* src/groupadd.c: Only call gr_unlock() and sgr_unlock() in the

group or gshadow files were previously locked.
	* src/groupadd.c: Make sure failures are reported to syslog/audit
	after the change is mentioned.
	* src/groupmod.c: Add logging to syslog & audit on lock/unlock
	failures.
	* src/groupmod.c: Make sure issues are reported to syslog or audit
	after the change is mentioned.
	* src/groupdel.c: Only call gr_unlock() and sgr_unlock() in the
	group or gshadow files were previously locked.
	* src/groupdel.c: Simplify the handling of PAM errors.
This commit is contained in:
nekral-guest 2008-08-06 15:56:51 +00:00
parent 6461841ccd
commit b0fe7d3a0b
4 changed files with 221 additions and 70 deletions

View File

@ -1,11 +1,23 @@
2008-08-01 Nicolas François <nicolas.francois@centraliens.net>
2008-08-02 Nicolas François <nicolas.francois@centraliens.net>
* src/groupadd.c: Harmonize error & syslog messages.
* src/groupadd.c: Add logging to syslog in some error cases.
* src/groupadd.c: Add logging to syslog & audit on lock/unlock
failures.
* src/groupadd.c: Only call gr_unlock() and sgr_unlock() in the
group or gshadow files were previously locked.
* src/groupadd.c: Make sure failures are reported to syslog/audit
after the change is mentioned.
* src/groupmod.c: Harmonize error & syslog messages.
* src/groupmod.c: Add logging to syslog & audit on lock/unlock
failures.
* src/groupmod.c: Make sure issues are reported to syslog or audit
after the change is mentioned.
* src/groupdel.c: Harmonize error & syslog messages.
* src/groupdel.c: Add logging to syslog & audit on lock/unlock
failures.
* src/groupdel.c: Only call gr_unlock() and sgr_unlock() in the
group or gshadow files were previously locked.
* src/groupdel.c: Simplify the handling of PAM errors.
2008-08-01 Nicolas François <nicolas.francois@centraliens.net>

