* NEWS, src/chpasswd.c, man/chpasswd.8.xml, man/login.defs.5.xml:

PAM enabled versions: restore the -e option to allow restoring
	passwords without knowing those passwords. Restore together the -m
	and -c options.
This commit is contained in:
nekral-guest 2010-03-25 20:35:59 +00:00
parent fcd5b38caf
commit 97961b8bee
5 changed files with 120 additions and 90 deletions

View File

@ -1,3 +1,10 @@
2010-03-25 Nicolas François <nicolas.francois@centraliens.net>
* NEWS, src/chpasswd.c, man/chpasswd.8.xml, man/login.defs.5.xml:
PAM enabled versions: restore the -e option to allow restoring
passwords without knowing those passwords. Restore together the -m
and -c options.
2010-03-23 Nicolas François <nicolas.francois@centraliens.net>
* src/su.c, src/vipw.c, src/newgrp.c: When the child is

5
NEWS
View File

@ -8,6 +8,11 @@ shadow-4.1.4.2 -> shadow-4.1.5 UNRELEASED
* initial support for tcb (http://openwall.com/tcb/) for useradd,
userdel, usermod, chage, pwck, vipw.
-chpasswd
* PAM enabled versions: restore the -e option to allow restoring
passwords without knowing those passwords. Restore together the -m
and -c options. (These options were removed in shadow-4.1.4 on PAM
enabled versions)
- faillog
* The -l, -m, -r, -t options only act on the existing users, unless -a is
specified.

View File

@ -67,38 +67,37 @@
<emphasis remap='I'>user_name</emphasis>:<emphasis
remap='I'>password</emphasis>
</para>
<refsect2 condition="no_pam">
<para>
By default the supplied password must be in clear-text, and is
By default the passwords must be supplied in clear-text, and are
encrypted by <command>chpasswd</command>.
Also the password age will be updated, if present.
</para>
<para>
<para condition="no_pam">
The default encryption algorithm can be defined for the system with
the ENCRYPT_METHOD variable of <filename>/etc/login.defs</filename>,
and can be overwiten with the <option>-e</option>,
<option>-m</option>, or <option>-c</option> options.
the <option>ENCRYPT_METHOD</option> or
<option>MD5_CRYPT_ENAB</option> variables of
<filename>/etc/login.defs</filename>, and can be overwitten with the
<option>-e</option>, <option>-m</option>, or <option>-c</option>
options.
</para>
<para condition="pam">
By default, passwords are encrypted by PAM, but (even if not
recommended) you can select a different encryption method with the
<option>-e</option>, <option>-m</option>, or <option>-c</option>
options.
</para>
<para>
<command>chpasswd</command> first update the password in memory,
and then commit all the changes to disk if no errors occured for
any users.
<phrase condition="pam">Except when PAM is used to encrypt the
passwords,</phrase> <command>chpasswd</command> first updates all the
passwords in memory, and then commits all the changes to disk if no
errors occured for any user.
</para>
</refsect2>
<refsect2 condition="pam">
<para>
The supplied passwords must be in clear-text.
<para condition="pam">
When PAM is used to encrypt the passwords (and update the passwords in
the system database) then if a password cannot be updated
<command>chpasswd</command> continues updating the passwords of the
next users, and will return an error code on exit.
</para>
<para>
PAM is used to update the password in the system database
according to the PAM chpasswd configuration.
</para>
<para>
When <command>chpasswd</command> fails to update a password, it
continues updating the passwords of the next users, and will
return an error code on exit.
</para>
</refsect2>
<para>
This command is intended to be used in a large system environment
where many accounts are created at a single time.
@ -111,9 +110,12 @@
The options which apply to the <command>chpasswd</command> command
are:
</para>
<variablelist remap='IP' condition="no_pam">
<variablelist remap='IP'>
<varlistentry>
<term><option>-c</option>, <option>--crypt-method</option></term>
<term>
<option>-c</option>, <option>--crypt-method</option>
<replaceable>METHOD</replaceable>
</term>
<listitem>
<para>Use the specified method to encrypt the passwords.</para>
<para condition="no_sha_crypt">
@ -123,6 +125,17 @@
The available methods are DES, MD5, NONE, and SHA256 or SHA512
if your libc support these methods.
</para>
<para condition="pam">
By default, PAM is used to encrypt the passwords.
</para>
<para condition="no_pam">
By default (if none of the <option>-c</option>,
<option>-m</option>, or <option>-e</option> options are
specified), the encryption method is defined by the
<option>ENCRYPT_METHOD</option> or
<option>MD5_CRYPT_ENAB</option> variables of
<filename>/etc/login.defs</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
@ -140,7 +153,7 @@
</listitem>
</varlistentry>
</variablelist>
<variablelist remap='IP' condition="no_pam">
<variablelist remap='IP'>
<varlistentry>
<term><option>-m</option>, <option>--md5</option></term>
<listitem>
@ -151,7 +164,10 @@
</listitem>
</varlistentry>
<varlistentry condition="sha_crypt">
<term><option>-s</option>, <option>--sha-rounds</option></term>
<term>
<option>-s</option>, <option>--sha-rounds</option>
<replaceable>ROUNDS</replaceable>
</term>
<listitem>
<para>
Use the specified number of rounds to encrypt the passwords.
@ -170,7 +186,8 @@
</para>
<para>
By default, the number of rounds is defined by the
SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
<option>SHA_CRYPT_MIN_ROUNDS</option> and
<option>SHA_CRYPT_MAX_ROUNDS</option> variables in
<filename>/etc/login.defs</filename>.
</para>
</listitem>
@ -184,22 +201,20 @@
Remember to set permissions or umask to prevent readability of
unencrypted files by other users.
</para>
<para condition="no_pam">
You should make sure the passwords and the encryption method respect
the system's password policy.
</para>
</refsect1>
<refsect1 id='configuration' condition="no_pam">
<refsect1 id='configuration'>
<title>CONFIGURATION</title>
<para>
The following configuration variables in
<filename>/etc/login.defs</filename> change the behavior of this
tool:
</para>
<variablelist>
<variablelist condition="no_pam">
&ENCRYPT_METHOD;
&MD5_CRYPT_ENAB;
</variablelist>
<variablelist>
&SHA_CRYPT_MIN_ROUNDS; <!--documents also SHA_CRYPT_MAX_ROUNDS-->
</variablelist>
</refsect1>
@ -207,19 +222,19 @@
<refsect1 id='files'>
<title>FILES</title>
<variablelist>
<varlistentry condition="no_pam">
<varlistentry>
<term><filename>/etc/passwd</filename></term>
<listitem>
<para>User account information.</para>
</listitem>
</varlistentry>
<varlistentry condition="no_pam">
<varlistentry>
<term><filename>/etc/shadow</filename></term>
<listitem>
<para>Secure user account information.</para>
</listitem>
</varlistentry>
<varlistentry condition="no_pam">
<varlistentry>
<term><filename>/etc/login.defs</filename></term>
<listitem>
<para>Shadow password suite configuration.</para>
@ -243,7 +258,7 @@
<citerefentry>
<refentrytitle>newusers</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<phrase condition="no_pam">
<phrase>
<citerefentry>
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,

