_SETLK, &lock); + fclose(exfp); + + errno = 0; + fflush(newfp); + fsync(fileno(newfp)); + fclose(newfp); + rename(filenamesfx, filename); + if(errno) { + perror_msg("File Writing/Saving failed: "); + unlink(filenamesfx); + ret = -1; + } + +free_storage: + free(filenamesfx); + return ret; +} diff --git a/toys/passwd.c b/toys/passwd.c new file mode 100644 index 00000000..501ce952 --- /dev/null +++ b/toys/passwd.c @@ -0,0 +1,274 @@ +/* vi: set sw=4 ts=4: + * + * passwd.c - Program to upadte user password. + * + * Copyright 2012 Ashwini Kumar <ak.ashwini@gmail.com> + * Modified 2012 Jason Kyungwan Han <asura321@gmail.com> + * + * Not in SUSv4. + +USE_PASSWD(NEWTOY(passwd, ">1a:dlu", TOYFLAG_STAYROOT|TOYFLAG_USR|TOYFLAG_BIN)) + +config PASSWD + bool "passwd" + default y + help + usage: passwd [-a ALGO] [-d] [-l] [-u] <account name> + + update user’s authentication tokens. Default : current user + + -a ALGO Encryption method (des, md5, sha256, sha512) default: des + -d Set password to '' + -l Lock (disable) account + -u Unlock (enable) account + +*/ + +#include "toys.h" +#include <time.h> + + +DEFINE_GLOBALS( + char *algo; +) + +#define TT this.passwd + +#define FLAG_u (1 << 0) +#define FLAG_l (1 << 1) +#define FLAG_d (1 << 2) +#define FLAG_a (1 << 3) + +#define MAX_SALT_LEN 20 //3 for id, 16 for key, 1 for '\0' +#define URANDOM_PATH "/dev/urandom" + +#ifndef _GNU_SOURCE +char *strcasestr(const char *haystack, const char *needle); +#endif + +unsigned int random_number_generator(int fd) +{ + unsigned int randnum; + xreadall(fd, &randnum, sizeof(randnum)); + return randnum; +} + + + +char inttoc(int i) +{ + // salt value uses 64 chracters in "./0-9a-zA-Z" + const char character_set[]="./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; + i &= 0x3f; // masking for using 10 bits only + return character_set[i]; +} + +int get_salt(char *salt) +{ + int i, salt_length = 0; + int randfd; + if(!strncmp(TT.algo,"des",3)){ + // 2 bytes salt value is used in des + salt_length = 2; + } else { + *salt++ = '$'; + if(!strncmp(TT.algo,"md5",3)){ + *salt++ = '1'; + // 8 bytes salt value is used in md5 + salt_length = 8; + } else if(!strncmp(TT.algo,"sha256",6)){ + *salt++ = '5'; + // 16 bytes salt value is used in sha256 + salt_length = 16; + } else if(!strncmp(TT.algo,"sha512",6)){ + *salt++ = '6'; + // 16 bytes salt value is used in sha512 + salt_length = 16; + } else return 1; + + *salt++ = '$'; + } + + randfd = xopen(URANDOM_PATH, O_RDONLY); + for(i=0; i<salt_length; i++) + salt[i] = inttoc(random_number_generator(randfd)); + salt[salt_length+1] = '\0'; + xclose(randfd); + + return 0; +} + +static int str_check(char *s, char *p) +{ + if((strcasestr(s, p) != NULL) || (strcasestr(p, s) != NULL)) + return 1; + return 0; +} + +static void strength_check(char *newp, char *oldp, char *user) +{ + char *msg = NULL; + if(strlen(newp) < 6) { //Min passwd len + msg = "too short"; + xprintf("BAD PASSWORD: %s\n",msg); + } + if(!newp[0]) + return; //passwd is empty + + if(str_check(newp, user)) { + msg = "user based password"; + xprintf("BAD PASSWORD: %s\n",msg); + } + + if(oldp[0] && str_check(newp, oldp)) { + msg = "based on old passwd"; + xprintf("BAD PASSWORD: %s\n",msg); + } +} + +static int verify_passwd(char * pwd) +{ + char * pass; + + if (!pwd) return 