You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Brian Behlendorf <br...@organic.com> on 1997/07/17 05:32:48 UTC
Fwd: My htpasswd extentions
My first thought was to respond with, "we don't need no steekin' setuid
script", but then I thought maybe there's be an appropriate place for him
to put it. Any ideas?
Brian
>To: brian@organic.com
>Cc: detlef@rto.dec.com
>Subject: My htpasswd extentions
>Date: Mon, 14 Jul 97 16:34:35 +0200
>From: "\"\"Detlef Schmier --- Hit me with your sticky bit.\"\""
<de...@rto.dec.com>
>X-Mts: smtp
>
>
>Hi Brian,
>
>I don't know if you are the right person to submit this, but I have
>extended htpasswd to use a default filename
>("/usr/local/etc/httpd/conf/htpasswd") and to let every user change his
>password without having superuser permissions.
>
>The file protection should be 4751 (-rwsr-x--x, Owner=root,
>Group=system).
>
>Let me know what do you think about it.
>
>Detlef.
>
>+-----------------------------------+----------------------------------+
>| Detlef Schmier @RTO | Digital Equipment GmbH |
>| SBU, OEM/GY | Freischuetzstrasse 91 |
>| Field Application Engineer | D-81927 Muenchen |
>| Pub.Tel. +49-(0)89-9591 2752 | DTN 865-2752 |
>| Mobile +49-(0)171-3357582 | |
>| Fax # +49-(0)89-9591 1278 | DTN 865-1278 |
>+-----------------------------------+----------------------------------+
>| eMail : detlef@digital.de detlef@rto.dec.com |
>| URL : http://www.digital.de/infocenter/toem-gy/detlef.html |
>+----------------------------------------------------------------------+
>
>/*
> * htpasswd.c: simple program for manipulating password file for NCSA httpd
> *
> * Rob McCool
> */
>
>#include <stdio.h>
>#include <unistd.h>
>#include <stdlib.h>
>#include <string.h>
>#include <time.h>
>#include <pwd.h>
>#include <sys/signal.h>
>#include <sys/types.h>
>
>#define LF 10
>#define CR 13
>#define True 1
>#define False 0
>
>#define MAX_STRING_LEN 256
>#define DEFAULTFILENAME "/usr/local/etc/httpd/conf/htpasswd"
>
>char *tn;
>
>char *strd (char *s)
>{
> char *d;
>
> d = (char *) malloc (strlen (s) + 1);
> strcpy (d, s);
> return (d);
>}
>
>void getword (char *word, char *line, char stop)
>{
> int x = 0,
> y;
>
> for (x = 0; ((line[x]) && (line[x] != stop)); x++)
> word[x] = line[x];
>
> word[x] = '\0';
> if (line[x])
> ++x;
> y = 0;
>
> while ((line[y++] = line[x++]));
>}
>
>int getline (char *s, int n, FILE * f)
>{
> register int i = 0;
>
> while (1) {
> s[i] = (char) fgetc (f);
>
> if (s[i] == CR)
> s[i] = fgetc (f);
>
> if ((s[i] == 0x4) || (s[i] == LF) || (i == (n - 1))) {
> s[i] = '\0';
> return (feof (f) ? 1 : 0);
> }
> ++i;
> }
>}
>
>void putline (FILE * f, char *l)
>{
> int x;
>
> for (x = 0; l[x]; x++)
> fputc (l[x], f);
> fputc ('\n', f);
>}
>
>
>/*
> From local_passwd.c (C) Regents of Univ. of California blah blah
> */
>static unsigned char itoa64[] = /*
> 0 ... 63 => ascii - 64
> */
>"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
>
>void to64 (register char *s, register long v, register int n)
>{
> while (--n >= 0) {
> *s++ = itoa64[v & 0x3f];
> v >>= 6;
> }
>}
>
>void add_password (char *user, FILE * f)
>{
> char *pw,
> *cpw,
> salt[3];
>
> pw = strd ((char *) getpass ("New password:"));
> if (strcmp (pw, (char *) getpass ("Re-type new password:"))) {
> fprintf (stderr, "They don't match, sorry.\n");
> if (tn)
