/* * close_files - close and unlock the group databases */ static void close_files (void) { #ifdef SHADOWGRP if (is_shadow_grp) { if (sgr_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ())); fail_exit (1); } if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); /* continue */ } sgr_locked = false; } #endif if (gr_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ())); fail_exit (1); } if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); /* continue */ } gr_locked = false; }
/* * fail_exit - undo as much as possible */ static void fail_exit (int code) { if (spw_locked) { if (spw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ } } if (pw_locked) { if (pw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); /* continue */ } } if (gr_locked) { if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); /* continue */ } } #ifdef SHADOWGRP if (sgr_locked) { if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); /* continue */ } } #endif exit (code); }
/* * open_files - open the accounts databases * * open_files() opens the group, gshadow, and passwd databases. */ static void open_files (void) { if (gr_open (O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); exit (E_GRP_UPDATE); } #ifdef SHADOWGRP if ( is_shadow_grp && (pflg || nflg)) { if (sgr_open (O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); exit (E_GRP_UPDATE); } } #endif /* SHADOWGRP */ if (gflg) { if (pw_open (O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); exit (E_GRP_UPDATE); } } }
/* * fail_exit - exit with a failure code after unlocking the files */ static void fail_exit (int code) { if (pw_locked) { if (pw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); /* continue */ } } if (gr_locked) { if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); /* continue */ } } if (spw_locked) { if (spw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ } } #ifdef SHADOWGRP if (sgr_locked) { if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); /* continue */ } } #endif /* SHADOWGRP */ #ifdef ENABLE_SUBIDS if (sub_uid_locked) { if (sub_uid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); /* continue */ } } if (sub_gid_locked) { if (sub_gid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); /* continue */ } } #endif /* ENABLE_SUBIDS */ #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, "deleting user", user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ exit (code); }
/* * close_files - close all of the files that were opened * * close_files() closes all of the files that were opened for this new * group. This causes any modified entries to be written out. */ static void close_files (void) { /* First, write the changes in the regular group database */ if (gr_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, "adding group to /etc/group", group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, "group added to %s: name=%s, GID=%u", gr_dbname (), group_name, (unsigned int) group_id)); del_cleanup (cleanup_report_add_group_group); cleanup_unlock_group (NULL); del_cleanup (cleanup_unlock_group); /* Now, write the changes in the shadow database */ #ifdef SHADOWGRP if (is_shadow_grp) { if (sgr_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, "adding group to /etc/gshadow", group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, "group added to %s: name=%s", sgr_dbname (), group_name)); del_cleanup (cleanup_report_add_group_gshadow); cleanup_unlock_gshadow (NULL); del_cleanup (cleanup_unlock_gshadow); } #endif /* SHADOWGRP */ /* Report success at the system level */ #ifdef WITH_AUDIT audit_logger (AUDIT_ADD_GROUP, Prog, "", group_name, (unsigned int) group_id, SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", group_name, (unsigned int) group_id)); del_cleanup (cleanup_report_add_group); }
/* * open_files - lock and open the group databases * * It will call exit in case of error. */ static void open_files (void) { if (gr_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); exit (E_NOPERM); } add_cleanup (cleanup_unlock_group, NULL); #ifdef SHADOWGRP if (is_shadowgrp) { if (sgr_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); exit (E_NOPERM); } add_cleanup (cleanup_unlock_gshadow, NULL); } #endif /* SHADOWGRP */ add_cleanup (log_gpasswd_failure_system, NULL); if (gr_open (O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); exit (E_NOPERM); } #ifdef SHADOWGRP if (is_shadowgrp) { if (sgr_open (O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); exit (E_NOPERM); } add_cleanup (log_gpasswd_failure_gshadow, NULL); } #endif /* SHADOWGRP */ add_cleanup (log_gpasswd_failure_group, NULL); del_cleanup (log_gpasswd_failure_system); }
/* * open_files - lock and open the group files * * open_files() opens the two group files. */ static void open_files (void) { /* First, lock the databases */ if (gr_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); exit (E_GRP_UPDATE); } add_cleanup (cleanup_unlock_group, NULL); #ifdef SHADOWGRP if (is_shadow_grp) { if (sgr_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); exit (E_GRP_UPDATE); } add_cleanup (cleanup_unlock_gshadow, NULL); } #endif /* * Now, if the group is not removed, it's our fault. * Make sure failures will be reported. */ add_cleanup (cleanup_report_del_group, group_name); /* An now open the databases */ if (gr_open (O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); exit (E_GRP_UPDATE); } #ifdef SHADOWGRP if (is_shadow_grp) { if (sgr_open (O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); exit (E_GRP_UPDATE); } } #endif /* SHADOWGRP */ }
