toys/lsb/passwd.c - third_party/toybox - Git at Google

 /* passwd.c - Program to update user password.
  *
  * Copyright 2012 Ashwini Kumar <ak.ashwini@gmail.com>
  * Modified 2012 Jason Kyungwan Han <asura321@gmail.com>
  *
  * http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/passwd.html

 USE_PASSWD(NEWTOY(passwd, ">1a:dlu", TOYFLAG_STAYROOT|TOYFLAG_USR|TOYFLAG_BIN))

 config PASSWD
   bool "passwd"
   default y
   depends on TOYBOX_SHADOW
   help
     usage: passwd [-a ALGO] [-dlu] <account name>

     update user's authentication tokens. Default : current user

     -a ALGO	Encryption method (des, md5, sha256, sha512) default: des
     -d		Set password to ''
     -l		Lock (disable) account
     -u		Unlock (enable) account

 config PASSWD_SAD
   bool "Add sad password checking heuristics"
   default n
   depends on PASSWD
   help
     Password changes are checked to make sure they don't include the entire
     username (but not a subset of it), and the entire previous password
     (but changing password1, password2, password3 is fine). This heuristic
     accepts "aaaaaa" as a password.
 */

 #define FOR_passwd
 #include "toys.h"

 GLOBALS(
   char *algo;
 )

 static int str_check(char *s, char *p)
 {
   if (strnstr(s, p) || strnstr(p, s)) return 1;
   return 0;
 }

 // Insane heuristic won't find password1 password2 password3...?
 static void strength_check(char *newp, char *oldp, char *user)
 {
   char *msg = NULL;

   if (strlen(newp) < 6) { //Min passwd len
     msg = "too short";
     xprintf("BAD PASSWORD: %s\n",msg);
   }
   if (!newp[0]) return; //passwd is empty

   if (str_check(newp, user)) {
     msg = "user based password";
     xprintf("BAD PASSWORD: %s\n",msg);
   }

   if (oldp[0] && str_check(newp, oldp)) {
     msg = "based on old passwd";
     xprintf("BAD PASSWORD: %s\n",msg);
   }
 }

 static int verify_passwd(char * pwd)
 {
   char * pass;

   if (!pwd) return 1;
   if (pwd[0] == '!' || pwd[0] == '*') return 1;

   pass = crypt(toybuf, pwd);
   if (pass  && !strcmp(pass, pwd)) return 0;

   return 1;
 }

 static char *new_password(char *oldp, char *user)
 {
   char *newp = NULL;

   if (read_password(toybuf, sizeof(toybuf), "New password:"))
     return NULL; //may be due to Ctrl-C

   newp = xstrdup(toybuf);
   if (CFG_PASSWD_SAD) strength_check(newp, oldp, user);
   if (read_password(toybuf, sizeof(toybuf), "Retype password:")) {
     free(newp);
     return NULL; //may be due to Ctrl-C
   }

   if (!strcmp(newp, toybuf)) return newp;
   else error_msg("Passwords do not match.\n");
   // Failure Case
   free(newp);
   return NULL;
 }

 void passwd_main(void)
 {
   uid_t myuid;
   struct passwd *pw;
   struct spwd *sp;
   char *name = NULL, *pass = NULL, *encrypted = NULL, *newp = NULL,
        *orig = (char *)"", salt[MAX_SALT_LEN];
   int ret = -1;

   myuid = getuid();
   if (myuid && (toys.optflags & (FLAG_l | FLAG_u | FLAG_d)))
     error_exit("Not root");

   pw = xgetpwuid(myuid);

   if (*toys.optargs) name = toys.optargs[0];
   else name = xstrdup(pw->pw_name);

   pw = xgetpwnam(name);

   if (myuid && (myuid != pw->pw_uid)) error_exit("Not root");

   pass = pw->pw_passwd;
   if (pw->pw_passwd[0] == 'x') {
     //get shadow passwd
     sp = getspnam(name);
     if (sp) pass = sp->sp_pwdp;
   }


