Head

GCC Code Coverage Report

Directory:	./		Exec	Total	Coverage
File:	usr.sbin/pwd_mkdb/pwd_mkdb.c	Lines:	189	293	64.5 %
Date:	2017-11-07	Branches:	98	195	50.3 %


/*	$OpenBSD: pwd_mkdb.c,v 1.53 2015/11/05 15:10:11 semarie Exp $	*/

/*-
 * Copyright (c) 1991, 1993, 1994
 *	The Regents of the University of California.  All rights reserved.
 * Portions Copyright (c) 1994, Jason Downs.  All rights reserved.
 * Portions Copyright (c) 1998, Todd C. Miller.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/param.h>	/* MAXBSIZE */
#include <sys/stat.h>

#include <db.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <limits.h>
#include <util.h>

#define MINIMUM(a, b)	(((a) < (b)) ? (a) : (b))

#define	INSECURE	1
#define	SECURE		2
#define	PERM_INSECURE	(S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)
#define	PERM_SECURE	(S_IRUSR|S_IWUSR)

#define FILE_SECURE	0x01
#define FILE_INSECURE	0x02
#define FILE_ORIG	0x04

#define	SHADOW_GROUP	"_shadow"

HASHINFO openinfo = {
	4096,		/* bsize */
	32,		/* ffactor */
	256,		/* nelem */
	2048 * 1024,	/* cachesize */
	NULL,		/* hash() */
	0		/* lorder */
};

static char *pname;				/* password file name */
static char *basedir;				/* dir holding master.passwd */
static int clean;				/* what to remove on cleanup */
static int hasyp;				/* are we running YP? */

void		cleanup(void);
__dead void	fatal(const char *, ...)
		    __attribute__((__format__ (printf, 1, 2)));
__dead void	fatalc(int, const char *, ...)
		    __attribute__((__format__ (printf, 2, 3)));
__dead void	fatalx(const char *, ...)
		    __attribute__((__format__ (printf, 1, 2)));
int		write_old_entry(FILE *, const struct passwd *);

void		cp(char *, char *, mode_t);
void		mv(char *, char *);
int		scan(FILE *, struct passwd *, int *);
void		usage(void);
char		*changedir(char *path, char *dir);
void		db_store(FILE *, FILE *, DB *, DB *,struct passwd *, int, char *, uid_t);

int
main(int argc, char **argv)
{
	DB *dp, *edp;
	DBT data, key;
	FILE *fp, *oldfp = NULL;
	struct stat st;
	struct passwd pwd;
	struct group *grp;
	sigset_t set;
	uid_t olduid;
	gid_t shadow;
	int ch, tfd, makeold, secureonly, flags, checkonly;
	char *username, buf[MAX(PATH_MAX, LINE_MAX * 2)];

	flags = checkonly = makeold = secureonly = 0;
	username = NULL;
	while ((ch = getopt(argc, argv, "cd:psu:v")) != -1)
		switch (ch) {
		case 'c':			/* verify only */
			checkonly = 1;
			break;
		case 'd':
			basedir = optarg;
			if (strlen(basedir) > PATH_MAX - 40)
				errx(1, "basedir too long");
			break;
		case 'p':			/* create V7 "file.orig" */
			makeold = 1;
			break;
		case 's':			/* only update spwd.db */
			secureonly = 1;
			break;
		case 'u':			/* only update this record */
			username = optarg;
			if (strlen(username) > _PW_NAME_LEN)
				errx(1, "username too long");
			break;
		case 'v':			/* backward compatible */
			break;
		case '?':
		default:
			usage();
		}
	argc -= optind;
	argv += optind;

	if (argc != 1 || (makeold && secureonly) ||
	    (username && (*username == '+' || *username == '-')))
		usage();

	if ((grp = getgrnam(SHADOW_GROUP)) == NULL)
		errx(1, "cannot find `%s' in the group database, aborting",
		    SHADOW_GROUP);
	shadow = grp->gr_gid;

	/*
	 * This could be changed to allow the user to interrupt.
	 * Probably not worth the effort.
	 */
	sigemptyset(&set);
	sigaddset(&set, SIGTSTP);
	sigaddset(&set, SIGHUP);
	sigaddset(&set, SIGINT);
	sigaddset(&set, SIGQUIT);
	sigaddset(&set, SIGTERM);
	(void)sigprocmask(SIG_BLOCK, &set, (sigset_t *)NULL);

	/* We don't care what the user wants. */
	(void)umask(0);

	if (**argv != '/' && basedir == NULL)
		errx(1, "%s must be specified as an absolute path", *argv);

	if ((pname = strdup(changedir(*argv, basedir))) == NULL)
		err(1, NULL);
	/* Open the original password file */
	if (!(fp = fopen(pname, "r")))
		fatal("%s", pname);

	/* Check only if password database is valid */
	if (checkonly) {
		u_int cnt;

		for (cnt = 1; scan(fp, &pwd, &flags); ++cnt)
			;
		exit(0);
	}

	if (fstat(fileno(fp), &st) == -1)
		fatal("%s", pname);

	/* Tweak openinfo values for large passwd files. */
	if (st.st_size > (off_t)100*1024)
		openinfo.cachesize = MINIMUM(st.st_size * 20, (off_t)12*1024*1024);
	if (st.st_size / 128 > openinfo.nelem)
		openinfo.nelem = st.st_size / 128;

