static void open_files (void)
{
if (!gr_lock ()) {
fprintf (stderr, _("%s: unable to lock group file\n"),
Prog);
exit (E_GRP_UPDATE);
}
if (!gr_open (O_RDWR)) {
fprintf (stderr, _("%s: unable to open group file\n"),
Prog);
fail_exit (E_GRP_UPDATE);
}
#ifdef SHADOWGRP
if (is_shadow_grp && !sgr_lock ()) {
fprintf (stderr,
_("%s: unable to lock shadow group file\n"),
Prog);
fail_exit (E_GRP_UPDATE);
}
if (is_shadow_grp && !sgr_open (O_RDWR)) {
fprintf (stderr,
_("%s: unable to open shadow group file\n"),
Prog);
fail_exit (E_GRP_UPDATE);
}
#endif /* SHADOWGRP */
}
/*
* lock_files - lock the accounts databases
*
* lock_files() locks the group, gshadow, and passwd databases.
*/
static void lock_files (void)
{
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
exit (E_GRP_UPDATE);
}
add_cleanup (cleanup_unlock_group, NULL);
#ifdef SHADOWGRP
if ( is_shadow_grp
&& (pflg || nflg)) {
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
exit (E_GRP_UPDATE);
}
add_cleanup (cleanup_unlock_gshadow, NULL);
}
#endif
if (gflg) {
if (pw_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, pw_dbname ());
exit (E_GRP_UPDATE);
}
add_cleanup (cleanup_unlock_passwd, NULL);
}
}
static void
open_files(void)
{
if (!pw_lock()) {
fprintf(stderr, _("%s: unable to lock password file\n"), Prog);
exit(E_PW_UPDATE);
}
if (! pw_open (O_RDWR)) {
fprintf(stderr, _("%s: unable to open password file\n"), Prog);
fail_exit(E_PW_UPDATE);
}
#ifdef SHADOWPWD
if (is_shadow_pwd && ! spw_lock ()) {
fprintf(stderr, _("%s: cannot lock shadow password file\n"),
Prog);
fail_exit(E_PW_UPDATE);
}
if (is_shadow_pwd && ! spw_open (O_RDWR)) {
fprintf(stderr, _("%s: cannot open shadow password file\n"),
Prog);
fail_exit(E_PW_UPDATE);
}
#endif
#ifdef HAVE_TCFS
if (!tcfs_lock()) {
fprintf(stderr, _("%s: cannot lock TCFS key file\n"), Prog);
fail_exit(E_PW_UPDATE);
}
if (!tcfs_open(O_RDWR)) {
fprintf(stderr, _("%s: cannot open TCFS key file\n"), Prog);
fail_exit(E_PW_UPDATE);
}
#endif
if (! gr_lock ()) {
fprintf(stderr, _("%s: unable to lock group file\n"), Prog);
fail_exit(E_GRP_UPDATE);
}
if (! gr_open (O_RDWR)) {
fprintf(stderr, _("%s: cannot open group file\n"), Prog);
fail_exit(E_GRP_UPDATE);
}
#ifdef SHADOWGRP
if (is_shadow_grp && ! sgr_lock ()) {
fprintf(stderr, _("%s: unable to lock shadow group file\n"),
Prog);
fail_exit(E_GRP_UPDATE);
}
if (is_shadow_grp && ! sgr_open (O_RDWR)) {
fprintf(stderr, _("%s: cannot open shadow group file\n"),
Prog);
fail_exit(E_GRP_UPDATE);
}
#endif
}
/*
* open_files - open the shadow database
*
* In read-only mode, the databases are not locked and are opened
* only for reading.
*/
static void open_files (void)
{
/*
* Lock the files if we aren't in "read-only" mode
*/
if (!read_only) {
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, grp_file);
fail_exit (E_CANT_LOCK);
}
gr_locked = true;
#ifdef SHADOWGRP
if (is_shadow) {
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_file);
fail_exit (E_CANT_LOCK);
}
sgr_locked = true;
}
#endif
}
/*
* Open the files. Use O_RDONLY if we are in read_only mode,
* O_RDWR otherwise.
*/
if (gr_open (read_only ? O_RDONLY : O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog,
grp_file);
if (use_system_grp_file) {
SYSLOG ((LOG_WARN, "cannot open %s", grp_file));
}
fail_exit (E_CANT_OPEN);
}
#ifdef SHADOWGRP
if (is_shadow && (sgr_open (read_only ? O_RDONLY : O_RDWR) == 0)) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog,
sgr_file);
if (use_system_sgr_file) {
SYSLOG ((LOG_WARN, "cannot open %s", sgr_file));
}
fail_exit (E_CANT_OPEN);
}
#endif
}
/*
* open_files - lock and open the group files
*
* open_files() opens the two group files.
*/
static void open_files (void)
{
/* First, lock the databases */
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
exit (E_GRP_UPDATE);
}
add_cleanup (cleanup_unlock_group, NULL);
#ifdef SHADOWGRP
if (is_shadow_grp) {
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
exit (E_GRP_UPDATE);
}
add_cleanup (cleanup_unlock_gshadow, NULL);
}
#endif
/*
* Now, if the group is not removed, it's our fault.
* Make sure failures will be reported.
*/
add_cleanup (cleanup_report_del_group, group_name);
/* An now open the databases */
if (gr_open (O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, gr_dbname ());
SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ()));
exit (E_GRP_UPDATE);
}
#ifdef SHADOWGRP
if (is_shadow_grp) {
if (sgr_open (O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, sgr_dbname ());
SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ()));
exit (E_GRP_UPDATE);
}
}
#endif /* SHADOWGRP */
}
/*
* open_files - lock and open the group databases
*
* It will call exit in case of error.
*/
static void open_files (void)
{
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
exit (E_NOPERM);
}
add_cleanup (cleanup_unlock_group, NULL);
#ifdef SHADOWGRP
if (is_shadowgrp) {
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
exit (E_NOPERM);
}
add_cleanup (cleanup_unlock_gshadow, NULL);
}
#endif /* SHADOWGRP */
add_cleanup (log_gpasswd_failure_system, NULL);
if (gr_open (O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, gr_dbname ());
SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ()));
exit (E_NOPERM);
}
#ifdef SHADOWGRP
if (is_shadowgrp) {
if (sgr_open (O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, sgr_dbname ());
SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ()));
exit (E_NOPERM);
}
add_cleanup (log_gpasswd_failure_gshadow, NULL);
}
#endif /* SHADOWGRP */
add_cleanup (log_gpasswd_failure_group, NULL);
del_cleanup (log_gpasswd_failure_system);
}
static int
gr_update(struct group * grp, char const * group)
{
int pfd, tfd;
struct group *gr = NULL;
struct group *old_gr = NULL;
if (grp != NULL)
gr = gr_dup(grp);
if (group != NULL)
old_gr = GETGRNAM(group);
if (gr_init(conf.etcpath, NULL))
err(1, "gr_init()");
if ((pfd = gr_lock()) == -1) {
gr_fini();
err(1, "gr_lock()");
}
if ((tfd = gr_tmp(-1)) == -1) {
gr_fini();
err(1, "gr_tmp()");
}
if (gr_copy(pfd, tfd, gr, old_gr) == -1) {
gr_fini();
close(tfd);
err(1, "gr_copy()");
}
fsync(tfd);
close(tfd);
if (gr_mkdb() == -1) {
gr_fini();
err(1, "gr_mkdb()");
}
free(gr);
gr_fini();
return 0;
}
/*
* open_files - lock and open the group databases
*/
static void open_files (void)
{
/*
* Lock the group file and open it for reading and writing. This will
* bring all of the entries into memory where they may be updated.
*/
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
fail_exit (1);
}
gr_locked = true;
if (gr_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"), Prog, gr_dbname ());
fail_exit (1);
}
#ifdef SHADOWGRP
/* Do the same for the shadowed database, if it exist */
if (is_shadow_grp) {
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
fail_exit (1);
}
sgr_locked = true;
if (sgr_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"),
Prog, sgr_dbname ());
fail_exit (1);
}
}
#endif
}
int main (int argc, char **argv)
{
const struct group *gr;
struct group grent;
const struct sgrp *sg;
Prog = Basename (argv[0]);
(void) setlocale (LC_ALL, "");
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
process_root_flag ("-R", argc, argv);
OPENLOG ("grpunconv");
process_flags (argc, argv);
if (sgr_file_present () == 0) {
exit (0); /* no /etc/gshadow, nothing to do */
}
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
fail_exit (5);
}
gr_locked = true;
if (gr_open (O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"), Prog, gr_dbname ());
fail_exit (1);
}
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
fail_exit (5);
}
sgr_locked = true;
if (sgr_open (O_RDONLY) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"), Prog, sgr_dbname ());
fail_exit (1);
}
/*
* Update group passwords if non-shadow password is "x".
