From ef2e7b3f9d264ec146d4dae257b1e295ab3b462a Mon Sep 17 00:00:00 2001
From: Hugues Hiegel
Date: Tue, 21 Apr 2015 12:45:58 +0200
Subject: updates - plugins as a separate git folder
---
plugins/password/helpers/chgdbmailusers.c | 47 -----
plugins/password/helpers/chgsaslpasswd.c | 29 ---
plugins/password/helpers/chgvirtualminpasswd.c | 28 ---
plugins/password/helpers/chpass-wrapper.py | 32 ---
plugins/password/helpers/dovecot_hmacmd5.php | 191 ------------------
plugins/password/helpers/passwd-expect | 267 -------------------------
6 files changed, 594 deletions(-)
delete mode 100644 plugins/password/helpers/chgdbmailusers.c
delete mode 100644 plugins/password/helpers/chgsaslpasswd.c
delete mode 100644 plugins/password/helpers/chgvirtualminpasswd.c
delete mode 100644 plugins/password/helpers/chpass-wrapper.py
delete mode 100644 plugins/password/helpers/dovecot_hmacmd5.php
delete mode 100644 plugins/password/helpers/passwd-expect
(limited to 'plugins/password/helpers')
diff --git a/plugins/password/helpers/chgdbmailusers.c b/plugins/password/helpers/chgdbmailusers.c
deleted file mode 100644
index be237556e..000000000
--- a/plugins/password/helpers/chgdbmailusers.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#include
-#include
-#include
-
-// set the UID this script will run as (root user)
-#define UID 0
-#define CMD "/usr/sbin/dbmail-users"
-
-/* INSTALLING:
- gcc -o chgdbmailusers chgdbmailusers.c
- chown root.apache chgdbmailusers
- strip chgdbmailusers
- chmod 4550 chgdbmailusers
-*/
-
-main(int argc, char *argv[])
-{
- int cnt,rc,cc;
- char cmnd[1024];
-
- strcpy(cmnd, CMD);
-
- if (argc > 1)
- {
- for (cnt = 1; cnt < argc; cnt++)
- {
- strcat(cmnd, " ");
- strcat(cmnd, argv[cnt]);
- }
- }
- else
- {
- fprintf(stderr, "__ %s: failed %d %d\n", argv[0], rc, cc);
- return 255;
- }
-
- cc = setuid(UID);
- rc = system(cmnd);
-
- if ((rc != 0) || (cc != 0))
- {
- fprintf(stderr, "__ %s: failed %d %d\n", argv[0], rc, cc);
- return 1;
- }
-
- return 0;
-}
diff --git a/plugins/password/helpers/chgsaslpasswd.c b/plugins/password/helpers/chgsaslpasswd.c
deleted file mode 100644
index bcdcb2e0d..000000000
--- a/plugins/password/helpers/chgsaslpasswd.c
+++ /dev/null
@@ -1,29 +0,0 @@
-#include
-#include
-
-// set the UID this script will run as (cyrus user)
-#define UID 96
-// set the path to saslpasswd or saslpasswd2
-#define CMD "/usr/sbin/saslpasswd2"
-
-/* INSTALLING:
- gcc -o chgsaslpasswd chgsaslpasswd.c
- chown cyrus.apache chgsaslpasswd
- strip chgsaslpasswd
- chmod 4550 chgsaslpasswd
-*/
-
-main(int argc, char *argv[])
-{
- int rc,cc;
-
- cc = setuid(UID);
- rc = execvp(CMD, argv);
- if ((rc != 0) || (cc != 0))
- {
- fprintf(stderr, "__ %s: failed %d %d\n", argv[0], rc, cc);
- return 1;
- }
-
- return 0;
-}
diff --git a/plugins/password/helpers/chgvirtualminpasswd.c b/plugins/password/helpers/chgvirtualminpasswd.c
deleted file mode 100644
index 4e2299c66..000000000
--- a/plugins/password/helpers/chgvirtualminpasswd.c
+++ /dev/null
@@ -1,28 +0,0 @@
-#include
-#include
-
-// set the UID this script will run as (root user)
-#define UID 0
-#define CMD "/usr/sbin/virtualmin"
-
-/* INSTALLING:
- gcc -o chgvirtualminpasswd chgvirtualminpasswd.c
- chown root.apache chgvirtualminpasswd