	/* If only updating a single record, stash the old uid */
	if (username) {
		dp = dbopen(_PATH_MP_DB, O_RDONLY, 0, DB_HASH, NULL);
		if (dp == NULL)
			fatal(_PATH_MP_DB);
		buf[0] = _PW_KEYBYNAME;
		strlcpy(buf + 1, username, sizeof(buf) - 1);
		key.data = (u_char *)buf;
		key.size = strlen(buf + 1) + 1;
		if ((dp->get)(dp, &key, &data, 0) == 0) {
			char *p = (char *)data.data;
			/* Skip to uid field */
			while (*p++ != '\0')
				;
			while (*p++ != '\0')
				;
			memcpy(&olduid, p, sizeof(olduid));
		} else
			olduid = UID_MAX;
		(dp->close)(dp);
	}

	/* Open the temporary encrypted password database. */
	(void)snprintf(buf, sizeof(buf), "%s.tmp",
	    changedir(_PATH_SMP_DB, basedir));
	if (username) {
		cp(changedir(_PATH_SMP_DB, basedir), buf, PERM_SECURE);
		edp = dbopen(buf,
		    O_RDWR, PERM_SECURE, DB_HASH, &openinfo);
	} else {
		edp = dbopen(buf,
		    O_RDWR|O_CREAT|O_EXCL, PERM_SECURE, DB_HASH, &openinfo);
	}
	if (!edp)
		fatal("%s", buf);
	if (fchown(edp->fd(edp), (uid_t)-1, shadow) != 0)
		warn("%s: unable to set group to %s", _PATH_SMP_DB,
		    SHADOW_GROUP);
	else if (fchmod(edp->fd(edp), PERM_SECURE|S_IRGRP) != 0)
		warn("%s: unable to make group readable", _PATH_SMP_DB);
	clean |= FILE_SECURE;

	if (pledge("stdio rpath wpath cpath getpw fattr flock", NULL) == -1)
		err(1, "pledge");

	/* Open the temporary insecure password database. */
	if (!secureonly) {
		(void)snprintf(buf, sizeof(buf), "%s.tmp",
		    changedir(_PATH_MP_DB, basedir));
		if (username) {
			cp(changedir(_PATH_MP_DB, basedir), buf, PERM_INSECURE);
			dp = dbopen(buf, O_RDWR, PERM_INSECURE, DB_HASH,
			    &openinfo);
		} else {
			dp = dbopen(buf, O_RDWR|O_CREAT|O_EXCL, PERM_INSECURE,
			    DB_HASH, &openinfo);
		}
		if (dp == NULL)
			fatal("%s", buf);
		clean |= FILE_INSECURE;
	} else
		dp = NULL;

	/*
	 * Open file for old password file.  Minor trickiness -- don't want to
	 * change the file already existing, since someone (stupidly) might
	 * still be using this for permission checking.  So, open it first and
	 * fdopen the resulting fd.  The resulting file should be readable by
	 * everyone.
	 */
	if (makeold) {
		(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
		if ((tfd = open(buf,
		    O_WRONLY|O_CREAT|O_EXCL, PERM_INSECURE)) < 0)
			fatal("%s", buf);
		if ((oldfp = fdopen(tfd, "w")) == NULL)
			fatal("%s", buf);
		clean |= FILE_ORIG;
	}

	/*
	 * The databases actually contain three copies of the original data.
	 * Each password file entry is converted into a rough approximation
	 * of a ``struct passwd'', with the strings placed inline.  This
	 * object is then stored as the data for three separate keys.  The
	 * first key * is the pw_name field prepended by the _PW_KEYBYNAME
	 * character.  The second key is the pw_uid field prepended by the
	 * _PW_KEYBYUID character.  The third key is the line number in the
	 * original file prepended by the _PW_KEYBYNUM character.  (The special
	 * characters are prepended to ensure that the keys do not collide.)
	 *
	 * If we see something go by that looks like YP, we save a special
	 * pointer record, which if YP is enabled in the C lib, will speed
	 * things up.
	 */

	/*
	 * Write the .db files.
	 * We do this three times, one per key type (for getpw{nam,uid,ent}).
	 * The first time through we also check for YP, issue warnings
	 * and save the V7 format passwd file if necessary.
	 */
	db_store(fp, oldfp, edp, dp, &pwd, _PW_KEYBYNAME, username, olduid);
	db_store(fp, oldfp, edp, dp, &pwd, _PW_KEYBYUID, username, olduid);
	db_store(fp, oldfp, edp, dp, &pwd, _PW_KEYBYNUM, username, olduid);

	/* Store YP token, if needed. */
	if (hasyp && !username) {
		key.data = (u_char *)_PW_YPTOKEN;
		key.size = strlen(_PW_YPTOKEN);
		data.data = (u_char *)NULL;
		data.size = 0;

		if ((edp->put)(edp, &key, &data, R_NOOVERWRITE) == -1)
			fatal("put");

		if (dp && (dp->put)(dp, &key, &data, R_NOOVERWRITE) == -1)
			fatal("put");
	}

	if ((edp->close)(edp))
		fatal("close edp");
	if (dp && (dp->close)(dp))
		fatal("close dp");
	if (makeold) {
		if (fclose(oldfp) == EOF)
			fatal("close old");
	}

	/* Set master.passwd permissions, in case caller forgot. */
	(void)fchmod(fileno(fp), S_IRUSR|S_IWUSR);
	if (fclose(fp) != 0)
		fatal("fclose");

	/* Install as the real password files. */
	if (!secureonly) {
		(void)snprintf(buf, sizeof(buf), "%s.tmp",
		    changedir(_PATH_MP_DB, basedir));
		mv(buf, changedir(_PATH_MP_DB, basedir));
	}
	(void)snprintf(buf, sizeof(buf), "%s.tmp",
	    changedir(_PATH_SMP_DB, basedir));
	mv(buf, changedir(_PATH_SMP_DB, basedir));
	if (makeold) {
		(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
		mv(buf, changedir(_PATH_PASSWD, basedir));
	}

