You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

173 lines
6.4 KiB

#!@l_bash@
##
## pg_passwd -- PostgreSQL Database Password Changing Utility
## Copyright (c) 2007-2018 Ralf S. Engelschall <http://engelschall.com/>
##
## Permission to use, copy, modify, and distribute this software for
## any purpose with or without fee is hereby granted, provided that
## the above copyright notice and this permission notice appear in all
## copies.
##
## THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
## WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
## MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
## IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
## CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
## LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
## USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
## ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
## OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
## OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
# determine system username
system_username="`(id -un) 2>/dev/null`"
if [ ".$system_username" = . ]; then
str="`(id) 2>/dev/null`"
if [ ".`echo $str | grep '^uid[ ]*=[ ]*[0-9]*('`" != . ]; then
system_username=`echo $str | sed -e 's/^uid[ ]*=[ ]*[0-9]*(//' -e 's/).*$//'`
fi
if [ ".$system_username" = . ]; then
system_username="$LOGNAME"
if [ ".$system_username" = . ]; then
system_username="$USER"
if [ ".$system_username" = . ]; then
system_username="`(whoami) 2>/dev/null | awk '{ printf("%s", $1); }'`"
if [ ".$system_username" = . ]; then
system_username="`(who am i) 2>/dev/null | awk '{ printf("%s", $1); }'`"
fi
fi
fi
fi
fi
# determine database superuser username, password and database
superuser_username=""
superuser_password=""
superuser_database=""
superuser_config_file="@l_prefix@/var/postgresql/db/pg_superuser.conf"
if [ -r $superuser_config_file ]; then
# read information
eval `. $superuser_config_file; \
echo superuser_database=\"$superuser_database\"; \
echo superuser_username=\"$superuser_username\"; \
echo superuser_password=\"$superuser_password\"`
else
# guess information
superuser_username="postgresql"
superuser_database="template1"
fi
# determine requested username, database and hostname
username="$1"
database="$2"
hostname="$3"
if [ ".$username" = . ]; then
if [ ".$system_username" = ".root" -o ".$system_username" = ".@l_rusr@" ]; then
username="$superuser_username"
else
username="$system_username"
fi
fi
if [ ".$database" = . ]; then
if [ ".$username" = ".$superuser_username" ]; then
database="$superuser_database"
else
database="$username"
fi
fi
if [ ".$hostname" = . ]; then
hostname="localhost"
fi
# make sure that the PostgreSQL super-user password
# can be kept in sync with the external storage
if [ ".$username" = ".$superuser_username" -a \
".$database" = ".$superuser_database" ]; then
if [ ".$system_username" != ".root" -a ".$system_username" != ".@l_rusr@" ]; then
echo "$0:ERROR: super-user account password can be changed by \"root\" and \"@l_rusr@\" only" 2>&1
exit 1
fi
if [ -h $superuser_config_file ]; then
echo "$0:ERROR: superuser config \"$superuser_config_file\": invalid (symbolic link)" 2>&1
exit 1
fi
if [ ! -f $superuser_config_file ]; then
echo "$0:WARNING: superuser config \"$superuser_config_file\": not existing" 2>&1
exit 1
elif [ ! -w $superuser_password_file ]; then
echo "$0:ERROR: superuser config \"$superuser_config_file\": permission denied (not writeable)" 2>&1
exit 1
fi
fi
# request old and new password
password_old=""
password_new=""
password_new_verify=""
if [ ".$username" = ".$superuser_username" -a \
".$database" = ".$superuser_database" ]; then
password_old="$superuser_password"
fi
while [ ".$password_old" = . ]; do
read -s -p "$username:$database:$hostname OLD password: " password_old
echo ""
done
while [ ".$password_new" = . ]; do
read -s -p "$username:$database:$hostname NEW password: " password_new
echo ""
done
while [ ".$password_new_verify" = . ]; do
read -s -p "$username:$database:$hostname NEW password (retype to verify): " password_new_verify
echo ""
done
if [ ".$password_new" != ".$password_new_verify" ]; then
echo "$0:ERROR: mismatch on NEW password" 1>&2
exit 1
fi
# change the password
echo "ALTER ROLE $username WITH PASSWORD '$password_new'" | \
PGPASSWORD="$password_old" @l_prefix@/bin/psql \
-q -U $username -d $database -h $hostname -f- || exit $?
# update superuser configuration
if [ ".$username" = ".$superuser_username" -a \
".$database" = ".$superuser_database" ]; then
( umask 077
sed -e "s;.*\(superuser_password=\"\).*\(\"\).*;\1$password_new\2;" \
<$superuser_config_file >$superuser_config_file.new || exit $?
cp $superuser_config_file.new $superuser_config_file || exit $?
rm -f $superuser_config_file.new || exit $?
exit 0
) || {
echo "$0:ERROR: \"$superuser_config_file\": failed to update content" 1>&2
rm -f $superuser_config_file.new || true
exit $?
}
( superuser_database_old="$superuser_database"
superuser_username_old="$superuser_username"
superuser_password_old="$superuser_password"
. $superuser_config_file
[ ".$superuser_database" != ".$superuser_database_old" ] && exit 1
[ ".$superuser_username" != ".$superuser_username_old" ] && exit 1
[ ".$superuser_password" = ".$superuser_password_old" ] && exit 1
[ ".$superuser_password" != ".$password_new" ] && exit 1
exit 0
) || {
echo "$0:ERROR: \"$superuser_config_file\": unexpected updated content" 1>&2
exit $?
}
( if [ ".$system_username" = ".root" ]; then
chown @l_rusr@:@l_rgrp@ $superuser_config_file || exit $?
fi
chmod 600 $superuser_config_file || exit $?
exit 0
) || {
echo "$0:ERROR: \"$superuser_config_file\": failed to fixate attributes" 1>&2
exit $?
}
fi