- strip chgvirtualminpasswd
- chmod 4550 chgvirtualminpasswd
-*/
-
-main(int argc, char *argv[])
-{
- int rc,cc;
-
- cc = setuid(UID);
- rc = execvp(CMD, argv);
- if ((rc != 0) || (cc != 0))
- {
- fprintf(stderr, "__ %s: failed %d %d\n", argv[0], rc, cc);
- return 1;
- }
-
- return 0;
-}
diff --git a/plugins/password/helpers/chpass-wrapper.py b/plugins/password/helpers/chpass-wrapper.py
deleted file mode 100644
index 61bba849e..000000000
--- a/plugins/password/helpers/chpass-wrapper.py
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env python
-
-import sys
-import pwd
-import subprocess
-
-BLACKLIST = (
- # add blacklisted users here
- #'user1',
-)
-
-try:
- username, password = sys.stdin.readline().split(':', 1)
-except ValueError, e:
- sys.exit('Malformed input')
-
-try:
- user = pwd.getpwnam(username)
-except KeyError, e:
- sys.exit('No such user: %s' % username)
-
-if user.pw_uid < 1000:
- sys.exit('Changing the password for user id < 1000 is forbidden')
-
-if username in BLACKLIST:
- sys.exit('Changing password for user %s is forbidden (user blacklisted)' %
- username)
-
-handle = subprocess.Popen('/usr/sbin/chpasswd', stdin = subprocess.PIPE)
-handle.communicate('%s:%s' % (username, password))
-
-sys.exit(handle.returncode)
diff --git a/plugins/password/helpers/dovecot_hmacmd5.php b/plugins/password/helpers/dovecot_hmacmd5.php
deleted file mode 100644
index 644b5377e..000000000
--- a/plugins/password/helpers/dovecot_hmacmd5.php
+++ /dev/null
@@ -1,191 +0,0 @@ -. - * - */ - -/* Convert a 32-bit number to a hex string with ls-byte first - */ - -function rhex($n) { - $hex_chr = "0123456789abcdef"; $r = ''; - for($j = 0; $j <= 3; $j++) - $r .= $hex_chr[($n >> ($j * 8 + 4)) & 0x0F] . $hex_chr[($n >> ($j * 8)) & 0x0F]; - return $r; -} - -/* zeroFill() is needed because PHP doesn't have a zero-fill - * right shift operator like JavaScript's >>> - */ - -function zeroFill($a, $b) { - $z = hexdec(80000000); - if ($z & $a) { - $a >>= 1; - $a &= (~$z); - $a |= 0x40000000; - $a >>= ($b-1); - } else { - $a >>= $b; - } - return $a; -} - -/* Bitwise rotate a 32-bit number to the left - */ - -function bit_rol($num, $cnt) { - return ($num << $cnt) | (zeroFill($num, (32 - $cnt))); -} - -/* Add integers, wrapping at 2^32 - */ - -function safe_add($x, $y) { - return (($x&0x7FFFFFFF) + ($y&0x7FFFFFFF)) ^ ($x&0x80000000) ^ ($y&0x80000000); -} - -/* These functions implement the four basic operations the algorithm uses. - */ - -function md5_cmn($q, $a, $b, $x, $s, $t) { - return safe_add(bit_rol(safe_add(safe_add($a, $q), safe_add($x, $t)), $s), $b); -} -function md5_ff($a, $b, $c, $d, $x, $s, $t) { - return md5_cmn(($b & $c) | ((~$b) & $d), $a, $b, $x, $s, $t); -} -function md5_gg($a, $b, $c, $d, $x, $s, $t) { - return md5_cmn(($b & $d) | ($c & (~$d)), $a, $b, $x, $s, $t); -} -function md5_hh($a, $b, $c, $d, $x, $s, $t) { - return md5_cmn($b ^ $c ^ $d, $a, $b, $x, $s, $t); -} -function md5_ii($a, $b, $c, $d, $x, $s, $t) { - return md5_cmn($c ^ ($b | (~$d)), $a, $b, $x, $s, $t); -} - -/* Calculate the first round of the MD5 algorithm - */ - -function md5_oneround($s, $io) { - - $s = str_pad($s, 64, chr(0x00)); - - $x = array_fill(0, 16, 0); - - for($i = 0; $i < 64; $i++) - $x[$i >> 2] |= (($io ? 
