summaryrefslogtreecommitdiffstats
path: root/usr.sbin/pw
diff options
context:
space:
mode:
authordavidn <davidn@FreeBSD.org>1999-10-26 08:34:09 +0000
committerdavidn <davidn@FreeBSD.org>1999-10-26 08:34:09 +0000
commit091d63007009782645e83fda77ebeff7eb52f243 (patch)
tree2aa1f2f02b890aebacec8f3289cb2e2be16b19ca /usr.sbin/pw
parent297001db2a5f0a61adb1417b3e483603abf2f786 (diff)
downloadFreeBSD-src-091d63007009782645e83fda77ebeff7eb52f243.zip
FreeBSD-src-091d63007009782645e83fda77ebeff7eb52f243.tar.gz
Add new functionality "lock" and "unlock" to provide a simple password
locking mechanism for users. This works by prepending the string "*LOCKED*" to the password field in master.passwd to prevent successful decoding.
Diffstat (limited to 'usr.sbin/pw')
-rw-r--r--usr.sbin/pw/pw.c14
-rw-r--r--usr.sbin/pw/pw.h2
-rw-r--r--usr.sbin/pw/pw_group.c6
-rw-r--r--usr.sbin/pw/pw_user.c33
4 files changed, 47 insertions, 8 deletions
diff --git a/usr.sbin/pw/pw.c b/usr.sbin/pw/pw.c
index 1da063c..2118854 100644
--- a/usr.sbin/pw/pw.c
+++ b/usr.sbin/pw/pw.c
@@ -35,16 +35,20 @@ static const char rcsid[] =
#include <sys/wait.h>
#include "pw.h"
-const char *Modes[] = {"add", "del", "mod", "show", "next", NULL};
+const char *Modes[] = {
+ "add", "del", "mod", "show", "next",
+ NULL};
const char *Which[] = {"user", "group", NULL};
static const char *Combo1[] = {
"useradd", "userdel", "usermod", "usershow", "usernext",
+ "lock", "unlock",
"groupadd", "groupdel", "groupmod", "groupshow", "groupnext",
NULL};
static const char *Combo2[] = {
"adduser", "deluser", "moduser", "showuser", "nextuser",
+ "lock", "unlock",
"addgroup", "delgroup", "modgroup", "showgroup", "nextgroup",
-NULL};
+ NULL};
struct pwf PWF =
{
@@ -102,6 +106,8 @@ main(int argc, char *argv[])
"V:C:qn:u:rY",
"V:C:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:FNPY",
"V:C:qn:u:FPa7",
+ "V:C:q",
+ "V:C:q",
"V:C:q"
},
{ /* grp */
@@ -272,9 +278,9 @@ static void
cmdhelp(int mode, int which)
{
if (which == -1)
- fprintf(stderr, "usage: pw [user|group] [add|del|mod|show|next] [ help | switches/values ]\n");
+ fprintf(stderr, "usage:\n pw [user|group|lock|unlock] [add|del|mod|show|next] [help|switches/values]\n");
else if (mode == -1)
- fprintf(stderr, "usage: pw %s [add|del|mod|show|next] [ help | switches/values ]\n", Which[which]);
+ fprintf(stderr, "usage:\n pw %s [add|del|mod|show|next] [help|switches/values]\n", Which[which]);
else {
/*
diff --git a/usr.sbin/pw/pw.h b/usr.sbin/pw/pw.h
index f85eac7..aa437ec 100644
--- a/usr.sbin/pw/pw.h
+++ b/usr.sbin/pw/pw.h
@@ -50,6 +50,8 @@ enum _mode
M_UPDATE,
M_PRINT,
M_NEXT,
+ M_LOCK,
+ M_UNLOCK,
M_NUM
};
diff --git a/usr.sbin/pw/pw_group.c b/usr.sbin/pw/pw_group.c
index 54125d8..d489a6b 100644
--- a/usr.sbin/pw/pw_group.c
+++ b/usr.sbin/pw/pw_group.c
@@ -60,12 +60,14 @@ pw_group(struct userconf * cnf, int mode, struct cargs * args)
NULL
};
+ if (mode == M_LOCK || mode == M_UNLOCK)