	/*
	 * Move the master password LAST -- chpass(1), passwd(1) and vipw(8)
	 * all use flock(2) on it to block other incarnations of themselves.
	 * The rename means that everything is unlocked, as the original file
	 * can no longer be accessed.
	 */
	mv(pname, changedir(_PATH_MASTERPASSWD, basedir));
	exit(0);
}

int
scan(FILE *fp, struct passwd *pw, int *flags)
{
	static int lcnt;
	static char line[LINE_MAX];
	char *p;

	if (fgets(line, sizeof(line), fp) == NULL)
		return (0);
	++lcnt;
	/*
	 * ``... if I swallow anything evil, put your fingers down my
	 * throat...''
	 *	-- The Who
	 */
	p = line;
	if (*p != '\0' && *(p += strlen(line) - 1) != '\n') {
		warnx("line too long");
		goto fmt;
	}
	*p = '\0';
	*flags = 0;
	if (!pw_scan(line, pw, flags)) {
		warnx("at line #%d", lcnt);
fmt:		fatalc(EFTYPE, "%s", pname);
	}

	return (1);
}

void
cp(char *from, char *to, mode_t mode)
{
	static char buf[MAXBSIZE];
	int from_fd, rcount, to_fd, wcount;

	if ((from_fd = open(from, O_RDONLY, 0)) < 0)
		fatal("%s", from);
	if ((to_fd = open(to, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)
		fatal("%s", to);
	while ((rcount = read(from_fd, buf, MAXBSIZE)) > 0) {
		wcount = write(to_fd, buf, rcount);
		if (rcount != wcount || wcount == -1)
			fatal("%s to %s", from, to);
	}
	if (rcount < 0)
		fatal("%s to %s", from, to);
	close(to_fd);
	close(from_fd);
}

void
mv(char *from, char *to)
{
	if (rename(from, to))
		fatal("%s to %s", from, to);
}

void
fatal(const char *fmt, ...)
{
	va_list ap;

	va_start(ap, fmt);
	vwarn(fmt, ap);
	va_end(ap);
	cleanup();
	exit(EXIT_FAILURE);
}

void
fatalc(int code, const char *fmt, ...)
{
	va_list ap;

	va_start(ap, fmt);
	vwarnc(code, fmt, ap);
	va_end(ap);
	cleanup();
	exit(EXIT_FAILURE);
}

void
fatalx(const char *fmt, ...)
{
	va_list ap;

	va_start(ap, fmt);
	vwarnx(fmt, ap);
	va_end(ap);
	cleanup();
	exit(EXIT_FAILURE);
}

void
cleanup(void)
{
	char buf[PATH_MAX];

	if (clean & FILE_ORIG) {
		(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
		(void)unlink(buf);
	}
	if (clean & FILE_SECURE) {
		(void)snprintf(buf, sizeof(buf), "%s.tmp",
		    changedir(_PATH_SMP_DB, basedir));
		(void)unlink(buf);
	}
	if (clean & FILE_INSECURE) {
		(void)snprintf(buf, sizeof(buf), "%s.tmp",
		    changedir(_PATH_MP_DB, basedir));
		(void)unlink(buf);
	}
}

void
usage(void)
{
	(void)fprintf(stderr,
	    "usage: pwd_mkdb [-c] [-p | -s] [-d directory] [-u username] file\n");
	exit(EXIT_FAILURE);
}

char *
changedir(char *path, char *dir)
{
	static char fixed[PATH_MAX];
	char *p;

	if (!dir)
		return (path);

	if ((p = strrchr(path, '/')) != NULL)
		path = p + 1;
	snprintf(fixed, sizeof(fixed), "%s/%s", dir, path);
	return (fixed);
}

int
write_old_entry(FILE *to, const struct passwd *pw)
{
	char gidstr[16], uidstr[16];

	if (to == NULL)
		return (0);

	/* Preserve gid/uid -1 */
	if (pw->pw_gid == (gid_t)-1)
		strlcpy(gidstr, "-1", sizeof(gidstr));
	else
		snprintf(gidstr, sizeof(gidstr), "%u", (u_int)pw->pw_gid);

	if (pw->pw_uid == (uid_t)-1)
		strlcpy(uidstr, "-1", sizeof(uidstr));
	else
		snprintf(uidstr, sizeof(uidstr), "%u", (u_int)pw->pw_uid);

	return (fprintf(to, "%s:*:%s:%s:%s:%s:%s\n", pw->pw_name, uidstr,
	    gidstr, pw->pw_gecos, pw->pw_dir, pw->pw_shell));
}

void
db_store(FILE *fp, FILE *oldfp, DB *edp, DB *dp, struct passwd *pw,
	 int keytype, char *username, uid_t olduid)
{
	char *p, *t, buf[LINE_MAX * 2], tbuf[_PW_BUF_LEN];
	int flags = 0, dbmode, found = 0;
	static int firsttime = 1;
	DBT data, key;
	size_t len;
	u_int cnt;

	/* If given a username just add that record to the existing db. */
	dbmode = username ? 0 : R_NOOVERWRITE;

	rewind(fp);
	data.data = (u_char *)buf;
	key.data = (u_char *)tbuf;
	for (cnt = 1; scan(fp, pw, &flags); ++cnt) {

		if (firsttime) {
			/* Look like YP? */
			if ((pw->pw_name[0] == '+') || (pw->pw_name[0] == '-'))
				hasyp++;

