mirror of
https://github.com/openbsd/src.git
synced 2024-12-22 16:42:56 -08:00
o perl5'ified
o We now lock the skeys database as we ought to avoid problems. o Safe temp file handling o Weed out bogus records instead of ignoring them o Add a hash type to old md4 entries w/o a hash type listed
This commit is contained in:
parent
f33ddb5145
commit
feac1c08c8
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: skeyprune.8,v 1.5 2000/03/23 21:10:18 aaron Exp $
|
||||
.\" $OpenBSD: skeyprune.8,v 1.6 2001/06/20 22:19:58 millert Exp $
|
||||
.\"
|
||||
.\"
|
||||
.Dd September 27, 1996
|
||||
@ -12,16 +12,17 @@
|
||||
.Op Ar days
|
||||
.Sh DESCRIPTION
|
||||
.Nm skeyprune
|
||||
searches through the file
|
||||
.Dq Pa /etc/skeykeys
|
||||
and prunes out users who have zeroed their entries via
|
||||
.Xr skeyinit 1
|
||||
searches through the S/Key database,
|
||||
.Dq Pa /etc/skeykeys ,
|
||||
and prunes out invalid entries (including users who have zeroed out their)
|
||||
entries via
|
||||
.Xr skeyinit 1 )
|
||||
as well as entries that have not been modified in
|
||||
.Ar days
|
||||
days.
|
||||
If
|
||||
.Ar days
|
||||
is not specified only commented out entries are pruned.
|
||||
is not specified, only invalid entries are pruned.
|
||||
.Sh FILES
|
||||
.Bl -tag -width /etc/skeykeys -compact
|
||||
.It Pa /etc/skeykeys
|
||||
@ -30,12 +31,3 @@ S/Key key information database
|
||||
.Sh SEE ALSO
|
||||
.Xr skey 1 ,
|
||||
.Xr skeyinit 1
|
||||
.Sh BUGS
|
||||
Since
|
||||
.Nm skeyprune
|
||||
rewrites
|
||||
.Dq Pa /etc/skeykeys ,
|
||||
there is a window where S/Key changes could get lost.
|
||||
It is therefore suggested that
|
||||
.Nm skeyprune
|
||||
be run at a time when users are unlikely to be active.
|
||||
|
@ -1,21 +1,47 @@
|
||||
#!/usr/bin/perl
|
||||
#!/usr/bin/perl -w
|
||||
#
|
||||
# Prune commented out and crufty entries from skeykeys
|
||||
# Copyright (c) 1996, 2001 Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
# 3. The name of the author may not be used to endorse or promote products
|
||||
# derived from this software without specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
||||
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
|
||||
# THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
||||
# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
||||
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
||||
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
||||
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
||||
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
||||
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
#
|
||||
# Prune commented out, bogus, and crufty entries from /etc/skeykeys
|
||||
# Usage: skeyprune [days]
|
||||
#
|
||||
# Todd C. Miller <Todd.Miller@courtesan.com>
|
||||
# $OpenBSD: skeyprune.pl,v 1.1 1996/09/28 00:00:41 millert Exp $
|
||||
# $OpenBSD: skeyprune.pl,v 1.2 2001/06/20 22:19:58 millert Exp $
|
||||
#
|
||||
|
||||
# We need to be able convert to time_t
|
||||
require 'timelocal.pl';
|
||||
use File::Temp qw(:mktemp);
|
||||
use Fcntl qw(:DEFAULT :flock);
|
||||
use Time::Local;
|
||||
|
||||
# Keep out the stupid
|
||||
die "Only root may run $0.\n" if $>;
|
||||
die "Usage: $0 [days]\n" if $#ARGC > 0;
|
||||
die "Usage: $0 [days]\n" if $#ARGV > 0;
|
||||
|
||||
# Pathnames
|
||||
$keyfile = '/etc/skeykeys';
|
||||
$temp = "$keyfile.tmp$$";
|
||||
$template = "$keyfile.XXXXXXXX";
|
||||
|
||||
# Quick mapping of month name -> number
|
||||
%months = ('Jan', 0, 'Feb', 1, 'Mar', 2, 'Apr', 3, 'May', 4, 'Jun', 5,
|
||||
@ -24,65 +50,79 @@ $temp = "$keyfile.tmp$$";
|
||||
# Remove entries that haven't been modified in this many days.
|
||||
$days_old = $ARGV[0] || -1;
|
||||
|
||||
# Open current key file
|
||||
# Safe umask
|
||||
umask(077);
|
||||
|
||||
# Open and lock the current key file
|
||||
open(OLD, $keyfile) || die "$0: Can't open $keyfile: $!\n";
|
||||
flock(OLD, LOCK_EX) || die "$0: Can't lock $keyfile: $!\n";
|
||||
|
||||
# Safely open temp file
|
||||
umask(077);
|
||||
unlink($temp);
|
||||
open(NEW, ">$temp") || die "$0: Can't open tempfile $temp: $!\n";
|
||||
($NEW, $temp) = mkstemp($template);
|
||||
die "$0: Can't open tempfile $template: $!\n" unless $temp;
