ladybird/Userland/Utilities/passwd.cpp

/*
 * Copyright (c) 2020, Peter Elliott <pelliott@serenityos.org>
 * Copyright (c) 2021, Andreas Kling <kling@serenityos.org>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#include <LibCore/Account.h>
#include <LibCore/ArgsParser.h>
#include <LibCore/GetPassword.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char** argv)
{
    if (geteuid() != 0) {
        warnln("Not running as root :^(");
        return 1;
    }

    if (setegid(0) < 0) {
        perror("setegid");
        return 1;
    }

    if (pledge("stdio wpath rpath cpath fattr tty", nullptr) < 0) {
        perror("pledge");
        return 1;
    }

    if (unveil("/etc", "rwc") < 0) {
        perror("unveil");
        return 1;
    }

    unveil(nullptr, nullptr);

    bool del = false;
    bool lock = false;
    bool unlock = false;
    const char* username = nullptr;

    auto args_parser = Core::ArgsParser();
    args_parser.set_general_help("Modify an account password.");
    args_parser.add_option(del, "Delete password", "delete", 'd');
    args_parser.add_option(lock, "Lock password", "lock", 'l');
    args_parser.add_option(unlock, "Unlock password", "unlock", 'u');
    args_parser.add_positional_argument(username, "Username", "username", Core::ArgsParser::Required::No);

    args_parser.parse(argc, argv);

    uid_t current_uid = getuid();

    auto account_or_error = (username)
        ? Core::Account::from_name(username)
        : Core::Account::from_uid(current_uid);

    if (account_or_error.is_error()) {
        warnln("Core::Account::{}: {}", (username) ? "from_name" : "from_uid", account_or_error.error());
        return 1;
    }

    setpwent();

    if (pledge("stdio wpath rpath cpath fattr tty", nullptr) < 0) {
        perror("pledge");
        return 1;
    }

    // target_account is the account we are changing the password of.
    auto& target_account = account_or_error.value();

    if (current_uid != 0 && current_uid != target_account.uid()) {
        warnln("You can't modify passwd for {}", username);
        return 1;
    }

    if (del) {
        target_account.delete_password();
    } else if (lock) {
        target_account.set_password_enabled(false);
    } else if (unlock) {
        target_account.set_password_enabled(true);
    } else {
        if (current_uid != 0) {
            auto current_password = Core::get_password("Current password: ");
            if (current_password.is_error()) {
                warnln("{}", current_password.error());
                return 1;
            }

            if (!target_account.authenticate(current_password.value().characters())) {
                warnln("Incorrect or disabled password.");
                warnln("Password for user {} unchanged.", target_account.username());
                return 1;
            }
        }

        auto new_password = Core::get_password("New password: ");
        if (new_password.is_error()) {
            warnln("{}", new_password.error());
            return 1;
        }

        auto new_password_retype = Core::get_password("Retype new password: ");
        if (new_password_retype.is_error()) {
            warnln("{}", new_password_retype.error());
            return 1;
        }

        if (new_password.value().is_empty() && new_password_retype.value().is_empty()) {
            warnln("No password supplied.");
            warnln("Password for user {} unchanged.", target_account.username());
            return 1;
        }

        if (new_password.value() != new_password_retype.value()) {
            warnln("Sorry, passwords don't match.");
            warnln("Password for user {} unchanged.", target_account.username());
            return 1;
        }

        target_account.set_password(new_password.value().characters());
    }

    if (pledge("stdio wpath rpath cpath fattr", nullptr) < 0) {
        perror("pledge");
        return 1;
    }

    if (!target_account.sync()) {
        perror("Core::Account::Sync");
    } else {
        outln("Password for user {} successfully updated.", target_account.username());
    }

    return 0;
}
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`/*`
Everywhere: Use my cool new @serenityos.org email address 2021-08-31 19:32:46 -07:00			`* Copyright (c) 2020, Peter Elliott <pelliott@serenityos.org>`
passwd+LibCore: Make passwd replace /etc files atomically Before this patch, we had a nasty race condition when changing a user's password: there was a time window between truncating /etc/shadow and writing out its new contents, where you could simply "su" to root without using a password. Instead of writing directly to /etc/passwd and /etc/shadow, we now create temporary files in /etc and fill them with the new contents. Those files are then atomically renamed to /etc/passwd and /etc/shadow. Sadly, fixing this race requires giving the passwd program a lot more privileges. This is something we can and should improve upon. :^) 2021-01-21 09:58:31 +01:00			`* Copyright (c) 2021, Andreas Kling <kling@serenityos.org>`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`*`
Everything: Move to SPDX license identifiers in all files. SPDX License Identifiers are a more compact / standardized way of representing file license information. See: https://spdx.dev/resources/use/#identifiers This was done with the `ambr` search and replace tool. ambr --no-parent-ignore --key-from-file --rep-from-file key.txt rep.txt * 2021-04-22 01:24:48 -07:00			`* SPDX-License-Identifier: BSD-2-Clause`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`*/`

Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`#include <LibCore/Account.h>`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`#include <LibCore/ArgsParser.h>`
			`#include <LibCore/GetPassword.h>`
			`#include <string.h>`
			`#include <unistd.h>`

			`int main(int argc, char** argv)`
			`{`
			`if (geteuid() != 0) {`
passwd+su: Convert fprintf(stderr, ...) to warnln() 2021-01-09 22:14:20 +01:00			`warnln("Not running as root :^(");`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`return 1;`
			`}`

passwd+LibCore: Make passwd replace /etc files atomically Before this patch, we had a nasty race condition when changing a user's password: there was a time window between truncating /etc/shadow and writing out its new contents, where you could simply "su" to root without using a password. Instead of writing directly to /etc/passwd and /etc/shadow, we now create temporary files in /etc and fill them with the new contents. Those files are then atomically renamed to /etc/passwd and /etc/shadow. Sadly, fixing this race requires giving the passwd program a lot more privileges. This is something we can and should improve upon. :^) 2021-01-21 09:58:31 +01:00			`if (setegid(0) < 0) {`
			`perror("setegid");`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`return 1;`
			`}`

passwd: Remove duplicate 'wpath' pledge 2021-01-21 16:28:54 +00:00			`if (pledge("stdio wpath rpath cpath fattr tty", nullptr) < 0) {`
passwd+LibCore: Make passwd replace /etc files atomically Before this patch, we had a nasty race condition when changing a user's password: there was a time window between truncating /etc/shadow and writing out its new contents, where you could simply "su" to root without using a password. Instead of writing directly to /etc/passwd and /etc/shadow, we now create temporary files in /etc and fill them with the new contents. Those files are then atomically renamed to /etc/passwd and /etc/shadow. Sadly, fixing this race requires giving the passwd program a lot more privileges. This is something we can and should improve upon. :^) 2021-01-21 09:58:31 +01:00			`perror("pledge");`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`return 1;`
			`}`

passwd+LibCore: Make passwd replace /etc files atomically Before this patch, we had a nasty race condition when changing a user's password: there was a time window between truncating /etc/shadow and writing out its new contents, where you could simply "su" to root without using a password. Instead of writing directly to /etc/passwd and /etc/shadow, we now create temporary files in /etc and fill them with the new contents. Those files are then atomically renamed to /etc/passwd and /etc/shadow. Sadly, fixing this race requires giving the passwd program a lot more privileges. This is something we can and should improve upon. :^) 2021-01-21 09:58:31 +01:00			`if (unveil("/etc", "rwc") < 0) {`
LibCore+passwd+su+Base: Add /etc/shadow to hide hashes from users :^) This patch moves the user account password hashes from /etc/passwd, where they were world-readable, to /etc/shadow, where only root can access them. The Core::Account class is extended to support both authentication against, and modification of /etc/shadow. The default password for "anon" as of this commit is "foo" :^) 2021-01-09 17:44:44 +01:00			`perror("unveil");`
			`return 1;`
			`}`

Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`unveil(nullptr, nullptr);`

			`bool del = false;`
			`bool lock = false;`
			`bool unlock = false;`
			`const char* username = nullptr;`

			`auto args_parser = Core::ArgsParser();`
Userland: Write some '--help' descriptions where appropriate 2020-12-05 16:22:58 +01:00			`args_parser.set_general_help("Modify an account password.");`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`args_parser.add_option(del, "Delete password", "delete", 'd');`
			`args_parser.add_option(lock, "Lock password", "lock", 'l');`
			`args_parser.add_option(unlock, "Unlock password", "unlock", 'u');`
			`args_parser.add_positional_argument(username, "Username", "username", Core::ArgsParser::Required::No);`

			`args_parser.parse(argc, argv);`

Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`uid_t current_uid = getuid();`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00
LibCore+passwd+su+Base: Add /etc/shadow to hide hashes from users :^) This patch moves the user account password hashes from /etc/passwd, where they were world-readable, to /etc/shadow, where only root can access them. The Core::Account class is extended to support both authentication against, and modification of /etc/shadow. The default password for "anon" as of this commit is "foo" :^) 2021-01-09 17:44:44 +01:00			`auto account_or_error = (username)`
LibCore+su+passwd: Don't keep /etc/passwd and /etc/shadow open Now that we've moved to atomic replacement of these files when altering them, we don't need to keep them open for the lifetime of Core::Account so just simplify this and close them when they are not needed. 2021-01-21 11:17:06 +01:00			`? Core::Account::from_name(username)`
			`: Core::Account::from_uid(current_uid);`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00
			`if (account_or_error.is_error()) {`
passwd+su: Convert fprintf(stderr, ...) to warnln() 2021-01-09 22:14:20 +01:00			`warnln("Core::Account::{}: {}", (username) ? "from_name" : "from_uid", account_or_error.error());`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`return 1;`
			`}`

passwd: Drop privileges after opening files for writing Once we have /etc/passwd and /etc/shadow open for writing, there's no need for passwd to continue running as root. We can also drop a bunch of pledge promises, further tightening things. 2021-01-09 17:46:30 +01:00			`setpwent();`