View File

@ -245,11 +245,12 @@
</para>
</listitem>
</varlistentry>
<varlistentry condition="no_pam">
<varlistentry>
<term>chpasswd</term>
<listitem>
<para>
ENCRYPT_METHOD MD5_CRYPT_ENAB
<phrase condition="no_pam">ENCRYPT_METHOD
MD5_CRYPT_ENAB </phrase>
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS</phrase>
</para>

View File

@ -54,7 +54,6 @@
* Global variables
*/
char *Prog;
#ifndef USE_PAM
static bool cflg = false;
static bool eflg = false;
static bool md5flg = false;
@ -70,7 +69,6 @@ static long sha_rounds = 5000;
static bool is_shadow_pwd;
static bool pw_locked = false;
static bool spw_locked = false;
#endif /* !USE_PAM */
/* local function prototypes */
static void fail_exit (int code);
@ -78,17 +76,14 @@ static void usage (int status);
static void process_flags (int argc, char **argv);
static void check_flags (void);
static void check_perms (void);
#ifndef USE_PAM
static void open_files (void);
static void close_files (void);
#endif /* !USE_PAM */
/*
* fail_exit - exit with a failure code after unlocking the files
*/
static void fail_exit (int code)
{
#ifndef USE_PAM
if (pw_locked) {
if (pw_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ());
@ -104,7 +99,6 @@ static void fail_exit (int code)
/* continue */
}
}
#endif /* !USE_PAM */
exit (code);
}
@ -120,9 +114,8 @@ static void usage (int status)
"\n"
"Options:\n"),
Prog);
#ifndef USE_PAM
(void) fprintf (usageout,
_(" -c, --crypt-method the crypt method (one of %s)\n"),
_(" -c, --crypt-method <METHOD> the crypt method (one of %s)\n"),
#ifndef USE_SHA_CRYPT
"NONE DES MD5"
#else /* USE_SHA_CRYPT */
@ -130,9 +123,7 @@ static void usage (int status)
#endif /* USE_SHA_CRYPT */
);
(void) fputs (_(" -e, --encrypted supplied passwords are encrypted\n"), usageout);
#endif /* !USE_PAM */
(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
#ifndef USE_PAM
(void) fputs (_(" -m, --md5 encrypt the clear text password using\n"
" the MD5 algorithm\n"),
usageout);
@ -141,7 +132,6 @@ static void usage (int status)
" crypt algorithms\n"),
usageout);
#endif /* USE_SHA_CRYPT */
#endif /* !USE_PAM */
(void) fputs ("\n", usageout);
exit (status);
@ -157,34 +147,27 @@ static void process_flags (int argc, char **argv)
int option_index = 0;
int c;
static struct option long_options[] = {
#ifndef USE_PAM
{"crypt-method", required_argument, NULL, 'c'},
{"encrypted", no_argument, NULL, 'e'},
{"md5", no_argument, NULL, 'm'},
#ifdef USE_SHA_CRYPT
{"sha-rounds", required_argument, NULL, 's'},
#endif /* USE_SHA_CRYPT */
#endif /* !USE_PAM */
{"help", no_argument, NULL, 'h'},
{NULL, 0, NULL, '\0'}
};
while ((c = getopt_long (argc, argv,
#ifndef USE_PAM
#ifdef USE_SHA_CRYPT
"c:ehms:",
#else /* !USE_SHA_CRYPT */
"c:ehm",
#endif /* !USE_SHA_CRYPT */
#else
"h",
#endif /* !USE_PAM */
long_options, &option_index)) != -1) {
switch (c) {
case 'h':
usage (E_SUCCESS);
break;
#ifndef USE_PAM
case 'c':
cflg = true;
crypt_method = optarg;