/* * lock_files - lock the accounts databases * * lock_files() locks the group, gshadow, and passwd databases. */ static void lock_files (void) { if (gr_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); exit (E_GRP_UPDATE); } add_cleanup (cleanup_unlock_group, NULL); #ifdef SHADOWGRP if ( is_shadow_grp && (pflg || nflg)) { if (sgr_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); exit (E_GRP_UPDATE); } add_cleanup (cleanup_unlock_gshadow, NULL); } #endif if (gflg) { if (pw_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, pw_dbname ()); exit (E_GRP_UPDATE); } add_cleanup (cleanup_unlock_passwd, NULL); } }
static void log_gpasswd_success_group (unused void *arg) { char buf[1024]; snprintf (buf, 1023, " in %s", gr_dbname ()); buf[1023] = '\0'; log_gpasswd_success (buf); }
/* * close_files - close and unlock the group databases * * This cause any changes in the databases to be committed. * * It will call exit in case of error. */ static void close_files (void) { if (gr_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); exit (E_NOPERM); } add_cleanup (log_gpasswd_success_group, NULL); del_cleanup (log_gpasswd_failure_group); cleanup_unlock_group (NULL); del_cleanup (cleanup_unlock_group); #ifdef SHADOWGRP if (is_shadowgrp) { if (sgr_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); exit (E_NOPERM); } del_cleanup (log_gpasswd_failure_gshadow); cleanup_unlock_gshadow (NULL); del_cleanup (cleanup_unlock_gshadow); } #endif /* SHADOWGRP */ log_gpasswd_success_system (NULL); del_cleanup (log_gpasswd_success_group); }
/* * close_files - close and unlock the group/gshadow databases * * If changed is not set, the databases are not closed, and no * changes are committed in the databases. The databases are * unlocked anyway. */ static void close_files (bool changed) { /* * All done. If there were no change we can just abandon any * changes to the files. */ if (changed) { if (gr_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, grp_file); fail_exit (E_CANT_UPDATE); } #ifdef SHADOWGRP if (is_shadow && (sgr_close () == 0)) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_file); fail_exit (E_CANT_UPDATE); } #endif } /* * Don't be anti-social - unlock the files when you're done. */ #ifdef SHADOWGRP if (sgr_locked) { if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); /* continue */ } sgr_locked = false; } #endif if (gr_locked) { if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); /* continue */ } gr_locked = false; } }
static void fail_exit (int status) { if (gr_locked) { if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); /* continue */ } } if (sgr_locked) { if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); /* continue */ } } exit (status); }
/* * grp_update - add new group file entries * * grp_update() writes the new records to the group files. */ static void grp_update (void) { struct group grp; #ifdef SHADOWGRP struct sgrp sgrp; #endif /* SHADOWGRP */ /* * To add the group, we need to update /etc/group. * Make sure failures will be reported. */ add_cleanup (cleanup_report_add_group_group, group_name); #ifdef SHADOWGRP if (is_shadow_grp) { /* We also need to update /etc/gshadow */ add_cleanup (cleanup_report_add_group_gshadow, group_name); } #endif /* * Create the initial entries for this new group. */ new_grent (&grp); #ifdef SHADOWGRP new_sgent (&sgrp); if (is_shadow_grp && pflg) { grp.gr_passwd = SHADOW_PASSWD_STRING; /* XXX warning: const */ } #endif /* SHADOWGRP */ /* * Write out the new group file entry. */ if (gr_update (&grp) == 0) { fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), grp.gr_name); exit (E_GRP_UPDATE); } #ifdef SHADOWGRP /* * Write out the new shadow group entries as well. */ if (is_shadow_grp && (sgr_update (&sgrp) == 0)) { fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), sgrp.sg_name); exit (E_GRP_UPDATE); } #endif /* SHADOWGRP */ }
/* * open_files - lock and open the group databases */ static void open_files (void) { /* * Lock the group file and open it for reading and writing. This will * bring all of the entries into memory where they may be updated. */ if (gr_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); fail_exit (1); } gr_locked = true; if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); fail_exit (1); } #ifdef SHADOWGRP /* Do the same for the shadowed database, if it exist */ if (is_shadow_grp) { if (sgr_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); fail_exit (1); } sgr_locked = true; if (sgr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); fail_exit (1); } } #endif }
/* * fail_exit - exit with an error code after unlocking files */ static void fail_exit (int status) { if (gr_locked) { if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); /* continue */ } } #ifdef SHADOWGRP if (sgr_locked) { if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); /* continue */ } } #endif closelog (); exit (status); }
static void update_group (struct group *gr) #endif { if (gr_update (gr) == 0) { fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), gr->gr_name); exit (1); } #ifdef SHADOWGRP if (is_shadowgrp && (sgr_update (sg) == 0)) { fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), sg->sg_name); exit (1); } #endif /* SHADOWGRP */ }