   if (!(toys.optflags & (FLAG_l | FLAG_u | FLAG_d))) {

     if (!(toys.optflags & FLAG_a)) TT.algo = "des";
     if (get_salt(salt, TT.algo) == -1)
       error_exit("Error: Unkown encryption algorithm\n");

     printf("Changing password for %s\n",name);
     if (myuid && pass[0] == '!')
       error_exit("Can't change, password is locked for %s",name);
     if (myuid) {
       //Validate user

       if (read_password(toybuf, sizeof(toybuf), "Origial password:")) {
         if (!toys.optargs[0]) free(name);
         return;
       }
       orig = toybuf;
       if (verify_passwd(pass)) error_exit("Authentication failed\n");
     }

     orig = xstrdup(orig);

     // Get new password
     newp = new_password(orig, name);
     if (!newp) {
       free(orig);
       if (!toys.optargs[0]) free(name);
       return; //new password is not set well.
     }

     encrypted = crypt(newp, salt);
     free(newp);
     free(orig);
   } else if (toys.optflags & FLAG_l) {
     if (pass[0] == '!') error_exit("password is already locked for %s",name);
     printf("Locking password for %s\n",name);
     encrypted = xmprintf("!%s",pass);
   } else if (toys.optflags & FLAG_u) {
     if (pass[0] != '!') error_exit("password is already unlocked for %s",name);

     printf("Unlocking password for %s\n",name);
     encrypted = xstrdup(&pass[1]);
   } else if (toys.optflags & FLAG_d) {
     printf("Deleting password for %s\n",name);
     encrypted = xstrdup(""); //1 = "", 2 = '\0'
   }

   // Update the passwd
   if (pw->pw_passwd[0] == 'x')
     ret = update_password("/etc/shadow", name, encrypted);
   else ret = update_password("/etc/passwd", name, encrypted);

   if ((toys.optflags & (FLAG_l | FLAG_u | FLAG_d))) free(encrypted);

   if (!toys.optargs[0]) free(name);
   if (!ret) error_msg("Success");
   else error_msg("Failure");
 }
	/* passwd.c - Program to update user password.
	*
	* Copyright 2012 Ashwini Kumar <ak.ashwini@gmail.com>
	* Modified 2012 Jason Kyungwan Han <asura321@gmail.com>
	*
	* http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/passwd.html

	USE_PASSWD(NEWTOY(passwd, ">1a:dlu", TOYFLAG_STAYROOT\|TOYFLAG_USR\|TOYFLAG_BIN))

	config PASSWD
	bool "passwd"
	default y
	depends on TOYBOX_SHADOW
	help
	usage: passwd [-a ALGO] [-dlu] <account name>

	update user's authentication tokens. Default : current user

	-a ALGO Encryption method (des, md5, sha256, sha512) default: des
	-d Set password to ''
	-l Lock (disable) account
	-u Unlock (enable) account

	config PASSWD_SAD
	bool "Add sad password checking heuristics"
	default n
	depends on PASSWD
	help
	Password changes are checked to make sure they don't include the entire
	username (but not a subset of it), and the entire previous password
	(but changing password1, password2, password3 is fine). This heuristic
	accepts "aaaaaa" as a password.
	*/

	#define FOR_passwd
	#include "toys.h"

	GLOBALS(
	char *algo;
	)

	static int str_check(char s, char p)
	{
	if (strnstr(s, p) \|\| strnstr(p, s)) return 1;
	return 0;
	}

