1#!@perlbin@
2#
3# Licensed to the Apache Software Foundation (ASF) under one or more
4# contributor license agreements.  See the NOTICE file distributed with
5# this work for additional information regarding copyright ownership.
6# The ASF licenses this file to You under the Apache License, Version 2.0
7# (the "License"); you may not use this file except in compliance with
8# the License.  You may obtain a copy of the License at
9#
10#     http://www.apache.org/licenses/LICENSE-2.0
11#
12# Unless required by applicable law or agreed to in writing, software
13# distributed under the License is distributed on an "AS IS" BASIS,
14# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15# See the License for the specific language governing permissions and
16# limitations under the License.
17
18#for more functionality see the HTTPD::UserAdmin module:
19# http://www.perl.com/CPAN/modules/by-module/HTTPD/HTTPD-Tools-x.xx.tar.gz
20#
21# usage: dbmmanage <DBMfile> <command> <user> <password> <groups> <comment>
22
23package dbmmanage;
24#                               -ldb    -lndbm    -lgdbm    -lsdbm
25BEGIN { @AnyDBM_File::ISA = qw(DB_File NDBM_File GDBM_File SDBM_File) }
26use strict;
27use Fcntl;
28use AnyDBM_File ();
29
30sub usage {
31    my $cmds = join "|", sort keys %dbmc::;
32    die <<SYNTAX;
33Usage: dbmmanage [enc] dbname command [username [pw [group[,group] [comment]]]]
34
35    where enc is  -d for crypt encryption (default except on Win32, Netware)
36                  -m for MD5 encryption (default on Win32, Netware)
37                  -s for SHA1 encryption
38                  -p for plaintext
39
40    command is one of: $cmds
41
42    pw of . for update command retains the old password
43    pw of - (or blank) for update command prompts for the password
44
45    groups or comment of . (or blank) for update command retains old values
46    groups or comment of - for update command clears the existing value
47    groups or comment of - for add and adduser commands is the empty value
48SYNTAX
49}
50
51sub need_sha1_crypt {
52    if (!eval ('require "Digest/SHA1.pm";')) {
53        print STDERR <<SHAERR;
54dbmmanage SHA1 passwords require the interface or the module Digest::SHA1
55available from CPAN:
56
57    http://www.cpan.org/modules/by-module/Digest/Digest-MD5-2.12.tar.gz
58
59Please install Digest::SHA1 and try again, or use a different crypt option:
60
61SHAERR
62        usage();
63    }
64}
65
66sub need_md5_crypt {
67    if (!eval ('require "Crypt/PasswdMD5.pm";')) {
68        print STDERR <<MD5ERR;
69dbmmanage MD5 passwords require the module Crypt::PasswdMD5 available from CPAN
70
71    http://www.cpan.org/modules/by-module/Crypt/Crypt-PasswdMD5-1.1.tar.gz
72
73Please install Crypt::PasswdMD5 and try again, or use a different crypt option:
74
75MD5ERR
76        usage();
77    }
78}
79
80# if your osname is in $newstyle_salt, then use new style salt (starts with '_' and contains
81# four bytes of iteration count and four bytes of salt).  Otherwise, just use
82# the traditional two-byte salt.
83# see the man page on your system to decide if you have a newer crypt() lib.
84# I believe that 4.4BSD derived systems do (at least BSD/OS 2.0 does).
85# The new style crypt() allows up to 20 characters of the password to be
86# significant rather than only 8.
87#
88my $newstyle_salt_platforms = join '|', qw{bsdos}; #others?
89my $newstyle_salt = $^O =~ /(?:$newstyle_salt_platforms)/;
90
91# Some platforms just can't crypt() for Apache
92#
93my $crypt_not_supported_platforms = join '|', qw{MSWin32 NetWare}; #others?
94my $crypt_not_supported = $^O =~ /(?:$crypt_not_supported_platforms)/;
95
96my $crypt_method = "crypt";
97
98if ($crypt_not_supported) {
99    $crypt_method = "md5";
100}
101
102# Some platforms won't jump through our favorite hoops
103#
104my $not_unix_platforms = join '|', qw{MSWin32 NetWare}; #others?
105my $not_unix = $^O =~ /(?:$not_unix_platforms)/;
106
107if ($crypt_not_supported) {
108    $crypt_method = "md5";
109}
110
111if (@ARGV[0] eq "-d") {
112    shift @ARGV;
113    if ($crypt_not_supported) {
114        print STDERR
115              "Warning: Apache/$^O does not support crypt()ed passwords!\n\n";
116    }
117    $crypt_method = "crypt";
118}
119
120if (@ARGV[0] eq "-m") {
121    shift @ARGV;
122    $crypt_method = "md5";
123}
124
125if (@ARGV[0] eq "-p") {
126    shift @ARGV;
127    if (!$crypt_not_supported) {
128        print STDERR
129              "Warning: Apache/$^O does not support plaintext passwords!\n\n";
130    }
131    $crypt_method = "plain";
132}
133
134if (@ARGV[0] eq "-s") {
135    shift @ARGV;
136    need_sha1_crypt();
137    $crypt_method = "sha1";
138}
139
140if ($crypt_method eq "md5") {
141    need_md5_crypt();
142}
143
144my($file,$command,$key,$crypted_pwd,$groups,$comment) = @ARGV;
145
146usage() unless $file and $command and defined &{$dbmc::{$command}};
147
148# remove extension if any
149my $chop = join '|', qw{db.? pag dir};
150$file =~ s/\.($chop)$//;
151
152my $is_update = $command eq "update";
153my %DB = ();
154my @range = ();
155my($mode, $flags) = $command =~
156    /^(?:view|check)$/ ? (0644, O_RDONLY) : (0644, O_RDWR|O_CREAT);
157
158tie (%DB, "AnyDBM_File", $file, $flags, $mode) || die "Can't tie $file: $!";
159dbmc->$command();
160untie %DB;
161
162
163my $x;
164sub genseed {
165    my $psf;
166    if ($not_unix) {
167        srand (time ^ $$ or time ^ ($$ + ($$ << 15)));
168    }
169    else {
170        for (qw(-xlwwa -le)) {
171            `ps $_ 2>/dev/null`;
172            $psf = $_, last unless $?;
173        }
174        srand (time ^ $$ ^ unpack("%L*", `ps $psf | gzip -f`));
175    }
176    @range = (qw(. /), '0'..'9','a'..'z','A'..'Z');
177    $x = int scalar @range;
178}
179
180sub randchar {
181    join '', map $range[rand $x], 1..shift||1;
182}
183
184sub saltpw_crypt {
185    genseed() unless @range;
186    return $newstyle_salt ?
187        join '', "_", randchar, "a..", randchar(4) :
188        randchar(2);
189}
190
191sub cryptpw_crypt {
192    my ($pw, $salt) = @_;
193    $salt = saltpw_crypt unless $salt;
194    crypt $pw, $salt;
195}
196
197sub saltpw_md5 {
198    genseed() unless @range;
199    randchar(8);
200}
201
202sub cryptpw_md5 {
203    my($pw, $salt) = @_;
204    $salt = saltpw_md5 unless $salt;
205    Crypt::PasswdMD5::apache_md5_crypt($pw, $salt);
206}
207
208sub cryptpw_sha1 {
209    my($pw, $salt) = @_;
210    '{SHA}' . Digest::SHA1::sha1_base64($pw) . "=";
211}
212
213sub cryptpw {
214    if ($crypt_method eq "md5") {
215        return cryptpw_md5(@_);
216    } elsif ($crypt_method eq "sha1") {
217        return cryptpw_sha1(@_);
218    } elsif ($crypt_method eq "crypt") {
219        return cryptpw_crypt(@_);
220    }
221    @_[0]; # otherwise return plaintext
222}
223
224sub getpass {
225    my $prompt = shift || "Enter password:";
226
227    unless($not_unix) {
228        open STDIN, "/dev/tty" or warn "couldn't open /dev/tty $!\n";
229        system "stty -echo;";
230    }
231
232    my($c,$pwd);
233    print STDERR $prompt;
234    while (($c = getc(STDIN)) ne '' and $c ne "\n" and $c ne "\r") {
235        $pwd .= $c;
236    }
237
238    system "stty echo" unless $not_unix;
239    print STDERR "\n";
240    die "Can't use empty password!\n" unless length $pwd;
241    return $pwd;
242}
243
244sub dbmc::update {
245    die "Sorry, user `$key' doesn't exist!\n" unless $DB{$key};
246    $crypted_pwd = (split /:/, $DB{$key}, 3)[0] if $crypted_pwd eq '.';
247    $groups = (split /:/, $DB{$key}, 3)[1] if !$groups || $groups eq '.';
248    $comment = (split /:/, $DB{$key}, 3)[2] if !$comment || $comment eq '.';
249    if (!$crypted_pwd || $crypted_pwd eq '-') {
250        dbmc->adduser;
251    }
252    else {
253        dbmc->add;
254    }
255}
256
257sub dbmc::add {
258    die "Can't use empty password!\n" unless $crypted_pwd;
259    unless($is_update) {
260        die "Sorry, user `$key' already exists!\n" if $DB{$key};
261    }
262    $groups = '' if $groups eq '-';
263    $comment = '' if $comment eq '-';
264    $groups .= ":" . $comment if $comment;
265    $crypted_pwd .= ":" . $groups if $groups;
266    $DB{$key} = $crypted_pwd;
267    my $action = $is_update ? "updated" : "added";
268    print "User $key $action with password encrypted to $DB{$key} using $crypt_method\n";
269}
270
271sub dbmc::adduser {
272    my $value = getpass "New password:";
273    die "They don't match, sorry.\n" unless getpass("Re-type new password:") eq $value;
274    $crypted_pwd = cryptpw $value;
275    dbmc->add;
276}
277
278sub dbmc::delete {
279    die "Sorry, user `$key' doesn't exist!\n" unless $DB{$key};
280    delete $DB{$key}, print "`$key' deleted\n";
281}
282
283sub dbmc::view {
284    print $key ? "$key:$DB{$key}\n" : map { "$_:$DB{$_}\n" if $DB{$_} } keys %DB;
285}
286
287sub dbmc::check {
288    die "Sorry, user `$key' doesn't exist!\n" unless $DB{$key};
289    my $chkpass = (split /:/, $DB{$key}, 3)[0];
290    my $testpass = getpass();
291    if (substr($chkpass, 0, 6) eq '$apr1$') {
292        need_md5_crypt;
293        $crypt_method = "md5";
294    } elsif (substr($chkpass, 0, 5) eq '{SHA}') {
295        need_sha1_crypt;
296        $crypt_method = "sha1";
297    } elsif (length($chkpass) == 13 && $chkpass ne $testpass) {
298        $crypt_method = "crypt";
299    } else {
300        $crypt_method = "plain";
301    }
302    print $crypt_method . (cryptpw($testpass, $chkpass) eq $chkpass
303                           ? " password ok\n" : " password mismatch\n");
304}
305
306sub dbmc::import {
307    while(defined($_ = <STDIN>) and chomp) {
308        ($key,$crypted_pwd,$groups,$comment) = split /:/, $_, 4;
309        dbmc->add;
310    }
311}
312
313