			/* Warn about potentially unsafe uid/gid overrides. */
			if (pw->pw_name[0] == '+') {
				if (!(flags & _PASSWORD_NOUID) && !pw->pw_uid)
					warnx("line %d: superuser override in "
					    "YP inclusion", cnt);
				if (!(flags & _PASSWORD_NOGID) && !pw->pw_gid)
					warnx("line %d: wheel override in "
					    "YP inclusion", cnt);
			}

			/* Create V7 format password file entry. */
			if (write_old_entry(oldfp, pw) == -1)
				fatal("write old");
		}

		/* Are we updating a specific record? */
		if (username) {
			if (strcmp(username, pw->pw_name) != 0)
				continue;
			found = 1;
			/* If the uid changed, remove the old record by uid. */
			if (olduid != UID_MAX && olduid != pw->pw_uid) {
				tbuf[0] = _PW_KEYBYUID;
				memcpy(tbuf + 1, &olduid, sizeof(olduid));
				key.size = sizeof(olduid) + 1;
				(edp->del)(edp, &key, 0);
				if (dp)
					(dp->del)(dp, &key, 0);
			}
			/* XXX - should check to see if line number changed. */
		}

		/* Build the key. */
		tbuf[0] = keytype;
		switch (keytype) {
		case _PW_KEYBYNUM:
			memmove(tbuf + 1, &cnt, sizeof(cnt));
			key.size = sizeof(cnt) + 1;
			break;

		case _PW_KEYBYNAME:
			len = strlen(pw->pw_name);
			memmove(tbuf + 1, pw->pw_name, len);
			key.size = len + 1;
			break;

		case _PW_KEYBYUID:
			memmove(tbuf + 1, &pw->pw_uid, sizeof(pw->pw_uid));
			key.size = sizeof(pw->pw_uid) + 1;
			break;
		}

#define	COMPACT(e)	t = e; while ((*p++ = *t++));
		/* Create the secure record. */
		p = buf;
		COMPACT(pw->pw_name);
		COMPACT(pw->pw_passwd);
		memmove(p, &pw->pw_uid, sizeof(uid_t));
		p += sizeof(uid_t);
		memmove(p, &pw->pw_gid, sizeof(gid_t));
		p += sizeof(gid_t);
		memmove(p, &pw->pw_change, sizeof(time_t));
		p += sizeof(time_t);
		COMPACT(pw->pw_class);
		COMPACT(pw->pw_gecos);
		COMPACT(pw->pw_dir);
		COMPACT(pw->pw_shell);
		memmove(p, &pw->pw_expire, sizeof(time_t));
		p += sizeof(time_t);
		memmove(p, &flags, sizeof(int));
		p += sizeof(int);
		data.size = p - buf;

		/* Write the secure record. */
		if ((edp->put)(edp, &key, &data, dbmode) == -1)
			fatal("put");

		if (dp == NULL)
			continue;

		/* Star out password to make insecure record. */
		p = buf + strlen(pw->pw_name) + 1;	/* skip pw_name */
		len = strlen(pw->pw_passwd);
		explicit_bzero(p, len);			/* zero pw_passwd */
		t = p + len + 1;			/* skip pw_passwd */
		if (len != 0)
			*p++ = '*';
		*p++ = '\0';
		memmove(p, t, data.size - (t - buf));
		data.size -= len - 1;

		/* Write the insecure record. */
		if ((dp->put)(dp, &key, &data, dbmode) == -1)
			fatal("put");
	}
	if (firsttime) {
		firsttime = 0;
		if (username && !found && olduid != UID_MAX)
			fatalx("can't find user in master.passwd");
	}
}


Generated by: GCOVR (Version 3.3)

