Author: asomers
Date: Mon Sep 12 17:35:45 2016
New Revision: 305750
URL: https://svnweb.freebsd.org/changeset/base/305750
Log:
MFC r302778
pw should sanitize the argument of -w.
Otherwise, it will silently disable the login for the selected account if
the argument is unrecognizable.
usr.sbin/pw/pw.h
usr.sbin/pw/pw_conf.c
usr.sbin/pw/pw_user.c
Use separate rules to validate boolean parameters and passwd
parameters. Error out if a password parameter cannot be parsed.
usr.sbin/pw/tests/Makefile
usr.sbin/pw/tests/crypt.c
usr.sbin/pw/tests/pw_useradd.sh
usr.sbin/pw/tests/pw_usermod.sh
Add tests for the validation. Also, enhance existing
password-related tests to actually validate that the correct hash is
written to master.passwd.
Added:
stable/10/usr.sbin/pw/tests/crypt.c
- copied unchanged from r302778, head/usr.sbin/pw/tests/crypt.c
Modified:
stable/10/usr.sbin/pw/pw.h
stable/10/usr.sbin/pw/pw_conf.c
stable/10/usr.sbin/pw/pw_user.c
stable/10/usr.sbin/pw/tests/Makefile
stable/10/usr.sbin/pw/tests/pw_useradd.sh
stable/10/usr.sbin/pw/tests/pw_usermod.sh
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/usr.sbin/pw/pw.h
==============================================================================
--- stable/10/usr.sbin/pw/pw.h Mon Sep 12 17:29:20 2016 (r305749)
+++ stable/10/usr.sbin/pw/pw.h Mon Sep 12 17:35:45 2016 (r305750)
@@ -93,6 +93,7 @@ int groupadd(struct userconf *, char *na
int nis_update(void);
int boolean_val(char const * str, int dflt);
+int passwd_val(char const * str, int dflt);
char const *boolean_str(int val);
char *newstr(char const * p);
Modified: stable/10/usr.sbin/pw/pw_conf.c
==============================================================================
--- stable/10/usr.sbin/pw/pw_conf.c Mon Sep 12 17:29:20 2016
(r305749)
+++ stable/10/usr.sbin/pw/pw_conf.c Mon Sep 12 17:35:45 2016
(r305750)
@@ -186,6 +186,22 @@ boolean_val(char const * str, int dflt)
for (i = 0; boolfalse[i]; i++)
if (strcmp(str, boolfalse[i]) == 0)
return 0;
+ }
+ return dflt;
+}
+
+int
+passwd_val(char const * str, int dflt)
+{
+ if ((str = unquote(str)) != NULL) {
+ int i;
+
+ for (i = 0; booltrue[i]; i++)
+ if (strcmp(str, booltrue[i]) == 0)
+ return 1;
+ for (i = 0; boolfalse[i]; i++)
+ if (strcmp(str, boolfalse[i]) == 0)
+ return 0;
/*
* Special cases for defaultpassword
@@ -194,6 +210,8 @@ boolean_val(char const * str, int dflt)
return -1;
if (strcmp(str, "none") == 0)
return -2;
+
+ errx(1, "Invalid value for default password");
}
return dflt;
}
@@ -258,7 +276,7 @@ read_userconfig(char const * file)
#endif
switch (i) {
case _UC_DEFAULTPWD:
- config.default_password = boolean_val(q, 1);
+ config.default_password = passwd_val(q, 1);
break;
case _UC_REUSEUID:
config.reuse_uids = boolean_val(q, 0);
Modified: stable/10/usr.sbin/pw/pw_user.c
==============================================================================
--- stable/10/usr.sbin/pw/pw_user.c Mon Sep 12 17:29:20 2016
(r305749)
+++ stable/10/usr.sbin/pw/pw_user.c Mon Sep 12 17:35:45 2016
(r305750)
@@ -1317,7 +1317,7 @@ pw_user_add(int argc, char **argv, char
mix_config(cmdcnf, cnf);
if (default_passwd)
- cmdcnf->default_password = boolean_val(default_passwd,
+ cmdcnf->default_password = passwd_val(default_passwd,
cnf->default_password);
if (genconf) {
if (name != NULL)
@@ -1719,7 +1719,7 @@ pw_user_mod(int argc, char **argv, char
if (lc == NULL || login_setcryptfmt(lc, "sha512", NULL) == NULL)
