On Mon, Sep 10, 2012 at 05:01:13PM +0200, Antoine Jacoutot wrote:
> Hi.
> 
> This diff adds 2 new options to usermod(8):
> -U to unlock a user's password
> -Z to lock a user's password
> 
> In effect locking/unlocking the password means to add a '!' in front of
> the encrypted entry in master.passwd.
> Note that this disable the _password_ not the account of course (you
> could still connect using ssh+key for e.g.).
> 
> That said, I have some use for it and would like to be able to have this
> if at all possible.
> Behavior is basically the same as Linux's usermod(8) except that I am
> using -Z for locking the password (-Z is for SElinux in Linux land and
> -L is used instead but we use it ourselves for the login class).

Ok new diff that does something slightly different.
Instead of putting a '!' in front of the password (which confused people), 
lock/unlock means appending/removing a dash to the user's login shell.
While this is non standard behavior (but as I mentionned in a previous mail, 
usermod(8) is already not standard accross unices) I think it is better because:
- account is locked, period (no local login, no remote login -- no surprise for 
tedu ;-) )
- no values are touched
  (e.g. one could disable an account by using 'usermod -e 1' but when he wants 
to re-enable the account he'll be forced to change the expiration time)

Thanks to Stuart for the idea.

Thoughts?




Index: user.c
===================================================================
RCS file: /cvs/src/usr.sbin/user/user.c,v
retrieving revision 1.90
diff -u -r1.90 user.c
--- user.c      29 Jan 2012 08:38:54 -0000      1.90
+++ user.c      11 Sep 2012 13:38:12 -0000
@@ -100,7 +100,9 @@
        F_UID           = 0x0400,
        F_USERNAME      = 0x0800,
        F_CLASS         = 0x1000,
-       F_SETSECGROUP   = 0x4000
+       F_SETSECGROUP   = 0x4000,
+       F_ACCTLOCK      = 0x8000,
+       F_ACCTUNLOCK    = 0x10000
 };
 
 #define CONFFILE       "/etc/usermgmt.conf"
@@ -1339,11 +1341,14 @@
        struct group    *grp;
        const char      *homedir;
        char            buf[LINE_MAX];
+       char            locked_str[] = "-";
+       char            shell_len[MaxShellNameLen];
        size_t          colonc, loginc;
        size_t          cc;
        FILE            *master;
        char            newdir[MaxFileNameLen];
        char            *colon;
+       char            *shell_tmp = NULL;
        int             len;
        int             masterfd;
        int             ptmpfd;
@@ -1359,6 +1364,10 @@
        if (!is_local(login_name, _PATH_MASTERPASSWD)) {
                errx(EXIT_FAILURE, "User `%s' must be a local user", 
login_name);
        }
+       if (up != NULL) {
+               if ((up->u_flags & (F_ACCTLOCK | F_ACCTUNLOCK)) && (login_name 
== 0))
+                       errx(EXIT_FAILURE, "(un)locking is not supported for 
the `%s' account", pwp->pw_name);
+       }
        /* keep dir name in case we need it for '-m' */
        homedir = pwp->pw_dir;
 
@@ -1410,6 +1419,35 @@
                                pwp->pw_passwd = up->u_password;
                        }
                }
+               if (up->u_flags & F_ACCTLOCK) {
+                       if (strncmp(pwp->pw_shell+strlen(pwp->pw_shell) - 1, 
locked_str+strlen(locked_str) - 1, sizeof(locked_str) - 1) == 0) {
+                                warnx("account '%s' is already locked", 
pwp->pw_name);
+                       } else {
+                               shell_tmp = malloc(strlen(pwp->pw_shell) + 
sizeof(locked_str));
+                               if (shell_tmp == NULL) {
+                                       (void) close(ptmpfd);
+                                       pw_abort();
+                                       errx(EXIT_FAILURE, "lock: cannot 
allocate memory");
+                               }
+                               strlcpy(shell_tmp, pwp->pw_shell, 
sizeof(shell_len));
+                               strlcat(shell_tmp, locked_str, 
sizeof(shell_len));
+                               pwp->pw_shell = shell_tmp;
+                       }
+               }
+               if (up->u_flags & F_ACCTUNLOCK) {
+                       if (strncmp(pwp->pw_shell+strlen(pwp->pw_shell) - 1, 
locked_str+strlen(locked_str) - 1, sizeof(locked_str) - 1) != 0) {
+                               warnx("account '%s' is not locked", 
pwp->pw_name);
+                       } else {
+                               shell_tmp = malloc(strlen(pwp->pw_shell) - 
sizeof(locked_str));
+                               if (shell_tmp == NULL) {
+                                       (void) close(ptmpfd);
+                                       pw_abort();
+                                       errx(EXIT_FAILURE, "unlock: cannot 
allocate memory");
+                               }
+                               strlcpy(shell_tmp, pwp->pw_shell, 
sizeof(shell_tmp) + 1);
+                               pwp->pw_shell = shell_tmp;
+                       }
+               }
                if (up->u_flags & F_UID) {
                        /* check uid isn't already allocated */
                        if (!(up->u_flags & F_DUPUID) && 
getpwuid((uid_t)(up->u_uid)) != NULL) {
@@ -1547,6 +1585,8 @@
                }
        }
        (void) close(ptmpfd);
+       if (shell_tmp)
+               FREE(shell_tmp);
        if (up != NULL && strcmp(login_name, newlogin) == 0)
                rval = pw_mkdb(login_name, 0);
        else
@@ -1617,7 +1657,7 @@
                    "[-p password] [-r low..high]\n"
                    "               [-s shell] [-u uid] user\n", prog);
        } else if (strcmp(prog, "usermod") == 0) {
-               (void) fprintf(stderr, "usage: %s [-mov] "
+               (void) fprintf(stderr, "usage: %s [-UZmov] "
                    "[-c comment] [-d home-directory] [-e expiry-time]\n"
                    "               [-f inactive-time] "
                    "[-G secondary-group[,group,...]]\n"
@@ -1788,7 +1828,7 @@
        free(u.u_primgrp);
        u.u_primgrp = NULL;
        have_new_user = 0;
-       while ((c = getopt(argc, argv, "G:L:S:c:d:e:f:g:l:mop:s:u:v")) != -1) {
+       while ((c = getopt(argc, argv, "G:L:S:UZc:d:e:f:g:l:mop:s:u:v")) != -1) 
{
                switch(c) {
                case 'G':
                        while ((u.u_groupv[u.u_groupc] = strsep(&optarg, ",")) 
!= NULL &&
@@ -1814,6 +1854,12 @@
                        }
                        u.u_flags |= F_SETSECGROUP;
                        break;
+               case 'U':
+                       u.u_flags |= F_ACCTUNLOCK;
+                       break;
+               case 'Z':
+                       u.u_flags |= F_ACCTLOCK;
+                       break;
                case 'c':
                        memsave(&u.u_comment, optarg, strlen(optarg));
                        u.u_flags |= F_COMMENT;
@@ -1883,6 +1929,8 @@
        }
        if ((u.u_flags & F_SECGROUP) && (u.u_flags & F_SETSECGROUP))
                errx(EXIT_FAILURE, "options 'G' and 'S' are mutually 
exclusive");
+       if ((u.u_flags & F_ACCTLOCK) && (u.u_flags & F_ACCTUNLOCK))
+               errx(EXIT_FAILURE, "options 'U' and 'Z' are mutually 
exclusive");
        argc -= optind;
        argv += optind;
        if (argc != 1) {
Index: usermod.8
===================================================================
RCS file: /cvs/src/usr.sbin/user/usermod.8,v
retrieving revision 1.28
diff -u -r1.28 usermod.8
--- usermod.8   28 Jan 2012 14:25:45 -0000      1.28
+++ usermod.8   11 Sep 2012 13:38:12 -0000
@@ -40,7 +40,7 @@
 .Sh SYNOPSIS
 .Nm usermod
 .Bk -words
-.Op Fl mov
+.Op Fl moUvZ
 .Op Fl c Ar comment
 .Op Fl d Ar home-directory
 .Op Fl e Ar expiry-time
@@ -199,6 +199,14 @@
 See
 .Xr usermgmt.conf 5
 for more details.
+.It Fl U
+Unlock the account by removing the
+.Ql \&-
+from the user's shell.
+.Fl U
+and
+.Fl Z
+are mutually exclusive.
 .It Fl u Ar uid
 Specifies a new UID for the user.
 Boundaries for this value can be preset for all users
@@ -212,6 +220,14 @@
 for more details.
 .It Fl v
 Enables verbose mode - explain the commands as they are executed.
+.It Fl Z
+Lock the account by appending a
+.Ql \&-
+to the user's shell.
+.Fl Z
+and
+.Fl U
+are mutually exclusive.
 .El
 .Pp
 Once the information has been verified,

Reply via email to