/*
* close_files - close and unlock the group databases
*/
static void close_files (void)
{
#ifdef SHADOWGRP
if (is_shadow_grp) {
if (sgr_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, sgr_dbname ());
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
fail_exit (1);
}
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
/* continue */
}
sgr_locked = false;
}
#endif
if (gr_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
fail_exit (1);
}
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
/* continue */
}
gr_locked = false;
}
/*
* fail_exit - undo as much as possible
*/
static void fail_exit (int code)
{
if (spw_locked) {
if (spw_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
/* continue */
}
}
if (pw_locked) {
if (pw_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
/* continue */
}
}
if (gr_locked) {
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
/* continue */
}
}
#ifdef SHADOWGRP
if (sgr_locked) {
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
/* continue */
}
}
#endif
exit (code);
}
/*
* open_files - open the accounts databases
*
* open_files() opens the group, gshadow, and passwd databases.
*/
static void open_files (void)
{
if (gr_open (O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ()));
exit (E_GRP_UPDATE);
}
#ifdef SHADOWGRP
if ( is_shadow_grp
&& (pflg || nflg)) {
if (sgr_open (O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, sgr_dbname ());
SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ()));
exit (E_GRP_UPDATE);
}
}
#endif /* SHADOWGRP */
if (gflg) {
if (pw_open (O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, pw_dbname ());
SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ()));
exit (E_GRP_UPDATE);
}
}
}
/*
* fail_exit - exit with a failure code after unlocking the files
*/
static void fail_exit (int code)
{
if (pw_locked) {
if (pw_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
/* continue */
}
}
if (gr_locked) {
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
/* continue */
}
}
if (spw_locked) {
if (spw_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
/* continue */
}
}
#ifdef SHADOWGRP
if (sgr_locked) {
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
/* continue */
}
}
#endif /* SHADOWGRP */
#ifdef ENABLE_SUBIDS
if (sub_uid_locked) {
if (sub_uid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
/* continue */
}
}
if (sub_gid_locked) {
if (sub_gid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
/* continue */
}
}
#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"deleting user",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
exit (code);
}
/*
* close_files - close all of the files that were opened
*
* close_files() closes all of the files that were opened for this new
* group. This causes any modified entries to be written out.
*/
static void close_files (void)
{
/* First, write the changes in the regular group database */
if (gr_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, gr_dbname ());
exit (E_GRP_UPDATE);
}
#ifdef WITH_AUDIT
audit_logger (AUDIT_ADD_GROUP, Prog,
"adding group to /etc/group",
group_name, (unsigned int) group_id,
SHADOW_AUDIT_SUCCESS);
#endif
SYSLOG ((LOG_INFO, "group added to %s: name=%s, GID=%u",
gr_dbname (), group_name, (unsigned int) group_id));
del_cleanup (cleanup_report_add_group_group);
cleanup_unlock_group (NULL);
del_cleanup (cleanup_unlock_group);
/* Now, write the changes in the shadow database */
#ifdef SHADOWGRP
if (is_shadow_grp) {
if (sgr_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, sgr_dbname ());
exit (E_GRP_UPDATE);
}
#ifdef WITH_AUDIT
audit_logger (AUDIT_ADD_GROUP, Prog,
"adding group to /etc/gshadow",
group_name, (unsigned int) group_id,
SHADOW_AUDIT_SUCCESS);
#endif
SYSLOG ((LOG_INFO, "group added to %s: name=%s",
sgr_dbname (), group_name));
del_cleanup (cleanup_report_add_group_gshadow);
cleanup_unlock_gshadow (NULL);
del_cleanup (cleanup_unlock_gshadow);
}
#endif /* SHADOWGRP */
/* Report success at the system level */
#ifdef WITH_AUDIT
audit_logger (AUDIT_ADD_GROUP, Prog,
"",
group_name, (unsigned int) group_id,
SHADOW_AUDIT_SUCCESS);
#endif
SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u",
group_name, (unsigned int) group_id));
del_cleanup (cleanup_report_add_group);
}
/*
* open_files - lock and open the group databases
*
* It will call exit in case of error.
*/
static void open_files (void)
{
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
exit (E_NOPERM);
}
add_cleanup (cleanup_unlock_group, NULL);
#ifdef SHADOWGRP
if (is_shadowgrp) {
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
exit (E_NOPERM);
}
add_cleanup (cleanup_unlock_gshadow, NULL);
}
#endif /* SHADOWGRP */
add_cleanup (log_gpasswd_failure_system, NULL);
if (gr_open (O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, gr_dbname ());
SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ()));
exit (E_NOPERM);
}
#ifdef SHADOWGRP
if (is_shadowgrp) {
if (sgr_open (O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, sgr_dbname ());
SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ()));
exit (E_NOPERM);
}
add_cleanup (log_gpasswd_failure_gshadow, NULL);
}
#endif /* SHADOWGRP */
add_cleanup (log_gpasswd_failure_group, NULL);
del_cleanup (log_gpasswd_failure_system);
}
/*
* open_files - lock and open the group files
*
* open_files() opens the two group files.
*/
static void open_files (void)
{
/* First, lock the databases */
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
exit (E_GRP_UPDATE);
}
add_cleanup (cleanup_unlock_group, NULL);
#ifdef SHADOWGRP
if (is_shadow_grp) {
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
exit (E_GRP_UPDATE);
}
add_cleanup (cleanup_unlock_gshadow, NULL);
}
#endif
/*
* Now, if the group is not removed, it's our fault.
* Make sure failures will be reported.
*/
add_cleanup (cleanup_report_del_group, group_name);
/* An now open the databases */
if (gr_open (O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, gr_dbname ());
SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ()));
exit (E_GRP_UPDATE);
}
#ifdef SHADOWGRP
if (is_shadow_grp) {
if (sgr_open (O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, sgr_dbname ());
SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ()));
exit (E_GRP_UPDATE);
}
}
#endif /* SHADOWGRP */
}
/*
* lock_files - lock the accounts databases
*
* lock_files() locks the group, gshadow, and passwd databases.