warn("setting crypt(3) format");
login_close(lc);
- cnf->default_password = boolean_val(passwd,
+ cnf->default_password = passwd_val(passwd,
cnf->default_password);
pwd->pw_passwd = pw_password(cnf, pwd->pw_name, dryrun);
edited = true;
Modified: stable/10/usr.sbin/pw/tests/Makefile
==============================================================================
--- stable/10/usr.sbin/pw/tests/Makefile Mon Sep 12 17:29:20 2016
(r305749)
+++ stable/10/usr.sbin/pw/tests/Makefile Mon Sep 12 17:35:45 2016
(r305750)
@@ -2,6 +2,11 @@
TESTSDIR= ${TESTSBASE}/usr.sbin/pw
+BINDIR= ${TESTSDIR}
+
+PROGS+= crypt
+LDADD+= -lcrypt
+
ATF_TESTS_SH= pw_etcdir \
pw_lock \
pw_config \
Copied: stable/10/usr.sbin/pw/tests/crypt.c (from r302778,
head/usr.sbin/pw/tests/crypt.c)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ stable/10/usr.sbin/pw/tests/crypt.c Mon Sep 12 17:35:45 2016
(r305750, copy of r302778, head/usr.sbin/pw/tests/crypt.c)
@@ -0,0 +1,45 @@
+/*-
+ * Copyright (c) 2016 Spectra Logic Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <err.h>
+#include <stdio.h>
+#include <unistd.h>
+
+int main(int argc, char** argv)
+{
+ char *salt, *pass, *hash;
+
+ if (argc < 3)
+ errx(1, "Usage: crypt <salt> <password>");
+ salt = argv[1];
+ pass = argv[2];
+
+ hash = crypt(pass, salt);
+ printf("%s", hash);
+ return (hash == NULL ? 1 : 0);
+}
Modified: stable/10/usr.sbin/pw/tests/pw_useradd.sh
==============================================================================
--- stable/10/usr.sbin/pw/tests/pw_useradd.sh Mon Sep 12 17:29:20 2016
(r305749)
+++ stable/10/usr.sbin/pw/tests/pw_useradd.sh Mon Sep 12 17:35:45 2016
(r305750)
@@ -235,9 +235,12 @@ atf_test_case user_add_password_from_h
user_add_password_from_h_body() {
populate_etc_skel
- atf_check -s exit:0 ${PW} useradd test -h 0 <<-EOF
- $(echo test)
+ atf_check -s exit:0 ${PW} useradd foo -h 0 <<-EOF
+ $(echo mypassword)
EOF
+ passhash=`awk -F ':' '/^foo:/ {print $2}' $HOME/master.passwd`
+ atf_check -s exit:0 -o inline:$passhash \
+ $(atf_get_srcdir)/crypt $passhash "mypassword"
}
atf_test_case user_add_R
@@ -325,17 +328,47 @@ user_add_already_exists_body() {
${PW} useradd foo
}
+atf_test_case user_add_w_error
+user_add_w_error_body() {
+ populate_etc_skel
+
+ atf_check -s exit:1 -e match:"pw: Invalid value for default password" \
+ ${PW} useradd foo -w invalid_value
+}
+
+atf_test_case user_add_w_no
+user_add_w_no_body() {
+ populate_etc_skel
+
+ atf_check -s exit:0 ${PW} useradd foo -w no
+ atf_check -s exit:0 -o match:"^foo:\*" grep "^foo:" $HOME/master.passwd
+}
+
+atf_test_case user_add_w_none
+user_add_w_none_body() {
+ populate_etc_skel
+
+ atf_check -s exit:0 ${PW} useradd foo -w none
+ atf_check -s exit:0 -o match:"^foo::" grep "^foo:" $HOME/master.passwd
+}
+
+atf_test_case user_add_w_random
+user_add_w_random_body() {
+ populate_etc_skel
+
+ password=`${PW} useradd foo -w random | cat`
+ passhash=`awk -F ':' '/^foo:/ {print $2}' $HOME/master.passwd`
+ atf_check -s exit:0 -o inline:$passhash \
+ $(atf_get_srcdir)/crypt $passhash "$password"
+}
+
atf_test_case user_add_w_yes
user_add_w_yes_body() {
populate_etc_skel
- atf_check -s exit:0 ${PW} useradd foo -w yes
- atf_check -s exit:0 \
- -o match:'^foo:\$.*' \
- grep "^foo" ${HOME}/master.passwd
- atf_check -s exit:0 ${PW} usermod foo -w yes
- atf_check -s exit:0 \
- -o match:'^foo:\$.*' \
- grep "^foo" ${HOME}/master.passwd
