static bool ChangePassword(const char *puser, const char *password, PasswordFormat format)
{
if (format == PASSWORD_FORMAT_PLAINTEXT)
{
return ChangePlaintextPasswordUsingLibPam(puser, password);
}
assert(format == PASSWORD_FORMAT_HASH);
#ifdef HAVE_CHPASSWD
struct stat statbuf;
if (stat(CHPASSWD, &statbuf) != -1 && SupportsOption(CHPASSWD, "-e"))
{
return ChangePasswordHashUsingChpasswd(puser, password);
}
else
#endif
#if defined(HAVE_LCKPWDF) && defined(HAVE_ULCKPWDF)
{
return ChangePasswordHashUsingLckpwdf(puser, password);
}
#elif defined(HAVE_CHPASSWD)
{
Log(LOG_LEVEL_ERR, "No means to set password for user '%s' was found. Tried using the '%s' tool with no luck.",
puser, CHPASSWD);
return false;
}
#else
{
Log(LOG_LEVEL_WARNING, "Setting hashed password or locking user '%s' not supported on this platform.", puser);
return false;
}
#endif
}
static bool DoCreateUser(const char *puser, const User *u, enum cfopaction action,
EvalContext *ctx, const Attributes *a, const Promise *pp)
{
assert(u != NULL);
char cmd[CF_BUFSIZE];
char sec_group_args[CF_BUFSIZE];
if (puser == NULL || !strcmp (puser, ""))
{
return false;
}
strcpy (cmd, USERADD);
if (u->uid != NULL && strcmp (u->uid, ""))
{
StringAppend(cmd, " -u \"", sizeof(cmd));
StringAppend(cmd, u->uid, sizeof(cmd));
StringAppend(cmd, "\"", sizeof(cmd));
}
if (u->description != NULL)
{
StringAppend(cmd, " -c \"", sizeof(cmd));
StringAppend(cmd, u->description, sizeof(cmd));
StringAppend(cmd, "\"", sizeof(cmd));
}
if (u->group_primary != NULL && strcmp (u->group_primary, ""))
{
// TODO: Should check that group exists
StringAppend(cmd, " -g \"", sizeof(cmd));
StringAppend(cmd, u->group_primary, sizeof(cmd));
StringAppend(cmd, "\"", sizeof(cmd));
}
if (u->groups_secondary_given)
{
// TODO: Should check that groups exist
strlcpy(sec_group_args, " -G \"", sizeof(sec_group_args));
char sep[2] = { '\0', '\0' };
for (Rlist *i = u->groups_secondary; i; i = i->next)
{
StringAppend(sec_group_args, sep, sizeof(sec_group_args));
StringAppend(sec_group_args, RvalScalarValue(i->val), sizeof(sec_group_args));
sep[0] = ',';
}
StringAppend(sec_group_args, "\"", sizeof(sec_group_args));
StringAppend(cmd, sec_group_args, sizeof(cmd));
}
if (u->home_dir != NULL && strcmp (u->home_dir, ""))
{
StringAppend(cmd, " -d \"", sizeof(cmd));
StringAppend(cmd, u->home_dir, sizeof(cmd));
StringAppend(cmd, "\"", sizeof(cmd));
}
if (u->shell != NULL && strcmp (u->shell, ""))
{
StringAppend(cmd, " -s \"", sizeof(cmd));
StringAppend(cmd, u->shell, sizeof(cmd));
StringAppend(cmd, "\"", sizeof(cmd));
}
#ifndef __hpux
// HP-UX has two variants of useradd, the normal one which does
// not support -M and one variant to modify default values which
// does take -M and yes or no
// Since both are output with -h SupportOption incorrectly reports
// -M as supported
if (SupportsOption(USERADD, "-M"))
{
// Prevents creation of home_dir.
// We want home_bundle to do that.
StringAppend(cmd, " -M", sizeof(cmd));
}
#endif
StringAppend(cmd, " ", sizeof(cmd));
StringAppend(cmd, puser, sizeof(cmd));
if (action == cfa_warn || DONTDO)
{
Log(LOG_LEVEL_WARNING, "Need to create user '%s'.", puser);
return false;
}
else
{
if (!ExecuteUserCommand(puser, cmd, sizeof(cmd), "creating", "Creating"))
{
return false;
}
if (u->groups_secondary_given)
{
// Work around issue on AIX. Always set secondary groups a second time, because AIX
// likes to assign the primary group as the secondary group as well, even if we didn't
// ask for it.