/* * grp_update - update group file entries * * grp_update() writes the new records to the group files. */ static void grp_update (void) { /* * To add the group, we need to update /etc/group. * Make sure failures will be reported. */ add_cleanup (cleanup_report_del_group_group, group_name); #ifdef SHADOWGRP if (is_shadow_grp) { /* We also need to update /etc/gshadow */ add_cleanup (cleanup_report_del_group_gshadow, group_name); } #endif /* * Delete the group entry. */ if (gr_remove (group_name) == 0) { fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, gr_dbname ()); exit (E_GRP_UPDATE); } #ifdef SHADOWGRP /* * Delete the shadow group entries as well. */ if (is_shadow_grp && (sgr_locate (group_name) != NULL)) { if (sgr_remove (group_name) == 0) { fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, sgr_dbname ()); exit (E_GRP_UPDATE); } } #endif /* SHADOWGRP */ }
static void open_files (void) { if (pw_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, pw_dbname ()); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, "locking password file", user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ fail_exit (E_PW_UPDATE); } pw_locked = true; if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, "opening password file", user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ fail_exit (E_PW_UPDATE); } if (is_shadow_pwd) { if (spw_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, spw_dbname ()); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, "locking shadow password file", user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ fail_exit (E_PW_UPDATE); } spw_locked = true; if (spw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, "opening shadow password file", user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ fail_exit (E_PW_UPDATE); } } if (gr_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, "locking group file", user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ fail_exit (E_GRP_UPDATE); } gr_locked = true; if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, "opening group file", user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ fail_exit (E_GRP_UPDATE); } #ifdef SHADOWGRP if (is_shadow_grp) { if (sgr_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, "locking shadow group file", user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ fail_exit (E_GRP_UPDATE); } sgr_locked= true; if (sgr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, "opening shadow group file", user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ fail_exit (E_GRP_UPDATE); } } #endif /* SHADOWGRP */ #ifdef ENABLE_SUBIDS if (is_sub_uid) { if (sub_uid_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_uid_dbname ()); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, "locking subordinate user file", user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ fail_exit (E_SUB_UID_UPDATE); } sub_uid_locked = true; if (sub_uid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, "opening subordinate user file", user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ fail_exit (E_SUB_UID_UPDATE); } } if (is_sub_gid) { if (sub_gid_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_gid_dbname ()); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, "locking subordinate group file", user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ fail_exit (E_SUB_GID_UPDATE); } sub_gid_locked = true; if (sub_gid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_gid_dbname ()); #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog, "opening subordinate group file", user_name, (unsigned int) user_id, SHADOW_AUDIT_FAILURE); #endif /* WITH_AUDIT */ fail_exit (E_SUB_GID_UPDATE); } } #endif /* ENABLE_SUBIDS */ }
int main (int argc, char **argv) { char buf[BUFSIZ]; char *name; char *newpwd; char *cp; #ifdef SHADOWGRP const struct sgrp *sg; struct sgrp newsg; #endif const struct group *gr; struct group newgr; int errors = 0; int line = 0; Prog = Basename (argv[0]); (void) setlocale (LC_ALL, ""); (void) bindtextdomain (PACKAGE, LOCALEDIR); (void) textdomain (PACKAGE); process_root_flag ("-R", argc, argv); process_flags (argc, argv); OPENLOG ("chgpasswd"); check_perms (); #ifdef SHADOWGRP is_shadow_grp = sgr_file_present (); #endif open_files (); /* * Read each line, separating the group name from the password. The * group entry for each group will be looked up in the appropriate * file (gshadow or group) and the password changed. */ while (fgets (buf, (int) sizeof buf, stdin) != (char *) 0) { line++; cp = strrchr (buf, '\n'); if (NULL != cp) { *cp = '\0'; } else { fprintf (stderr, _("%s: line %d: line too long\n"), Prog, line); errors++; continue; } /* * The group's name is the first field. It is separated from * the password with a ":" character which is replaced with a * NUL to give the new password. The new password will then * be encrypted in the normal fashion with a new salt * generated, unless the '-e' is given, in which case it is * assumed to already be encrypted. */ name = buf; cp = strchr (name, ':'); if (NULL != cp) { *cp = '\0'; cp++; } else { fprintf (stderr, _("%s: line %d: missing new password\n"), Prog, line); errors++; continue; } newpwd = cp; if ( (!eflg) && ( (NULL == crypt_method) || (0 != strcmp (crypt_method, "NONE")))) { void *arg = NULL; const char *salt; if (md5flg) { crypt_method = "MD5"; } #ifdef USE_SHA_CRYPT if (sflg) { arg = &sha_rounds; } #endif salt = crypt_make_salt (crypt_method, arg); cp = pw_encrypt (newpwd, salt); if (NULL == cp) { fprintf (stderr, _("%s: failed to crypt password with salt '%s': %s\n"), Prog, salt, strerror (errno)); fail_exit (1); } } /* * Get the group file entry for this group. The group must * already exist. */ gr = gr_locate (name); if (NULL == gr) { fprintf (stderr, _("%s: line %d: group '%s' does not exist\n"), Prog, line, name); errors++; continue; } #ifdef SHADOWGRP if (is_shadow_grp) { /* The gshadow entry should be updated if the * group entry has a password set to 'x'. * But on the other hand, if there is already both * a group and a gshadow password, it's preferable * to update both. */ sg = sgr_locate (name); if ( (NULL == sg) && (strcmp (gr->gr_passwd, SHADOW_PASSWD_STRING) == 0)) { static char *empty = NULL; /* If the password is set to 'x' in * group, but there are no entries in * gshadow, create one. */ newsg.sg_name = name; /* newsg.sg_passwd = NULL; will be set later */ newsg.sg_adm = ∅ newsg.sg_mem = dup_list (gr->gr_mem); sg = &newsg; } } else { sg = NULL; } #endif /* * The freshly encrypted new password is merged into the * group's entry. */ #ifdef SHADOWGRP if (NULL != sg) { newsg = *sg; newsg.sg_passwd = cp; } if ( (NULL == sg) || (strcmp (gr->gr_passwd, SHADOW_PASSWD_STRING) != 0)) #endif { newgr = *gr; newgr.gr_passwd = cp; } /* * The updated group file entry is then put back and will * be written to the group file later, after all the * other entries have been updated as well. */ #ifdef SHADOWGRP if (NULL != sg) { if (sgr_update (&newsg) == 0) { fprintf (stderr, _("%s: line %d: failed to prepare the new %s entry '%s'\n"), Prog, line, sgr_dbname (), newsg.sg_name); errors++; continue; } } if ( (NULL == sg) || (strcmp (gr->gr_passwd, SHADOW_PASSWD_STRING) != 0)) #endif { if (gr_update (&newgr) == 0) { fprintf (stderr, _("%s: line %d: failed to prepare the new %s entry '%s'\n"), Prog, line, gr_dbname (), newgr.gr_name); errors++; continue; } } } /* * Any detected errors will cause the entire set of changes to be * aborted. Unlocking the group file will cause all of the * changes to be ignored. Otherwise the file is closed, causing the * changes to be written out all at once, and then unlocked * afterwards. */ if (0 != errors) { fprintf (stderr, _("%s: error detected, changes ignored\n"), Prog); fail_exit (1); } close_files (); nscd_flush_cache ("group"); return (0); }
/* * close_files - close and unlock the password, group and shadow databases */ static void close_files (void) { if (pw_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname ())); fail_exit (EXIT_FAILURE); } if (pw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ())); /* continue */ } pw_locked = false; if (is_shadow) { if (spw_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failure while writing changes to %s", spw_dbname ())); fail_exit (EXIT_FAILURE); } if (spw_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ } spw_locked = false; } if (gr_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ())); fail_exit (EXIT_FAILURE); } #ifdef ENABLE_SUBIDS if (is_sub_uid && (sub_uid_close () == 0)) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ()); SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_uid_dbname ())); fail_exit (EXIT_FAILURE); } if (is_sub_gid && (sub_gid_close () == 0)) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_gid_dbname ()); SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ())); fail_exit (EXIT_FAILURE); } #endif /* ENABLE_SUBIDS */ if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); /* continue */ } gr_locked = false; #ifdef SHADOWGRP if (is_shadow_grp) { if (sgr_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ())); fail_exit (EXIT_FAILURE); } if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); /* continue */ } sgr_locked = false; } #endif #ifdef ENABLE_SUBIDS if (is_sub_uid) { if (sub_uid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ())); /* continue */ } sub_uid_locked = false; } if (is_sub_gid) { if (sub_gid_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ())); /* continue */ } sub_gid_locked = false; } #endif /* ENABLE_SUBIDS */ }
int main (int argc, char **argv) { bool editshadow = false; char *a; bool do_vipw; (void) setlocale (LC_ALL, ""); (void) bindtextdomain (PACKAGE, LOCALEDIR); (void) textdomain (PACKAGE); progname = ((a = strrchr (*argv, '/')) ? a + 1 : *argv); do_vipw = (strcmp (progname, "vigr") != 0); OPENLOG (do_vipw ? "vipw" : "vigr"); { /* * Parse the command line options. */ int c; static struct option long_options[] = { {"group", no_argument, NULL, 'g'}, {"help", no_argument, NULL, 'h'}, {"passwd", no_argument, NULL, 'p'}, {"quiet", no_argument, NULL, 'q'}, {"shadow", no_argument, NULL, 's'}, #ifdef WITH_TCB {"user", required_argument, NULL, 'u'}, #endif /* WITH_TCB */ {NULL, 0, NULL, '\0'} }; while ((c = getopt_long (argc, argv, #ifdef WITH_TCB "ghpqsu:", #else /* !WITH_TCB */ "ghpqs", #endif /* !WITH_TCB */ long_options, NULL)) != -1) { switch (c) { case 'g': do_vipw = false; break; case 'h': usage (E_SUCCESS); break; case 