ladybird/Userland/Utilities/passwd.cpp

/*
 * Copyright (c) 2020, Peter Elliott <pelliott@serenityos.org>
 * Copyright (c) 2021, Andreas Kling <kling@serenityos.org>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#include <AK/ScopeGuard.h>
#include <LibCore/Account.h>
#include <LibCore/ArgsParser.h>
#include <LibCore/GetPassword.h>
#include <LibCore/System.h>
#include <LibMain/Main.h>
#include <string.h>
#include <unistd.h>

ErrorOr<int> serenity_main(Main::Arguments arguments)
{
    if (geteuid() != 0) {
        warnln("Not running as root :^(");
        return 1;
    }

    TRY(Core::System::setegid(0));

    TRY(Core::System::pledge("stdio wpath rpath cpath fattr tty"));
    TRY(Core::System::unveil("/etc", "rwc"));
    TRY(Core::System::unveil(nullptr, nullptr));

    bool del = false;
    bool lock = false;
    bool unlock = false;
    const char* username = nullptr;

    auto args_parser = Core::ArgsParser();
    args_parser.set_general_help("Modify an account password.");
    args_parser.add_option(del, "Delete password", "delete", 'd');
    args_parser.add_option(lock, "Lock password", "lock", 'l');
    args_parser.add_option(unlock, "Unlock password", "unlock", 'u');
    args_parser.add_positional_argument(username, "Username", "username", Core::ArgsParser::Required::No);

    args_parser.parse(arguments);

    uid_t current_uid = getuid();

    // target_account is the account we are changing the password of.
    auto target_account = TRY((username)
            ? Core::Account::from_name(username)
            : Core::Account::from_uid(current_uid));

    setpwent();

    if (current_uid != 0 && current_uid != target_account.uid()) {
        warnln("You can't modify passwd for {}", username);
        return 1;
    }

    if (del) {
        target_account.delete_password();
    } else if (lock) {
        target_account.set_password_enabled(false);
    } else if (unlock) {
        target_account.set_password_enabled(true);
    } else {
        if (current_uid != 0) {
            auto current_password = TRY(Core::get_password("Current password: "));

            if (!target_account.authenticate(current_password)) {
                warnln("Incorrect or disabled password.");
                warnln("Password for user {} unchanged.", target_account.username());
                return 1;
            }
        }

        auto new_password = TRY(Core::get_password("New password: "));
        auto new_password_retype = TRY(Core::get_password("Retype new password: "));

        if (new_password.is_empty() && new_password_retype.is_empty()) {
            warnln("No password supplied.");
            warnln("Password for user {} unchanged.", target_account.username());
            return 1;
        }

        if (new_password.view() != new_password_retype.view()) {
            warnln("Sorry, passwords don't match.");
            warnln("Password for user {} unchanged.", target_account.username());
            return 1;
        }

        target_account.set_password(new_password);
    }

    TRY(Core::System::pledge("stdio wpath rpath cpath fattr"));

    TRY(target_account.sync());

    outln("Password for user {} successfully updated.", target_account.username());
    return 0;
}
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`/*`
Everywhere: Use my cool new @serenityos.org email address 2021-08-31 19:32:46 -07:00			`* Copyright (c) 2020, Peter Elliott <pelliott@serenityos.org>`
passwd+LibCore: Make passwd replace /etc files atomically Before this patch, we had a nasty race condition when changing a user's password: there was a time window between truncating /etc/shadow and writing out its new contents, where you could simply "su" to root without using a password. Instead of writing directly to /etc/passwd and /etc/shadow, we now create temporary files in /etc and fill them with the new contents. Those files are then atomically renamed to /etc/passwd and /etc/shadow. Sadly, fixing this race requires giving the passwd program a lot more privileges. This is something we can and should improve upon. :^) 2021-01-21 09:58:31 +01:00			`* Copyright (c) 2021, Andreas Kling <kling@serenityos.org>`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`*`
Everything: Move to SPDX license identifiers in all files. SPDX License Identifiers are a more compact / standardized way of representing file license information. See: https://spdx.dev/resources/use/#identifiers This was done with the `ambr` search and replace tool. ambr --no-parent-ignore --key-from-file --rep-from-file key.txt rep.txt * 2021-04-22 01:24:48 -07:00			`* SPDX-License-Identifier: BSD-2-Clause`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`*/`

LibCore: Make get_password return SecretString instead of String We shouldn't let secrets sit around in memory, as they could potentially be retrieved by an attacker, or left in memory during a core dump. 2021-09-11 09:53:25 -07:00			`#include <AK/ScopeGuard.h>`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`#include <LibCore/Account.h>`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`#include <LibCore/ArgsParser.h>`
			`#include <LibCore/GetPassword.h>`
passwd: Port to LibMain 2021-12-11 17:23:20 +01:00			`#include <LibCore/System.h>`
			`#include <LibMain/Main.h>`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`#include <string.h>`
			`#include <unistd.h>`

passwd: Port to LibMain 2021-12-11 17:23:20 +01:00			`ErrorOr<int> serenity_main(Main::Arguments arguments)`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`{`
			`if (geteuid() != 0) {`
passwd+su: Convert fprintf(stderr, ...) to warnln() 2021-01-09 22:14:20 +01:00			`warnln("Not running as root :^(");`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`return 1;`
			`}`

passwd: Use LibCore syscall wrapper for setegid() 2021-12-16 19:32:23 +01:00			`TRY(Core::System::setegid(0));`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00
passwd: Port to LibMain 2021-12-11 17:23:20 +01:00			`TRY(Core::System::pledge("stdio wpath rpath cpath fattr tty"));`
			`TRY(Core::System::unveil("/etc", "rwc"));`
			`TRY(Core::System::unveil(nullptr, nullptr));`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00
			`bool del = false;`
			`bool lock = false;`
			`bool unlock = false;`
			`const char* username = nullptr;`

