Subject: Adding support for commented-out password entries
To: None <tech-userlevel@netbsd.org>
From: Dr. Lex Wennmacher <wennmach@geo.Uni-Koeln.DE>
List: tech-userlevel
Date: 10/06/2002 21:25:49
--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Attached are modifications that add support for commented-out
entries in master.passwd. With these changes applied, entries
in master.passwd can be safely commented out by prepending '#:#',
leaving all other fields (including password and shell field)
unchanged.
Using '#:#' as comment token is a safeguard against the safety
problems that would result if an admin would move a master.passwd
from a system supporting commented-out entries to a system not
supporting them. On a non-supporting system, commented-out entries
are invalid (and thus generate errors).
The footprint of the changes is rather small: a check for
commented out entries has been added to pw_scan. Two additional
flags for pw_scan have been defined in pwd.h:
_PASSWORD_CMNT: set in 'flag' if an entry is a comment
_PASSWORD_ALLOWCMNT: if pw_scan is called with this flag set,
pw_scan does not return an error if a comment
is detected (else an error is returned)
That way most applications using pw_scan need not be changed.
pwd_mkdb has been changed to (actively) ignore commented-out
entries.
Applications like "passwd", "chpass", "user" do not require
modifications (tested). Visual inspection shows that libhack
should also continue to work without modifications. Also, Yellow
Pages support need no modifications (Makefile.yp already strips
comments from master.passwd)
Please review.
--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=patch-pwdcmnt
--- src/include/pwd.h.old Wed Sep 25 10:48:12 2002
+++ src/include/pwd.h Sun Oct 6 12:41:59 2002
@@ -78,6 +78,8 @@
#define _PASSWORD_OLDFMT 0x10 /* flag to expect an old style entry */
#define _PASSWORD_NOWARN 0x20 /* no warnings for bad entries */
+#define _PASSWORD_ALLOWCMNT 0x40 /* allow commented out entries */
+#define _PASSWORD_CMNT 0x80 /* entry commented out */
#define _PASSWORD_WARNDAYS 14 /* days to warn about expiry */
#define _PASSWORD_CHGNOW -1 /* special day to force password
--- src/lib/libc/gen/pw_scan.c.old Sun Aug 25 21:16:54 2002
+++ src/lib/libc/gen/pw_scan.c Sun Oct 6 12:47:51 2002
@@ -85,6 +85,17 @@
*flags = 0;
}
+ if (strncmp(bp, "#:#", 3) == 0) { /* commented out */
+ *flags |= _PASSWORD_CMNT;
+ if (inflags & _PASSWORD_ALLOWCMNT)
+ return (1);
+ else {
+ if (!(inflags & _PASSWORD_NOWARN))
+ warnx("commented-out entry unexpected");
+ return (0);
+ }
+ }
+
if (!(pw->pw_name = strsep(&bp, ":"))) /* login */
goto fmt;
root = !strcmp(pw->pw_name, "root");
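Review bot: The added `*flags |= _PASSWORD_CMNT;` dereferences `flags` unconditionally, although the context just above it (`*flags = 0;` followed by a closing brace) looks like the tail of a null guard, and pw_init.3 in this same patch describes `flags` as optional ("is non-null"). If that reading is right, a caller passing NULL crashes on any line that starts with `#:#`; the line should be `if (flags != NULL) *flags |= _PASSWORD_CMNT;`. The `return (1)` path also leaves `*pw` unfilled, so the function comment should state that a caller setting _PASSWORD_ALLOWCMNT must test _PASSWORD_CMNT before reading any field of `pw`. The function begins and ends outside the hunk.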
--- src/lib/libutil/pw_init.3.old Thu Sep 26 13:47:35 2002
+++ src/lib/libutil/pw_init.3 Sun Oct 6 13:14:19 2002
@@ -140,7 +140,7 @@
.Fa flags
is non-null, it should be cleared and the following options
enabled if required:
-.Bl -tag -offset indent -width _PASSWORD_OLDFMT
+.Bl -tag -offset indent -width _PASSWORD_ALLOWCMNT
.It Dv _PASSWORD_NOWARN
Don't print warnings.
.It Dv _PASSWORD_OLDFMT
@@ -148,6 +148,9 @@
.Fa bp
as an old format entry as found in
.Pa /etc/passwd .
+.It Dv _PASSWORD_ALLOWCMNT
+Do not return an error if a commented out password entry is encountered.
+.FA bp
.El
.Pp
Upon return it is cleared, and filled in with the following flags:
@@ -168,6 +171,8 @@
The expire field of
.Fa bp
is empty.
+.It Dv _PASSWORD_CMNT
+The password entry is commented out.
.El
.Pp
The
--- src/usr.sbin/pwd_mkdb/pwd_mkdb.c.old Wed Sep 25 10:55:23 2002
+++ src/usr.sbin/pwd_mkdb/pwd_mkdb.c Sun Oct 6 13:27:28 2002
@@ -286,7 +286,14 @@
* pointer record, which if YP is enabled in the C lib, will speed
* things up.
*/
- for (lineno = 0; scan(fp, &pwd, &flags, &lineno);) {
+ lineno = 0;
+ while (flags = _PASSWORD_ALLOWCMNT, scan(fp, &pwd, &flags, &lineno)) {
+ /*
+ * Check if the entry is commented out first.
+ */
+ if ((flags & _PASSWORD_CMNT) == _PASSWORD_CMNT)
+ continue;
+
/*
* Create original format password file entry.
*/
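Review bot: The loop condition `flags = _PASSWORD_ALLOWCMNT, scan(fp, &pwd, &flags, &lineno)` hides a per-iteration reset inside a comma expression, which is easy to misread and easy to break when the condition is next edited; the same construct is repeated in the following hunk for the `username == NULL` rescan. The reset is load-bearing, because pw_scan() overwrites `*flags` with result bits and a missed reset would make the next "#:#" line a fatal format error, so it deserves a comment such as `/* request bits must be re-armed before every scan() */`. The mask test can also be written as `if (flags & _PASSWORD_CMNT)`, which matches how the other single-bit flags are tested in pw_scan.c. The enclosing function starts and ends outside the hunk.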
@@ -397,9 +404,14 @@
*/
if (username == NULL) {
rewind(fp);
- for (lineno = 0; scan(fp, &pwd, &flags, &lineno);)
+ lineno = 0;
+ while (flags = _PASSWORD_ALLOWCMNT,
+ scan(fp, &pwd, &flags, &lineno)) {
+ if ((flags & _PASSWORD_CMNT) == _PASSWORD_CMNT)
+ continue;
putdbents(edp, &pwd, pwd.pw_passwd, flags, pwd_Sdb_tmp,
lineno, dbflg, uid_dbflg);
+ }
/* Store YP token if needed. */
if (hasyp)
@@ -449,7 +461,6 @@
{
static char line[LINE_MAX];
char *p;
- int oflags;
if (fgets(line, sizeof(line), fp) == NULL)
return (0);
@@ -468,13 +479,11 @@
*p = '\0';
if (strcmp(line, "+") == 0)
strcpy(line, "+:::::::::"); /* pw_scan() can't handle "+" */
- oflags = 0;
- if (!pw_scan(line, pw, &oflags)) {
+ if (!pw_scan(line, pw, flags)) {
warnx("at line #%d", *lineno);
errno = EFTYPE; /* XXX */
error(pname);
}
- *flags = oflags;
return (1);
}
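Review bot: scan() now hands the caller's `flags` straight to pw_scan() where it used a local zeroed `oflags`, so the parameter changes from out-only to in/out and nothing in the function documents that. A call site not updated by this patch (none is visible here) would pass the previous entry's result bits back in as request bits. A header comment along the lines of `/* *flags: in = _PASSWORD_* request bits for pw_scan(), out = result bits; set it before every call */` would make the new contract explicit. The function's signature lies outside the hunk.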
--- src/etc/master.passwd.old Sun Oct 6 13:35:49 2002
+++ src/etc/master.passwd Sun Oct 6 13:36:58 2002
@@ -3,6 +3,7 @@
daemon:*:1:31::0:0:The devil himself:/:/sbin/nologin
operator:*:2:5::0:0:System &:/usr/guest/operator:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/sbin/nologin
+#:#news:*:6:8::0:0:Network News:/var/spool/news:/sbin/nologin
games:*:7:13::0:0:& pseudo-user:/usr/games:/sbin/nologin
postfix:*:12:12::0:0:& pseudo-user:/var/spool/postfix:/sbin/nologin
named:*:14:14::0:0:& pseudo-user:/var/chroot/named:/sbin/nologin
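Review bot: The added `#:#news` line, with `#:#ingres` and `#:#falken` in the next hunk, puts commented-out entries into the shipped default file, while the pw_scan.c hunk makes every caller that does not set _PASSWORD_ALLOWCMNT return 0 for such a line. pwd_mkdb is the only consumer this patch changes to set that flag, so any reader of master.passwd beyond the ones the description lists as tested would presumably reject a stock file. If these lines are test fixtures for the review, they are better left out of src/etc. The falken entry also carries a real shell path, not /sbin/nologin, so it would stop being inert as soon as the prefix is removed.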
@@ -10,4 +11,6 @@
sshd:*:16:16::0:0:& pseudo-user:/var/chroot/sshd:/sbin/nologin
smmsp:*:17:17::0:0:Sendmail Message Submission Program:/nonexistent:/sbin/nologin
uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/var/spool/uucppublic:/usr/libexec/uucp/uucico
+#:#ingres:*:267:74::0:0:& Group:/usr/ingres:/sbin/nologin
+#:#falken:*:32766:31::0:0:Prof. Stephen &:/usr/games:/usr/games/wargames
nobody:*:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin
--sdtB3X0nJg68CQEu--