Line	Branch	Exec	Source
1			/* $OpenBSD: pwd_mkdb.c,v 1.53 2015/11/05 15:10:11 semarie Exp $ */
2
3			/*-
4			* Copyright (c) 1991, 1993, 1994
5			* The Regents of the University of California. All rights reserved.
6			* Portions Copyright (c) 1994, Jason Downs. All rights reserved.
7			* Portions Copyright (c) 1998, Todd C. Miller. All rights reserved.
8			*
9			* Redistribution and use in source and binary forms, with or without
10			* modification, are permitted provided that the following conditions
11			* are met:
12			* 1. Redistributions of source code must retain the above copyright
13			* notice, this list of conditions and the following disclaimer.
14			* 2. Redistributions in binary form must reproduce the above copyright
15			* notice, this list of conditions and the following disclaimer in the
16			* documentation and/or other materials provided with the distribution.
17			* 3. Neither the name of the University nor the names of its contributors
18			* may be used to endorse or promote products derived from this software
19			* without specific prior written permission.
20			*
21			* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22			* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23			* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24			* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25			* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26			* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27			* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28			* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29			* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30			* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31			* SUCH DAMAGE.
32			*/
33
34			#include <sys/param.h> /* MAXBSIZE */
35			#include <sys/stat.h>
36
37			#include <db.h>
38			#include <err.h>
39			#include <errno.h>
40			#include <fcntl.h>
41			#include <grp.h>
42			#include <limits.h>
43			#include <pwd.h>
44			#include <signal.h>
45			#include <stdarg.h>
46			#include <stdio.h>
47			#include <stdlib.h>
48			#include <string.h>
49			#include <unistd.h>
50			#include <limits.h>
51			#include <util.h>
52
53			#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
54
55			#define INSECURE 1
56			#define SECURE 2
57			#define PERM_INSECURE (S_IRUSR\|S_IWUSR\|S_IRGRP\|S_IROTH)
58			#define PERM_SECURE (S_IRUSR\|S_IWUSR)
59
60			#define FILE_SECURE 0x01
61			#define FILE_INSECURE 0x02
62			#define FILE_ORIG 0x04
63
64			#define SHADOW_GROUP "_shadow"
65
66			HASHINFO openinfo = {
67			4096, /* bsize */
68			32, /* ffactor */
69			256, /* nelem */
70			2048 * 1024, /* cachesize */
71			NULL, /* hash() */
72			0 /* lorder */
73			};
74
75			static char pname; / password file name */
76			static char basedir; / dir holding master.passwd */
77			static int clean; /* what to remove on cleanup */
78			static int hasyp; /* are we running YP? */
79
80			void cleanup(void);
81			__dead void fatal(const char *, ...)
82			__attribute__((__format__ (printf, 1, 2)));
83			__dead void fatalc(int, const char *, ...)
84			__attribute__((__format__ (printf, 2, 3)));
85			__dead void fatalx(const char *, ...)
86			__attribute__((__format__ (printf, 1, 2)));
87			int write_old_entry(FILE , const struct passwd );
88
89			void cp(char , char , mode_t);
90			void mv(char , char );
91			int scan(FILE , struct passwd , int *);
92			void usage(void);
93			char changedir(char path, char *dir);
94			void db_store(FILE , FILE , DB , DB ,struct passwd , int, char , uid_t);
95
96			int
97			main(int argc, char **argv)
98			{
99			DB dp, edp;
100		2	DBT data, key;
101			FILE fp, oldfp = NULL;
102		1	struct stat st;
103		1	struct passwd pwd;
104			struct group *grp;
105		1	sigset_t set;
106			uid_t olduid;
107			gid_t shadow;
108		1	int ch, tfd, makeold, secureonly, flags, checkonly;
109		1	char username, buf[MAX(PATH_MAX, LINE_MAX 2)];
110
111		1	flags = checkonly = makeold = secureonly = 0;
112			username = NULL;
113	✓✓	5	while ((ch = getopt(argc, argv, "cd:psu:v")) != -1)
114	✓✗✓✓ ✗✓✗	6	switch (ch) {
115			case 'c': /* verify only */
116			checkonly = 1;
117			break;
118			case 'd':
119		1	basedir = optarg;
120	✓✗	1	if (strlen(basedir) > PATH_MAX - 40)
121			errx(1, "basedir too long");
122			break;
123			case 'p': /* create V7 "file.orig" */
124			makeold = 1;
125		1	break;
126			case 's': /* only update spwd.db */
127			secureonly = 1;
128			break;
129			case 'u': /* only update this record */
130		1	username = optarg;
131	✓✗	1	if (strlen(username) > _PW_NAME_LEN)
132			errx(1, "username too long");
133			break;
134			case 'v': /* backward compatible */
135			break;
136			case '?':
137			default:
138			usage();
139			}
140		1	argc -= optind;
141		1	argv += optind;
142
143	✓✗✓✗ ✗✓	3	if (argc != 1 \|\| (makeold && secureonly) \|\|
144	✓✗✓✗	3	(username && (username == '+' \|\| username == '-')))
145			usage();
146
147	✗✓	1	if ((grp = getgrnam(SHADOW_GROUP)) == NULL)
