michael@300: #!@l_bash@ michael@300: ## michael@300: ## pg_passwd -- PostgreSQL Database Password Changing Utility michael@300: ## Copyright (c) 2007 OpenPKG Foundation e.V. michael@300: ## Copyright (c) 2007 Ralf S. Engelschall michael@300: ## michael@300: ## Permission to use, copy, modify, and distribute this software for michael@300: ## any purpose with or without fee is hereby granted, provided that michael@300: ## the above copyright notice and this permission notice appear in all michael@300: ## copies. michael@300: ## michael@300: ## THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED michael@300: ## WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF michael@300: ## MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. michael@300: ## IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR michael@300: ## CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, michael@300: ## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT michael@300: ## LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF michael@300: ## USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND michael@300: ## ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, michael@300: ## OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT michael@300: ## OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF michael@300: ## SUCH DAMAGE. michael@300: ## michael@300: michael@300: # determine system username michael@300: system_username="`(id -un) 2>/dev/null`" michael@300: if [ ".$system_username" = . ]; then michael@300: str="`(id) 2>/dev/null`" michael@300: if [ ".`echo $str | grep '^uid[ ]*=[ ]*[0-9]*('`" != . ]; then michael@300: system_username=`echo $str | sed -e 's/^uid[ ]*=[ ]*[0-9]*(//' -e 's/).*$//'` michael@300: fi michael@300: if [ ".$system_username" = . ]; then michael@300: system_username="$LOGNAME" michael@300: if [ ".$system_username" = . ]; then michael@300: system_username="$USER" michael@300: if [ ".$system_username" = . ]; then michael@300: system_username="`(whoami) 2>/dev/null | awk '{ printf("%s", $1); }'`" michael@300: if [ ".$system_username" = . ]; then michael@300: system_username="`(who am i) 2>/dev/null | awk '{ printf("%s", $1); }'`" michael@300: fi michael@300: fi michael@300: fi michael@300: fi michael@300: fi michael@300: michael@300: # determine database superuser username, password and database michael@300: superuser_username="" michael@300: superuser_password="" michael@300: superuser_database="" michael@300: superuser_config_file="@l_prefix@/var/postgresql/db/pg_superuser.conf" michael@300: if [ -r $superuser_config_file ]; then michael@300: # read information michael@300: eval `. $superuser_config_file; \ michael@300: echo superuser_database=\"$superuser_database\"; \ michael@300: echo superuser_username=\"$superuser_username\"; \ michael@300: echo superuser_password=\"$superuser_password\"` michael@300: else michael@300: # guess information michael@300: superuser_username="postgresql" michael@300: superuser_database="template1" michael@300: fi michael@300: michael@300: # determine requested username, database and hostname michael@300: username="$1" michael@300: database="$2" michael@300: hostname="$3" michael@300: if [ ".$username" = . ]; then michael@300: if [ ".$system_username" = ".root" -o ".$system_username" = ".@l_rusr@" ]; then michael@300: username="$superuser_username" michael@300: else michael@300: username="$system_username" michael@300: fi michael@300: fi michael@300: if [ ".$database" = . ]; then michael@300: if [ ".$username" = ".$superuser_username" ]; then michael@300: database="$superuser_database" michael@300: else michael@300: database="$username" michael@300: fi michael@300: fi michael@300: if [ ".$hostname" = . ]; then michael@300: hostname="localhost" michael@300: fi michael@300: michael@300: # make sure that the PostgreSQL super-user password michael@300: # can be kept in sync with the external storage michael@300: if [ ".$username" = ".$superuser_username" -a \ michael@300: ".