authormillert <millert@openbsd.org>2001-08-16 18:22:04 +0000
committermillert <millert@openbsd.org>2001-08-16 18:22:04 +0000
commit2cc7d414781f7fc0d220f265f9c4bdaf175d0b1c (patch)
tree7c025f3cf61470f9fe1a7c5fd277bc3e222064e7 /usr.sbin/pwd_mkdb
parentUse calloc() to allocate response data. Be more careful when freeing (diff)
Add -s flag to only update secure .db file (/etc/spwd.db). Can be
used in conjunction with -u user when only the password has changed.
Diffstat (limited to 'usr.sbin/pwd_mkdb')
-rw-r--r--usr.sbin/pwd_mkdb/pwd_mkdb.814
-rw-r--r--usr.sbin/pwd_mkdb/pwd_mkdb.c67
2 files changed, 52 insertions, 29 deletions
diff --git a/usr.sbin/pwd_mkdb/pwd_mkdb.8 b/usr.sbin/pwd_mkdb/pwd_mkdb.8
index c790c85f97c..9d36183562b 100644
--- a/usr.sbin/pwd_mkdb/pwd_mkdb.8
+++ b/usr.sbin/pwd_mkdb/pwd_mkdb.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pwd_mkdb.8,v 1.13 2001/06/08 04:23:25 aaron Exp $
+.\" $OpenBSD: pwd_mkdb.8,v 1.14 2001/08/16 18:22:04 millert Exp $
.\"
.\" Copyright (c) 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -42,7 +42,7 @@
.Sh SYNOPSIS
.Nm pwd_mkdb
.Op Fl c
-.Op Fl p
+.Op Fl p | Fl s
.Op Fl d Ar directory
.Op Fl u Ar username
.Ar file
@@ -71,6 +71,16 @@ Do not change, add, or remove any files.
.It Fl p
Create a Version 7 style password file and install it into
.Pa /etc/passwd .
+.It Fl s
+Only update the secure version of the database.
+This is most commonly used in conjunction with the
+.Fl u
+flag during a password change.
+Because the insecure database doesn't contain the password there
+is no reason to update it if the only change is in the password field.
+Cannot be used in conjunction with the
+.Fl p
+flag.
.It Fl d Ar directory
Operate in a base directory other than the default of
.Pa /etc .
diff --git a/usr.sbin/pwd_mkdb/pwd_mkdb.c b/usr.sbin/pwd_mkdb/pwd_mkdb.c
index f8b1eb27519..fe0b85921d7 100644
--- a/usr.sbin/pwd_mkdb/pwd_mkdb.c
+++ b/usr.sbin/pwd_mkdb/pwd_mkdb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pwd_mkdb.c,v 1.24 2001/06/07 16:21:49 millert Exp $ */
+/* $OpenBSD: pwd_mkdb.c,v 1.25 2001/08/16 18:22:04 millert Exp $ */
/*-
* Copyright (c) 1991, 1993, 1994
@@ -45,7 +45,7 @@ static char copyright[] =
#if 0
static char sccsid[] = "from: @(#)pwd_mkdb.c 8.5 (Berkeley) 4/20/94";
#else
-static char *rcsid = "$OpenBSD: pwd_mkdb.c,v 1.24 2001/06/07 16:21:49 millert Exp $";
+static char *rcsid = "$OpenBSD: pwd_mkdb.c,v 1.25 2001/08/16 18:22:04 millert Exp $";
#endif
#endif /* not lint */
@@ -110,12 +110,12 @@ main(argc, argv)
struct passwd pwd;
sigset_t set;
uid_t olduid;
- int ch, tfd, makeold, flags = 0, checkonly = 0;
+ int ch, tfd, makeold, secureonly, flags, checkonly;
char *username, buf[MAX(MAXPATHLEN, LINE_MAX * 2)];
- makeold = 0;
+ flags = checkonly = makeold = secureonly = 0;
username = NULL;
- while ((ch = getopt(argc, argv, "cd:pu:v")) != -1)
+ while ((ch = getopt(argc, argv, "cd:psu:v")) != -1)
switch(ch) {
case 'c': /* verify only */
checkonly = 1;
@@ -128,6 +128,9 @@ main(argc, argv)
case 'p': /* create V7 "file.orig" */
makeold = 1;
break;
+ case 's': /* only update spwd.db */
+ secureonly = 1;
+ break;
case 'u': /* only update this record */
username = optarg;
break;
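Review bot: Nothing in the new `-s` path checks that the password is the only field that changed, so the comment on `case 's'` should say that this is the caller's guarantee, for example `case 's': /* only update spwd.db; caller must ensure only pw_passwd changed */`. In the db_store hunk at -539 the key built from `olduid` is deleted only from `edp` when `dp` is NULL, and the hunk at -589 skips the insecure record entirely, so a `-s -u` run after a uid, shell or home-directory change would apparently leave pwd.db with the old values while spwd.db has the new ones. Which database a given lookup consults is not visible here, so the impact is inferred, but two databases that disagree about an account's uid are worth ruling out explicitly. The switch and the rest of main() continue outside this hunk.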
@@ -140,7 +143,8 @@ main(argc, argv)
argc -= optind;
argv += optind;
- if (argc != 1 || (username && (*username == '+' || *username == '-')))
+ if (argc != 1 || (makeold && secureonly) ||
+ (username && (*username == '+' || *username == '-')))
usage();
/*
@@ -221,19 +225,22 @@ main(argc, argv)
clean |= FILE_SECURE;
/* Open the temporary insecure password database. */
- (void)snprintf(buf, sizeof(buf), "%s.tmp",
- changedir(_PATH_MP_DB, basedir));
- if (username) {
- cp(changedir(_PATH_MP_DB, basedir), buf, PERM_INSECURE);
- dp = dbopen(buf,
- O_RDWR, PERM_INSECURE, DB_HASH, &openinfo);
- } else {
- dp = dbopen(buf,
- O_RDWR|O_CREAT|O_EXCL, PERM_INSECURE, DB_HASH, &openinfo);
- }
- if (dp == NULL)
- error(buf);
- clean |= FILE_INSECURE;
+ if (!secureonly) {
+ (void)snprintf(buf, sizeof(buf), "%s.tmp",
+ changedir(_PATH_MP_DB, basedir));
+ if (username) {
+ cp(changedir(_PATH_MP_DB, basedir), buf, PERM_INSECURE);
+ dp = dbopen(buf, O_RDWR, PERM_INSECURE, DB_HASH,
+ &openinfo);
+ } else {
+ dp = dbopen(buf, O_RDWR|O_CREAT|O_EXCL, PERM_INSECURE,
+ DB_HASH, &openinfo);
+ }
+ if (dp == NULL)
+ error(buf);
+ clean |= FILE_INSECURE;
+ } else
+ dp = NULL;
/*
* Open file for old password file. Minor trickiness -- don't want to
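Review bot: The `} else` that closes the new block is left unbraced after a braced `if`, and `dp` gets its NULL only on that path; writing `dp = NULL;` before `if (!secureonly) {` and dropping the `else` would read more clearly and would make the later `if (dp && ...)` guards obviously safe. The comment `/* Open the temporary insecure password database. */` now sits above code that may not run, so it could become `/* Open the temporary insecure password database (skipped with -s). */`. The declaration of `dp` is outside this hunk, so whether it already has an initializer is not visible.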
@@ -287,16 +294,16 @@ main(argc, argv)
if ((edp->put)(edp, &key, &data, R_NOOVERWRITE) == -1)
error("put");
- if ((dp->put)(dp, &key, &data, R_NOOVERWRITE) == -1)
+
+ if (dp && (dp->put)(dp, &key, &data, R_NOOVERWRITE) == -1)
error("put");
}
if ((edp->close)(edp))
error("close edp");
- if ((dp->close)(dp))
+ if (dp && (dp->close)(dp))
error("close dp");
if (makeold) {
- (void)fflush(oldfp);
if (fclose(oldfp) == EOF)
error("close old");
}
@@ -307,9 +314,11 @@ main(argc, argv)
error("fclose");
/* Install as the real password files. */
- (void)snprintf(buf, sizeof(buf), "%s.tmp",
- changedir(_PATH_MP_DB, basedir));
- mv(buf, changedir(_PATH_MP_DB, basedir));
+ if (!secureonly) {
+ (void)snprintf(buf, sizeof(buf), "%s.tmp",
+ changedir(_PATH_MP_DB, basedir));
+ mv(buf, changedir(_PATH_MP_DB, basedir));
+ }
(void)snprintf(buf, sizeof(buf), "%s.tmp",
changedir(_PATH_SMP_DB, basedir));
mv(buf, changedir(_PATH_SMP_DB, basedir));
@@ -454,7 +463,7 @@ usage()
{
(void)fprintf(stderr,
- "usage: pwd_mkdb [-cp] [-d basedir] [-u username] file\n");
+ "usage: pwd_mkdb [-c] [-p | -s] [-d basedir] [-u username] file\n");
exit(1);
}
@@ -539,7 +548,8 @@ db_store(fp, oldfp, edp, dp, pw, keytype, username, olduid)
memcpy(tbuf + 1, &olduid, sizeof(olduid));
key.size = sizeof(olduid) + 1;
(edp->del)(edp, &key, 0);
- (dp->del)(dp, &key, 0);
+ if (dp)
+ (dp->del)(dp, &key, 0);
}
/* XXX - should check to see if line number changed. */
}
@@ -589,6 +599,9 @@ db_store(fp, oldfp, edp, dp, pw, keytype, username, olduid)
if ((edp->put)(edp, &key, &data, dbmode) == -1)
error("put");
+ if (dp == NULL)
+ continue;
+
/* Star out password to make insecure record. */
p = buf + strlen(pw->pw_name) + 1; /* skip pw_name */
len = strlen(pw->pw_passwd);