From 94e2d83c186d4afb92d60f40368db9f892fd7bcc Mon Sep 17 00:00:00 2001 From: iedowse Date: Sun, 11 Jan 2004 18:28:08 +0000 Subject: Add a `-H ' option that is like `-h ', but accepts an already encrypted password on the specified file descriptor. PR: bin/22033 MFC after: 2 weeks --- usr.sbin/pw/pw.8 | 16 +++++++++++----- usr.sbin/pw/pw.c | 10 ++++++---- usr.sbin/pw/pw_group.c | 11 +++++++++-- usr.sbin/pw/pw_user.c | 37 ++++++++++++++++++++++++++----------- 4 files changed, 52 insertions(+), 22 deletions(-) (limited to 'usr.sbin/pw') diff --git a/usr.sbin/pw/pw.8 b/usr.sbin/pw/pw.8 index 068bd74..0220564 100644 --- a/usr.sbin/pw/pw.8 +++ b/usr.sbin/pw/pw.8 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 9, 1996 +.Dd January 11, 2004 .Dt PW 8 .Os .Sh NAME @@ -51,7 +51,7 @@ .Op Fl s Ar shell .Op Fl o .Op Fl L Ar class -.Op Fl h Ar fd +.Op Fl h Ar fd | Fl H Ar fd .Op Fl N .Op Fl P .Op Fl Y @@ -101,7 +101,7 @@ .Op Fl w Ar method .Op Fl s Ar shell .Op Fl L Ar class -.Op Fl h Ar fd +.Op Fl h Ar fd | Fl H Ar fd .Op Fl N .Op Fl P .Op Fl Y @@ -130,7 +130,7 @@ .Op Fl g Ar gid .Op Fl M Ar members .Op Fl o -.Op Fl h Ar fd +.Op Fl h Ar fd | Fl H Ar fd .Op Fl N .Op Fl P .Op Fl Y @@ -152,7 +152,7 @@ .Op Fl l Ar name .Op Fl M Ar members .Op Fl m Ar newmembers -.Op Fl h Ar fd +.Op Fl h Ar fd | Fl H Ar fd .Op Fl N .Op Fl P .Op Fl Y @@ -508,6 +508,12 @@ is given as the argument then the password will be set to .Ql \&* , rendering the account inaccessible via password-based login. +.It Fl H Ar fd +Read an encrypted password string from the specified file descriptor. +This is like +.Fl h , +but the password should be supplied already encrypted in a form +suitable for writing directly to the password database. .El .Pp It is possible to use diff --git a/usr.sbin/pw/pw.c b/usr.sbin/pw/pw.c index 01ba43a..4010e84 100644 --- a/usr.sbin/pw/pw.c +++ b/usr.sbin/pw/pw.c 
@@ -106,18 +106,18 @@ main(int argc, char *argv[]) static const char *opts[W_NUM][M_NUM] = { { /* user */ - "V:C:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:Db:NPy:Y", + "V:C:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:H:Db:NPy:Y", "V:C:qn:u:rY", - "V:C:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:FNPY", + "V:C:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:H:FNPY", "V:C:qn:u:FPa7", "V:C:q", "V:C:q", "V:C:q" }, { /* grp */ - "V:C:qn:g:h:M:pNPY", + "V:C:qn:g:h:H:M:pNPY", "V:C:qn:g:Y", - "V:C:qn:g:l:h:FM:m:NPY", + "V:C:qn:g:l:h:H:FM:m:NPY", "V:C:qn:g:FPa", "V:C:q" } @@ -315,6 +315,7 @@ cmdhelp(int mode, int which) "\t-o duplicate uid ok\n" "\t-L class user class\n" "\t-h fd read password on fd\n" + "\t-H fd read encrypted password on fd\n" "\t-Y update NIS maps\n" "\t-N no update\n" " Setting defaults:\n" @@ -357,6 +358,7 @@ cmdhelp(int mode, int which) "\t-s shell name of login shell\n" "\t-w method set new password using method\n" "\t-h fd read password on fd\n" + "\t-H fd read encrypted password on fd\n" "\t-Y update NIS maps\n" "\t-N no update\n", "usage: pw usershow [uid|name] [switches]\n" diff --git a/usr.sbin/pw/pw_group.c b/usr.sbin/pw/pw_group.c index c9af998..1c63a11 100644 --- a/usr.sbin/pw/pw_group.c +++ b/usr.sbin/pw/pw_group.c @@ -158,11 +158,13 @@ pw_group(struct userconf * cnf, int mode, struct cargs * args) * software. */ - if ((arg = getarg(args, 'h')) != NULL) { + if ((arg = getarg(args, 'h')) != NULL || + (arg = getarg(args, 'H')) != NULL) { if (strcmp(arg->val, "-") == 0) grp->gr_passwd = "*"; /* No access */ else { int fd = atoi(arg->val); + int precrypt = (arg->ch == 'H'); int b; int istty = isatty(fd); struct termios t; @@ -196,7 +198,12 @@ pw_group(struct userconf * cnf, int mode, struct cargs * args) *p = '\0'; if (!*line) errx(EX_DATAERR, "empty password read on file descriptor %d", fd); - grp->gr_passwd = pw_pwcrypt(line); + if (precrypt) { + if (strchr(line, ':') != NULL) + return EX_DATAERR; + grp->gr_passwd = line; + } else + grp->gr_passwd = pw_pwcrypt(line); } } 
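Review bot: When both `-h` and `-H` are given, the new condition in the pw_group.c hunk at -158 silently uses `-h` and ignores `-H`, because the `||` stops at the first match. The manual page updated in this commit documents the two as alternatives. Rejecting the combination up front would make that explicit, e.g. `if (getarg(args, 'h') != NULL && getarg(args, 'H') != NULL) errx(EX_USAGE, "-h and -H are mutually exclusive");`. The same construct appears in the pw_user.c hunk at -602, and pw_group()'s body extends beyond this hunk.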
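Review bot: `grp->gr_passwd = line;` in the `precrypt` branch of the pw_group.c hunk at -196 stores a pointer into the read buffer, so that buffer has to remain valid until the group entry is written out. The declaration of `line` is outside this hunk; if it is an automatic variable of the enclosing `else` block, the pointer dangles as soon as the block closes, and the string would need copying into storage with a longer lifetime. The `return EX_DATAERR;` for a ':' also exits with no diagnostic, unlike the `errx()` for an empty password just above it; `errx(EX_DATAERR, "encrypted password must not contain ':'");` would say why nothing changed. Both remarks apply equally to `pwd->pw_passwd = line;` in the pw_user.c hunk at -643.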
diff --git a/usr.sbin/pw/pw_user.c b/usr.sbin/pw/pw_user.c index a001e3e..149a1ee 100644 --- a/usr.sbin/pw/pw_user.c +++ b/usr.sbin/pw/pw_user.c @@ -86,6 +86,7 @@ static void rmopie(char const * name); * -L class user class * -l name new login name * -h fd password filehandle + * -H fd encrypted password filehandle * -F force print or add * Setting defaults: * -D set user defaults @@ -544,7 +545,8 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args) warnx("WARNING: home `%s' is not a directory", pwd->pw_dir); } - if ((arg = getarg(args, 'w')) != NULL && getarg(args, 'h') == NULL) { + if ((arg = getarg(args, 'w')) != NULL && + getarg(args, 'h') == NULL && getarg(args, 'H') == NULL) { login_cap_t *lc; lc = login_getpwclass(pwd); @@ -602,7 +604,8 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args) } } - if ((arg = getarg(args, 'h')) != NULL) { + if ((arg = getarg(args, 'h')) != NULL || + (arg = getarg(args, 'H')) != NULL) { if (strcmp(arg->val, "-") == 0) { if (!pwd->pw_passwd || *pwd->pw_passwd != '*') { pwd->pw_passwd = "*"; /* No access */ @@ -610,6 +613,7 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args) } } else { int fd = atoi(arg->val); + int precrypt = (arg->ch == 'H'); int b; int istty = isatty(fd); struct termios t; @@ -624,7 +628,10 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args) /* Disable echo */ n.c_lflag &= ~(ECHO); tcsetattr(fd, TCSANOW, &n); - printf("%sassword for user %s:", (mode == M_UPDATE) ? "New p" : "P", pwd->pw_name); + printf("%s%spassword for user %s:", + (mode == M_UPDATE) ? "new " : "", + precrypt ? "encrypted " : "", + pwd->pw_name); fflush(stdout); } } @@ -635,7 +642,8 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args) fflush(stdout); } if (b < 0) { - warn("-h file descriptor"); + warn("-%c file descriptor", precrypt ? 'H' : + 'h'); return EX_IOERR; } line[b] = '\0'; 
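Review bot: The rewritten `printf` in the hunk at -624 changes the prompt for existing `-h` users as well: `New password for user` becomes `new password for user`, and `Password for user` becomes `password for user`. Anything that matches the old text on a terminal would stop matching. If only the `encrypted ` qualifier is intended, keeping the old format string for the non-`-H` case and using a separate one when `precrypt` is set would avoid the side effect. The enclosing block starts outside the hunk.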
@@ -643,12 +651,18 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args) *p = '\0'; if (!*line) errx(EX_DATAERR, "empty password read on file descriptor %d", fd); - lc = login_getpwclass(pwd); - if (lc == NULL || - login_setcryptfmt(lc, "md5", NULL) == NULL) - warn("setting crypt(3) format"); - login_close(lc); - pwd->pw_passwd = pw_pwcrypt(line); + if (precrypt) { + if (strchr(line, ':') != NULL) + return EX_DATAERR; + pwd->pw_passwd = line; + } else { + lc = login_getpwclass(pwd); + if (lc == NULL || + login_setcryptfmt(lc, "md5", NULL) == NULL) + warn("setting crypt(3) format"); + login_close(lc); + pwd->pw_passwd = pw_pwcrypt(line); + } edited = 1; } } @@ -1086,7 +1100,8 @@ pw_password(struct userconf * cnf, struct cargs * args, char const * user) /* * We give this information back to the user */ - if (getarg(args, 'h') == NULL && getarg(args, 'N') == NULL) { + if (getarg(args, 'h') == NULL && getarg(args, 'H') == NULL && + getarg(args, 'N') == NULL) { if (isatty(STDOUT_FILENO)) printf("Password for '%s' is: ", user); printf("%s\n", pwbuf); -- cgit v1.1
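Review bot: The ':' test in the hunk at -643 is the only validation applied to the `-H` input before `pwd->pw_passwd = line;`, so whatever arrives on the descriptor is written as the stored hash. A plaintext password sent to `-H` by mistake would therefore be recorded unhashed in the password database, and a malformed string leaves an account that no password matches. A comment at the branch such as `/* -H: stored verbatim, no crypt(3) format check */` would document the contract. Rejecting control characters here would be a cheap extra guard; whether earlier trimming already handles newlines is not visible in the hunk. pw_user()'s body continues outside the hunk.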