@ -206,7 +189,6 @@ static void process_flags (int argc, char **argv)
}
break;
#endif /* USE_SHA_CRYPT */
#endif /* !USE_PAM */
default:
usage (E_USAGE);
break;
@ -224,7 +206,6 @@ static void process_flags (int argc, char **argv)
*/
static void check_flags (void)
{
#ifndef USE_PAM
#ifdef USE_SHA_CRYPT
if (sflg && !cflg) {
fprintf (stderr,
@ -249,7 +230,7 @@ static void check_flags (void)
#ifdef USE_SHA_CRYPT
&& (0 != strcmp (crypt_method, "SHA256"))
&& (0 != strcmp (crypt_method, "SHA512"))
#endif
#endif /* USE_SHA_CRYPT */
) {
fprintf (stderr,
_("%s: unsupported crypt method: %s\n"),
@ -257,7 +238,6 @@ static void check_flags (void)
usage (E_USAGE);
}
}
#endif /* USE_PAM */
}
/*
@ -274,6 +254,10 @@ static void check_perms (void)
{
#ifdef USE_PAM
#ifdef ACCT_TOOLS_SETUID
/* If chpasswd uses PAM and is SUID, check the permissions,
* otherwise, the permissions are enforced by the access to the
* passwd and shadow files.
*/
pam_handle_t *pamh = NULL;
int retval;
struct passwd *pampw;
@ -307,7 +291,6 @@ static void check_perms (void)
#endif /* USE_PAM */
}
#ifndef USE_PAM
/*
* open_files - lock and open the password databases
*/
@ -383,7 +366,6 @@ static void close_files (void)
}
pw_locked = false;
}
#endif
int main (int argc, char **argv)
{
@ -392,13 +374,9 @@ int main (int argc, char **argv)
char *newpwd;
char *cp;
#ifndef USE_PAM
const struct spwd *sp;
struct spwd newsp;
const struct passwd *pw;
struct passwd newpw;
#endif /* !USE_PAM */
#ifdef USE_PAM
bool use_pam = true;
#endif /* USE_PAM */
int errors = 0;
int line = 0;
@ -411,15 +389,24 @@ int main (int argc, char **argv)
process_flags (argc, argv);
#ifdef USE_PAM
if (md5flg || eflg || cflg) {
use_pam = false;
}
#endif /* USE_PAM */
OPENLOG ("chpasswd");
check_perms ();
#ifndef USE_PAM
#ifdef USE_PAM
if (!use_pam)
#endif /* USE_PAM */
{
is_shadow_pwd = spw_file_present ();
open_files ();
#endif
}
/*
* Read each line, separating the user name from the password. The
@ -468,13 +455,21 @@ int main (int argc, char **argv)
newpwd = cp;
#ifdef USE_PAM
if (use_pam){
if (do_pam_passwd_non_interractive ("chpasswd", name, newpwd) != 0) {
fprintf (stderr,
_("%s: (line %d, user %s) password not changed\n"),
Prog, line, name);
errors++;
}
#else /* !USE_PAM */
} else
#endif /* USE_PAM */
{
const struct spwd *sp;
struct spwd newsp;
const struct passwd *pw;
struct passwd newpw;
if ( !eflg
&& ( (NULL == crypt_method)
|| (0 != strcmp (crypt_method, "NONE")))) {
@ -553,7 +548,7 @@ int main (int argc, char **argv)
continue;
}
}
#endif /* !USE_PAM */
}
}
/*
@ -567,17 +562,24 @@ int main (int argc, char **argv)
* password database.
*/
if (0 != errors) {
#ifndef USE_PAM
#ifdef USE_PAM
if (!use_pam)
#endif /* USE_PAM */
{
fprintf (stderr,
_("%s: error detected, changes ignored\n"), Prog);
#endif
_("%s: error detected, changes ignored\n"),
Prog);
}
fail_exit (1);
}
#ifndef USE_PAM
#ifdef USE_PAM
if (!use_pam)
#endif /* USE_PAM */
{
/* Save the changes */
close_files ();
#endif
}
nscd_flush_cache ("passwd");