+ errx(EX_USAGE, "'lock' command is not available for groups");
+
/*
* With M_NEXT, we only need to return the
* next gid to stdout
*/
- if (mode == M_NEXT)
- {
+ if (mode == M_NEXT) {
gid_t next = gr_gidpolicy(cnf, args);
if (getarg(args, 'q'))
return next;
diff --git a/usr.sbin/pw/pw_user.c b/usr.sbin/pw/pw_user.c
index da6c83b..c9d2b40 100644
--- a/usr.sbin/pw/pw_user.c
+++ b/usr.sbin/pw/pw_user.c
@@ -55,6 +55,7 @@ static const char rcsid[] =
#endif
static int randinit;
+static char locked_str[] = "*LOCKED*";
static int print_user(struct passwd * pwd, int pretty, int v7);
static uid_t pw_uidpolicy(struct userconf * cnf, struct cargs * args);
@@ -104,6 +105,7 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
{
int rc;
char *p = NULL;
+ char *passtmp;
struct carg *a_name;
struct carg *a_uid;
struct carg *arg;
@@ -127,6 +129,7 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
0
};
+
/*
* With M_NEXT, we only need to return the
* next uid to stdout
@@ -303,7 +306,8 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
/*
* Update, delete & print require that the user exists
*/
- if (mode == M_UPDATE || mode == M_DELETE || mode == M_PRINT) {
+ if (mode == M_UPDATE || mode == M_DELETE ||
+ mode == M_PRINT || mode == M_LOCK || mode == M_UNLOCK) {
if (a_name == NULL && pwd == NULL) /* Try harder */
pwd = GETPWUID(atoi(a_uid->val));
@@ -323,6 +327,31 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
a_name = addarg(args, 'n', newstr(pwd->pw_name));
/*
+ * The M_LOCK and M_UNLOCK functions simply add or remove
+ * a "*LOCKED*" prefix from in front of the password to
+ * prevent it decoding correctly, and therefore prevents
+ * access. Of course, this only prevents access via
+ * password authentication (not ssh, kerberos or any
+ * other method that does not use the UNIX password) but
+ * that is a known limitation.
+ */
+
+ if (mode == M_LOCK) {
+ if (strncmp(pwd->pw_passwd, locked_str, sizeof(locked_str)-1) == 0)
+ errx(EX_DATAERR, "user '%s' is already locked", pwd->pw_name);
+ passtmp = malloc(strlen(pwd->pw_passwd) + sizeof(locked_str));
+ if (passtmp == NULL) /* disaster */
+ errx(EX_UNAVAILABLE, "out of memory");
+ strcpy(passtmp, locked_str);
+ strcat(passtmp, pwd->pw_passwd);
+ pwd->pw_passwd = passtmp;
+ } else if (mode == M_UNLOCK) {
+ if (strncmp(pwd->pw_passwd, locked_str, sizeof(locked_str)-1) != 0)
+ errx(EX_DATAERR, "user '%s' is not locked", pwd->pw_name);
+ pwd->pw_passwd += sizeof(locked_str)-1;
+ }
+
+ /*
* Handle deletions now
*/
if (mode == M_DELETE) {
@@ -563,7 +592,7 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
warnc(rc, "NIS passwd update");
/* NOTE: we treat NIS-only update errors as non-fatal */
}
- } else if (mode == M_UPDATE) {
+ } else if (mode == M_UPDATE || mode == M_LOCK || mode == M_UNLOCK) {
rc = chgpwent(a_name->val, pwd);
if (rc == -1) {
warnx("user '%s' does not exist (NIS?)", pwd->pw_name);
OpenPOWER on IntegriCloud