148			errx(1, "cannot find `%s' in the group database, aborting",
149			SHADOW_GROUP);
150		1	shadow = grp->gr_gid;
151
152			/*
153			* This could be changed to allow the user to interrupt.
154			* Probably not worth the effort.
155			*/
156		1	sigemptyset(&set);
157		1	sigaddset(&set, SIGTSTP);
158		1	sigaddset(&set, SIGHUP);
159		1	sigaddset(&set, SIGINT);
160		1	sigaddset(&set, SIGQUIT);
161		1	sigaddset(&set, SIGTERM);
162		1	(void)sigprocmask(SIG_BLOCK, &set, (sigset_t *)NULL);
163
164			/* We don't care what the user wants. */
165		1	(void)umask(0);
166
167	✗✓	1	if (**argv != '/' && basedir == NULL)
168			errx(1, "%s must be specified as an absolute path", *argv);
169
170	✗✓	1	if ((pname = strdup(changedir(*argv, basedir))) == NULL)
171			err(1, NULL);
172			/* Open the original password file */
173	✗✓	1	if (!(fp = fopen(pname, "r")))
174			fatal("%s", pname);
175
176			/* Check only if password database is valid */
177	✗✓	1	if (checkonly) {
178			u_int cnt;
179
180			for (cnt = 1; scan(fp, &pwd, &flags); ++cnt)
181			;
182			exit(0);
183			}
184
185	✓✗✗✓	3	if (fstat(fileno(fp), &st) == -1)
186			fatal("%s", pname);
187
188			/* Tweak openinfo values for large passwd files. */
189	✗✓	1	if (st.st_size > (off_t)100*1024)
190			openinfo.cachesize = MINIMUM(st.st_size * 20, (off_t)1210241024);
191	✗✓	1	if (st.st_size / 128 > openinfo.nelem)
192			openinfo.nelem = st.st_size / 128;
193
194			/* If only updating a single record, stash the old uid */
195	✓✗	1	if (username) {
196		1	dp = dbopen(_PATH_MP_DB, O_RDONLY, 0, DB_HASH, NULL);
197	✗✓	1	if (dp == NULL)
198			fatal(_PATH_MP_DB);
199		1	buf[0] = _PW_KEYBYNAME;
200		1	strlcpy(buf + 1, username, sizeof(buf) - 1);
201		1	key.data = (u_char *)buf;
202		1	key.size = strlen(buf + 1) + 1;
203	✗✓	1	if ((dp->get)(dp, &key, &data, 0) == 0) {
204			char p = (char )data.data;
205			/* Skip to uid field */
206			while (*p++ != '\0')
207			;
208			while (*p++ != '\0')
209			;
210			memcpy(&olduid, p, sizeof(olduid));
211			} else
212			olduid = UID_MAX;
213		1	(dp->close)(dp);
214		1	}
215
216			/* Open the temporary encrypted password database. */
217		2	(void)snprintf(buf, sizeof(buf), "%s.tmp",
218		1	changedir(_PATH_SMP_DB, basedir));
219	✓✗	1	if (username) {
220		1	cp(changedir(_PATH_SMP_DB, basedir), buf, PERM_SECURE);
221		1	edp = dbopen(buf,
222			O_RDWR, PERM_SECURE, DB_HASH, &openinfo);
223		1	} else {
224			edp = dbopen(buf,
225			O_RDWR\|O_CREAT\|O_EXCL, PERM_SECURE, DB_HASH, &openinfo);
226			}
227	✗✓	1	if (!edp)
228			fatal("%s", buf);
229	✗✓	1	if (fchown(edp->fd(edp), (uid_t)-1, shadow) != 0)
230			warn("%s: unable to set group to %s", _PATH_SMP_DB,
231			SHADOW_GROUP);
232	✗✓	1	else if (fchmod(edp->fd(edp), PERM_SECURE\|S_IRGRP) != 0)
233			warn("%s: unable to make group readable", _PATH_SMP_DB);
234		1	clean \|= FILE_SECURE;
235
236	✗✓	1	if (pledge("stdio rpath wpath cpath getpw fattr flock", NULL) == -1)
237			err(1, "pledge");
238
239			/* Open the temporary insecure password database. */
240	✓✗	1	if (!secureonly) {
241		1	(void)snprintf(buf, sizeof(buf), "%s.tmp",
242		1	changedir(_PATH_MP_DB, basedir));
243	✓✗	1	if (username) {
244		1	cp(changedir(_PATH_MP_DB, basedir), buf, PERM_INSECURE);
245		1	dp = dbopen(buf, O_RDWR, PERM_INSECURE, DB_HASH,
246			&openinfo);
247		1	} else {
248			dp = dbopen(buf, O_RDWR\|O_CREAT\|O_EXCL, PERM_INSECURE,
249			DB_HASH, &openinfo);
250			}
251	✗✓	1	if (dp == NULL)
252			fatal("%s", buf);
253		1	clean \|= FILE_INSECURE;
254		1	} else
255			dp = NULL;
256
257			/*
258			* Open file for old password file. Minor trickiness -- don't want to
259			* change the file already existing, since someone (stupidly) might
260			* still be using this for permission checking. So, open it first and
261			* fdopen the resulting fd. The resulting file should be readable by
262			* everyone.
263			*/
264	✓✗	1	if (makeold) {
265		1	(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
266	✗✓	2	if ((tfd = open(buf,
267		1	O_WRONLY\|O_CREAT\|O_EXCL, PERM_INSECURE)) < 0)
268			fatal("%s", buf);
269	✗✓	1	if ((oldfp = fdopen(tfd, "w")) == NULL)
270			fatal("%s", buf);
271		1	clean \|= FILE_ORIG;
272		1	}
273
274			/*
275			* The databases actually contain three copies of the original data.
276			* Each password file entry is converted into a rough approximation
277			* of a ``struct passwd'', with the strings placed inline. This
278			* object is then stored as the data for three separate keys. The
279			* first key * is the pw_name field prepended by the _PW_KEYBYNAME
280			* character. The second key is the pw_uid field prepended by the
281			* _PW_KEYBYUID character. The third key is the line number in the
282			* original file prepended by the _PW_KEYBYNUM character. (The special
283			* characters are prepended to ensure that the keys do not collide.)
284			*
285			* If we see something go by that looks like YP, we save a special
