Changeset 5927 in /cluster/svnroot


Timestamp:
Mar 20, 2017 11:19:59 PM (4 years ago)
Author:
skylar
Message:

allow running bccd-passwd-wrapper as root, but with safety features re #1000

Location:
bccd-ng/branches/skylar/bccd-3.4.0-build_ng/src
Files:
2 edited

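--- a/bccd-ng/branches/skylar/bccd-3.4.0-build_ng/src/bin/bccd-passwd-wrapper
+++ b/bccd-ng/branches/skylar/bccd-3.4.0-build_ng/src/bin/bccd-passwd-wrapper
@@ -29,7 +29,9 @@
 use POSIX;
 use UI::Dialog;
+use English;
+use File::Spec;
 
 # Return true if both STDIN and STDOUT are connected to a TTY, else undef
-sub test_tty() {
+sub test_tty {
     if(-t STDIN && -t STDOUT) {
         return 1;
@@ -38,9 +40,33 @@
 }
 
+# Returns true if the user's account is locked, undef otherwise.
+sub user_locked {
+    my($user) = @_;
+    my($passwd_fd,$line);
+    my @cmd = (
+        File::Spec->catfile(File::Spec->rootdir(),'usr','bin','passwd',),
+        '-S',
+        $user,
+    );
+
+    open($passwd_fd,'-|',@cmd) or die "Can't run @cmd: $!\n";
+
+    $line = <$passwd_fd>;
+    chomp $line;
+
+    close($passwd_fd);
+
+    if((split(/\s+/,$line))[1] eq 'L') {
+        return 1;
+    }
+
+    return undef;
+}
+
 if(!defined($ARGV[0])) {
         die "Supply username as first and only argument!\n";
 }
 
-my($Bccd,$user,$passwd,$CHVT,$am_tty);
+my($Bccd,$user,$passwd,$CHVT,$am_tty,$user_pw_set_file,$user_pw_set_fd);
 
 # Change terminal to tty2 if no TTY is setup (i.e. during boot process)
@@ -56,4 +82,15 @@
 $Bccd = new Bccd();
 $user = $ARGV[0];
+$user_pw_set_file = File::Spec->catfile(File::Spec->rootdir(),'etc','bccd',"$user-pw-set");
+
+# If run as root, and is the first boot (indicated by the lack of /etc/bccd/$user-pw-set),
+# and user password is locked (indicated by a L in the second column of "passwd -S user"), then
+# do not die
+if($UID == 0
+    && -f $user_pw_set_file
+    && !user_locked($user)
+) {
+    die "Running as root: User $user already had a password set and is not locked\n";
+}
 $passwd = $Bccd->read_passwd();
 
@@ -85,2 +122,5 @@
     close($CHVT);
 }
+
+open($user_pw_set_fd,'>',$user_pw_set_file);
+close($user_pw_set_fd);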
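Review bot: The root guard at new lines 89-94 does not match the comment above it: it dies only when the marker file exists and the account is unlocked, so as root the script still proceeds when the marker is merely missing or when the account is merely locked, whereas the comment requires both. Because the sudoers change in this changeset lets `bccd` run the wrapper without a password, the looser test presumably widens the cases in which the password can be reset; if the comment states the intent, the test should be `if($UID == 0 && (-f $user_pw_set_file || !user_locked($user))) {`. The marker that feeds this guard is written at new line 125 with an unchecked `open`, so a failed write silently leaves the first-boot state in place; check the result with `or die "Can't create $user_pw_set_file: $!\n"` (or `or warn` if non-root runs must keep working). `$user` also goes straight from `$ARGV[0]` into the marker path and the `passwd -S` argument list, so an anchored check such as `$user =~ /\A[a-z_][a-z0-9_-]*\z/ or die "Invalid username\n";` before line 84 would keep it from naming a path outside /etc/bccd or being read as an option.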
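--- a/bccd-ng/branches/skylar/bccd-3.4.0-build_ng/src/etc/sudoers
+++ b/bccd-ng/branches/skylar/bccd-3.4.0-build_ng/src/etc/sudoers
@@ -24,3 +24,4 @@
 bccd    ALL=(ALL) ALL, NOPASSWD: /sbin/shutdown *, \
         /bin/bccd-sleep, \
-        /usr/sbin/etherwake
+        /usr/sbin/etherwake,
+    /bin/bccd-passwd-wrapper bccd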
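Review bot: New line 26 ends in a comma with no trailing `\`, unlike the two continuation lines above it, so the `/bin/bccd-passwd-wrapper bccd` entry on line 27 is not joined to the `bccd` rule and the file will most likely fail to parse; line 26 should read `        /usr/sbin/etherwake, \`. A sudoers file that does not parse can leave sudo unusable on the built image, so running `visudo -c -f` against this file during the build is worth adding. Once joined, the new entry inherits the `NOPASSWD:` tag, which makes the root guard in bccd-passwd-wrapper the only control between an unattended `bccd` session and a password reset; a comment such as `# bccd-passwd-wrapper enforces its own first-boot/locked check when run as root` above the rule would tell the next editor why it is safe to list here.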