[Libguestfs] [PATCH 5/5] customize: use augeas to change passwords

Richard W.M. Jones rjones at redhat.com
Fri Sep 5 12:13:59 UTC 2014


On Thu, Sep 04, 2014 at 05:18:31PM +0200, Pino Toscano wrote:
> Make use of augeas to load and edit /etc/shadow, now that we have
> (either from upstream or by ourselves) a lens handling it.
> ---
>  customize/password.ml | 64 +++++++++++++++++++++++----------------------------
>  1 file changed, 29 insertions(+), 35 deletions(-)
> 
> diff --git a/customize/password.ml b/customize/password.ml
> index 84af0c3..3437bf0 100644
> --- a/customize/password.ml
> +++ b/customize/password.ml
> @@ -87,42 +87,36 @@ let rec set_linux_passwords ~prog ?password_crypto g root passwords =
>      | None -> default_crypto ~prog g root
>      | Some c -> c in
>  
> -  (* XXX Would like to use Augeas here, but Augeas doesn't support
> -   * /etc/shadow (as of 1.1.0).
> -   *)
> +  g#aug_init "/" 0;
> +  let users = Array.to_list (g#aug_ls "/files/etc/shadow") in
> +  List.iter (
> +    fun userpath ->
> +      let user =
> +        let i = String.rindex userpath '/' in
> +        String.sub userpath (i+1) (String.length userpath -i-1) in
> +      try
> +        (* Each line is: "user:[!!]password:..."
> +         * !! at the front of the password field means the account is locked.
> +         *)
> +        let selector = Hashtbl.find passwords user in
> +        let pwfield =
> +          match selector with
> +          | { pw_locked = locked;
> +              pw_password = Password password } ->
> +            (if locked then "!!" else "") ^ encrypt password crypto
> +          | { pw_locked = locked;
> +              pw_password = Random_password } ->
> +            let password = make_random_password () in
> +            printf (f_"Setting random password of %s to %s\n%!")
> +              user password;
> +            (if locked then "!!" else "") ^ encrypt password crypto
> +          | { pw_locked = true; pw_password = Disabled_password } -> "!!*"
> +          | { pw_locked = false; pw_password = Disabled_password } -> "*" in
> +        g#aug_set (userpath ^ "/password") pwfield
> +      with Not_found -> ()
> +  ) users;
> +  g#aug_save ();
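
Review bot: the `try ... with Not_found -> ()` in the `List.iter` body covers more than the `Hashtbl.find passwords user` lookup it is meant for. It also wraps `encrypt`, `make_random_password` and `g#aug_set`, so a `Not_found` raised by any of those would be swallowed silently and that user's password left unchanged with no error. Consider narrowing it to the lookup alone, for example `match (try Some (Hashtbl.find passwords user) with Not_found -> None) with`, and handling `None` as the skip case. Related: because the loop iterates over the entries Augeas returns for `/files/etc/shadow`, any user named in `passwords` that has no shadow entry is skipped without a warning, which is worth at least a message. The quoted lines also end at `g#aug_save ()`; if no `g#aug_close ()` follows in the rest of the function, the Augeas handle opened by `g#aug_init "/" 0` stays open.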

So in fact Augeas doesn't model the '!!' (locked) field, it just
includes it in the /files/etc/shadow/<user>/password?

ACK.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org



