michael@300: #!@l_bash@
michael@300: ##
michael@300: ## pg_passwd -- PostgreSQL Database Password Changing Utility
michael@300: ## Copyright (c) 2007 OpenPKG Foundation e.V.
michael@300: ## Copyright (c) 2007 Ralf S. Engelschall
michael@300: ##
michael@300: ## Permission to use, copy, modify, and distribute this software for
michael@300: ## any purpose with or without fee is hereby granted, provided that
michael@300: ## the above copyright notice and this permission notice appear in all
michael@300: ## copies.
michael@300: ##
michael@300: ## THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
michael@300: ## WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
michael@300: ## MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
michael@300: ## IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
michael@300: ## CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
michael@300: ## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
michael@300: ## LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
michael@300: ## USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
michael@300: ## ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
michael@300: ## OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
michael@300: ## OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
michael@300: ## SUCH DAMAGE.
michael@300: ##
michael@300:
michael@300: # determine system username
michael@300: system_username="`(id -un) 2>/dev/null`"
michael@300: if [ ".$system_username" = . ]; then
michael@300: str="`(id) 2>/dev/null`"
michael@300: if [ ".`echo $str | grep '^uid[ ]*=[ ]*[0-9]*('`" != . ]; then
michael@300: system_username=`echo $str | sed -e 's/^uid[ ]*=[ ]*[0-9]*(//' -e 's/).*$//'`
michael@300: fi
michael@300: if [ ".$system_username" = . ]; then
michael@300: system_username="$LOGNAME"
michael@300: if [ ".$system_username" = . ]; then
michael@300: system_username="$USER"
michael@300: if [ ".$system_username" = . ]; then
michael@300: system_username="`(whoami) 2>/dev/null | awk '{ printf("%s", $1); }'`"
michael@300: if [ ".$system_username" = . ]; then
michael@300: system_username="`(who am i) 2>/dev/null | awk '{ printf("%s", $1); }'`"
michael@300: fi
michael@300: fi
michael@300: fi
michael@300: fi
michael@300: fi
michael@300:
michael@300: # determine database superuser username, password and database
michael@300: superuser_username=""
michael@300: superuser_password=""
michael@300: superuser_database=""
michael@300: superuser_config_file="@l_prefix@/var/postgresql/db/pg_superuser.conf"
michael@300: if [ -r $superuser_config_file ]; then
michael@300: # read information
michael@300: eval `. $superuser_config_file; \
michael@300: echo superuser_database=\"$superuser_database\"; \
michael@300: echo superuser_username=\"$superuser_username\"; \
michael@300: echo superuser_password=\"$superuser_password\"`
michael@300: else
michael@300: # guess information
michael@300: superuser_username="postgresql"
michael@300: superuser_database="template1"
michael@300: fi
michael@300:
michael@300: # determine requested username, database and hostname
michael@300: username="$1"
michael@300: database="$2"
michael@300: hostname="$3"
michael@300: if [ ".$username" = . ]; then
michael@300: if [ ".$system_username" = ".root" -o ".$system_username" = ".@l_rusr@" ]; then
michael@300: username="$superuser_username"
michael@300: else
michael@300: username="$system_username"
michael@300: fi
michael@300: fi
michael@300: if [ ".$database" = . ]; then
michael@300: if [ ".$username" = ".$superuser_username" ]; then
michael@300: database="$superuser_database"
michael@300: else
michael@300: database="$username"
michael@300: fi
michael@300: fi
michael@300: if [ ".$hostname" = . ]; then
michael@300: hostname="localhost"
michael@300: fi
michael@300:
michael@300: # make sure that the PostgreSQL super-user password
michael@300: # can be kept in sync with the external storage
michael@300: if [ ".$username" = ".$superuser_username" -a \