*/
static void lock_files (void)
{
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
exit (E_GRP_UPDATE);
}
add_cleanup (cleanup_unlock_group, NULL);
#ifdef SHADOWGRP
if ( is_shadow_grp
&& (pflg || nflg)) {
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
exit (E_GRP_UPDATE);
}
add_cleanup (cleanup_unlock_gshadow, NULL);
}
#endif
if (gflg) {
if (pw_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, pw_dbname ());
exit (E_GRP_UPDATE);
}
add_cleanup (cleanup_unlock_passwd, NULL);
}
}
static void log_gpasswd_success_group (unused void *arg)
{
char buf[1024];
snprintf (buf, 1023, " in %s", gr_dbname ());
buf[1023] = '\0';
log_gpasswd_success (buf);
}
/*
* close_files - close and unlock the group databases
*
* This cause any changes in the databases to be committed.
*
* It will call exit in case of error.
*/
static void close_files (void)
{
if (gr_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, gr_dbname ());
exit (E_NOPERM);
}
add_cleanup (log_gpasswd_success_group, NULL);
del_cleanup (log_gpasswd_failure_group);
cleanup_unlock_group (NULL);
del_cleanup (cleanup_unlock_group);
#ifdef SHADOWGRP
if (is_shadowgrp) {
if (sgr_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, sgr_dbname ());
exit (E_NOPERM);
}
del_cleanup (log_gpasswd_failure_gshadow);
cleanup_unlock_gshadow (NULL);
del_cleanup (cleanup_unlock_gshadow);
}
#endif /* SHADOWGRP */
log_gpasswd_success_system (NULL);
del_cleanup (log_gpasswd_success_group);
}
/*
* close_files - close and unlock the group/gshadow databases
*
* If changed is not set, the databases are not closed, and no
* changes are committed in the databases. The databases are
* unlocked anyway.
*/
static void close_files (bool changed)
{
/*
* All done. If there were no change we can just abandon any
* changes to the files.
*/
if (changed) {
if (gr_close () == 0) {
fprintf (stderr, _("%s: failure while writing changes to %s\n"),
Prog, grp_file);
fail_exit (E_CANT_UPDATE);
}
#ifdef SHADOWGRP
if (is_shadow && (sgr_close () == 0)) {
fprintf (stderr, _("%s: failure while writing changes to %s\n"),
Prog, sgr_file);
fail_exit (E_CANT_UPDATE);
}
#endif
}
/*
* Don't be anti-social - unlock the files when you're done.
*/
#ifdef SHADOWGRP
if (sgr_locked) {
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
/* continue */
}
sgr_locked = false;
}
#endif
if (gr_locked) {
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
/* continue */
}
gr_locked = false;
}
}
static void fail_exit (int status)
{
if (gr_locked) {
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
/* continue */
}
}
if (sgr_locked) {
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
/* continue */
}
}
exit (status);
}
/*
* grp_update - add new group file entries
*
* grp_update() writes the new records to the group files.
*/
static void grp_update (void)
{
struct group grp;
#ifdef SHADOWGRP
struct sgrp sgrp;
#endif /* SHADOWGRP */
/*
* To add the group, we need to update /etc/group.
* Make sure failures will be reported.
*/
add_cleanup (cleanup_report_add_group_group, group_name);
#ifdef SHADOWGRP
if (is_shadow_grp) {
/* We also need to update /etc/gshadow */
add_cleanup (cleanup_report_add_group_gshadow, group_name);
}
#endif
/*
* Create the initial entries for this new group.
*/
new_grent (&grp);
#ifdef SHADOWGRP
new_sgent (&sgrp);
if (is_shadow_grp && pflg) {
grp.gr_passwd = SHADOW_PASSWD_STRING; /* XXX warning: const */
}
#endif /* SHADOWGRP */
/*
* Write out the new group file entry.
*/
if (gr_update (&grp) == 0) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, gr_dbname (), grp.gr_name);
exit (E_GRP_UPDATE);
}
#ifdef SHADOWGRP
/*
* Write out the new shadow group entries as well.
*/
if (is_shadow_grp && (sgr_update (&sgrp) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, sgr_dbname (), sgrp.sg_name);
exit (E_GRP_UPDATE);
}
#endif /* SHADOWGRP */
}
/*
* open_files - lock and open the group databases
*/
static void open_files (void)
{
/*
* Lock the group file and open it for reading and writing. This will
* bring all of the entries into memory where they may be updated.
*/
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
fail_exit (1);
}
gr_locked = true;
if (gr_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"), Prog, gr_dbname ());
fail_exit (1);
}
#ifdef SHADOWGRP
/* Do the same for the shadowed database, if it exist */
if (is_shadow_grp) {
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
fail_exit (1);
}
sgr_locked = true;
if (sgr_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"),
Prog, sgr_dbname ());
fail_exit (1);
}
}
#endif
}
/*
* fail_exit - exit with an error code after unlocking files
*/
static void fail_exit (int status)
{
if (gr_locked) {
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
/* continue */
}
}
#ifdef SHADOWGRP
if (sgr_locked) {
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
/* continue */
}
}
#endif
closelog ();
exit (status);
}
static void update_group (struct group *gr)
#endif
{
if (gr_update (gr) == 0) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, gr_dbname (), gr->gr_name);
exit (1);
}
#ifdef SHADOWGRP
if (is_shadowgrp && (sgr_update (sg) == 0)) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, sgr_dbname (), sg->sg_name);
exit (1);
}
#endif /* SHADOWGRP */
}
/*
* grp_update - update group file entries
*
* grp_update() writes the new records to the group files.
*/
static void grp_update (void)
{
/*
* To add the group, we need to update /etc/group.
* Make sure failures will be reported.
*/
add_cleanup (cleanup_report_del_group_group, group_name);
#ifdef SHADOWGRP
if (is_shadow_grp) {
/* We also need to update /etc/gshadow */
add_cleanup (cleanup_report_del_group_gshadow, group_name);
}
#endif
/*
* Delete the group entry.