> unlink (tn);
> exit (1);
> }
> (void) srand ((int) time ((time_t *) NULL));
> to64 (&salt[0], rand (), 2);
> cpw = crypt (pw, salt);
> free (pw);
> fprintf (f, "%s:%s\n", user, cpw);
>}
>
>void usage ()
>{
> fprintf (stderr, "Usage: htpasswd [-c] [-f passwordfile] [username]\n");
> fprintf (stderr, "The -c flag creates a new file.\n");
> exit (1);
>}
>
>void interrupted ()
>{
> fprintf (stderr, "Interrupted.\n");
> if (tn)
> unlink (tn);
> exit (1);
>}
>
>void main (int argc,
> char *argv[])
>{
> FILE *tfp,
> *f;
> struct passwd *pwent;
> char user[MAX_STRING_LEN],
> line[MAX_STRING_LEN],
> filename[BUFSIZ],
> l[MAX_STRING_LEN],
> w[MAX_STRING_LEN],
> command[MAX_STRING_LEN];
> int create = False,
> found,
> i;
>
> tn = NULL;
> signal (SIGINT, (void (*)()) interrupted);
>
> user[0] = '\0';
> strcpy (filename, DEFAULTFILENAME);
>
> for (i = 1; i < argc; i++) {
> if (argv[i][0] == '-') {
> if (argv[i][1] == 'c')
> create = True;
> else {
> if (argv[i][1] == 'f' && (i + 1) < argc) {
> strcpy (filename, argv[i + 1]);
> i++;
> } else
> usage ();
> }
> } else
> strcpy (user, argv[i]);
> }
>
> if ((pwent = getpwuid (getuid ())) == NULL) {
> fprintf (stderr,
> "Can't get passwd entry for uid=%d !!!\n",
> getuid ());
> exit (1);
> }
> if (!user[0]) {
> strcpy (user, pwent->pw_name);
> } else {
> if (getuid () != 0 && strcmp (user, pwent->pw_name) != 0) {
> fprintf (stderr, "Permission denied.\n");
> exit (1);
> }
> }
>
> if (setreuid (0, 0)) {
> fprintf (stderr, "Permission denied.\nsetreuid failed.\n");
> exit (1);
> }
> if (create) {
> if (!(tfp = fopen (filename, "w"))) {
> fprintf (stderr,
> "Could not open passwd file %s for writing.\n",
> filename);
> perror ("fopen");
> exit (1);
> }
> printf ("Adding password for %s.\n", user);
> add_password (user, tfp);
> fclose (tfp);
> exit (0);
> }
> tn = tmpnam (NULL);
> if (!(tfp = fopen (tn, "w"))) {
> fprintf (stderr, "Could not open temp file.\n");
> exit (1);
> }
> if (!(f = fopen (filename, "r"))) {
> fprintf (stderr,
> "Could not open passwd file %s for reading.\n", argv[1]);
> fprintf (stderr, "Use -c option to create new one.\n");
> exit (1);
> }
> found = 0;
> while (!(getline (line, MAX_STRING_LEN, f))) {
> if (found || (line[0] == '#') || (!line[0])) {
> putline (tfp, line);
> continue;
> }
> strcpy (l, line);
> getword (w, l, ':');
> if (strcmp (user, w)) {
> putline (tfp, line);
> continue;
> } else {
> printf ("Changing password for user %s\n", user);
> add_password (user, tfp);
> found = 1;
> }
> }
> if (!found) {
> printf ("Adding user %s\n", user);
> add_password (user, tfp);
> }
> fclose (f);
> fclose (tfp);
> sprintf (command, "cp %s %s", tn, filename);
> system (command);
> unlink (tn);
>}
>
> +++ This message was sent by Webmail +++
>
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Why not?" - TL brian@organic.com - hyperreal.org - apache.org
Re: Fwd: My htpasswd extentions
Posted by Dean Gaudet <dg...@arctic.org>.
Uh, this lets you overwrite any file. It still respects the -f and -c
options. So that's a big -1. In any event, we don't need to include this
functionality imho.
Dean
On Wed, 16 Jul 1997, Brian Behlendorf wrote:
>
> My first thought was to respond with, "we don't need no steekin' setuid
> script", but then I thought maybe there's be an appropriate place for him
> to put it. Any ideas?