Posted to dev@httpd.apache.org by Brian Behlendorf <br...@organic.com> on 1997/07/17 05:32:48 UTC

Fwd: My htpasswd extentions

My first thought was to respond with, "we don't need no steekin' setuid
script", but then I thought maybe there'd be an appropriate place for him
to put it.  Any ideas?

	Brian

>To: brian@organic.com
>Cc: detlef@rto.dec.com
>Subject: My htpasswd extentions
>Date: Mon, 14 Jul 97 16:34:35 +0200
>From: "\"\"Detlef Schmier --- Hit me with your sticky bit.\"\""
<de...@rto.dec.com>
>X-Mts: smtp
>
>
>Hi Brian,
>
>I don't know if you are the right person to submit this, but I have
>extended htpasswd to use a default filename
>("/usr/local/etc/httpd/conf/htpasswd") and to let every user change his
>password without having superuser permissions.
>
>The file protection should be 4751 (-rwsr-x--x, Owner=root,
>Group=system).
>
>Let me know what do you think about it.
>
>Detlef.
>
>+-----------------------------------+----------------------------------+
>| Detlef Schmier @RTO               | Digital Equipment GmbH           |
>| SBU, OEM/GY                       | Freischuetzstrasse 91            |
>| Field Application Engineer        | D-81927 Muenchen                 |
>| Pub.Tel. +49-(0)89-9591 2752      | DTN 865-2752                     |
>| Mobile   +49-(0)171-3357582       |                                  |
>| Fax #    +49-(0)89-9591 1278      | DTN 865-1278                     |
>+-----------------------------------+----------------------------------+
>| eMail    : detlef@digital.de        detlef@rto.dec.com               |
>| URL      : http://www.digital.de/infocenter/toem-gy/detlef.html      |
>+----------------------------------------------------------------------+
>
>/*
> * htpasswd.c: simple program for manipulating password file for NCSA httpd
> * 
> * Rob McCool
> */
>
>#include <stdio.h>
>#include <unistd.h>
>#include <stdlib.h>
>#include <string.h>
>#include <time.h>
>#include <pwd.h>
>#include <sys/signal.h>
>#include <sys/types.h>
>
>#define LF 10			/* ASCII line feed */
>#define CR 13			/* ASCII carriage return */
>#define True 1
>#define False 0
>
>#define MAX_STRING_LEN 256	/* size of the fixed buffers in main () and the limit it passes to getline () */
>#define DEFAULTFILENAME	"/usr/local/etc/httpd/conf/htpasswd"	/* password file used when no -f option is given */
>
>char               *tn;		/* temp-file name: NULL until main () sets it, unlinked on the error paths */
>
>char               *strd (char *s)
>{				/*
>   Returns a malloc'ed copy of the NUL-terminated string s
>   (strlen (s) + 1 bytes).  add_password () frees the copy it makes.
> */
>    char               *d;
>
>    d = (char *) malloc (strlen (s) + 1);	/* NOTE(review): not checked for NULL before the strcpy below */
>    strcpy (d, s);
>    return (d);
>}
>
>void                getword (char *word, char *line, char stop)
>{				/*
>   Copies the characters of line that precede the first `stop'
>   (or the terminating NUL) into word and NUL-terminates it, then
>   moves whatever follows the stop character down to the start of
>   line.
>   NOTE(review): nothing bounds the write into word, so the caller
>   has to make it at least as large as line; main () passes two
>   MAX_STRING_LEN buffers.
> */
>    int                 x = 0,
>                        y;
>
>    for (x = 0; ((line[x]) && (line[x] != stop)); x++)
>	word[x] = line[x];
>
>    word[x] = '\0';
>    if (line[x])		/* step over the stop character itself */
>	++x;
>    y = 0;
>
>    while ((line[y++] = line[x++]));	/* shift the remainder down, terminating NUL included */
>}
>
>int                 getline (char *s, int n, FILE * f)
>{				/*
>   Reads one line from f into s, storing at most n - 1 characters
>   plus a NUL.  A line ends at LF, at a 0x4 byte, or when index
>   n - 1 is reached; the character read at that point is replaced
>   by the NUL and so is not kept.  Returns 1 if feof (f) is set when
>   the line ends, 0 otherwise.
>   NOTE(review): fgetc ()'s int result is narrowed to char, so EOF
>   is stored like a data byte; at end of file the loop keeps storing
>   it until i reaches n - 1.  A line longer than n - 1 characters
>   comes back in pieces over successive calls.
> */
>    register int        i = 0;
>
>    while (1) {
>	s[i] = (char) fgetc (f);
>
>	if (s[i] == CR)		/* drop a CR and take the byte after it instead */
>	    s[i] = fgetc (f);
>
>	if ((s[i] == 0x4) || (s[i] == LF) || (i == (n - 1))) {
>	    s[i] = '\0';
>	    return (feof (f) ? 1 : 0);
>	}
>	++i;
>    }
>}
>
>void                putline (FILE * f, char *l)
>{				/*
>   Writes the string l to f one character at a time, followed by a
>   newline.  The fputc () results are not checked.