LibC: Implement support for getspnam() and friends 2021-05-01 11:43:38 +02:00			`if (pledge("stdio wpath rpath cpath fattr tty", nullptr) < 0) {`
passwd: Drop privileges after opening files for writing Once we have /etc/passwd and /etc/shadow open for writing, there's no need for passwd to continue running as root. We can also drop a bunch of pledge promises, further tightening things. 2021-01-09 17:46:30 +01:00			`perror("pledge");`
			`return 1;`
			`}`

Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`// target_account is the account we are changing the password of.`
su+passwd: Don't copy Core::Account unnecessarily 2021-01-09 17:54:09 +01:00			`auto& target_account = account_or_error.value();`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00
			`if (current_uid != 0 && current_uid != target_account.uid()) {`
passwd+su: Convert fprintf(stderr, ...) to warnln() 2021-01-09 22:14:20 +01:00			`warnln("You can't modify passwd for {}", username);`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`return 1;`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`}`

			`if (del) {`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`target_account.delete_password();`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`} else if (lock) {`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`target_account.set_password_enabled(false);`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`} else if (unlock) {`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`target_account.set_password_enabled(true);`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`} else {`
passwd: Prompt for the current password before setting new password This changes passwd to authenticate non-root users before prompting for new password. 2021-05-23 23:08:18 -04:00			`if (current_uid != 0) {`
			`auto current_password = Core::get_password("Current password: ");`
			`if (current_password.is_error()) {`
			`warnln("{}", current_password.error());`
			`return 1;`
			`}`

			`if (!target_account.authenticate(current_password.value().characters())) {`
			`warnln("Incorrect or disabled password.");`
passwd: Provide more verbose output regarding status of changed passwd passwd should explicitly indicate the status of the password change. 2021-05-24 16:27:35 -04:00			`warnln("Password for user {} unchanged.", target_account.username());`
passwd: Prompt for the current password before setting new password This changes passwd to authenticate non-root users before prompting for new password. 2021-05-23 23:08:18 -04:00			`return 1;`
			`}`
			`}`

Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`auto new_password = Core::get_password("New password: ");`
			`if (new_password.is_error()) {`
LibCore: Use OSError in get_password() return type 2021-01-10 13:48:05 +01:00			`warnln("{}", new_password.error());`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`return 1;`
			`}`

passwd: Retype password to confirm Previously passwd would accept the first password input by the user. It should ask the user to re-type the password to check for mismatches and prevent typos in the password. 2021-05-24 15:50:56 -04:00			`auto new_password_retype = Core::get_password("Retype new password: ");`
			`if (new_password_retype.is_error()) {`
			`warnln("{}", new_password_retype.error());`
			`return 1;`
			`}`

passwd: Do not allow empty passwords The user should use the delete flag when wanting to issue an empty password. passwd should return an error after receiving empty input. 2021-05-24 16:41:36 -04:00			`if (new_password.value().is_empty() && new_password_retype.value().is_empty()) {`
			`warnln("No password supplied.");`
			`warnln("Password for user {} unchanged.", target_account.username());`
			`return 1;`
			`}`

passwd: Retype password to confirm Previously passwd would accept the first password input by the user. It should ask the user to re-type the password to check for mismatches and prevent typos in the password. 2021-05-24 15:50:56 -04:00			`if (new_password.value() != new_password_retype.value()) {`
			`warnln("Sorry, passwords don't match.");`
passwd: Provide more verbose output regarding status of changed passwd passwd should explicitly indicate the status of the password change. 2021-05-24 16:27:35 -04:00			`warnln("Password for user {} unchanged.", target_account.username());`
passwd: Retype password to confirm Previously passwd would accept the first password input by the user. It should ask the user to re-type the password to check for mismatches and prevent typos in the password. 2021-05-24 15:50:56 -04:00			`return 1;`
			`}`

Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`target_account.set_password(new_password.value().characters());`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00			`}`

LibC: Implement support for getspnam() and friends 2021-05-01 11:43:38 +02:00			`if (pledge("stdio wpath rpath cpath fattr", nullptr) < 0) {`
passwd: Drop "tty" pledge promise after getting password from user This leaves us with a total pledge of "stdio" when writing to /etc/passwd and /etc/shadow which is kinda neat. :^) 2021-01-09 22:22:07 +01:00			`perror("pledge");`
			`return 1;`
			`}`

Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`if (!target_account.sync()) {`
			`perror("Core::Account::Sync");`
passwd: Provide more verbose output regarding status of changed passwd passwd should explicitly indicate the status of the password change. 2021-05-24 16:27:35 -04:00			`} else {`
			`outln("Password for user {} successfully updated.", target_account.username());`
Userland: Convert passwd(1) to use Core::Account this fixes the passwd issues discovered in #3296 2020-09-04 12:01:48 -07:00			`}`
Userland: Add passwd utility 2020-07-25 16:08:55 -06:00
			`return 0;`
			`}`