			`auto args_parser = Core::ArgsParser();`
Userland: Write some '--help' descriptions where appropriate 2020-12-05 16:22:58 +01:00			`args_parser.set_general_help("Modify an account password.");`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`args_parser.add_option(del, "Delete password", "delete", 'd');`
			`args_parser.add_option(lock, "Lock password", "lock", 'l');`
			`args_parser.add_option(unlock, "Unlock password", "unlock", 'u');`
			`args_parser.add_positional_argument(username, "Username", "username", Core::ArgsParser::Required::No);`

passwd: Port to LibMain 2021-12-11 17:23:20 +01:00			`args_parser.parse(arguments);`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`uid_t current_uid = getuid();`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00
passwd: Port to LibMain 2021-12-11 17:23:20 +01:00			`// target_account is the account we are changing the password of.`
			`auto target_account = TRY((username)`
			`? Core::Account::from_name(username)`
			`: Core::Account::from_uid(current_uid));`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00
passwd: Drop privileges after opening files for writing Once we have /etc/passwd and /etc/shadow open for writing, there's no need for passwd to continue running as root. We can also drop a bunch of pledge promises, further tightening things. 2021-01-09 17:46:30 +01:00			`setpwent();`

Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`if (current_uid != 0 && current_uid != target_account.uid()) {`
passwd+su: Convert fprintf(stderr, ...) to warnln() 2021-01-09 22:14:20 +01:00			`warnln("You can't modify passwd for {}", username);`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`return 1;`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`}`

			`if (del) {`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`target_account.delete_password();`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`} else if (lock) {`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`target_account.set_password_enabled(false);`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`} else if (unlock) {`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`target_account.set_password_enabled(true);`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`} else {`
passwd: Prompt for the current password before setting new password This changes passwd to authenticate non-root users before prompting for new password. 2021-05-23 23:08:18 -04:00			`if (current_uid != 0) {`
passwd: Port to LibMain 2021-12-11 17:23:20 +01:00			`auto current_password = TRY(Core::get_password("Current password: "));`
passwd: Prompt for the current password before setting new password This changes passwd to authenticate non-root users before prompting for new password. 2021-05-23 23:08:18 -04:00
passwd: Port to LibMain 2021-12-11 17:23:20 +01:00			`if (!target_account.authenticate(current_password)) {`
passwd: Prompt for the current password before setting new password This changes passwd to authenticate non-root users before prompting for new password. 2021-05-23 23:08:18 -04:00			`warnln("Incorrect or disabled password.");`
passwd: Provide more verbose output regarding status of changed passwd passwd should explicitly indicate the status of the password change. 2021-05-24 16:27:35 -04:00			`warnln("Password for user {} unchanged.", target_account.username());`
passwd: Prompt for the current password before setting new password This changes passwd to authenticate non-root users before prompting for new password. 2021-05-23 23:08:18 -04:00			`return 1;`
			`}`
			`}`

passwd: Port to LibMain 2021-12-11 17:23:20 +01:00			`auto new_password = TRY(Core::get_password("New password: "));`
			`auto new_password_retype = TRY(Core::get_password("Retype new password: "));`
passwd: Retype password to confirm Previously passwd would accept the first password input by the user. It should ask the user to re-type the password to check for mismatches and prevent typos in the password. 2021-05-24 15:50:56 -04:00
passwd: Port to LibMain 2021-12-11 17:23:20 +01:00			`if (new_password.is_empty() && new_password_retype.is_empty()) {`
passwd: Do not allow empty passwords The user should use the delete flag when wanting to issue an empty password. passwd should return an error after receiving empty input. 2021-05-24 16:41:36 -04:00			`warnln("No password supplied.");`
			`warnln("Password for user {} unchanged.", target_account.username());`
			`return 1;`
			`}`

passwd: Port to LibMain 2021-12-11 17:23:20 +01:00			`if (new_password.view() != new_password_retype.view()) {`
passwd: Retype password to confirm Previously passwd would accept the first password input by the user. It should ask the user to re-type the password to check for mismatches and prevent typos in the password. 2021-05-24 15:50:56 -04:00			`warnln("Sorry, passwords don't match.");`
passwd: Provide more verbose output regarding status of changed passwd passwd should explicitly indicate the status of the password change. 2021-05-24 16:27:35 -04:00			`warnln("Password for user {} unchanged.", target_account.username());`
passwd: Retype password to confirm Previously passwd would accept the first password input by the user. It should ask the user to re-type the password to check for mismatches and prevent typos in the password. 2021-05-24 15:50:56 -04:00			`return 1;`
			`}`

passwd: Port to LibMain 2021-12-11 17:23:20 +01:00			`target_account.set_password(new_password);`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`}`

passwd: Port to LibMain 2021-12-11 17:23:20 +01:00			`TRY(Core::System::pledge("stdio wpath rpath cpath fattr"));`
passwd: Drop "tty" pledge promise after getting password from user This leaves us with a total pledge of "stdio" when writing to /etc/passwd and /etc/shadow which is kinda neat. :^) 2021-01-09 22:22:07 +01:00
LibCore+passwd+usermod: Make Core::Account::sync() return ErrorOr<void> 2021-12-16 21:41:57 +01:00			`TRY(target_account.sync());`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00
LibCore+passwd+usermod: Make Core::Account::sync() return ErrorOr<void> 2021-12-16 21:41:57 +01:00			`outln("Password for user {} successfully updated.", target_account.username());`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`return 0;`
			`}`