From 65662db674cb3529331dc5db83be9bd9220f072d Mon Sep 17 00:00:00 2001
From: John Klug
Date: Tue, 10 Dec 2019 13:41:57 -0600
Subject: Read password from stdin
---
 src/ubpasswd.sh | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
(limited to 'src/ubpasswd.sh')
diff --git a/src/ubpasswd.sh b/src/ubpasswd.sh
index 98347fb..e3509ab 100755
--- a/src/ubpasswd.sh
+++ b/src/ubpasswd.sh
@@ -11,6 +11,11 @@
 # user list. The first user in this list that is found in
 # /etc/shadow is changed. root is only changed if mtadm
 # or admin is not found.
+#
+# -p option (pass password through stdin) is more secure
+# because another user on the system could use ps to acquire
+# the password.
+#
 ADMINLIST="mtadm admin"
 MTS=/sys/devices/platform/mts-io
@@ -24,7 +29,7 @@ if ! [[ -x /sbin/mts-hashpwd ]] ; then
 exit 1
 fi
 usage() {
- echo "mts-ubpasswd [-c] [-d] [-n] [-i] [-m] [-u] [-r] [-f] [-s salt] [password]"
+ echo "mts-ubpasswd [-c] [-d] [-n] [-i] [-m] [-u] [-r] [-f] [-p] [-s salt] [password]"
 echo " -c clear the U-Boot password"
 echo " -d debug"
 echo " -n dryrun for setting password"
@@ -35,6 +40,7 @@ usage() {
 echo " is currently required"
 echo " -f returns true if U-Boot password"
 echo " feature is available."
+ echo " -p read password from standard input"
 echo " -s salt is user supplied salt"
 echo " password is a user supplied password"
 echo "A salt not supplied is generated."
@@ -50,7 +56,8 @@ usage() {
 ((debug=0))
 ((upwd=0))
 ((dryrun=0))
-while getopts ":cdfimnrs:u" opt; do
+((stdp=0))
+while getopts ":cdfimnprs:u" opt; do
 case $opt in
 c)
 u-boot setenv mtsp
@@ -93,6 +100,9 @@ while getopts ":cdfimnrs:u" opt; do
 n)
 ((dryrun=1))
 ;;
+ p)
+ ((stdp=1))
+ ;;
 u)
 ((ubonly=1))
 ;;
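Review bot: The header comment added in the first hunk (`@@ -11,6 +11,11 @@`) can be read as saying that -p is what lets another user obtain the password with ps, when the exposure is the password given as a command-line argument. Suggested wording: `# -p option (pass password through stdin) is more secure` / `# because a password given on the command line can be read` / `# by another user on the system with ps.` The same comment could also mention that the -d debug option echoes a command-line password, as the `User set password is` line in a later hunk shows.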
@@ -119,10 +129,17 @@ done
 ((debug)) && echo OPTIND is $OPTIND
 ((sc=OPTIND-1))
 shift $sc
+if (($# == 1)) && ((stdp == 1)) ; then
+ "Cannot use -p option with password on the command line"
+ usage
+fi
 if (($# == 1)) ; then
 ((debug)) && echo "User set password is \"$1\""
 ((upwd = 1))
 pass="$1"
+elif ((stdp == 1)) ; then
+ ((upwd = 1))
+ read -r pass
 fi
 ((debug)) && echo hassalt is $hassalt, salt is \"$salt\"
@@ -204,7 +221,7 @@ if ((upwd == 0)) ; then
 fi
 result=$(/sbin/mts-hashpwd ${pwdsrc} ${salt})
 else
- result=$(/sbin/mts-hashpwd -p "${pass}" ${salt})
+ result=$(echo -n "$pass" | /sbin/mts-hashpwd -i ${salt})
 fi
 if ! [[ $result =~ ^pass=([^$'\n']+)$'\n'password_hash=([^$'\n']+) ]] ; then
 echo "/sbin/mts-hashpwd failed: ${result}"
-- cgit v1.2.3
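Review bot: In the added -p/password conflict check (`@@ -119,10 +129,17 @@`), the quoted line `"Cannot use -p option with password on the command line"` has no `echo`, so bash tries to run the string as a command and reports command-not-found instead of the intended message. Whether `usage` exits is not visible in this patch, so without an explicit `exit` the script may fall through and accept the command-line password anyway. In the `elif ((stdp == 1))` branch, `read -r pass` trims leading and trailing whitespace from the password and its status is never checked, so a closed or empty stdin would presumably end with an empty password being hashed. The sketch below prints the error to stderr, exits explicitly, reads with `IFS=` and fails when nothing was read.

```shell
if (($# == 1)) && ((stdp == 1)) ; then
  echo "Cannot use -p option with password on the command line" >&2
  usage
  exit 1
fi
# … unchanged: command-line password branch (if (($# == 1)) … pass="$1") …
elif ((stdp == 1)) ; then
  ((upwd = 1))
  # IFS= keeps leading/trailing whitespace; accept a final line without newline
  if ! IFS= read -r pass && [[ -z $pass ]] ; then
    echo "No password supplied on standard input" >&2
    exit 1
  fi
fi
```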
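Review bot: In the last hunk (`@@ -204,7 +221,7 @@`), `echo -n "$pass"` lets bash's echo treat a password such as `-n` or `-e` as an option, so that value is swallowed rather than hashed. `printf '%s' "$pass"` passes the value through unchanged: `result=$(printf '%s' "$pass" | /sbin/mts-hashpwd -i ${salt})`. `${salt}` is still unquoted on the new line, so a salt supplied with -s that contains whitespace or glob characters is split or expanded before it reaches mts-hashpwd. The enclosing if/else starts outside the hunk.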