286			* pointer record, which if YP is enabled in the C lib, will speed
287			* things up.
288			*/
289
290			/*
291			* Write the .db files.
292			* We do this three times, one per key type (for getpw{nam,uid,ent}).
293			* The first time through we also check for YP, issue warnings
294			* and save the V7 format passwd file if necessary.
295			*/
296		1	db_store(fp, oldfp, edp, dp, &pwd, _PW_KEYBYNAME, username, olduid);
297		1	db_store(fp, oldfp, edp, dp, &pwd, _PW_KEYBYUID, username, olduid);
298		1	db_store(fp, oldfp, edp, dp, &pwd, _PW_KEYBYNUM, username, olduid);
299
300			/* Store YP token, if needed. */
301	✗✓	1	if (hasyp && !username) {
302			key.data = (u_char *)_PW_YPTOKEN;
303			key.size = strlen(_PW_YPTOKEN);
304			data.data = (u_char *)NULL;
305			data.size = 0;
306
307			if ((edp->put)(edp, &key, &data, R_NOOVERWRITE) == -1)
308			fatal("put");
309
310			if (dp && (dp->put)(dp, &key, &data, R_NOOVERWRITE) == -1)
311			fatal("put");
312			}
313
314	✗✓	1	if ((edp->close)(edp))
315			fatal("close edp");
316	✓✗✗✓	2	if (dp && (dp->close)(dp))
317			fatal("close dp");
318	✓✗	1	if (makeold) {
319	✗✓	1	if (fclose(oldfp) == EOF)
320			fatal("close old");
321			}
322
323			/* Set master.passwd permissions, in case caller forgot. */
324	✓✗	3	(void)fchmod(fileno(fp), S_IRUSR\|S_IWUSR);
325	✗✓	1	if (fclose(fp) != 0)
326			fatal("fclose");
327
328			/* Install as the real password files. */
329	✓✗	1	if (!secureonly) {
330		1	(void)snprintf(buf, sizeof(buf), "%s.tmp",
331		1	changedir(_PATH_MP_DB, basedir));
332		1	mv(buf, changedir(_PATH_MP_DB, basedir));
333		1	}
334		1	(void)snprintf(buf, sizeof(buf), "%s.tmp",
335		1	changedir(_PATH_SMP_DB, basedir));
336		1	mv(buf, changedir(_PATH_SMP_DB, basedir));
337	✓✗	1	if (makeold) {
338		1	(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
339		1	mv(buf, changedir(_PATH_PASSWD, basedir));
340		1	}
341
342			/*
343			* Move the master password LAST -- chpass(1), passwd(1) and vipw(8)
344			* all use flock(2) on it to block other incarnations of themselves.
345			* The rename means that everything is unlocked, as the original file
346			* can no longer be accessed.
347			*/
348			mv(pname, changedir(_PATH_MASTERPASSWD, basedir));
349			exit(0);
350			}
351
352			int
353			scan(FILE fp, struct passwd pw, int *flags)
354			{
355			static int lcnt;
356			static char line[LINE_MAX];
357			char *p;
358
359	✓✓	408	if (fgets(line, sizeof(line), fp) == NULL)
360		3	return (0);
361		201	++lcnt;
362			/*
363			* ``... if I swallow anything evil, put your fingers down my
364			* throat...''
365			* -- The Who
366			*/
367			p = line;
368	✓✗✗✓	402	if (p != '\0' && (p += strlen(line) - 1) != '\n') {
369			warnx("line too long");
370			goto fmt;
371			}
372		201	*p = '\0';
373		201	*flags = 0;
374	✗✓	201	if (!pw_scan(line, pw, flags)) {
375			warnx("at line #%d", lcnt);
376			fmt: fatalc(EFTYPE, "%s", pname);
377			}
378
379		201	return (1);
380		204	}
381
382			void
383			cp(char from, char to, mode_t mode)
384			{
385			static char buf[MAXBSIZE];
386			int from_fd, rcount, to_fd, wcount;
387
388	✗✓	4	if ((from_fd = open(from, O_RDONLY, 0)) < 0)
389			fatal("%s", from);
390	✗✓	2	if ((to_fd = open(to, O_WRONLY\|O_CREAT\|O_EXCL, mode)) < 0)
391			fatal("%s", to);
392	✓✓	4	while ((rcount = read(from_fd, buf, MAXBSIZE)) > 0) {
393		2	wcount = write(to_fd, buf, rcount);
394	✓✗	2	if (rcount != wcount \|\| wcount == -1)
395			fatal("%s to %s", from, to);
396			}
397	✗✓	2	if (rcount < 0)
398			fatal("%s to %s", from, to);
399		2	close(to_fd);
400		2	close(from_fd);
401		2	}
402
403			void
404			mv(char from, char to)
405			{
406	✗✓	8	if (rename(from, to))
407			fatal("%s to %s", from, to);
408		4	}
409
410			void
411			fatal(const char *fmt, ...)
412			{
413			va_list ap;
414
415			va_start(ap, fmt);
416			vwarn(fmt, ap);
417			va_end(ap);
418			cleanup();
419			exit(EXIT_FAILURE);
420			}
421
422			void
423			fatalc(int code, const char *fmt, ...)
424			{
425			va_list ap;
426
427			va_start(ap, fmt);
428			vwarnc(code, fmt, ap);
429			va_end(ap);
430			cleanup();
431			exit(EXIT_FAILURE);
432			}
433
434			void
435			fatalx(const char *fmt, ...)
436			{
437			va_list ap;
438
439			va_start(ap, fmt);
440			vwarnx(fmt, ap);
441			va_end(ap);
442			cleanup();
443			exit(EXIT_FAILURE);
444			}
445
446			void
447			cleanup(void)
448			{
449			char buf[PATH_MAX];
450
451			if (clean & FILE_ORIG) {
452			(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
453			(void)unlink(buf);
454			}
455			if (clean & FILE_SECURE) {
456			(void)snprintf(buf, sizeof(buf), "%s.tmp",
457			changedir(_PATH_SMP_DB, basedir));
458			(void)unlink(buf);
459			}
460			if (clean & FILE_INSECURE) {
461			(void)snprintf(buf, sizeof(buf), "%s.tmp",
462			changedir(_PATH_MP_DB, basedir));
463			(void)unlink(buf);
464			}
465			}
466
467			void
468			usage(void)
469			{
470			(void)fprintf(stderr,
