Commit Graph

51 Commits

Author SHA1 Message Date
garga
43727d164b When passwd or group information is changed (by pw, vipw, chpass, ...)
temporary file is created and then a rename() call move it to official file.
This operation didn't have any check to make sure data was written to disk
and if a power cycle happens system could end up with a 0 length passwd
or group database.

There is a pfSense bug with more infor about it:

https://redmine.pfsense.org/issues/4523

The following changes were made to protect passwd and group operations:

* lib/libutil/gr_util.c:
 - Replace mkstemp() by mkostemp() with O_SYNC flag to create temp file
 - After rename(), fsync() call on directory for faster result

* lib/libutil/pw_util.c
 - Replace mkstemp() by mkostemp() with O_SYNC flag to create temp file

* usr.sbin/pwd_mkdb/pwd_mkdb.c
 - Added O_SYNC flag on dbopen() calls
 - After rename(), fsync() call on directory for faster result

* lib/libutil/pw_util.3
 - pw_lock() returns a file descriptor to master password file on success

Differential Revision:	https://reviews.freebsd.org/D2978
Approved by:	bapt
Sponsored by:	Netgate
2015-07-02 17:30:59 +00:00
bapt
87ba98d649 revert r283969,283970 not needed anymore after r283981 2015-06-04 08:00:11 +00:00
bapt
d5461fcfc0 Add a pw_mkdb2(3) function which does the same thing as pw_mkdb(3) except
it takes a new argument allowing to specify the endianness of the database
to generate

Differential Revision:	https://reviews.freebsd.org/D2730
Reviewed by:	ian
2015-06-03 20:48:28 +00:00
bapt
85a7bc8863 Add O_CLOEXEC to flopen
Requested by:	jilles
2012-12-27 20:24:44 +00:00
bapt
925e83c0bd Use flopen(3) instead of open(2) + flock(2) 2012-12-27 14:09:50 +00:00
bapt
dabdba1306 backout r242319, racy and not done in the right place
Reported by:	Garrett Cooper  <yanegomi@gmail.com>
2012-10-29 18:06:09 +00:00
bapt
aa97290070 make pw_init and gr_init fail if the specified master password or group file is
a directory.

MFC after:	1 month
2012-10-29 17:19:43 +00:00
bapt
4d9f5b8227 Revert user comparison back to user names as some user can share uids (root/toor
for example)

get the username information from old_pw structures to still allow renaming of a
user.

Reported by:	Claude Buisson <clbuisson@orange.fr>
Approved by:	des (mentor)
MFC after:	3 weeks
2012-06-19 11:39:56 +00:00
ed
a03b3637dd Detect file modification properly by using tv_nsec.
POSIX 2008 standardizes st_mtim, meaning we can simply use nanosecond
precision to detect file modification.

MFC after:	2 weeks
2012-02-10 13:40:32 +00:00
bapt
a00247bc12 Add new pw_make_v7 to make a passwd line (in v7 format) out of a struct passwd
while here, fix missing parentheses of the return statement of pw_make.

Approved by:	des (mentor)
2012-01-05 10:40:24 +00:00
bapt
b5cd6ab67f Modify pw_copy:
- if pw is NULL and oldpw is not NULL then the oldpw is deleted
- if pw->pw_name != oldpw->pw_name but pw->pw_uid == oldpw->pw_uid
then it renames the user

add new gr_* functions so now gr_util API is similar to pw_util API,
this allow to manipulate groups in a safe way.

Reviewed by:	des
Approved by:	des
MFC after:	1 month
2011-12-15 22:07:36 +00:00
des
5bab879758 Old patch I had lying around: clean up and use stpcpy(3) instead of
sprintf(3).
2010-08-16 11:22:12 +00:00
kib
a5ec5de71c sigset() is the name of function specified by SUSv4.
Replace it to avoid conflict.