+ password=`${PW} useradd foo -w random | cat`
+ passhash=`awk -F ':' '/^foo:/ {print $2}' $HOME/master.passwd`
+ atf_check -s exit:0 -o inline:$passhash \
+ $(atf_get_srcdir)/crypt $passhash "$password"
}
atf_test_case user_add_with_pw_conf
@@ -380,6 +413,10 @@ atf_init_test_cases() {
atf_add_test_case user_add_uid_too_large
atf_add_test_case user_add_bad_shell
atf_add_test_case user_add_already_exists
+ atf_add_test_case user_add_w_error
+ atf_add_test_case user_add_w_no
+ atf_add_test_case user_add_w_none
+ atf_add_test_case user_add_w_random
atf_add_test_case user_add_w_yes
atf_add_test_case user_add_with_pw_conf
}
Modified: stable/10/usr.sbin/pw/tests/pw_usermod.sh
==============================================================================
--- stable/10/usr.sbin/pw/tests/pw_usermod.sh Mon Sep 12 17:29:20 2016
(r305749)
+++ stable/10/usr.sbin/pw/tests/pw_usermod.sh Mon Sep 12 17:35:45 2016
(r305750)
@@ -157,8 +157,9 @@ user_mod_h_body() {
atf_check -s exit:0 ${PW} usermod foo -h 0 <<- EOF
$(echo a)
EOF
- atf_check -s exit:0 -o not-match:"^foo:\*:.*" \
- grep "^foo" ${HOME}/master.passwd
+ passhash=`awk -F ':' '/^foo:/ {print $2}' $HOME/master.passwd`
+ atf_check -s exit:0 -o inline:$passhash \
+ $(atf_get_srcdir)/crypt $passhash "a"
atf_check -s exit:0 ${PW} usermod foo -h - <<- EOF
$(echo b)
EOF
@@ -203,6 +204,56 @@ user_mod_uid_body() {
atf_check -s exit:0 ${PW} usermod foo -u 5000
}
+atf_test_case user_mod_w_error
+user_mod_w_error_body() {
+ populate_etc_skel
+
+ atf_check -s exit:0 ${PW} useradd foo
+ atf_check -s exit:1 -e match:"pw: Invalid value for default password" \
+ ${PW} usermod foo -w invalid_value
+}
+
+atf_test_case user_mod_w_no
+user_mod_w_no_body() {
+ populate_etc_skel
+
+ atf_check -s exit:0 ${PW} useradd foo
+ atf_check -s exit:0 ${PW} usermod foo -w no
+ atf_check -s exit:0 -o match:"^foo:\*" grep "^foo:" $HOME/master.passwd
+}
+
+atf_test_case user_mod_w_none
+user_mod_w_none_body() {
+ populate_etc_skel
+
+ atf_check -s exit:0 ${PW} useradd foo
+ atf_check -s exit:0 ${PW} usermod foo -w none
+ atf_check -s exit:0 -o match:"^foo::" grep "^foo:" $HOME/master.passwd
+}
+
+atf_test_case user_mod_w_random
+user_mod_w_random_body() {
+ populate_etc_skel
+
+ atf_check -s exit:0 ${PW} useradd foo
+ password=`${PW} usermod foo -w random | cat`
+ passhash=`awk -F ':' '/^foo:/ {print $2}' $HOME/master.passwd`
+ atf_check -s exit:0 -o inline:$passhash \
+ $(atf_get_srcdir)/crypt $passhash "$password"
+}
+
+atf_test_case user_mod_w_yes
+user_mod_w_yes_body() {
+ populate_etc_skel
+
+ atf_check -s exit:0 ${PW} useradd foo
+ atf_check -s exit:0 ${PW} usermod foo -w yes
+ passhash=`awk -F ':' '/^foo:/ {print $2}' $HOME/master.passwd`
+ atf_check -s exit:0 -o inline:$passhash \
+ $(atf_get_srcdir)/crypt $passhash "foo"
+}
+
+
atf_init_test_cases() {
atf_add_test_case user_mod
atf_add_test_case user_mod_noupdate
@@ -219,4 +270,9 @@ atf_init_test_cases() {
atf_add_test_case user_mod_H
atf_add_test_case user_mod_renamehome
atf_add_test_case user_mod_uid
+ atf_add_test_case user_mod_w_error
+ atf_add_test_case user_mod_w_no
+ atf_add_test_case user_mod_w_none
+ atf_add_test_case user_mod_w_random
+ atf_add_test_case user_mod_w_yes
}
_______________________________________________
svn-src-stable-10@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-stable-10
To unsubscribe, send any mail to "svn-src-stable-10-unsubscr...@freebsd.org"
