static bool ChangePassword(const char *puser, const char *password, PasswordFormat format) { if (format == PASSWORD_FORMAT_PLAINTEXT) { return ChangePlaintextPasswordUsingLibPam(puser, password); } assert(format == PASSWORD_FORMAT_HASH); #ifdef HAVE_CHPASSWD struct stat statbuf; if (stat(CHPASSWD, &statbuf) != -1 && SupportsOption(CHPASSWD, "-e")) { return ChangePasswordHashUsingChpasswd(puser, password); } else #endif #if defined(HAVE_LCKPWDF) && defined(HAVE_ULCKPWDF) { return ChangePasswordHashUsingLckpwdf(puser, password); } #elif defined(HAVE_CHPASSWD) { Log(LOG_LEVEL_ERR, "No means to set password for user '%s' was found. Tried using the '%s' tool with no luck.", puser, CHPASSWD); return false; } #else { Log(LOG_LEVEL_WARNING, "Setting hashed password or locking user '%s' not supported on this platform.", puser); return false; } #endif }
static bool DoCreateUser(const char *puser, const User *u, enum cfopaction action, EvalContext *ctx, const Attributes *a, const Promise *pp) { assert(u != NULL); char cmd[CF_BUFSIZE]; char sec_group_args[CF_BUFSIZE]; if (puser == NULL || !strcmp (puser, "")) { return false; } strcpy (cmd, USERADD); if (u->uid != NULL && strcmp (u->uid, "")) { StringAppend(cmd, " -u \"", sizeof(cmd)); StringAppend(cmd, u->uid, sizeof(cmd)); StringAppend(cmd, "\"", sizeof(cmd)); } if (u->description != NULL) { StringAppend(cmd, " -c \"", sizeof(cmd)); StringAppend(cmd, u->description, sizeof(cmd)); StringAppend(cmd, "\"", sizeof(cmd)); } if (u->group_primary != NULL && strcmp (u->group_primary, "")) { // TODO: Should check that group exists StringAppend(cmd, " -g \"", sizeof(cmd)); StringAppend(cmd, u->group_primary, sizeof(cmd)); StringAppend(cmd, "\"", sizeof(cmd)); } if (u->groups_secondary_given) { // TODO: Should check that groups exist strlcpy(sec_group_args, " -G \"", sizeof(sec_group_args)); char sep[2] = { '\0', '\0' }; for (Rlist *i = u->groups_secondary; i; i = i->next) { StringAppend(sec_group_args, sep, sizeof(sec_group_args)); StringAppend(sec_group_args, RvalScalarValue(i->val), sizeof(sec_group_args)); sep[0] = ','; } StringAppend(sec_group_args, "\"", sizeof(sec_group_args)); StringAppend(cmd, sec_group_args, sizeof(cmd)); } if (u->home_dir != NULL && strcmp (u->home_dir, "")) { StringAppend(cmd, " -d \"", sizeof(cmd)); StringAppend(cmd, u->home_dir, sizeof(cmd)); StringAppend(cmd, "\"", sizeof(cmd)); } if (u->shell != NULL && strcmp (u->shell, "")) { StringAppend(cmd, " -s \"", sizeof(cmd)); StringAppend(cmd, u->shell, sizeof(cmd)); StringAppend(cmd, "\"", sizeof(cmd)); } #ifndef __hpux // HP-UX has two variants of useradd, the normal one which does // not support -M and one variant to modify default values which // does take -M and yes or no // Since both are output with -h SupportOption incorrectly reports // -M as supported if (SupportsOption(USERADD, "-M")) { // Prevents creation of home_dir. // We want home_bundle to do that. StringAppend(cmd, " -M", sizeof(cmd)); } #endif StringAppend(cmd, " ", sizeof(cmd)); StringAppend(cmd, puser, sizeof(cmd)); if (action == cfa_warn || DONTDO) { Log(LOG_LEVEL_WARNING, "Need to create user '%s'.", puser); return false; } else { if (!ExecuteUserCommand(puser, cmd, sizeof(cmd), "creating", "Creating")) { return false; } if (u->groups_secondary_given) { // Work around issue on AIX. Always set secondary groups a second time, because AIX // likes to assign the primary group as the secondary group as well, even if we didn't // ask for it. strlcpy(cmd, USERMOD, sizeof(cmd)); StringAppend(cmd, sec_group_args, sizeof(cmd)); StringAppend(cmd, " ", sizeof(cmd)); StringAppend(cmd, puser, sizeof(cmd)); if (!ExecuteUserCommand(puser, cmd, sizeof(cmd), "modifying", "Modifying")) { return false; } } // Initially, "useradd" may set the password to '!', which confuses our detection for // locked accounts. So reset it to 'x' hash instead, which will never match anything. if (!ChangePassword(puser, "x", PASSWORD_FORMAT_HASH)) { return false; } if (u->policy == USER_STATE_LOCKED) { if (!SetAccountLocked(puser, "x", true)) { return false; } } if (a->havebundle) { const Constraint *method_attrib = PromiseGetConstraint(pp, "home_bundle"); if (method_attrib == NULL) { Log(LOG_LEVEL_ERR, "Cannot create user (home_bundle not found)"); return false; } VerifyMethod(ctx, method_attrib->rval, a, pp); } if (u->policy != USER_STATE_LOCKED && u->password != NULL && strcmp (u->password, "")) { if (!ChangePassword(puser, u->password, u->password_format)) { return false; } } } return true; }
static bool DoCreateUser(const char *puser, User u, enum cfopaction action, EvalContext *ctx, const Attributes *a, const Promise *pp) { char cmd[CF_BUFSIZE]; if (puser == NULL || !strcmp (puser, "")) { return false; } strcpy (cmd, USERADD); if (u.uid != NULL && strcmp (u.uid, "")) { StringAppend(cmd, " -u \"", sizeof(cmd)); StringAppend(cmd, u.uid, sizeof(cmd)); StringAppend(cmd, "\"", sizeof(cmd)); } if (u.description != NULL) { StringAppend(cmd, " -c \"", sizeof(cmd)); StringAppend(cmd, u.description, sizeof(cmd)); StringAppend(cmd, "\"", sizeof(cmd)); } if (u.group_primary != NULL && strcmp (u.group_primary, "")) { // TODO: Should check that group exists StringAppend(cmd, " -g \"", sizeof(cmd)); StringAppend(cmd, u.group_primary, sizeof(cmd)); StringAppend(cmd, "\"", sizeof(cmd)); } if (u.groups_secondary != NULL) { // TODO: Should check that groups exist StringAppend(cmd, " -G \"", sizeof(cmd)); char sep[2] = { '\0', '\0' }; for (Rlist *i = u.groups_secondary; i; i = i->next) { if (strcmp(RvalScalarValue(i->val), CF_NULL_VALUE) != 0) { StringAppend(cmd, sep, sizeof(cmd)); StringAppend(cmd, RvalScalarValue(i->val), sizeof(cmd)); sep[0] = ','; } } StringAppend(cmd, "\"", sizeof(cmd)); } if (u.home_dir != NULL && strcmp (u.home_dir, "")) { StringAppend(cmd, " -d \"", sizeof(cmd)); StringAppend(cmd, u.home_dir, sizeof(cmd)); StringAppend(cmd, "\"", sizeof(cmd)); } if (u.shell != NULL && strcmp (u.shell, "")) { StringAppend(cmd, " -s \"", sizeof(cmd)); StringAppend(cmd, u.shell, sizeof(cmd)); StringAppend(cmd, "\"", sizeof(cmd)); } if (SupportsOption(USERADD, "-M")) { // Prevents creation of home_dir. // We want home_bundle to do that. StringAppend(cmd, " -M", sizeof(cmd)); } StringAppend(cmd, " ", sizeof(cmd)); StringAppend(cmd, puser, sizeof(cmd)); if (action == cfa_warn || DONTDO) { Log(LOG_LEVEL_NOTICE, "Need to create user '%s'.", puser); return false; } else { if (!ExecuteUserCommand(puser, cmd, sizeof(cmd), "creating", "Creating")) { return false; } // Initially, "useradd" may set the password to '!', which confuses our detection for // locked accounts. So reset it to 'x' hash instead, which will never match anything. if (!ChangePassword(puser, "x", PASSWORD_FORMAT_HASH)) { return false; } if (u.policy == USER_STATE_LOCKED) { if (!SetAccountLocked(puser, "", true)) { return false; } } if (a->havebundle) { const Constraint *method_attrib = PromiseGetConstraint(pp, "home_bundle"); VerifyMethod(ctx, method_attrib->rval, *a, pp); } if (u.policy != USER_STATE_LOCKED && u.password != NULL && strcmp (u.password, "")) { if (!ChangePassword(puser, u.password, u.password_format)) { return false; } } } return true; }