471			"usage: pwd_mkdb [-c] [-p \| -s] [-d directory] [-u username] file\n");
472			exit(EXIT_FAILURE);
473			}
474
475			char *
476			changedir(char path, char dir)
477			{
478			static char fixed[PATH_MAX];
479			char *p;
480
481	✗✓	22	if (!dir)
482			return (path);
483
484	✓✗	11	if ((p = strrchr(path, '/')) != NULL)
485		11	path = p + 1;
486		11	snprintf(fixed, sizeof(fixed), "%s/%s", dir, path);
487		11	return (fixed);
488		11	}
489
490			int
491			write_old_entry(FILE to, const struct passwd pw)
492			{
493		134	char gidstr[16], uidstr[16];
494
495	✗✓	67	if (to == NULL)
496			return (0);
497
498			/* Preserve gid/uid -1 */
499	✗✓	67	if (pw->pw_gid == (gid_t)-1)
500			strlcpy(gidstr, "-1", sizeof(gidstr));
501			else
502		67	snprintf(gidstr, sizeof(gidstr), "%u", (u_int)pw->pw_gid);
503
504	✗✓	67	if (pw->pw_uid == (uid_t)-1)
505			strlcpy(uidstr, "-1", sizeof(uidstr));
506			else
507		67	snprintf(uidstr, sizeof(uidstr), "%u", (u_int)pw->pw_uid);
508
509		134	return (fprintf(to, "%s:*:%s:%s:%s:%s:%s\n", pw->pw_name, uidstr,
510		67	gidstr, pw->pw_gecos, pw->pw_dir, pw->pw_shell));
511		67	}
512
513			void
514			db_store(FILE fp, FILE oldfp, DB edp, DB dp, struct passwd *pw,
515			int keytype, char *username, uid_t olduid)
516			{
517		6	char p, t, buf[LINE_MAX * 2], tbuf[_PW_BUF_LEN];
518		3	int flags = 0, dbmode, found = 0;
519			static int firsttime = 1;
520		3	DBT data, key;
521			size_t len;
522			u_int cnt;
523
524			/* If given a username just add that record to the existing db. */
525		3	dbmode = username ? 0 : R_NOOVERWRITE;
526
527		3	rewind(fp);
528		3	data.data = (u_char *)buf;
529		3	key.data = (u_char *)tbuf;
530	✓✓	408	for (cnt = 1; scan(fp, pw, &flags); ++cnt) {
531
532	✓✓	201	if (firsttime) {
533			/* Look like YP? */
534	✓✗✗✓	134	if ((pw->pw_name[0] == '+') \|\| (pw->pw_name[0] == '-'))
535			hasyp++;
536
537			/* Warn about potentially unsafe uid/gid overrides. */
538	✗✓	67	if (pw->pw_name[0] == '+') {
539			if (!(flags & _PASSWORD_NOUID) && !pw->pw_uid)
540			warnx("line %d: superuser override in "
541			"YP inclusion", cnt);
542			if (!(flags & _PASSWORD_NOGID) && !pw->pw_gid)
543			warnx("line %d: wheel override in "
544			"YP inclusion", cnt);
545			}
546
547			/* Create V7 format password file entry. */
548	✗✓	67	if (write_old_entry(oldfp, pw) == -1)
549			fatal("write old");
550			}
551
552			/* Are we updating a specific record? */
553	✓✗	201	if (username) {
554	✓✓	201	if (strcmp(username, pw->pw_name) != 0)
555			continue;
556			found = 1;
557			/* If the uid changed, remove the old record by uid. */
558	✗✓✗✗	3	if (olduid != UID_MAX && olduid != pw->pw_uid) {
559			tbuf[0] = _PW_KEYBYUID;
560			memcpy(tbuf + 1, &olduid, sizeof(olduid));
561			key.size = sizeof(olduid) + 1;
562			(edp->del)(edp, &key, 0);
563			if (dp)
564			(dp->del)(dp, &key, 0);
565			}
566			/* XXX - should check to see if line number changed. */
567			}
568
569			/* Build the key. */
570		6	tbuf[0] = keytype;
571	✓✓✓✓	6	switch (keytype) {
572			case _PW_KEYBYNUM:
573		1	memmove(tbuf + 1, &cnt, sizeof(cnt));
574			key.size = sizeof(cnt) + 1;
575		1	break;
576
577			case _PW_KEYBYNAME:
578		1	len = strlen(pw->pw_name);
579		1	memmove(tbuf + 1, pw->pw_name, len);
580		1	key.size = len + 1;
581		1	break;
582
583			case _PW_KEYBYUID:
584		1	memmove(tbuf + 1, &pw->pw_uid, sizeof(pw->pw_uid));
585			key.size = sizeof(pw->pw_uid) + 1;
586		1	break;
587			}
588
589			#define COMPACT(e) t = e; while ((p++ = t++));
590			/* Create the secure record. */
591		3	p = buf;
592	✓✓	30	COMPACT(pw->pw_name);
593	✓✓	9	COMPACT(pw->pw_passwd);
594		3	memmove(p, &pw->pw_uid, sizeof(uid_t));
595		3	p += sizeof(uid_t);
596		3	memmove(p, &pw->pw_gid, sizeof(gid_t));
597		3	p += sizeof(gid_t);
598		3	memmove(p, &pw->pw_change, sizeof(time_t));
599		3	p += sizeof(time_t);
600	✓✓	24	COMPACT(pw->pw_class);
601	✓✓	45	COMPACT(pw->pw_gecos);
602	✓✓	42	COMPACT(pw->pw_dir);
603	✓✓	45	COMPACT(pw->pw_shell);
604		3	memmove(p, &pw->pw_expire, sizeof(time_t));
605		3	p += sizeof(time_t);
606		3	memmove(p, &flags, sizeof(int));
607		3	p += sizeof(int);
608		3	data.size = p - buf;
609
610			/* Write the secure record. */
611	✗✓	3	if ((edp->put)(edp, &key, &data, dbmode) == -1)
612			fatal("put");
613
614	✓✗	3	if (dp == NULL)
615			continue;
616
617			/* Star out password to make insecure record. */
618		3	p = buf + strlen(pw->pw_name) + 1; /* skip pw_name */
619		3	len = strlen(pw->pw_passwd);
620		3	explicit_bzero(p, len); /* zero pw_passwd */
621		3	t = p + len + 1; /* skip pw_passwd */
622	✓✗	3	if (len != 0)
623		3	p++ = '';
624		3	*p++ = '\0';
625		3	memmove(p, t, data.size - (t - buf));
626		3	data.size -= len - 1;
627
628			/* Write the insecure record. */
629	✗✓	3	if ((dp->put)(dp, &key, &data, dbmode) == -1)
630			fatal("put");
631			}
632	✓✓	3	if (firsttime) {
633		1	firsttime = 0;
634	✗✓	1	if (username && !found && olduid != UID_MAX)
635			fatalx("can't find user in master.passwd");
636			}
637		3	}