$database" = ".$superuser_database" ]; then michael@300: if [ ".$system_username" != ".root" -a ".$system_username" != ".@l_rusr@" ]; then michael@300: echo "$0:ERROR: super-user account password can be changed by \"root\" and \"@l_rusr@\" only" 2>&1 michael@300: exit 1 michael@300: fi michael@300: if [ -h $superuser_config_file ]; then michael@300: echo "$0:ERROR: superuser config \"$superuser_config_file\": invalid (symbolic link)" 2>&1 michael@300: exit 1 michael@300: fi michael@300: if [ ! -f $superuser_config_file ]; then michael@300: echo "$0:WARNING: superuser config \"$superuser_config_file\": not existing" 2>&1 michael@300: exit 1 michael@300: elif [ ! -w $superuser_password_file ]; then michael@300: echo "$0:ERROR: superuser config \"$superuser_config_file\": permission denied (not writeable)" 2>&1 michael@300: exit 1 michael@300: fi michael@300: fi michael@300: michael@300: # request old and new password michael@300: password_old="" michael@300: password_new="" michael@300: password_new_verify="" michael@300: if [ ".$username" = ".$superuser_username" -a \ michael@300: ".$database" = ".$superuser_database" ]; then michael@300: password_old="$superuser_password" michael@300: fi michael@300: while [ ".$password_old" = . ]; do michael@300: read -s -p "$username:$database:$hostname OLD password: " password_old michael@300: echo "" michael@300: done michael@300: while [ ".$password_new" = . ]; do michael@300: read -s -p "$username:$database:$hostname NEW password: " password_new michael@300: echo "" michael@300: done michael@300: while [ ".$password_new_verify" = . ]; do michael@300: read -s -p "$username:$database:$hostname NEW password (retype to verify): " password_new_verify michael@300: echo "" michael@300: done michael@300: if [ ".$password_new" != ".$password_new_verify" ]; then michael@300: echo "$0:ERROR: mismatch on NEW password" 1>&2 michael@300: exit 1 michael@300: fi michael@300: michael@300: # change the password michael@300: echo "ALTER ROLE $username WITH PASSWORD '$password_new'" | \ michael@300: PGPASSWORD="$password_old" @l_prefix@/bin/psql \ michael@300: -q -U $username -d $database -h $hostname -f- || exit $? michael@300: michael@300: # update superuser configuration michael@300: if [ ".$username" = ".$superuser_username" -a \ michael@300: ".$database" = ".$superuser_database" ]; then michael@300: ( umask 077 michael@300: sed -e "s;.*\(superuser_password=\"\).*\(\"\).*;\1$password_new\2;" \ michael@300: <$superuser_config_file >$superuser_config_file.new || exit $? michael@300: cp $superuser_config_file.new $superuser_config_file || exit $? michael@300: rm -f $superuser_config_file.new || exit $? michael@300: exit 0 michael@300: ) || { michael@300: echo "$0:ERROR: \"$superuser_config_file\": failed to update content" 1>&2 michael@300: rm -f $superuser_config_file.new || true michael@300: exit $? michael@300: } michael@300: ( superuser_database_old="$superuser_database" michael@300: superuser_username_old="$superuser_username" michael@300: superuser_password_old="$superuser_password" michael@300: . $superuser_config_file michael@300: [ ".$superuser_database" != ".$superuser_database_old" ] && exit 1 michael@300: [ ".$superuser_username" != ".$superuser_username_old" ] && exit 1 michael@300: [ ".$superuser_password" = ".$superuser_password_old" ] && exit 1 michael@300: [ ".$superuser_password" != ".$password_new" ] && exit 1 michael@300: exit 0 michael@300: ) || { michael@300: echo "$0:ERROR: \"$superuser_config_file\": unexpected updated content" 1>&2 michael@300: exit $? michael@300: } michael@300: ( if [ ".$system_username" = ".root" ]; then michael@300: chown @l_rusr@:@l_rgrp@ $superuser_config_file || exit $? michael@300: fi michael@300: chmod 600 $superuser_config_file || exit $? michael@300: exit 0 michael@300: ) || { michael@300: echo "$0:ERROR: \"$superuser_config_file\": failed to fixate attributes" 1>&2 michael@300: exit $? michael@300: } michael@300: fi michael@300: