
System Management Concepts: Operating System and Devices


Passwords for BSD 4.3 System Managers

The following information details the differences between managing passwords in this operating system and 4.3 BSD systems.

Setting a User Password

When you use the /bin/passwd command for this operating system as the root user, you are prompted for the current root user password. An example of using the /bin/passwd command follows:

# passwd cslater
Changing password for "cslater"
Enter root's Password or
cslater's Old password:
cslater's New password:
Re-enter cslater's new password:
#

The 4.3 BSD version does not prompt for the current root user password. An example of the 4.3 BSD version follows:

# passwd cslater
New password:
Retype new password:
#

Importing a 4.3 BSD Password File

You can import a 4.3 BSD password file by first copying it to the /etc/passwd file and entering:

pwdck -y ALL 

Then the /etc/security/limits file must be updated with a null stanza for any new users. The usrck command does this, but using the usrck command can cause problems unless the /etc/group file is imported with the /etc/passwd file.

Note: If the /etc/security/limits file is modified, the stack must not exceed 65,536 bytes. If it does, running the usrck command can cause problems. Change the stack size to 65,536 and run the usrck command again.

Also run the grpck and usrck commands to verify group and user attributes.
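The following is an added example and not part of this document: a portable shell function that sanity-checks the format of a 4.3 BSD password file before it is copied over /etc/passwd, so that gross problems (wrong field count, duplicate names, non-numeric IDs, a second uid 0 account) are caught before pwdck -y ALL is run. The sample file and every entry in it are constructed for the example; pwdck and usrck remain the authoritative checks on this operating system.

```sh
#!/bin/sh
# Added example, not from the documentation: pre-import sanity check for a
# 4.3 BSD style password file.  Each line must have the seven fields
# name:password:uid:gid:gecos:home:shell; names must be unique, uid and gid
# must be numeric, and no account other than root should carry uid 0.
#
# check_bsd_passwd FILE
#   prints one diagnostic per problem; the exit status is the number of
#   problems found (0 means the file looks importable).
check_bsd_passwd() {
    awk -F: '
        NF != 7 { printf "line %d: expected 7 fields, got %d\n", NR, NF; bad++; next }
        $1 == "" { printf "line %d: empty user name\n", NR; bad++ }
        seen[$1]++ { printf "line %d: duplicate user %s\n", NR, $1; bad++ }
        $3 !~ /^[0-9]+$/ { printf "line %d: non-numeric uid \"%s\"\n", NR, $3; bad++ }
        $4 !~ /^[0-9]+$/ { printf "line %d: non-numeric gid \"%s\"\n", NR, $4; bad++ }
        $3 == "0" && $1 != "root" { printf "line %d: user %s has uid 0\n", NR, $1; bad++ }
        END { exit bad + 0 }
    ' "$1"
}

# make_sample FILE: writes a constructed password file with two good
# entries followed by four defective ones, for trying the check.
make_sample() {
    cat > "$1" <<'EOF'
root:*:0:0:Charlie Root:/:/bin/sh
cslater:*:1001:100:C. Slater:/home/cslater:/bin/csh
cslater:*:1002:100:duplicate name:/home/dup:/bin/sh
bogus:*:abc:100:non-numeric uid:/home/bogus:/bin/sh
toor:*:0:0:second uid 0 account:/:/bin/sh
short:*:1003
EOF
}

# Stand-alone use: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    make_sample "$f"
    check_bsd_passwd "$f"
    echo "problems found: $?"
    rm -f "$f"
fi
```

Run on the sample file, the check reports four problems (the duplicate name, the non-numeric uid, the second uid 0 account and the short line) and exits with status 4; a file that passes exits with status 0 and can then be copied into place for pwdck.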

Editing the Password File

In this operating system, the lsuser, mkuser, chuser, and rmuser commands are provided for managing passwords. All of these commands can be used by running Web-based System Manager or SMIT. However, all of these commands deal with only one user at a time.

Note: Using an editor to change several user name entries at one time requires editing several files simultaneously, because passwords are stored in the /etc/security/passwd file, authorization information is stored in the /etc/security/user file, and the remaining user data is stored in the /etc/passwd file.

This operating system does not support the vipw command but does support the mkpasswd command. However, you can still administer passwords on this operating system in a 4.3 BSD manner. Use the following procedure:

  1. Put a 4.3 BSD password file in the /etc/shadow file.
  2. Change the permissions of the file by entering:

    chmod 000 /etc/shadow
    
  3. Place the following vipw shell script in the /etc directory:

    -----------------------------------------------------------
    #!/bin/bsh
    #
    # vipw. Uses pwdck for now. May use usrck someday
    #
    PATH=/bin:/usr/bin:/etc:/usr/ucb    # Add to this if your editor is
                                        # some place else
    if [ -f /etc/ptmp ] ; then
            echo "/etc/ptmp exists. Is someone else using vipw?"
            exit 1
    fi
    # Fall back to vi unless $EDITOR resolves to an existing program
    # (the leading / turns an empty "which" result into a non-file)
    if [ ! -f /`which "$EDITOR" | awk '{ print $1 }'` ] ; then
            EDITOR=vi
    fi
    cp /etc/shadow /etc/ptmp
    if (cmp /etc/shadow /etc/ptmp) ; then
            $EDITOR /etc/ptmp
    else
            echo cannot copy shadow to ptmp
            exit 1
    fi
    # Only install the edited file if the root entry survived the edit
    if (egrep "^root:" /etc/ptmp >/dev/null) ; then
            cp /etc/ptmp /etc/shadow ; cp /etc/ptmp /etc/passwd
            chmod 000 /etc/passwd /etc/shadow
            pwdck -y ALL >/dev/null 2>&1    # return code 114 may change
            rc=$?
            if [ $rc -eq 114 ]; then
                    chmod 644 /etc/passwd
                    rm -f /etc/passwd.dir /etc/passwd.pag
                    mkpasswd /etc/passwd
                    # update /etc/security/limits, or ftp
                    # will fail
            else
                    pwdck -y ALL
            fi
    else
            echo bad entry for root in ptmp
    fi
    rm /etc/ptmp
    -----------------------------------------------------------
    
  4. If you use the vipw shell script or the mkpasswd command, be aware that Web-based System Manager, SMIT, and the mkuser, chuser, and rmuser commands do not use the mkpasswd command. You must run:

    mkpasswd /etc/passwd
    

    to update the /etc/passwd.dir and /etc/passwd.pag files.

    Attention: Initialization of the IFS variable and the trap statements guard against some of the common methods used to exploit security holes inherent in the setuid feature. However, the vipw and passwd shell scripts are intended for relatively open environments where compatibility is an important consideration. If you want a more secure environment, use only the standard commands for this operating system.

  5. Put the following passwd shell script in the /usr/ucb directory:

    -----------------------------------------------------------
    #!/bin/ksh
    #
    # matches changes to /etc/security/passwd file with changes to
    # /etc/shadow
    #
    IFS=" "
    PATH=/bin
    trap "exit 2" 1 2 3 4 5 6 7 8 10 12 13 14 15 16 17 18 21 22 \
            23 24 25 27 28 29 30 31 32 33 34 35 36 60 61 62
    if [ -n "$1" ]; then
            USERNAME=$1
    else
            USERNAME=$LOGNAME
    fi
    if [ -f /etc/ptmp ]; then
            echo password file busy
            exit 1
    fi
    trap "rm /etc/ptmp; exit 3" 1 2 3 4 5 6 7 8 10 12 13 \
            14 15 16 17 18 21 22 23 24 25 27 28 29 30 31 \
            32 33 34 35 36 60 61 62
    if (cp /etc/security/passwd /etc/ptmp) ; then
            chmod 000 /etc/ptmp
    else
            rm -f /etc/ptmp
            exit 1
    fi
    if ( /bin/passwd $USERNAME ) ; then
            # pull the new hash out of the user's stanza in /etc/security/passwd
            PW=` awk ' BEGIN { RS = "" }
                    $1 == user { print $4 } ' user="$USERNAME:" \
                    /etc/security/passwd `
    else
            rm -f /etc/ptmp
            exit 1
    fi
    rm -f /etc/ptmp
    # rewrite /etc/shadow with the new hash in the user's password field
    awk -F: '$1 == user { print $1":"pw":"$3":"$4":"$5":"$6":"$7 }
            $1 != user { print $0 }' user="$USERNAME" pw="$PW" \
                    /etc/shadow > /etc/ptmp
    chmod 000 /etc/ptmp
    mv -f /etc/ptmp /etc/shadow
    -----------------------------------------------------------
    
  6. Change the permissions of the passwd script by entering:

    chmod 4711 /usr/ucb/passwd
    
  7. Ensure that each user's PATH environment variable specifies that the /usr/ucb directory be searched before the /bin directory.
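The steps above are the document's procedure. What follows is an added example, not part of the document, that exercises the two awk steps at the heart of the passwd wrapper script (pulling the new hash out of a user's stanza in /etc/security/passwd, then rewriting that user's password field in the 4.3 BSD-format /etc/shadow) against constructed copies of both files in a temporary directory, so the logic can be checked without touching the real files. The stanza contents, the "OLD..."/"NEW..." hash placeholders, and the file names under the temporary directory are all constructed for the example; the function names (stanza_password, merge_shadow, sync_user_hash, shadow_hash, make_samples) are the example's own.

```sh
#!/bin/sh
# Added example, not from the documentation: the stanza lookup and the
# shadow rewrite performed by the passwd wrapper, run on constructed copies
# of /etc/security/passwd and /etc/shadow so nothing real is modified.

# stanza_password STANZAFILE USER
#   prints the "password =" value of USER's stanza.  Paragraph mode
#   (RS = "") makes each blank-line-separated stanza one record whose
#   fields are: "user:" password = <hash> lastupdate = ..., so $4 is the hash.
stanza_password() {
    awk 'BEGIN { RS = "" }
         $1 == user { print $4 }' user="$2:" "$1"
}

# merge_shadow SHADOWFILE USER HASH
#   prints SHADOWFILE with the password field (field 2) of USER replaced by
#   HASH; every other line is passed through unchanged.
merge_shadow() {
    awk -F: '$1 == user { print $1":"pw":"$3":"$4":"$5":"$6":"$7 }
             $1 != user { print $0 }' user="$2" pw="$3" "$1"
}

# sync_user_hash DIR USER
#   what the wrapper does after /bin/passwd succeeds: look the new hash up
#   and rewrite DIR/shadow through a temporary file.  Unlike the wrapper it
#   refuses to write when no hash was found: an empty "password =" line
#   makes awk return the next word, "lastupdate", as $4.
sync_user_hash() {
    pw=$(stanza_password "$1/security.passwd" "$2")
    [ -n "$pw" ] && [ "$pw" != "lastupdate" ] || return 1
    merge_shadow "$1/shadow" "$2" "$pw" > "$1/ptmp" || return 1
    chmod 600 "$1/ptmp"   # the wrapper uses 000; 600 keeps this copy readable by its owner
    mv -f "$1/ptmp" "$1/shadow"
}

# shadow_hash DIR USER: prints USER's password field from DIR/shadow
shadow_hash() {
    awk -F: '$1 == user { print $2 }' user="$2" "$1/shadow"
}

# make_samples DIR: constructed sample data with one healthy stanza
# (cslater) and one with an empty password line (nohash).
make_samples() {
    cat > "$1/security.passwd" <<'EOF'
root:
        password = OLDROOTHASH
        lastupdate = 1000000000
        flags =

cslater:
        password = NEWCSLATERHASH
        lastupdate = 1000000001
        flags =

nohash:
        password =
        lastupdate = 1000000002
        flags =
EOF
    cat > "$1/shadow" <<'EOF'
root:OLDROOTHASH:0:0:Charlie Root:/:/bin/sh
cslater:OLDCSLATERHASH:1001:100:C. Slater:/home/cslater:/bin/csh
nohash:OLDNOHASH:1002:100:Empty password stanza:/home/nohash:/bin/sh
EOF
}

# Stand-alone use: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_samples "$d"
    sync_user_hash "$d" cslater && shadow_hash "$d" cslater
    rm -rf "$d"
fi
```

After sync_user_hash runs for cslater, that user's field 2 in the sample shadow file carries the new hash while root's line and the line count are untouched; for nohash the lookup yields "lastupdate" rather than a hash, which the wrapper would have written into the password field verbatim, so the example refuses and leaves the file alone. The same guard is worth adding to the wrapper if it is used where stanzas may carry an empty password line.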