michael@300: ".$database" = ".$superuser_database" ]; then
michael@300: if [ ".$system_username" != ".root" -a ".$system_username" != ".@l_rusr@" ]; then
michael@300: echo "$0:ERROR: super-user account password can be changed by \"root\" and \"@l_rusr@\" only" 2>&1
michael@300: exit 1
michael@300: fi
michael@300: if [ -h $superuser_config_file ]; then
michael@300: echo "$0:ERROR: superuser config \"$superuser_config_file\": invalid (symbolic link)" 2>&1
michael@300: exit 1
michael@300: fi
michael@300: if [ ! -f $superuser_config_file ]; then
michael@300: echo "$0:WARNING: superuser config \"$superuser_config_file\": not existing" 2>&1
michael@300: exit 1
michael@300: elif [ ! -w $superuser_password_file ]; then
michael@300: echo "$0:ERROR: superuser config \"$superuser_config_file\": permission denied (not writeable)" 2>&1
michael@300: exit 1
michael@300: fi
michael@300: fi
michael@300:
michael@300: # request old and new password
michael@300: password_old=""
michael@300: password_new=""
michael@300: password_new_verify=""
michael@300: if [ ".$username" = ".$superuser_username" -a \
michael@300: ".$database" = ".$superuser_database" ]; then
michael@300: password_old="$superuser_password"
michael@300: fi
michael@300: while [ ".$password_old" = . ]; do
michael@300: read -s -p "$username:$database:$hostname OLD password: " password_old
michael@300: echo ""
michael@300: done
michael@300: while [ ".$password_new" = . ]; do
michael@300: read -s -p "$username:$database:$hostname NEW password: " password_new
michael@300: echo ""
michael@300: done
michael@300: while [ ".$password_new_verify" = . ]; do
michael@300: read -s -p "$username:$database:$hostname NEW password (retype to verify): " password_new_verify
michael@300: echo ""
michael@300: done
michael@300: if [ ".$password_new" != ".$password_new_verify" ]; then
michael@300: echo "$0:ERROR: mismatch on NEW password" 1>&2
michael@300: exit 1
michael@300: fi
michael@300:
michael@300: # change the password
michael@300: echo "ALTER ROLE $username WITH PASSWORD '$password_new'" | \
michael@300: PGPASSWORD="$password_old" @l_prefix@/bin/psql \
michael@300: -q -U $username -d $database -h $hostname -f- || exit $?
michael@300:
michael@300: # update superuser configuration
michael@300: if [ ".$username" = ".$superuser_username" -a \
michael@300: ".$database" = ".$superuser_database" ]; then
michael@300: ( umask 077
michael@300: sed -e "s;.*\(superuser_password=\"\).*\(\"\).*;\1$password_new\2;" \
michael@300: <$superuser_config_file >$superuser_config_file.new || exit $?
michael@300: cp $superuser_config_file.new $superuser_config_file || exit $?
michael@300: rm -f $superuser_config_file.new || exit $?
michael@300: exit 0
michael@300: ) || {
michael@300: echo "$0:ERROR: \"$superuser_config_file\": failed to update content" 1>&2
michael@300: rm -f $superuser_config_file.new || true
michael@300: exit $?
michael@300: }
michael@300: ( superuser_database_old="$superuser_database"
michael@300: superuser_username_old="$superuser_username"
michael@300: superuser_password_old="$superuser_password"
michael@300: . $superuser_config_file
michael@300: [ ".$superuser_database" != ".$superuser_database_old" ] && exit 1
michael@300: [ ".$superuser_username" != ".$superuser_username_old" ] && exit 1
michael@300: [ ".$superuser_password" = ".$superuser_password_old" ] && exit 1
michael@300: [ ".$superuser_password" != ".$password_new" ] && exit 1
michael@300: exit 0
michael@300: ) || {
michael@300: echo "$0:ERROR: \"$superuser_config_file\": unexpected updated content" 1>&2
michael@300: exit $?
michael@300: }
michael@300: ( if [ ".$system_username" = ".root" ]; then
michael@300: chown @l_rusr@:@l_rgrp@ $superuser_config_file || exit $?
michael@300: fi
michael@300: chmod 600 $superuser_config_file || exit $?
michael@300: exit 0
michael@300: ) || {
michael@300: echo "$0:ERROR: \"$superuser_config_file\": failed to fixate attributes" 1>&2
michael@300: exit $?
michael@300: }
michael@300: fi
michael@300: