123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115 |
- /* passwd.c - Program to update user password.
- *
- * Copyright 2012 Ashwini Kumar <ak.ashwini@gmail.com>
- * Modified 2012 Jason Kyungwan Han <asura321@gmail.com>
- *
- * http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/passwd.html
- USE_PASSWD(NEWTOY(passwd, ">1a:dlu", TOYFLAG_STAYROOT|TOYFLAG_USR|TOYFLAG_BIN))
- config PASSWD
- bool "passwd"
- default y
- depends on TOYBOX_SHADOW
- help
- usage: passwd [-a ALGO] [-dlu] [USER]
- Update user's authentication tokens. Defaults to current user.
- -a ALGO Encryption method (des, md5, sha256, sha512) default: des
- -d Set password to ''
- -l Lock (disable) account
- -u Unlock (enable) account
- config PASSWD_SAD
- bool "Add sad password checking heuristics"
- default n
- depends on PASSWD
- help
- Password changes are checked to make sure they're at least 6 chars long,
- don't include the entire username (but not a subset of it), or the entire
- previous password (but changing password1, password2, password3 is fine).
- This heuristic accepts "aaaaaa" and "123456".
- */
- #define FOR_passwd
- #include "toys.h"
- GLOBALS(
- char *a;
- )
- // Sad advisory heuristic, won't find password1 password2 password3...
- static void weak_check(char *new, char *old, char *user)
- {
- char *msg = 0;
- if (strlen(new) < 6) msg = "too short";
- if (*new) {
- if (strcasestr(new, user) || strcasestr(user, new)) msg = "user";
- if (*old && (strcasestr(new, old) || strcasestr(old, new))) msg = "old";
- }
- if (msg) xprintf("BAD PASSWORD: %s\n",msg);
- }
- void passwd_main(void)
- {
- uid_t myuid;
- struct passwd *pw = 0;
- struct spwd *sp;
- char *pass, *name, *encrypted = 0, salt[MAX_SALT_LEN];
- // If we're root or not -lud, load specified user. Exit if not allowed.
- if (!(myuid = getuid()) || !(toys.optflags&(FLAG_l|FLAG_u|FLAG_d))) {
- if (*toys.optargs) pw = xgetpwnam(*toys.optargs);
- else pw = xgetpwuid(myuid);
- }
- if (!pw || (myuid && (myuid != pw->pw_uid))) error_exit("Not root");
- // Get password from /etc/passwd or /etc/shadow
- // TODO: why still support non-shadow passwords...?
- name = pw->pw_name;
- if (*(pass = pw->pw_passwd)=='x' && (sp = getspnam(name))) pass = sp->sp_pwdp;
- if (FLAG(l)) {
- if (*pass=='!') error_exit("already locked");
- printf("Locking '%s'\n", name);
- encrypted = xmprintf("!%s", pass);
- } else if (FLAG(u)) {
- if (*pass!='!') error_exit("already unlocked");
- printf("Unlocking '%s'\n", name);
- encrypted = pass+1;
- } else if (FLAG(d)) {
- printf("Deleting password for '%s'\n", name);
- *(encrypted = toybuf) = 0;
- } else {
- if (!TT.a) TT.a = "des";
- if (get_salt(salt, TT.a)<0) error_exit("bad -a '%s'", TT.a);
- printf("Changing password for %s\n", name);
- if (myuid) {
- if (*pass=='!') error_exit("'%s' locked", name);
- if (read_password(toybuf+2048, 2048, "Old password:")) return;
- pass = crypt(toybuf+2048, pw->pw_passwd);
- if (!pass || strcmp(pass, pw->pw_passwd)) error_exit("No");
- }
- if (read_password(toybuf, 2048, "New password:")) return;
- if (CFG_PASSWD_SAD) weak_check(toybuf, toybuf+2048, name);
- if (read_password(toybuf+2048, 2048, "Retype password:")) return;
- if (strcmp(toybuf, toybuf+2048)) error_exit("Passwords do not match.");
- encrypted = crypt(toybuf, salt);
- }
- // Update the passwd
- if (update_password(*pw->pw_passwd=='x' ? "/etc/shadow" : "/etc/passwd",
- name, encrypted, 1)) error_msg("Failure");
- else fprintf(stderr, "Success\n");
- memset(toybuf, 0, sizeof(toybuf));
- memset(encrypted, 0, strlen(encrypted));
- free(encrypted);
- }
|