*/
if (gr_remove (group_name) == 0) {
fprintf (stderr,
_("%s: cannot remove entry '%s' from %s\n"),
Prog, group_name, gr_dbname ());
exit (E_GRP_UPDATE);
}
#ifdef SHADOWGRP
/*
* Delete the shadow group entries as well.
*/
if (is_shadow_grp && (sgr_locate (group_name) != NULL)) {
if (sgr_remove (group_name) == 0) {
fprintf (stderr,
_("%s: cannot remove entry '%s' from %s\n"),
Prog, group_name, sgr_dbname ());
exit (E_GRP_UPDATE);
}
}
#endif /* SHADOWGRP */
}
static void open_files (void)
{
if (pw_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, pw_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"locking password file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_PW_UPDATE);
}
pw_locked = true;
if (pw_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"), Prog, pw_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"opening password file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_PW_UPDATE);
}
if (is_shadow_pwd) {
if (spw_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, spw_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"locking shadow password file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_PW_UPDATE);
}
spw_locked = true;
if (spw_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, spw_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"opening shadow password file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_PW_UPDATE);
}
}
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"locking group file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_GRP_UPDATE);
}
gr_locked = true;
if (gr_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"opening group file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_GRP_UPDATE);
}
#ifdef SHADOWGRP
if (is_shadow_grp) {
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"locking shadow group file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_GRP_UPDATE);
}
sgr_locked= true;
if (sgr_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"),
Prog, sgr_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"opening shadow group file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_GRP_UPDATE);
}
}
#endif /* SHADOWGRP */
#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sub_uid_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"locking subordinate user file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_SUB_UID_UPDATE);
}
sub_uid_locked = true;
if (sub_uid_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"), Prog, sub_uid_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"opening subordinate user file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_SUB_UID_UPDATE);
}
}
if (is_sub_gid) {
if (sub_gid_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sub_gid_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"locking subordinate group file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_SUB_GID_UPDATE);
}
sub_gid_locked = true;
if (sub_gid_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"), Prog, sub_gid_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"opening subordinate group file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_SUB_GID_UPDATE);
}
}
#endif /* ENABLE_SUBIDS */
}
int main (int argc, char **argv)
{
char buf[BUFSIZ];
char *name;
char *newpwd;
char *cp;
#ifdef SHADOWGRP
const struct sgrp *sg;
struct sgrp newsg;
#endif
const struct group *gr;
struct group newgr;
int errors = 0;
int line = 0;
Prog = Basename (argv[0]);
(void) setlocale (LC_ALL, "");
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
process_root_flag ("-R", argc, argv);
process_flags (argc, argv);
OPENLOG ("chgpasswd");
check_perms ();
#ifdef SHADOWGRP
is_shadow_grp = sgr_file_present ();
#endif
open_files ();
/*
* Read each line, separating the group name from the password. The
* group entry for each group will be looked up in the appropriate
* file (gshadow or group) and the password changed.
*/
while (fgets (buf, (int) sizeof buf, stdin) != (char *) 0) {
line++;
cp = strrchr (buf, '\n');
if (NULL != cp) {
*cp = '\0';
} else {
fprintf (stderr, _("%s: line %d: line too long\n"),
Prog, line);
errors++;
continue;
}
/*
* The group's name is the first field. It is separated from
* the password with a ":" character which is replaced with a
* NUL to give the new password. The new password will then
* be encrypted in the normal fashion with a new salt
* generated, unless the '-e' is given, in which case it is
* assumed to already be encrypted.
*/
name = buf;
cp = strchr (name, ':');
if (NULL != cp) {
*cp = '\0';
cp++;
} else {
fprintf (stderr,
_("%s: line %d: missing new password\n"),
Prog, line);
errors++;
continue;
}
newpwd = cp;
if ( (!eflg)
&& ( (NULL == crypt_method)
|| (0 != strcmp (crypt_method, "NONE")))) {
void *arg = NULL;
const char *salt;
if (md5flg) {
crypt_method = "MD5";
}
#ifdef USE_SHA_CRYPT
if (sflg) {
arg = &sha_rounds;
}
#endif
salt = crypt_make_salt (crypt_method, arg);
cp = pw_encrypt (newpwd, salt);
if (NULL == cp) {
fprintf (stderr,
_("%s: failed to crypt password with salt '%s': %s\n"),
Prog, salt, strerror (errno));
fail_exit (1);
}
}
/*
* Get the group file entry for this group. The group must
* already exist.
*/
gr = gr_locate (name);
if (NULL == gr) {
fprintf (stderr,
_("%s: line %d: group '%s' does not exist\n"), Prog,
line, name);
errors++;
continue;
}
#ifdef SHADOWGRP
if (is_shadow_grp) {
/* The gshadow entry should be updated if the
* group entry has a password set to 'x'.
* But on the other hand, if there is already both
* a group and a gshadow password, it's preferable
* to update both.
*/
sg = sgr_locate (name);
if ( (NULL == sg)
&& (strcmp (gr->gr_passwd,
SHADOW_PASSWD_STRING) == 0)) {
static char *empty = NULL;
/* If the password is set to 'x' in
* group, but there are no entries in
* gshadow, create one.
*/
newsg.sg_name = name;
/* newsg.sg_passwd = NULL; will be set later */
newsg.sg_adm = ∅
newsg.sg_mem = dup_list (gr->gr_mem);
sg = &newsg;
}
} else {
sg = NULL;
}
#endif
/*
* The freshly encrypted new password is merged into the
* group's entry.
*/
#ifdef SHADOWGRP
if (NULL != sg) {
newsg = *sg;
newsg.sg_passwd = cp;
}
if ( (NULL == sg)
|| (strcmp (gr->gr_passwd, SHADOW_PASSWD_STRING) != 0))
#endif
{
newgr = *gr;
newgr.gr_passwd = cp;
}
/*
* The updated group file entry is then put back and will
* be written to the group file later, after all the
* other entries have been updated as well.
