From a0488ccac2cf2761eb9437cfb18f91d2a481c60c Mon Sep 17 00:00:00 2001 From: nekral-guest Date: Thu, 22 Nov 2007 21:55:12 +0000 Subject: [PATCH] * NEWS, src/gpasswd.c: Read the group and shadow groups using gr_locate and sgr_locate. gpasswd write in the file database. Thus it should read information from the file database, not using getgrnam. The change to sgr_locate is just for consistency. This requires opening the group databases (read only) using gr_open/sgr_open. * NEWS: Indicate that manpages should be re-generated if configure option are changed, due to conditions. --- ChangeLog | 11 +++++++++++ NEWS | 6 ++++++ src/gpasswd.c | 49 +++++++++++++++++++++++++++++++++++++++++-------- 3 files changed, 58 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1907f1f2..dc9674f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2007-11-22 Nicolas François + + * NEWS, src/gpasswd.c: Read the group and shadow groups using + gr_locate and sgr_locate. gpasswd write in the file database. Thus + it should read information from the file database, not using + getgrnam. The change to sgr_locate is just for consistency. This + requires opening the group databases (read only) using + gr_open/sgr_open. + 2007-11-22 Nicolas François * configure.in: SHADOWGRP added to AM_CONDITIONAL for the @@ -8,6 +17,8 @@ gshadow/no_gshadow condition. * man/gpasswd.1.xml: Use the gshadow/no_gshadow condition to change the manpage depending on the shadow group support. + * NEWS: Indicate that manpages should be re-generated if configure + option are changed, due to conditions. 2007-11-22 Nicolas François diff --git a/NEWS b/NEWS index ec519be6..5f2fbfc7 100644 --- a/NEWS +++ b/NEWS 
@@ -43,9 +43,15 @@ shadow-4.0.18.1 -> shadow-4.0.18.2 UNRELEASED passwordless account. - Full review of the usage of getpwnam(), getpwuid(), getgrnam(), getgrgid(), and getspnam(). There should be no functional changes. +- gpasswd: Only read information from the local file group database. It + writes the changes in /etc/group and/or /etc/gshadow, but used to read + information from getgrnam (hence possibly from another group database). *** documentation: - Generate the translated manpages from PO at build time. +- The generated manpages will change depending on the configure options. + If you use different options than the one used for the distributed + archive, you should re-generate the manpages. shadow-4.0.18.1 -> shadow-4.0.18.2 28-10-2007 diff --git a/src/gpasswd.c b/src/gpasswd.c index 861dca08..26b41b73 100644 --- a/src/gpasswd.c +++ b/src/gpasswd.c @@ -171,12 +171,12 @@ int main (int argc, char **argv) char *cp; int amroot; int retries; - struct group *gr = NULL; + struct group const*gr = NULL; struct group grent; static char pass[BUFSIZ]; #ifdef SHADOWGRP - struct sgrp *sg = NULL; + struct sgrp const*sg = NULL; struct sgrp sgent; char *admins = NULL; #endif @@ -314,14 +314,20 @@ int main (int argc, char **argv) * will be completely replicated so it may be modified later on. */ - /* - * XXX - should get the entry using gr_locate() and modify that, - * getgrnam() could give us a NIS group. --marekm - */ if (!(group = argv[optind])) usage (); - if (!(gr = getgrnam (group))) { /* dup, no need for xgetgrnam */ + if (!gr_open (O_RDONLY)) { + fprintf (stderr, _("%s: can't open file\n"), Prog); + SYSLOG ((LOG_WARN, "cannot open /etc/group")); +#ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "opening /etc/group", + group, -1, 0); +#endif + exit (1); + } + + if (!(gr = gr_locate (group))) { fprintf (stderr, _("unknown group: %s\n"), group); #ifdef WITH_AUDIT audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "group lookup", group, 
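Review bot: The group entry is read after `gr_open (O_RDONLY)` with no lock taken anywhere in the @@ -314 hunk, so the copy kept in `grent` can be stale by the time it is used for an update. The write path is outside this hunk, but if it later stores that copy under `gr_lock ()`, an edit made by another tool between this read and that write would be silently reverted, including a membership or password change. Either take the lock before this read and hold it through the update, or locate the entry again once the lock is held; at minimum add a comment such as `/* read without gr_lock (): this copy may be stale when written back */`. The user-facing message `%s: can't open file` also does not name the file that failed, unlike the syslog line beside it.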
@@ -334,8 +340,26 @@ int main (int argc, char **argv) grent.gr_passwd = xstrdup (gr->gr_passwd); grent.gr_mem = dup_list (gr->gr_mem); + if (!gr_close ()) { + fprintf (stderr, _("%s: can't close file\n"), Prog); + SYSLOG ((LOG_WARN, "cannot close /etc/group")); +#ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, + "closing /etc/group", group, -1, 0); +#endif + exit (1); + } #ifdef SHADOWGRP - if ((sg = getsgnam (group))) { + if (!sgr_open (O_RDONLY)) { + fprintf (stderr, _("%s: can't open shadow file\n"), Prog); + SYSLOG ((LOG_WARN, "cannot open /etc/gshadow")); +#ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, + "opening /etc/gshadow", group, -1, 0); +#endif + exit (1); + } + if ((sg = sgr_locate (group))) { sgent = *sg; sgent.sg_name = xstrdup (sg->sg_name); sgent.sg_passwd = xstrdup (sg->sg_passwd); @@ -360,6 +384,15 @@ int main (int argc, char **argv) sg = &sgent; } + if (!sgr_close ()) { + fprintf (stderr, _("%s: can't close shadow file\n"), Prog); + SYSLOG ((LOG_WARN, "cannot close /etc/gshadow")); +#ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, + "closing /etc/gshadow", group, -1, 0); +#endif + exit (1); + } /* * The policy here for changing a group is that 1) you must be root
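Review bot: `gr` and `sg` now point into the tables loaded by `gr_open`/`sgr_open`, so neither should be dereferenced after the `gr_close ()` added in this hunk or the `sgr_close ()` added in the next one (@@ -360), assuming the close releases the loaded entries. In the branch where `sgr_locate` succeeds, the visible lines copy the fields into `sgent` but do not repoint `sg`, whereas the else branch ends with `sg = &sgent;`. The lines between the two hunks are not shown, so this may already be handled there. If it is not, any later `sg->` use, such as the administrator check that the policy comment introduces, would decide access from memory that is no longer owned by the caller. Adding `sg = &sgent;` at the end of the found branch, and using `grent` rather than `gr` after the close, keeps that decision on the private copy.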