0x36 : 0x5c) ^ ord($s[$i])) << (($i % 4) * 8); - - $a = $olda = 1732584193; - $b = $oldb = -271733879; - $c = $oldc = -1732584194; - $d = $oldd = 271733878; - - $a = md5_ff($a, $b, $c, $d, $x[ 0], 7 , -680876936); - $d = md5_ff($d, $a, $b, $c, $x[ 1], 12, -389564586); - $c = md5_ff($c, $d, $a, $b, $x[ 2], 17, 606105819); - $b = md5_ff($b, $c, $d, $a, $x[ 3], 22, -1044525330); - $a = md5_ff($a, $b, $c, $d, $x[ 4], 7 , -176418897); - $d = md5_ff($d, $a, $b, $c, $x[ 5], 12, 1200080426); - $c = md5_ff($c, $d, $a, $b, $x[ 6], 17, -1473231341); - $b = md5_ff($b, $c, $d, $a, $x[ 7], 22, -45705983); - $a = md5_ff($a, $b, $c, $d, $x[ 8], 7 , 1770035416); - $d = md5_ff($d, $a, $b, $c, $x[ 9], 12, -1958414417); - $c = md5_ff($c, $d, $a, $b, $x[10], 17, -42063); - $b = md5_ff($b, $c, $d, $a, $x[11], 22, -1990404162); - $a = md5_ff($a, $b, $c, $d, $x[12], 7 , 1804603682); - $d = md5_ff($d, $a, $b, $c, $x[13], 12, -40341101); - $c = md5_ff($c, $d, $a, $b, $x[14], 17, -1502002290); - $b = md5_ff($b, $c, $d, $a, $x[15], 22, 1236535329); - - $a = md5_gg($a, $b, $c, $d, $x[ 1], 5 , -165796510); - $d = md5_gg($d, $a, $b, $c, $x[ 6], 9 , -1069501632); - $c = md5_gg($c, $d, $a, $b, $x[11], 14, 643717713); - $b = md5_gg($b, $c, $d, $a, $x[ 0], 20, -373897302); - $a = md5_gg($a, $b, $c, $d, $x[ 5], 5 , -701558691); - $d = md5_gg($d, $a, $b, $c, $x[10], 9 , 38016083); - $c = md5_gg($c, $d, $a, $b, $x[15], 14, -660478335); - $b = md5_gg($b, $c, $d, $a, $x[ 4], 20, -405537848); - $a = md5_gg($a, $b, $c, $d, $x[ 9], 5 , 568446438); - $d = md5_gg($d, $a, $b, $c, $x[14], 9 , -1019803690); - $c = md5_gg($c, $d, $a, $b, $x[ 3], 14, -187363961); - $b = md5_gg($b, $c, $d, $a, $x[ 8], 20, 1163531501); - $a = md5_gg($a, $b, $c, $d, $x[13], 5 , -1444681467); - $d = md5_gg($d, $a, $b, $c, $x[ 2], 9 , -51403784); - $c = md5_gg($c, $d, $a, $b, $x[ 7], 14, 1735328473); - $b = md5_gg($b, $c, $d, $a, $x[12], 20, -1926607734); - - $a = md5_hh($a, $b, $c, $d, $x[ 5], 4 , -378558); - $d = md5_hh($d, $a, $b, 
$c, $x[ 8], 11, -2022574463); - $c = md5_hh($c, $d, $a, $b, $x[11], 16, 1839030562); - $b = md5_hh($b, $c, $d, $a, $x[14], 23, -35309556); - $a = md5_hh($a, $b, $c, $d, $x[ 1], 4 , -1530992060); - $d = md5_hh($d, $a, $b, $c, $x[ 4], 11, 1272893353); - $c = md5_hh($c, $d, $a, $b, $x[ 7], 16, -155497632); - $b = md5_hh($b, $c, $d, $a, $x[10], 23, -1094730640); - $a = md5_hh($a, $b, $c, $d, $x[13], 4 , 681279174); - $d = md5_hh($d, $a, $b, $c, $x[ 0], 11, -358537222); - $c = md5_hh($c, $d, $a, $b, $x[ 3], 16, -722521979); - $b = md5_hh($b, $c, $d, $a, $x[ 6], 23, 76029189); - $a = md5_hh($a, $b, $c, $d, $x[ 9], 4 , -640364487); - $d = md5_hh($d, $a, $b, $c, $x[12], 11, -421815835); - $c = md5_hh($c, $d, $a, $b, $x[15], 16, 530742520); - $b = md5_hh($b, $c, $d, $a, $x[ 2], 23, -995338651); - - $a = md5_ii($a, $b, $c, $d, $x[ 0], 6 , -198630844); - $d = md5_ii($d, $a, $b, $c, $x[ 7], 10, 1126891415); - $c = md5_ii($c, $d, $a, $b, $x[14], 15, -1416354905); - $b = md5_ii($b, $c, $d, $a, $x[ 5], 21, -57434055); - $a = md5_ii($a, $b, $c, $d, $x[12], 6 , 1700485571); - $d = md5_ii($d, $a, $b, $c, $x[ 3], 10, -1894986606); - $c = md5_ii($c, $d, $a, $b, $x[10], 15, -1051523); - $b = md5_ii($b, $c, $d, $a, $x[ 1], 21, -2054922799); - $a = md5_ii($a, $b, $c, $d, $x[ 8], 6 , 1873313359); - $d = md5_ii($d, $a, $b, $c, $x[15], 10, -30611744); - $c = md5_ii($c, $d, $a, $b, $x[ 6], 15, -1560198380); - $b = md5_ii($b, $c, $d, $a, $x[13], 21, 1309151649); - $a = md5_ii($a, $b, $c, $d, $x[ 4], 6 , -145523070); - $d = md5_ii($d, $a, $b, $c, $x[11], 10, -1120210379); - $c = md5_ii($c, $d, $a, $b, $x[ 2], 15, 718787259); - $b = md5_ii($b, $c, $d, $a, $x[ 9], 21, -343485551); - - $a = safe_add($a, $olda); - $b = safe_add($b, $oldb); - $c = safe_add($c, $oldc); - $d = safe_add($d, $oldd); - - return rhex($a) . rhex($b) . rhex($c) . rhex($d); -} - -function dovecot_hmacmd5 ($s) { - if (strlen($s) > 64) $s=pack("H*", md5($s)); - return "{CRAM-MD5}" . md5_oneround($s, 0) . 