> */
>    int                 x;
>
>    for (x = 0; l[x]; x++)
>	fputc (l[x], f);
>    fputc ('\n', f);
>}
>
>
>/*
>   From local_passwd.c (C) Regents of Univ. of California blah blah 
> */
>static unsigned char itoa64[] =	/*
>				   Maps a 6-bit value (0 ... 63) to a
>				   printable character: 64 entries, indexed
>				   by to64 () with v & 0x3f.
>				 */
>"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
>
>void                to64 (register char *s, register long v, register int n)
>{				/*
>   Stores n characters at s, each one the itoa64 [] entry for the
>   next 6 bits of v, lowest bits first.  No NUL is appended.
> */
>    while (--n >= 0) {
>	*s++ = itoa64[v & 0x3f];
>	v >>= 6;
>    }
>}
>
>void                add_password (char *user, FILE * f)
>{				/*
>   Prompts twice for a new password and, if both entries match,
>   writes "user:crypt-hash" as one line to f.  On a mismatch it
>   removes the temp file named by tn (when set) and exits with 1.
> */
>    char               *pw,
>                       *cpw,
>                        salt[3];
>
>    pw = strd ((char *) getpass ("New password:"));	/*
>   The first entry is copied before getpass () is called again
>   (getpass () returns a pointer to a static buffer).
>   NOTE(review): getpass () can return NULL, for example when no
>   terminal is available; neither call checks for that before the
>   result reaches strd () or strcmp ().
> */
>    if (strcmp (pw, (char *) getpass ("Re-type new password:"))) {
>	fprintf (stderr, "They don't match, sorry.\n");
>	if (tn)
>	    unlink (tn);
>	exit (1);
>    }
>    (void) srand ((int) time ((time_t *) NULL));	/*
>   NOTE(review): the salt comes from rand () seeded with the current
>   time in seconds, so it is predictable; a system random source
>   would be the better choice.
> */
>    to64 (&salt[0], rand (), 2);	/* fills salt[0..1]; salt[2] is never set, so salt is not NUL-terminated */
>    cpw = crypt (pw, salt);	/* NOTE(review): result not checked for NULL before the fprintf below */
>    free (pw);			/* the plaintext copy is freed without being overwritten first */
>    fprintf (f, "%s:%s\n", user, cpw);
>}
>
>void                usage ()
>{				/* Prints the command-line synopsis to stderr and exits with status 1. */
>    fprintf (stderr, "Usage: htpasswd [-c] [-f passwordfile] [username]\n");
>    fprintf (stderr, "The -c flag creates a new file.\n");
>    exit (1);
>}
>
>void                interrupted ()
>{				/*
>   SIGINT handler installed by main (): reports the interrupt,
>   removes the temp file named by tn (when set) and exits with 1.
>   NOTE(review): fprintf () and exit () are not async-signal-safe;
>   write (2) and _exit (2) are the safe equivalents inside a handler.
> */
>    fprintf (stderr, "Interrupted.\n");
>    if (tn)
>	unlink (tn);
>    exit (1);
>}
>
>void                main (int argc,
>			  char *argv[])
>{				/*
>   Adds or changes one user's entry in the password file.
>   Steps: parse -c / -f / username; restrict callers other than
>   uid 0 to their own login name; switch to uid 0 with setreuid ();
>   then either create the file (-c) or copy it to a temp file with
>   the user's line replaced and `cp' the temp file back.
>
>   NOTE(review), security: the program is meant to be installed
>   setuid root (mode 4751 in the covering mail).  -f and -c stay
>   available to every caller and take effect after setreuid (0, 0),
>   so the caller picks the file that is truncated or rewritten as
>   root; this is the objection raised in the reply in this thread.
>   A setuid version would have to ignore -f and -c unless
>   getuid () == 0, bound every copy taken from argv, and replace
>   tmpnam () and system () as noted further down.
> */
>    FILE               *tfp,
>                       *f;
>    struct passwd      *pwent;
>    char                user[MAX_STRING_LEN],
>                        line[MAX_STRING_LEN],
>                        filename[BUFSIZ],
>                        l[MAX_STRING_LEN],
>                        w[MAX_STRING_LEN],
>                        command[MAX_STRING_LEN];
>    int                 create = False,
>                        found,
>                        i;
>
>    tn = NULL;
>    signal (SIGINT, (void (*)()) interrupted);
>
>    user[0] = '\0';
>    strcpy (filename, DEFAULTFILENAME);
>
>    for (i = 1; i < argc; i++) {
>	if (argv[i][0] == '-') {
>	    if (argv[i][1] == 'c')	/* only the character after '-' is examined */
>		create = True;
>	    else {
>		if (argv[i][1] == 'f' && (i + 1) < argc) {
>		    strcpy (filename, argv[i + 1]);	/* NOTE(review): unbounded copy of an argument into filename[BUFSIZ] */
>		    i++;
>		} else