*/
(void) gr_rewind ();
while ((gr = gr_next ()) != NULL) {
sg = sgr_locate (gr->gr_name);
if ( (NULL != sg)
&& (strcmp (gr->gr_passwd, SHADOW_PASSWD_STRING) == 0)) {
/* add password to /etc/group */
grent = *gr;
grent.gr_passwd = sg->sg_passwd;
if (gr_update (&grent) == 0) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, gr_dbname (), grent.gr_name);
fail_exit (3);
}
}
}
(void) sgr_close (); /* was only open O_RDONLY */
if (gr_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
fail_exit (3);
}
if (unlink (SGROUP_FILE) != 0) {
fprintf (stderr,
_("%s: cannot delete %s\n"),
Prog, SGROUP_FILE);
SYSLOG ((LOG_ERR, "cannot delete %s", SGROUP_FILE));
fail_exit (3);
}
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
/* continue */
}
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
/* continue */
}
nscd_flush_cache ("group");
return 0;
}
/*
* open_files - lock and open the password, group and shadow databases
*/
static void open_files (void)
{
/*
* Lock the password files and open them for update. This will bring
* all of the entries into memory where they may be searched for an
* modified, or new entries added. The password file is the key - if
* it gets locked, assume the others can be locked right away.
*/
if (pw_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, pw_dbname ());
fail_exit (EXIT_FAILURE);
}
pw_locked = true;
if (is_shadow) {
if (spw_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, spw_dbname ());
fail_exit (EXIT_FAILURE);
}
spw_locked = true;
}
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
fail_exit (EXIT_FAILURE);
}
gr_locked = true;
#ifdef SHADOWGRP
if (is_shadow_grp) {
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
fail_exit (EXIT_FAILURE);
}
sgr_locked = true;
}
#endif
#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sub_uid_dbname ());
fail_exit (EXIT_FAILURE);
}
sub_uid_locked = true;
}
if (is_sub_gid) {
if (sub_gid_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sub_gid_dbname ());
fail_exit (EXIT_FAILURE);
}
sub_gid_locked = true;
}
#endif /* ENABLE_SUBIDS */
if (pw_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, pw_dbname ());
fail_exit (EXIT_FAILURE);
}
if (is_shadow && (spw_open (O_CREAT | O_RDWR) == 0)) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, spw_dbname ());
fail_exit (EXIT_FAILURE);
}
if (gr_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
fail_exit (EXIT_FAILURE);
}
#ifdef SHADOWGRP
if (is_shadow_grp && (sgr_open (O_CREAT | O_RDWR) == 0)) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ());
fail_exit (EXIT_FAILURE);
}
#endif
#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, sub_uid_dbname ());
fail_exit (EXIT_FAILURE);
}
}
if (is_sub_gid) {
if (sub_gid_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, sub_gid_dbname ());
fail_exit (EXIT_FAILURE);
}
}
#endif /* ENABLE_SUBIDS */
}
static int update_group (void)
{
int is_member;
int was_member;
int changed;
const struct group *grp;
struct group *ngrp;
/*
* Lock and open the group file. This will load all of the group
* entries.
*/
if (!gr_lock ()) {
fprintf (stderr, _("%s: error locking group file\n"),
Prog);
SYSLOG ((LOG_ERR, "error locking group file"));
return -1;
}
if (!gr_open (O_RDWR)) {
fprintf (stderr, _("%s: error opening group file\n"),
Prog);
SYSLOG ((LOG_ERR, "error opening group file"));
gr_unlock ();
return -1;
}
changed = 0;
/*
* Scan through the entire group file looking for the groups that
* the user is a member of.
*/
while ((grp = gr_next ())) {
/*
* See if the user specified this group as one of their
* concurrent groups.
