aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--qga/commands-posix.c110
-rw-r--r--qga/commands-win32.c9
-rw-r--r--qga/qapi-schema.json27
3 files changed, 146 insertions, 0 deletions
diff --git a/qga/commands-posix.c b/qga/commands-posix.c
index f6f3e3cd8e..57409d0ea6 100644
--- a/qga/commands-posix.c
+++ b/qga/commands-posix.c
@@ -1875,6 +1875,108 @@ int64_t qmp_guest_set_vcpus(GuestLogicalProcessorList *vcpus, Error **errp)
return processed;
}
+void qmp_guest_set_user_password(const char *username,
+ const char *password,
+ bool crypted,
+ Error **errp)
+{
+ Error *local_err = NULL;
+ char *passwd_path = NULL;
+ pid_t pid;
+ int status;
+ int datafd[2] = { -1, -1 };
+ char *rawpasswddata = NULL;
+ size_t rawpasswdlen;
+ char *chpasswddata = NULL;
+ size_t chpasswdlen;
+
+ rawpasswddata = (char *)g_base64_decode(password, &rawpasswdlen);
+ rawpasswddata = g_renew(char, rawpasswddata, rawpasswdlen + 1);
+ rawpasswddata[rawpasswdlen] = '\0';
+
+ if (strchr(rawpasswddata, '\n')) {
+ error_setg(errp, "forbidden characters in raw password");
+ goto out;
+ }
+
+ if (strchr(username, '\n') ||
+ strchr(username, ':')) {
+ error_setg(errp, "forbidden characters in username");
+ goto out;
+ }
+
+ chpasswddata = g_strdup_printf("%s:%s\n", username, rawpasswddata);
+ chpasswdlen = strlen(chpasswddata);
+
+ passwd_path = g_find_program_in_path("chpasswd");
+
+ if (!passwd_path) {
+ error_setg(errp, "cannot find 'passwd' program in PATH");
+ goto out;
+ }
+
+ if (pipe(datafd) < 0) {
+ error_setg(errp, "cannot create pipe FDs");
+ goto out;
+ }
+
+ pid = fork();
+ if (pid == 0) {
+ close(datafd[1]);
+ /* child */
+ setsid();
+ dup2(datafd[0], 0);
+ reopen_fd_to_null(1);
+ reopen_fd_to_null(2);
+
+ if (crypted) {
+ execle(passwd_path, "chpasswd", "-e", NULL, environ);
+ } else {
+ execle(passwd_path, "chpasswd", NULL, environ);
+ }
+ _exit(EXIT_FAILURE);
+ } else if (pid < 0) {
+ error_setg_errno(errp, errno, "failed to create child process");
+ goto out;
+ }
+ close(datafd[0]);
+ datafd[0] = -1;
+
+ if (qemu_write_full(datafd[1], chpasswddata, chpasswdlen) != chpasswdlen) {
+ error_setg_errno(errp, errno, "cannot write new account password");
+ goto out;
+ }
+ close(datafd[1]);
+ datafd[1] = -1;
+
+ ga_wait_child(pid, &status, &local_err);
+ if (local_err) {
+ error_propagate(errp, local_err);
+ goto out;
+ }
+
+ if (!WIFEXITED(status)) {
+ error_setg(errp, "child process has terminated abnormally");
+ goto out;
+ }
+
+ if (WEXITSTATUS(status)) {
+ error_setg(errp, "child process has failed to set user password");
+ goto out;
+ }
+
+out:
+ g_free(chpasswddata);
+ g_free(rawpasswddata);
+ g_free(passwd_path);
+ if (datafd[0] != -1) {
+ close(datafd[0]);
+ }
+ if (datafd[1] != -1) {
+ close(datafd[1]);
+ }
+}
+
#else /* defined(__linux__) */
void qmp_guest_suspend_disk(Error **errp)
@@ -1910,6 +2012,14 @@ int64_t qmp_guest_set_vcpus(GuestLogicalProcessorList *vcpus, Error **errp)
return -1;
}
+void qmp_guest_set_user_password(const char *username,
+ const char *password,
+ bool crypted,
+ Error **errp)
+{
+ error_set(errp, QERR_UNSUPPORTED);
+}
+
#endif
#if !defined(CONFIG_FSFREEZE)
diff --git a/qga/commands-win32.c b/qga/commands-win32.c
index 3bcbeae8ff..11876f6846 100644
--- a/qga/commands-win32.c
+++ b/qga/commands-win32.c
@@ -446,6 +446,14 @@ int64_t qmp_guest_set_vcpus(GuestLogicalProcessorList *vcpus, Error **errp)
return -1;
}
+void qmp_guest_set_user_password(const char *username,
+ const char *password,
+ bool crypted,
+ Error **errp)
+{
+ error_set(errp, QERR_UNSUPPORTED);
+}
+
/* add unsupported commands to the blacklist */
GList *ga_command_blacklist_init(GList *blacklist)
{
@@ -454,6 +462,7 @@ GList *ga_command_blacklist_init(GList *blacklist)
"guest-file-write", "guest-file-seek", "guest-file-flush",
"guest-suspend-hybrid", "guest-network-get-interfaces",
"guest-get-vcpus", "guest-set-vcpus",
+ "guest-set-user-password",
"guest-fsfreeze-freeze-list", "guest-get-fsinfo",
"guest-fstrim", NULL};
char **p = (char **)list_unsupported;
diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json
index 376e79f583..5117b65b26 100644
--- a/qga/qapi-schema.json
+++ b/qga/qapi-schema.json
@@ -738,3 +738,30 @@
##
{ 'command': 'guest-get-fsinfo',
'returns': ['GuestFilesystemInfo'] }
+
+##
+# @guest-set-user-password
+#
+# @username: the user account whose password to change
+# @password: the new password entry string, base64 encoded
+# @crypted: true if password is already crypt()d, false if raw
+#
+# If the @crypted flag is true, it is the caller's responsibility
+# to ensure the correct crypt() encryption scheme is used. This
+# command does not attempt to interpret or report on the encryption
+# scheme. Refer to the documentation of the guest operating system
+# in question to determine what is supported.
+#
+# Note all guest operating systems will support use of the
+# @crypted flag, as they may require the clear-text password
+#
+# The @password parameter must always be base64 encoded before
+# transmission, even if already crypt()d, to ensure it is 8-bit
+# safe when passed as JSON.
+#
+# Returns: Nothing on success.
+#
+# Since 2.3
+##
+{ 'command': 'guest-set-user-password',
+ 'data': { 'username': 'str', 'password': 'str', 'crypted': 'bool' } }