>		    usage ();
>	    }
>	} else
>	    strcpy (user, argv[i]);	/* NOTE(review): unbounded copy into user[MAX_STRING_LEN], done before any permission check */
>    }
>
>    if ((pwent = getpwuid (getuid ())) == NULL) {	/* look the caller up by real uid */
>	fprintf (stderr,
>		 "Can't get passwd entry for uid=%d !!!\n",
>		 getuid ());
>	exit (1);
>    }
>    if (!user[0]) {		/* no name given: default to the caller's own login name */
>	strcpy (user, pwent->pw_name);
>    } else {
>	if (getuid () != 0 && strcmp (user, pwent->pw_name) != 0) {	/* only uid 0 may name another user */
>	    fprintf (stderr, "Permission denied.\n");
>	    exit (1);
>	}
>    }
>
>    if (setreuid (0, 0)) {	/*
>   From here on the process runs with real and effective uid 0;
>   the call succeeds only when the program was started by root or
>   is installed setuid root.
>   NOTE(review): filename and create were taken from the caller's
>   arguments above and are used unchanged below.
> */
>	fprintf (stderr, "Permission denied.\nsetreuid failed.\n");
>	exit (1);
>    }
>    if (create) {		/* -c: write the single entry straight into filename */
>	if (!(tfp = fopen (filename, "w"))) {	/* "w" truncates an existing file */
>	    fprintf (stderr,
>		     "Could not open passwd file %s for writing.\n",
>		     filename);
>	    perror ("fopen");
>	    exit (1);
>	}
>	printf ("Adding password for %s.\n", user);
>	add_password (user, tfp);
>	fclose (tfp);
>	exit (0);
>    }
>    tn = tmpnam (NULL);		/*
>   NOTE(review): tmpnam () only produces a name; the file is created
>   by the fopen () below, which will also open a file or symbolic
>   link that appeared under that name in between.  mkstemp (), or a
>   temp file created with O_EXCL next to the target, closes that gap.
>   The result is also not checked for NULL.
> */
>    if (!(tfp = fopen (tn, "w"))) {
>	fprintf (stderr, "Could not open temp file.\n");
>	exit (1);
>    }
>    if (!(f = fopen (filename, "r"))) {	/*
>   NOTE(review): the message below prints argv[1] rather than
>   filename, and this exit path does not unlink the temp file that
>   was just created.
> */
>	fprintf (stderr,
>		 "Could not open passwd file %s for reading.\n", argv[1]);
>	fprintf (stderr, "Use -c option to create new one.\n");
>	exit (1);
>    }
>    found = 0;
>    while (!(getline (line, MAX_STRING_LEN, f))) {	/*
>   Copies the file to the temp file line by line, replacing the
>   first entry whose name field equals user.  The loop stops as soon
>   as getline () returns non-zero, and whatever that last call read
>   is not copied, so a final line that lacks a trailing LF appears
>   to be dropped.
> */
>	if (found || (line[0] == '#') || (!line[0])) {	/* after the match, and for comments and empty lines: copy through */
>	    putline (tfp, line);
>	    continue;
>	}
>	strcpy (l, line);	/* getword () modifies its input, so split a scratch copy */
>	getword (w, l, ':');
>	if (strcmp (user, w)) {
>	    putline (tfp, line);
>	    continue;
>	} else {
>	    printf ("Changing password for user %s\n", user);
>	    add_password (user, tfp);
>	    found = 1;
>	}
>    }
>    if (!found) {
>	printf ("Adding user %s\n", user);
>	add_password (user, tfp);
>    }
>    fclose (f);
>    fclose (tfp);		/* NOTE(review): result unchecked, so a failed flush of the temp file goes unnoticed */
>    sprintf (command, "cp %s %s", tn, filename);	/*
>   NOTE(review), security: command holds MAX_STRING_LEN bytes, but
>   tn plus a filename of up to BUFSIZ - 1 characters can be longer,
>   so this sprintf () can overflow.  The string is then handed to the
>   shell by system () while running as uid 0, with a caller-supplied
>   file name inside it and the caller's environment.  Renaming a temp
>   file created in the target's directory (rename (2)), or running
>   the copy through fork () and execv () with an explicit argv and a
>   fixed environment, avoids the shell.
> */
>    system (command);		/* exit status ignored: if the copy fails the temp file is still removed below */
>    unlink (tn);
>}
>
>                +++ This message was sent by Webmail +++
>
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Why not?" - TL           brian@organic.com - hyperreal.org - apache.org

Re: Fwd: My htpasswd extentions

Posted by Dean Gaudet <dg...@arctic.org>.
Uh, this lets you overwrite any file.  It still respects the -f and -c
options.  So that's a big -1.  In any event, we don't need to include this
functionality imho. 

Dean

On Wed, 16 Jul 1997, Brian Behlendorf wrote:

> 
> My first thought was to respond with, "we don't need no steekin' setuid
> script", but then I thought maybe there'd be an appropriate place for him
> to put it.  Any ideas?