'p': do_vipw = true; break; case 'q': quiet = true; break; case 's': editshadow = true; break; #ifdef WITH_TCB case 'u': user = optarg; break; #endif /* WITH_TCB */ default: usage (E_USAGE); } } } if (do_vipw) { if (editshadow) { #ifdef WITH_TCB if (getdef_bool ("USE_TCB") && (NULL != user)) { if (shadowtcb_set_user (user) == SHADOWTCB_FAILURE) { fprintf (stderr, _("%s: failed to find tcb directory for %s\n"), progname, user); return E_SHADOW_NOTFOUND; } tcb_mode = true; } #endif /* WITH_TCB */ vipwedit (spw_dbname (), spw_lock, spw_unlock); printf (MSG_WARN_EDIT_OTHER_FILE, spw_dbname (), pw_dbname (), "vipw"); } else { vipwedit (pw_dbname (), pw_lock, pw_unlock); if (spw_file_present ()) { printf (MSG_WARN_EDIT_OTHER_FILE, pw_dbname (), spw_dbname (), "vipw -s"); } } } else { #ifdef SHADOWGRP if (editshadow) { vipwedit (sgr_dbname (), sgr_lock, sgr_unlock); printf (MSG_WARN_EDIT_OTHER_FILE, sgr_dbname (), gr_dbname (), "vigr"); } else { #endif /* SHADOWGRP */ vipwedit (gr_dbname (), gr_lock, gr_unlock); #ifdef SHADOWGRP if (sgr_file_present ()) { printf (MSG_WARN_EDIT_OTHER_FILE, gr_dbname (), sgr_dbname (), "vigr -s"); } } #endif /* SHADOWGRP */ } nscd_flush_cache ("passwd"); nscd_flush_cache ("group"); return E_SUCCESS; }
/* * remove_usergroup - delete the user's group if it is a usergroup * * An usergroup is removed if * + it has the same name as the user * + it is the primary group of the user * + it has no other members * + it is not the primary group of any other user */ static void remove_usergroup (void) { const struct group *grp; const struct passwd *pwd = NULL; grp = gr_locate (user_name); if (NULL == grp) { /* This user has no usergroup. */ return; } if (grp->gr_gid != user_gid) { fprintf (stderr, _("%s: group %s not removed because it is not the primary group of user %s.\n"), Prog, grp->gr_name, user_name); return; } if (NULL != grp->gr_mem[0]) { /* The usergroup has other members. */ fprintf (stderr, _("%s: group %s not removed because it has other members.\n"), Prog, grp->gr_name); return; } if (!fflg) { /* * Scan the passwd file to check if this group is still * used as a primary group. */ setpwent (); while ((pwd = getpwent ()) != NULL) { if (strcmp (pwd->pw_name, user_name) == 0) { continue; } if (pwd->pw_gid == grp->gr_gid) { fprintf (stderr, _("%s: group %s is the primary group of another user and is not removed.\n"), Prog, grp->gr_name); break; } } endpwent (); } if (NULL == pwd) { /* * We can remove this group, it is not the primary * group of any remaining user. */ if (gr_remove (user_name) == 0) { fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, user_name, gr_dbname ()); fail_exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_GROUP, Prog, "deleting group", user_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "removed group '%s' owned by '%s'\n", user_name, user_name)); #ifdef SHADOWGRP if (sgr_locate (user_name) != NULL) { if (sgr_remove (user_name) == 0) { fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, user_name, sgr_dbname ()); fail_exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_GROUP, Prog, "deleting shadow group", user_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif /* WITH_AUDIT */ SYSLOG ((LOG_INFO, "removed shadow group '%s' owned by '%s'\n", user_name, user_name)); } #endif /* SHADOWGRP */ } }
static void get_group (struct group *gr) #endif { struct group const*tmpgr = NULL; #ifdef SHADOWGRP struct sgrp const*tmpsg = NULL; #endif if (gr_open (O_RDONLY) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ())); exit (E_NOPERM); } tmpgr = gr_locate (group); if (NULL == tmpgr) { fprintf (stderr, _("%s: group '%s' does not exist in %s\n"), Prog, group, gr_dbname ()); exit (E_BAD_ARG); } *gr = *tmpgr; gr->gr_name = xstrdup (tmpgr->gr_name); gr->gr_passwd = xstrdup (tmpgr->gr_passwd); gr->gr_mem = dup_list (tmpgr->gr_mem); if (gr_close () == 0) { fprintf (stderr, _("%s: failure while closing read-only %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failure while closing read-only %s", gr_dbname ())); exit (E_NOPERM); } #ifdef SHADOWGRP if (is_shadowgrp) { if (sgr_open (O_RDONLY) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ())); exit (E_NOPERM); } tmpsg = sgr_locate (group); if (NULL != tmpsg) { *sg = *tmpsg; sg->sg_name = xstrdup (tmpsg->sg_name); sg->sg_passwd = xstrdup (tmpsg->sg_passwd); sg->sg_mem = dup_list (tmpsg->sg_mem); sg->sg_adm = dup_list (tmpsg->sg_adm); } else { sg->sg_name = xstrdup (group); sg->sg_passwd = gr->gr_passwd; gr->gr_passwd = SHADOW_PASSWD_STRING; /* XXX warning: const */ sg->sg_mem = dup_list (gr->gr_mem); sg->sg_adm = (char **) xmalloc (sizeof (char *) * 2); #ifdef FIRST_MEMBER_IS_ADMIN if (sg->sg_mem[0]) { sg->sg_adm[0] = xstrdup (sg->sg_mem[0]); sg->sg_adm[1] = NULL; } else #endif { sg->sg_adm[0] = NULL; } } if (sgr_close () == 0) { fprintf (stderr, _("%s: failure while closing read-only %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failure while closing read-only %s", sgr_dbname ())); exit (E_NOPERM); } } #endif /* SHADOWGRP */ }
/* * grp_update - update group file entries * * grp_update() updates the new records in the memory databases. */ static void grp_update (void) { struct group grp; const struct group *ogrp; #ifdef SHADOWGRP struct sgrp sgrp; const struct sgrp *osgrp = NULL; #endif /* SHADOWGRP */ /* * Get the current settings for this group. */ ogrp = gr_locate (group_name); if (NULL == ogrp) { fprintf (stderr, _("%s: group '%s' does not exist in %s\n"), Prog, group_name, gr_dbname ()); exit (E_GRP_UPDATE); } grp = *ogrp; new_grent (&grp); #ifdef SHADOWGRP if ( is_shadow_grp && (pflg || nflg)) { osgrp = sgr_locate (group_name); if (NULL != osgrp) { sgrp = *osgrp; new_sgent (&sgrp); } else if ( pflg && (strcmp (grp.gr_passwd, SHADOW_PASSWD_STRING) == 0)) { static char *empty = NULL; /* If there is a gshadow file with no entries for * the group, but the group file indicates a * shadowed password, we force the creation of a * gshadow entry when a new password is requested. */ memset (&sgrp, 0, sizeof sgrp); sgrp.sg_name = xstrdup (grp.gr_name); sgrp.sg_passwd = xstrdup (grp.gr_passwd); sgrp.sg_adm = ∅ sgrp.sg_mem = dup_list (grp.gr_mem); new_sgent (&sgrp); osgrp = &sgrp; /* entry needs to be committed */ } } #endif /* SHADOWGRP */ if (gflg) { update_primary_groups (ogrp->gr_gid, group_newid); } /* * Write out the new group file entry. */ if (gr_update (&grp) == 0) { fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), grp.gr_name); exit (E_GRP_UPDATE); } if (nflg && (gr_remove (group_name) == 0)) { fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, grp.gr_name, gr_dbname ()); exit (E_GRP_UPDATE); } #ifdef SHADOWGRP /* * Make sure there was a shadow entry to begin with. */ if (NULL != osgrp) { /* * Write out the new shadow group entries as well. */ if (sgr_update (&sgrp) == 0) { fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), sgrp.sg_name); exit (E_GRP_UPDATE); } if (nflg && (sgr_remove (group_name) == 0)) { fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, sgr_dbname ()); exit (E_GRP_UPDATE); } } #endif /* SHADOWGRP */ }
/* * open_files - lock and open the password, group and shadow databases */ static void open_files (void) { /* * Lock the password files and open them for update. This will bring * all of the entries into memory where they may be searched for an * modified, or new entries added. The password file is the key - if * it gets locked, assume the others can be locked right away. */ if (pw_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, pw_dbname ()); fail_exit (EXIT_FAILURE); } pw_locked = true; if (is_shadow) { if (spw_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, spw_dbname ()); fail_exit (EXIT_FAILURE); } spw_locked = true; } if (gr_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); fail_exit (EXIT_FAILURE); } gr_locked = true; #ifdef SHADOWGRP if (is_shadow_grp) { if (sgr_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); fail_exit (EXIT_FAILURE); } sgr_locked = true; } #endif #ifdef ENABLE_SUBIDS if (is_sub_uid) { if (sub_uid_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_uid_dbname ()); fail_exit (EXIT_FAILURE); } sub_uid_locked = true; } if (is_sub_gid) { if (sub_gid_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sub_gid_dbname ()); fail_exit (EXIT_FAILURE); } sub_gid_locked = true; } #endif /* ENABLE_SUBIDS */ if (pw_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ()); fail_exit (EXIT_FAILURE); } if (is_shadow && (spw_open (O_CREAT | O_RDWR) == 0)) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ()); fail_exit (EXIT_FAILURE); } if (gr_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); fail_exit (EXIT_FAILURE); } #ifdef SHADOWGRP if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); fail_exit (EXIT_FAILURE); } #endif #ifdef ENABLE_SUBIDS if (is_sub_uid) { if (sub_uid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_uid_dbname ()); fail_exit (EXIT_FAILURE); } } if (is_sub_gid) { if (sub_gid_open (O_CREAT | O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sub_gid_dbname ()); fail_exit (EXIT_FAILURE); } } #endif /* ENABLE_SUBIDS */ }
int main (int argc, char **argv) { const struct group *gr; struct group grent; const struct sgrp *sg; Prog = Basename (argv[0]); (void) setlocale (LC_ALL, ""); (void) bindtextdomain (PACKAGE, LOCALEDIR); (void) textdomain (PACKAGE); process_root_flag ("-R", argc, argv); OPENLOG ("grpunconv"); process_flags (argc, argv); if (sgr_file_present () == 0) { exit (0); /* no /etc/gshadow, nothing to do */ } if (gr_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, gr_dbname ()); fail_exit (5); } gr_locked = true; if (gr_open (O_RDWR) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ()); fail_exit (1); } if (sgr_lock () == 0) { fprintf (stderr, _("%s: cannot lock %s; try again later.\n"), Prog, sgr_dbname ()); fail_exit (5); } sgr_locked = true; if (sgr_open (O_RDONLY) == 0) { fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ()); fail_exit (1); } /* * Update group passwords if non-shadow password is "x". */ (void) gr_rewind (); while ((gr = gr_next ()) != NULL) { sg = sgr_locate (gr->gr_name); if ( (NULL != sg) && (strcmp (gr->gr_passwd, SHADOW_PASSWD_STRING) == 0)) { /* add password to /etc/group */ grent = *gr; grent.gr_passwd = sg->sg_passwd; if (gr_update (&grent) == 0) { fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), grent.gr_name); fail_exit (3); } } } (void) sgr_close (); /* was only open O_RDONLY */ if (gr_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ())); fail_exit (3); } if (unlink (SGROUP_FILE) != 0) { fprintf (stderr, _("%s: cannot delete %s\n"), Prog, SGROUP_FILE); SYSLOG ((LOG_ERR, "cannot delete %s", SGROUP_FILE)); fail_exit (3); } if (gr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ())); /* continue */ } if (sgr_unlock () == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ())); /* continue */ } nscd_flush_cache ("group"); return 0; }
/* * close_files - close all of the files that were opened * * close_files() closes all of the files that were opened for this new * group. This causes any modified entries to be written out. */ static void close_files (void) { if (gr_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, gr_dbname ()); exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT audit_logger (AUDIT_USER_ACCT, Prog, info_group.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, "group changed in %s (%s)", gr_dbname (), info_group.action)); del_cleanup (cleanup_report_mod_group); cleanup_unlock_group (NULL); del_cleanup (cleanup_unlock_group); #ifdef SHADOWGRP if ( is_shadow_grp && (pflg || nflg)) { if (sgr_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sgr_dbname ()); exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT audit_logger (AUDIT_USER_ACCT, Prog, info_gshadow.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, "group changed in %s (%s)", sgr_dbname (), info_gshadow.action)); del_cleanup (cleanup_report_mod_gshadow); cleanup_unlock_gshadow (NULL); del_cleanup (cleanup_unlock_gshadow); } #endif /* SHADOWGRP */ if (gflg) { if (pw_close () == 0) { fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname ()); exit (E_GRP_UPDATE); } #ifdef WITH_AUDIT audit_logger (AUDIT_USER_ACCT, Prog, info_passwd.audit_msg, group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif SYSLOG ((LOG_INFO, "group changed in %s (%s)", pw_dbname (), info_passwd.action)); del_cleanup (cleanup_report_mod_passwd); cleanup_unlock_passwd (NULL); del_cleanup (cleanup_unlock_passwd); } #ifdef WITH_AUDIT audit_logger (AUDIT_USER_ACCT, Prog, "modifying group", group_name, AUDIT_NO_ID, SHADOW_AUDIT_SUCCESS); #endif }
/* * check_grp_file - check the content of the group file */ static void check_grp_file (int *errors, bool *changed) { struct commonio_entry *gre, *tgre; struct group *grp; #ifdef SHADOWGRP struct sgrp *sgr; #endif /* * Loop through the entire group file. */ for (gre = __gr_get_head (); NULL != gre; gre = gre->next) { /* * Skip all NIS entries. */ if ((gre->line[0] == '+') || (gre->line[0] == '-')) { continue; } /* * Start with the entries that are completely corrupt. They * have no (struct group) entry because they couldn't be * parsed properly. */ if (NULL == gre->eptr) { /* * Tell the user this entire line is bogus and ask * them to delete it. */ (void) puts (_("invalid group file entry")); printf (_("delete line '%s'? "), gre->line); *errors += 1; /* * prompt the user to delete the entry or not */ if (!yes_or_no (read_only)) { continue; } /* * All group file deletions wind up here. This code * removes the current entry from the linked list. * When done, it skips back to the top of the loop * to try out the next list element. */ delete_gr: SYSLOG ((LOG_INFO, "delete group line '%s'", gre->line)); *changed = true; __gr_del_entry (gre); continue; } /* * Group structure is good, start using it. */ grp = gre->eptr; /* * Make sure this entry has a unique name. */ for (tgre = __gr_get_head (); NULL != tgre; tgre = tgre->next) { const struct group *ent = tgre->eptr; /* * Don't check this entry */ if (tgre == gre) { continue; } /* * Don't check invalid entries. */ if (NULL == ent) { continue; } if (strcmp (grp->gr_name, ent->gr_name) != 0) { continue; } /* * Tell the user this entry is a duplicate of * another and ask them to delete it. */ (void) puts (_("duplicate group entry")); printf (_("delete line '%s'? "), gre->line); *errors += 1; /* * prompt the user to delete the entry or not */ if (yes_or_no (read_only)) { goto delete_gr; } } /* * Check for invalid group names. --marekm */ if (!is_valid_group_name (grp->gr_name)) { *errors += 1; printf (_("invalid group name '%s'\n"), grp->gr_name); } /* * Check for invalid group ID. */ if (grp->gr_gid == (gid_t)-1) { printf (_("invalid group ID '%lu'\n"), (long unsigned int)grp->gr_gid); *errors += 1; } /* * Workaround for a NYS libc 5.3.12 bug on RedHat 4.2 - * groups with no members are returned as groups with one * member "", causing grpck to fail. --marekm */ if ( (NULL != grp->gr_mem[0]) && (NULL == grp->gr_mem[1]) && ('\0' == grp->gr_mem[0][0])) { grp->gr_mem[0] = NULL; } if (check_members (grp->gr_name, grp->gr_mem, _("group %s: no user %s\n"), _("delete member '%s'? "), "delete member '%s' from group '%s'", errors) == 1) { *changed = true; gre->changed = true; __gr_set_changed (); } #ifdef SHADOWGRP /* * Make sure this entry exists in the /etc/gshadow file. */ if (is_shadow) { sgr = (struct sgrp *) sgr_locate (grp->gr_name); if (sgr == NULL) { printf (_("no matching group file entry in %s\n"), sgr_file); printf (_("add group '%s' in %s? "), grp->gr_name, sgr_file); *errors += 1; if (yes_or_no (read_only)) { struct sgrp sg; struct group gr; static char *empty = NULL; sg.sg_name = grp->gr_name; sg.sg_passwd = grp->gr_passwd; sg.sg_adm = ∅ sg.sg_mem = grp->gr_mem; SYSLOG ((LOG_INFO, "add group '%s' to '%s'", grp->gr_name, sgr_file)); *changed = true; if (sgr_update (&sg) == 0) { fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), sg.sg_name); fail_exit (E_CANT_UPDATE); } /* remove password from /etc/group */ gr = *grp; gr.gr_passwd = SHADOW_PASSWD_STRING; /* XXX warning: const */ if (gr_update (&gr) == 0) { fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), gr.gr_name); fail_exit (E_CANT_UPDATE); } } } else { /** * Verify that all the members defined in /etc/group are also * present in /etc/gshadow. */ compare_members_lists (grp->gr_name, grp->gr_mem, sgr->sg_mem, grp_file, sgr_file); /* The group entry has a gshadow counterpart. * Make sure no passwords are in group. */ if (strcmp (grp->gr_passwd, SHADOW_PASSWD_STRING) != 0) { printf (_("group %s has an entry in %s, but its password field in %s is not set to 'x'\n"), grp->gr_name, sgr_file, grp_file); *errors += 1; } } } #endif } }
