/*
* SPDX-FileCopyrightText: 1991 - 1994, Julianne Frances Haugh
* SPDX-FileCopyrightText: 1996 - 2000, Marek Michałkiewicz
* SPDX-FileCopyrightText: 2000 - 2006, Tomasz Kłoczko
* SPDX-FileCopyrightText: 2007 - 2011, Nicolas François
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <config.h>
#ident "$Id$"
#include <assert.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <getopt.h>
#include <grp.h>
#include <lastlog.h>
#include <pwd.h>
* configure.in: Added option --enable-account-tools-setuid to
enable/disable the usage of PAM to authenticate the callers of
account management tools: chage, chgpasswd, chpasswd, groupadd,
groupdel, groupmod, useradd, userdel, usermod.
* src/Makefile.am: Do not link the above tools with libpam if
account-tools-setuid is disabled.
* src/userdel.c, src/newusers.c, src/chpasswd.c, src/usermod.c,
src/groupdel.c, src/chgpasswd.c, src/useradd.c, src/groupmod.c,
src/groupadd.c, src/chage.c: Implement ACCT_TOOLS_SETUID
(--enable-account-tools-setuid).
* etc/pam.d/Makefile.am: Install the pam service file for the
above tools only when needed.
* src/useradd.c, src/userdel.c, src/usermod.c: It is no longer
necessary to initialize retval to PAM_SUCCESS.
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
#include "pam_defs.h"
#endif /* USE_PAM */
#endif /* ACCT_TOOLS_SETUID */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <time.h>
#include "chkname.h"
#include "defines.h"
#include "faillog.h"
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
Flush sssd caches in addition to nscd caches
Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
passwd: sss files
group: sss files
The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk and opening the files on each NSS request.
Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.
More details about why Fedora chose to use sss before files can be found
on e.g.:
https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html
Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.
This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.
#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
#endif
#include "shadowio.h"
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
#ifdef ENABLE_SUBIDS
#include "subordinateio.h"
#endif /* ENABLE_SUBIDS */
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#endif /* WITH_SELINUX */
2010-01-30 Paweł Hajdan, Jr. <phajdan.jr@gentoo.org>
* NEWS: Add support for TCB.
* lib/tcbfuncs.h, lib/tcbfuncs.c, lib/Makefile.am: New library to
support TCB.
* lib/prototypes, libmisc/copydir.c (remove_tree): Add boolean
parameter remove_root.
* configure.in: Add conditional WITH_TCB.
* src/userdel.c, src/usermod.c: Add support for TCB. Update call to
remove_tree().
* src/pwconv.c, src/pwunconv.c: Should not be used with TCB enabled.
* src/vipw.c: Add support for TCB. Update call to remove_tree().
* src/useradd.c: Add support for TCB. Open the shadow file outside
of open_files().
* src/chage.c: Add support for TCB.
* src/Makefile.am: Install passwd sgid shadow when TCB is enabled.
* lib/getdefs.c, man/vipw.8.xml, man/login.defs.5.xml,
man/login.defs/TCB_AUTH_GROUP.xml, man/login.defs/USE_TCB.xml,
man/login.defs/TCB_SYMLINKS.xml, man/generate_mans.mak,
man/generate_mans.deps, man/Makefile.am: New configuration
parameters: TCB_AUTH_GROUP, TCB_SYMLINKS, USE_TCB.
* lib/shadowio.c, lib/commonio.c: Add support for TCB.
#ifdef WITH_TCB
#include "tcbfuncs.h"
#endif
#include "shadowlog.h"
* src/newgrp.c, src/chfn.c, src/groupmems.c, src/usermod.c,
src/userdel.c, src/chpasswd.c, src/grpck.c, src/gpasswd.c,
src/groupdel.c, src/chgpasswd.c, src/vipw.c, src/useradd.c,
src/su.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/faillog.c,
src/sulogin.c, src/chsh.c, src/pwconv.c: Added splint annotations.
* src/userdel.c, src/pwconv.c, src/lastlog.c, src/grpck.c,
src/vipw.c, src/groupmod.c, src/passwd.c, src/pwck.c, src/login.c,
src/sulogin.c, src/usermod.c: Use return instead of exit at the
end of main().
* src/gpasswd.c, src/passwd.c, src/faillog.c: Use the exitcodes.h
exit codes.
* src/chpasswd.c: Added missing ||.
* src/nologin.c: Do not include exitcodes.h.
* src/nologin.c: Added brackets.
* src/nologin.c: Avoid assignments in comparisons.
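/*
 * exit status values
 * for E_GRP_UPDATE and E_NOSPACE (not used yet), other update requests
 * will be implemented (as documented in the Solaris 2.x man page).
 *
 * Numbering notes: 5 (E_BAD_PWFILE) and 11 (E_NOSPACE) are kept only as
 * commented-out placeholders, and 7 is not assigned in this list.
 * Scripts that drive this tool should treat every non-zero status as a
 * failed or incomplete account change, not only the codes they expect.
 */
/*@-exitarg@*/
#define E_SUCCESS 0 /* success */
#define E_PW_UPDATE 1 /* can't update password file */
#define E_USAGE 2 /* invalid command syntax */
#define E_BAD_ARG 3 /* invalid argument to option */
#define E_UID_IN_USE 4 /* UID already in use (and no -o) */
/* #define E_BAD_PWFILE 5 passwd file contains errors */
#define E_NOTFOUND 6 /* specified user/group doesn't exist */
#define E_USER_BUSY 8 /* user to modify is logged in */
#define E_NAME_IN_USE 9 /* username or group name already in use */
#define E_GRP_UPDATE 10 /* can't update group file */
/* #define E_NOSPACE 11 insufficient space to move home dir */
#define E_HOMEDIR 12 /* unable to complete home dir move */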
* NEWS, src/userdel.c, man/userdel.8.xml: Add option -Z/--selinux-user.
* libmisc/system.c, lib/prototypes.h, libmisc/Makefile.am: Removed
safe_system().
* lib/selinux.c, po/POTFILES.in, lib/prototypes.h,
lib/Makefile.am: Added helper functions for semanage.
* README, src/useradd.c, src/usermod.c, src/userdel.c,
configure.in: Use libsemanage instead of semanage.
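/*
 * Further exit status values. The two subordinate-ID codes are defined
 * only when the build enables ENABLE_SUBIDS.
 */
#define E_SE_UPDATE 13 /* can't update SELinux user mapping */
#ifdef ENABLE_SUBIDS
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
#define E_SUB_GID_UPDATE 18 /* can't update the subordinate gid file */
#endif				/* ENABLE_SUBIDS */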
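/*
 * VALID(s) is non-zero when the string s contains neither ':' nor '\n'.
 *
 * ':' separates fields and a newline ends a record in passwd(5)-style
 * files, so a value containing either could add a field or a whole
 * record when it is written out.
 * NOTE(review): presumably applied to user-supplied field values before
 * they are stored -- confirm at the call sites. The check covers only
 * these two characters; other control or non-printable characters pass.
 *
 * The argument is parenthesized and evaluated exactly once.
 */
#define VALID(s) (strpbrk ((s), ":\n") == NULL)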
/*
* Global variables
*/
* src/newgrp.c, src/userdel.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/pwconv.c, src/chpasswd.c, src/logoutd.c,
src/chfn.c, src/groupmems.c, src/usermod.c, src/pwunconv.c,
src/expiry.c, src/groupdel.c, src/chgpasswd.c, src/useradd.c,
src/su.c, src/groupmod.c, src/passwd.c, src/pwck.c, src/chage.c,
src/groupadd.c, src/login.c, src/grpconv.c, src/groups.c,
src/grpunconv.c, src/chsh.c: Prog changed to a constant string.
/* Program name. Deliberately not static, so code outside this file can refer to it. */
const char *Prog;
* src/newgrp.c, src/userdel.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/pwconv.c, src/chpasswd.c, src/logoutd.c,
src/chfn.c, src/groupmems.c, src/usermod.c, src/pwunconv.c,
src/expiry.c, src/groupdel.c, src/chgpasswd.c, src/useradd.c,
src/su.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/grpconv.c,
src/groups.c, src/grpunconv.c, src/chsh.c: Prog is now global (not
static to the file) so that it can be used by the helper functions
of libmisc.
* lib/prototypes.h: Added extern char *Prog.
* libmisc/find_new_gid.c, libmisc/find_new_uid.c: Indicate the
program name with the warning.
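/*
 * Account fields handled by this run.
 * NOTE(review): each user_new* variable presumably carries the replacement
 * for the matching current value (name, UID, GID, comment, home, shell,
 * expiry, inactivity) -- confirm against process_flags().
 */
static char *user_name;
static char *user_newname;
/* NOTE(review): presumably the password field given with -p, which is
 * documented below as already encrypted -- confirm. */
static char *user_pass;
static uid_t user_id;
static uid_t user_newid;
static gid_t user_gid;
static gid_t user_newgid;
static char *user_comment;
static char *user_newcomment;
static char *user_home;
static char *user_newhome;
static char *user_shell;
#ifdef WITH_SELINUX
static const char *user_selinux = "";	/* empty string by default */
#endif				/* WITH_SELINUX */
static char *user_newshell;
static long user_expire;
static long user_newexpire;
static long user_inactive;
static long user_newinactive;
/* NOTE(review): presumably the capacity used to size user_groups -- confirm. */
static long sys_ngroups;
/*
 * NULL-terminated list. get_groups() stores into user_groups[0] without
 * checking the pointer, so the array must be allocated before it is called.
 */
static char **user_groups;

/* Pointer declarators written as "type *name", like the rest of the file. */
static const char *prefix = "";	/* empty string by default */
static char *prefix_user_home = NULL;
static char *prefix_user_newhome = NULL;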
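/*
 * Command-line option flags, one per option letter; all start out false.
 *
 * Each flag has its own declaration, so the conditionally compiled ones
 * (WITH_SELINUX, ENABLE_SUBIDS) no longer sit inside one shared declarator
 * list whose punctuation depends on the build configuration.
 */
static bool aflg = false;	/* append to existing secondary group set */
static bool cflg = false;	/* new comment (GECOS) field */
static bool dflg = false;	/* new home directory */
static bool eflg = false;	/* days since 1970-01-01 when account becomes expired */
static bool fflg = false;	/* days until account with expired password is locked */
static bool gflg = false;	/* new primary group ID */
static bool Gflg = false;	/* new secondary group set */
static bool Lflg = false;	/* lock the password */
static bool lflg = false;	/* new user name */
static bool mflg = false;	/* create user's home directory if it doesn't exist */
/* Accounts that share a UID are the same identity for permission checks. */
static bool oflg = false;	/* permit non-unique user ID to be specified with -u */
/* NOTE(review): a hash passed as an option argument is visible in the
 * process list to other local users while the command runs. */
static bool pflg = false;	/* new encrypted password */
static bool rflg = false;	/* remove a user from a single group */
static bool sflg = false;	/* new shell program */
#ifdef WITH_SELINUX
static bool Zflg = false;	/* new selinux user */
#endif
#ifdef ENABLE_SUBIDS
static bool vflg = false;	/* add subordinate uids */
static bool Vflg = false;	/* delete subordinate uids */
static bool wflg = false;	/* add subordinate gids */
static bool Wflg = false;	/* delete subordinate gids */
#endif				/* ENABLE_SUBIDS */
static bool uflg = false;	/* specify new user ID */
static bool Uflg = false;	/* unlock the password */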
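/*
 * Which account databases are in use.
 * NOTE(review): presumably set from the presence of the shadow, gshadow,
 * subuid and subgid files -- confirm where they are assigned.
 * All are initialized explicitly, matching the *_locked flags below.
 */
static bool is_shadow_pwd = false;

#ifdef SHADOWGRP
static bool is_shadow_grp = false;
#endif

#ifdef ENABLE_SUBIDS
static bool is_sub_uid = false;
static bool is_sub_gid = false;
#endif				/* ENABLE_SUBIDS */

/*
 * Lock bookkeeping, one flag per database file.
 * NOTE(review): presumably true while this process holds the matching
 * lock, so that failure paths can release exactly the locks that were
 * taken -- confirm against open_files(), close_files() and fail_exit().
 */
static bool pw_locked = false;
static bool spw_locked = false;
static bool gr_locked = false;
#ifdef SHADOWGRP
static bool sgr_locked = false;
#endif
#ifdef ENABLE_SUBIDS
static bool sub_uid_locked = false;
static bool sub_gid_locked = false;
#endif				/* ENABLE_SUBIDS */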
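/*
 * local function prototypes
 *
 * Parameter names are spelled out so each prototype documents its own
 * arguments. NORETURN marks the functions that do not return.
 */
/* Splits `list` in place: each comma is overwritten with a NUL byte. */
static int get_groups (char *list);
NORETURN static void usage (int status);
static void new_pwent (struct passwd *pwent);
static void new_spent (struct spwd *spent);
NORETURN static void fail_exit (int code);
static void update_group (void);

#ifdef SHADOWGRP
static void update_gshadow (void);
#endif
static void grp_update (void);

static void process_flags (int argc, char **argv);
static void close_files (void);
static void open_files (void);
static void usr_update (void);
static void move_home (void);
static void update_lastlog (void);
static void update_faillog (void);

#ifndef NO_MOVE_MAILBOX
static void move_mailbox (void);
#endif

/*
 * Defined outside this file.
 * NOTE(review): presumably relaxes the user/group name validation when
 * non-zero -- confirm at its definition, and check every place that sets it.
 */
extern int allow_bad_names;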
/*
 * get_groups - resolve a comma-separated group list into user_groups[]
 *
 *	get_groups() splits LIST at each ',' (the buffer is modified in
 *	place), looks every element up with prefix_getgr_nam_gid() and
 *	stores a copy of the resolved group's name in the NULL-terminated
 *	user_groups array. According to the original comments the lookup
 *	accepts both names and numerical GIDs.
 *
 *	Returns 0 when every element was found (or LIST is empty) and -1
 *	when at least one element did not resolve. Unknown elements are
 *	reported on stderr and skipped, so the remaining ones are still
 *	processed.
 *
 *	NOTE(review): the ngroups == sys_ngroups test is the only bound on
 *	writes to user_groups; this assumes the array has room for
 *	sys_ngroups entries plus the terminating NULL -- confirm at the
 *	allocation site.
 */
static int get_groups (char *list)
{
	int n_missing = 0;
	int ngroups = 0;

	/* Start from an empty result. */
	user_groups[0] = NULL;

	if (*list == '\0') {
		return 0;
	}

	while (list != NULL) {
		char *name = list;
		char *comma = strchr (name, ',');
		struct group *grp;

		/* Cut the current element out and remember where the next
		 * one starts (NULL once the last element is reached). */
		if (comma != NULL) {
			*comma = '\0';
			list = comma + 1;
		} else {
			list = NULL;
		}

		grp = prefix_getgr_nam_gid (name);
		if (grp == NULL) {
			/* Count the failure but keep going with the rest. */
			fprintf (stderr, _("%s: group '%s' does not exist\n"),
			         Prog, name);
			n_missing++;
			continue;
		}

#ifdef USE_NIS
		/*
		 * NIS groups are not added here; the message refers the
		 * caller to the NIS side for this group.
		 */
		if (__isgrNIS ()) {
			fprintf (stderr,
			         _("%s: group '%s' is a NIS group.\n"),
			         Prog, grp->gr_name);
			gr_free (grp);
			continue;
		}
#endif

		/* Stop before writing past the supported number of groups. */
		if (ngroups == sys_ngroups) {
			fprintf (stderr,
			         _("%s: too many groups specified (max %d).\n"),
			         Prog, ngroups);
			gr_free (grp);
			break;
		}

		/* Keep our own copy of the name; grp is released right after. */
		user_groups[ngroups] = xstrdup (grp->gr_name);
		ngroups++;
		gr_free (grp);
	}

	user_groups[ngroups] = NULL;

	/* Any element that failed to resolve makes the whole call fail. */
	return (n_missing != 0) ? -1 : 0;
}
#ifdef ENABLE_SUBIDS
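/* Inclusive range of unsigned long values, FIRST..LAST. */
struct ulong_range
{
	unsigned long first;
	unsigned long last;
};

/*
 * getulong_range - parse a "FIRST-LAST" range of non-negative integers
 *
 *	Returns the parsed range on success. On any parse error the
 *	returned range has first > last ({ ULONG_MAX, 0 }), which callers
 *	use as the "invalid" marker.
 *
 *	Both bounds must contain at least one digit, be non-negative and
 *	fit in an unsigned long. The previous round-trip test
 *	(value != (unsigned long) value) is always false where long long
 *	and unsigned long have the same width, so negative bounds such as
 *	"-10--5" wrapped into a huge valid-looking range, and a missing
 *	number ("-" or "0-") was silently read as 0. Both are rejected
 *	explicitly now.
 */
static struct ulong_range getulong_range(const char *str)
{
	struct ulong_range result = { .first = ULONG_MAX, .last = 0 };
	long long first, last;
	const char *second;
	char *pos;

	errno = 0;
	first = strtoll(str, &pos, 10);
	/* pos == str: no digits consumed (covers the empty string too). */
	if ((pos == str) || ('-' != *pos) || (ERANGE == errno) ||
	    (first < 0) || ((unsigned long long)first > ULONG_MAX))
		goto out;

	second = pos + 1;
	errno = 0;
	last = strtoll(second, &pos, 10);
	/* The second number must be present and end the string. */
	if ((pos == second) || ('\0' != *pos) || (ERANGE == errno) ||
	    (last < 0) || ((unsigned long long)last > ULONG_MAX))
		goto out;

	if (first > last)
		goto out;

	result.first = (unsigned long int)first;
	result.last = (unsigned long int)last;
out:
	return result;
}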
/* Node of a singly linked list of ID ranges. */
struct ulong_range_list_entry {
	struct ulong_range_list_entry *next;	/* next node; NULL ends the list */
	struct ulong_range range;		/* the range stored in this node */
};

/*
 * List heads, all empty at start-up.
 * NOTE(review): presumably collected from the --add-subuids/--del-subuids
 * and --add-subgids/--del-subgids options shown in usage(); the option
 * parser is outside this part of the file -- confirm.
 */
static struct ulong_range_list_entry *add_sub_uids = NULL, *del_sub_uids = NULL;
static struct ulong_range_list_entry *add_sub_gids = NULL, *del_sub_gids = NULL;
/*
 * prepend_range - parse STR as "FIRST-LAST" and push it onto *HEAD
 *
 *	Returns 1 when a new node was added at the front of the list and 0
 *	when STR is not a valid range or the node could not be allocated
 *	(the latter is also reported on stderr). *HEAD is left untouched
 *	on failure. The caller owns the allocated node.
 */
static int prepend_range(const char *str, struct ulong_range_list_entry **head)
{
	struct ulong_range_list_entry *node;
	const struct ulong_range parsed = getulong_range(str);

	/* getulong_range() signals a parse error with first > last. */
	if (parsed.first > parsed.last) {
		return 0;
	}

	node = malloc(sizeof(*node));
	if (NULL == node) {
		fprintf (stderr,
		         _("%s: failed to allocate memory: %s\n"),
		         Prog, strerror (errno));
		return 0;
	}

	/* Link the new node in front of the current head. */
	node->range = parsed;
	node->next = *head;
	*head = node;
	return 1;
}
#endif /* ENABLE_SUBIDS */
/*
 * usage - display usage message and exit
 *
 *	The text is written to stdout when STATUS is E_SUCCESS and to
 *	stderr otherwise; the process then exits with STATUS, so this
 *	function never returns. Each option line is a separate
 *	translatable string.
 */
NORETURN
static void
usage (int status)
{
	/* A successful request for help is normal output, not an error. */
	FILE *usageout = (E_SUCCESS != status) ? stderr : stdout;
	(void) fprintf (usageout,
	                _("Usage: %s [options] LOGIN\n"
	                  "\n"
	                  "Options:\n"),
	                Prog);
	(void) fputs (_(" -a, --append append the user to the supplemental GROUPS\n"
	                " mentioned by the -G option without removing\n"
	                " the user from other groups\n"), usageout);
	(void) fputs (_(" -b, --badname allow bad names\n"), usageout);
	(void) fputs (_(" -c, --comment COMMENT new value of the GECOS field\n"), usageout);
	(void) fputs (_(" -d, --home HOME_DIR new home directory for the user account\n"), usageout);
	(void) fputs (_(" -e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE\n"), usageout);
	(void) fputs (_(" -f, --inactive INACTIVE set password inactive after expiration\n"
	                " to INACTIVE\n"), usageout);
	(void) fputs (_(" -g, --gid GROUP force use GROUP as new primary group\n"), usageout);
	(void) fputs (_(" -G, --groups GROUPS new list of supplementary GROUPS\n"), usageout);
	(void) fputs (_(" -h, --help display this help message and exit\n"), usageout);
	(void) fputs (_(" -l, --login NEW_LOGIN new value of the login name\n"), usageout);
	(void) fputs (_(" -L, --lock lock the user account\n"), usageout);
	(void) fputs (_(" -m, --move-home move contents of the home directory to the\n"
	                " new location (use only with -d)\n"), usageout);
	(void) fputs (_(" -o, --non-unique allow using duplicate (non-unique) UID\n"), usageout);
	/*
	 * NOTE(review): PASSWORD is given on the command line, where other
	 * local users listing processes can read it; worth keeping in mind
	 * when this option is used from scripts.
	 */
	(void) fputs (_(" -p, --password PASSWORD use encrypted password for the new password\n"), usageout);
	(void) fputs (_(" -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files\n"), usageout);
	(void) fputs (_(" -r, --remove remove the user from only the supplemental GROUPS\n"
	                " mentioned by the -G option without removing\n"
	                " the user from other groups\n"), usageout);
	(void) fputs (_(" -R, --root CHROOT_DIR directory to chroot into\n"), usageout);
	(void) fputs (_(" -s, --shell SHELL new login shell for the user account\n"), usageout);
	(void) fputs (_(" -u, --uid UID new UID for the user account\n"), usageout);
	(void) fputs (_(" -U, --unlock unlock the user account\n"), usageout);
	/* Subordinate ID options exist only in builds with ENABLE_SUBIDS. */
#ifdef ENABLE_SUBIDS
	(void) fputs (_(" -v, --add-subuids FIRST-LAST add range of subordinate uids\n"), usageout);
	(void) fputs (_(" -V, --del-subuids FIRST-LAST remove range of subordinate uids\n"), usageout);
	(void) fputs (_(" -w, --add-subgids FIRST-LAST add range of subordinate gids\n"), usageout);
	(void) fputs (_(" -W, --del-subgids FIRST-LAST remove range of subordinate gids\n"), usageout);
#endif				/* ENABLE_SUBIDS */
	/* The SELinux mapping option exists only in builds with WITH_SELINUX. */
#ifdef WITH_SELINUX
	(void) fputs (_(" -Z, --selinux-user SEUSER new SELinux user mapping for the user account\n"), usageout);
#endif				/* WITH_SELINUX */
	(void) fputs ("\n", usageout);
	exit (status);
}
/*
 * new_pw_passwd - compute the new encrypted password string
 *
 *	Used for both the passwd and the shadow entry. Exactly one of the
 *	following is applied, in this order of precedence:
 *	  - lock (Lflg):   return a newly allocated copy of PW_PASS with a
 *	                   leading '!', unless it already starts with '!';
 *	  - unlock (Uflg): drop the leading '!' in place, unless that would
 *	                   leave an empty password field, in which case the
 *	                   field is left locked and a message is printed;
 *	  - set (pflg):    return a copy of user_pass.
 *	Otherwise PW_PASS is returned unchanged.
 *
 *	The previous string is never freed here. Only the user name, not
 *	the password field, is written to syslog.
 */
static char *new_pw_passwd (char *pw_pass)
{
	int locked = ('!' == pw_pass[0]);

	if (Lflg && !locked) {
		size_t len = strlen (pw_pass);
		/* One byte for the '!' marker, one for the terminator. */
		char *buf = xmalloc (len + 2);

#ifdef WITH_AUDIT
		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
		              "updating passwd", user_newname, user_newid, 0);
#endif
		SYSLOG ((LOG_INFO, "lock user '%s' password", user_newname));
		buf[0] = '!';
		memcpy (buf + 1, pw_pass, len + 1);
		return buf;
	}

	if (Uflg && locked) {
		/*
		 * A field holding only "!" would become empty once unlocked,
		 * i.e. an account without a password: refuse and keep it
		 * locked.
		 */
		if ('\0' == pw_pass[1]) {
			fprintf (stderr,
			         _("%s: unlocking the user's password would result in a passwordless account.\n"
			           "You should set a password with usermod -p to unlock this user's password.\n"),
			         Prog);
			return pw_pass;
		}

#ifdef WITH_AUDIT
		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
		              "updating password", user_newname, user_newid, 0);
#endif
		SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
		/* Shift the string left by one, terminator included. */
		memmove (pw_pass, pw_pass + 1, strlen (pw_pass));
		return pw_pass;
	}

	if (pflg) {
#ifdef WITH_AUDIT
		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
		              "changing password", user_newname, user_newid, 1);
#endif
		SYSLOG ((LOG_INFO, "change user '%s' password", user_newname));
		return xstrdup (user_pass);
	}

	return pw_pass;
}
/*
 * new_pwent - apply the requested changes to a password file entry
 *
 *	For every option flag that is set, new_pwent() records the change
 *	(audit record when WITH_AUDIT is defined, syslog line where the
 *	code has one) and then overwrites the matching field of PWENT
 *	with the new value. A rename to a name that already exists in the
 *	passwd database aborts through fail_exit(E_NAME_IN_USE).
 *
 *	NOTE(review): the UID and GID are logged with '%d'; if uid_t and
 *	gid_t are unsigned on the target, values above INT_MAX would show
 *	up as negative numbers in the log -- confirm.
 */
static void new_pwent (struct passwd *pwent)
{
	if (lflg) {
		if (NULL != pw_locate (user_newname)) {
			/* Not expected: the new name was already checked
			 * against the existing users before this point. */
			fprintf (stderr,
			         _("%s: user '%s' already exists in %s\n"),
			         Prog, user_newname, pw_dbname ());
			fail_exit (E_NAME_IN_USE);
		}
#ifdef WITH_AUDIT
		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
		              "changing name", user_newname, user_newid, 1);
#endif
		SYSLOG ((LOG_INFO,
		         "change user name '%s' to '%s'",
		         pwent->pw_name, user_newname));
		pwent->pw_name = xstrdup (user_newname);
	}

	/*
	 * The password field of passwd is only rewritten when it actually
	 * holds the password: either shadow passwords are not in use, or
	 * this entry does not contain the shadow placeholder. An account
	 * that does not use the shadow file is not forced onto it.
	 */
	if (!(is_shadow_pwd
	      && (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) == 0))) {
		pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);
	}

	if (uflg) {
#ifdef WITH_AUDIT
		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
		              "changing uid", user_newname, user_newid, 1);
#endif
		SYSLOG ((LOG_INFO,
		         "change user '%s' UID from '%d' to '%d'",
		         pwent->pw_name, pwent->pw_uid, user_newid));
		pwent->pw_uid = user_newid;
	}

	if (gflg) {
#ifdef WITH_AUDIT
		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
		              "changing primary group",
		              user_newname, user_newid, 1);
#endif
		SYSLOG ((LOG_INFO,
		         "change user '%s' GID from '%d' to '%d'",
		         pwent->pw_name, pwent->pw_gid, user_newgid));
		pwent->pw_gid = user_newgid;
	}

	if (cflg) {
		/* The comment change gets an audit record but no syslog line. */
#ifdef WITH_AUDIT
		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
		              "changing comment", user_newname, user_newid, 1);
#endif
		pwent->pw_gecos = user_newcomment;
	}

	if (dflg) {
		size_t home_len;

#ifdef WITH_AUDIT
		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
		              "changing home directory",
		              user_newname, user_newid, 1);
#endif
		SYSLOG ((LOG_INFO,
		         "change user '%s' home from '%s' to '%s'",
		         pwent->pw_name, pwent->pw_dir, user_newhome));

		/*
		 * Drop one trailing '/' from the new home (but keep a bare
		 * "/"). This happens after logging, so the log line shows
		 * the path as it was given.
		 */
		home_len = strlen (user_newhome);
		if ((home_len > 1) && ('/' == user_newhome[home_len - 1])) {
			user_newhome[home_len - 1] = '\0';
		}

		pwent->pw_dir = user_newhome;
	}

	if (sflg) {
#ifdef WITH_AUDIT
		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
		              "changing user shell",
		              user_newname, user_newid, 1);
#endif
		SYSLOG ((LOG_INFO,
		         "change user '%s' shell from '%s' to '%s'",
		         pwent->pw_name, pwent->pw_shell, user_newshell));
		pwent->pw_shell = user_newshell;
	}
}
/*
 * new_spent - apply the requested changes to a shadow password entry
 *
 *	For every option flag that is set, new_spent() overwrites the
 *	matching field of SPENT with the new value, logging the inactive
 *	and expiration changes first. The password field is always passed
 *	through new_pw_passwd(). A rename to a name that already exists
 *	in the shadow database aborts through fail_exit(E_NAME_IN_USE).
 */
static void new_spent (struct spwd *spent)
{
	if (lflg) {
		if (NULL != spw_locate (user_newname)) {
			fprintf (stderr,
			         _("%s: user '%s' already exists in %s\n"),
			         Prog, user_newname, spw_dbname ());
			fail_exit (E_NAME_IN_USE);
		}
		spent->sp_namp = xstrdup (user_newname);
	}

	if (fflg) {
#ifdef WITH_AUDIT
		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
		              "changing inactive days",
		              user_newname, user_newid, 1);
#endif
		SYSLOG ((LOG_INFO,
		         "change user '%s' inactive from '%ld' to '%ld'",
		         spent->sp_namp, spent->sp_inact, user_newinactive));
		spent->sp_inact = user_newinactive;
	}

	if (eflg) {
		/* The log line carries dates instead of raw day counts. */
		char expire_new[16];
		char expire_old[16];

		date_to_str (sizeof(expire_new), expire_new, user_newexpire * DAY);
		date_to_str (sizeof(expire_old), expire_old, user_expire * DAY);
#ifdef WITH_AUDIT
		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
		              "changing expiration date",
		              user_newname, user_newid, 1);
#endif
		SYSLOG ((LOG_INFO,
		         "change user '%s' expiration from '%s' to '%s'",
		         spent->sp_namp, expire_old, expire_new));
		spent->sp_expire = user_newexpire;
	}

	/*
	 * The shadowed password is updated whenever a shadow entry exists,
	 * even if this account keeps its password in passwd
	 * (pw_passwd != "x"). Updating both places is preferred for the
	 * case where a shadow and a non-shadow entry coexist, which may
	 * happen if:
	 *  + both entries already existed
	 *  + aging has been requested
	 */
	spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);

	if (pflg) {
		spent->sp_lstchg = gettime () / SCALE;
		/*
		 * 0 in sp_lstchg means the password has to be changed at the
		 * next login. Disable aging (-1) instead of forcing that.
		 */
		if (spent->sp_lstchg == 0) {
			spent->sp_lstchg = -1;
		}
	}
}
/*
 * fail_exit - release every database lock still held, then exit
 *
 *	The *_locked flags are tested in a fixed order: group, shadow group
 *	(SHADOWGRP builds), shadow password, password, then the subordinate
 *	uid and gid files (ENABLE_SUBIDS builds). A failed unlock is reported
 *	on stderr and through SYSLOG but never prevents the exit. WITH_AUDIT
 *	builds emit a "modifying account" record, with 0 as the final
 *	argument, before exit (code) is called.
 */
NORETURN
static void
fail_exit (int code)
{
	/* Each unlock is attempted only when the matching flag says the
	 * lock is held; a failure is logged and the cleanup carries on. */
	if (gr_locked && (gr_unlock () == 0)) {
		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
		SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
	}
#ifdef	SHADOWGRP
	if (sgr_locked && (sgr_unlock () == 0)) {
		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
		SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
	}
#endif
	if (spw_locked && (spw_unlock () == 0)) {
		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ());
		SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
	}
	if (pw_locked && (pw_unlock () == 0)) {
		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ());
		SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
	}
#ifdef ENABLE_SUBIDS
	if (sub_uid_locked && (sub_uid_unlock () == 0)) {
		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
		SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
	}
	if (sub_gid_locked && (sub_gid_unlock () == 0)) {
		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
		SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
	}
#endif				/* ENABLE_SUBIDS */

#ifdef	WITH_AUDIT
	/* Record the aborted modification before leaving. */
	audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
	              "modifying account",
	              user_name, AUDIT_NO_ID, 0);
#endif
	exit (code);
}
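/*
 * update_group - apply the requested membership and login-name changes
 *                to the group database
 *
 *	Walks every entry returned by gr_next (). An entry is rewritten when
 *	the user has to be removed from it, added to it, or renamed in it
 *	(lflg). Changes are made on a private copy obtained from __gr_dup ()
 *	and handed to gr_update (); the copy is released with gr_free () on
 *	every path, including the one where nothing changed.
 *
 *	A failed allocation or update ends the program through
 *	fail_exit (E_GRP_UPDATE).
 */
static void update_group (void)
{
	bool is_member;
	bool was_member;
	bool changed;
	const struct group *grp;
	struct group *ngrp;

	changed = false;

	/*
	 * Scan through the entire group file looking for the groups that
	 * the user is a member of.
	 */
	while ((grp = gr_next ()) != NULL) {
		/*
		 * was_member: the entry currently lists the user.
		 * is_member:  -G was given and the entry is either in the
		 *             requested list or kept because of -a.
		 */
		was_member = is_on_list (grp->gr_mem, user_name);
		is_member = Gflg && (   (was_member && aflg)
		                     || is_on_list (user_groups, grp->gr_name));

		/* Entries the user neither belongs to nor asked for are
		 * left untouched. */
		if (!was_member && !is_member) {
			continue;
		}

		/*
		 * With -rG the listed groups are the ones to leave, so the
		 * membership decision is inverted. Entries reaching this
		 * point have was_member or is_member set, so the inversion
		 * can only keep or drop an existing membership here.
		 */
		if (Gflg && rflg) {
			is_member = !is_member;
		}

		ngrp = __gr_dup (grp);
		if (NULL == ngrp) {
			fprintf (stderr,
			         _("%s: Out of memory. Cannot update %s.\n"),
			         Prog, gr_dbname ());
			fail_exit (E_GRP_UPDATE);
		}

		if (was_member) {
			if ((!Gflg) || is_member) {
				/* User was a member and is still a member
				 * of this group.
				 * But the user might have been renamed.
				 */
				if (lflg) {
					ngrp->gr_mem = del_list (ngrp->gr_mem,
					                         user_name);
					ngrp->gr_mem = add_list (ngrp->gr_mem,
					                         user_newname);
					changed = true;
#ifdef WITH_AUDIT
					audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
					              "changing group member",
					              user_newname, AUDIT_NO_ID, 1);
#endif
					SYSLOG ((LOG_INFO,
					         "change '%s' to '%s' in group '%s'",
					         user_name, user_newname,
					         ngrp->gr_name));
				}
			} else {
				/* User was a member but is no longer a
				 * member of this group.
				 */
				ngrp->gr_mem = del_list (ngrp->gr_mem, user_name);
				changed = true;
#ifdef WITH_AUDIT
				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
				              "removing group member",
				              user_name, AUDIT_NO_ID, 1);
#endif
				SYSLOG ((LOG_INFO,
				         "delete '%s' from group '%s'",
				         user_name, ngrp->gr_name));
			}
		} else if (is_member) {
			/* User was not a member but is now a member of this
			 * group.
			 */
			ngrp->gr_mem = add_list (ngrp->gr_mem, user_newname);
			changed = true;
#ifdef WITH_AUDIT
			/* NOTE(review): the entry and the syslog line below
			 * use user_newname while this audit record names
			 * user_name; the two differ when -l is combined with
			 * -G, so the audit trail would show the old login.
			 * Confirm which name is intended. */
			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
			              "adding user to group",
			              user_name, AUDIT_NO_ID, 1);
#endif
			SYSLOG ((LOG_INFO, "add '%s' to group '%s'",
			         user_newname, ngrp->gr_name));
		}

		if (changed) {
			changed = false;
			if (gr_update (ngrp) == 0) {
				fprintf (stderr,
				         _("%s: failed to prepare the new %s entry '%s'\n"),
				         Prog, gr_dbname (), ngrp->gr_name);
				SYSLOG ((LOG_WARN, "failed to prepare the new %s entry '%s'", gr_dbname (), ngrp->gr_name));
				fail_exit (E_GRP_UPDATE);
			}
		}

		/* Release the copy whether or not it was committed; skipping
		 * this on the unchanged path leaked one duplicated entry per
		 * untouched membership. */
		gr_free (ngrp);
	}
}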
#ifdef SHADOWGRP
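/*
 * update_gshadow - apply the requested membership, administrator and
 *                  login-name changes to the shadow group database
 *
 *	Walks every entry returned by sgr_next (). An entry is rewritten
 *	when the user has to be removed from its member list, added to it,
 *	or renamed in its member or administrator list (lflg). Changes are
 *	made on a private copy obtained from __sgr_dup () and handed to
 *	sgr_update (); the copy is released on every path, including the one
 *	where nothing changed.
 *
 *	A failed allocation or update ends the program through
 *	fail_exit (E_GRP_UPDATE).
 */
static void update_gshadow (void)
{
	bool is_member;
	bool was_member;
	bool was_admin;
	bool changed;
	const struct sgrp *sgrp;
	struct sgrp *nsgrp;

	changed = false;

	/*
	 * Scan through the entire shadow group file looking for the groups
	 * that the user is a member of.
	 */
	while ((sgrp = sgr_next ()) != NULL) {

		/*
		 * See if the user was a member of this group
		 */
		was_member = is_on_list (sgrp->sg_mem, user_name);

		/*
		 * See if the user was an administrator of this group
		 */
		was_admin = is_on_list (sgrp->sg_adm, user_name);

		/*
		 * See if the user specified this group as one of their
		 * concurrent groups.
		 */
		is_member = Gflg && (   (was_member && aflg)
		                     || is_on_list (user_groups, sgrp->sg_name));

		if (!was_member && !was_admin && !is_member) {
			continue;
		}

		/*
		 * With -rG the listed groups are the ones to leave: the user
		 * stays a member only where they already were one and the
		 * group was not listed. A plain negation is not enough here,
		 * because an entry where the user is an administrator but
		 * not a member is not skipped above, and negating its false
		 * is_member would turn a removal request into a membership
		 * to add.
		 */
		if (Gflg && rflg) {
			is_member = was_member && !is_member;
		}

		nsgrp = __sgr_dup (sgrp);
		if (NULL == nsgrp) {
			fprintf (stderr,
			         _("%s: Out of memory. Cannot update %s.\n"),
			         Prog, sgr_dbname ());
			fail_exit (E_GRP_UPDATE);
		}

		if (was_admin && lflg) {
			/* User was an admin of this group but the user
			 * has been renamed.
			 */
			nsgrp->sg_adm = del_list (nsgrp->sg_adm, user_name);
			nsgrp->sg_adm = add_list (nsgrp->sg_adm, user_newname);
			changed = true;
#ifdef WITH_AUDIT
			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
			              "changing admin name in shadow group",
			              user_name, AUDIT_NO_ID, 1);
#endif
			SYSLOG ((LOG_INFO,
			         "change admin '%s' to '%s' in shadow group '%s'",
			         user_name, user_newname, nsgrp->sg_name));
		}

		if (was_member) {
			if ((!Gflg) || is_member) {
				/* User was a member and is still a member
				 * of this group.
				 * But the user might have been renamed.
				 */
				if (lflg) {
					nsgrp->sg_mem = del_list (nsgrp->sg_mem,
					                          user_name);
					nsgrp->sg_mem = add_list (nsgrp->sg_mem,
					                          user_newname);
					changed = true;
#ifdef WITH_AUDIT
					audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
					              "changing member in shadow group",
					              user_name, AUDIT_NO_ID, 1);
#endif
					SYSLOG ((LOG_INFO,
					         "change '%s' to '%s' in shadow group '%s'",
					         user_name, user_newname,
					         nsgrp->sg_name));
				}
			} else {
				/* User was a member but is no longer a
				 * member of this group.
				 */
				nsgrp->sg_mem = del_list (nsgrp->sg_mem, user_name);
				changed = true;
#ifdef WITH_AUDIT
				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
				              "removing user from shadow group",
				              user_name, AUDIT_NO_ID, 1);
#endif
				SYSLOG ((LOG_INFO,
				         "delete '%s' from shadow group '%s'",
				         user_name, nsgrp->sg_name));
			}
		} else if (is_member) {
			/* User was not a member but is now a member of this
			 * group.
			 */
			nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_newname);
			changed = true;
#ifdef WITH_AUDIT
			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
			              "adding user to shadow group",
			              user_newname, AUDIT_NO_ID, 1);
#endif
			SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'",
			         user_newname, nsgrp->sg_name));
		}

		if (changed) {
			changed = false;

			/*
			 * Update the group entry to reflect the changes.
			 */
			if (sgr_update (nsgrp) == 0) {
				fprintf (stderr,
				         _("%s: failed to prepare the new %s entry '%s'\n"),
				         Prog, sgr_dbname (), nsgrp->sg_name);
				SYSLOG ((LOG_WARN, "failed to prepare the new %s entry '%s'",
				         sgr_dbname (), nsgrp->sg_name));
				fail_exit (E_GRP_UPDATE);
			}
		}

		/* Release the copy whether or not it was committed; the
		 * unchanged path previously skipped this.
		 * NOTE(review): plain free () releases only the struct
		 * itself. If __sgr_dup () allocates the name, password and
		 * member/administrator lists separately (the password field
		 * would then stay on the heap), a dedicated release helper
		 * for struct sgrp is the right call - TODO confirm against
		 * the library. */
		free (nsgrp);
	}
}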
#endif /* SHADOWGRP */
/*
 * grp_update - apply the group membership changes
 *
 *	Calls update_group () for the group database and, in SHADOWGRP
 *	builds where is_shadow_grp is set, update_gshadow () for the shadow
 *	group database.
 */
static void grp_update (void)
{
	update_group ();

#ifdef SHADOWGRP
	/* Nothing more to do when no shadow group file is in use. */
	if (!is_shadow_grp) {
		return;
	}
	update_gshadow ();
#endif
}
/*
|
|
|
|
* process_flags - perform command line argument setting
|
|
|
|
*
|
2007-10-07 17:14:59 +05:30
|
|
|
* process_flags() interprets the command line arguments and sets the
|
|
|
|
* values that the user will be created with accordingly. The values
|
|
|
|
* are checked for sanity.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
static void process_flags (int argc, char **argv)
|
2007-10-07 17:14:02 +05:30
|
|
|
{
|
|
|
|
const struct group *grp;
|
2021-02-07 23:56:55 +05:30
|
|
|
struct stat st;
|
2008-06-10 01:47:48 +05:30
|
|
|
bool anyflag = false;
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
{
|
|
|
|
/*
|
|
|
|
* Parse the command line options.
|
|
|
|
*/
|
|
|
|
int c;
|
|
|
|
static struct option long_options[] = {
|
* src/chage.c, src/chgpasswd.c, src/chpasswd.c, src/chsh.c,
src/faillog.c, src/gpasswd.c, src/groupadd.c, src/groupdel.c,
src/groupmems.c, src/groupmod.c, src/grpconv.c, src/grpunconv.c,
src/lastlog.c, src/newusers.c, src/passwd.c, src/pwconv.c,
src/pwunconv.c, src/su.c, src/useradd.c, src/userdel.c,
src/usermod.c, src/vipw.c: Align and sort options.
2011-11-07 00:09:59 +05:30
|
|
|
{"append", no_argument, NULL, 'a'},
|
2019-08-24 02:12:37 +05:30
|
|
|
{"badnames", no_argument, NULL, 'b'},
|
* src/chage.c, src/chgpasswd.c, src/chpasswd.c, src/chsh.c,
src/faillog.c, src/gpasswd.c, src/groupadd.c, src/groupdel.c,
src/groupmems.c, src/groupmod.c, src/grpconv.c, src/grpunconv.c,
src/lastlog.c, src/newusers.c, src/passwd.c, src/pwconv.c,
src/pwunconv.c, src/su.c, src/useradd.c, src/userdel.c,
src/usermod.c, src/vipw.c: Align and sort options.
2011-11-07 00:09:59 +05:30
|
|
|
{"comment", required_argument, NULL, 'c'},
|
|
|
|
{"home", required_argument, NULL, 'd'},
|
|
|
|
{"expiredate", required_argument, NULL, 'e'},
|
|
|
|
{"inactive", required_argument, NULL, 'f'},
|
|
|
|
{"gid", required_argument, NULL, 'g'},
|
|
|
|
{"groups", required_argument, NULL, 'G'},
|
|
|
|
{"help", no_argument, NULL, 'h'},
|
|
|
|
{"login", required_argument, NULL, 'l'},
|
|
|
|
{"lock", no_argument, NULL, 'L'},
|
|
|
|
{"move-home", no_argument, NULL, 'm'},
|
|
|
|
{"non-unique", no_argument, NULL, 'o'},
|
|
|
|
{"password", required_argument, NULL, 'p'},
|
2021-09-23 08:59:09 +05:30
|
|
|
{"remove", no_argument, NULL, 'r'},
|
* src/chage.c, src/chgpasswd.c, src/chpasswd.c, src/chsh.c,
src/faillog.c, src/gpasswd.c, src/groupadd.c, src/groupdel.c,
src/groupmems.c, src/groupmod.c, src/grpconv.c, src/grpunconv.c,
src/lastlog.c, src/newusers.c, src/passwd.c, src/pwconv.c,
src/pwunconv.c, src/su.c, src/useradd.c, src/userdel.c,
src/usermod.c, src/vipw.c: Align and sort options.
2011-11-07 00:09:59 +05:30
|
|
|
{"root", required_argument, NULL, 'R'},
|
2016-05-15 19:19:39 +05:30
|
|
|
{"prefix", required_argument, NULL, 'P'},
|
* src/chage.c, src/chgpasswd.c, src/chpasswd.c, src/chsh.c,
src/faillog.c, src/gpasswd.c, src/groupadd.c, src/groupdel.c,
src/groupmems.c, src/groupmod.c, src/grpconv.c, src/grpunconv.c,
src/lastlog.c, src/newusers.c, src/passwd.c, src/pwconv.c,
src/pwunconv.c, src/su.c, src/useradd.c, src/userdel.c,
src/usermod.c, src/vipw.c: Align and sort options.
2011-11-07 00:09:59 +05:30
|
|
|
{"shell", required_argument, NULL, 's'},
|
|
|
|
{"uid", required_argument, NULL, 'u'},
|
|
|
|
{"unlock", no_argument, NULL, 'U'},
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 18:24:22 +05:30
|
|
|
#ifdef ENABLE_SUBIDS
|
2013-01-22 14:48:24 +05:30
|
|
|
{"add-subuids", required_argument, NULL, 'v'},
|
|
|
|
{"del-subuids", required_argument, NULL, 'V'},
|
|
|
|
{"add-subgids", required_argument, NULL, 'w'},
|
|
|
|
{"del-subgids", required_argument, NULL, 'W'},
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 18:24:22 +05:30
|
|
|
#endif /* ENABLE_SUBIDS */
|
2009-04-11 21:04:10 +05:30
|
|
|
#ifdef WITH_SELINUX
|
|
|
|
{"selinux-user", required_argument, NULL, 'Z'},
|
* NEWS, src/userdel.c, man/userdel.8.xml: Add option -Z/--selinux-user.
* libmisc/system.c, lib/prototypes.h, libmisc/Makefile.am: Removed
safe_system().
* lib/selinux.c, po/POTFILES.in, lib/prototypes.h,
lib/Makefile.am: Added helper functions for semanage.
* README, src/useradd.c, src/usermod.c, src/userdel.c,
configure.in: Use libsemanage instead of semanage.
2011-11-18 03:21:07 +05:30
|
|
|
#endif /* WITH_SELINUX */
|
2007-10-07 17:17:11 +05:30
|
|
|
{NULL, 0, NULL, '\0'}
|
|
|
|
};
|
2009-04-11 04:03:43 +05:30
|
|
|
while ((c = getopt_long (argc, argv,
|
2021-09-23 08:59:09 +05:30
|
|
|
"abc:d:e:f:g:G:hl:Lmop:rR:s:u:UP:"
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 18:24:22 +05:30
|
|
|
#ifdef ENABLE_SUBIDS
|
|
|
|
"v:w:V:W:"
|
|
|
|
#endif /* ENABLE_SUBIDS */
|
2009-04-11 21:04:10 +05:30
|
|
|
#ifdef WITH_SELINUX
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 18:24:22 +05:30
|
|
|
"Z:"
|
|
|
|
#endif /* WITH_SELINUX */
|
|
|
|
, long_options, NULL)) != -1) {
|
2007-10-07 17:17:11 +05:30
|
|
|
switch (c) {
|
|
|
|
case 'a':
|
2008-06-10 01:47:48 +05:30
|
|
|
aflg = true;
|
2007-10-07 17:17:11 +05:30
|
|
|
break;
|
2019-08-24 02:12:37 +05:30
|
|
|
case 'b':
|
|
|
|
allow_bad_names = true;
|
|
|
|
break;
|
2007-10-07 17:17:11 +05:30
|
|
|
case 'c':
|
|
|
|
if (!VALID (optarg)) {
|
|
|
|
fprintf (stderr,
|
2009-04-11 04:03:43 +05:30
|
|
|
_("%s: invalid field '%s'\n"),
|
|
|
|
Prog, optarg);
|
2007-10-07 17:17:11 +05:30
|
|
|
exit (E_BAD_ARG);
|
|
|
|
}
|
|
|
|
user_newcomment = optarg;
|
2008-06-10 01:47:48 +05:30
|
|
|
cflg = true;
|
2007-10-07 17:17:11 +05:30
|
|
|
break;
|
|
|
|
case 'd':
|
|
|
|
if (!VALID (optarg)) {
|
2007-10-07 17:14:59 +05:30
|
|
|
fprintf (stderr,
|
2009-04-11 04:03:43 +05:30
|
|
|
_("%s: invalid field '%s'\n"),
|
|
|
|
Prog, optarg);
|
2007-10-07 17:14:59 +05:30
|
|
|
exit (E_BAD_ARG);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2008-06-10 01:47:48 +05:30
|
|
|
dflg = true;
|
2007-10-07 17:17:11 +05:30
|
|
|
user_newhome = optarg;
|
2021-06-02 08:41:37 +05:30
|
|
|
if (user_newhome[0] != '/') {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: homedir must be an absolute path\n"),
|
|
|
|
Prog);
|
|
|
|
exit (E_BAD_ARG);
|
|
|
|
}
|
2007-10-07 17:17:11 +05:30
|
|
|
break;
|
|
|
|
case 'e':
|
2021-12-14 17:10:06 +05:30
|
|
|
user_newexpire = strtoday (optarg);
|
|
|
|
if (user_newexpire < -1) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: invalid date '%s'\n"),
|
|
|
|
Prog, optarg);
|
|
|
|
exit (E_BAD_ARG);
|
2008-06-10 01:47:48 +05:30
|
|
|
}
|
2021-12-14 17:10:06 +05:30
|
|
|
user_newexpire *= DAY / SCALE;
|
2008-06-10 01:47:48 +05:30
|
|
|
eflg = true;
|
2007-10-07 17:17:11 +05:30
|
|
|
break;
|
|
|
|
case 'f':
|
2009-04-11 04:03:43 +05:30
|
|
|
if ( (getlong (optarg, &user_newinactive) == 0)
|
|
|
|
|| (user_newinactive < -1)) {
|
2009-03-16 03:04:20 +05:30
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: invalid numeric argument '%s'\n"),
|
|
|
|
Prog, optarg);
|
2011-07-14 18:59:54 +05:30
|
|
|
exit (E_BAD_ARG);
|
2009-03-16 03:04:20 +05:30
|
|
|
}
|
2008-06-10 01:47:48 +05:30
|
|
|
fflg = true;
|
2007-10-07 17:17:11 +05:30
|
|
|
break;
|
|
|
|
case 'g':
|
|
|
|
grp = getgr_nam_gid (optarg);
|
2008-06-10 01:47:48 +05:30
|
|
|
if (NULL == grp) {
|
2007-10-07 17:17:11 +05:30
|
|
|
fprintf (stderr,
|
2009-04-11 04:03:43 +05:30
|
|
|
_("%s: group '%s' does not exist\n"),
|
|
|
|
Prog, optarg);
|
2007-10-07 17:17:11 +05:30
|
|
|
exit (E_NOTFOUND);
|
|
|
|
}
|
|
|
|
user_newgid = grp->gr_gid;
|
2008-06-10 01:47:48 +05:30
|
|
|
gflg = true;
|
2021-06-11 15:20:49 +05:30
|
|
|
gr_free (grp);
|
2007-10-07 17:17:11 +05:30
|
|
|
break;
|
|
|
|
case 'G':
|
2008-06-10 01:47:48 +05:30
|
|
|
if (get_groups (optarg) != 0) {
|
2007-10-07 17:17:11 +05:30
|
|
|
exit (E_NOTFOUND);
|
2008-06-10 01:47:48 +05:30
|
|
|
}
|
|
|
|
Gflg = true;
|
2007-10-07 17:17:11 +05:30
|
|
|
break;
|
* NEWS, src/userdel.c, src/lastlog.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/groupmems.c, src/usermod.c,
src/chgpasswd.c, src/vipw.c, src/su.c, src/useradd.c,
src/groupmod.c, src/passwd.c, src/groupadd.c, src/chage.c,
src/faillog.c, src/chsh.c: If someone uses the -h/--help options,
the usage should not go to stderr nor should the utility exit with
non-zero status. All of the shadow utils do just this
unfortunately, so convert them over to sanity.
* man/groupmems.8.xml, man/gpasswd.1.xml: Added option -h/--help.
2009-09-05 04:32:33 +05:30
|
|
|
case 'h':
|
|
|
|
usage (E_SUCCESS);
|
2011-07-30 07:11:03 +05:30
|
|
|
/*@notreached@*/break;
|
2007-10-07 17:17:11 +05:30
|
|
|
case 'l':
|
2008-05-26 02:28:16 +05:30
|
|
|
if (!is_valid_user_name (optarg)) {
|
2007-10-07 17:17:11 +05:30
|
|
|
fprintf (stderr,
|
2022-04-26 20:15:04 +05:30
|
|
|
_("%s: invalid user name '%s': use --badname to ignore\n"),
|
2009-04-11 04:03:43 +05:30
|
|
|
Prog, optarg);
|
2007-10-07 17:17:11 +05:30
|
|
|
exit (E_BAD_ARG);
|
|
|
|
}
|
2008-06-10 01:47:48 +05:30
|
|
|
lflg = true;
|
2007-10-07 17:17:11 +05:30
|
|
|
user_newname = optarg;
|
|
|
|
break;
|
|
|
|
case 'L':
|
2008-06-10 01:47:48 +05:30
|
|
|
Lflg = true;
|
2007-10-07 17:17:11 +05:30
|
|
|
break;
|
|
|
|
case 'm':
|
2008-06-10 01:47:48 +05:30
|
|
|
mflg = true;
|
2007-10-07 17:17:11 +05:30
|
|
|
break;
|
|
|
|
case 'o':
|
2008-06-10 01:47:48 +05:30
|
|
|
oflg = true;
|
2007-10-07 17:17:11 +05:30
|
|
|
break;
|
|
|
|
case 'p':
|
|
|
|
user_pass = optarg;
|
2008-06-10 01:47:48 +05:30
|
|
|
pflg = true;
|
2007-10-07 17:17:11 +05:30
|
|
|
break;
|
2021-09-23 08:59:09 +05:30
|
|
|
case 'r':
|
|
|
|
rflg = true;
|
|
|
|
break;
|
2011-11-07 00:07:39 +05:30
|
|
|
case 'R': /* no-op, handled in process_root_flag () */
|
|
|
|
break;
|
2016-05-15 19:19:39 +05:30
|
|
|
case 'P': /* no-op, handled in process_prefix_flag () */
|
|
|
|
break;
|
2007-10-07 17:17:11 +05:30
|
|
|
case 's':
|
2021-02-07 23:56:55 +05:30
|
|
|
if ( ( !VALID (optarg) )
|
|
|
|
|| ( ('\0' != optarg[0])
|
|
|
|
&& ('/' != optarg[0])
|
|
|
|
&& ('*' != optarg[0]) )) {
|
2007-10-07 17:17:11 +05:30
|
|
|
fprintf (stderr,
|
2021-02-07 23:56:55 +05:30
|
|
|
_("%s: invalid shell '%s'\n"),
|
2009-04-11 04:03:43 +05:30
|
|
|
Prog, optarg);
|
2007-10-07 17:17:11 +05:30
|
|
|
exit (E_BAD_ARG);
|
|
|
|
}
|
2021-02-07 23:56:55 +05:30
|
|
|
if ( '\0' != optarg[0]
|
|
|
|
&& '*' != optarg[0]
|
|
|
|
&& strcmp(optarg, "/sbin/nologin") != 0
|
|
|
|
&& ( stat(optarg, &st) != 0
|
|
|
|
|| S_ISDIR(st.st_mode)
|
|
|
|
|| access(optarg, X_OK) != 0)) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: Warning: missing or non-executable shell '%s'\n"),
|
|
|
|
Prog, optarg);
|
|
|
|
}
|
2007-10-07 17:17:11 +05:30
|
|
|
user_newshell = optarg;
|
2008-06-10 01:47:48 +05:30
|
|
|
sflg = true;
|
2007-10-07 17:17:11 +05:30
|
|
|
break;
|
|
|
|
case 'u':
|
2009-03-09 02:13:15 +05:30
|
|
|
if ( (get_uid (optarg, &user_newid) ==0)
|
|
|
|
|| (user_newid == (uid_t)-1)) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: invalid user ID '%s'\n"),
|
|
|
|
Prog, optarg);
|
|
|
|
exit (E_BAD_ARG);
|
|
|
|
}
|
2008-06-10 01:47:48 +05:30
|
|
|
uflg = true;
|
2007-10-07 17:17:11 +05:30
|
|
|
break;
|
|
|
|
case 'U':
|
2008-06-10 01:47:48 +05:30
|
|
|
Uflg = true;
|
2007-10-07 17:17:11 +05:30
|
|
|
break;
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 18:24:22 +05:30
|
|
|
#ifdef ENABLE_SUBIDS
|
2013-01-22 14:48:24 +05:30
|
|
|
case 'v':
|
|
|
|
if (prepend_range (optarg, &add_sub_uids) == 0) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: invalid subordinate uid range '%s'\n"),
|
|
|
|
Prog, optarg);
|
|
|
|
exit(E_BAD_ARG);
|
|
|
|
}
|
|
|
|
vflg = true;
|
|
|
|
break;
|
|
|
|
case 'V':
|
|
|
|
if (prepend_range (optarg, &del_sub_uids) == 0) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: invalid subordinate uid range '%s'\n"),
|
|
|
|
Prog, optarg);
|
|
|
|
exit(E_BAD_ARG);
|
|
|
|
}
|
|
|
|
Vflg = true;
|
|
|
|
break;
|
|
|
|
case 'w':
|
|
|
|
if (prepend_range (optarg, &add_sub_gids) == 0) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: invalid subordinate gid range '%s'\n"),
|
|
|
|
Prog, optarg);
|
|
|
|
exit(E_BAD_ARG);
|
|
|
|
}
|
|
|
|
wflg = true;
|
2013-06-06 21:13:29 +05:30
|
|
|
break;
|
2013-01-22 14:48:24 +05:30
|
|
|
case 'W':
|
|
|
|
if (prepend_range (optarg, &del_sub_gids) == 0) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: invalid subordinate gid range '%s'\n"),
|
|
|
|
Prog, optarg);
|
|
|
|
exit(E_BAD_ARG);
|
|
|
|
}
|
|
|
|
Wflg = true;
|
|
|
|
break;
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 18:24:22 +05:30
|
|
|
#endif /* ENABLE_SUBIDS */
|
2009-04-11 21:04:10 +05:30
|
|
|
#ifdef WITH_SELINUX
|
|
|
|
case 'Z':
|
2016-05-15 19:19:39 +05:30
|
|
|
if (prefix[0]) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: -Z cannot be used with --prefix\n"),
|
|
|
|
Prog);
|
|
|
|
exit (E_BAD_ARG);
|
|
|
|
}
|
2009-04-11 21:04:10 +05:30
|
|
|
if (is_selinux_enabled () > 0) {
|
|
|
|
user_selinux = optarg;
|
|
|
|
Zflg = true;
|
|
|
|
} else {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: -Z requires SELinux enabled kernel\n"),
|
|
|
|
Prog);
|
|
|
|
exit (E_BAD_ARG);
|
|
|
|
}
|
|
|
|
break;
|
* NEWS, src/userdel.c, man/userdel.8.xml: Add option -Z/--selinux-user.
* libmisc/system.c, lib/prototypes.h, libmisc/Makefile.am: Removed
safe_system().
* lib/selinux.c, po/POTFILES.in, lib/prototypes.h,
lib/Makefile.am: Added helper functions for semanage.
* README, src/useradd.c, src/usermod.c, src/userdel.c,
configure.in: Use libsemanage instead of semanage.
2011-11-18 03:21:07 +05:30
|
|
|
#endif /* WITH_SELINUX */
|
2007-10-07 17:17:11 +05:30
|
|
|
default:
|
* NEWS, src/userdel.c, src/lastlog.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/groupmems.c, src/usermod.c,
src/chgpasswd.c, src/vipw.c, src/su.c, src/useradd.c,
src/groupmod.c, src/passwd.c, src/groupadd.c, src/chage.c,
src/faillog.c, src/chsh.c: If someone uses the -h/--help options,
the usage should not go to stderr nor should the utility exit with
non-zero status. All of the shadow utils do just this
unfortunately, so convert them over to sanity.
* man/groupmems.8.xml, man/gpasswd.1.xml: Added option -h/--help.
2009-09-05 04:32:33 +05:30
|
|
|
usage (E_USAGE);
|
2007-10-07 17:17:11 +05:30
|
|
|
}
|
2008-06-10 01:47:48 +05:30
|
|
|
anyflag = true;
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
}
|
2007-10-07 17:17:11 +05:30
|
|
|
|
2010-08-30 00:32:41 +05:30
|
|
|
if (optind != argc - 1) {
|
|
|
|
usage (E_USAGE);
|
|
|
|
}
|
|
|
|
|
|
|
|
user_name = argv[argc - 1];
|
|
|
|
|
|
|
|
{
|
|
|
|
const struct passwd *pwd;
|
|
|
|
/* local, no need for xgetpwnam */
|
2016-05-15 19:19:39 +05:30
|
|
|
pwd = prefix_getpwnam (user_name);
|
2010-08-30 00:32:41 +05:30
|
|
|
if (NULL == pwd) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: user '%s' does not exist\n"),
|
|
|
|
Prog, user_name);
|
|
|
|
exit (E_NOTFOUND);
|
|
|
|
}
|
|
|
|
|
|
|
|
user_id = pwd->pw_uid;
|
|
|
|
user_gid = pwd->pw_gid;
|
|
|
|
user_comment = xstrdup (pwd->pw_gecos);
|
|
|
|
user_home = xstrdup (pwd->pw_dir);
|
|
|
|
user_shell = xstrdup (pwd->pw_shell);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* user_newname, user_newid, user_newgid can be used even when the
|
|
|
|
* options were not specified. */
|
|
|
|
if (!lflg) {
|
|
|
|
user_newname = user_name;
|
|
|
|
}
|
|
|
|
if (!uflg) {
|
|
|
|
user_newid = user_id;
|
|
|
|
}
|
|
|
|
if (!gflg) {
|
|
|
|
user_newgid = user_gid;
|
|
|
|
}
|
2021-08-18 23:36:02 +05:30
|
|
|
if (prefix[0]) {
|
2016-05-15 19:19:39 +05:30
|
|
|
size_t len = strlen(prefix) + strlen(user_home) + 2;
|
|
|
|
int wlen;
|
|
|
|
prefix_user_home = xmalloc(len);
|
|
|
|
wlen = snprintf(prefix_user_home, len, "%s/%s", prefix, user_home);
|
|
|
|
assert (wlen == (int) len -1);
|
2018-05-09 07:47:46 +05:30
|
|
|
if (user_newhome) {
|
|
|
|
len = strlen(prefix) + strlen(user_newhome) + 2;
|
|
|
|
prefix_user_newhome = xmalloc(len);
|
|
|
|
wlen = snprintf(prefix_user_newhome, len, "%s/%s", prefix, user_newhome);
|
|
|
|
assert (wlen == (int) len -1);
|
|
|
|
}
|
2016-05-15 19:19:39 +05:30
|
|
|
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
prefix_user_home = user_home;
|
|
|
|
prefix_user_newhome = user_newhome;
|
|
|
|
}
|
2010-08-30 00:32:41 +05:30
|
|
|
|
|
|
|
#ifdef USE_NIS
|
|
|
|
/*
|
|
|
|
* Now make sure it isn't an NIS user.
|
|
|
|
*/
|
|
|
|
if (__ispwNIS ()) {
|
|
|
|
char *nis_domain;
|
|
|
|
char *nis_master;
|
|
|
|
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: user %s is a NIS user\n"),
|
|
|
|
Prog, user_name);
|
|
|
|
|
|
|
|
if ( !yp_get_default_domain (&nis_domain)
|
|
|
|
&& !yp_master (nis_domain, "passwd.byname", &nis_master)) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: %s is the NIS master\n"),
|
|
|
|
Prog, nis_master);
|
|
|
|
}
|
|
|
|
exit (E_NOTFOUND);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
{
|
|
|
|
const struct spwd *spwd = NULL;
|
|
|
|
/* local, no need for xgetspnam */
|
2016-05-15 19:19:39 +05:30
|
|
|
if (is_shadow_pwd && ((spwd = prefix_getspnam (user_name)) != NULL)) {
|
2010-08-30 00:32:41 +05:30
|
|
|
user_expire = spwd->sp_expire;
|
|
|
|
user_inactive = spwd->sp_inact;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2008-06-10 01:47:48 +05:30
|
|
|
if (!anyflag) {
|
2011-07-14 18:59:10 +05:30
|
|
|
fprintf (stderr, _("%s: no options\n"), Prog);
|
|
|
|
usage (E_USAGE);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (aflg && (!Gflg)) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: %s flag is only allowed with the %s flag\n"),
|
|
|
|
Prog, "-a", "-G");
|
|
|
|
usage (E_USAGE);
|
|
|
|
}
|
|
|
|
|
2021-09-23 08:59:09 +05:30
|
|
|
if (rflg && (!Gflg)) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: %s flag is only allowed with the %s flag\n"),
|
|
|
|
Prog, "-r", "-G");
|
|
|
|
usage (E_USAGE);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (rflg && aflg) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: %s and %s are mutually exclusive flags\n"),
|
|
|
|
Prog, "-r", "-a");
|
|
|
|
usage (E_USAGE);
|
|
|
|
}
|
|
|
|
|
2011-07-14 18:59:10 +05:30
|
|
|
if ((Lflg && (pflg || Uflg)) || (pflg && Uflg)) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: the -L, -p, and -U flags are exclusive\n"),
|
|
|
|
Prog);
|
|
|
|
usage (E_USAGE);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (oflg && !uflg) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: %s flag is only allowed with the %s flag\n"),
|
|
|
|
Prog, "-o", "-u");
|
|
|
|
usage (E_USAGE);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (mflg && !dflg) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: %s flag is only allowed with the %s flag\n"),
|
|
|
|
Prog, "-m", "-d");
|
|
|
|
usage (E_USAGE);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2008-01-24 03:20:27 +05:30
|
|
|
|
|
|
|
if (user_newid == user_id) {
|
2008-06-10 01:47:48 +05:30
|
|
|
uflg = false;
|
|
|
|
oflg = false;
|
2008-01-24 03:20:27 +05:30
|
|
|
}
|
|
|
|
if (user_newgid == user_gid) {
|
2008-06-10 01:47:48 +05:30
|
|
|
gflg = false;
|
2008-01-24 03:20:27 +05:30
|
|
|
}
|
2010-08-30 00:32:41 +05:30
|
|
|
if ( (NULL != user_newshell)
|
|
|
|
&& (strcmp (user_newshell, user_shell) == 0)) {
|
2008-06-10 01:47:48 +05:30
|
|
|
sflg = false;
|
2008-01-24 03:20:27 +05:30
|
|
|
}
|
|
|
|
if (strcmp (user_newname, user_name) == 0) {
|
2008-06-10 01:47:48 +05:30
|
|
|
lflg = false;
|
2008-01-24 03:20:27 +05:30
|
|
|
}
|
|
|
|
if (user_newinactive == user_inactive) {
|
2008-06-10 01:47:48 +05:30
|
|
|
fflg = false;
|
2008-01-24 03:20:27 +05:30
|
|
|
}
|
|
|
|
if (user_newexpire == user_expire) {
|
2008-06-10 01:47:48 +05:30
|
|
|
eflg = false;
|
2008-01-24 03:20:27 +05:30
|
|
|
}
|
2010-08-30 00:32:41 +05:30
|
|
|
if ( (NULL != user_newhome)
|
|
|
|
&& (strcmp (user_newhome, user_home) == 0)) {
|
2008-06-10 01:47:48 +05:30
|
|
|
dflg = false;
|
|
|
|
mflg = false;
|
2008-01-24 03:20:27 +05:30
|
|
|
}
|
2010-08-30 00:32:41 +05:30
|
|
|
if ( (NULL != user_newcomment)
|
|
|
|
&& (strcmp (user_newcomment, user_comment) == 0)) {
|
2008-06-10 01:47:48 +05:30
|
|
|
cflg = false;
|
2008-01-24 03:20:27 +05:30
|
|
|
}
|
|
|
|
|
2011-07-14 18:59:16 +05:30
|
|
|
if (!(Uflg || uflg || sflg || pflg || mflg || Lflg ||
|
2009-04-11 21:04:10 +05:30
|
|
|
lflg || Gflg || gflg || fflg || eflg || dflg || cflg
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 18:24:22 +05:30
|
|
|
#ifdef ENABLE_SUBIDS
|
2013-01-22 14:48:24 +05:30
|
|
|
|| vflg || Vflg || wflg || Wflg
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 18:24:22 +05:30
|
|
|
#endif /* ENABLE_SUBIDS */
|
2009-04-11 21:04:10 +05:30
|
|
|
#ifdef WITH_SELINUX
|
|
|
|
|| Zflg
|
* NEWS, src/userdel.c, man/userdel.8.xml: Add option -Z/--selinux-user.
* libmisc/system.c, lib/prototypes.h, libmisc/Makefile.am: Removed
safe_system().
* lib/selinux.c, po/POTFILES.in, lib/prototypes.h,
lib/Makefile.am: Added helper functions for semanage.
* README, src/useradd.c, src/usermod.c, src/userdel.c,
configure.in: Use libsemanage instead of semanage.
2011-11-18 03:21:07 +05:30
|
|
|
#endif /* WITH_SELINUX */
|
2009-04-11 21:04:10 +05:30
|
|
|
)) {
|
2019-04-22 03:58:12 +05:30
|
|
|
fprintf (stdout, _("%s: no changes\n"), Prog);
|
2008-01-24 03:20:27 +05:30
|
|
|
exit (E_SUCCESS);
|
|
|
|
}
|
|
|
|
|
2007-10-07 17:14:02 +05:30
|
|
|
if (!is_shadow_pwd && (eflg || fflg)) {
|
2007-10-07 17:14:59 +05:30
|
|
|
fprintf (stderr,
|
2009-04-11 04:03:43 +05:30
|
|
|
_("%s: shadow passwords required for -e and -f\n"),
|
|
|
|
Prog);
|
2007-10-07 17:14:59 +05:30
|
|
|
exit (E_USAGE);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
|
* lib/prototypes.h, configure.in, libmisc/Makefile.am,
libmisc/xgetXXbyYY.c, libmisc/xgetpwnam.c, libmisc/xgetpwuid.c,
libmisc/xgetgrnam.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c:
Added functions xgetpwnam(), xgetpwuid(), xgetgrnam(),
xgetgrgid(), and xgetspnam(). They allocate memory for the
returned structure and are more robust to successive calls. They
are implemented with the libc's getxxyyy_r() functions if
available.
* libmisc/limits.c, libmisc/entry.c, libmisc/chowntty.c,
libmisc/addgrps.c, libmisc/myname.c, libmisc/rlogin.c,
libmisc/pwdcheck.c, src/newgrp.c, src/login_nopam.c,
src/userdel.c, src/lastlog.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/chfn.c, src/groupmems.c,
src/usermod.c, src/expiry.c, src/groupdel.c, src/chgpasswd.c,
src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/suauth.c,
src/faillog.c, src/groups.c, src/chsh.c, src/id.c: Review all the
usage of one of the getpwnam(), getpwuid(), getgrnam(),
getgrgid(), and getspnam() functions. It was noticed on
http://bugs.debian.org/341230 that chfn and chsh use a passwd
structure after calling a pam function, which results in using
information from the passwd structure requested by pam, not the
original one. It is much easier to use the new xget... functions
to avoid these issues. I've checked which call to the original
get... functions could be left (reducing the scope of the
structure if possible), and I've left comments to ease future
reviews (e.g. /* local, no need for xgetpwnam */).
Note: the getpwent/getgrent calls should probably be checked also.
* src/groupdel.c, src/expiry.c: Fix typos in comments.
* src/groupmod.c: Re-indent.
* libmisc/Makefile.am, lib/groupmem.c, lib/groupio.c, lib/pwmem.c,
lib/pwio.c, lib/shadowmem.c, lib/shadowio.c: Move the __<xx>_dup
functions (used by the xget... functions) from the <xx>io.c files
to the new <xx>mem.c files. This avoids linking some utils against
the SELinux library.
2007-11-19 04:45:26 +05:30
|
|
|
/* local, no need for xgetpwnam */
|
2016-05-15 19:19:39 +05:30
|
|
|
if (lflg && (prefix_getpwnam (user_newname) != NULL)) {
|
2009-04-11 04:03:43 +05:30
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: user '%s' already exists\n"),
|
|
|
|
Prog, user_newname);
|
2007-10-07 17:14:59 +05:30
|
|
|
exit (E_NAME_IN_USE);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
|
* lib/prototypes.h, configure.in, libmisc/Makefile.am,
libmisc/xgetXXbyYY.c, libmisc/xgetpwnam.c, libmisc/xgetpwuid.c,
libmisc/xgetgrnam.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c:
Added functions xgetpwnam(), xgetpwuid(), xgetgrnam(),
xgetgrgid(), and xgetspnam(). They allocate memory for the
returned structure and are more robust to successive calls. They
are implemented with the libc's getxxyyy_r() functions if
available.
* libmisc/limits.c, libmisc/entry.c, libmisc/chowntty.c,
libmisc/addgrps.c, libmisc/myname.c, libmisc/rlogin.c,
libmisc/pwdcheck.c, src/newgrp.c, src/login_nopam.c,
src/userdel.c, src/lastlog.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/chfn.c, src/groupmems.c,
src/usermod.c, src/expiry.c, src/groupdel.c, src/chgpasswd.c,
src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/suauth.c,
src/faillog.c, src/groups.c, src/chsh.c, src/id.c: Review all the
usage of one of the getpwnam(), getpwuid(), getgrnam(),
getgrgid(), and getspnam() functions. It was noticed on
http://bugs.debian.org/341230 that chfn and chsh use a passwd
structure after calling a pam function, which results in using
information from the passwd structure requested by pam, not the
original one. It is much easier to use the new xget... functions
to avoid these issues. I've checked which call to the original
get... functions could be left (reducing the scope of the
structure if possible), and I've left comments to ease future
reviews (e.g. /* local, no need for xgetpwnam */).
Note: the getpwent/getgrent calls should probably be checked also.
* src/groupdel.c, src/expiry.c: Fix typos in comments.
* src/groupmod.c: Re-indent.
* libmisc/Makefile.am, lib/groupmem.c, lib/groupio.c, lib/pwmem.c,
lib/pwio.c, lib/shadowmem.c, lib/shadowio.c: Move the __<xx>_dup
functions (used by the xget... functions) from the <xx>io.c files
to the new <xx>mem.c files. This avoids linking some utils against
the SELinux library.
2007-11-19 04:45:26 +05:30
|
|
|
/* local, no need for xgetpwuid */
|
2016-05-15 19:19:39 +05:30
|
|
|
if (uflg && !oflg && (prefix_getpwuid (user_newid) != NULL)) {
|
2009-04-11 04:03:43 +05:30
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: UID '%lu' already exists\n"),
|
|
|
|
Prog, (unsigned long) user_newid);
|
2007-10-07 17:14:59 +05:30
|
|
|
exit (E_UID_IN_USE);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2013-01-22 14:48:24 +05:30
|
|
|
|
2014-08-23 14:16:38 +05:30
|
|
|
#ifdef ENABLE_SUBIDS
|
2013-08-15 20:39:38 +05:30
|
|
|
if ( (vflg || Vflg)
|
|
|
|
&& !is_sub_uid) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: %s does not exist, you cannot use the flags %s or %s\n"),
|
|
|
|
Prog, sub_uid_dbname (), "-v", "-V");
|
|
|
|
exit (E_USAGE);
|
|
|
|
}
|
|
|
|
|
|
|
|
if ( (wflg || Wflg)
|
|
|
|
&& !is_sub_gid) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: %s does not exist, you cannot use the flags %s or %s\n"),
|
|
|
|
Prog, sub_gid_dbname (), "-w", "-W");
|
|
|
|
exit (E_USAGE);
|
|
|
|
}
|
2014-08-23 14:16:38 +05:30
|
|
|
#endif /* ENABLE_SUBIDS */
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* close_files - close all of the files that were opened
|
|
|
|
*
|
2007-10-07 17:14:59 +05:30
|
|
|
* close_files() closes all of the files that were opened for this new
|
|
|
|
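* user. This causes any modified entries to be written out. A failed
* close is fatal (fail_exit); a failed unlock is reported to stderr and
* syslog and execution continues.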
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
static void close_files (void)
|
2007-10-07 17:14:02 +05:30
|
|
|
{
|
2008-06-10 01:47:48 +05:30
|
|
|
if (pw_close () == 0) {
|
* lib/groupio.c, lib/groupio.h, lib/pwio.c, lib/pwio.h,
lib/sgroupio.c, lib/sgroupio.h, lib/shadowio.c, lib/shadowio.h:
Added *_dbname() functions to retrieve the name of the databases.
* lib/groupio.c, lib/groupio.h, lib/pwio.c, lib/pwio.h,
lib/sgroupio.c, lib/sgroupio.h, lib/shadowio.c, lib/shadowio.h:
*_name() functions renamed *setname().
* src/grpck.c, src/pwck.c: Likewise.
* lib/groupio.h, lib/pwio.h, lib/sgroupio.h, lib/shadowio.h: Added
the name of the arguments to the prototypes.
* src/chage, src/chfn.c, src/chgpasswd.c, src/chpasswd.c,
src/chsh.c, src/gpasswd.c, src/groupadd.c, src/groupdel.c,
src/groupmod.c, src/grpck.c, src/grpconv.c, src/grpunconv.c,
src/newusers.c, src/passwd.c, src/pwck.c, src/pwconv.c,
src/pwunconv.c, src/useradd.c, src/userdel.c, src/usermod.c:
Harmonize the error & syslog messages in case of failure of the
*_lock(), *_open(), *_close(), *_unlock(), *_remove() functions.
* src/chgpasswd.c, src/chpasswd.c, src/usermod.c: Avoid
capitalized messages.
* src/chpasswd.c, src/useradd.c, src/usermod.c: Harmonize messages
in case of inexistent entries.
* src/usermod.c: Harmonize messages in case of already existing
entries.
* src/newusers.c, src/useradd.c: Simplify PAM error handling.
* src/useradd.c: Report failures to unlock files (stderr, syslog,
and audit). But do not fail (continue).
* src/useradd.c (open_files): Do not report to syslog & audit
failures to lock or open the databases. This might be harmless,
and the logs were not already informed that a change was
requested.
* src/usermod.c: It's not the account which is unlocked, but its
password.
2008-08-06 21:27:31 +05:30
|
|
|
fprintf (stderr,
|
2008-08-22 08:04:04 +05:30
|
|
|
_("%s: failure while writing changes to %s\n"),
|
|
|
|
Prog, pw_dbname ());
|
|
|
|
SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname ()));
|
2007-10-07 17:14:59 +05:30
|
|
|
fail_exit (E_PW_UPDATE);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2008-06-10 01:47:48 +05:30
|
|
|
if (is_shadow_pwd && (spw_close () == 0)) {
|
2007-10-07 17:14:59 +05:30
|
|
|
fprintf (stderr,
|
2008-08-22 08:04:04 +05:30
|
|
|
_("%s: failure while writing changes to %s\n"),
|
|
|
|
Prog, spw_dbname ());
|
2009-04-11 04:03:43 +05:30
|
|
|
SYSLOG ((LOG_ERR,
|
|
|
|
"failure while writing changes to %s",
|
|
|
|
spw_dbname ()));
|
2007-10-07 17:14:59 +05:30
|
|
|
fail_exit (E_PW_UPDATE);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2007-11-17 17:12:47 +05:30
|
|
|
|
|
|
|
if (Gflg || lflg) {
|
2021-08-03 12:27:20 +05:30
|
|
|
if (gr_close () == 0) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: failure while writing changes to %s\n"),
|
|
|
|
Prog, gr_dbname ());
|
|
|
|
SYSLOG ((LOG_ERR,
|
|
|
|
"failure while writing changes to %s",
|
|
|
|
gr_dbname ()));
|
|
|
|
fail_exit (E_GRP_UPDATE);
|
|
|
|
}
|
|
|
|
#ifdef SHADOWGRP
|
|
|
|
if (is_shadow_grp) {
|
|
|
|
if (sgr_close () == 0) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: failure while writing changes to %s\n"),
|
|
|
|
Prog, sgr_dbname ());
|
|
|
|
SYSLOG ((LOG_ERR,
|
|
|
|
"failure while writing changes to %s",
|
|
|
|
sgr_dbname ()));
|
|
|
|
fail_exit (E_GRP_UPDATE);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
#ifdef SHADOWGRP
|
|
|
|
if (is_shadow_grp) {
|
|
|
|
if (sgr_unlock () == 0) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: failed to unlock %s\n"),
|
|
|
|
Prog, sgr_dbname ());
|
|
|
|
SYSLOG ((LOG_ERR,
|
|
|
|
"failed to unlock %s",
|
|
|
|
sgr_dbname ()));
|
|
|
|
/* continue */
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
if (gr_unlock () == 0) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: failed to unlock %s\n"),
|
|
|
|
Prog, gr_dbname ());
|
|
|
|
SYSLOG ((LOG_ERR,
|
|
|
|
"failed to unlock %s",
|
|
|
|
gr_dbname ()));
|
|
|
|
/* continue */
|
|
|
|
}
|
2007-11-17 17:12:47 +05:30
|
|
|
}
|
|
|
|
|
2008-06-10 01:47:48 +05:30
|
|
|
if (is_shadow_pwd) {
|
2008-08-07 13:33:38 +05:30
|
|
|
if (spw_unlock () == 0) {
|
2009-04-11 04:03:43 +05:30
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: failed to unlock %s\n"),
|
|
|
|
Prog, spw_dbname ());
|
|
|
|
SYSLOG ((LOG_ERR,
|
|
|
|
"failed to unlock %s",
|
|
|
|
spw_dbname ()));
|
2008-08-07 13:33:38 +05:30
|
|
|
/* continue */
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (pw_unlock () == 0) {
|
2009-04-11 04:03:43 +05:30
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: failed to unlock %s\n"),
|
|
|
|
Prog, pw_dbname ());
|
2008-08-07 13:33:38 +05:30
|
|
|
SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
|
|
|
|
/* continue */
|
2008-06-10 01:47:48 +05:30
|
|
|
}
|
2007-11-17 17:12:47 +05:30
|
|
|
|
2008-06-10 01:47:48 +05:30
|
|
|
pw_locked = false;
|
|
|
|
spw_locked = false;
|
|
|
|
gr_locked = false;
|
2008-01-26 23:11:20 +05:30
|
|
|
#ifdef SHADOWGRP
|
2008-06-10 01:47:48 +05:30
|
|
|
sgr_locked = false;
|
2008-01-26 23:11:20 +05:30
|
|
|
#endif
|
2007-10-07 17:14:02 +05:30
|
|
|
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 18:24:22 +05:30
|
|
|
#ifdef ENABLE_SUBIDS
|
2013-01-22 14:48:24 +05:30
|
|
|
if (vflg || Vflg) {
|
2013-08-15 20:39:38 +05:30
|
|
|
if (sub_uid_close () == 0) {
|
2013-01-22 14:48:24 +05:30
|
|
|
fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_uid_dbname ());
|
|
|
|
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_uid_dbname ()));
|
|
|
|
fail_exit (E_SUB_UID_UPDATE);
|
|
|
|
}
|
2013-08-15 20:39:38 +05:30
|
|
|
if (sub_uid_unlock () == 0) {
|
2013-01-22 14:48:24 +05:30
|
|
|
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
|
|
|
|
SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
|
|
|
|
/* continue */
|
|
|
|
}
|
|
|
|
sub_uid_locked = false;
|
|
|
|
}
|
|
|
|
if (wflg || Wflg) {
|
2013-08-15 20:39:38 +05:30
|
|
|
if (sub_gid_close () == 0) {
|
2013-01-22 14:48:24 +05:30
|
|
|
fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, sub_gid_dbname ());
|
|
|
|
SYSLOG ((LOG_ERR, "failure while writing changes to %s", sub_gid_dbname ()));
|
|
|
|
fail_exit (E_SUB_GID_UPDATE);
|
|
|
|
}
|
2013-08-15 20:39:38 +05:30
|
|
|
if (sub_gid_unlock () == 0) {
|
2013-01-22 14:48:24 +05:30
|
|
|
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
|
|
|
|
SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
|
|
|
|
/* continue */
|
|
|
|
}
|
|
|
|
sub_gid_locked = false;
|
|
|
|
}
|
Allow disabling of subordinate IDs.
* configure.in: Add configure options --enable-subordinate-ids /
--disable-subordinate-ids. Enabled by default.
* lib/prototypes.h: Include <config.h> before using its macros.
* lib/commonio.h, lib/commonio.c: Define commonio_append only when
ENABLE_SUBIDS is defined.
* lib/prototypes.h, libmisc/find_new_sub_gids.c,
libmisc/find_new_sub_uids.c: Likewise.
* lib/subordinateio.h, lib/subordinateio.c: Likewise.
* libmisc/user_busy.c: Only check if subordinate IDs are in use if
ENABLE_SUBIDS is defined.
* src/Makefile.am: Create newgidmap and newuidmap only if
ENABLE_SUBIDS is defined.
* src/newusers.c: Check for ENABLE_SUBIDS to enable support for
subordinate IDs.
* src/useradd.c: Likewise.
* src/userdel.c: Likewise.
* src/usermod.c: Likewise.
* man/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 only if ENABLE_SUBIDS is defined.
* man/fr/Makefile.am: Install man1/newgidmap.1, man1/newuidmap.1,
man5/subgid.5, and man5/subuid.5 (not translated yet).
* man/generate_mans.mak: Add xsltproc conditionals
subids/no_subids.
* man/login.defs.d/SUB_GID_COUNT.xml: Add dependency on subids
condition.
* man/login.defs.d/SUB_UID_COUNT.xml: Likewise.
* man/usermod.8.xml: Document options for subordinate IDs and
reference subgid(5) / subuid(5) depending on the subids condition.
2013-08-11 18:24:22 +05:30
|
|
|
#endif /* ENABLE_SUBIDS */
|
2013-01-22 14:48:24 +05:30
|
|
|
|
2007-10-07 17:14:02 +05:30
|
|
|
/*
|
|
|
|
* Close the DBM and/or flat files
|
|
|
|
*/
|
|
|
|
endpwent ();
|
|
|
|
endspent ();
|
|
|
|
endgrent ();
|
|
|
|
#ifdef SHADOWGRP
|
|
|
|
endsgent ();
|
|
|
|
#endif
|
|
|
|
}
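/*
 * open_files - lock and open the account databases
 *
 *	open_files() locks and opens the passwd database and, when
 *	is_shadow_pwd is set, the shadow database. With Gflg or lflg it
 *	also locks and opens the group database and, under SHADOWGRP with
 *	is_shadow_grp set, the shadow group database. Under ENABLE_SUBIDS
 *	it locks and opens the subordinate uid database for vflg/Vflg and
 *	the subordinate gid database for wflg/Wflg.
 *
 *	Every database is opened with O_CREAT | O_RDWR. A lock or open
 *	failure is reported on stderr and handed to fail_exit(); the
 *	function returns nothing.
 *
 *	Each *_locked flag is set only after the matching *_lock() call
 *	succeeded, so the flags describe the locks that are really held.
 */
static void open_files (void)
{
	if (pw_lock () == 0) {
		fprintf (stderr,
		         _("%s: cannot lock %s; try again later.\n"),
		         Prog, pw_dbname ());
		fail_exit (E_PW_UPDATE);
	}
	pw_locked = true;
	if (pw_open (O_CREAT | O_RDWR) == 0) {
		fprintf (stderr,
		         _("%s: cannot open %s\n"),
		         Prog, pw_dbname ());
		fail_exit (E_PW_UPDATE);
	}

	if (is_shadow_pwd) {
		if (spw_lock () == 0) {
			fprintf (stderr,
			         _("%s: cannot lock %s; try again later.\n"),
			         Prog, spw_dbname ());
			fail_exit (E_PW_UPDATE);
		}
		/*
		 * Record the shadow lock only when it was taken. Without
		 * is_shadow_pwd no lock is held, and a flag left at true
		 * would mislead any cleanup path that keys on spw_locked
		 * (presumably fail_exit() -- confirm against its body).
		 */
		spw_locked = true;
		if (spw_open (O_CREAT | O_RDWR) == 0) {
			fprintf (stderr,
			         _("%s: cannot open %s\n"),
			         Prog, spw_dbname ());
			fail_exit (E_PW_UPDATE);
		}
	}

	if (Gflg || lflg) {
		/*
		 * Lock and open the group file. This will load all of the
		 * group entries.
		 */
		if (gr_lock () == 0) {
			fprintf (stderr,
			         _("%s: cannot lock %s; try again later.\n"),
			         Prog, gr_dbname ());
			fail_exit (E_GRP_UPDATE);
		}
		gr_locked = true;
		if (gr_open (O_CREAT | O_RDWR) == 0) {
			fprintf (stderr,
			         _("%s: cannot open %s\n"),
			         Prog, gr_dbname ());
			fail_exit (E_GRP_UPDATE);
		}
#ifdef SHADOWGRP
		if (is_shadow_grp) {
			if (sgr_lock () == 0) {
				fprintf (stderr,
				         _("%s: cannot lock %s; try again later.\n"),
				         Prog, sgr_dbname ());
				fail_exit (E_GRP_UPDATE);
			}
			/* Same rule as spw_locked: set only with the lock held. */
			sgr_locked = true;
			if (sgr_open (O_CREAT | O_RDWR) == 0) {
				fprintf (stderr,
				         _("%s: cannot open %s\n"),
				         Prog, sgr_dbname ());
				fail_exit (E_GRP_UPDATE);
			}
		}
#endif
	}
#ifdef ENABLE_SUBIDS
	if (vflg || Vflg) {
		if (sub_uid_lock () == 0) {
			fprintf (stderr,
			         _("%s: cannot lock %s; try again later.\n"),
			         Prog, sub_uid_dbname ());
			fail_exit (E_SUB_UID_UPDATE);
		}
		sub_uid_locked = true;
		if (sub_uid_open (O_CREAT | O_RDWR) == 0) {
			fprintf (stderr,
			         _("%s: cannot open %s\n"),
			         Prog, sub_uid_dbname ());
			fail_exit (E_SUB_UID_UPDATE);
		}
	}
	if (wflg || Wflg) {
		if (sub_gid_lock () == 0) {
			fprintf (stderr,
			         _("%s: cannot lock %s; try again later.\n"),
			         Prog, sub_gid_dbname ());
			fail_exit (E_SUB_GID_UPDATE);
		}
		sub_gid_locked = true;
		if (sub_gid_open (O_CREAT | O_RDWR) == 0) {
			fprintf (stderr,
			         _("%s: cannot open %s\n"),
			         Prog, sub_gid_dbname ());
			fail_exit (E_SUB_GID_UPDATE);
		}
	}
#endif				/* ENABLE_SUBIDS */
}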
/*
 * usr_update - write the modified user entries
 *
 *	usr_update() looks up user_name in the passwd database (the entry
 *	must exist) and passes a copy of it through new_pwent(). When
 *	is_shadow_pwd is set it does the same for the shadow entry with
 *	new_spent(), or builds a fresh shadow entry in the cases listed
 *	below. The copies are then handed to pw_update() and spw_update()
 *	under the flag conditions shown; with lflg the entry named
 *	user_name is removed from each database as well.
 *
 *	Failures are reported on stderr and handed to fail_exit().
 */
static void usr_update (void)
{
	struct passwd pw_new;
	const struct passwd *pw_old;
	struct spwd sp_new;
	const struct spwd *sp_cur = NULL;

	/* The passwd entry is mandatory: locate it or give up. */
	pw_old = pw_locate (user_name);
	if (pw_old == NULL) {
		fprintf (stderr,
		         _("%s: user '%s' does not exist in %s\n"),
		         Prog, user_name, pw_dbname ());
		fail_exit (E_NOTFOUND);
	}
	pw_new = *pw_old;
	new_pwent (&pw_new);

	/* A shadow file that does not exist is never created here. */
	if (is_shadow_pwd) {
		sp_cur = spw_locate (user_name);
		if (sp_cur == NULL) {
			/*
			 * No shadow entry yet. One is forced into existence
			 * in two cases:
			 *  + a new password was requested and the passwd
			 *    field indicates a shadowed password
			 *  + aging information was requested
			 */
			if (   (   pflg
			        && (strcmp (pw_new.pw_passwd, SHADOW_PASSWD_STRING) == 0))
			    || eflg
			    || fflg) {
				long today;

				memset (&sp_new, 0, sizeof (sp_new));
				sp_new.sp_namp = user_name;

				/*
				 * A shadow feature was asked for explicitly:
				 * move the password field into the shadow
				 * entry and leave the marker in passwd.
				 *
				 * NOTE(review): pw_new is only written back
				 * by the pw_update() call below, whose flag
				 * list has no eflg/fflg. When this branch is
				 * entered for eflg/fflg alone, the passwd
				 * entry appears to keep its old password
				 * field while the shadow entry receives a
				 * copy -- confirm this is intended.
				 */
				sp_new.sp_pwdp = xstrdup (pw_new.pw_passwd);
				pw_new.pw_passwd = xstrdup (SHADOW_PASSWD_STRING);

				/*
				 * A last-change value of 0 would require a
				 * password change; disabling aging (-1) is
				 * preferred in that case.
				 */
				today = gettime () / SCALE;
				sp_new.sp_lstchg = (today == 0) ? -1 : today;

				sp_new.sp_min = getdef_num ("PASS_MIN_DAYS", -1);
				sp_new.sp_max = getdef_num ("PASS_MAX_DAYS", -1);
				sp_new.sp_warn = getdef_num ("PASS_WARN_AGE", -1);
				sp_new.sp_inact = -1;
				sp_new.sp_expire = -1;
				sp_new.sp_flag = SHADOW_SP_FLAG_UNSET;
				new_spent (&sp_new);

				/* Non-NULL marks the entry as one to commit. */
				sp_cur = &sp_new;
			}
		} else {
			/* An existing shadow entry is updated in place. */
			sp_new = *sp_cur;
			new_spent (&sp_new);
		}
	}

	if (   lflg || uflg || gflg || cflg || dflg || sflg || pflg
	    || Lflg || Uflg) {
		if (pw_update (&pw_new) == 0) {
			fprintf (stderr,
			         _("%s: failed to prepare the new %s entry '%s'\n"),
			         Prog, pw_dbname (), pw_new.pw_name);
			fail_exit (E_PW_UPDATE);
		}
		if (lflg && (pw_remove (user_name) == 0)) {
			fprintf (stderr,
			         _("%s: cannot remove entry '%s' from %s\n"),
			         Prog, user_name, pw_dbname ());
			fail_exit (E_PW_UPDATE);
		}
	}

	/* Nothing to commit on the shadow side: done. */
	if (   (sp_cur == NULL)
	    || !(lflg || eflg || fflg || pflg || Lflg || Uflg)) {
		return;
	}

	if (spw_update (&sp_new) == 0) {
		fprintf (stderr,
		         _("%s: failed to prepare the new %s entry '%s'\n"),
		         Prog, spw_dbname (), sp_new.sp_namp);
		fail_exit (E_PW_UPDATE);
	}
	if (lflg && (spw_remove (user_name) == 0)) {
		fprintf (stderr,
		         _("%s: cannot remove entry '%s' from %s\n"),
		         Prog, user_name, spw_dbname ());
		fail_exit (E_PW_UPDATE);
	}
}
/*
|
|
|
|
* move_home - move the user's home directory
|
|
|
|
*
|
2007-10-07 17:14:59 +05:30
|
|
|
* move_home() moves the user's home directory to a new location. The
|
|
|
|
* files will be copied if the directory cannot simply be renamed.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
static void move_home (void)
|
2007-10-07 17:14:02 +05:30
|
|
|
{
|
2007-10-07 17:14:59 +05:30
|
|
|
struct stat sb;
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2016-05-15 19:19:39 +05:30
|
|
|
if (access (prefix_user_newhome, F_OK) == 0) {
|
2007-10-07 17:14:02 +05:30
|
|
|
/*
|
2010-04-05 02:25:46 +05:30
|
|
|
* If the new home directory already exist, the user
|
|
|
|
* should not use -m.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
2011-07-14 18:59:05 +05:30
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: directory %s exists\n"),
|
|
|
|
Prog, user_newhome);
|
|
|
|
fail_exit (E_HOMEDIR);
|
|
|
|
}
|
2010-04-05 02:25:46 +05:30
|
|
|
|
2016-05-15 19:19:39 +05:30
|
|
|
if (stat (prefix_user_home, &sb) == 0) {
|
2010-04-05 02:25:46 +05:30
|
|
|
/*
|
|
|
|
* Don't try to move it if it is not a directory
|
|
|
|
* (but /dev/null for example). --marekm
|
|
|
|
*/
|
|
|
|
if (!S_ISDIR (sb.st_mode)) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: The previous home directory (%s) was "
|
|
|
|
"not a directory. It is not removed and no "
|
|
|
|
"home directories are created.\n"),
|
|
|
|
Prog, user_home);
|
|
|
|
fail_exit (E_HOMEDIR);
|
|
|
|
}
|
|
|
|
|
2016-11-15 20:33:40 +05:30
|
|
|
#ifdef WITH_AUDIT
|
|
|
|
if (uflg || gflg) {
|
|
|
|
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
|
|
|
|
"changing home directory owner",
|
2023-02-01 18:20:48 +05:30
|
|
|
user_newname, user_newid, 1);
|
2016-11-15 20:33:40 +05:30
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2016-05-15 19:19:39 +05:30
|
|
|
if (rename (prefix_user_home, prefix_user_newhome) == 0) {
|
2010-04-05 02:25:46 +05:30
|
|
|
/* FIXME: rename above may have broken symlinks
|
|
|
|
* pointing to the user's home directory
|
|
|
|
* with an absolute path. */
|
2016-05-15 19:19:39 +05:30
|
|
|
if (chown_tree (prefix_user_newhome,
|
2010-04-05 02:25:46 +05:30
|
|
|
user_id, uflg ? user_newid : (uid_t)-1,
|
|
|
|
user_gid, gflg ? user_newgid : (gid_t)-1) != 0) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: Failed to change ownership of the home directory"),
|
|
|
|
Prog);
|
|
|
|
fail_exit (E_HOMEDIR);
|
|
|
|
}
|
2011-08-15 15:26:43 +05:30
|
|
|
#ifdef WITH_AUDIT
|
|
|
|
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
|
|
|
|
"moving home directory",
|
2023-02-01 18:20:48 +05:30
|
|
|
user_newname, user_newid, 1);
|
2011-08-15 15:26:43 +05:30
|
|
|
#endif
|
2010-04-05 02:25:46 +05:30
|
|
|
return;
|
|
|
|
} else {
|
|
|
|
if (EXDEV == errno) {
|
2019-01-23 20:47:05 +05:30
|
|
|
#ifdef WITH_BTRFS
|
2019-01-21 14:02:36 +05:30
|
|
|
if (btrfs_is_subvolume (prefix_user_home) > 0) {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: error: cannot move subvolume from %s to %s - different device\n"),
|
|
|
|
Prog, prefix_user_home, prefix_user_newhome);
|
|
|
|
fail_exit (E_HOMEDIR);
|
|
|
|
}
|
2019-01-23 20:47:05 +05:30
|
|
|
#endif
|
2019-01-21 14:02:36 +05:30
|
|
|
|
2016-05-15 19:19:39 +05:30
|
|
|
if (copy_tree (prefix_user_home, prefix_user_newhome, true,
|
2010-08-21 23:01:45 +05:30
|
|
|
true,
|
2010-04-05 02:25:46 +05:30
|
|
|
user_id,
|
|
|
|
uflg ? user_newid : (uid_t)-1,
|
|
|
|
user_gid,
|
|
|
|
gflg ? user_newgid : (gid_t)-1) == 0) {
|
2016-05-15 19:19:39 +05:30
|
|
|
if (remove_tree (prefix_user_home, true) != 0) {
|
2007-10-07 17:16:25 +05:30
|
|
|
fprintf (stderr,
|
2009-04-11 04:03:43 +05:30
|
|
|
_("%s: warning: failed to completely remove old home directory %s"),
|
2016-05-15 19:19:39 +05:30
|
|
|
Prog, prefix_user_home);
|
2008-05-24 21:05:15 +05:30
|
|
|
}
|
2007-10-07 17:17:01 +05:30
|
|
|
#ifdef WITH_AUDIT
|
|
|
|
audit_logger (AUDIT_USER_CHAUTHTOK,
|
2008-06-14 02:10:04 +05:30
|
|
|
Prog,
|
|
|
|
"moving home directory",
|
|
|
|
user_newname,
|
2023-02-01 18:20:48 +05:30
|
|
|
user_newid,
|
2008-06-14 02:10:04 +05:30
|
|
|
1);
|
2007-10-07 17:17:01 +05:30
|
|
|
#endif
|
2007-10-07 17:14:02 +05:30
|
|
|
return;
|
2007-10-07 17:16:25 +05:30
|
|
|
}
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2016-05-15 19:19:39 +05:30
|
|
|
(void) remove_tree (prefix_user_newhome, true);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2007-10-07 17:14:59 +05:30
|
|
|
fprintf (stderr,
_("%s: cannot rename directory %s to %s\n"),
|
2016-05-15 19:19:39 +05:30
|
|
|
Prog, prefix_user_home, prefix_user_newhome);
|
2007-10-07 17:14:59 +05:30
|
|
|
fail_exit (E_HOMEDIR);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2022-10-05 18:50:43 +05:30
|
|
|
} else {
|
|
|
|
fprintf (stderr,
|
|
|
|
_("%s: The previous home directory (%s) does not "
|
|
|
|
"exist or is inaccessible. Move cannot be completed.\n"),
|
|
|
|
Prog, prefix_user_home);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
}
/*
 * update_lastlog - carry the user's lastlog record over to the new UID
 *
 * The lastlog file is addressed by UID: the record of a user sits at
 * offset uid * sizeof (struct lastlog). The record found at the old
 * UID's slot is written to the new UID's slot. The old slot is never
 * modified, in case the UID was shared.
 *
 * If no record can be read at the old slot but one can be read at the
 * new slot, the new slot is overwritten with zeroes, so the renumbered
 * user does not inherit a record that belonged to someone else.
 *
 * Failures are reported on stderr and are not fatal.
 *
 * NOTE(review): because the old slot is kept, an account that is later
 * given the old UID will find this record there.
 */
static void update_lastlog (void)
{
	struct lastlog entry;
	const off_t old_slot = (off_t) user_id * sizeof entry;
	const off_t new_slot = (off_t) user_newid * sizeof entry;
	uid_t uid_limit;
	int have_entry;
	int fd;

	/* Nothing to do when the system keeps no lastlog file. */
	if (access (LASTLOG_FILE, F_OK) != 0) {
		return;
	}

	/*
	 * The slot offset grows with the UID, so UIDs above
	 * LASTLOG_UID_MAX are left out of the file.
	 */
	uid_limit = getdef_ulong ("LASTLOG_UID_MAX", 0xFFFFFFFFUL);
	if (user_newid > uid_limit) {
		return;
	}

	fd = open (LASTLOG_FILE, O_RDWR);
	if (-1 == fd) {
		fprintf (stderr,
		         _("%s: failed to copy the lastlog entry of user %lu to user %lu: %s\n"),
		         Prog, (unsigned long) user_id, (unsigned long) user_newid, strerror (errno));
		return;
	}

	/* First choice: the record stored for the old UID. */
	have_entry =    (lseek (fd, old_slot, SEEK_SET) == old_slot)
	             && (read (fd, &entry, sizeof entry) == (ssize_t) sizeof entry);

	if (!have_entry) {
		/*
		 * A failed seek or short read is taken to mean that the
		 * old UID has no record. If the new UID already owns a
		 * record, it gets replaced by an all-zero one.
		 */
		have_entry =    (lseek (fd, new_slot, SEEK_SET) == new_slot)
		             && (read (fd, &entry, sizeof entry) == (ssize_t) sizeof entry);
		if (have_entry) {
			memzero (&entry, sizeof (entry));
		}
	}

	/* Store the copied (or zeroed) record at the new UID's slot. */
	if (   have_entry
	    && (   (lseek (fd, new_slot, SEEK_SET) != new_slot)
	        || (write (fd, &entry, sizeof entry) != (ssize_t) sizeof entry)
	        || (fsync (fd) != 0))) {
		fprintf (stderr,
		         _("%s: failed to copy the lastlog entry of user %lu to user %lu: %s\n"),
		         Prog, (unsigned long) user_id, (unsigned long) user_newid, strerror (errno));
	}

	(void) close (fd);
}
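/*
 * update_faillog - carry the user's faillog record over to the new UID
 *
 * The record is looked up at offset uid * sizeof (struct faillog). The
 * record found at the old UID's slot is written to the new UID's slot.
 * The old slot is never modified, in case the UID was shared.
 *
 * If no record can be read at the old slot but one can be read at the
 * new slot, the new slot is overwritten with zeroes, so the renumbered
 * user does not inherit failure counters that belonged to someone else.
 *
 * Both write paths are followed by fsync(). The original code synced
 * only the copy path; the reset path now matches it and update_lastlog,
 * so a failure to get the zeroed record to disk is reported too.
 *
 * Failures are reported on stderr and are not fatal.
 *
 * NOTE(review): because the old slot is kept, an account that is later
 * given the old UID will find this record there.
 */
static void update_faillog (void)
{
	struct faillog fl;
	int fd;
	int have_entry;
	off_t off_uid = (off_t) user_id * sizeof fl;
	off_t off_newuid = (off_t) user_newid * sizeof fl;

	/* Nothing to do when the system keeps no faillog file. */
	if (access (FAILLOG_FILE, F_OK) != 0) {
		return;
	}

	fd = open (FAILLOG_FILE, O_RDWR);
	if (-1 == fd) {
		fprintf (stderr,
		         _("%s: failed to copy the faillog entry of user %lu to user %lu: %s\n"),
		         Prog, (unsigned long) user_id, (unsigned long) user_newid, strerror (errno));
		return;
	}

	/* First choice: the record stored for the old UID. */
	have_entry =    (lseek (fd, off_uid, SEEK_SET) == off_uid)
	             && (read (fd, &fl, sizeof fl) == (ssize_t) sizeof fl);

	if (!have_entry) {
		/*
		 * Assume lseek or read failed because there is no entry
		 * for the old UID. If the new UID already has an entry,
		 * reset it.
		 */
		have_entry =    (lseek (fd, off_newuid, SEEK_SET) == off_newuid)
		             && (read (fd, &fl, sizeof fl) == (ssize_t) sizeof fl);
		if (have_entry) {
			memzero (&fl, sizeof (fl));
		}
	}

	/* Store the copied (or zeroed) record at the new UID's slot. */
	if (   have_entry
	    && (   (lseek (fd, off_newuid, SEEK_SET) != off_newuid)
	        || (write (fd, &fl, sizeof fl) != (ssize_t) sizeof fl)
	        || (fsync (fd) != 0))) {
		fprintf (stderr,
		         _("%s: failed to copy the faillog entry of user %lu to user %lu: %s\n"),
		         Prog, (unsigned long) user_id, (unsigned long) user_newid, strerror (errno));
	}

	(void) close (fd);
}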
#ifndef NO_MOVE_MAILBOX
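/*
 * move_mailbox - chown and/or rename the user's mailbox
 *
 * This is the new and improved code to carefully chown/rename the user's
 * mailbox. Maybe I am too paranoid but the mail spool dir sometimes
 * happens to be mode 1777 (this makes mail user agents work without
 * being setgid mail, but is NOT recommended; they all should be fixed
 * to use movemail). --marekm
 *
 * The mailbox is <prefix>/<MAIL_DIR>/<user_name>. MAIL_DIR comes from
 * the configuration; MAIL_SPOOL_DIR is the fallback when neither
 * MAIL_DIR nor MAIL_FILE is set. Without a mail directory nothing is
 * done. A mailbox that is missing, or not owned by the old UID, is left
 * untouched. With uflg the owner is changed to the new UID; with lflg
 * the file is renamed after the new login name.
 *
 * Failures are reported on stderr and are not fatal.
 */
static void move_mailbox (void)
{
	const char *maildir;
	char* mailfile;
	char* newmailfile;
	int fd;
	struct stat st;
	size_t len;

	maildir = getdef_str ("MAIL_DIR");
#ifdef MAIL_SPOOL_DIR
	if ((NULL == maildir) && (getdef_str ("MAIL_FILE") == NULL)) {
		maildir = MAIL_SPOOL_DIR;
	}
#endif
	if (NULL == maildir) {
		return;
	}

	/*
	 * Longest form is "prefix/maildir/user_name": three strings, two
	 * separators and the terminating NUL, hence + 3. The previous
	 * + 2 made snprintf() drop the last character of the user name
	 * whenever a prefix was given, so the path named another file.
	 */
	len = strlen (prefix) + strlen (maildir) + strlen (user_name) + 3;
	mailfile = alloca (len);

	if (prefix[0]) {
		(void) snprintf (mailfile, len, "%s/%s/%s",
		                 prefix, maildir, user_name);
	}
	else {
		(void) snprintf (mailfile, len, "%s/%s",
		                 maildir, user_name);
	}
	mailfile[len-1] = '\0';

	/*
	 * O_NONBLOCK is to make sure open won't hang on mandatory locks.
	 * We do fstat/fchown to make sure there are no races (someone
	 * replacing /var/spool/mail/luser with a hard link to /etc/passwd
	 * between stat and chown). --marekm
	 *
	 * NOTE(review): open() is called without O_NOFOLLOW, so a
	 * symbolic link at this path is followed and the ownership check
	 * below applies to its target. Confirm whether symlinked
	 * mailboxes must keep working before tightening this.
	 */
	fd = open (mailfile, O_RDONLY | O_NONBLOCK, 0);
	if (fd < 0) {
		/* no need for warnings if the mailbox doesn't exist */
		if (errno != ENOENT) {
			perror (mailfile);
		}
		return;
	}
	if (fstat (fd, &st) < 0) {
		perror ("fstat");
		(void) close (fd);
		return;
	}
	if (st.st_uid != user_id) {
		/* better leave it alone */
		fprintf (stderr, _("%s: warning: %s not owned by %s\n"),
		         Prog, mailfile, user_name);
		(void) close (fd);
		return;
	}
	if (uflg) {
		/* Owner only; (gid_t) -1 leaves the group as it is. */
		if (fchown (fd, user_newid, (gid_t) -1) < 0) {
			perror (_("failed to change mailbox owner"));
		}
#ifdef WITH_AUDIT
		else {
			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
			              "changing mail file owner",
			              user_newname, user_newid, 1);
		}
#endif
	}

	(void) close (fd);

	if (lflg) {
		/* Same sizing rule as for mailfile above. */
		len = strlen (prefix) + strlen (maildir) + strlen (user_newname) + 3;
		newmailfile = alloca(len);
		if (prefix[0]) {
			(void) snprintf (newmailfile, len, "%s/%s/%s",
			                 prefix, maildir, user_newname);
		}
		else {
			(void) snprintf (newmailfile, len, "%s/%s",
			                 maildir, user_newname);
		}
		newmailfile[len - 1] = '\0';

		/*
		 * link() fails if the new name already exists, so an
		 * existing mailbox of that name is not overwritten.
		 *
		 * NOTE(review): the descriptor checked with fstat() is
		 * already closed here and link()/unlink() work on path
		 * names again, so the ownership check above does not
		 * cover what the path names at this point. This matters
		 * in the world-writable spool directory described in the
		 * header comment.
		 */
		if (   (link (mailfile, newmailfile) != 0)
		    || (unlink (mailfile) != 0)) {
			perror (_("failed to rename mailbox"));
		}
#ifdef WITH_AUDIT
		else {
			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
			              "changing mail file name",
			              user_newname, user_newid, 1);
		}
#endif
	}
}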
#endif
/*
|
|
|
|
* main - usermod command
|
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
int main (int argc, char **argv)
|
2007-10-07 17:14:02 +05:30
|
|
|
{
#ifdef ACCT_TOOLS_SETUID
|
2007-10-07 17:14:38 +05:30
|
|
|
#ifdef USE_PAM
|
|
|
|
pam_handle_t *pamh = NULL;
|
|
|
|
int retval;
#endif /* USE_PAM */
|
|
|
|
#endif /* ACCT_TOOLS_SETUID */
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
/*
|
|
|
|
* Get my name so that I can use it to report errors.
|
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
Prog = Basename (argv[0]);
|
2021-11-29 05:07:53 +05:30
|
|
|
log_set_progname(Prog);
|
|
|
|
log_set_logfd(stderr);
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2008-06-10 01:47:48 +05:30
|
|
|
(void) setlocale (LC_ALL, "");
|
|
|
|
(void) bindtextdomain (PACKAGE, LOCALEDIR);
|
|
|
|
(void) textdomain (PACKAGE);
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2011-11-07 00:07:39 +05:30
|
|
|
process_root_flag ("-R", argc, argv);
|
2016-05-15 19:19:39 +05:30
|
|
|
prefix = process_prefix_flag ("-P", argc, argv);
|
2011-11-07 00:07:39 +05:30
|
|
|
|
|
|
|
OPENLOG ("usermod");
|
|
|
|
#ifdef WITH_AUDIT
|
|
|
|
audit_help_open ();
|
|
|
|
#endif
|
|
|
|
|
2007-10-07 17:15:40 +05:30
|
|
|
sys_ngroups = sysconf (_SC_NGROUPS_MAX);
|
2008-06-14 02:10:04 +05:30
|
|
|
user_groups = (char **) malloc (sizeof (char *) * (1 + sys_ngroups));
|
2023-02-01 07:20:14 +05:30
|
|
|
user_groups[0] = NULL;
|
2007-10-07 17:15:40 +05:30
|
|
|
|
|
|
|
is_shadow_pwd = spw_file_present ();
|
|
|
|
#ifdef SHADOWGRP
|
|
|
|
is_shadow_grp = sgr_file_present ();
|
|
|
|
#endif
#ifdef ENABLE_SUBIDS
|
2013-01-22 14:48:24 +05:30
|
|
|
is_sub_uid = sub_uid_file_present ();
|
|
|
|
is_sub_gid = sub_gid_file_present ();
#endif /* ENABLE_SUBIDS */
|
2007-10-07 17:15:40 +05:30
|
|
|
|
|
|
|
process_flags (argc, argv);
|
|
|
|
|
2009-05-19 00:07:16 +05:30
|
|
|
/*
|
|
|
|
* The home directory, the username and the user's UID should not
|
|
|
|
* be changed while the user is logged in.
|
2016-05-15 19:19:39 +05:30
|
|
|
* Note: no need to check if a prefix is specified...
|
2009-05-19 00:07:16 +05:30
|
|
|
*/
|
2016-05-15 19:19:39 +05:30
|
|
|
if ( (prefix[0] == '\0') && (uflg || lflg || dflg
#ifdef ENABLE_SUBIDS
|
|
|
|
|| Vflg || Wflg
|
|
|
|
#endif /* ENABLE_SUBIDS */
|
|
|
|
)
|
2009-05-19 00:07:16 +05:30
|
|
|
&& (user_busy (user_name, user_id) != 0)) {
|
|
|
|
exit (E_USER_BUSY);
|
|
|
|
}
#ifdef ACCT_TOOLS_SETUID
|
2007-10-07 17:14:38 +05:30
|
|
|
#ifdef USE_PAM
{
|
|
|
|
struct passwd *pampw;
|
|
|
|
pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
|
|
|
|
if (pampw == NULL) {
fprintf (stderr,
|
|
|
|
_("%s: Cannot determine your user name.\n"),
|
|
|
|
Prog);
|
|
|
|
exit (1);
}
retval = pam_start ("usermod", pampw->pw_name, &conv, &pamh);
|
2007-10-07 17:14:38 +05:30
|
|
|
}
|
|
|
|
|
2008-06-10 01:47:48 +05:30
|
|
|
if (PAM_SUCCESS == retval) {
|
2007-10-07 17:14:59 +05:30
|
|
|
retval = pam_authenticate (pamh, 0);
|
2007-10-07 17:14:38 +05:30
|
|
|
}
|
|
|
|
|
2008-06-10 01:47:48 +05:30
|
|
|
if (PAM_SUCCESS == retval) {
|
2007-10-07 17:14:59 +05:30
|
|
|
retval = pam_acct_mgmt (pamh, 0);
|
2007-10-07 17:14:38 +05:30
|
|
|
}
if (PAM_SUCCESS != retval) {
fprintf (stderr, _("%s: PAM: %s\n"),
|
|
|
|
Prog, pam_strerror (pamh, retval));
|
|
|
|
SYSLOG((LOG_ERR, "%s", pam_strerror (pamh, retval)));
|
|
|
|
if (NULL != pamh) {
|
|
|
|
(void) pam_end (pamh, retval);
|
|
|
|
}
|
2007-10-07 17:14:38 +05:30
|
|
|
exit (1);
|
|
|
|
}
(void) pam_end (pamh, retval);
|
2007-10-07 17:15:40 +05:30
|
|
|
#endif /* USE_PAM */
|
* configure.in: Added option --enable-account-tools-setuid to
enable/disable the usage of PAM to authenticate the callers of
account management tools: chage, chgpasswd, chpasswd, groupadd,
groupdel, groupmod, useradd, userdel, usermod.
* src/Makefile.am: Do not link the above tools with libpam if
account-tools-setuid is disabled.
* src/userdel.c, src/newusers.c, src/chpasswd.c, src/usermod.c,
src/groupdel.c, src/chgpasswd.c, src/useradd.c, src/groupmod.c,
src/groupadd.c, src/chage.c: Implement ACCT_TOOLS_SETUID
(--enable-account-tools-setuid).
* etc/pam.d/Makefile.am: Install the pam service file for the
above tools only when needed.
* src/useradd.c, src/userdel.c, src/usermod.c: It is no longer
necessary to initialize retval to PAM_SUCCESS.
2008-09-07 03:05:37 +05:30
|
|
|
#endif /* ACCT_TOOLS_SETUID */
|
2007-10-07 17:14:02 +05:30
2010-01-30 Paweł Hajdan, Jr. <phajdan.jr@gentoo.org>
* NEWS: Add support for TCB.
* lib/tcbfuncs.h, lib/tcbfuncs.c, lib/Makefile.am: New library to
support TCB.
* lib/prototypes, libmisc/copydir.c (remove_tree): Add boolean
parameter remove_root.
* configure.in: Add conditional WITH_TCB.
* src/userdel.c, src/usermod.c: Add support for TCB. Update call to
remove_tree().
* src/pwconv.c, src/pwunconv.c: Should not be used with TCB enabled.
* src/vipw.c: Add support for TCB. Update call to remove_tree().
* src/useradd.c: Add support for TCB. Open the shadow file outside
of open_files().
* src/chage.c: Add support for TCB.
* src/Makefile.am: Install passwd sgid shadow when TCB is enabled.
* lib/getdefs.c, man/vipw.8.xml, man/login.defs.5.xml,
man/login.defs/TCB_AUTH_GROUP.xml, man/login.defs/USE_TCB.xml,
man/login.defs/TCB_SYMLINKS.xml, man/generate_mans.mak,
man/generate_mans.deps, man/Makefile.am: New configuration
parameters: TCB_AUTH_GROUP, TCB_SYMLINKS, USE_TCB.
* lib/shadowio.c, lib/commonio.c: Add support for TCB.
2010-03-04 23:41:13 +05:30
|
|
|
#ifdef WITH_TCB
|
2010-03-18 14:51:27 +05:30
|
|
|
if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) {
|
2010-03-12 03:33:11 +05:30
|
|
|
exit (E_PW_UPDATE);
|
2010-03-18 14:51:27 +05:30
|
|
|
}
|
2010-01-30 Paweł Hajdan, Jr. <phajdan.jr@gentoo.org>
* NEWS: Add support for TCB.
* lib/tcbfuncs.h, lib/tcbfuncs.c, lib/Makefile.am: New library to
support TCB.
* lib/prototypes, libmisc/copydir.c (remove_tree): Add boolean
parameter remove_root.
* configure.in: Add conditional WITH_TCB.
* src/userdel.c, src/usermod.c: Add support for TCB. Update call to
remove_tree().
* src/pwconv.c, src/pwunconv.c: Should not be used with TCB enabled.
* src/vipw.c: Add support for TCB. Update call to remove_tree().
* src/useradd.c: Add support for TCB. Open the shadow file outside
of open_files().
* src/chage.c: Add support for TCB.
* src/Makefile.am: Install passwd sgid shadow when TCB is enabled.
* lib/getdefs.c, man/vipw.8.xml, man/login.defs.5.xml,
man/login.defs/TCB_AUTH_GROUP.xml, man/login.defs/USE_TCB.xml,
man/login.defs/TCB_SYMLINKS.xml, man/generate_mans.mak,
man/generate_mans.deps, man/Makefile.am: New configuration
parameters: TCB_AUTH_GROUP, TCB_SYMLINKS, USE_TCB.
* lib/shadowio.c, lib/commonio.c: Add support for TCB.
2010-03-04 23:41:13 +05:30
|
|
|
#endif
2007-10-07 17:14:02 +05:30
|
|
|
/*
* Do the hard stuff - open the files, change the user entries,
* change the home directory, then close and update the files.
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
open_files ();
|
2008-07-12 03:20:05 +05:30
|
|
|
if ( cflg || dflg || eflg || fflg || gflg || Lflg || lflg || pflg
|
2015-07-20 22:44:26 +05:30
|
|
|
|| sflg || uflg || Uflg) {
|
2008-07-12 03:20:05 +05:30
|
|
|
usr_update ();
}
|
2008-06-10 01:47:48 +05:30
|
|
|
if (Gflg || lflg) {
|
2007-11-17 17:12:47 +05:30
|
|
|
grp_update ();
|
2008-06-10 01:47:48 +05:30
|
|
|
}
|
2015-07-20 22:44:26 +05:30
|
|
|
#ifdef ENABLE_SUBIDS
if (Vflg) {
struct ulong_range_list_entry *ptr;
for (ptr = del_sub_uids; ptr != NULL; ptr = ptr->next) {
unsigned long count = ptr->range.last - ptr->range.first + 1;
if (sub_uid_remove(user_name, ptr->range.first, count) == 0) {
fprintf (stderr,
_("%s: failed to remove uid range %lu-%lu from '%s'\n"),
|
2021-08-18 23:36:02 +05:30
|
|
|
Prog, ptr->range.first, ptr->range.last,
|
2015-07-20 22:44:26 +05:30
|
|
|
sub_uid_dbname ());
fail_exit (E_SUB_UID_UPDATE);
}
}
}
if (vflg) {
struct ulong_range_list_entry *ptr;
for (ptr = add_sub_uids; ptr != NULL; ptr = ptr->next) {
unsigned long count = ptr->range.last - ptr->range.first + 1;
if (sub_uid_add(user_name, ptr->range.first, count) == 0) {
fprintf (stderr,
|
2016-12-22 00:10:03 +05:30
|
|
|
_("%s: failed to add uid range %lu-%lu to '%s'\n"),
|
2021-08-18 23:36:02 +05:30
|
|
|
Prog, ptr->range.first, ptr->range.last,
|
2015-07-20 22:44:26 +05:30
|
|
|
sub_uid_dbname ());
fail_exit (E_SUB_UID_UPDATE);
}
}
}
if (Wflg) {
struct ulong_range_list_entry *ptr;
for (ptr = del_sub_gids; ptr != NULL; ptr = ptr->next) {
unsigned long count = ptr->range.last - ptr->range.first + 1;
if (sub_gid_remove(user_name, ptr->range.first, count) == 0) {
fprintf (stderr,
_("%s: failed to remove gid range %lu-%lu from '%s'\n"),
|
2021-08-18 23:36:02 +05:30
|
|
|
Prog, ptr->range.first, ptr->range.last,
|
2015-07-20 22:44:26 +05:30
|
|
|
sub_gid_dbname ());
fail_exit (E_SUB_GID_UPDATE);
}
}
}
if (wflg) {
struct ulong_range_list_entry *ptr;
for (ptr = add_sub_gids; ptr != NULL; ptr = ptr->next) {
unsigned long count = ptr->range.last - ptr->range.first + 1;
if (sub_gid_add(user_name, ptr->range.first, count) == 0) {
fprintf (stderr,
|
2016-12-22 00:10:03 +05:30
|
|
|
_("%s: failed to add gid range %lu-%lu to '%s'\n"),
|
2021-08-18 23:36:02 +05:30
|
|
|
Prog, ptr->range.first, ptr->range.last,
|
2015-07-20 22:44:26 +05:30
|
|
|
sub_gid_dbname ());
fail_exit (E_SUB_GID_UPDATE);
}
}
}
#endif /* ENABLE_SUBIDS */
|
2007-11-17 17:12:47 +05:30
|
|
|
close_files ();
|
2007-10-07 17:14:02 +05:30
2010-01-30 Paweł Hajdan, Jr. <phajdan.jr@gentoo.org>
* NEWS: Add support for TCB.
* lib/tcbfuncs.h, lib/tcbfuncs.c, lib/Makefile.am: New library to
support TCB.
* lib/prototypes, libmisc/copydir.c (remove_tree): Add boolean
parameter remove_root.
* configure.in: Add conditional WITH_TCB.
* src/userdel.c, src/usermod.c: Add support for TCB. Update call to
remove_tree().
* src/pwconv.c, src/pwunconv.c: Should not be used with TCB enabled.
* src/vipw.c: Add support for TCB. Update call to remove_tree().
* src/useradd.c: Add support for TCB. Open the shadow file outside
of open_files().
* src/chage.c: Add support for TCB.
* src/Makefile.am: Install passwd sgid shadow when TCB is enabled.
* lib/getdefs.c, man/vipw.8.xml, man/login.defs.5.xml,
man/login.defs/TCB_AUTH_GROUP.xml, man/login.defs/USE_TCB.xml,
man/login.defs/TCB_SYMLINKS.xml, man/generate_mans.mak,
man/generate_mans.deps, man/Makefile.am: New configuration
parameters: TCB_AUTH_GROUP, TCB_SYMLINKS, USE_TCB.
* lib/shadowio.c, lib/commonio.c: Add support for TCB.
2010-03-04 23:41:13 +05:30
|
|
|
#ifdef WITH_TCB
|
2010-03-17 00:44:37 +05:30
|
|
|
if ( (lflg || uflg)
|
2010-03-18 14:51:27 +05:30
|
|
|
&& (shadowtcb_move (user_newname, user_newid) == SHADOWTCB_FAILURE) ) {
|
2010-03-12 03:33:11 +05:30
|
|
|
exit (E_PW_UPDATE);
|
2010-01-30 Paweł Hajdan, Jr. <phajdan.jr@gentoo.org>
* NEWS: Add support for TCB.
* lib/tcbfuncs.h, lib/tcbfuncs.c, lib/Makefile.am: New library to
support TCB.
* lib/prototypes, libmisc/copydir.c (remove_tree): Add boolean
parameter remove_root.
* configure.in: Add conditional WITH_TCB.
* src/userdel.c, src/usermod.c: Add support for TCB. Update call to
remove_tree().
* src/pwconv.c, src/pwunconv.c: Should not be used with TCB enabled.
* src/vipw.c: Add support for TCB. Update call to remove_tree().
* src/useradd.c: Add support for TCB. Open the shadow file outside
of open_files().
* src/chage.c: Add support for TCB.
* src/Makefile.am: Install passwd sgid shadow when TCB is enabled.
* lib/getdefs.c, man/vipw.8.xml, man/login.defs.5.xml,
man/login.defs/TCB_AUTH_GROUP.xml, man/login.defs/USE_TCB.xml,
man/login.defs/TCB_SYMLINKS.xml, man/generate_mans.mak,
man/generate_mans.deps, man/Makefile.am: New configuration
parameters: TCB_AUTH_GROUP, TCB_SYMLINKS, USE_TCB.
* lib/shadowio.c, lib/commonio.c: Add support for TCB.
2010-03-04 23:41:13 +05:30
|
|
|
}
#endif
2007-11-17 04:59:41 +05:30
|
|
|
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
|
Flush sssd caches in addition to nscd caches
Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
passwd: sss files
group: sss files
The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk and opening the files on each NSS request.
Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.
More details about why Fedora chose to use sss before files can be found
on e.g.:
https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html
Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.
This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.
2018-09-12 17:52:11 +05:30
|
|
|
sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
|
2007-11-17 04:59:41 +05:30
2009-04-11 21:04:10 +05:30
|
|
|
#ifdef WITH_SELINUX
|
2011-11-22 03:32:15 +05:30
|
|
|
if (Zflg) {
if ('\0' != *user_selinux) {
if (set_seuser (user_name, user_selinux) != 0) {
fprintf (stderr,
_("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
Prog, user_name, user_selinux);
|
* NEWS, src/userdel.c, man/userdel.8.xml: Add option -Z/--selinux-user.
* libmisc/system.c, lib/prototypes.h, libmisc/Makefile.am: Removed
safe_system().
* lib/selinux.c, po/POTFILES.in, lib/prototypes.h,
lib/Makefile.am: Added helper functions for semanage.
* README, src/useradd.c, src/usermod.c, src/userdel.c,
configure.in: Use libsemanage instead of semanage.
2011-11-18 03:21:07 +05:30
|
|
|
#ifdef WITH_AUDIT
|
2011-11-22 03:32:15 +05:30
|
|
|
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"modifying User mapping ",
|
2023-02-01 18:20:48 +05:30
|
|
|
user_name, user_id,
|
2011-11-22 03:32:15 +05:30
|
|
|
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_SE_UPDATE);
}
} else {
if (del_seuser (user_name) != 0) {
fprintf (stderr,
_("%s: warning: the user name %s to SELinux user mapping removal failed.\n"),
Prog, user_name);
#ifdef WITH_AUDIT
audit_logger (AUDIT_ADD_USER, Prog,
"removing SELinux user mapping",
|
2023-02-01 18:20:48 +05:30
|
|
|
user_name, user_id,
|
2011-11-22 03:32:15 +05:30
|
|
|
SHADOW_AUDIT_FAILURE);
|
* NEWS, src/userdel.c, man/userdel.8.xml: Add option -Z/--selinux-user.
* libmisc/system.c, lib/prototypes.h, libmisc/Makefile.am: Removed
safe_system().
* lib/selinux.c, po/POTFILES.in, lib/prototypes.h,
lib/Makefile.am: Added helper functions for semanage.
* README, src/useradd.c, src/usermod.c, src/userdel.c,
configure.in: Use libsemanage instead of semanage.
2011-11-18 03:21:07 +05:30
|
|
|
#endif /* WITH_AUDIT */
|
2011-11-22 03:32:15 +05:30
|
|
|
fail_exit (E_SE_UPDATE);
}
|
* NEWS, src/userdel.c, man/userdel.8.xml: Add option -Z/--selinux-user.
* libmisc/system.c, lib/prototypes.h, libmisc/Makefile.am: Removed
safe_system().
* lib/selinux.c, po/POTFILES.in, lib/prototypes.h,
lib/Makefile.am: Added helper functions for semanage.
* README, src/useradd.c, src/usermod.c, src/userdel.c,
configure.in: Use libsemanage instead of semanage.
2011-11-18 03:21:07 +05:30
|
|
|
}
|
2009-04-11 22:17:32 +05:30
|
|
|
}
|
* NEWS, src/userdel.c, man/userdel.8.xml: Add option -Z/--selinux-user.
* libmisc/system.c, lib/prototypes.h, libmisc/Makefile.am: Removed
safe_system().
* lib/selinux.c, po/POTFILES.in, lib/prototypes.h,
lib/Makefile.am: Added helper functions for semanage.
* README, src/useradd.c, src/usermod.c, src/userdel.c,
configure.in: Use libsemanage instead of semanage.
2011-11-18 03:21:07 +05:30
|
|
|
#endif /* WITH_SELINUX */
|
2009-04-11 21:04:10 +05:30
2008-06-10 01:47:48 +05:30
|
|
|
if (mflg) {
|
2007-10-07 17:14:59 +05:30
|
|
|
move_home ();
|
2008-06-10 01:47:48 +05:30
|
|
|
}
|
2007-10-07 17:14:02 +05:30
#ifndef NO_MOVE_MAILBOX
|
2008-06-10 01:47:48 +05:30
|
|
|
if (lflg || uflg) {
|
2007-10-07 17:14:59 +05:30
|
|
|
move_mailbox ();
|
2008-06-10 01:47:48 +05:30
|
|
|
}
|
* NEWS, src/userdel.c, man/userdel.8.xml: Add option -Z/--selinux-user.
* libmisc/system.c, lib/prototypes.h, libmisc/Makefile.am: Removed
safe_system().
* lib/selinux.c, po/POTFILES.in, lib/prototypes.h,
lib/Makefile.am: Added helper functions for semanage.
* README, src/useradd.c, src/usermod.c, src/userdel.c,
configure.in: Use libsemanage instead of semanage.
2011-11-18 03:21:07 +05:30
|
|
|
#endif /* NO_MOVE_MAILBOX */
|
2007-10-07 17:14:02 +05:30
2010-04-05 02:25:46 +05:30
|
|
|
if (uflg) {
|
2008-07-12 02:22:44 +05:30
|
|
|
update_lastlog ();
update_faillog ();
|
2010-04-05 02:25:46 +05:30
|
|
|
}
|
2007-10-07 17:14:02 +05:30
2010-04-05 02:25:46 +05:30
|
|
|
if (!mflg && (uflg || gflg)) {
|
2018-12-18 21:02:13 +05:30
|
|
|
struct stat sb;
if (stat (dflg ? prefix_user_newhome : prefix_user_home, &sb) == 0 &&
((uflg && sb.st_uid == user_newid) || sb.st_uid == user_id)) {
|
2010-08-20 23:54:33 +05:30
|
|
|
/*
* Change the UID on all of the files owned by
* `user_id' to `user_newid' in the user's home
* directory.
*
* move_home() already takes care of changing the
* ownership.
*
*/
|
2016-11-15 20:33:40 +05:30
|
|
|
#ifdef WITH_AUDIT
if (uflg || gflg) {
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"changing home directory owner",
|
2023-02-01 18:20:48 +05:30
|
|
|
user_newname, user_newid, 1);
|
2016-11-15 20:33:40 +05:30
|
|
|
}
#endif
|
2016-05-15 19:19:39 +05:30
|
|
|
if (chown_tree (dflg ? prefix_user_newhome : prefix_user_home,
|
2010-08-20 23:54:33 +05:30
|
|
|
user_id,
uflg ? user_newid : (uid_t)-1,
user_gid,
gflg ? user_newgid : (gid_t)-1) != 0) {
fprintf (stderr,
_("%s: Failed to change ownership of the home directory"),
Prog);
fail_exit (E_HOMEDIR);
}
|
2010-04-05 02:25:46 +05:30
|
|
|
}
|
2007-10-07 17:14:02 +05:30
|
|
|
}
* src/newgrp.c, src/chfn.c, src/groupmems.c, src/usermod.c,
src/userdel.c, src/chpasswd.c, src/grpck.c, src/gpasswd.c,
src/groupdel.c, src/chgpasswd.c, src/vipw.c, src/useradd.c,
src/su.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/faillog.c,
src/sulogin.c, src/chsh.c, src/pwconv.c: Added splint annotations.
* src/userdel.c, src/pwconv.c, src/lastlog.c, src/grpck.c,
src/vipw.c, src/groupmod.c, src/passwd.c, src/pwck.c, src/login.c,
src/sulogin.c, src/usermod.c: Use return instead of exit at the
end of main().
* src/gpasswd.c, src/passwd.c, src/faillog.c: Use the exitcodes.h
exit codes.
* src/chpasswd.c: Added missing ||.
* src/nologin.c: Do not include exitcodes.h.
* src/nologin.c: Added brackets.
* src/nologin.c: Avoid assignments in comparisons.
2009-05-01 03:09:38 +05:30
|
|
|
return E_SUCCESS;
|
2007-10-07 17:15:23 +05:30
|
|
|
}
|
2008-06-10 01:47:48 +05:30
|
|
|
|