MFC after:	3 weeks
2009-11-26 13:41:15 +00:00
imp
130ae175fc Remove California Regent's clause 3, per letter 2007-01-09 01:02:06 +00:00
thomas
e5de30ab6d Minor comment fix. 2006-09-08 08:14:32 +00:00
thomas
2bf8d53a14 (pw_copy): Handle the case of a malformed line in master.passwd
(copy it silently, do not dereference NULL pointer).

PR:             bin/102848
Reviewed by:    security-officer (cperciva)
MFC after:      1 week
2006-09-04 15:09:21 +00:00
stefanf
f4d682445c Don't depend on NULL's expansion being a pointer, cast it before it is passed
to variadic functions.

Approved by:	das (mentor)
2004-05-18 15:53:58 +00:00
markm
3f45792057 ANSIfy, WARNSify, CONSTify. Bit of style(9)-ify. 2003-10-18 10:04:16 +00:00
markm
924232818d Tidy up. Sort headers. 2003-06-14 18:42:37 +00:00
des
dcecf33e14 Brucify. 2003-04-10 10:26:18 +00:00
des
f514349f09 Correctly detect the case where a password entry was changed while we were
preparing to edit it.

PR:		bin/50563
2003-04-09 18:20:51 +00:00
des
12196b5a56 Apply the correct fix for bin/50679: don't mess around with process groups
or the tty, just block selected signals in the parent like system(3) does.
Many thanks to bde for his assistance in finding the correct solution.

PR:		bin/50679
2003-04-09 16:39:47 +00:00
des
1d2413048f Band-aid for the "^C kills the editor" problem. I haven't yet found the
proper way to fix this.  The way this works is to prepend "exec " to
the editor command to eliminate the "shell in the middle" which prevents
us from properly reawakening the editor after a SIGTSTP.

PR:		bin/50679
2003-04-08 18:04:30 +00:00
das
f1bbc8cde6 Make pw_edit() use /bin/sh to interpret the EDITOR environment
variable.

PR:		48748
Reviewed by:	mike (mentor)
2003-03-17 02:12:55 +00:00
des
e0746634a5 Don't forget to '\n'-terminate new entries. This unbreaks chpass -a.
Submitted by:	joerg
2002-10-29 13:58:42 +00:00
n_hibma
e8868912eb Be more clear in error messages.
Distinguish between a held lock and a failed lock op.

If rpc.lockd is not running on a diskless client this makes clearer
what the problem is.
2002-06-23 19:23:46 +00:00
des
0e558b0a7a If no old_pw was passed to pw_copy, compare just the name.
Sponsored by:	DARPA, NAI Labs
2002-05-08 14:52:32 +00:00
des
ac9ea0e5ca Add passwd manipulation code based on parts of vipw and chpass.
Sponsored by:	DARPA, NAI Labs
2002-05-08 00:50:07 +00:00
des
e914cc2fa2 Make mppath and masterpasswd pointers instead of arrays, and initialize
them to point at static strings that contain the default paths.  This
makes 'vipw -d' work again (I broke it in rev 1.21; apologies for taking
so long to fix it.)

Spotted by:	Olivier Houchard <doginou@cognet.ci0.org>
Sponsored by:	DARPA, NAI Labs
2002-04-17 00:18:15 +00:00
des
929a8fb33d Remove bogus reference to _use_yp. 2002-04-15 15:50:59 +00:00
des
3f7a9ec821 ANSIfy and constify.
Sponsored by:	DARPA, NAI Labs
2002-02-05 06:49:11 +00:00
brian
8636b161b3 Fix the type of the NULL arg to execl()
Idea from: Theo de Raadt <deraadt@openbsd.org>
2001-07-09 09:24:06 +00:00
dd
d3657cb5d2 Don't pass NULL to the %s format.
Reviewed by:	kris
2001-04-22 03:00:09 +00:00
kris
b2ae75bb55 Don't call warn() without a format string. 2000-07-12 00:50:15 +00:00
peter
efabb9ccb1 $Id$ -> $FreeBSD$ 1999-08-28 01:35:59 +00:00
pb
0ff8a29fa6 Move call to umask(0) back into pw_util(), because the latter
function is also used by chpass(1) and passwd(1).
1999-06-29 01:04:10 +00:00
pb
2f10423ca8 Force umask to 077 (instead of 000) during the edit phase, to get
secure permissions in case the user attempts to save something to
a file of his own.