1; + if (pwd[0] == '!' || pwd[0] == '*') return 1; + + pass = crypt(toybuf, pwd); + if (pass != NULL && strcmp(pass, pwd)==0) + return 0; + + return 1; +} + +static char *new_password(char *oldp, char *user) +{ + char *newp = NULL; + + if(read_passwd(toybuf, sizeof(toybuf), "New password:")) + return NULL; //may be due to Ctrl-C + + newp = xstrdup(toybuf); + strength_check(newp, oldp, user); + if(read_passwd(toybuf, sizeof(toybuf), "Retype password:")) { + free(newp); + return NULL; //may be due to Ctrl-C + } + + if(strcmp(newp, toybuf) == 0) + return newp; + else error_msg("Passwords do not match.\n"); + /*Failure Case */ + free(newp); + return NULL; +} + + +void passwd_main(void) +{ + uid_t myuid; + struct passwd *pw; + struct spwd *sp; + char *name = NULL; + char *pass = NULL, *encrypted = NULL, *newp = NULL; + char *orig = (char *)""; + char salt[MAX_SALT_LEN]; + int ret = -1; + + myuid = getuid(); + if((myuid != 0) && (toys.optflags & (FLAG_l | FLAG_u | FLAG_d))) + error_exit("You need to be root to do these actions\n"); + + pw = getpwuid(myuid); + + if(!pw) + error_exit("Unknown uid '%u'",myuid); + + if(toys.optargs[0]) + name = toys.optargs[0]; + else + name = xstrdup(pw->pw_name); + + pw = getpwnam(name); + if(!pw) error_exit("Unknown user '%s'",name); + + if(myuid != 0 && (myuid != pw->pw_uid)) + error_exit("You need to be root to change '%s' password\n", name); + + pass = pw->pw_passwd; + if(pw->pw_passwd[0] == 'x') { + /*get shadow passwd */ + sp = getspnam(name); + if(sp) + pass = sp->sp_pwdp; + } + + + if(!(toys.optflags & (FLAG_l | FLAG_u | FLAG_d))) { + printf("Changing password for %s\n",name); + if(pass[0] == '!') + error_exit("Can't change, password is locked for %s",name); + if(myuid != 0) { + /*Validate user */ + + if(read_passwd(toybuf, sizeof(toybuf), "Origial password:")) { + if(!toys.optargs[0]) free(name); + return; + } + orig = toybuf; + if(verify_passwd(pass)) + error_exit("Authentication failed\n"); + } + + orig = xstrdup(orig); + + /*Get new password */ + newp = new_password(orig, name); + if(!newp) { + free(orig); + if(!toys.optargs[0]) free(name); + return; //new password is not set well. + } + + /*Encrypt the passwd */ + if(!(toys.optflags & FLAG_a)) TT.algo = "des"; + + if(get_salt(salt)) + error_exit("Error: Unkown encryption algorithm\n"); + + encrypted = crypt(newp, salt); + free(newp); + free(orig); + } + else if(toys.optflags & FLAG_l) { + if(pass[0] == '!') + error_exit("password is already locked for %s",name); + printf("Locking password for %s\n",name); + encrypted = xmsprintf("!%s",pass); + } + else if(toys.optflags & FLAG_u) { + if(pass[0] != '!') + error_exit("password is already unlocked for %s",name); + + printf("Unlocking password for %s\n",name); + encrypted = xstrdup(&pass[1]); + } + else if(toys.optflags & FLAG_d) { + printf("Deleting password for %s\n",name); + encrypted = (char*)xzalloc(sizeof(char)*2); //1 = "", 2 = '\0' + } + + /*Update the passwd */ + if(pw->pw_passwd[0] == 'x') + ret = update_passwd("/etc/shadow", name, encrypted); + else + ret = update_passwd("/etc/passwd", name, encrypted); + + if((toys.optflags & (FLAG_l | FLAG_u | FLAG_d))) + free(encrypted); + + if(!toys.optargs[0]) free(name); + if(!ret) + error_msg("Success"); + else + error_msg("Failure"); +} |