[Libguestfs] [PATCH 5/5] customize: use augeas to change passwords

Pino Toscano ptoscano at redhat.com
Fri Sep 5 12:18:21 UTC 2014


On Friday 05 September 2014 13:13:59 Richard W.M. Jones wrote:
> On Thu, Sep 04, 2014 at 05:18:31PM +0200, Pino Toscano wrote:
> > Make use of augeas to load and edit /etc/shadow, now that we have
> > (either from upstream or by ourselves) a lens handling it.
> > ---
> > 
> >  customize/password.ml | 64
> >  +++++++++++++++++++++++---------------------------- 1 file
> >  changed, 29 insertions(+), 35 deletions(-)
> > 
> > diff --git a/customize/password.ml b/customize/password.ml
> > index 84af0c3..3437bf0 100644
> > --- a/customize/password.ml
> > +++ b/customize/password.ml
> > @@ -87,42 +87,36 @@ let rec set_linux_passwords ~prog
> > ?password_crypto g root passwords => 
> >      | None -> default_crypto ~prog g root
> >      | Some c -> c in
> > 
> > -  (* XXX Would like to use Augeas here, but Augeas doesn't support
> > -   * /etc/shadow (as of 1.1.0).
> > -   *)
> > +  g#aug_init "/" 0;
> > +  let users = Array.to_list (g#aug_ls "/files/etc/shadow") in
> > +  List.iter (
> > +    fun userpath ->
> > +      let user =
> > +        let i = String.rindex userpath '/' in
> > +        String.sub userpath (i+1) (String.length userpath -i-1) in
> > +      try
> > +        (* Each line is: "user:[!!]password:..."
> > +         * !! at the front of the password field means the account
> > is locked. +         *)
> > +        let selector = Hashtbl.find passwords user in
> > +        let pwfield =
> > +          match selector with
> > +          | { pw_locked = locked;
> > +              pw_password = Password password } ->
> > +            (if locked then "!!" else "") ^ encrypt password crypto
> > +          | { pw_locked = locked;
> > +              pw_password = Random_password } ->
> > +            let password = make_random_password () in
> > +            printf (f_"Setting random password of %s to %s\n%!")
> > +              user password;
> > +            (if locked then "!!" else "") ^ encrypt password crypto
> > +          | { pw_locked = true; pw_password = Disabled_password }
> > -> "!!*" +          | { pw_locked = false; pw_password =
> > Disabled_password } -> "*" in +        g#aug_set (userpath ^
> > "/password") pwfield
> > +      with Not_found -> ()
> > +  ) users;
> > +  g#aug_save ();
> 
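Review bot: The `try ... with Not_found -> ()` in the `List.iter` body covers much more than the `Hashtbl.find passwords user` lookup it is meant for. It also wraps `encrypt password crypto`, `make_random_password ()` and `g#aug_set (userpath ^ "/password") pwfield`, so a `Not_found` escaping from any of those would be swallowed and that user's password silently left unchanged. Consider restricting the handler to the lookup, for example `match (try Some (Hashtbl.find passwords user) with Not_found -> None) with`, and doing the `aug_set` only in the `Some selector` branch. Separately, the loop only visits nodes returned by `g#aug_ls "/files/etc/shadow"`, so an entry in `passwords` for a user with no shadow node is skipped without any message. A warning for unmatched users would make a mistyped user name visible.
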
> So in fact Augeas doesn't model the '!!' (locked) field, it just
> includes it in the /files/etc/shadow/<user>/password?

Yes, the shadow lens (and the passwd one too) doesn't do any particular
handling of the fields, other than just splitting them from the lines
(taking them as integers when they are known to be that way).

-- 
Pino Toscano