|
||||
|
||||
# We need to be extra speedy to close the window where someone can hose us.
|
||||
# Run at a high priority so we don't keep things locked for too long
|
||||
setpriority(0, 0, -4);
|
||||
|
||||
while (<OLD>) {
|
||||
# Ignore commented out entries
|
||||
if ( ! /^#[^\s#]+\s+(MD[0-9]+\s+)?[0-9]+\s+[A-z0-9_-]+\s+[a-f0-9]+\s+(Jan|Feb|Mar|Apr|May|Ju[nl]|Aug|Sep|Oct|Nov|Dec)\s+[0-9]+,\s*[0-9]+\s+[0-9]+:[0-9]+:[0-9]+$/ ) {
|
||||
/((Jan|Feb|Mar|Apr|May|Ju[nl]|Aug|Sep|Oct|Nov|Dec)\s+[0-9]+,\s*[0-9]+\s+[0-9]+:[0-9]+:[0-9]+)$/;
|
||||
chomp();
|
||||
|
||||
# Prune out old entries if asked to
|
||||
if ($days_old > 0) {
|
||||
# build up time based on date string
|
||||
@date = split(/[\s,:]/, $1);
|
||||
$sec = $date[5];
|
||||
$min = $date[4];
|
||||
$hours = $date[3];
|
||||
$mday = $date[1] - 1;
|
||||
$mon = $months{$date[0]};
|
||||
$year = $date[2] - 1900;
|
||||
# Valid entry: 'username hash seq seed key date"
|
||||
if ( /^[^\s#]+\s+(\S+\s+)?[0-9]+\s+[A-z0-9]+\s+[a-f0-9]+\s+(Jan|Feb|Mar|Apr|May|Ju[nl]|Aug|Sep|Oct|Nov|Dec)\s+[0-9]+,\s*[0-9]+\s+[0-9]+:[0-9]+:[0-9]+$/ ) {
|
||||
|
||||
$now = time();
|
||||
$then = &timelocal($sec,$min,$hours,$mday,$mon,$year);
|
||||
if (($now - $then) / (60 * 60 * 24) - 1 <= $days_old) {
|
||||
print NEW $_ || do {
|
||||
warn "Can't write to $temp: $!\n";
|
||||
unlink($temp);
|
||||
@entry = split(/[\s,:]+/, $_);
|
||||
# Prune out old entries if asked to
|
||||
if ($days_old > 0) {
|
||||
# build up time based on date string
|
||||
$sec = $date[10];
|
||||
$min = $date[9];
|
||||
$hours = $date[8];
|
||||
$mday = $date[6] - 1;
|
||||
$mon = $months{$date[5]};
|
||||
$year = $date[7] - 1900;
|
||||
|
||||
$now = time();
|
||||
$then = timelocal($sec,$min,$hours,$mday,$mon,$year);
|
||||
if (($now - $then) / (60 * 60 * 24) - 1 > $days_old) {
|
||||
next; # too old
|
||||
}
|
||||
}
|
||||
|
||||
# Missing hash type? Must be md4...
|
||||
if ($entry[1] =~ /^\d/) {
|
||||
splice(@entry, 1, 0, "md4");
|
||||
}
|
||||
|
||||
printf $NEW "%s %s %04d %-16s %s %4s %02d,%-4d %02d:%02d:%02d\n",
|
||||
$entry[0], $entry[1], $entry[2], $entry[3], $entry[4],
|
||||
$entry[5], $entry[6], $entry[7], $entry[8], $entry[9],
|
||||
$entry[10] || do {
|
||||
warn "Can't write to $temp: $!\n";
|
||||
unlink($temp);
|
||||
exit(1);
|
||||
};
|
||||
}
|
||||
} else {
|
||||
print NEW $_ || do {
|
||||
warn "Can't write to $temp: $!\n";
|
||||
unlink($temp);
|
||||
};
|
||||
}
|
||||
}
|
||||
}
|
||||
close(OLD);
|
||||
close(NEW);
|
||||
close($NEW);
|
||||
|
||||
# Set owner/group/mode on tempfile and move to real location.
|
||||
($mode, $nlink, $uid, $gid) = (stat($keyfile))[2..5];
|
||||
if (!defined($mode)) {
|
||||
unlink($temp);
|
||||
die "$0: Unable to stat $keyfile: $!\n";
|
||||
unlink($temp);
|
||||
die "$0: Unable to stat $keyfile: $!\n";
|
||||
}
|
||||
if (!chmod($mode, $temp)) {
|
||||
unlink($temp);
|
||||
die "$0: Unable to set mode of $temp to $mode: $!\n";
|
||||
unlink($temp);
|
||||
die "$0: Unable to set mode of $temp to $mode: $!\n";
|
||||
}
|
||||
if (!chown($uid, $gid, $temp)) {
|
||||
unlink($temp);
|
||||
die "$0: Unable to set owner of $temp to ($uid, $gid): $!\n";
|
||||
unlink($temp);
|
||||
die "$0: Unable to set owner of $temp to ($uid, $gid): $!\n";
|
||||
}
|
||||
if ($nlink != 1) {
|
||||
$nlink--;
|
||||
warn "$0: Old $keyfile had $nlink hard links, those will be broken\n";
|
||||
}
|
||||
# Leave temp file in place if rename fails. Might help in debugging.
|
||||
rename($temp, $keyfile) || die "$0: Unable to rename $temp to $keyfile: $!\n";
|
||||
|
Loading…
Reference in New Issue
Block a user