Initial import

Author: aqw

AUTHORS

@@ -0,0 +1,2 @@
+The primary author of pwfilter is Alex Waite <[email protected]>. See the
+commit log for additional author information.

LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2015, Alex Waite
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors
+   may be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

PORTABILITY

@@ -0,0 +1,56 @@
+pwfilter is written assuming a POSIX compliant Bourne shell with additional
+support for the keyword `local` for variable scoping. It also requires the
+POSIX utility `cat` and the non-POSIX /dev/stdin device file. Nearly all *nixes
+should have at least one shell that can run pwfilter.
+
+== Shells Known To Work
+- sh (some modern variants. e.g. FreeBSD's sh)
+- ash (including busybox's)
+- bash
+- dash
+- ksh88
+- lksh
+- mksh
+- pdksh
+- posh
+- zsh
+
+== Bourne Shells Known To Not Work
+- sh (the original AT&T sh)
+  - does not have support for the `local` keyword
+- ksh93
+  - does not have support for the `local` keyword. It /does/ support `typeset`,
+    but typeset does not scope variables locally unless functions are written as
+    "function foo { }" rather than "foo() { }". The former syntax is non-POSIX
+    and causes dash (and I assume other shells too) to choke. Thus, adjusting
+    the function declaration and a simple "alias local=typeset" will not work.
+
+== Shells Which Will Never Be Supported
+This should go without saying, but given that pwfilter is written using Bourne
+shell syntax, it will never be able to run in non-Bourne shells. This includes
+the C shell family (csh, tcsh) and any "exotic" shells like fish.
+
+== Operating System Notes
+Not sure which shell to use? Chances are good on a modern system that the
+default (/bin/sh) will point to a sane and compatible shell.
+
+  *BSD and Linux
+    - the default /bin/sh nearly always works
+    - dash is quite fast; if you have a choice, use it
+    - otherwise, there are many others available via the package manager
+  Solaris 10:
+    - /bin/ksh (which is ksh88) and /bin/bash will work
+  Solaris 11:
+    - /bin/bash (or ksh88 if installed, though it isn't available by default)
+  Other SunOS (Illumos, OmniOS, etc)
+    - /bin/bash or many others available via the package manager
+  OS X
+    - /bin/sh points to bash
+  HP-UX:
+    - does not provide /dev/stdin. Either create a named-pipe at that location
+      or avoid piping input into pwfilter.
+
+== Man Page
+pwfilter's man page is written using mdoc (which is largely based off of roff).
+Most modern unices, with the exception of Solaris, have support to correctly
+display mdoc man pages.