View File

@ -53,7 +53,6 @@
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
static bool is_shadow_grp;
#endif
/*
@ -82,6 +81,13 @@ static bool fflg = false; /* if group already exists, do nothing and exit(0) */
static bool rflg = false; /* create a system account */
static bool pflg = false; /* new encrypted password */
#ifdef SHADOWGRP
static bool is_shadow_grp;
static bool gshadow_locked = false;
#endif
static bool group_locked = false;
#ifdef USE_PAM
static pam_handle_t *pamh = NULL;
#endif
@ -250,16 +256,36 @@ static void close_files (void)
SYSLOG ((LOG_WARN, "cannot rewrite the group file"));
fail_exit (E_GRP_UPDATE);
}
gr_unlock ();
#ifdef SHADOWGRP
if (is_shadow_grp && (sgr_close () == 0)) {
fprintf (stderr,
_("%s: cannot rewrite the shadow group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot rewrite the shadow group file"));
fail_exit (E_GRP_UPDATE);
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot unlock the group file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"unlocking group file",
group_name, AUDIT_NO_ID, 0);
#endif
/* continue */
}
group_locked = false;
#ifdef SHADOWGRP
if (is_shadow_grp) {
sgr_unlock ();
if (sgr_close () == 0) {
fprintf (stderr,
_("%s: cannot rewrite the shadow group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot rewrite the shadow group file"));
fail_exit (E_GRP_UPDATE);
}
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"unlocking gshadow file",
group_name, AUDIT_NO_ID, 0);
#endif
/* continue */
}
gshadow_locked = false;
}
#endif /* SHADOWGRP */
}
@ -279,8 +305,9 @@ static void open_files (void)
"locking group file",
group_name, AUDIT_NO_ID, 0);
#endif
exit (E_GRP_UPDATE);
fail_exit (E_GRP_UPDATE);
}
group_locked = true;
if (gr_open (O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open the group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot open the group file"));
@ -292,17 +319,30 @@ static void open_files (void)
fail_exit (E_GRP_UPDATE);
}
#ifdef SHADOWGRP
if (is_shadow_grp && (sgr_lock () == 0)) {
fprintf (stderr,
_("%s: cannot lock the shadow group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot lock the shadow group file"));
fail_exit (E_GRP_UPDATE);
}
if (is_shadow_grp && (sgr_open (O_RDWR) == 0)) {
fprintf (stderr,
_("%s: cannot open the shadow group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot open the shadow group file"));
fail_exit (E_GRP_UPDATE);
if (is_shadow_grp) {
if (sgr_lock () == 0) {
fprintf (stderr,
_("%s: cannot lock the shadow group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot lock the shadow group file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"locking gshadow file",
group_name, AUDIT_NO_ID, 0);
#endif
fail_exit (E_GRP_UPDATE);
}
gshadow_locked = true;
if (sgr_open (O_RDWR) == 0) {
fprintf (stderr,
_("%s: cannot open the shadow group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot open the shadow group file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"opening gshadow file",
group_name, AUDIT_NO_ID, 0);
#endif
fail_exit (E_GRP_UPDATE);
}
}
#endif /* SHADOWGRP */
}
@ -312,10 +352,30 @@ static void open_files (void)
*/
static void fail_exit (int code)
{
(void) gr_unlock ();
if (group_locked) {
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot unlock the group file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"unlocking group file",
group_name, AUDIT_NO_ID, 0);
#endif
/* continue */
}
}
#ifdef SHADOWGRP
if (is_shadow_grp) {
sgr_unlock ();
if (gshadow_locked) {
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"unlocking gshadow file",
group_name, AUDIT_NO_ID, 0);
#endif
/* continue */
}
}
#endif
@ -470,7 +530,7 @@ static void check_flags (void)
/* OK, no need to do anything */
fail_exit (E_SUCCESS);
}
fprintf (stderr, _("%s: group %s exists\n"), Prog, group_name);
fprintf (stderr, _("%s: group '%s' already exists\n"), Prog, group_name);
fail_exit (E_NAME_IN_USE);
}
@ -487,7 +547,7 @@ static void check_flags (void)
/* Turn off -g, we can use any GID */
gflg = false;
} else {
fprintf (stderr, _("%s: GID %u is not unique\n"),
fprintf (stderr, _("%s: GID '%u' already exists\n"),
Prog, (unsigned int) group_id);
fail_exit (E_GID_IN_USE);
}

