leadley@uhura.cc.rochester.edu (Scott Leadley) (06/03/90)
This has already been posted to Sun-Spots and is reposted here for the benefit of those without FTP access. I know that it's source. I know that it's already been posted to comp.sys.sun. I thought it was important enough to ruffle feathers. If you disagree, my e-mail address is:

	leadley@cc.rochester.edu -or- ...!rochester!ur-cc!leadley

---

Message-ID: <7110@brazos.Rice.edu>
Date: 26 Apr 90 20:13:10 GMT
X-Sun-Spots-Digest: Volume 9, Issue 129, message 10

A little shove for those people who aren't using the SunOS 4.0 shadow password file yet. If there are any obvious errors I'd like to know. I'm not going to improve it though.

Scott Leadley - leadley@cc.rochester.edu

[[Ed's Note: Placed in titan archives. -bdg]]

FTP:
  Hostname : titan.rice.edu (128.42.1.30)
  Directory: sun-source
  Filename : mkshadow
Archive Server Address: archive-server@rice.edu
Archive Server Command: send sun-source mkshadow

---

#! /bin/sh
# This is a shell archive.  Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file".  To overwrite existing
# files, type "sh file -c".  You can also feed this as standard input via
# unshar, or by typing "sh <file", e.g..  If this archive is complete, you
# will see the following message at the end:
#		"End of shell archive."
# Contents:  mkshadow
# Wrapped by leadley@uhura.cc.rochester.edu on Fri Apr 27 10:13:13 1990
PATH=/bin:/usr/bin:/usr/ucb ; export PATH
if test -f 'mkshadow' -a "${1}" != "-c" ; then 
  echo shar: Will not clobber existing file \"'mkshadow'\"
else
echo shar: Extracting \"'mkshadow'\" \(5028 characters\)
sed "s/^X//" >'mkshadow' <<'END_OF_FILE'
X#!/bin/sh
X#
X# Usage: mkshadow [-f]
X#
X#	-f	(force) skip the sanity check
X#
X# Start using the SunOS 4.n shadow password file without bothering with
X# the C2 auditing.  This script is a little more paranoid than the Sun
X# supplied C2conv:
X#
X#                                       C2conv             mkshadow
X#                                       ------             --------
X# /etc/passwd.bak               owner   ?previous owner?   root
X#                               group   ?previous group?   wheel
X#                               mode    ?previous mode?    400
X# /etc/security/                owner   root               root
X#                               group   usually staff      wheel
X#                               mode    2711 or 711        2711
X# /etc/security/passwd.adjunct  owner   root               root
X#                               group   usually staff      wheel
X#                               mode    640                600
X#
X# It wouldn't be terrible to make the mode of /etc/security/ 2700, but that
X# would break issecure(3) for ordinary folks.
X#
X# C2conv also sets up a shadow password file for /etc/group, but why
X# bother?  If you are feeling energetic and want to maintain two group files,
X# read group.adjunct(5).
X#
X# Caveat emptor.  READ THE SCRIPT.  If you trust me to have figured out
X# all the ways you could have screwed things up, you're crazy.  Use at your
X# own risk.  Lawyers will be shot on sight.  Etcetera.
X#
X# Scott Leadley, University of Rochester, 4/24/90
X#
X# PS Why doesn't lockscreen work with a shadow password file?
XPATH=/usr/bin:/usr/ucb:/usr/etc
Xexport PATH
X
Xusage() {
X	echo "usage: $1 [-f]"
X}
X
Xfail() {
X	echo "$1" 1>&2
X	echo "Shadow password file creation failed." 1>&2
X	exit 1
X}
X
XFALSE=1
XTRUE=0
X#
X#
Xcase $# in
X0)	;;
X1)	if [ "$1" != "-f" ]; then
X		fail "`usage $0`"
X	fi
X	;;
X*)	fail "`usage $0`"
X	;;
Xesac
X#
X# You must do this as root.
Xif [ `whoami` != root ]; then
X	fail "Root must run this program."
Xfi
X#
X# The C2 security package must be installed (or at least rpc.pwdauthd).
Xif [ ! -f /usr/etc/rpc.pwdauthd ]; then
X	fail "The C2 security package is not installed.  It is a prerequisite."
Xfi
X#
X# Minor sanity check: is the current password file secure enough for
X# the shadow password file to do any good?  I'm not your Mom, so don't expect
X# this check to be very thorough.
Xif [ "$1" != "-f" ]; then
X	# Check that, at the very least, /, /etc and /etc/passwd aren't
X	# writeable by everyone.  (awk exits 1, i.e. "not world-writable",
X	# when the "other" write bit in the ls mode string is "-".)
X	if ls -lgd / | awk '{if($1~/-.$/) exit 1;}'; then
X		fail "Anyone can write to /.  Fix this more basic security problem first."
X	fi
X	if ls -lgd /etc | awk '{if($1~/-.$/) exit 1;}'; then
X		fail "Anyone can write to /etc.  Fix this more basic security problem first."
X	fi
X	if ls -lgd /etc/passwd | awk '{if($1~/-.$/) exit 1;}'; then
X		fail "Anyone can write to /etc/passwd.  Fix this more basic security problem first."
X	fi
Xfi
X
X#
X# There must be a /etc/security directory to put passwd.adjunct in.
Xpwdauthd_started_by_hand=$FALSE
Xif [ ! -d /etc/security ]; then
X	mkdir /etc/security
X	# The SunOS 4.0.3 supplied /etc/rc.local starts rpc.pwdauthd only
X	# if /etc/security/passwd.adjunct exists.
X	( cd /; rpc.pwdauthd & )
X	pwdauthd_started_by_hand=$TRUE
X	echo "rpc.pwdauthd started.  Started by /etc/rc.local from now on."
Xfi
X#
X# The idly curious are denied satisfaction.
Xchown root.wheel /etc/security
Xchmod 711 /etc/security; chmod g+s /etc/security
X#
X# Create a null /etc/security/passwd.adjunct file.
X# (Test with -f, not -d: passwd.adjunct is a file, and a second run must
X# not overwrite an adjunct file that already holds the real hashes.)
Xif [ ! -f /etc/security/passwd.adjunct ]; then
X	touch /etc/security/passwd.adjunct
X	if [ $pwdauthd_started_by_hand -eq $FALSE ]; then
X		# /etc/security/ existed, but passwd.adjunct didn't ...
X		# interesting.
X		( cd /; rpc.pwdauthd & )
X		pwdauthd_started_by_hand=$TRUE
X		echo "rpc.pwdauthd started.  Started by /etc/rc.local from now on."
X	fi
Xelse
X	fail "/etc/security/passwd.adjunct already exists!"
Xfi
X#
X# It should be impervious to inspection by anyone but root (I wish).
Xchown root.wheel /etc/security/passwd.adjunct
Xchmod 600 /etc/security/passwd.adjunct
X#
X# The old password file (with passwords still in it) should be locked up.
Xcp /etc/passwd /etc/passwd.bak
Xif [ $? -ne $TRUE ]; then
X	fail "Couldn't create /etc/passwd.bak.  Too dangerous to proceed."
Xfi
Xchown root.wheel /etc/passwd.bak
Xchmod 400 /etc/passwd.bak
X#
X# Assume that whatever owner, group and mode are current on /etc/passwd
X# make you happy and leave it alone.
X#
X# Split up the old password file.  One twist (I don't know why, but just
X# to be consistent with C2conv) is that "audit:*:::::all" is the first line in
X# the passwd.adjunct file.  Dealing with NIS (YP) passwd entries and determining
X# if NIS is actually running is just too damn complicated, so punt.  NIS
X# passwd entries are left as is.
XEDITOR=ex
Xexport EDITOR
Xvipw >/dev/null <<EOF
X1,\$! awk -F: '{printf "\%s:\%s:::::\n", \$1, \$2;}'
X/^audit:/d
X1put
X1d
X1put
X1s/\$/all/
Xg/^+/d
Xw! /etc/security/passwd.adjunct
Xe!
X1,\$! awk -F: '{if(\$1~/^+/)print;else printf "\%s:\#\#\%s:\%s:\%s:\%s:\%s:\%s\n", \$1, \$1, \$3, \$4, \$5, \$6, \$7;}'
Xw!
Xq
XEOF
Xegrep '^\+' /etc/passwd >/dev/null
Xif [ $? -eq $TRUE ]; then
X	echo "NIS (YP) passwd entries need to be added to the shadow password file by hand."
Xfi
X#
X# Reminder to comment out the auditd startup in /etc/rc.local.
Xecho "Remember to comment out or delete the auditd startup in /etc/rc.local:"
Xecho
Xsed -n "/auditd/,/fi/s/^/	/p" /etc/rc.local
END_OF_FILE
if test 5028 -ne `wc -c <'mkshadow'`; then
    echo shar: \"'mkshadow'\" unpacked with wrong size!
fi
chmod +x 'mkshadow'
# end of 'mkshadow'
fi
echo shar: End of shell archive.
exit 0
-- 
Scott Leadley - leadley@cc.rochester.edu
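The passwd/passwd.adjunct split is the one step of mkshadow that is hard to undo, and the script does it in place through vipw and ex. The following is an added example, not part of Scott Leadley's posting or of Sun's C2conv: the same transformation redone with awk on files you name, so it can be rehearsed on a copy of /etc/passwd and inspected before anything is written under /etc. The file names, the sample entries and the password "hashes" in it are constructed for the example and are not real crypt(3) output; `split_passwd` and `has_hashes` are names chosen here.

```sh
#!/bin/sh
# Added example: dry run of the passwd -> passwd.adjunct split.
# Nothing here touches /etc; all paths are the caller's.

# split_passwd IN OUT_PASSWD OUT_ADJUNCT
# OUT_ADJUNCT gets "audit:*:::::all" first (as C2conv does), then one
# name:hash::::: line per local user; NIS "+" entries are dropped from it.
# OUT_PASSWD gets every entry with the hash replaced by ##name, except NIS
# "+" entries, which are copied through unchanged (mkshadow punts on them).
split_passwd() {
    in=$1; out_pw=$2; out_adj=$3
    {
        echo 'audit:*:::::all'
        awk -F: 'substr($1,1,1) != "+" && $1 != "audit" { printf "%s:%s:::::\n", $1, $2 }' "$in"
    } > "$out_adj"
    awk -F: '{ if (substr($1,1,1) == "+") print; else printf "%s:##%s:%s:%s:%s:%s:%s\n", $1, $1, $3, $4, $5, $6, $7 }' "$in" > "$out_pw"
}

# has_hashes FILE: succeeds if some non-NIS entry still carries a real hash,
# i.e. field 2 is not empty, not "*" and not a ##name placeholder.
# Run it on the rewritten passwd before installing it: it must fail.
has_hashes() {
    awk -F: 'substr($1,1,1) != "+" && $2 != "" && $2 != "*" && substr($2,1,2) != "##" { found = 1 }
             END { exit !found }' "$1"
}

# Rehearsal on a constructed passwd file (placeholder hashes, not real ones).
demo=${TMPDIR:-/tmp}/mkshadow-demo.$$
mkdir -p "$demo"
cat > "$demo/passwd" <<'EOF'
root:AbCdEfGhIjKlM:0:1:Operator:/:/bin/csh
audit:*:9:9::/etc/security/audit:/bin/csh
scott:NoPqRsTuVwXyZ:1001:20:Scott:/u/scott:/bin/csh
+::0:0:::
EOF
split_passwd "$demo/passwd" "$demo/passwd.new" "$demo/passwd.adjunct"
echo "== passwd.new (world-readable, no hashes) =="; cat "$demo/passwd.new"
echo "== passwd.adjunct (mode 600, root only) =="; cat "$demo/passwd.adjunct"
if has_hashes "$demo/passwd.new"; then
    echo "BUG: hashes survived in passwd.new" 1>&2
fi
rm -rf "$demo"
```

Compare the two output files against what mkshadow's ex commands would produce on the same input: the adjunct file carries the hashes and nothing else, the new passwd carries `##name` in the password field, and the trailing `+::0:0:::` NIS entry is untouched, which is exactly the case the script tells you to finish by hand.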