grpfilter

@@ -0,0 +1 @@
+pwfilter

pwfilter

@@ -0,0 +1,219 @@
+#!/bin/sh
+#
+# This file is licensed under the BSD-3-Clause license.
+# See the AUTHORS and LICENSE files for more information.
+
+############
+## Variables
+############
+readonly VERSION=0.3
+readonly SCRIPT_NAME=${0##*/}
+
+# Overriding IFS is the only way to handle spaces in the files without resorting
+# to spawning subshells :-/
+readonly NEWLINE='
+'
+readonly ORIG_IFS=$IFS
+IFS=$NEWLINE
+
+INCLUDE_RANGE=''
+INCLUDE=''
+EXCLUDE=''
+EXCLUDE_RANGE=''
+
+readonly GROUP_FILE='/etc/group'
+readonly PASSWD_FILE='/etc/passwd'
+readonly SHADOW_FILE='/etc/shadow'
+FILE_TO_PARSE=''
+FILE_CONTENTS=''
+SHADOW_TO_PARSE=''
+SHADOW_CONTENTS=''
+
+############
+## FUNCTIONS
+############
+
+Help() {
+    cat << EOF
+$SCRIPT_NAME v${VERSION}
+
+Syntax:
+$SCRIPT_NAME [-h] [-V] |
+             [-e ID ...] [-E ID ID] [-f filename [filename]] [-i ID ...]
+             [-I ID ID] ...
+
+OPTIONS:
+  -e, --exclude ID ...           = Exclude these specific ID(s)
+  -E, --exclude-range ID ID      = Exclude this range of IDs
+  -f, --file filename [filename] = File to parse rather than system default.
+                                   shdwfilter requires both passwd and shadow.
+  -h, --help                     = Print this help and exit
+  -i, --include ID ...           = Include these Specific ID(s)
+  -I, --range ID ID              = Include this range of IDs
+  -V, --version                  = Print the version number and exit
+
+EOF
+}
+
+# return 0 if a desired ID, otherwise 1
+#   - individuals always win over ranges
+#   - when in conflict, exclude wins over include
+#   - ranges are inclusive
+DesiredID() {
+    local uid=$1
+    # TODO: check if int?
+
+    # specified IDs
+    local i
+    for i in $EXCLUDE; do # exclude
+        [ $uid -eq $i ] && return 1
+    done
+    for i in $INCLUDE; do # include
+        [ $uid -eq $i ] && return 0
+    done
+
+    # ranges
+    for i in $EXCLUDE_RANGE; do # exclude
+        [ $uid -ge ${i%-*} ] && [ $uid -le ${i#*-} ] && return 1
+    done
+    for i in $INCLUDE_RANGE; do # include
+        [ $uid -ge ${i%-*} ] && [ $uid -le ${i#*-} ] && return 0
+    done
+
+    # if nothing matches, reject
+    return 1
+}
+
+# print message to stderr and exit 1
+Fatal() {
+    printf '%s\n' "$*" >&2
+    exit 1
+}
+
+# return 0 if argument is an integer; 1 if not
+IsInt() {
+    [ -z "${1##*[!0-9]*}" ] && return 1 || return 0
+}
+
+#######
+## MAIN
+#######
+
+# functionality changes depending on how the script is called (typically via symlinks)
+case "$SCRIPT_NAME" in
+    grpfilter*)
+        FILE_TO_PARSE=$GROUP_FILE
+        ;;
+    pwfilter*)
+        FILE_TO_PARSE=$PASSWD_FILE
+        ;;
+    shdwfilter*)
+        FILE_TO_PARSE=$PASSWD_FILE
+        SHADOW_TO_PARSE=$SHADOW_FILE
+        ;;
+    *)
+        Fatal "'$SCRIPT_NAME' is an unsupported script name for the pwfilter suite."
+        ;;
+esac
+
+# help out if there are no arguments
+[ -n "$1" ] || { Help; exit 1; }
+
+# parse options and arguments
+while [ -n "$1" ]; do
+    case "$1" in
+        '-h'|'--help'|'')
+            Help
+            exit 0
+            ;;
+        '-V'|'--version')
+            printf '%s v%s\n' "$SCRIPT_NAME" "$VERSION"
+            exit 0
+            ;;
+        '-I'|'--range'|'-E'|'--exclude-range')
+            [ -n "$2" ] && [ -n "$3" ] || Fatal "'$1' requires two arguments."
+            IsInt "$2" && IsInt "$3" || Fatal "Both '$2' and '$3' must be integers."
+            [ $2 -le $3 ] || Fatal "'$2' must be <= '$3'."
+
+            if [ "$1" = '--range' ] || [ "$1" = '-I' ] ; then # include range
+                INCLUDE_RANGE="${INCLUDE_RANGE:+${INCLUDE_RANGE}${NEWLINE}}${2}-${3}"
+            else # exclude range
+                EXCLUDE_RANGE="${EXCLUDE_RANGE:+${EXCLUDE_RANGE}${NEWLINE}}${2}-${3}"
+            fi
+            shift 2
+            ;;
+        '-i'|'--include'|[!-]*) # specific IDs to include
+            while IsInt "$1"; do
+                INCLUDE="${INCLUDE:+${INCLUDE}${NEWLINE}}$1"
+                shift 1
+            done
+            ;;
+        '-e'|'--exclude') # specific IDs to exclude
+            [ -n "$2" ] || Fatal "'$1' requires an argument."
+            while IsInt "$2"; do
+                EXCLUDE="${EXCLUDE:+${EXCLUDE}${NEWLINE}}$2"
+                shift 1
+            done
+            ;;
+        '-f'|'--file') # file to parse
+            [ -n "$2" ] || Fatal "'$1' requires an argument."
+            FILE_TO_PARSE=$2 && shift 1
+
+            # shdwfilter needs both passwd and shadow files
+            if [ -z "${SCRIPT_NAME##shdwfilter*}" ]; then
+                [ -n "$2" ] || Fatal "'$1' requires both passwd and shadow files."
+                SHADOW_TO_PARSE=$2 && shift 1
+            fi
+            ;;
+        -*)
+            Fatal "'$1' is not a valid '$SCRIPT_NAME' option.";;
+    esac
+    [ -n "$1" ] && shift 1 # only shift if there's anything left to shift
+done
+
+#
+# populate *_CONTENTS, either from piped input or file(s)
+#
+# TODO: if -f was set, no piped input should be parsed
+if [ -p /dev/stdin ]; then # piped input
+    [ -z "${SCRIPT_NAME##shdwfilter*}" ] && Fatal "'shdwfilter' cannot handle piped input."
+    while read P_LINE; do
+        FILE_CONTENTS="${FILE_CONTENTS:+${FILE_CONTENTS}${NEWLINE}}${P_LINE}"
+    done
+else # read in the appropriate file(s)
+    [ -r "$FILE_TO_PARSE" ] || Fatal "'$FILE_TO_PARSE' is not readable!"
+    FILE_CONTENTS=`cat "$FILE_TO_PARSE"` || Fatal "Failed to 'cat' file: '$FILE_TO_PARSE'"
+
+    if [ -z "${SCRIPT_NAME##shdwfilter*}" ]; then
+        [ -r "$SHADOW_TO_PARSE" ] || Fatal "'$SHADOW_TO_PARSE' is not readable!"
+        SHADOW_CONTENTS=`cat "$SHADOW_TO_PARSE"` || Fatal "Failed to 'cat' shadow file: '$SHADOW_TO_PARSE'"
+    fi
+fi
+
+#
+# loop over and parse *_CONTENTS;
+# print desirable IDs
+#
+for F_LINE in $FILE_CONTENTS; do
+    # get the third item (UID/GID) in the line
+    first_three=${F_LINE#*:*:}
+    the_id=${first_three%%:*}
+
+    IsInt "$the_id" || Fatal "'$the_id' is not a valid id number."
+    DesiredID "$the_id" || continue
+
+    if [ -z "${SCRIPT_NAME##shdwfilter*}" ]; then
+        user_name=${F_LINE%%:*} # first item (user name) in the passwd line
+        for S_LINE in $SHADOW_CONTENTS; do
+            [ "$user_name" = ${S_LINE%%:*} ] && printf '%s\n' "$S_LINE" && break
+            # believe it or not, the above is actually ~1.4x faster than:
+            # [ -z "${S_LINE##${user_name}:*}" ]
+        done
+        # TODO: If no match, error?
+    else # password- or group-filter
+        printf '%s\n' "$F_LINE"
+    fi
+done
+
+# restore original IFS
+IFS=$ORIG_IFS