*/
#ifdef SHADOWGRP
if (NULL != sg) {
if (sgr_update (&newsg) == 0) {
fprintf (stderr,
_("%s: line %d: failed to prepare the new %s entry '%s'\n"),
Prog, line, sgr_dbname (), newsg.sg_name);
errors++;
continue;
}
}
if ( (NULL == sg)
|| (strcmp (gr->gr_passwd, SHADOW_PASSWD_STRING) != 0))
#endif
{
if (gr_update (&newgr) == 0) {
fprintf (stderr,
_("%s: line %d: failed to prepare the new %s entry '%s'\n"),
Prog, line, gr_dbname (), newgr.gr_name);
errors++;
continue;
}
}
}
/*
* Any detected errors will cause the entire set of changes to be
* aborted. Unlocking the group file will cause all of the
* changes to be ignored. Otherwise the file is closed, causing the
* changes to be written out all at once, and then unlocked
* afterwards.
*/
if (0 != errors) {
fprintf (stderr,
_("%s: error detected, changes ignored\n"), Prog);
fail_exit (1);
}
close_files ();
nscd_flush_cache ("group");
return (0);
}
/*
* close_files - close and unlock the password, group and shadow databases
*/
static void close_files (void)
{
if (pw_close () == 0) {
fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname ());
SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname ()));
fail_exit (EXIT_FAILURE);
}
if (pw_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
/* continue */
}
pw_locked = false;
if (is_shadow) {
if (spw_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, spw_dbname ());
SYSLOG ((LOG_ERR, "failure while writing changes to %s", spw_dbname ()));
fail_exit (EXIT_FAILURE);
}
if (spw_unlock () == 0) {
fprintf (stderr,
_("%s: failed to unlock %s\n"),
Prog, spw_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
/* continue */
}
spw_locked = false;
}
if (gr_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
fail_exit (EXIT_FAILURE);
}
#ifdef ENABLE_SUBIDS
if (is_sub_uid && (sub_uid_close () == 0)) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_uid_dbname ()));
fail_exit (EXIT_FAILURE);
}
if (is_sub_gid && (sub_gid_close () == 0)) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"), Prog, sub_gid_dbname ());
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
fail_exit (EXIT_FAILURE);
}
#endif /* ENABLE_SUBIDS */
if (gr_unlock () == 0) {
fprintf (stderr,
_("%s: failed to unlock %s\n"),
Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
/* continue */
}
gr_locked = false;
#ifdef SHADOWGRP
if (is_shadow_grp) {
if (sgr_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, sgr_dbname ());
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
fail_exit (EXIT_FAILURE);
}
if (sgr_unlock () == 0) {
fprintf (stderr,
_("%s: failed to unlock %s\n"),
Prog, sgr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
/* continue */
}
sgr_locked = false;
}
#endif
#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
/* continue */
}
sub_uid_locked = false;
}
if (is_sub_gid) {
if (sub_gid_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
/* continue */
}
sub_gid_locked = false;
}
#endif /* ENABLE_SUBIDS */
}
int main (int argc, char **argv)
{
bool editshadow = false;
char *a;
bool do_vipw;
(void) setlocale (LC_ALL, "");
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
progname = ((a = strrchr (*argv, '/')) ? a + 1 : *argv);
do_vipw = (strcmp (progname, "vigr") != 0);
OPENLOG (do_vipw ? "vipw" : "vigr");
{
/*
* Parse the command line options.
*/
int c;
static struct option long_options[] = {
{"group", no_argument, NULL, 'g'},
{"help", no_argument, NULL, 'h'},
{"passwd", no_argument, NULL, 'p'},
{"quiet", no_argument, NULL, 'q'},
{"shadow", no_argument, NULL, 's'},
#ifdef WITH_TCB
{"user", required_argument, NULL, 'u'},
#endif /* WITH_TCB */
{NULL, 0, NULL, '\0'}
};
while ((c = getopt_long (argc, argv,
#ifdef WITH_TCB
"ghpqsu:",
#else /* !WITH_TCB */
"ghpqs",
#endif /* !WITH_TCB */
long_options, NULL)) != -1) {
switch (c) {
case 'g':
do_vipw = false;
break;
case 'h':
usage (E_SUCCESS);
break;
case 'p':
do_vipw = true;
break;
case 'q':
quiet = true;
break;
case 's':
editshadow = true;
break;
#ifdef WITH_TCB
case 'u':
user = optarg;
break;
#endif /* WITH_TCB */
default:
usage (E_USAGE);
}
}
}
if (do_vipw) {
if (editshadow) {
#ifdef WITH_TCB
if (getdef_bool ("USE_TCB") && (NULL != user)) {
if (shadowtcb_set_user (user) == SHADOWTCB_FAILURE) {
fprintf (stderr,
_("%s: failed to find tcb directory for %s\n"),
progname, user);
return E_SHADOW_NOTFOUND;
}
tcb_mode = true;
}
#endif /* WITH_TCB */
vipwedit (spw_dbname (), spw_lock, spw_unlock);
printf (MSG_WARN_EDIT_OTHER_FILE,
spw_dbname (),
pw_dbname (),
"vipw");
} else {
vipwedit (pw_dbname (), pw_lock, pw_unlock);
if (spw_file_present ()) {
printf (MSG_WARN_EDIT_OTHER_FILE,
pw_dbname (),
spw_dbname (),
"vipw -s");
}
}
} else {
#ifdef SHADOWGRP
if (editshadow) {
vipwedit (sgr_dbname (), sgr_lock, sgr_unlock);
printf (MSG_WARN_EDIT_OTHER_FILE,
sgr_dbname (),
gr_dbname (),
"vigr");
} else {
#endif /* SHADOWGRP */
vipwedit (gr_dbname (), gr_lock, gr_unlock);
#ifdef SHADOWGRP
if (sgr_file_present ()) {
printf (MSG_WARN_EDIT_OTHER_FILE,
gr_dbname (),
sgr_dbname (),
"vigr -s");
}
}
#endif /* SHADOWGRP */
}
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
return E_SUCCESS;
}
/*
* remove_usergroup - delete the user's group if it is a usergroup
*
* An usergroup is removed if
* + it has the same name as the user
* + it is the primary group of the user
* + it has no other members
* + it is not the primary group of any other user
*/
static void remove_usergroup (void)
{
const struct group *grp;
const struct passwd *pwd = NULL;
grp = gr_locate (user_name);
if (NULL == grp) {
/* This user has no usergroup. */
return;
}
if (grp->gr_gid != user_gid) {
fprintf (stderr,
_("%s: group %s not removed because it is not the primary group of user %s.\n"),
Prog, grp->gr_name, user_name);
return;
}
if (NULL != grp->gr_mem[0]) {
/* The usergroup has other members. */
fprintf (stderr,
_("%s: group %s not removed because it has other members.\n"),
Prog, grp->gr_name);
return;
}
if (!fflg) {
/*
* Scan the passwd file to check if this group is still
* used as a primary group.
*/
setpwent ();
while ((pwd = getpwent ()) != NULL) {
if (strcmp (pwd->pw_name, user_name) == 0) {
continue;
}
if (pwd->pw_gid == grp->gr_gid) {
fprintf (stderr,
_("%s: group %s is the primary group of another user and is not removed.\n"),
Prog, grp->gr_name);
break;
}
}
endpwent ();
}
if (NULL == pwd) {
/*
* We can remove this group, it is not the primary
* group of any remaining user.
*/
if (gr_remove (user_name) == 0) {
fprintf (stderr,
_("%s: cannot remove entry '%s' from %s\n"),
Prog, user_name, gr_dbname ());
fail_exit (E_GRP_UPDATE);
}
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_GROUP, Prog,
"deleting group",
user_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif /* WITH_AUDIT */
SYSLOG ((LOG_INFO,
"removed group '%s' owned by '%s'\n",
user_name, user_name));
#ifdef SHADOWGRP
if (sgr_locate (user_name) != NULL) {
if (sgr_remove (user_name) == 0) {
fprintf (stderr,
_("%s: cannot remove entry '%s' from %s\n"),
Prog, user_name, sgr_dbname ());
fail_exit (E_GRP_UPDATE);
}
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_GROUP, Prog,
"deleting shadow group",
user_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif /* WITH_AUDIT */
SYSLOG ((LOG_INFO,
"removed shadow group '%s' owned by '%s'\n",
user_name, user_name));
}
#endif /* SHADOWGRP */
}
}
static void get_group (struct group *gr)
#endif
{
struct group const*tmpgr = NULL;
#ifdef SHADOWGRP
struct sgrp const*tmpsg = NULL;
#endif
if (gr_open (O_RDONLY) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ()));
exit (E_NOPERM);
}
tmpgr = gr_locate (group);
if (NULL == tmpgr) {
fprintf (stderr,
_("%s: group '%s' does not exist in %s\n"),
Prog, group, gr_dbname ());
exit (E_BAD_ARG);
}
*gr = *tmpgr;
gr->gr_name = xstrdup (tmpgr->gr_name);
gr->gr_passwd = xstrdup (tmpgr->gr_passwd);
gr->gr_mem = dup_list (tmpgr->gr_mem);
if (gr_close () == 0) {
fprintf (stderr,
_("%s: failure while closing read-only %s\n"),
Prog, gr_dbname ());
SYSLOG ((LOG_ERR,
"failure while closing read-only %s",
gr_dbname ()));
exit (E_NOPERM);
}
#ifdef SHADOWGRP
if (is_shadowgrp) {
if (sgr_open (O_RDONLY) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, sgr_dbname ());
SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ()));
exit (E_NOPERM);
}
tmpsg = sgr_locate (group);
if (NULL != tmpsg) {
*sg = *tmpsg;
sg->sg_name = xstrdup (tmpsg->sg_name);
sg->sg_passwd = xstrdup (tmpsg->sg_passwd);
sg->sg_mem = dup_list (tmpsg->sg_mem);
sg->sg_adm = dup_list (tmpsg->sg_adm);
} else {
sg->sg_name = xstrdup (group);
sg->sg_passwd = gr->gr_passwd;
gr->gr_passwd = SHADOW_PASSWD_STRING; /* XXX warning: const */
sg->sg_mem = dup_list (gr->gr_mem);
sg->sg_adm = (char **) xmalloc (sizeof (char *) * 2);
#ifdef FIRST_MEMBER_IS_ADMIN
if (sg->sg_mem[0]) {
sg->sg_adm[0] = xstrdup (sg->sg_mem[0]);
sg->sg_adm[1] = NULL;
} else
#endif
{
sg->sg_adm[0] = NULL;
}
}
if (sgr_close () == 0) {
fprintf (stderr,
_("%s: failure while closing read-only %s\n"),
Prog, sgr_dbname ());
SYSLOG ((LOG_ERR,
"failure while closing read-only %s",
sgr_dbname ()));
exit (E_NOPERM);
}
}
#endif /* SHADOWGRP */
}
/*
* grp_update - update group file entries
*
* grp_update() updates the new records in the memory databases.
*/
static void grp_update (void)
{
struct group grp;
const struct group *ogrp;
#ifdef SHADOWGRP
struct sgrp sgrp;
const struct sgrp *osgrp = NULL;
#endif /* SHADOWGRP */
/*
* Get the current settings for this group.
*/
ogrp = gr_locate (group_name);
if (NULL == ogrp) {
fprintf (stderr,
_("%s: group '%s' does not exist in %s\n"),
Prog, group_name, gr_dbname ());
exit (E_GRP_UPDATE);
}
grp = *ogrp;
new_grent (&grp);
#ifdef SHADOWGRP
if ( is_shadow_grp
&& (pflg || nflg)) {
osgrp = sgr_locate (group_name);
if (NULL != osgrp) {
sgrp = *osgrp;
new_sgent (&sgrp);
} else if ( pflg
&& (strcmp (grp.gr_passwd, SHADOW_PASSWD_STRING) == 0)) {
static char *empty = NULL;
/* If there is a gshadow file with no entries for
* the group, but the group file indicates a
* shadowed password, we force the creation of a
* gshadow entry when a new password is requested.
*/
memset (&sgrp, 0, sizeof sgrp);
sgrp.sg_name = xstrdup (grp.gr_name);
sgrp.sg_passwd = xstrdup (grp.gr_passwd);
sgrp.sg_adm = ∅
sgrp.sg_mem = dup_list (grp.gr_mem);
new_sgent (&sgrp);
osgrp = &sgrp; /* entry needs to be committed */
}
}
#endif /* SHADOWGRP */
if (gflg) {
update_primary_groups (ogrp->gr_gid, group_newid);
}
/*
* Write out the new group file entry.
*/
if (gr_update (&grp) == 0) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, gr_dbname (), grp.gr_name);
exit (E_GRP_UPDATE);
}
if (nflg && (gr_remove (group_name) == 0)) {
fprintf (stderr,
_("%s: cannot remove entry '%s' from %s\n"),
Prog, grp.gr_name, gr_dbname ());
exit (E_GRP_UPDATE);
}
#ifdef SHADOWGRP
/*
* Make sure there was a shadow entry to begin with.
*/
if (NULL != osgrp) {
/*
* Write out the new shadow group entries as well.
*/
if (sgr_update (&sgrp) == 0) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, sgr_dbname (), sgrp.sg_name);
exit (E_GRP_UPDATE);
}
if (nflg && (sgr_remove (group_name) == 0)) {
fprintf (stderr,
_("%s: cannot remove entry '%s' from %s\n"),
Prog, group_name, sgr_dbname ());
exit (E_GRP_UPDATE);
}
}
#endif /* SHADOWGRP */
}
/*
* open_files - lock and open the password, group and shadow databases
*/
static void open_files (void)
{
/*
* Lock the password files and open them for update. This will bring
* all of the entries into memory where they may be searched for an
* modified, or new entries added. The password file is the key - if
* it gets locked, assume the others can be locked right away.
*/
if (pw_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, pw_dbname ());
fail_exit (EXIT_FAILURE);
}
pw_locked = true;
if (is_shadow) {
if (spw_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, spw_dbname ());
fail_exit (EXIT_FAILURE);
}
spw_locked = true;
}
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
fail_exit (EXIT_FAILURE);
}
gr_locked = true;
#ifdef SHADOWGRP
if (is_shadow_grp) {
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
fail_exit (EXIT_FAILURE);
}
sgr_locked = true;
}
#endif
#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sub_uid_dbname ());
fail_exit (EXIT_FAILURE);
}
sub_uid_locked = true;
}
if (is_sub_gid) {
if (sub_gid_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sub_gid_dbname ());
fail_exit (EXIT_FAILURE);
}
sub_gid_locked = true;
}
#endif /* ENABLE_SUBIDS */
if (pw_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ());
fail_exit (EXIT_FAILURE);
}
if (is_shadow && (spw_open (O_CREAT | O_RDWR) == 0)) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ());
fail_exit (EXIT_FAILURE);
}
if (gr_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
fail_exit (EXIT_FAILURE);
}
#ifdef SHADOWGRP
if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ());
fail_exit (EXIT_FAILURE);
}
#endif
#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, sub_uid_dbname ());
fail_exit (EXIT_FAILURE);
}
}
if (is_sub_gid) {
if (sub_gid_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, sub_gid_dbname ());
fail_exit (EXIT_FAILURE);
}
}
#endif /* ENABLE_SUBIDS */
}
int main (int argc, char **argv)
{
const struct group *gr;
struct group grent;
const struct sgrp *sg;
Prog = Basename (argv[0]);
(void) setlocale (LC_ALL, "");
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
process_root_flag ("-R", argc, argv);
OPENLOG ("grpunconv");
process_flags (argc, argv);
if (sgr_file_present () == 0) {
exit (0); /* no /etc/gshadow, nothing to do */
}
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
fail_exit (5);
}
gr_locked = true;
if (gr_open (O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"), Prog, gr_dbname ());
fail_exit (1);
}
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
fail_exit (5);
}
sgr_locked = true;
if (sgr_open (O_RDONLY) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"), Prog, sgr_dbname ());
fail_exit (1);
}
/*
* Update group passwords if non-shadow password is "x".
*/
(void) gr_rewind ();
while ((gr = gr_next ()) != NULL) {
sg = sgr_locate (gr->gr_name);
if ( (NULL != sg)
&& (strcmp (gr->gr_passwd, SHADOW_PASSWD_STRING) == 0)) {
/* add password to /etc/group */
grent = *gr;
grent.gr_passwd = sg->sg_passwd;
if (gr_update (&grent) == 0) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, gr_dbname (), grent.gr_name);
fail_exit (3);
}
}
}
(void) sgr_close (); /* was only open O_RDONLY */
if (gr_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
fail_exit (3);
}
if (unlink (SGROUP_FILE) != 0) {
fprintf (stderr,
_("%s: cannot delete %s\n"),
Prog, SGROUP_FILE);
SYSLOG ((LOG_ERR, "cannot delete %s", SGROUP_FILE));
fail_exit (3);
}
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
/* continue */
}
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
/* continue */
}
nscd_flush_cache ("group");
return 0;
}
/*
* close_files - close all of the files that were opened
*
* close_files() closes all of the files that were opened for this new
* group. This causes any modified entries to be written out.
*/
static void close_files (void)
{
if (gr_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, gr_dbname ());
exit (E_GRP_UPDATE);
}
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_ACCT, Prog,
info_group.audit_msg,
group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
SYSLOG ((LOG_INFO,
"group changed in %s (%s)",
gr_dbname (), info_group.action));
del_cleanup (cleanup_report_mod_group);
cleanup_unlock_group (NULL);
del_cleanup (cleanup_unlock_group);
#ifdef SHADOWGRP
if ( is_shadow_grp
&& (pflg || nflg)) {
if (sgr_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, sgr_dbname ());
exit (E_GRP_UPDATE);
}
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_ACCT, Prog,
info_gshadow.audit_msg,
group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
SYSLOG ((LOG_INFO,
"group changed in %s (%s)",
sgr_dbname (), info_gshadow.action));
del_cleanup (cleanup_report_mod_gshadow);
cleanup_unlock_gshadow (NULL);
del_cleanup (cleanup_unlock_gshadow);
}
#endif /* SHADOWGRP */
if (gflg) {
if (pw_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, pw_dbname ());
exit (E_GRP_UPDATE);
}
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_ACCT, Prog,
info_passwd.audit_msg,
group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
SYSLOG ((LOG_INFO,
"group changed in %s (%s)",
pw_dbname (), info_passwd.action));
del_cleanup (cleanup_report_mod_passwd);
cleanup_unlock_passwd (NULL);
del_cleanup (cleanup_unlock_passwd);
}
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_ACCT, Prog,
"modifying group",
group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
}
/*
* check_grp_file - check the content of the group file
*/
static void check_grp_file (int *errors, bool *changed)
{
struct commonio_entry *gre, *tgre;
struct group *grp;
#ifdef SHADOWGRP
struct sgrp *sgr;
#endif
/*
* Loop through the entire group file.
*/
for (gre = __gr_get_head (); NULL != gre; gre = gre->next) {
/*
* Skip all NIS entries.
*/
if ((gre->line[0] == '+') || (gre->line[0] == '-')) {
continue;
}
/*
* Start with the entries that are completely corrupt. They
* have no (struct group) entry because they couldn't be
* parsed properly.
*/
if (NULL == gre->eptr) {
/*
* Tell the user this entire line is bogus and ask
* them to delete it.
*/
(void) puts (_("invalid group file entry"));
printf (_("delete line '%s'? "), gre->line);
*errors += 1;
/*
* prompt the user to delete the entry or not
*/
if (!yes_or_no (read_only)) {
continue;
}
/*
* All group file deletions wind up here. This code
* removes the current entry from the linked list.
* When done, it skips back to the top of the loop
* to try out the next list element.
*/
delete_gr:
SYSLOG ((LOG_INFO, "delete group line '%s'",
gre->line));
*changed = true;
__gr_del_entry (gre);
continue;
}
/*
* Group structure is good, start using it.
*/
grp = gre->eptr;
/*
* Make sure this entry has a unique name.
*/
for (tgre = __gr_get_head (); NULL != tgre; tgre = tgre->next) {
const struct group *ent = tgre->eptr;
/*
* Don't check this entry
*/
if (tgre == gre) {
continue;
}
/*
* Don't check invalid entries.
*/
if (NULL == ent) {
continue;
}
if (strcmp (grp->gr_name, ent->gr_name) != 0) {
continue;
}
/*
* Tell the user this entry is a duplicate of
* another and ask them to delete it.
*/
(void) puts (_("duplicate group entry"));
printf (_("delete line '%s'? "), gre->line);
*errors += 1;
/*
* prompt the user to delete the entry or not
*/
if (yes_or_no (read_only)) {
goto delete_gr;
}
}
/*
* Check for invalid group names. --marekm
*/
if (!is_valid_group_name (grp->gr_name)) {
*errors += 1;
printf (_("invalid group name '%s'\n"), grp->gr_name);
}
/*
* Check for invalid group ID.
*/
if (grp->gr_gid == (gid_t)-1) {
printf (_("invalid group ID '%lu'\n"), (long unsigned int)grp->gr_gid);
*errors += 1;
}
/*
* Workaround for a NYS libc 5.3.12 bug on RedHat 4.2 -
* groups with no members are returned as groups with one
* member "", causing grpck to fail. --marekm
*/
if ( (NULL != grp->gr_mem[0])
&& (NULL == grp->gr_mem[1])
&& ('\0' == grp->gr_mem[0][0])) {
grp->gr_mem[0] = NULL;
}
if (check_members (grp->gr_name, grp->gr_mem,
_("group %s: no user %s\n"),
_("delete member '%s'? "),
"delete member '%s' from group '%s'",
errors) == 1) {
*changed = true;
gre->changed = true;
__gr_set_changed ();
}
#ifdef SHADOWGRP
/*
* Make sure this entry exists in the /etc/gshadow file.
*/
if (is_shadow) {
sgr = (struct sgrp *) sgr_locate (grp->gr_name);
if (sgr == NULL) {
printf (_("no matching group file entry in %s\n"),
sgr_file);
printf (_("add group '%s' in %s? "),
grp->gr_name, sgr_file);
*errors += 1;
if (yes_or_no (read_only)) {
struct sgrp sg;
struct group gr;
static char *empty = NULL;
sg.sg_name = grp->gr_name;
sg.sg_passwd = grp->gr_passwd;
sg.sg_adm = ∅
sg.sg_mem = grp->gr_mem;
SYSLOG ((LOG_INFO,
"add group '%s' to '%s'",
grp->gr_name, sgr_file));
*changed = true;
if (sgr_update (&sg) == 0) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, sgr_dbname (), sg.sg_name);
fail_exit (E_CANT_UPDATE);
}
/* remove password from /etc/group */
gr = *grp;
gr.gr_passwd = SHADOW_PASSWD_STRING; /* XXX warning: const */
if (gr_update (&gr) == 0) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, gr_dbname (), gr.gr_name);
fail_exit (E_CANT_UPDATE);
}
}
} else {
/**
* Verify that all the members defined in /etc/group are also
* present in /etc/gshadow.
*/
compare_members_lists (grp->gr_name,
grp->gr_mem, sgr->sg_mem,
grp_file, sgr_file);
/* The group entry has a gshadow counterpart.
* Make sure no passwords are in group.
*/
if (strcmp (grp->gr_passwd, SHADOW_PASSWD_STRING) != 0) {
printf (_("group %s has an entry in %s, but its password field in %s is not set to 'x'\n"),
grp->gr_name, sgr_file, grp_file);
*errors += 1;
}
}
}
#endif
}
}
/*
* grp_update - update group file entries
*
* grp_update() updates the new records in the memory databases.
*/
static void grp_update (void)
{
struct group grp;
const struct group *ogrp;
#ifdef SHADOWGRP
struct sgrp sgrp;
const struct sgrp *osgrp = NULL;
#endif /* SHADOWGRP */
/*
* Get the current settings for this group.
*/
ogrp = gr_locate (group_name);
if (!ogrp) {
fprintf (stderr,
_("%s: group '%s' does not exist in %s\n"),
Prog, group_name, gr_dbname ());
exit (E_GRP_UPDATE);
}
grp = *ogrp;
new_grent (&grp);
#ifdef SHADOWGRP
if ( is_shadow_grp
&& (pflg || nflg)) {
osgrp = sgr_locate (group_name);
if (NULL != osgrp) {
sgrp = *osgrp;
new_sgent (&sgrp);
if (pflg) {
grp.gr_passwd = SHADOW_PASSWD_STRING;
}
}
}
#endif /* SHADOWGRP */
if (gflg) {
update_primary_groups (ogrp->gr_gid, group_newid);
}
/*
* Write out the new group file entry.
*/
if (gr_update (&grp) == 0) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, gr_dbname (), grp.gr_name);
exit (E_GRP_UPDATE);
}
if (nflg && (gr_remove (group_name) == 0)) {
fprintf (stderr,
_("%s: cannot remove entry '%s' from %s\n"),
Prog, grp.gr_name, gr_dbname ());
exit (E_GRP_UPDATE);
}
#ifdef SHADOWGRP
/*
* Make sure there was a shadow entry to begin with.
*/
if ( (NULL != osgrp)
&& (pflg || nflg)) {
/*
* Write out the new shadow group entries as well.
*/
if (sgr_update (&sgrp) == 0) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, sgr_dbname (), sgrp.sg_name);
exit (E_GRP_UPDATE);
}
if (nflg && (sgr_remove (group_name) == 0)) {
fprintf (stderr,
_("%s: cannot remove entry '%s' from %s\n"),
Prog, group_name, sgr_dbname ());
exit (E_GRP_UPDATE);
}
}
#endif /* SHADOWGRP */
}
/*
* prepare_failure_reports - Prepare the cleanup_info structure for logging
* of success and failure to syslog or audit.
*/
static void prepare_failure_reports (void)
{
info_group.name = group_name;
#ifdef SHADOWGRP
info_gshadow.name = group_name;
#endif
info_passwd.name = group_name;
info_group.audit_msg = xmalloc (512);
#ifdef SHADOWGRP
info_gshadow.audit_msg = xmalloc (512);
#endif
info_passwd.audit_msg = xmalloc (512);
snprintf (info_group.audit_msg, 511,
"changing %s; ", gr_dbname ());
#ifdef SHADOWGRP
snprintf (info_gshadow.audit_msg, 511,
"changing %s; ", sgr_dbname ());
#endif
snprintf (info_passwd.audit_msg, 511,
"changing %s; ", pw_dbname ());
info_group.action = info_group.audit_msg
+ strlen (info_group.audit_msg);
#ifdef SHADOWGRP
info_gshadow.action = info_gshadow.audit_msg
+ strlen (info_gshadow.audit_msg);
#endif
info_passwd.action = info_passwd.audit_msg
+ strlen (info_passwd.audit_msg);
snprintf (info_group.action, 511 - strlen (info_group.audit_msg),
"group %s/%lu", group_name, (unsigned long int) group_id);
#ifdef SHADOWGRP
snprintf (info_gshadow.action, 511 - strlen (info_group.audit_msg),
"group %s", group_name);
#endif
snprintf (info_passwd.action, 511 - strlen (info_group.audit_msg),
"group %s/%lu", group_name, (unsigned long int) group_id);
if (nflg) {
strncat (info_group.action, ", new name: ",
511 - strlen (info_group.audit_msg));
strncat (info_group.action, group_newname,
511 - strlen (info_group.audit_msg));
#ifdef SHADOWGRP
strncat (info_gshadow.action, ", new name: ",
511 - strlen (info_gshadow.audit_msg));
strncat (info_gshadow.action, group_newname,
511 - strlen (info_gshadow.audit_msg));
#endif
strncat (info_passwd.action, ", new name: ",
511 - strlen (info_passwd.audit_msg));
strncat (info_passwd.action, group_newname,
511 - strlen (info_passwd.audit_msg));
}
if (pflg) {
strncat (info_group.action, ", new password",
511 - strlen (info_group.audit_msg));
#ifdef SHADOWGRP
strncat (info_gshadow.action, ", new password",
511 - strlen (info_gshadow.audit_msg));
#endif
}
if (gflg) {
strncat (info_group.action, ", new gid: ",
511 - strlen (info_group.audit_msg));
snprintf (info_group.action+strlen (info_group.action),
511 - strlen (info_group.audit_msg),
"%lu", (unsigned long int) group_newid);
strncat (info_passwd.action, ", new gid: ",
511 - strlen (info_passwd.audit_msg));
snprintf (info_passwd.action+strlen (info_passwd.action),
511 - strlen (info_passwd.audit_msg),
"%lu", (unsigned long int) group_newid);
}
info_group.audit_msg[511] = '\0';
#ifdef SHADOWGRP
info_gshadow.audit_msg[511] = '\0';
#endif
info_passwd.audit_msg[511] = '\0';
// FIXME: add a system cleanup
add_cleanup (cleanup_report_mod_group, &info_group);
#ifdef SHADOWGRP
if ( is_shadow_grp
&& (pflg || nflg)) {
add_cleanup (cleanup_report_mod_gshadow, &info_gshadow);
}
#endif
if (gflg) {
add_cleanup (cleanup_report_mod_passwd, &info_passwd);
}
}