*/
was_member = is_on_list (grp->gr_mem, user_name);
is_member = Gflg && is_on_list (user_groups, grp->gr_name);
if (!was_member && !is_member)
continue;
ngrp = __gr_dup (grp);
if (!ngrp) {
fprintf (stderr,
_("%s: out of memory in update_group\n"),
Prog);
gr_unlock ();
return -1;
}
if (was_member && (!Gflg || is_member)) {
if (lflg) {
ngrp->gr_mem = del_list (ngrp->gr_mem,
user_name);
ngrp->gr_mem = add_list (ngrp->gr_mem,
user_newname);
changed = 1;
SYSLOG ((LOG_INFO,
"change `%s' to `%s' in group `%s'",
user_name, user_newname,
ngrp->gr_name));
}
} else if (was_member && Gflg && !is_member) {
ngrp->gr_mem = del_list (ngrp->gr_mem, user_name);
changed = 1;
SYSLOG ((LOG_INFO, "delete `%s' from group `%s'",
user_name, ngrp->gr_name));
} else if (!was_member && Gflg && is_member) {
ngrp->gr_mem = add_list (ngrp->gr_mem,
lflg ? user_newname :
user_name);
changed = 1;
SYSLOG ((LOG_INFO, "add `%s' to group `%s'",
lflg ? user_newname : user_name,
ngrp->gr_name));
}
if (!changed)
continue;
changed = 0;
if (!gr_update (ngrp)) {
fprintf (stderr,
_("%s: error adding new group entry\n"),
Prog);
SYSLOG ((LOG_ERR, "error adding group entry"));
gr_unlock ();
return -1;
}
#ifdef NDBM
/*
* Update the DBM group file with the new entry as well.
*/
if (!gr_dbm_update (ngrp)) {
fprintf (stderr,
_("%s: cannot add new dbm group entry\n"),
Prog);
SYSLOG ((LOG_ERR, "error adding dbm group entry"));
gr_unlock ();
return -1;
}
#endif /* NDBM */
}
#ifdef NDBM
endgrent ();
#endif /* NDBM */
if (!gr_close ()) {
fprintf (stderr, _("%s: cannot rewrite group file\n"),
Prog);
gr_unlock ();
return -1;
}
gr_unlock ();
return 0;
}
static void open_files (void)
{
if (pw_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, pw_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"locking password file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_PW_UPDATE);
}
pw_locked = true;
if (pw_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"), Prog, pw_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"opening password file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_PW_UPDATE);
}
if (is_shadow_pwd) {
if (spw_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, spw_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"locking shadow password file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_PW_UPDATE);
}
spw_locked = true;
if (spw_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"),
Prog, spw_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"opening shadow password file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_PW_UPDATE);
}
}
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"locking group file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_GRP_UPDATE);
}
gr_locked = true;
if (gr_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"opening group file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_GRP_UPDATE);
}
#ifdef SHADOWGRP
if (is_shadow_grp) {
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"locking shadow group file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_GRP_UPDATE);
}
sgr_locked= true;
if (sgr_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"),
Prog, sgr_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"opening shadow group file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_GRP_UPDATE);
}
}
#endif /* SHADOWGRP */
#ifdef ENABLE_SUBIDS
if (is_sub_uid) {
if (sub_uid_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sub_uid_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"locking subordinate user file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_SUB_UID_UPDATE);
}
sub_uid_locked = true;
if (sub_uid_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"), Prog, sub_uid_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"opening subordinate user file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_SUB_UID_UPDATE);
}
}
if (is_sub_gid) {
if (sub_gid_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sub_gid_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"locking subordinate group file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_SUB_GID_UPDATE);
}
sub_gid_locked = true;
if (sub_gid_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open %s\n"), Prog, sub_gid_dbname ());
#ifdef WITH_AUDIT
audit_logger (AUDIT_DEL_USER, Prog,
"opening subordinate group file",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_SUB_GID_UPDATE);
}
}
#endif /* ENABLE_SUBIDS */
}
int main (int argc, char **argv)
{
const struct group *gr;
struct group grent;
const struct sgrp *sg;
struct sgrp sgent;
Prog = Basename (argv[0]);
(void) setlocale (LC_ALL, "");
(void) bindtextdomain (PACKAGE, LOCALEDIR);
(void) textdomain (PACKAGE);
process_root_flag ("-R", argc, argv);
OPENLOG ("grpconv");
process_flags (argc, argv);
if (gr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, gr_dbname ());
fail_exit (5);
}
gr_locked = true;
if (gr_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
fail_exit (1);
}
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_dbname ());
fail_exit (5);
}
sgr_locked = true;
if (sgr_open (O_CREAT | O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open %s\n"), Prog, sgr_dbname ());
fail_exit (1);
}
/*
* Remove /etc/gshadow entries for groups not in /etc/group.
*/
(void) sgr_rewind ();
while ((sg = sgr_next ()) != NULL) {
if (gr_locate (sg->sg_name) != NULL) {
continue;
}
if (sgr_remove (sg->sg_name) == 0) {
/*
* This shouldn't happen (the entry exists) but...
