emaste 8d5207ff27 chpass: reject change/expiry dates beyond y2106
The pwd.db and spwd.db files store the change and expire dates as
unsigned 32-bit ints, which overflow in 2106.  Reject larger values for
now, until the introduction of a v5 password database.

i386 has 32-bit time_t and so dates beyond y2038 are already rejected by
mktime.

PR:		227589
Reviewed by:	lidl
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2018-04-19 12:50:49 +00:00

197 lines
5.0 KiB
C

/*-
* SPDX-License-Identifier: BSD-4-Clause
*
* Copyright (c) 1988, 1993, 1994
* The Regents of the University of California. All rights reserved.
* Copyright (c) 2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
* ThinkSec AS and NAI Labs, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
* ("CBOSS"), as part of the DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef lint
#if 0
static char sccsid[] = "@(#)util.c 8.4 (Berkeley) 4/2/94";
#endif
#endif /* not lint */
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include "chpass.h"
static const char *months[] =
{ "January", "February", "March", "April", "May", "June",
"July", "August", "September", "October", "November",
"December", NULL };
char *
ttoa(time_t tval)
{
struct tm *tp;
static char tbuf[50];
if (tval) {
tp = localtime(&tval);
(void)sprintf(tbuf, "%s %d, %d", months[tp->tm_mon],
tp->tm_mday, tp->tm_year + 1900);
}
else
*tbuf = '\0';
return (tbuf);
}
int
atot(char *p, time_t *store)
{
static struct tm *lt;
char *t;
const char **mp;
time_t tval;
int day, month, year;
if (!*p) {
*store = 0;
return (0);
}
if (!lt) {
unsetenv("TZ");
(void)time(&tval);
lt = localtime(&tval);
}
if (!(t = strtok(p, " \t")))
goto bad;
if (isdigit(*t)) {
month = atoi(t);
} else {
for (mp = months;; ++mp) {
if (!*mp)
goto bad;
if (!strncasecmp(*mp, t, 3)) {
month = mp - months + 1;
break;
}
}
}
if (!(t = strtok(NULL, " \t,")) || !isdigit(*t))
goto bad;
day = atoi(t);
if (!(t = strtok(NULL, " \t,")) || !isdigit(*t))
goto bad;
year = atoi(t);
if (day < 1 || day > 31 || month < 1 || month > 12)
goto bad;
/* Allow two digit years 1969-2068 */
if (year < 69)
year += 2000;
else if (year < 100)
year += 1900;
if (year < 1969)
bad: return (1);
lt->tm_year = year - 1900;
lt->tm_mon = month - 1;
lt->tm_mday = day;
lt->tm_hour = 0;
lt->tm_min = 0;
lt->tm_sec = 0;
lt->tm_isdst = -1;
if ((tval = mktime(lt)) < 0)
return (1);
#ifndef __i386__
/*
* PR227589: The pwd.db and spwd.db files store the change and expire
* dates as unsigned 32-bit ints which overflow in 2106, so larger
* values must be rejected until the introduction of a v5 password
* database. i386 has 32-bit time_t and so dates beyond y2038 are
* already rejected by mktime above.
*/
if (tval > UINT32_MAX)
return (1);
#endif
*store = tval;
return (0);
}
int
ok_shell(char *name)
{
char *p, *sh;
setusershell();
while ((sh = getusershell())) {
if (!strcmp(name, sh)) {
endusershell();
return (1);
}
/* allow just shell name, but use "real" path */
if ((p = strrchr(sh, '/')) && strcmp(name, p + 1) == 0) {
endusershell();
return (1);
}
}
endusershell();
return (0);
}
char *
dup_shell(char *name)
{
char *p, *sh, *ret;
setusershell();
while ((sh = getusershell())) {
if (!strcmp(name, sh)) {
endusershell();
return (strdup(name));
}
/* allow just shell name, but use "real" path */
if ((p = strrchr(sh, '/')) && strcmp(name, p + 1) == 0) {
ret = strdup(sh);
endusershell();
return (ret);
}
}
endusershell();
return (NULL);
}