View File

@ -94,17 +94,20 @@ static void usage (void)
*/
static void fail_exit (int code)
{
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot unlock the group file"));
if (group_locked) {
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot unlock the group file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"unlocking group file",
group_name, AUDIT_NO_ID, 0);
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"unlocking group file",
group_name, AUDIT_NO_ID, 0);
#endif
/* continue */
}
}
#ifdef SHADOWGRP
if (is_shadow_grp) {
if (gshadow_locked) {
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
@ -113,6 +116,7 @@ static void fail_exit (int code)
"unlocking gshadow file",
group_name, AUDIT_NO_ID, 0);
#endif
/* continue */
}
}
#endif
@ -170,6 +174,7 @@ static void close_files (void)
if (gr_close () == 0) {
fprintf (stderr, _("%s: cannot rewrite the group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot rewrite the group file"));
fail_exit (E_GRP_UPDATE);
}
if (gr_unlock () == 0) {
@ -180,12 +185,15 @@ static void close_files (void)
"unlocking group file",
group_name, AUDIT_NO_ID, 0);
#endif
/* continue */
}
group_locked = false;
#ifdef SHADOWGRP
if (is_shadow_grp) {
if (sgr_close () == 0)) {
fprintf (stderr,
_("%s: cannot rewrite the shadow group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot rewrite the shadow group file"));
fail_exit (E_GRP_UPDATE);
}
if (sgr_unlock () == 0) {
@ -196,7 +204,9 @@ static void close_files (void)
"unlocking gshadow file",
group_name, AUDIT_NO_ID, 0);
#endif
/* continue */
}
gshadow_locked = false;
}
#endif /* SHADOWGRP */
}
@ -331,19 +341,14 @@ int main (int argc, char **argv)
if (PAM_SUCCESS == retval) {
retval = pam_authenticate (pamh, 0);
if (PAM_SUCCESS != retval) {
(void) pam_end (pamh, retval);
}
}
if (PAM_SUCCESS == retval) {
retval = pam_acct_mgmt (pamh, 0);
if (PAM_SUCCESS != retval) {
(void) pam_end (pamh, retval);
}
}
if (PAM_SUCCESS != retval) {
(void) pam_end (pamh, retval);
fprintf (stderr, _("%s: PAM authentication failed\n"), Prog);
exit (1);
}
@ -416,9 +421,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("group");
#ifdef USE_PAM
if (PAM_SUCCESS == retval) {
(void) pam_end (pamh, PAM_SUCCESS);
}
(void) pam_end (pamh, PAM_SUCCESS);
#endif /* USE_PAM */
return E_SUCCESS;