*/
fprintf (stderr,
_("%s: cannot remove entry '%s' from %s\n"),
Prog, sg->sg_name, sgr_dbname ());
fail_exit (3);
}
}
/*
* Update shadow group passwords if non-shadow password is not "x".
* Add any missing shadow group entries.
*/
(void) gr_rewind ();
while ((gr = gr_next ()) != NULL) {
sg = sgr_locate (gr->gr_name);
if (NULL != sg) {
/* update existing shadow group entry */
sgent = *sg;
if (strcmp (gr->gr_passwd, SHADOW_PASSWD_STRING) != 0)
sgent.sg_passwd = gr->gr_passwd;
} else {
static char *empty = 0;
/* add new shadow group entry */
memset (&sgent, 0, sizeof sgent);
sgent.sg_name = gr->gr_name;
sgent.sg_passwd = gr->gr_passwd;
sgent.sg_adm = ∅
}
/*
* XXX - sg_mem is redundant, it is currently always a copy
* of gr_mem. Very few programs actually use sg_mem, and all
* of them are in the shadow suite. Maybe this field could
* be used for something else? Any suggestions?
*/
sgent.sg_mem = gr->gr_mem;
if (sgr_update (&sgent) == 0) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, sgr_dbname (), sgent.sg_name);
fail_exit (3);
}
/* remove password from /etc/group */
grent = *gr;
grent.gr_passwd = SHADOW_PASSWD_STRING; /* XXX warning: const */
if (gr_update (&grent) == 0) {
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, gr_dbname (), grent.gr_name);
fail_exit (3);
}
}
if (sgr_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, sgr_dbname ());
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
fail_exit (3);
}
if (gr_close () == 0) {
fprintf (stderr,
_("%s: failure while writing changes to %s\n"),
Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
fail_exit (3);
}
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
/* continue */
}
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
/* continue */
}
nscd_flush_cache ("group");
return 0;
}
/*
* grpck - verify group file integrity
*/
int main (int argc, char **argv)
{
int arg;
int errors = 0;
int deleted = 0;
int i;
struct commonio_entry *gre, *tgre;
struct group *grp;
int sort_mode = 0;
#ifdef SHADOWGRP
struct commonio_entry *sge, *tsge;
struct sgrp *sgr;
int is_shadow = 0;
#endif
/*
* Get my name so that I can use it to report errors.
*/
Prog = Basename (argv[0]);
setlocale (LC_ALL, "");
bindtextdomain (PACKAGE, LOCALEDIR);
textdomain (PACKAGE);
OPENLOG ("grpck");
/*
* Parse the command line arguments
*/
while ((arg = getopt (argc, argv, "qrs")) != EOF) {
switch (arg) {
case 'q':
/* quiet - ignored for now */
break;
case 'r':
read_only = 1;
break;
case 's':
sort_mode = 1;
break;
default:
usage ();
}
}
if (sort_mode && read_only) {
fprintf (stderr, _("%s: -s and -r are incompatibile\n"), Prog);
exit (E_USAGE);
}
/*
* Make certain we have the right number of arguments
*/
#ifdef SHADOWGRP
if (optind != argc && optind + 1 != argc && optind + 2 != argc)
#else
if (optind != argc && optind + 1 != argc)
#endif
usage ();
/*
* If there are two left over filenames, use those as the group and
* group password filenames.
*/
if (optind != argc) {
grp_file = argv[optind];
gr_name (grp_file);
}
#ifdef SHADOWGRP
if (optind + 2 == argc) {
sgr_file = argv[optind + 1];
sgr_name (sgr_file);
is_shadow = 1;
} else if (optind == argc)
is_shadow = sgr_file_present ();
#endif
/*
* Lock the files if we aren't in "read-only" mode
*/
if (!read_only) {
if (!gr_lock ()) {
fprintf (stderr, _("%s: cannot lock file %s\n"),
Prog, grp_file);
if (optind == argc)
SYSLOG ((LOG_WARN, "cannot lock %s", grp_file));
closelog ();
exit (E_CANT_LOCK);
}
#ifdef SHADOWGRP
if (is_shadow && !sgr_lock ()) {
fprintf (stderr, _("%s: cannot lock file %s\n"),
Prog, sgr_file);
if (optind == argc)
SYSLOG ((LOG_WARN, "cannot lock %s", sgr_file));
closelog ();
exit (E_CANT_LOCK);
}
#endif
}
/*
* Open the files. Use O_RDONLY if we are in read_only mode,
* O_RDWR otherwise.
