#!/usr/bin/perl

use strict;

# Scott Harrison
# October 27, 2000

# This script is a setuid script that should
# be run by user 'www'.

# Standard input usage
# First line is USERNAME
# Second line is CURRENT PASSWORD
# Third line is NEW PASSWORD

# Security
$ENV{'PATH'}=""; # Nullify path information.
$ENV{'BASH_ENV'}=""; # Nullify shell environment information.

open (IN, "</etc/passwd");
my @lines=<IN>;
close IN;
my $wwwid;
for my $l (@lines) {
    chop $l;
    my @F=split(/\:/,$l);
    if ($F[0] eq 'www') {$wwwid=$F[2];}
}
if ($wwwid!=$<) {
    print("User ID mismatch.  This program must be run as user 'www'\n");
    exit 0;
}
if (@ARGV) {
    print("Error. This program does not accept command-line arguments.\n");
    exit 0;
}

# Gather input from standard input.  Should only be 3 lines.
my @input=<>;
if (@input!=3) {
    print("Error. Three lines need to be entered into standard input.\n");
    exit 0;
}

# Handle case of another lcpasswd process
unless (&try_to_lock("/tmp/lock_lcpasswd")) {
    print "Error. Too many other simultaneous password change requests being made.\n";
    exit 0;
}

my ($username,$oldpwd,$newpwd)=map {chop; $_} @input;

# Grab the line corresponding to username
my ($userid,$useroldcryptpwd);
my @F; my @U;
for my $l (@lines) {
    @F=split(/\:/,$l);
    if ($F[0] eq $username) {($userid,$useroldcryptpwd)=($F[2],$F[1]); @U=@F;}
}

# Verify existence of user
if (!defined($userid)) {
    print "Error. User $username does not exist.\n";
    exit 0;
}

# Verify password entry
if (crypt($oldpwd,$useroldcryptpwd) ne $useroldcryptpwd) {
    print "Error. Invalid entry of current password.\n";
    exit 0;
}

# Construct new password entry
my $newcryptpwd=crypt($newpwd,$newpwd);
$U[1]=$newcryptpwd;
my $userline=join(":",@U);
print $newcryptpwd;
print $userline;
#my $rootid=&enable_root_capability;
#if ($rootid!=0) {
#    print "Error.  Root was not successfully enabled.\n";
#    exit 0;
#}
# open SAMBAPASSWORDFILE, ">/etc/smbpasswd";
	($<,$>)=($>,$<);
	($(,$))=($),$();
open PASSWORDFILE, "/tmp/passwd2" or die("Cannot open /etc/passwd!");
for my $l (@lines) {
    @F=split(/\:/,$l);
    if ($F[0] eq $username) {print PASSWORDFILE "$userline\n";}
    else {print PASSWORDFILE "$l\n";}
}
close PASSWORDFILE;
# close SAMBAPASSWORDFILE;
&disable_root_capability;
unlink("/tmp/lock_lcpasswd");

sub enable_root_capability {
    if ($wwwid==$<) {
	($<,$>)=($>,$<);
	($(,$))=($),$();
    }
    else {
	# root capability is already enabled
    }
    return $<;
}

sub disable_root_capability {
    if ($wwwid==$>) {
	($<,$>)=($>,$<);
	($(,$))=($),$();
    }
    else {
	# root capability is already disabled
    }
}

sub try_to_lock {
    my ($lockfile)=@_;
    my $currentpid;
    my $lastpid;
    for (0..10) {
	if (-e $lockfile) {
	    open(LOCK,"<$lockfile");
	    $currentpid=<LOCK>;
	    close LOCK;
	    if ($currentpid==$lastpid) {
		last;
	    }
	    sleep 3;
	    $lastpid=$currentpid;
	}
	else {
	    last;
	}
	if ($_==10) {
	    return 0;
	}
    }
    open(LOCK,">$lockfile");
    print LOCK $$;
    close LOCK;
    return 1;
}