	// Insane heuristic won't find password1 password2 password3...?
	static void strength_check(char newp, char oldp, char *user)
	{
	char *msg = NULL;

	if (strlen(newp) < 6) { //Min passwd len
	msg = "too short";
	xprintf("BAD PASSWORD: %s\n",msg);
	}
	if (!newp[0]) return; //passwd is empty

	if (str_check(newp, user)) {
	msg = "user based password";
	xprintf("BAD PASSWORD: %s\n",msg);
	}

	if (oldp[0] && str_check(newp, oldp)) {
	msg = "based on old passwd";
	xprintf("BAD PASSWORD: %s\n",msg);
	}
	}

	static int verify_passwd(char * pwd)
	{
	char * pass;

	if (!pwd) return 1;
	if (pwd[0] == '!' \|\| pwd[0] == '*') return 1;

	pass = crypt(toybuf, pwd);
	if (pass && !strcmp(pass, pwd)) return 0;

	return 1;
	}

	static char new_password(char oldp, char *user)
	{
	char *newp = NULL;

	if (read_password(toybuf, sizeof(toybuf), "New password:"))
	return NULL; //may be due to Ctrl-C

	newp = xstrdup(toybuf);
	if (CFG_PASSWD_SAD) strength_check(newp, oldp, user);
	if (read_password(toybuf, sizeof(toybuf), "Retype password:")) {
	free(newp);
	return NULL; //may be due to Ctrl-C
	}

	if (!strcmp(newp, toybuf)) return newp;
	else error_msg("Passwords do not match.\n");
	// Failure Case
	free(newp);
	return NULL;
	}

	void passwd_main(void)
	{
	uid_t myuid;
	struct passwd *pw;
	struct spwd *sp;
	char name = NULL, pass = NULL, encrypted = NULL, newp = NULL,
	orig = (char )"", salt[MAX_SALT_LEN];
	int ret = -1;

	myuid = getuid();
	if (myuid && (toys.optflags & (FLAG_l \| FLAG_u \| FLAG_d)))
	error_exit("Not root");

	pw = xgetpwuid(myuid);

	if (*toys.optargs) name = toys.optargs[0];
	else name = xstrdup(pw->pw_name);

	pw = xgetpwnam(name);

	if (myuid && (myuid != pw->pw_uid)) error_exit("Not root");

	pass = pw->pw_passwd;
	if (pw->pw_passwd[0] == 'x') {
	//get shadow passwd
	sp = getspnam(name);
	if (sp) pass = sp->sp_pwdp;
	}


	if (!(toys.optflags & (FLAG_l \| FLAG_u \| FLAG_d))) {

	if (!(toys.optflags & FLAG_a)) TT.algo = "des";
	if (get_salt(salt, TT.algo) == -1)
	error_exit("Error: Unkown encryption algorithm\n");

	printf("Changing password for %s\n",name);
	if (myuid && pass[0] == '!')
	error_exit("Can't change, password is locked for %s",name);
	if (myuid) {
	//Validate user

	if (read_password(toybuf, sizeof(toybuf), "Origial password:")) {
	if (!toys.optargs[0]) free(name);
	return;
	}
	orig = toybuf;
	if (verify_passwd(pass)) error_exit("Authentication failed\n");
	}

	orig = xstrdup(orig);

	// Get new password
	newp = new_password(orig, name);
	if (!newp) {
	free(orig);
	if (!toys.optargs[0]) free(name);
	return; //new password is not set well.
	}

	encrypted = crypt(newp, salt);
	free(newp);
	free(orig);
	} else if (toys.optflags & FLAG_l) {
	if (pass[0] == '!') error_exit("password is already locked for %s",name);
	printf("Locking password for %s\n",name);
	encrypted = xmprintf("!%s",pass);
	} else if (toys.optflags & FLAG_u) {
	if (pass[0] != '!') error_exit("password is already unlocked for %s",name);

	printf("Unlocking password for %s\n",name);
	encrypted = xstrdup(&pass[1]);
	} else if (toys.optflags & FLAG_d) {
	printf("Deleting password for %s\n",name);
	encrypted = xstrdup(""); //1 = "", 2 = '\0'
	}

	// Update the passwd
	if (pw->pw_passwd[0] == 'x')
	ret = update_password("/etc/shadow", name, encrypted);
	else ret = update_password("/etc/passwd", name, encrypted);

	if ((toys.optflags & (FLAG_l \| FLAG_u \| FLAG_d))) free(encrypted);

	if (!toys.optargs[0]) free(name);
	if (!ret) error_msg("Success");
	else error_msg("Failure");
	}