Move umask stuff out of pw_init() into main() for better visibility
of overall umask tweaking logic.

PR:		misc/11797
1999-06-26 12:15:39 +00:00
sheldonh
038f23db19 Add -d option to vipw(8) to allow selection of an alternative directory
for the password files.

PR:	2703
Submitted by:	jmg
1999-06-26 07:16:42 +00:00
dillon
3fa521a2d2 oops. Fix indentation of the 'for' loop I just added. 1998-12-13 01:39:32 +00:00
dillon
99ae894df3 Handle the race condition where vipw may lock a password file which has
just been replaced.  After our lock succeeds we check if st_nlink is 0
    and if it is we close the descriptor and retry our open/lock sequence.
1998-12-13 01:36:45 +00:00
des
1c3787c6df Since vfork() was changed to fork(), we have to pass errno back from the
child to the parent somehow.

PR:		8353
Submitted by:	Andrew J. Korty <ajk@purdue.edu>
1998-10-20 11:34:11 +00:00
des
3ca80efd3a Calls one or more of malloc(), warn(), err(), syslog(), execlp() or
execvp() in the child branch of a vfork(). Changed to use fork()
instead.

Some of these (mv, find, apply, xargs) might benefit greatly from
being rewritten to use vfork() properly.

PR:		Loosely related to bin/8252
Approved by:	jkh and bde
1998-10-13 14:52:33 +00:00
charnier
54e2b69a0f Statisize usage(). 1997-10-27 07:53:22 +00:00
jkh
418d0a6a92 Changes to support full make parallelism (-j<n>) in the world
target.
Reviewed by:	<many different folks>
Submitted by:	Nickolay N. Dudorov" <nnd@nnd.itfs.nsk.su>
1997-10-05 09:40:24 +00:00
wosch
e4b768f0ee Endless loop.
$ vipw
[corrupt a line in editor, exit editor]
pwd_mkdb: corrupted entry
pwd_mkdb: at line #2
pwd_mkdb:
/etc/pw.012585: Inappropriate file type or format
re-edit the password file? [y]: n^D^D
[hang]
1997-09-29 13:13:51 +00:00
joerg
e309caa011 Cosmetic: distinguish in diag message between rebuilding and updating
the database.

PR:		3397
Submitted by:	taob@risc.org (Brian Tao)
1997-08-24 18:23:21 +00:00
guido
70bae2bee1 Implement incremental passwd database updates. This is done by ading a '-u'
option to pwd_mkdb and adding this option to utilities invoking it.
Further, the filling of both the secure and insecure databases has been
merged into one loop giving also a performance improvemnet.
Note that I did *not* change the adduser command. I don't read perl
(it is a write only language anyway).
The change will drastically improve performance for passwd and
friends with large passwd files. Vipw's performance won't change.
In order to do that some kind of diff should be made between the
old and new master.passwd and depending the amount of changes, an
incremental or complete update of the databases should be agreed
upon.
1996-07-01 19:38:50 +00:00
wpaul
0d181a55dc Small NIS tweak: frob pw_error() a little so that it can say either
'NIS information unchanged' or '/etc/master.passwd unchanged'
depending on which was is being modified (conditional on -DYP).

This is to save me the trouble of writing a whole other error
routine (nis_error()?) for the upcoming changes to passwd and
chpass.
1995-08-13 16:05:06 +00:00
rgrimes
4f960dd75f Remove trailing whitespace. 1995-05-30 03:57:47 +00:00
ache
644d3b582f Fix suspended vipw hangs
Obtained from: NetBSD
1995-03-09 21:53:12 +00:00