2012/9/10 Antoine Jacoutot <ajacou...@bsdfrog.org>
> Hi.
>
> This diff adds 2 new options to usermod(8):
> -U to unlock a user's password
> -Z to lock a user's password
>
> In effect locking/unlocking the password means to add a '!' in front of
> the encrypted entry in master.passwd.
> Note that this disable the _password_ not the account of course (you
> could still connect using ssh+key for e.g.).
>
> That said, I have some use for it and would like to be able to have this
> if at all possible.
> Behavior is basically the same as Linux's usermod(8) except that I am
> using -Z for locking the password (-Z is for SElinux in Linux land and
> -L is used instead but we use it ourselves for the login class).
>
> Comments?
>
>
>
>
noob remarks:
it doesnt lock it modify the password (unexpected behavior)
though every other login way (like keys) works.
>
>
> Index: user.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/user/user.c,v
> retrieving revision 1.90
> diff -u -r1.90 user.c
> --- user.c 29 Jan 2012 08:38:54 -0000 1.90
> +++ user.c 10 Sep 2012 15:00:21 -0000
> @@ -100,7 +100,9 @@
> F_UID = 0x0400,
> F_USERNAME = 0x0800,
> F_CLASS = 0x1000,
> - F_SETSECGROUP = 0x4000
> + F_SETSECGROUP = 0x4000,
> + F_PWLOCK = 0x8000,
> + F_PWUNLOCK = 0x10000
> };
>
> #define CONFFILE "/etc/usermgmt.conf"
> @@ -1339,11 +1341,14 @@
> struct group *grp;
> const char *homedir;
> char buf[LINE_MAX];
> + char locked_str[] = "!";
> + char pw_len[PasswordLength + 1];
> size_t colonc, loginc;
> size_t cc;
> FILE *master;
> char newdir[MaxFileNameLen];
> char *colon;
> + char *pw_tmp;
> int len;
> int masterfd;
> int ptmpfd;
> @@ -1359,6 +1364,9 @@
> if (!is_local(login_name, _PATH_MASTERPASSWD)) {
> errx(EXIT_FAILURE, "User `%s' must be a local user",
> login_name);
> }
> + if ((up->u_flags & (F_PWLOCK | F_PWUNLOCK)) && (pwp->pw_uid == 0))
> {
> + errx(EXIT_FAILURE, "(un)locking is not supported for
> `%s'", pwp->pw_name);
> + }
> /* keep dir name in case we need it for '-m' */
> homedir = pwp->pw_dir;
>
> @@ -1410,6 +1418,29 @@
> pwp->pw_passwd = up->u_password;
> }
> }
> + if (up->u_flags & F_PWLOCK) {
> + if (strncmp(pwp->pw_passwd, locked_str,
> sizeof(locked_str)-1) == 0) {
> + warnx("user '%s' is already locked",
> pwp->pw_name);
> + } else {
> + pw_tmp = malloc(strlen(pwp->pw_passwd) +
> sizeof(locked_str));
> + if (pw_tmp == NULL) {
> + (void) close(ptmpfd);
> + pw_abort();
> + errx(EXIT_FAILURE, "cannot
> allocate memory");
> + }
> + strlcpy(pw_tmp, locked_str,
> sizeof(pw_len));
> + strlcat(pw_tmp, pwp->pw_passwd,
> sizeof(pw_len));
> + pwp->pw_passwd = pw_tmp;
> + free (pw_tmp);
> + }
> + }
> + if (up->u_flags & F_PWUNLOCK) {
> + if (strncmp(pwp->pw_passwd, locked_str,
> sizeof(locked_str)-1) != 0) {
> + warnx("user '%s' is not locked",
> pwp->pw_name);
> + } else {
> + pwp->pw_passwd += sizeof(locked_str)-1;
> + }
> + }
> if (up->u_flags & F_UID) {
> /* check uid isn't already allocated */
> if (!(up->u_flags & F_DUPUID) &&
> getpwuid((uid_t)(up->u_uid)) != NULL) {
