Editing the password file for BSD 4.3 system managers

The following explains how to change entries in the password file and how to administer passwords on AIX® in a BSD 4.3 manner.

In AIX, the lsuser, mkuser, chuser, and rmuser commands are provided for managing users and passwords. All of these commands can also be run through SMIT. However, each of these commands handles only one user at a time.

For more information about these commands, see lsuser, mkuser, chuser, and rmuser.

Note: Using an editor to change several user name entries at one time requires editing of several files simultaneously, because passwords are stored in the /etc/security/passwd file, authorization information is stored in the /etc/security/user file, and the remaining user data is stored in the /etc/passwd file.

AIX does not support the vipw command but does support the mkpasswd command. However, you can still administer passwords in AIX in a BSD 4.3 manner. Use the following procedure:

  1. Put a BSD 4.3 password file in the /etc/shadow file.
  2. Change the permissions of the file by entering:
    chmod 000 /etc/shadow
  3. Place the following vipw shell script in the /etc directory:
    -----------------------------------------------------
    #!/bin/bsh
    #
    # vipw. Uses pwdck for now. May use usrck someday
    #
    PATH=/bin:/usr/bin:/etc:/usr/ucb # Add to this if your editor is
                                     # some place else
    if [ -f /etc/ptmp ] ; then
            echo "/etc/ptmp exists. Is someone else using vipw?"
            exit 1
    fi
    # Fall back to vi unless $EDITOR resolves to an existing program
    if [ ! -f /`which "$EDITOR" | awk '{ print $1 }'` ] ; then
            EDITOR=vi
    fi
    cp /etc/shadow /etc/ptmp
    if (cmp /etc/shadow /etc/ptmp) ; then
            $EDITOR /etc/ptmp
    else
            echo cannot copy shadow to ptmp
            exit 1
    fi
    # Install the edited file only if it still contains an entry for root
    if (egrep "^root:" /etc/ptmp >/dev/null) ; then
            cp /etc/ptmp /etc/shadow ; cp /etc/ptmp /etc/passwd
            chmod 000 /etc/passwd /etc/shadow
            pwdck -y ALL >/dev/null 2>&1 # return code 114 may change
            rc=$?
            if [ $rc -eq 114 ]; then
                    chmod 644 /etc/passwd
                    rm -f /etc/passwd.dir /etc/passwd.pag
                    mkpasswd /etc/passwd
                    # update /etc/security/limits, or ftp
                    # will fail
            else
                    pwdck -y ALL
            fi
    else
            echo bad entry for root in ptmp
    fi
    rm /etc/ptmp
    -----------------------------------------------------------
  4. If you use the vipw shell script or the mkpasswd command, be aware that SMIT, and the mkuser, chuser, and rmuser commands do not use the mkpasswd command. You must run:
    mkpasswd /etc/passwd
    to update the /etc/passwd.dir and /etc/passwd.pag files.
    Attention: Initialization of the IFS variable and the trap statements guard against some of the common methods used to exploit security holes inherent in the setuid feature. However, the vipw and passwd shell scripts are intended for relatively open environments where compatibility is an important consideration. If you want a more secure environment, use only the standard commands for AIX.
  5. Put the following passwd shell script in the /usr/ucb directory:
    -----------------------------------------------------
    #!/bin/ksh
    #
    # matches changes to /etc/security/passwd file with changes to
    # /etc/shadow
    #
    IFS=" "
    PATH=/bin
    trap "exit 2" 1 2 3 4 5 6 7 8 10 12 13 14 15 16 17 18 21 22 \
            23 24 25 27 28 29 30 31 32 33 34 35 36 60 61 62
    if [ -n "$1" ]; then
            USERNAME=$1
    else
            USERNAME=$LOGNAME
    fi
    if [ -f /etc/ptmp ]; then
            echo password file busy
            exit 1
    fi
    # From here on, a signal must remove the lock file before exiting
    trap "rm /etc/ptmp; exit 3" 1 2 3 4 5 6 7 8 10 12 13 \
            14 15 16 17 18 21 22 23 24 25 27 28 29 30 31 \
            32 33 34 35 36 60 61 62
    if (cp /etc/security/passwd /etc/ptmp) ; then
            chmod 000 /etc/ptmp
    else
            rm -f /etc/ptmp
            exit 1
    fi
    # Let the system passwd command change the password, then read the
    # new hash from the user's stanza in /etc/security/passwd
    if ( /bin/passwd $USERNAME ) ; then
            PW=` awk ' BEGIN { RS = "" }
                    $1 == user { print $4 } ' user="$USERNAME:" \
                    /etc/security/passwd `
    else
            rm -f /etc/ptmp
            exit 1
    fi
    rm -f /etc/ptmp
    # Write the new hash into the second field of the user's /etc/shadow entry
    awk -F: '$1 == user { print $1":"pw":"$3 ":"$4":"$5":"$6":"$7 }
            $1 != user { print $0 }' user="$USERNAME" pw="$PW" \
                    /etc/shadow > /etc/ptmp
    chmod 000 /etc/ptmp
    mv -f /etc/ptmp /etc/shadow
    ---------------------------------------------------------
  6. Change the permissions of the passwd script by entering:
    chmod 4711 /usr/ucb/passwd
  7. Ensure that each user's PATH environment variable specifies that the /usr/ucb directory is searched before the /bin directory.
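The following script is an added example and is not one of the scripts from this procedure. It puts the technique of the passwd script in step 5 (pulling a user's hash out of the stanza-format /etc/security/passwd with awk in paragraph mode and writing it into the second field of a BSD-style colon-separated shadow file) together with the safeguards of the vipw script in step 3 (a lock that stands in for /etc/ptmp, a trap that releases the lock on a signal, a temporary file that is only moved into place after the root entry is confirmed to still be present, and a known IFS, PATH and umask). File paths are passed as parameters so it runs against constructed sample files rather than the real system files; the function names, the .lock directory and the sample contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not one of the page's scripts): step 5's hash sync with
# step 3's lock, trap and root-entry check, parameterized by file path so it
# can be exercised on constructed sample files instead of /etc/shadow and
# /etc/security/passwd. Function names and the .lock directory are assumptions.

unset IFS                       # shell default: split on space, tab, newline
PATH=/bin:/usr/bin; export PATH # do not inherit a caller-controlled PATH
umask 077                       # files created here are unreadable to others

# stanza_hash STANZA_FILE USER
# Print the "password = ..." value from USER's stanza. awk paragraph mode
# (RS = "") makes each blank-line-separated stanza one record, so $1 is the
# "user:" label and $4 the hash, exactly as the page's passwd script reads it.
stanza_hash() {
    awk 'BEGIN { RS = "" } $1 == user { print $4; exit }' user="$2:" "$1"
}

# has_entry FILE USER: succeed when USER owns a line of a colon-separated file.
has_entry() {
    awk -F: -v user="$2" '$1 == user { found = 1 } END { exit !found }' "$1"
}

# line_count FILE: number of lines, without wc's platform-dependent padding.
line_count() {
    awk 'END { print NR }' "$1"
}

# sync_shadow_hash STANZA_FILE SHADOW_FILE USER
# Replace field 2 of USER's SHADOW_FILE line with the hash from STANZA_FILE.
# SHADOW_FILE.lock plays the role of /etc/ptmp; a directory is used because
# mkdir either creates it or fails atomically, so two runs cannot both win.
sync_shadow_hash() {
    stanza=$1 shadow=$2 user=$3
    lock="$shadow.lock"
    if ! mkdir "$lock" 2>/dev/null; then
        echo "password file busy ($lock exists)" >&2
        return 1
    fi
    # From here on, a signal must release the lock before exiting.
    trap 'rmdir "$lock" 2>/dev/null; exit 3' HUP INT QUIT TERM

    hash=$(stanza_hash "$stanza" "$user")
    if [ -z "$hash" ]; then
        echo "no stanza for $user in $stanza" >&2
        rmdir "$lock"; trap - HUP INT QUIT TERM
        return 1
    fi

    # Build the new file inside the lock directory, never edit in place.
    tmp="$lock/shadow.new"
    awk -F: -v user="$user" -v pw="$hash" \
        'BEGIN { OFS = ":" } $1 == user { $2 = pw } { print }' "$shadow" > "$tmp"

    # Refuse to install a result that lost root or changed the line count.
    if has_entry "$tmp" root &&
       [ "$(line_count "$tmp")" -eq "$(line_count "$shadow")" ]; then
        mv -f "$tmp" "$shadow"          # rename is atomic within one filesystem
        rc=0
    else
        echo "refusing to install $tmp: root entry or line count changed" >&2
        rm -f "$tmp"
        rc=1
    fi
    rmdir "$lock"; trap - HUP INT QUIT TERM
    return $rc
}

# make_sample DIR: write constructed sample files in the two formats
# (stanza-style security_passwd, colon-separated BSD-style shadow).
make_sample() {
    cat > "$1/security_passwd" <<'EOF'
root:
        password = {ssha}ROOTHASH
        lastupdate = 1700000000

alice:
        password = {ssha}NEWHASH
        lastupdate = 1700000001
EOF
    cat > "$1/shadow" <<'EOF'
root:{ssha}ROOTHASH:0:0:root:/:/bin/sh
alice:{ssha}OLDHASH:200:200:Alice:/home/alice:/bin/sh
EOF
}

# Stand-alone run on the constructed sample: alice's old hash is replaced.
demo=$(mktemp -d)
make_sample "$demo"
sync_shadow_hash "$demo/security_passwd" "$demo/shadow" alice && cat "$demo/shadow"
rm -rf "$demo"
```

The lock is a directory rather than a plain file because mkdir cannot succeed for two callers at once, which closes the window between the page's `[ -f /etc/ptmp ]` test and its `cp` to /etc/ptmp; the line-count and root-entry checks before the final mv are what keep a bad awk result from replacing the live file.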