/* * grp_update - update group file entries * * grp_update() updates the new records in the memory databases. */ static void grp_update (void) { struct group grp; const struct group *ogrp; #ifdef SHADOWGRP struct sgrp sgrp; const struct sgrp *osgrp = NULL; #endif /* SHADOWGRP */ /* * Get the current settings for this group. */ ogrp = gr_locate (group_name); if (!ogrp) { fprintf (stderr, _("%s: group '%s' does not exist in %s\n"), Prog, group_name, gr_dbname ()); exit (E_GRP_UPDATE); } grp = *ogrp; new_grent (&grp); #ifdef SHADOWGRP if ( is_shadow_grp && (pflg || nflg)) { osgrp = sgr_locate (group_name); if (NULL != osgrp) { sgrp = *osgrp; new_sgent (&sgrp); if (pflg) { grp.gr_passwd = SHADOW_PASSWD_STRING; } } } #endif /* SHADOWGRP */ if (gflg) { update_primary_groups (ogrp->gr_gid, group_newid); } /* * Write out the new group file entry. */ if (gr_update (&grp) == 0) { fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, gr_dbname (), grp.gr_name); exit (E_GRP_UPDATE); } if (nflg && (gr_remove (group_name) == 0)) { fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, grp.gr_name, gr_dbname ()); exit (E_GRP_UPDATE); } #ifdef SHADOWGRP /* * Make sure there was a shadow entry to begin with. */ if ( (NULL != osgrp) && (pflg || nflg)) { /* * Write out the new shadow group entries as well. */ if (sgr_update (&sgrp) == 0) { fprintf (stderr, _("%s: failed to prepare the new %s entry '%s'\n"), Prog, sgr_dbname (), sgrp.sg_name); exit (E_GRP_UPDATE); } if (nflg && (sgr_remove (group_name) == 0)) { fprintf (stderr, _("%s: cannot remove entry '%s' from %s\n"), Prog, group_name, sgr_dbname ()); exit (E_GRP_UPDATE); } } #endif /* SHADOWGRP */ }
/* * prepare_failure_reports - Prepare the cleanup_info structure for logging * of success and failure to syslog or audit. */ static void prepare_failure_reports (void) { info_group.name = group_name; #ifdef SHADOWGRP info_gshadow.name = group_name; #endif info_passwd.name = group_name; info_group.audit_msg = xmalloc (512); #ifdef SHADOWGRP info_gshadow.audit_msg = xmalloc (512); #endif info_passwd.audit_msg = xmalloc (512); snprintf (info_group.audit_msg, 511, "changing %s; ", gr_dbname ()); #ifdef SHADOWGRP snprintf (info_gshadow.audit_msg, 511, "changing %s; ", sgr_dbname ()); #endif snprintf (info_passwd.audit_msg, 511, "changing %s; ", pw_dbname ()); info_group.action = info_group.audit_msg + strlen (info_group.audit_msg); #ifdef SHADOWGRP info_gshadow.action = info_gshadow.audit_msg + strlen (info_gshadow.audit_msg); #endif info_passwd.action = info_passwd.audit_msg + strlen (info_passwd.audit_msg); snprintf (info_group.action, 511 - strlen (info_group.audit_msg), "group %s/%lu", group_name, (unsigned long int) group_id); #ifdef SHADOWGRP snprintf (info_gshadow.action, 511 - strlen (info_group.audit_msg), "group %s", group_name); #endif snprintf (info_passwd.action, 511 - strlen (info_group.audit_msg), "group %s/%lu", group_name, (unsigned long int) group_id); if (nflg) { strncat (info_group.action, ", new name: ", 511 - strlen (info_group.audit_msg)); strncat (info_group.action, group_newname, 511 - strlen (info_group.audit_msg)); #ifdef SHADOWGRP strncat (info_gshadow.action, ", new name: ", 511 - strlen (info_gshadow.audit_msg)); strncat (info_gshadow.action, group_newname, 511 - strlen (info_gshadow.audit_msg)); #endif strncat (info_passwd.action, ", new name: ", 511 - strlen (info_passwd.audit_msg)); strncat (info_passwd.action, group_newname, 511 - strlen (info_passwd.audit_msg)); } if (pflg) { strncat (info_group.action, ", new password", 511 - strlen (info_group.audit_msg)); #ifdef SHADOWGRP strncat (info_gshadow.action, ", new password", 511 - strlen (info_gshadow.audit_msg)); #endif } if (gflg) { strncat (info_group.action, ", new gid: ", 511 - strlen (info_group.audit_msg)); snprintf (info_group.action+strlen (info_group.action), 511 - strlen (info_group.audit_msg), "%lu", (unsigned long int) group_newid); strncat (info_passwd.action, ", new gid: ", 511 - strlen (info_passwd.audit_msg)); snprintf (info_passwd.action+strlen (info_passwd.action), 511 - strlen (info_passwd.audit_msg), "%lu", (unsigned long int) group_newid); } info_group.audit_msg[511] = '\0'; #ifdef SHADOWGRP info_gshadow.audit_msg[511] = '\0'; #endif info_passwd.audit_msg[511] = '\0'; // FIXME: add a system cleanup add_cleanup (cleanup_report_mod_group, &info_group); #ifdef SHADOWGRP if ( is_shadow_grp && (pflg || nflg)) { add_cleanup (cleanup_report_mod_gshadow, &info_gshadow); } #endif if (gflg) { add_cleanup (cleanup_report_mod_passwd, &info_passwd); } }