*/
if (!gr_open (read_only ? O_RDONLY : O_RDWR)) {
fprintf (stderr, _("%s: cannot open file %s\n"), Prog,
grp_file);
if (optind == argc)
SYSLOG ((LOG_WARN, "cannot open %s", grp_file));
closelog ();
exit (E_CANT_OPEN);
}
#ifdef SHADOWGRP
if (is_shadow && !sgr_open (read_only ? O_RDONLY : O_RDWR)) {
fprintf (stderr, _("%s: cannot open file %s\n"), Prog,
sgr_file);
if (optind == argc)
SYSLOG ((LOG_WARN, "cannot open %s", sgr_file));
closelog ();
exit (E_CANT_OPEN);
}
#endif
if (sort_mode) {
gr_sort ();
#ifdef SHADOWGRP
if (is_shadow)
sgr_sort ();
#endif
goto write_and_bye;
}
/*
* Loop through the entire group file.
*/
for (gre = __gr_get_head (); gre; gre = gre->next) {
/*
* Skip all NIS entries.
*/
if (gre->line[0] == '+' || gre->line[0] == '-')
continue;
/*
* Start with the entries that are completely corrupt. They
* have no (struct group) entry because they couldn't be
* parsed properly.
*/
if (!gre->eptr) {
/*
* Tell the user this entire line is bogus and ask
* them to delete it.
*/
printf (_("invalid group file entry\n"));
printf (_("delete line `%s'? "), gre->line);
errors++;
/*
* prompt the user to delete the entry or not
*/
if (!yes_or_no ())
continue;
/*
* All group file deletions wind up here. This code
* removes the current entry from the linked list.
* When done, it skips back to the top of the loop
* to try out the next list element.
*/
delete_gr:
SYSLOG ((LOG_INFO, "delete group line `%s'",
gre->line));
deleted++;
__gr_del_entry (gre);
continue;
}
/*
* Group structure is good, start using it.
*/
grp = gre->eptr;
/*
* Make sure this entry has a unique name.
*/
for (tgre = __gr_get_head (); tgre; tgre = tgre->next) {
const struct group *ent = tgre->eptr;
/*
* Don't check this entry
*/
if (tgre == gre)
continue;
/*
* Don't check invalid entries.
*/
if (!ent)
continue;
if (strcmp (grp->gr_name, ent->gr_name) != 0)
continue;
/*
* Tell the user this entry is a duplicate of
* another and ask them to delete it.
*/
printf (_("duplicate group entry\n"));
printf (_("delete line `%s'? "), gre->line);
errors++;
/*
* prompt the user to delete the entry or not
*/
if (yes_or_no ())
goto delete_gr;
}
/*
* Check for invalid group names. --marekm
*/
if (!check_group_name (grp->gr_name)) {
errors++;
printf (_("invalid group name `%s'\n"), grp->gr_name);
}
/*
* Workaround for a NYS libc 5.3.12 bug on RedHat 4.2 -
* groups with no members are returned as groups with one
* member "", causing grpck to fail. --marekm
*/
if (grp->gr_mem[0] && !grp->gr_mem[1]
&& *(grp->gr_mem[0]) == '\0')
grp->gr_mem[0] = (char *) 0;
/*
* Make sure each member exists
*/
for (i = 0; grp->gr_mem[i]; i++) {
if (getpwnam (grp->gr_mem[i]))
continue;
/*
* Can't find this user. Remove them
* from the list.
*/
errors++;
printf (_("group %s: no user %s\n"),
grp->gr_name, grp->gr_mem[i]);
printf (_("delete member `%s'? "), grp->gr_mem[i]);
if (!yes_or_no ())
continue;
SYSLOG ((LOG_INFO, "delete member `%s' group `%s'",
grp->gr_mem[i], grp->gr_name));
deleted++;
delete_member (grp->gr_mem, grp->gr_mem[i]);
gre->changed = 1;
__gr_set_changed ();
}
}
#ifdef SHADOWGRP
if (!is_shadow)
goto shadow_done;
/*
* Loop through the entire shadow group file.
*/
for (sge = __sgr_get_head (); sge; sge = sge->next) {
/*
* Start with the entries that are completely corrupt. They
* have no (struct sgrp) entry because they couldn't be
* parsed properly.
*/
if (!sge->eptr) {
/*
* Tell the user this entire line is bogus and ask
* them to delete it.
*/
printf (_("invalid shadow group file entry\n"));
printf (_("delete line `%s'? "), sge->line);
errors++;
/*
* prompt the user to delete the entry or not
*/
if (!yes_or_no ())
continue;
/*
* All shadow group file deletions wind up here.
* This code removes the current entry from the
* linked list. When done, it skips back to the top
* of the loop to try out the next list element.
*/
delete_sg:
SYSLOG ((LOG_INFO, "delete shadow line `%s'",
sge->line));
deleted++;
__sgr_del_entry (sge);
continue;
}
/*
* Shadow group structure is good, start using it.
*/
sgr = sge->eptr;
/*
* Make sure this entry has a unique name.
*/
for (tsge = __sgr_get_head (); tsge; tsge = tsge->next) {
const struct sgrp *ent = tsge->eptr;
/*
* Don't check this entry
*/
if (tsge == sge)
continue;
/*
* Don't check invalid entries.
*/
if (!ent)
continue;
if (strcmp (sgr->sg_name, ent->sg_name) != 0)
continue;
/*
* Tell the user this entry is a duplicate of
* another and ask them to delete it.
*/
printf (_("duplicate shadow group entry\n"));
printf (_("delete line `%s'? "), sge->line);
errors++;
/*
* prompt the user to delete the entry or not
*/
if (yes_or_no ())
goto delete_sg;
}
/*
* Make sure this entry exists in the /etc/group file.
*/
if (!gr_locate (sgr->sg_name)) {
printf (_("no matching group file entry\n"));
printf (_("delete line `%s'? "), sge->line);
errors++;
if (yes_or_no ())
goto delete_sg;
}
/*
* Make sure each administrator exists
*/
for (i = 0; sgr->sg_adm[i]; i++) {
if (getpwnam (sgr->sg_adm[i]))
continue;
/*
* Can't find this user. Remove them
* from the list.
*/
errors++;
printf (_
("shadow group %s: no administrative user %s\n"),
sgr->sg_name, sgr->sg_adm[i]);
printf (_("delete administrative member `%s'? "),
sgr->sg_adm[i]);
if (!yes_or_no ())
continue;
SYSLOG ((LOG_INFO,
"delete admin `%s' from shadow group `%s'",
sgr->sg_adm[i], sgr->sg_name));
deleted++;
delete_member (sgr->sg_adm, sgr->sg_adm[i]);
sge->changed = 1;
__sgr_set_changed ();
}
/*
* Make sure each member exists
*/
for (i = 0; sgr->sg_mem[i]; i++) {
if (getpwnam (sgr->sg_mem[i]))
continue;
/*
* Can't find this user. Remove them from the list.
*/
errors++;
printf (_("shadow group %s: no user %s\n"),
sgr->sg_name, sgr->sg_mem[i]);
printf (_("delete member `%s'? "), sgr->sg_mem[i]);
if (!yes_or_no ())
continue;
SYSLOG ((LOG_INFO,
"delete member `%s' from shadow group `%s'",
sgr->sg_mem[i], sgr->sg_name));
deleted++;
delete_member (sgr->sg_mem, sgr->sg_mem[i]);
sge->changed = 1;
__sgr_set_changed ();
}
}
shadow_done:
#endif /* SHADOWGRP */
/*
* All done. If there were no deletions we can just abandon any
* changes to the files.
*/
if (deleted) {
write_and_bye:
if (!gr_close ()) {
fprintf (stderr, _("%s: cannot update file %s\n"),
Prog, grp_file);
exit (E_CANT_UPDATE);
}
#ifdef SHADOWGRP
if (is_shadow && !sgr_close ()) {
fprintf (stderr, _("%s: cannot update file %s\n"),
Prog, sgr_file);
exit (E_CANT_UPDATE);
}
#endif
}
/*
* Don't be anti-social - unlock the files when you're done.
*/
#ifdef SHADOWGRP
if (is_shadow)
sgr_unlock ();
#endif
(void) gr_unlock ();
nscd_flush_cache ("group");
/*
* Tell the user what we did and exit.
*/
if (errors)
printf (deleted ?
_("%s: the files have been updated\n") :
_("%s: no changes\n"), Prog);
exit (errors ? E_BAD_ENTRY : E_OKAY);
}