View File

@ -124,15 +124,42 @@ static void usage (void)
static void fail_exit (int status)
{
if (group_locked) {
gr_unlock ();
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot unlock the group file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"unlocking group file",
group_name, AUDIT_NO_ID, 0);
#endif
/* continue */
}
}
#ifdef SHADOWGRP
if (gshadow_locked) {
sgr_unlock ();
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"unlocking gshadow file",
group_name, AUDIT_NO_ID, 0);
#endif
/* continue */
}
}
#endif /* SHADOWGRP */
if (passwd_locked) {
pw_unlock();
if (pw_unlock () == 0) {
fprintf (stderr, _("%s: cannot unlock the passwd file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot unlock the passwd file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"unlocking passwd file",
group_name, AUDIT_NO_ID, 0);
#endif
/* continue */
}
}
exit (status);
}
@ -145,14 +172,17 @@ static void fail_exit (int status)
*/
static void new_grent (struct group *grent)
{
if (nflg)
if (nflg) {
grent->gr_name = xstrdup (group_newname);
}
if (gflg)
if (gflg) {
grent->gr_gid = group_newid;
}
if (pflg)
if (pflg) {
grent->gr_passwd = group_passwd;
}
}
#ifdef SHADOWGRP
@ -164,11 +194,13 @@ static void new_grent (struct group *grent)
*/
static void new_sgent (struct sgrp *sgent)
{
if (nflg)
if (nflg) {
sgent->sg_name = xstrdup (group_newname);
}
if (pflg)
if (pflg) {
sgent->sg_passwd = group_passwd;
}
}
#endif /* SHADOWGRP */
@ -468,28 +500,73 @@ static void close_files (void)
{
if (gr_close () == 0) {
fprintf (stderr, _("%s: cannot rewrite group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot rewrite the group file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"rewrite group file",
group_name, AUDIT_NO_ID, 0);
#endif
fail_exit (E_GRP_UPDATE);
}
gr_unlock ();
if (gr_unlock () == 0) {
fprintf (stderr, _("%s: cannot unlock the group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot unlock the group file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"unlocking group file",
group_name, AUDIT_NO_ID, 0);
#endif
/* continue */
}
group_locked = false;
#ifdef SHADOWGRP
if (is_shadow_grp && (sgr_close () == 0)) {
fprintf (stderr,
_("%s: cannot rewrite shadow group file\n"), Prog);
fail_exit (E_GRP_UPDATE);
}
if (is_shadow_grp) {
sgr_unlock ();
if (sgr_close () == 0)) {
fprintf (stderr,
_("%s: cannot rewrite the shadow group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot rewrite the shadow group file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"rewrite gshadow file",
group_name, AUDIT_NO_ID, 0);
#endif
fail_exit (E_GRP_UPDATE);
}
if (sgr_unlock () == 0) {
fprintf (stderr, _("%s: cannot unlock the shadow group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot unlock the shadow group file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"unlocking gshadow file",
group, AUDIT_NO_ID, 0);
#endif
/* continue */
}
gshadow_locked = false;
}
#endif /* SHADOWGRP */
if (gflg) {
if (pw_close () == 0) {
fprintf (stderr,
_("%s: cannot rewrite passwd file\n"), Prog);
_("%s: cannot rewrite the passwd file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot rewrite the passwd file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"rewrite passwd file",
group_name, AUDIT_NO_ID, 0);
#endif
fail_exit (E_GRP_UPDATE);
}
pw_unlock();
if (pw_unlock () == 0) {
fprintf (stderr, _("%s: cannot unlock the passwd file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot unlock the passwd file"));
#ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"unlocking passwd file",
group_name, AUDIT_NO_ID, 0);
#endif
/* continue */
}
passwd_locked = false;
}
}
@ -503,11 +580,13 @@ static void open_files (void)
{
if (gr_lock () == 0) {
fprintf (stderr, _("%s: cannot lock the group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot lock the group file"));
fail_exit (E_GRP_UPDATE);
}
group_locked = true;
if (gr_open (O_RDWR) == 0) {
fprintf (stderr, _("%s: cannot open the group file\n"), Prog);
SYSLOG ((LOG_WARN, "cannot open the group file"));
fail_exit (E_GRP_UPDATE);
}
#ifdef SHADOWGRP
@ -516,6 +595,7 @@ static void open_files (void)
fprintf (stderr,
_("%s: cannot lock the shadow group file\n"),
Prog);
SYSLOG ((LOG_WARN, "cannot lock the shadow group file"));
fail_exit (E_GRP_UPDATE);
}
gshadow_locked = true;
@ -523,6 +603,7 @@ static void open_files (void)
fprintf (stderr,
_("%s: cannot open the shadow group file\n"),
Prog);
SYSLOG ((LOG_WARN, "cannot open the shadow group file"));
fail_exit (E_GRP_UPDATE);
}
}
@ -532,6 +613,7 @@ static void open_files (void)
fprintf (stderr,
_("%s: cannot lock the passwd file\n"),
Prog);
SYSLOG ((LOG_WARN, "cannot lock the passwd file"));
fail_exit (E_GRP_UPDATE);
}
passwd_locked = true;
@ -539,6 +621,7 @@ static void open_files (void)
fprintf (stderr,
_("%s: cannot open the passwd file\n"),
Prog);
SYSLOG ((LOG_WARN, "cannot open the passwd file"));
fail_exit (E_GRP_UPDATE);
}
}
@ -632,19 +715,14 @@ int main (int argc, char **argv)
if (PAM_SUCCESS == retval) {
retval = pam_authenticate (pamh, 0);
if (PAM_SUCCESS != retval) {
(void) pam_end (pamh, retval);
}
}
if (PAM_SUCCESS == retval) {
retval = pam_acct_mgmt (pamh, 0);
if (PAM_SUCCESS != retval) {
(void) pam_end (pamh, retval);
}
}
if (PAM_SUCCESS != retval) {
(void) pam_end (pamh, retval);
fprintf (stderr, _("%s: PAM authentication failed\n"), Prog);
fail_exit (1);
}
@ -729,9 +807,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("group");
#ifdef USE_PAM
if (PAM_SUCCESS == retval) {
(void) pam_end (pamh, PAM_SUCCESS);
}
(void) pam_end (pamh, PAM_SUCCESS);
#endif /* USE_PAM */
exit (E_SUCCESS);
/* NOT REACHED */