> @@ -1617,7 +1648,7 @@
> "[-p password] [-r low..high]\n"
> " [-s shell] [-u uid] user\n", prog);
> } else if (strcmp(prog, "usermod") == 0) {
> - (void) fprintf(stderr, "usage: %s [-mov] "
> + (void) fprintf(stderr, "usage: %s [-UZmov] "
> "[-c comment] [-d home-directory] [-e expiry-time]\n"
> " [-f inactive-time] "
> "[-G secondary-group[,group,...]]\n"
> @@ -1788,7 +1819,7 @@
> free(u.u_primgrp);
> u.u_primgrp = NULL;
> have_new_user = 0;
> - while ((c = getopt(argc, argv, "G:L:S:c:d:e:f:g:l:mop:s:u:v")) !=
> -1) {
> + while ((c = getopt(argc, argv, "G:L:S:UZc:d:e:f:g:l:mop:s:u:v"))
> != -1) {
> switch(c) {
> case 'G':
> while ((u.u_groupv[u.u_groupc] = strsep(&optarg,
> ",")) != NULL &&
> @@ -1814,6 +1845,12 @@
> }
> u.u_flags |= F_SETSECGROUP;
> break;
> + case 'U':
> + u.u_flags |= F_PWUNLOCK;
> + break;
> + case 'Z':
> + u.u_flags |= F_PWLOCK;
> + break;
> case 'c':
> memsave(&u.u_comment, optarg, strlen(optarg));
> u.u_flags |= F_COMMENT;
> @@ -1883,6 +1920,10 @@
> }
> if ((u.u_flags & F_SECGROUP) && (u.u_flags & F_SETSECGROUP))
> errx(EXIT_FAILURE, "options 'G' and 'S' are mutually
> exclusive");
> + if ((u.u_flags & F_PWLOCK) && (u.u_flags & F_PWUNLOCK))
> + errx(EXIT_FAILURE, "options 'U' and 'Z' are mutually
> exclusive");
> + if ((u.u_flags & F_PASSWORD) && (u.u_flags & (F_PWLOCK |
> F_PWUNLOCK)))
> + errx(EXIT_FAILURE, "options 'U' or 'Z' with 'p' are
> mutually exclusive");
> argc -= optind;
> argv += optind;
> if (argc != 1) {
> Index: usermod.8
> ===================================================================
> RCS file: /cvs/src/usr.sbin/user/usermod.8,v
> retrieving revision 1.28
> diff -u -r1.28 usermod.8
> --- usermod.8 28 Jan 2012 14:25:45 -0000 1.28
> +++ usermod.8 10 Sep 2012 15:00:21 -0000
> @@ -40,7 +40,7 @@
> .Sh SYNOPSIS
> .Nm usermod
> .Bk -words
> -.Op Fl mov
> +.Op Fl UZmov
> .Op Fl c Ar comment
> .Op Fl d Ar home-directory
> .Op Fl e Ar expiry-time
> @@ -176,6 +176,11 @@
> See
> .Xr usermgmt.conf 5
> for more details.
> +.Fl p
> +cannot be used with
> +.Fl U
> +or
> +.Fl Z .
> .It Fl S Ar secondary-group Ns Op , Ns Ar group , Ns ...
> Sets the secondary groups the user will be a member of in the
> .Pa /etc/group
> @@ -199,6 +204,15 @@
> See
> .Xr usermgmt.conf 5
> for more details.
> +.It Fl U
> +Unlock the user's local password by removing the
> +.Ql \&!
> +in front of it.
> +.Fl U
> +and
> +.Fl Z
> +are mutually exclusive and cannot be used with
> +.Fl p.
> .It Fl u Ar uid
> Specifies a new UID for the user.
> Boundaries for this value can be preset for all users
> @@ -212,6 +226,15 @@
> for more details.
> .It Fl v
> Enables verbose mode - explain the commands as they are executed.
> +.It Fl Z
> +Lock the user's local password by putting a
> +.Ql \&!
> +in front of it.
> +.Fl Z
> +and
> +.Fl U
> +are mutually exclusive and cannot be used with
> +.Fl p.
> .El
> .Pp
> Once the information has been verified,
>
>
> --
> Antoine
>
>
--
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