md5_oneround($s, 1); -} diff --git a/plugins/password/helpers/passwd-expect b/plugins/password/helpers/passwd-expect deleted file mode 100644 index 7db21ad1f..000000000 --- a/plugins/password/helpers/passwd-expect +++ /dev/null 
@@ -1,267 +0,0 @@ -# -# This scripts changes a password on the local system or a remote host. -# Connections to the remote (this can also be localhost) are made by ssh, rsh, -# telnet or rlogin. - -# @author Gaudenz Steinlin - -# For sudo support alter sudoers (using visudo) so that it contains the -# following information (replace 'apache' if your webserver runs under another -# user): -# ----- -# # Needed for Horde's passwd module -# Runas_Alias REGULARUSERS = ALL, !root -# apache ALL=(REGULARUSERS) NOPASSWD:/usr/bin/passwd -# ----- - -# @stdin The username, oldpassword, newpassword (in this order) -# will be taken from stdin -# @param -prompt regexp for the shell prompt -# @param -password regexp password prompt -# @param -oldpassword regexp for the old password -# @param -newpassword regexp for the new password -# @param -verify regexp for verifying the password -# @param -success regexp for success changing the password -# @param -login regexp for the telnet prompt for the loginname -# @param -host hostname to be connected -# @param -timeout timeout for each step -# @param -log file for writing error messages -# @param -output file for loging the output -# @param -telnet use telnet -# @param -ssh use ssh (default) -# @param -rlogin use rlogin -# @param -slogin use slogin -# @param -sudo use sudo -# @param -program command for changing passwords -# -# @return 0 on success, 1 on failure -# - - -# default values -set host "localhost" -set login "ssh" -set program "passwd" -set prompt_string "(%|\\\$|>)" -set fingerprint_string "The authenticity of host.* can't be established.*\nRSA key fingerprint is.*\nAre you sure you want to continue connecting.*" -set password_string "(P|p)assword.*" -set oldpassword_string "((O|o)ld|login|\\\(current\\\) UNIX) (P|p)assword.*" -set newpassword_string "(N|n)ew.* (P|p)assword.*" -set badoldpassword_string "(Authentication token manipulation error).*" -set badpassword_string "((passwd|BAD PASSWORD).*|(passwd|Bad:).*\r)" -set 
verify_string "((R|r)e-*enter.*(P|p)assword|Retype new( UNIX)? password|(V|v)erification|(V|v)erify|(A|a)gain).*" -set success_string "((P|p)assword.* changed|successfully)" -set login_string "(((L|l)ogin|(U|u)sername).*)" -set timeout 20 -set log "/tmp/passwd.out" -set output false -set output_file "/tmp/passwd.log" - -# read input from stdin -fconfigure stdin -blocking 1 - -gets stdin user -gets stdin password(old) -gets stdin password(new) - -# alternative: read input from command line -#if {$argc < 3} { -# send_user "Too few arguments: Usage $argv0 username oldpass newpass" -# exit 1 -#} -#set user [lindex $argv 0] -#set password(old) [lindex $argv 1] -#set password(new) [lindex $argv 2] - -# no output to the user -log_user 0 - -# read in other options -for {set i 0} {$i<$argc} {incr i} { - set arg [lindex $argv $i] - switch -- $arg "-prompt" { - incr i - set prompt_string [lindex $argv $i] - continue - } "-password" { - incr i - set password_string [lindex $argv $i] - continue - } "-oldpassword" { - incr i - set oldpassword_string [lindex $argv $i] - continue - } "-newpassword" { - incr i - set newpassword_string [lindex $argv $i] - continue - } "-verify" { - incr i - set verify_string [lindex $argv $i] - continue - } "-success" { - incr i - set success_string [lindex $argv $i] - continue - } "-login" { - incr i - set login_string [lindex $argv $i] - continue - } "-host" { - incr i - set host [lindex $argv $i] - continue - } "-timeout" { - incr i - set timeout [lindex $argv $i] - continue - } "-log" { - incr i - set log [lindex $argv $i] - continue - } "-output" { - incr i - set output_file [lindex $argv $i] - set output true - continue - } "-telnet" { - set login "telnet" - continue - } "-ssh" { - set login "ssh" - continue - } "-ssh-exec" { - set login "ssh-exec" - continue - } "-rlogin" { - set login "rlogin" - continue - } "-slogin" { - set login "slogin" - continue - } "-sudo" { - set login "sudo" - continue - } "-program" { - incr i - set program [lindex 
$argv $i] - continue - } -} - -# log session -if {$output} { - log_file $output_file -} - -set err [open $log "w" "0600"] - -# start remote session -if {[string match $login "rlogin"]} { - set pid [spawn rlogin $host -l $user] -} elseif {[string match $login "slogin"]} { - set pid [spawn slogin $host -l $user] -} elseif {[string match $login "ssh"]} { - set pid [spawn ssh $host -l $user] -} elseif {[string match $login "ssh-exec"]} { - set pid [spawn ssh $host -l $user $program] -} elseif {[string match $login "sudo"]} { - set pid [spawn sudo -u $user $program] -} elseif {[string match $login "telnet"]} { - set pid [spawn telnet $host] - expect -re $login_string { - sleep .5 - send "$user\r" - } -} else { - puts $err "Invalid login mode. Valid modes: rlogin, slogin, ssh, telnet, sudo\n" - close $err - exit 1 -} - -set old_password_notentered true - -if {![string match $login "sudo"]} { - # log in - expect { - -re $fingerprint_string {sleep .5 - send yes\r - exp_continue} - -re $password_string {sleep .5 - send $password(old)\r} - timeout {puts $err "Could not login to system (no password prompt)\n" - close $err - exit 1} - } - - # start password changing program - expect { - -re $prompt_string {sleep .5 - send $program\r} - # The following is for when passwd is the login shell or ssh-exec is used - -re $oldpassword_string {sleep .5 - send $password(old)\r - set old_password_notentered false} - timeout {puts $err "Could not login to system (bad old password?)\n" - close $err - exit 1} - } -} - -# send old password -if {$old_password_notentered} { - expect { - -re $oldpassword_string {sleep .5 - send $password(old)\r} - timeout {puts $err "Could not start passwd program (no old password prompt)\n" - close $err - exit 1} - } -} - -# send new password -expect { - -re $newpassword_string {sleep .5 - send $password(new)\r} - -re $badoldpassword_string {puts $err "Old password is incorrect\n" - close $err - exit 1} - timeout {puts "Could not change password (bad old 
password?)\n" - close $err - exit 1} -} - -# send new password again -expect { - -re $badpassword_string {puts $err "$expect_out(0,string)" - close $err - send \003 - sleep .5 - exit 1} - -re $verify_string {sleep .5 - send $password(new)\r} - timeout {puts $err "New password not valid (too short, bad password, too similar, ...)\n" - close $err - send \003 - sleep .5 - exit 1} -} - -# check response -expect { - -re $success_string {sleep .5 - send exit\r} - -re $badpassword_string {puts $err "$expect_out(0,string)" - close $err - exit 1} - timeout {puts $err "Could not change password.\n" - close $err - exit 1} -} - -# exit succsessfully -expect { - eof {close $err - exit 0} -} -close $err -- cgit v1.2.3