strlcpy(cmd, USERMOD, sizeof(cmd));
StringAppend(cmd, sec_group_args, sizeof(cmd));
StringAppend(cmd, " ", sizeof(cmd));
StringAppend(cmd, puser, sizeof(cmd));
if (!ExecuteUserCommand(puser, cmd, sizeof(cmd), "modifying", "Modifying"))
{
return false;
}
}
// Initially, "useradd" may set the password to '!', which confuses our detection for
// locked accounts. So reset it to 'x' hash instead, which will never match anything.
if (!ChangePassword(puser, "x", PASSWORD_FORMAT_HASH))
{
return false;
}
if (u->policy == USER_STATE_LOCKED)
{
if (!SetAccountLocked(puser, "x", true))
{
return false;
}
}
if (a->havebundle)
{
const Constraint *method_attrib = PromiseGetConstraint(pp, "home_bundle");
if (method_attrib == NULL)
{
Log(LOG_LEVEL_ERR, "Cannot create user (home_bundle not found)");
return false;
}
VerifyMethod(ctx, method_attrib->rval, a, pp);
}
if (u->policy != USER_STATE_LOCKED && u->password != NULL && strcmp (u->password, ""))
{
if (!ChangePassword(puser, u->password, u->password_format))
{
return false;
}
}
}
return true;
}
static bool DoCreateUser(const char *puser, User u, enum cfopaction action,
EvalContext *ctx, const Attributes *a, const Promise *pp)
{
char cmd[CF_BUFSIZE];
if (puser == NULL || !strcmp (puser, ""))
{
return false;
}
strcpy (cmd, USERADD);
if (u.uid != NULL && strcmp (u.uid, ""))
{
StringAppend(cmd, " -u \"", sizeof(cmd));
StringAppend(cmd, u.uid, sizeof(cmd));
StringAppend(cmd, "\"", sizeof(cmd));
}
if (u.description != NULL)
{
StringAppend(cmd, " -c \"", sizeof(cmd));
StringAppend(cmd, u.description, sizeof(cmd));
StringAppend(cmd, "\"", sizeof(cmd));
}
if (u.group_primary != NULL && strcmp (u.group_primary, ""))
{
// TODO: Should check that group exists
StringAppend(cmd, " -g \"", sizeof(cmd));
StringAppend(cmd, u.group_primary, sizeof(cmd));
StringAppend(cmd, "\"", sizeof(cmd));
}
if (u.groups_secondary != NULL)
{
// TODO: Should check that groups exist
StringAppend(cmd, " -G \"", sizeof(cmd));
char sep[2] = { '\0', '\0' };
for (Rlist *i = u.groups_secondary; i; i = i->next)
{
if (strcmp(RvalScalarValue(i->val), CF_NULL_VALUE) != 0)
{
StringAppend(cmd, sep, sizeof(cmd));
StringAppend(cmd, RvalScalarValue(i->val), sizeof(cmd));
sep[0] = ',';
}
}
StringAppend(cmd, "\"", sizeof(cmd));
}
if (u.home_dir != NULL && strcmp (u.home_dir, ""))
{
StringAppend(cmd, " -d \"", sizeof(cmd));
StringAppend(cmd, u.home_dir, sizeof(cmd));
StringAppend(cmd, "\"", sizeof(cmd));
}
if (u.shell != NULL && strcmp (u.shell, ""))
{
StringAppend(cmd, " -s \"", sizeof(cmd));
StringAppend(cmd, u.shell, sizeof(cmd));
StringAppend(cmd, "\"", sizeof(cmd));
}
if (SupportsOption(USERADD, "-M"))
{
// Prevents creation of home_dir.
// We want home_bundle to do that.
StringAppend(cmd, " -M", sizeof(cmd));
}
StringAppend(cmd, " ", sizeof(cmd));
StringAppend(cmd, puser, sizeof(cmd));
if (action == cfa_warn || DONTDO)
{
Log(LOG_LEVEL_NOTICE, "Need to create user '%s'.", puser);
return false;
}
else
{
if (!ExecuteUserCommand(puser, cmd, sizeof(cmd), "creating", "Creating"))
{
return false;
}
// Initially, "useradd" may set the password to '!', which confuses our detection for
// locked accounts. So reset it to 'x' hash instead, which will never match anything.
if (!ChangePassword(puser, "x", PASSWORD_FORMAT_HASH))
{
return false;
}
if (u.policy == USER_STATE_LOCKED)
{
if (!SetAccountLocked(puser, "", true))
{
return false;
}
}
if (a->havebundle)
{
const Constraint *method_attrib = PromiseGetConstraint(pp, "home_bundle");
VerifyMethod(ctx, method_attrib->rval, *a, pp);
}
if (u.policy != USER_STATE_LOCKED && u.password != NULL && strcmp (u.password, ""))
{
if (!ChangePassword(puser, u.password, u.password_format))
{
return false;
}
}
}
return true;
}
